
Post on 20-Mar-2018


The Myth of the Secure Virtual Desktop

Avoid a false sense of security with your VPN or VDI endpoints

Brief

Key Takeaways

• Virtual Private Network (VPN), Virtual Desktop (VDI), and Remote Desktop (RDP, RDS) strategies can be effective components of an information access and security strategy
• These implementations cannot be solely relied upon as a security measure to protect network and endpoint computers from security risks
• Security is only as strong as its weakest link; a virtual endpoint implementation on a poorly secured endpoint is hazardous
• Layers of security are required, and conventional endpoint security is still valid in ensuring protection from outsider threats

Synopsis

There is a lot of misinformation about the security of virtual desktop technology. No one security tool is 100% secure and because of the complexity of technology and how we use it, layers of defence are necessary. You are only as secure as your weakest link. Effective security in your virtual strategy is not automatic or straightforward. IT professionals must also consider the security of the associated endpoint.

In this paper, we will outline why keeping data off the endpoint is harder than you think, and examine issues around passwords and intrusion detection, security software, VPN security, connections and user behaviour.


Reading time 15-20 minutes


Table of Contents

Introduction
Virtual Desktop Illusion and Reality
Keeping Data Off the Endpoint is Harder Than You Think
Passwords and Intrusion Prevention
Security Software
VPN Security
The Weakest Link
No Connection, No Production
Conclusion
Bibliography
About the Authors
About NPC


Introduction

David Harley said this as he was dismissing the contentious reports that anti-virus software was no longer required, due to its allegedly poor detection rates, while taking the sensible position that nothing in data security is perfect. While we agree with him that AV detection rates are often misunderstood and misreported, and that AV software is still required as part of a solid security posture, his comment is instructive about all data security.

No one security product or tool is 100% secure; layers of defence are essential. While the security weaknesses outlined below can be made secure, any one of them unaddressed can cause the loss of data. The complex technology and networks we use today require layers of defence, and redundancy, to assure data protection. No solution on its own should be relied upon as companies evolve their data management and access strategies.

Endpoint² security salespeople are often told “we don’t worry about endpoint data protection because nothing is on them. Everything comes in through the secure VPN and is on the server.” That’s wishful thinking. Unless the user is on a secured diskless terminal with carefully managed multifactor credentials, all endpoints present a variety of risks that need to be dealt with.

“Personally (and in principle) I’d rather advocate a sound combination of defensive layers than advocate the substitution of one non-panacea for another.”¹

—David Harley – CITP FBCS CISSP, ESET Senior Research Fellow

1 Harley, David. CITP FBCS CISSP. (2013, January 3). ESET Senior Research Fellow. Retrieved from http://www.welivesecurity.com/2013/01/03/imperva-virustotal-and-whether-av-is-useful/

2 Endpoints refer to all end-user computing devices including laptops, notebooks, ultra-books, netbooks, desktops and tablets.


It’s easy to believe that a computer is safe because it was set up not to store important data, but nothing is that simple, especially in data security. New threat vectors and methods emerge daily, product updates and patches (or lack thereof) can create risk, and users are notorious for out of policy activity that can place information where it clearly should not be.

The high efficacy and “quality” of today’s threats are also an issue. Today, cybercrime is a big business and because it is so lucrative, criminal organizations make huge investments in the illicit technology they create. Yesterday’s threats were often obvious to their victims. Infected endpoint computers behaved unpredictably and servers crashed, as attackers showed off their prowess. The thrill for them was in the attack, and in showing their peers how clever they were.

But those days are gone. Today’s threats don’t make themselves known. Instead, it’s to a cybercriminal’s benefit to remain invisible as long as possible, harvesting data that can be sold or used in future attacks. They come in quietly through social engineering trickery, assisted by the collection of key information about staff or the company on social media websites, or through a security hole so small it is near impossible to detect. Their pinnacle of achievement is to have free run of the corporate data, through the VPN, looking like an authorized user from an authorized location and device.

That tactic of staying silent works. In the now infamous Winners breach, after breaking in through poorly secured Wi-Fi that was using only WEP³ level security built into the access points, the attackers looked like authorized users and stole data directly from the server, undetected for what amounted to years⁴. User credentials, intellectual property, credit card numbers, banking information, or access to sensitive systems are infinitely more valuable than bragging rights, so today the criminal strategy is all about stealth. Today’s threats are not about disruption, they are about profit. The criminal’s profit, and your loss.

Those concealed threats, such as rootkits which turn computers into components of criminal botnets controlled by attackers, are difficult to detect and even harder to eradicate. That’s why the IT security market is expected to grow at a rate of about 12 percent per year through 2016, according to analysts at International Data Corp⁵.


3 Wired Equivalent Privacy (WEP), sometimes incorrectly called Wired Encryption Protocol. An outdated security algorithm for 802.11 wireless networks. Part of the original 802.11 standard it soon became irrelevant due to its numerous security flaws, although it is still in use on unmanaged and outdated networks.

4 Office of the Privacy Commissioner of Canada (2007, September 25). Inadequate security safeguards led to TJX breach, Commissioners say. Retrieved from http://www.priv.gc.ca/media/nr-c/2007/nr-c_070925_e.asp

5 IDC Worldwide Endpoint Security 2012–2016 Forecast, July 2012.


Virtual Desktop Illusion and Reality

There is no question that VPNs (Virtual Private Networks), VDI (Virtual Desktop Infrastructure) and RDPs (Remote Desktop Protocol or Services) can increase the security of corporate information and in some instances lower endpoint support and management costs. When corporate data resides in a managed repository, which requires users to work directly on a centralized server through a secure link, that bulk of data is more easily secured. But overestimation of the completeness of the security of this strategy, as a panacea for endpoint security, abounds.

Like the emperor in the children’s story, companies relying solely on just one strategy and believing that they are adequately protected, can in fact be naked to attackers. They can create even more risk than there was before the endpoint virtualization, thinking they can ignore other critical endpoint security practices, as after all, there is supposed to be no data on the endpoints.

That centralized data, set up to be accessed remotely through the endpoints, offers an enticing treasure-trove to thieves, thanks to new ingress points via inadequately protected endpoints. A VPN agent, anti-malware and a strong password policy or multifactor authentication may have been installed on the endpoint, but if just one of many other attack vectors is left unattended, the crooks are in the data. Attackers make a career of thinking of every possible avenue to exploit. Endpoints are in the hands of users, most in the field, and the attackers only need to find one hole.

Let’s look at a few problem areas.

“Security is an asymmetric business. Attackers have to be right only once. We have to be right every time.”⁶

– Francis deSouza, Symantec Corp.

6 deSouza, Francis. RSA Security conference keynote address, February 26, 2013. Retrieved from http://www.computerworld.com/s/article/9237212/Applying_big_data_approaches_to_information_security_a_challenge_

Keeping Data Off the Endpoint is Harder Than You Think

Some companies argue that their data is secure because they require employees to store it only on company servers. The fallacy here is believing that the data exists only on those servers. In fact, even if the user does not do it deliberately, software often saves data, even server-based data, on the local machine in temporary files of various sorts to perform its functions or improve computer performance. It may store usernames and passwords, spreadsheet data or pieces of documents, and it may not erase the information when the user exits the program.

If the endpoint is shut down improperly or experiences a crash, it creates a file of system information to help it properly recover or for system error analysis and volumes of data can be exposed. That data can be harvested and used by attackers. This cache, temporary file, working file, and crash-file data may have valuable information itself, or it may also contain clues as to how to access server data to further penetrate the target organization. While it can appear to be deleted at the end of a remote access session, hacker recovery tools can effectively undelete those files.
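An added example (not from the original paper) of auditing an endpoint for the temporary, working and crash-dump files described above once a remote session has ended. The name patterns, category labels and the constructed profile are assumptions for illustration.

```python
import fnmatch
import os

# Name patterns for files that applications and the OS leave on local disk.
# The Office working-file and crash-dump names are common conventions; the
# category labels are assumptions made for this example.
RESIDUE_PATTERNS = {
    "office_working_file": ["~$*", "~wrl*.tmp", "*.asd"],
    "crash_dump": ["*.dmp", "*.mdmp", "core", "core.[0-9]*"],
    "generic_temp": ["*.tmp", "*.temp"],
}


def classify(filename):
    """Return the residue category for a file name, or None if it is not residue."""
    lowered = filename.lower()
    for category, patterns in RESIDUE_PATTERNS.items():
        if any(fnmatch.fnmatchcase(lowered, pattern) for pattern in patterns):
            return category
    return None


def audit_residue(root, session_end):
    """List residue files under root and flag those written before session_end.

    session_end is the epoch time at which the remote session closed; a file
    last modified at or before it has outlived the session that created it.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            category = classify(name)
            if category is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                info = os.stat(path)
            except OSError:
                continue  # removed or unreadable while we were walking
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "category": category,
                "bytes": info.st_size,
                "survived_session": info.st_mtime <= session_end,
            })
    return sorted(findings, key=lambda item: item["path"])


def build_constructed_profile(root, session_end):
    """Write a constructed user profile (fake data) for the audit to scan."""
    samples = {
        "Documents/~$Q3-forecast.xlsx": b"owner file",
        "AppData/Local/Temp/~WRL0412.tmp": b"draft paragraph " * 64,
        "AppData/Local/Temp/install.log": b"ordinary log, not residue",
        "AppData/Local/CrashDumps/rdclient.dmp": b"\0" * 4096,
    }
    for relative, data in samples.items():
        path = os.path.join(root, *relative.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
        os.utime(path, (session_end - 60, session_end - 60))


if __name__ == "__main__":
    import tempfile
    import time

    with tempfile.TemporaryDirectory() as profile:
        ended = time.time() - 3600
        build_constructed_profile(profile, ended)
        for finding in audit_residue(profile, ended):
            print(finding)
```

Deleting what the audit finds does not address the recovery of deleted files mentioned above, which is why the paper's conclusion calls for disk encryption even on endpoints designed to hold no data.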

Passwords and Intrusion Prevention

While passwords are a necessary part of any security regimen in virtualized endpoint strategies, they too can be problematic, creating risk when poorly managed. Companies may, for example, implement BIOS hardware passwords as an extra layer of protection and to help lock system configurations. But for convenience they will use the same password on all machines and not change it when employees leave. It just takes one incautious or disgruntled current or former employee to let that password fall into malicious hands. This, or lack of a BIOS password altogether, can leave a lost device vulnerable to Operating System bypass attacks, and if the data or drive of the device is not encrypted, could provide access to or clues to access the corporate network.

Logon passwords, even if the user doesn’t do foolish things like writing them on sticky notes attached to a monitor or stuffed in the pocket of their computer bag, can also be a major risk. Companies with good password policies requiring regular changes and sufficient complexity may still be compromised if an attacker manages to gain access to a machine via malware, and accesses the file in which the passwords are stored. If the logon passwords are not encoded or encrypted, an OS bypass attack can make for an easy kill. Even if they are encoded, some algorithms do not provide true encryption, but simple storage obfuscation strategies that even a limited-talent hacker can decode.

Since user login credentials give access to shares on servers, once an attacker has endpoint credentials, any files protected by that username and password are also compromised.

The use of additional authentication factors such as biometric fingerprint readers or access code-randomizing authentication devices like RSA keys is strongly recommended in a virtualized endpoint deployment, when not using a diskless device, on top of strong password policy management. These methods and technologies provide a critical additional layer of intrusion prevention that can cover for password mismanagement.

Security Software

Anti-malware and other forms of security software are a requirement in every security posture, but they can also comprise part of the risk. Unless the products are properly installed and configured, and kept up-to-date and monitored, they too can provide a false sense of security.

The user frequently is unaware when a security product has ceased to function properly. In an effort to be unobtrusive and minimize their impact on operations, anti-malware programs often don’t report their status clearly and visibly. If an update fails, the program simply writes an entry to a log file rather than warning the user that he or she is potentially unprotected against new threats. In enterprise installations, where security staff receives reports of those failures, they can at least be detected and remedied – if the security staff regularly monitors the reports and has the time and resource to deal with them. In a smaller business without central control, problems can go undetected for weeks or months, until an incident prompts inspection of the computer. By then, the machine is often compromised.
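An added example (not from the original paper) of the monitoring this paragraph calls for: it reads signature-update log entries and reports endpoints whose last successful update is too old or that have never updated. The key=value log layout, host names and three-day threshold are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log. The key=value layout is an assumption for this
# example; each anti-malware product writes its own format.
SAMPLE_LOG = """\
2013-03-01T02:00:11 host=LT-0142 event=signature_update status=ok version=8012
2013-03-02T02:00:09 host=LT-0142 event=signature_update status=failed error=timeout
2013-03-03T02:00:10 host=LT-0142 event=signature_update status=failed error=timeout
2013-03-04T02:00:12 host=LT-0142 event=signature_update status=failed error=proxy_auth
-- log rotated --
2013-03-06T02:00:05 host=LT-0203 event=signature_update status=failed error=disk_full
2013-03-07T02:00:07 host=LT-0203 event=signature_update status=failed error=disk_full
2013-03-07T02:00:31 host=LT-0077 event=signature_update status=ok version=8019
2013-03-07T08:14:50 host=LT-0077 event=scan_complete status=ok
"""


def parse_line(line):
    """Split one log line into (timestamp, fields); return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        stamp = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(part.split("=", 1) for part in parts[1:] if "=" in part)
    return stamp, fields


def update_health(lines, now, max_age=timedelta(days=3)):
    """Return {host: details} for hosts whose signatures are silently stale.

    Lines are expected in chronological order. A host is reported when it has
    never updated successfully or its last success is older than max_age,
    which also catches an agent that has stopped logging altogether.
    """
    state = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, fields = parsed
        if fields.get("event") != "signature_update" or "host" not in fields:
            continue
        host = state.setdefault(fields["host"], {"last_ok": None, "failed_since_ok": 0})
        if fields.get("status") == "ok":
            host["last_ok"] = stamp
            host["failed_since_ok"] = 0
        else:
            host["failed_since_ok"] += 1

    stale = {}
    for name, host in state.items():
        if host["last_ok"] is None:
            stale[name] = dict(host, age_days=None)
        elif now - host["last_ok"] > max_age:
            stale[name] = dict(host, age_days=(now - host["last_ok"]).days)
    return stale


if __name__ == "__main__":
    report = update_health(SAMPLE_LOG.splitlines(), datetime(2013, 3, 8, 9, 0, 0))
    for hostname, details in sorted(report.items()):
        print(hostname, details)
```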

VPN Security

One huge illusion that bears greater examination is the notion that a connection to the network over a VPN (virtual private network) is impenetrable. Nothing could be farther from the truth. While a VPN is a critical part of an organization’s security arsenal, it is not the be-all and end-all that keeps data safe.

VPNs themselves can provide a false sense of security, not because of flaws in the concept, but because of poor implementation and maintenance.

Most remote gateways are configured by default to report make, model, and even firmware and software versions, on their login screens, and that display is often not anonymized by IT. VPN client software also contains this data, sometimes in unencrypted form. That information is a goldmine for attackers, who have studied the products on the market and know their every weakness; it helps them choose the best way to infiltrate an organization.


VPNs have their own security, but to make things more convenient for users, IT often either stores the credentials on the endpoint, or ties VPN access to computer login credentials. Those credentials may be stored (or transmitted) in an unsecure form, perhaps in plain text. If the computer is not properly encrypted and secured, it can thus become an attack vