TCG :: News

Terradon announces new large File Sharing Solution

Tue, 10 Aug 2010 13:47:19 GMT

We have a new large file solution for you and your clients. Email security and size restrictions keep you from emailing large files and FTP sites are cumbersome to setup. We have a new solution that allows your customers to upload or download a file by just clicking on a link and selecting the file to upload or the place to download the file. No more user names and passwords – they are all handled by the secure link. Our system also tracks these downloads and lets you know when your client received the file. All this for only $10.00/Month per GB.

New TCG Staff Announced

Mon, 24 May 2010 15:41:15 GMT

Tina Cobb has joined TCG as an Account Executive and Database Administrator. Cobb provides technical expertise and project oversight TCG clients. Her primary areas of focus include Extranet development and database solutions.

Cobb offers TCG clients more than 20 years of IT, advertising and marketing experience. Prior to joining TCG, Cobb served as a Database Administrator for a large law firm in Charleston, WV. Additionally, she has provided marketing and advertising expertise to a number of organizations as the Creative Director for a statewide media outlet, winning multiple Addy awards on campaigns.

Terradon Communications Group is a custom software development company, providing Content Management System and web-based programming solutions.

Terradon announces a user group session for Search Engine Optimization!

Mon, 24 May 2010 15:40:15 GMT

Only Four Spots Left for the

SEO User Group!

Sign Up Today to

Reserve your Seat!

How would you like to increase traffic to your Web site?

Rather than waiting for customers to come to you, how would you like to appear in front of them at the exact moment that they are looking for your products or services?

If site traffic is a concern or if you are looking to increase traffic and the types of customers you receive then this user group session is designed for you!

Due to the tremendous response and feedback received during our last user group and training session we will be hosting a new User Group session on Friday, June 11th.

In this session we will provide the education and tools to better draw and measure traffic to your Web site.

The SEO User Group Session Agenda:

9:00 A.M. - NOON: Pages Management Wizard, Content Management Wizard, & Utilities Module Training (10:30 A.M. 15-minute coffee break)

Noon - 1:10 P.M.: Lunch (provided by Terradon Communications Group)

1:10 P.M. - 3:30 P.M.: Search engine optimization distinctions & techniques

MARK YOUR CALENDARS for Terradon Communications Group's
NEXT USER GROUP TRAINING!

Location & Time

When: Friday, June 11, 2010

Where: Robert C. Byrd Institute, 100 Angus E. Peyton Drive, South Charleston WV

Time: 9:00 A.M. - 3:30 P.M.

Registration Fee: $99.00/ person

NOTE: Seating is limited, so make your reservation today!

Call today to register for the next User Group Training or by E-mail:

Tina.Cobb@terradon.com

(304) 755-1324

Please make sure to provide the following information:
Your Name, Company Name, and the Number of Attendees.

Note: Attendees will be invoiced after the training session. Cancellations can be made before June 1, 2010. However, you will be invoiced for the full amount for any cancellations made after June 1, 2010.

Come and join us to learn how to increase the traffic to your Web site!

WV Executive Magazine Article on TCG President

Tue, 16 Dec 2008 10:44:21 GMT

Terradon Communications Group's President, Thomas Y. Kittredge, was featured as one of the magazine's "Young Guns" for the year 2000. Twenty individuals are selected from 300 nominees statewide.

Thomas Y. Kittredge, President of the recently formed Terradon Communications Group (formerly the Communications Department of Terradon Corporation), began working with web-based technologies in 1995 as an architect and project manager of software tutorials on CD-ROM. Tom began this job while finishing course work at the University of Denver. In fact, Tom moved from an internship into the role of scriptwriter for training videos before being asked to head the firm’s inaugural CD-ROM development efforts. This upward move required just one year. While designing CD-ROMs was stimulating, Tom’s entrepreneurial spirit eventually lead him home to West Virginia with hopes of establishing a consulting career in the burgeoning Internet arena.

The early days of Terradon’s Communications Department (late 1997) found Tom managing, marketing, programming, testing code, writing copy, facilitating community meetings, and developing newsletters in support of Terradon’s environmental and engineering consulting efforts. While most of Tom’s previous duties have been delegated to other Terradon Communications Group team members, he continues to guide the organization’s strategic vision and associated processes. Additional duties include managing the day-to-day operations, consulting for an international client-base, architecting web applications, and ensuring that client needs are met in an effective manner and with the proper technologies. Tom focuses on fostering a team environment on a daily basis: "When someone comes to work for us, I tell them that the reason they’re here is for the team to tap their gray matter. I want every member of the team, from an intern to a Java programmer, proactively contributing to the cause. I feel blessed to be surrounded by brilliant people who are not afraid to barge in my office with an improvement to one of my ideas. I wouldn’t have it any other way!"

This collaborative spirit exudes in Tom’s philosophy within the workplace, "A large part of my job is making certain that our team works smart. The web development arena moves fast, so our internal processes must be efficient and effective in creating an evolving product offering. If you do not incorporate new techniques and technologies into your organization, you become a commodity." Tom’s dedication to the dynamic is exemplified in Terradon’s Web Wizards, a suite of e-business management tools that have reached Version 3.01 in less than a year.

Tom aims to continue the current course of growing the Terradon Communications Group, "Without a single turnover and an over 100% growth rate in the last year, I feel as though my baby is growing up."

Personal Quote: "It’s not where you live, it’s how you live".

West Virginia Executive

Charleston anesthesiologist helps Indian soccer team train in city

Wed, 28 May 2008 14:20:18 GMT

An under-16 Indian national soccer team is coming to Charleston to train for an upcoming international tournament. The trip is the work of a local anesthesiologist, Dr. Francis Saldanha. Saldanha, who oversees the Day Surgery Center in Kanawha City, is paying for the team to come to West Virginia. An India native, Saldanha said he's pleased to help the boys play in the United States.

"From what I gather, the boys are tremendously excited and all of India is excited to see them come over here," Saldanha said. "It's excellent exposure and they'll be playing some pretty good clubs."

The team is scheduled to arrive July 1 for training and scrimmages to prepare for the Asian Federation Cup, a tournament scheduled for October in Uzbekistan.

The India team is one of 16 squads playing in the tournament. Other teams include national squads from Australia, Japan, China and South Korea.

Growing up in India, Saldanha said he always had a love for sports. He played cricket, field hockey and soccer, but said he was never a good athlete.

Still, Saldanha remained a sports fan.

He came to the United States in 1977 and made Charleston his home in 1981.

For many years, Saldanha worked to help athletics in India, but he could never do more than fund soccer programs at schools and academies across the country.

"I've always wanted to do something more for athletes in India," Saldanha said. "I never had an opportunity until recently."

Saldanha then heard about the success of the under-16 India team and how it qualified for the Asian Federation Cup.

Saldanha began to inquire about funding the team in some capacity. Then he decided to bring the team to West Virginia.

Saldanha described the effort to friend Brian Parrott.

Parrott, a vice-president of commercial lending for City National Bank, had known Saldanha for many years in a business capacity.

When Parrott found out about Saldanha's goal of bringing the team to the United States, he decided to help.

Parrott, a native of Vermont, grew up playing soccer and still takes part in local adult leagues.

Using Parrott's help, the two set out to get the team to the Mountain State.

The work included gaining approval from the All India Football Federation, the governing body of soccer in the country. They worked closely with Albert Colaco, the general secretary of the federation.

The men also had to get clearance from the U.S. Soccer Federation and the West Virginia Soccer Association.

Parrott said they were successful in getting quick approval.

"Everybody we talked to was so enthusiastic about helping us out," Parrott said.

Parrott said he hopes the trip will introduce soccer to a new audience in the area.

"My part of the partnership allows me to progress the level of soccer in the Kanawha Valley," Parrott said. "There's a lot of momentum being built up."

During their stay in Charleston, the squad will live in the Embassy Suites hotel. The team includes 24 players and six coaches.

Their schedule includes five scrimmages at Schoenbaum Stadium at Coonskin Park. They will also play a game against other travel teams at West Virginia University and another at Marshall University.

The team will face off against various soccer clubs from West Virginia, Ohio and South Carolina.

The first scrimmage will be July 6 at Schoenbaum Stadium.

They will head back to India on July 26.

Saldanha is leaving for India on Thursday to meet face-to-face with the team for the first time. He said Charleston would be the first trip to the United States for many of the boys.

Saldanha said he has high hopes for the team's success.

"They'll be up against some pretty formative groups," Saldanha said. "My hope is they get better with each tournament and become dominant."

Dr. Saldanha and the Day Surgery Center have been a customer of TCG since 2002. TCG created Transcription Management Software for the Day Surgery Center and Charleston Pain Management for doctors to administer their patient chart information electronically.

TCG Launches a Fortune 500 Corporate Web site

Wed, 23 Apr 2008 10:01:53 GMT

TCG is thrilled to announce the launch of another fortune 500 company's corporate Web site. The Web site was launched last week for a major retail and merchandising store and enables the company's marketing and PR staff to maintain site content, images and other content using TCG's content management tools. The site also includes tools for managing of product recall notices in multiple languages, executive and management staff pages, and product and service galleries. TCG’s content management system allowed them to consolidate content from multiple Web sites into a single corporate Web presence.

TCG worked with Google to implement a multi-site search tool allowing the company to search across all their other divisional Web sites from a single search interface from within their corporate site. The new corporate Web site was designed to be easy to use and the tools that TCG created, helped provide company staff with updating capabilities without the need for HTML knowledge or programming experience.

Currently, TCG is working on another project with this client to develop a Web site for their non-profit charity promoting and developing after school activities for inner city children. TCG has enjoyed working with this exciting new client and looks forward to working on many more projects together.

CASE Launches New Web site

Tue, 15 Apr 2008 15:09:34 GMT

The Council of American States in Europe, also referred to as CASE for short has launched their new Web site. Designed and created by Terradon Communications Group, the Web site was built to enable companies in Europe to partner, expand, invest and/ or sell to companies in the USA. The new Web site is very different from the last Web site and also has a new domain name invest-in-usa.org. The organization, together with the help of the Web site hopes to increase the amount of business generated around europe and offer european business a lucrative business opportunity for companies looking to invest in the USA. Case helps countries in Europe develop relationships oversees and is a great opportunity for all types of industries.

The Web site is generated to assist all types of industries such as food processing, tourism, aerospace, metal and steel, pharmaceutical, financial and much more. The Web site will display the latest events, state contact information, demographic information, testimonials and provide information on how to go about investing in the USA. The site also provides a lot of useful information about the different states that may be of interest to futore investors. Clink the link; http://www.invest-in-usa.org to learn more. CASE members are able to use TCG's content management sofwtare to make their updates and maintian and change the Web site whenever necessary.

Hatfield-McCoy is a big success

Mon, 03 Mar 2008 15:01:25 GMT

The economy of Southern W.Va. can be diversified, it turns out

For generations, West Virginians have both fretted about the need to diversify the economy of Southern West Virginia and lamented the difficulty of doing so.

"Tourism? In Southern West Virginia?" thought the skeptics. "Not likely."

Well, think again. The Hatfield-McCoy ATV Trail, offers recreation perfectly suited to what Southern West Virginia has to offer, and it's a runaway success.

In some places, as the Daily Mail's Cheryl Caswell reported this week, local residents are diversifying their economies at breakneck speed.

Executive director Jeffrey Lusk said that since the trail opened seven years ago, about 100 new businesses have opened to cater to visitors from just about everywhere.

The trail's slick and professional Web site ( http://www.trailsheaven.com ) gives some insight into the pulling power of rough roads through tough terrain. It turns out that is exactly what many Americans are looking for.

The site includes a note from riders who have done trails in Massachusetts and Michigan and are headed for West Virginia; a note from a grateful visitor thanking "Noah the Ranger" for pulling him out, "the woman who was working at the Bear Wallow Post Office who was so helpful, and "the dirt bike riders from the St. Louis area" who warned him of a safety problem.

"Just a heads up to all the fine people that make H&M the #1 destination on the East Coast for ATV enthusiasts," writes a visitor from Florida. "A number of Michigan clubs would like to know . . ." begins another inquiry. "Coming from Pittsburgh, Pa.," begins a third.

Gilbert, Mingo County? A boom town? Yes, said Kendall Simpson, who owns a convenience store and campground near the Bearwallow Trailhead and owns or is a partner in an ambulance service, an automotive center, a motel and the Crooked Trail Steak and Ribs restaurant.

"You can stand in Logan and not see the results" of the trail system, he told Caswell. "You can stand in Man and not see the results. "You can stand in Gilbert and feel the results."

Eighty-one percent of the people who ride the trails 25,000 last year come from out of state, and the impact they have is going to increase.

The system has added trails in Wyoming County and in McDowell County, where a KOA campground has since opened. Trails in Wayne, Lincoln, Mercer and Kanawha County are on the drawing board.

It is an achievement. Much credit is due to all the people who shared the vision and are making it happen.

The Hatfield & McCoy Trails is a customer of Terradon Communications Group

TCG Launches New Web Site

Mon, 03 Mar 2008 15:00:09 GMT

The time has come for the new face of TCG to shine brightly. The new Web Site is designed to showcase the best that TCG has to offer - a modern, crisp design, a suite of best-of-breed search technologies - all built atop the TCG's flagship Content Management System (CMS) product.

The new site features a series of technical and consulting service briefs, as well as a solutions gallery showcasing past projects, by industry and application. Also debuting with the new site are a series of CMS packages designed to meet the needs of various businesses and organizations. These also can be found within the solutions section of the site.

The Really Simple Syndication (RSS) capabilities included within this news section allow you to stay up-to-date on TCG news using your favorite RSS Reader. TCG blogs will follow in the coming months, featuring technical advice, opinions, and techniques designed to help our clients take full advantage of our CMS products.

The TCG Support site is now also included within this main site, providing a more seamless means to communicate with our customers. This allows customers to access one site for all current and future business needs.

The new Terradon Communications is here. Many changes are in store for this year - it is an exciting time at TCG.

Governor Honors 40 State Firms

Thu, 24 Jan 2008 12:21:00 GMT

Forty West Virginia companies, including 10 from Kanawha and Putnam counties, were recognized by Gov. Joe Manchin Tuesday for their entry into new international markets.

Manchin presented the companies with the Governor's Commendation for International Market Entry, which honors companies that successfully exported to 66 new countries.

In the first six months of 2007, West Virginia exports grew 17 percent, while U.S. exports grew only 10 percent, Manchin said in a news release. In 2006, West Virginia's exports totaled $3.2 billion.

Kanawha County businesses recognized include Convey Weigh of Dunbar, Chile, Cyprus; Cyclops Industries Inc. of South Charleston, Canada, Mexico, United Kingdom; Gilco Lumber Inc. of South Charleston, Egypt, Portugal; Kanawha Manufacturing Company of Charleston, Qatar, Venezuela; The Moore Company of Charleston, Guatemala; Preiser Scientific Inc. of St. Albans, Latvia, Mongolia, South Africa; and Terradon Communications Group of Nitro , Germany.

Putnam County businesses include Clark Truck Parts of Poca, United Arab Emirates, Costa Rica, Saudi Arabia, Ghana; Eagle Research Corp. of Scott Depot, Argentina, Australia, Czech Republic, The Netherlands; and The Metalwood Bat Company of Eleanor, The Netherlands.

Computer World Article - Net consortium to launch fee-based security alert

Thu, 24 Jan 2008 12:20:52 GMT

The Internet Software Consortium (ISC), which develops the server software most commonly used to direct traffic on the Web, is moving to create a fee-based information-sharing club that officials at the organization said is meant to give software vendors and other companies early warnings about security holes affecting its products.

The disclosure of the plans for the information exchange comes just one week after security analysts at the CERT Coordination Center at Carnegie Mellon University and Network Associates' PGP Security subsidiary issued simultaneous warnings about significant security vulnerabilities in multiple versions of ISC's widely used Berkeley Internet Name Domain (BIND) server.

Paul Vixie, chairman of the Redwood City, Calif.-based ISC, said in an interview that the new fee-based exchange is aimed at opening up more direct communication channels with software vendors, Internet service providers and other companies when holes are found in BIND and the other software that his organization develops.

"ISC found that speaking to vendors through the CERT advisory process was somewhat awkward and made for extra work on both sides," Vixie said. "The next time we learn, through CERT or otherwise, that there is an attackable bug in code that we've published, we hope to have a direct and very private communications forum with the people who run the Internet infrastructure or who need lead time to prepare patches for their customers."

However, ISC's plans to set up an exclusive information-sharing service have sparked a heated debate among some security analysts and technology users, many of whom posted their concerns last week on various online discussion boards. Some called ISC's plan the first step down a "slippery slope" that could lead to a time when the only people who will get the information needed to protect their networks will be those who are willing to pay a fee.

"What kind of an edge do they really think they'll be providing to IT staffs and security administrators?" asked Keith Morgan, a network security specialist at Terradon Communications Group in Nitro, W. Va., in an interview. "And why would anyone pay for it? I think this is a pretty poor precedent."

Morgan added that he sees nothing that distinguishes the ISC's planned exchange from the numerous other free security alert forums that are already in place. "It's extremely rare that the developers of any given piece of software find their own security flaws," he said. "Almost 100% of the time, it's a third party that discovers and publishes security vulnerabilities . . . I wouldn't even consider subscribing."

A spokesman at Pittsburgh-based CERT declined to comment on the ISC's plan. However, John Tritak, director of the U.S. Department of Commerce's Critical Infrastructure Assurance Office, said he thinks that the consortium's information-sharing effort is a step in the right direction.

"The government's policy so far has been that we want industry to better organize itself to better share information," Tritak said. "The question is whether or not information sharing overall has been enhanced as a result of this decision. I can't help but think this is to the benefit of everybody."

Eventually, Tritak added, software developers and security vendors will probably develop a more streamlined procedure for reporting and publicizing vulnerabilities. But for now, "it's more important than anything else for [the technology] industry to take ownership of this issue," he said. "We need to encourage that."

Amit Yoran, CEO at Riptech, a network security monitoring firm in Alexandria, Va., said he doesn't see big problems with the formation of another information-sharing mechanism. But, he added, there are still many questions about how ISC plans to share and disseminate information about vulnerabilities.

"I would be surprised and let down if [ISC] does not participate in some of the existing forums," said Yoran, the former director of the Vulnerability Assessment and Assistance Program for the U.S. Department of Defense's Computer Emergency Response Team. "It is imperative that any critical infrastructure information . . . gets to the people who need to know it. I'm not convinced that doing it in a fee-for-service approach is the best way to do that."

Defending the ISC's plans, Vixie said the organization will still use the CERT Coordination Center to announce security holes in its products on a widespread basis. "Nothing ISC has historically done will stop," even with the advent of the fee-based service, he said.

by Dan Verton

Computer World Article - Microsoft MCSE training faulted

Thu, 24 Jan 2008 12:20:52 GMT

The following article, Microsoft MCSE training faulted quotes Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the August 13, 2001 edition of Computer World.

(August 13, 2001) IT professionals and trainers are blaming insufficient security training offered under the nationwide Microsoft Certified Systems Engineer program for contributing to the spread of Code Red and other damaging viruses.

In an e-mail newsletter sent out last week to its 96,000 members, the Bethesda, Md.-based SANS Institute, a research and education organization for systems administrators, urged MCSEs to take a free class offered by the institute on how to reconfigure and patch Windows-based systems against the vulnerabilities exploited last month by the Code Red worm. The core courses required to attain MCSE certification don't provide the level of security training engineers need to protect their systems, according to SANS Institute officials and other industry experts.

MCSE trainers and students contacted by Computerworld last week said they agree with the organization. Most noted that while basic security is covered as part of the Microsoft Official Curriculum for MSCE certification, in-depth security training is optional and not a core requirement.

The shortfalls in MCSE training are "one of the root causes of lax security in the private sector," said Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W.Va.-based network security services company.

"Every MCSE that comes through our door has to be quizzed on his level of security understanding," said Morgan. "Most of them have to be trained in even the most basic of security principles. It costs us time and money."

MCSEs design, install, support and troubleshoot information systems based on Microsoft Corp. software.

Alan Paller, director of the SANS Institute, said the recent outbreak of the Code Red worm, which took advantage of vulnerabilities in Microsoft's Internet Information Services (IIS) software and a misconfiguration in the Internet Server Application Interface (ISAPI), is a perfect example of how MCSE training falls short.

"It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching," said Paller.

"One of the saddest dimensions of information security is that hundreds of thousands of people earned MCSE certifications without being required to demonstrate any competence in security," stated the SANS newsletter.

Robert Stewart, general manager of training certification at Microsoft, countered that each of the four core classes required for MCSE certification covers various aspects of security.

"There are definitely items and sections of the core exams that focus on security," said Stewart. In fact, the Windows 2000 Server administration course includes a "pretty big piece on security," he said. "And you can't pass through the gate and become an MSCE without passing it."

MCSE students are required to take five core exams on how to configure, design and administer a Windows 2000 network. (Windows 2000 certification replaced NT certification this year.) However, of the four core design courses offered, only one is geared specifically toward security - and it's optional.

"There's nothing specific on security," said Bob Hillary, vice president of academic affairs and chairman of the IS department at New Hampshire Community Technical College, a major MCSE training center, in Portsmouth. "It's not that MCSE training is without security, but it's an elective. Just as they have an 'MCSE plus I' for their Internet certifications, they should have an 'MCSE plus S' for security," said Hillary.

Although the in-depth security course is an elective, Stewart said, the fact that Microsoft has designed a specific course on security demonstrates the company's commitment.

MCSE training is conducted by dozens of private service providers throughout the country. Microsoft, through its training Web site, "makes no warranties or representations with regard to their services."

Terry Lewis, an MCSE training instructor at Emergent Technologies Inc. in Reston, Va., agreed that security training is "very basic" and should be enhanced. However, to do that, the five-day core courses would have to be lengthened, he said.

"In Microsoft's defense, I don't think that in a certification training environment you can teach the in-depth subject of security," said Lewis. "Should there be more security? Absolutely. Is there any time that can be thrown out of the current courses and devoted to security? No."

Dan Verton
Computer World

Computer World Article - ISC Plans to Launch Fee-Based Security Alert Service

Thu, 24 Jan 2008 12:20:52 GMT

The following article, ISC Plans to Launch Fee-Based Security Alert Service quotes Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the February 12, 2001 edition of Computer World.

The Internet Software Consortium (ISC), which develops the server software most commonly used to direct traffic on the Web, is moving to create a fee-based information-sharing club that officials at the organization said will give software vendors and other companies early warnings about security holes affecting the ISC's products.

The disclosure of the plans for the information exchange came just one week after security analysts at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and Santa Clara, Calif.-based Network Associates Inc.'s PGP Security subsidiary issued simultaneous warnings about significant security vulnerabilities in multiple versions of ISC's widely used Berkeley Internet Name Domain (BIND) server.

Paul Vixie, chairman of the Redwood City, Calif.-based ISC, said that the new fee-based exchange is aimed at opening more direct communication channels with software vendors, Internet service providers and other companies when holes are found in BIND and the other software developed by the ISC.

"ISC found that speaking to vendors through the CERT advisory process was somewhat awkward and made for extra work on both sides," Vixie said.

However, the ISC's plans to set up an exclusive information-sharing service have sparked a heated debate among some security analysts and technology users.

"What kind of an edge do they really think they'll be providing to IT staffs and security administrators?" asked Keith Morgan, a network security specialist at Terradon Communications Group LLC in Nitro, W.Va. "And why would anyone pay for it? I think this is a pretty poor precedent."

John Tritak, the director of the U.S. Department of Commerce's Critical Infrastructure Assurance Office, called the consortium's plan a step in the right direction.

"The government's policy so far has been that we want industry to better organize itself to better share information," Tritak said. For now, "it's more important than anything else for [the technology] industry to take ownership of this issue," he said.

Amit Yoran, CEO of Riptech Inc., a network security monitoring firm in Alexandria, Va., said that although it's imperative that information be shared, he's "not convinced that doing it in a fee-for-service approach is the best way to do that."

Dan Verton
Computer World

Computer World Article - How To Lock Down Windows 2000

Thu, 24 Jan 2008 12:20:52 GMT

The following article, How To Lock Down Windows 2000 quotes Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the November 19, 2001 edition of Computer World.

(November 19, 2001) Windows 2000 Server, Microsoft Corp.'s premier network operating system, isn't a tool you get to know all at once. Because of security concerns, many users find they must spend time getting fully acquainted with the complicated and robust platform before considering an enterprise rollout. Introduced in February of last year, Windows 2000 Server now offers a bevy of new security features, including certificate services and Kerberos network-authentication services. It also comes with new wizards and tools to help administrators with installation and security settings. But the complexity built into the operating system's 30 million lines of code makes securing it all the more difficult. Here are some practical things administrators can do to lock down Windows 2000.

Match Security to Business Needs

THE PROBLEM: Like all operating systems, Windows 2000 isn't secure right out of the box. The tendency among most administrators, say experts, is to simply click the Install All icon. But with an operating system as complicated as Windows 2000, that may prove more challenging from a security perspective than some can handle.

"When they click Install All, they turn on all of the sample code and demonstration programs and all of the problems that come with those," says Chris Rouland, director of the X-Force vulnerability research unit at Internet Security Systems Inc., a consulting firm in Atlanta.

"It would be nice if all software vendors produced software with default values that leaned toward security and lack of functionality, as opposed to less security and more functionality," says Marty Lindner, an incident-handling team leader at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. Related to this out-of-the-box functionality is the fact that Windows 2000 added many independent features that are secure in stand-alone mode but that can create more holes if implemented poorly as part of the Windows 2000 environment, says Lindner. Recent examples include the holes discovered in Microsoft's Internet Information Server (IIS). Although it's a separate product, IIS is tightly integrated with Windows 2000. "IIS can only run on Windows, so in that sense, it is tightly coupled to the Windows environment. But implemented poorly, it can get you in a lot of trouble," he says.

THE FIX: Rouland suggests that users separate their Windows 2000 servers logically by function (for example, file servers, print servers and e-mail servers) and then install and activate only the features and services that are required for that system and that match the security level required by their businesses.

Stay Up to Date With Patches

THE PROBLEM: Managing security patches, vulnerability alerts and service pack releases has become one of the major challenges facing all systems administrators. Although there are many vendor and independent security organizations, including Microsoft, that offer automated patch-notification services, users still face the daunting task of keeping track of what they've installed.

"The biggest issue with Windows 2000 machines is keeping the patches up to date," says Mandy Andress, president of ArcSec Technologies Inc., a consultancy in Dublin, Calif. "The biggest reason why many organizations do not stay up to date with their patches is they are afraid that installing the patch will create a problem and their systems will not function properly," she says. "This is why testing patches before installing them in a production environment is a best practice that needs to be followed."

What problems can this cause? One of the biggest has been when a security patch unravels security protections installed previously by either other patches or service pack releases. Likewise, service packs can reverse the benefits of security patches.

"The largest issue here is human error," says Scott Culp, a program manager on Microsoft's security team. Users should have a plan and test things before deploying them, he says. Microsoft's Secure Windows Initiative is making a concerted effort to "get better about the quality of the patches that we release and ensuring that they don't have side effects," says Culp.

"Microsoft security patches have been known to break third-party applications," says Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W.Va.-based content-management company.

THE FIX: Microsoft has released free tools designed to improve patch management, says Culp. Microsoft Personal Security Advisor scans a system, indicates which patches are needed and recommends how to make the system more secure, he says.

Another tool, Hfnetchk, is built for administrators who monitor large server farms. "It comprises the total of the world's knowledge about Microsoft security patches . . . and it even understands what patches supersede others," says Culp.

A Windows 2000 tool called Qchain allows users to install a string of patches together, instead of installing them individually, says Morgan. Administrators should take advantage of this feature for deploying patches, he says. "This can be a major time and productivity saver and also helps to take the user out of the picture," Morgan adds.

Lindner recommends that users check the authenticity of the patches they install. Although a CD may say "Microsoft" on the label, there have been isolated cases where the authenticity of the source has been questioned, says Lindner. "You need to verify the integrity of the patches you are downloading. You can't trust things at their face value."

Shield the Administrator Account

THE PROBLEM: Hackers who gain administrative access to a network can cause great damage to systems and mission-critical data. They can delete information, change file directory structures, install malicious code and conduct a host of other attacks.

THE FIX: You can make it impossible, or at least very difficult, for hackers to gain access to your network and the almighty administrator account if you know what services you have running, know what applications are running on top of your operating system and closely manage user and administrator accounts.

For example, Morgan creates a user account to run only IIS services, which have proved to be a major vulnerability in recent months. He then places appropriate restrictions on the service account. "What we try to do is mimic a Unix-style environment, where a service account has its own file system and security environment," says Morgan.

Microsoft, however, already offers two IIS-specific tools for Windows 2000, says Culp. One, IIS Lockdown, interviews users and automatically shuts off all nonessential services. The other, URL Scan, keeps an automated lookout for requests that users define as unusual and then throws away any server request that matches the profile.

Andress says there's no single thing an administrator can do to protect the administrator account from being compromised. Strong perimeter security, patch management, cutting off all nonessential services and monitoring and auditing are all key, she says. Automated tools only get you so far, says Andress.

Lyndner agrees. "You can also have a patched machine but do really stupid things, like store scripts in unprotected directories that allow people to run them without permissions," he says.

When it comes to locking down Windows 2000, automated tools make your life easier if you know what you're doing, says Lyndner. "But if you rely on the tools to help you to know what you are doing, you're destined to fail."

Dan Verton
Computer World

Computer World Article - Firm tracks threats, not vulnerabilities

Thu, 24 Jan 2008 12:20:52 GMT

The following article, Firm tracks threats, not vulnerabilities quotes Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the July 9, 2001 edition of Computer World.

(July 09, 2001) Companies today are at as much risk of falling victim to security information overload as they are of getting hacked. The number of security advisory services that claim to offer a way to stay ahead of the hundreds of technical vulnerabilities discovered each day has made it virtually impossible for companies to know for sure if they're getting the right information. TruSecure Corp., a Reston, Va.-based security firm, claims it has an answer. Using the client base of 36,000 Internet-connected systems it monitors, TruSecure is developing a threat database that it says will rightfully shift the discussion toward a more effective security model: from one of what vulnerabilities are out there to one that highlights what hackers are actually doing.

Other organizations use a similar approach, but the TruSecure database would power the first alert service based exclusively on threat data pertaining to hacker activity and not on vulnerabilities in general. "A vulnerability without a threat isn't worrisome," said Peter Tippett, TruSecure's chief technologist. "We're focused on risk . . . where there are both vulnerable systems and people shooting."

The threat database will complement TruSecure's vulnerability database. It will be offered in conjunction with the company's quarterly list of the top 10 hacker exploits that it says are responsible for 99% of all successful network intrusions.

"If we focus on protecting against the stuff that really happens, then we're protecting against the relevant stuff," he said. "A quarterly upgrade of systems gets you a twentyfold reduction of risk." TruSecure couldn't say when the database would be completed.

Other security experts and analysts agreed with Tippett's general argument and acknowledged the need for threat information. But most questioned the ability of any one vendor to collect enough detailed information to be able to determine what exploits hackers are actually using. They also pointed to potential problems with TruSecure's focus on what Tippett calls "the easy stuff."

"They're completely right. Looking at a hundred vulnerabilities a day does nothing for you," said Tim Belcher, chief technology officer at security monitoring firm RipTech Inc. in Alexandria, Va. "However, I'm sure that without a very good monitoring base, it would be very difficult to tell what is being done successfully."

One organization that tries to offer both vulnerability reporting and threat data is the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

"We go to great pains to understand which vulnerabilities are most serious and which are most likely to be exploited by hackers," said Shawn Hernan, team leader for vulnerability handling at CERT.

Hernan also warned against focusing too much energy on the easy exploits.

"Intruders are adaptive and trying to get too simplistic just causes the intruders to pick something else," he said. "If you fix the top 10 [vulnerabilities], they'll pick No. 11 or No. 26."

John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., acknowledged that analyzing threats has its merits. But he also questioned the ability to know for sure what exploits are being used and warned that by focusing too much on random attacks, some companies could be lulled into thinking they aren't vulnerable to specific, targeted attacks.

"If the vulnerability exists, sooner or later someone will shoot at it," said Keith Morgan, chief of information security at Terradon Communications Group LLC in Nitro, W.Va. "Plug them all. But plug the hot ones first."

Dan Verton
Computer World

Computer World Article - Disaster recovery planning still lags

Thu, 24 Jan 2008 12:20:52 GMT

The following article, Disaster recovery planning still lags quotes Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the April 1, 2002 edition of Computer World.

(April 1, 2002) Two months after the Sept. 11 terrorist attacks, the lack of corporate disaster recovery and business continuity planning was still widespread, according to a newly released survey.

Conducted in November by accounting and consulting firm Ernst & Young International, the survey polled 459 CIOs and IT directors from companies of various sizes worldwide. The survey results, released in late March, found that only 53% of those companies had business continuity plans to keep operations going in the event of a major disaster and that less than half had IT security awareness and training programs for employees.

Nathaniel Meyer, a spokesman for New York-based Ernst & Young, said the survey targeted midsize to large companies in all economic sectors throughout 17 regions of the world, including the U.S. and Europe. None of the companies surveyed were small businesses, Meyer said.

The Larger Picture

Some CIOs and security experts contacted by Computerworld last week said they weren't sure of the significance of the results without having a breakdown of the sizes of the companies surveyed. Some also questioned any expectation that companies would necessarily have disaster recovery plans in place just two months after the attacks if no such plans had already existed. Others, however, said two months was plenty of time, given the nature of the wake-up call.

Nancy Bryant, CIO at 1st City Savings Federal Credit Union in Los Angeles, said there's no reason that companies shouldn't be able to put a basic business continuity plan in place within two months. "It doesn't need to have the fancy writing, but a bare-bones plan could be in place within two months," said Bryant. "We're not talking a great outlay of money, either."

Bryant said she has outfitted all of her employees at six branch offices with remote capabilities, and the company is prepared to move to a co-location facility if the main office is affected by a disaster.

"A company can put in the structure, policies and procedures of a continuity plan and can convene a steering committee of all the parties that would need to be involved in such a plan," said Alan Paris, a partner at Capco, a financial services consulting firm located near ground zero in Manhattan. "They can also do an assessment of readiness. Within two months, you can certainly do that much."

Sean Scott, CIO at law firm Womble Carlyle Sandridge & Rice PLC in Winston-Salem, N.C., said six months is a more realistic expectation, given the number of people and positions in a midsize or large enterprise that must be involved in a recovery plan.

But Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W.Va.-based content management firm, said the survey results pertaining to disaster recovery plans "should terrify executives."

Rick Fleming, vice president of operations at Digital Defense Inc., a security firm in San Antonio that conducts audits for the financial industry, said of the survey finding that "things really are that bad, maybe worse."

"These numbers are generous and probably reflect awareness of the typical Fortune 500-type company that [Ernst & Young] works with," said Fleming. "It only gets worse as the company size gets smaller."

"Until now, disaster recovery planning was mostly seen as an IT thing," said Paris. "So it's particularly surprising that so many CIOs would not have a plan in place."

Dan Verton
Computer World

Computer World Article - Cybercrime Reporting Procedure Draws Fire

Thu, 24 Jan 2008 12:20:52 GMT

The following article, Cybercrime Reporting Procedure Draws Fire quotes Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the February 18, 2002 edition of Computer World.

(February 18, 2002) The FBI and the Secret Service last week announced support for a controversial set of standard procedures that businesses can use to report serious hacking incidents and other Internet-related crimes.

A panel of federal and private-sector security experts, including Howard Schmidt, the newly appointed vice chairman of the president's Critical Infrastructure Protection Board, helped draft "The CIO Cyberthreat Response & Reporting Guidelines." The effort was cosponsored by CIO Magazine, a sister publication of Computerworld.

The guidelines instruct CIOs to report only major incidents that result in damage to property or loss of significant revenue or that indicate a noteworthy trend or new type of attack. According to the guidelines, companies shouldn't "report routine probes, port scans or other common events," because law enforcement simply doesn't have the resources to investigate those incidents.

Some experts wondered if the reports IT groups file will be as useful as closing the gate after the horse has already left the barn. "Will they be able to stop or recognize malicious acts before damage is done, or before we fill out these forms?" asked Steven Sommer, CIO at Hughes Hubbard & Reed LLP, a law firm in New York.

Probably not, said Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W.Va.-based content management company. "If you want really useful information, log and track the scans," said Morgan. "The scans tell you what systems are actively searching the net for vulnerable hosts. The information that may be of the most value is exactly what they're asking you not to send."

There's also concern that the level of reporting and information-sharing necessary will remain elusive as long as the government continues to ignore industry's need to protect proprietary data from potential exposure under the Freedom of Information Act (FOIA).

"Without assurances of how this information will be handled, I would advise enterprises to avoid this like the plague," said John Pescatore, an analyst at Gartner Inc. in Stamford, Conn. "The information on the form is a hacker's and [news] reporter's dream. We still have no definition about Freedom of Information requests. Will this information be exempt from FOIA? Antitrust? It seems like a very unnecessary effort until all of this is defined."

Sommer said he has similar concerns about the use of information provided to the government. "The real question is, What will they do with the information?" he asked.

"We are not interested in highlighting the vulnerabilities of a company's system," said James Mackin, a spokesman for the Secret Service. "Underreporting of these crimes is unfortunately the norm, and we are trying to take steps to improve in that area."

Dan Verton
Computer World

Computer World Article - Corporate America Is Lazy, Say Hackers

Thu, 24 Jan 2008 12:20:52 GMT

The following article, Corporate America Is Lazy, Say Hackers suggests Terradon Communications Group's standard content management techniques as industry best practices while quoting Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the July 22, 2002 edition of Computer World.

(July 22, 2002) When a group of Web vandals hacked into USA Today's Web site July 11 and inserted false news stories, the Internet security community got a taste of how serious Web page defacements can be. While most security professionals consider Web page defacements nothing more than a nuisance, hackers and analysts said the newspaper got off easy. Subtle changes to the site could have been much more damaging, they said. In addition, the hack demonstrates the continued vulnerability of Web sites as a result of poor administration.

Although the defacement led to only minor downtime for USA Today's Web site, companies should fear the economic ramifications of such hacks, said Peggy Weigle, CEO of Sanctum Inc., a security consultancy in Santa Clara, Calif.

"Imagine a press release being posted that says the CEO and CFO are resigning due to undisclosed ethical or financial concerns. The stock price would likely plummet immediately," said Weigle. Companies should always audit Web applications before "taking them live" on the Internet, she said.

Hackers Find Open Doors

"We found in our auditing that 90% of all attacks stem from poor configuration and administrators that do not consistently update the software they use," said EPiC, the leader of a white hat hacker group known as Hack3r.com.

A hacker who goes by the nickname Hackah Jak agreed. "I can in minutes code a scanner to scan the Internet for 2-year-old known vulnerabilities," he said. "I've hit a lot of workstations this way and then worked my way through the network to the server."

A hacker nicknamed RaFa was the leader of the World of Hell defacement group, which racked up thousands of Web site defacements before disbanding last year. He said that in addition to making simple configuration mistakes, most administrators don't keep up with the updates and patches released by software vendors.

"They don't update services running on the system, and they set up permissions and software settings the wrong way on the Web server," said RaFa.

However, the real problem isn't laziness; it's trust, said Genocide, the leader of the Genocide2600 hacker group. Most administrators and managers simply trust that their systems are secure, he said.

"That is their first and biggest mistake," Genocide said.

Ways to Protect Web Content

1. Use message authentication and document-signing technologies.

2. Deploy digital rights management software.

3. Subscribe to automated security/patch notification services for the software vendors you do business with.

4. Audit Web server configurations, applications, guest accounts and user permissions before going live.

5. Consider content management software that offers digital hashing of HTML documents and images.

Sources: Bill Malik, an analyst at KPMG LLP in stamford, conn., and Keith Morgan, chief of information security at Terradon Communications Group LLC in Nitro, W.Va.

Dan Verton
Computer World

Computer World Article - Brinks Breaks Into Net Security Market

Thu, 24 Jan 2008 12:20:52 GMT

The following article, Brinks Breaks Into Net Security Market quotes Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the March 19, 2001 edition of Computer World.

The company that once guarded the bat used by Hank Aaron when he broke Babe Ruth's home run record in 1974 and the diamond Richard Burton gave to Elizabeth Taylor has quietly entered the Internet security market.

Irving, Texas-based Brinks Inc. is best known for its armored cars and 142 years of experience guarding bank loot. Now, Brinks' home security subsidiary, Brinks Home Security Inc., has teamed with Hyperon Inc. to offer an intrusion detection and response service to companies that can't afford a full-time IT security staff.

Brinks Internet Security, as the alliance AT A GLANCE The Initiative Combines Brinks’ real-time monitoring and response capabilities with Hyperon’s intrusion-detection systems Monthly charges range from $2,000 to $7,500, depending on level of service Services include basic alarms through full response between Brinks Home Security and Hyperon is called, marks the first time a traditional brick-and-mortar security firm like Brinks has entered the Internet security market, although Pinkerton has a network security consulting unit.

Hyperon is a consulting and outsourcing firm that specializes in intrusion detection and incident handling. It places an intrusion detection system on a customer's network that is monitored remotely through a central monitoring facility.

Fifteen Brinks agents have been deployed to the new Brinks Internet Security venture, which is co-located with Hyperon in Wilmington, Del. Some monitoring will also take place at Brinks' operations center in Irving, where 120 Brinks agents monitor the homes and businesses of 700,000 Brinks clients.

Business Enabler

Brinks' entry into the network security market makes it clear that "the assets that make up a company's value are changing," said Russ Gates, global managing director of technology risk consulting at Arthur Andersen LLP in Chicago. One of the challenges for Brinks will be looking at security as a strategic business enabler and not strictly as a protective barrier, he said.

"Brinks is not known as a high-tech company," said Bob Allen, chief operating officer at Brink's Home Security. "This is an expansion of the brand name and a logical extension that gets us into the high-tech market."

Brinks and Hyperon plan to issue a "Protected by Brinks" logo for use by e-commerce sites as a sign of assurance, said Allen.

The companies are just now entering into discussions with several financial services companies and plan to extend the service to the manufacturing industry, said Hyperon CEO Jim Molini.

Although physical and IT security will eventually merge, "now is not the time," said Steve Hunt, a security analyst at Cambridge, Mass.-based Giga Information Group Inc. "The market is too distracted and end users spread too thin to replace a system that already works well enough. Neither Brinks nor Hyperon will be able to reach the e-business purchasers or the CIOs in order to make a sale that bridges the two security worlds."

A network administrator at an Internet service provider in Virginia said he liked the idea of combining physical with Internet security but added that the saturation of the market could make it tough for Brinks to win major customers.

Keith Morgan, a network security specialist at Nitro, W. Va.-based Terradon Communications Group LLC, a software developer for Fortune 500 firms, said it's the Hyperon-Brinks combination that could make a difference with users, not simply the Brinks name. "The skill set required for data security just doesn't compare at all with physical [security]," he said. However, "everyone loves a one-stop shop."

Dan Verton
Computer World

Computer World Article - BIND patches leaked to underground, ISC says

Thu, 24 Jan 2008 12:20:52 GMT

The following article, "BIND Patches Leaked to Underground, ISC Says" quotes Terradon Communications Group's Chief Security Engineer Keith Morgan and appeared in the November 18, 2002 edition of Computer World.

The Internet Software Consortium (ISC) is under fire for the fee-based procedures it follows to notify the Internet community of vulnerabilities in Berkeley Internet Name Domain (BIND) software used for routing traffic on the Internet.

When word reached the ISC on Oct. 25 that "serious" BIND vulnerabilities had been discovered, the first companies to receive notification were the paying members of ISC's early-alert notification service. The rest of the Internet security community had to wait until a patch was released Nov. 12 to be notified of the new holes in the software. And even then, some security administrators said they couldn't locate a patch as much as 12 hours after the public announcement was made - about nine hours longer than it took for the patches to be leaked to the hacker underground.

Although the ISC, which maintains BIND, doesn't charge for patches, it does charge companies to be added to an early notification list, said Lynda McGinley, the consortium's executive director. Fees vary depending on the type and size of the subscription. An individual pays roughly $100 per year, while a large company can expect to pay $50,000 per year to be a member of the ISC forum, she said.

"Forum members with the early security notification option pay for ISC to validate their authenticity as someone who is not distributing patches to the underground," said McGinley. She added that notifications of the latest vulnerabilities "were leaked to the underground within a few hours of us sending them out to what we thought were valid users." That demonstrates the importance of the validation process, she said.

Michael Brennen, president of FishNet Inc., a Web hosting firm in Plano, Texas, was one of the many BIND users who couldn't locate patches for more than 12 hours on Nov. 12. "Deliberately withholding patches for root access security bugs is irresponsible in the extreme," he said. "Whether or not it is extortion is for others to decide. Personally, I don't want to be held hostage. I can't live with this anymore."

The latest vulnerabilities, discovered by Atlanta-based Internet Security Systems Inc. (ISS), affect BIND Versions 4 and 8, up to and including Release 8.3.3, according to ISS. "Eleven of the 13 root servers run Version 8.3.3," said Dan Ingevaldson, team leader of the ISS X-Force.

Lasting Problem

Jerry Brady, chief technology officer at Waltham, Mass.-based Guardent Inc., said he thought the patches came out a little late. "The recommendations were to either patch the old code or move to a new release of BIND, which is kind of daunting to the average user," said Brady. "As a result, this vulnerability will probably hang around for a long time."

Mike Schiffman, director of security architecture in the San Francisco office of Cambridge, Mass.-based @Stake Inc., said that while he doesn't know what ISC officials knew, or when they knew it, he does know that vulnerability data was made available before patch information was made available to the public. "When you withhold this type of information, no good can come of it," said Schiffman. "I can tell you with a reasonable degree of certainty that there are thousands of DNS [Domain Name System] servers that are vulnerable, and DNS is critical infrastructure on the Internet."

Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W. Va.-based content management firm, said delivering early-warning information to a "paying elite" is a conflict of interests that should be criminal. "This is a company exploiting security flaws in its own software to turn profit," said Morgan.

However, McGinley said nearly all of the subscription funds go toward verifying the identity of early notification recipients. "BIND is a free product, and we'd like to keep it that way," she said.

Dan Verton
Computer World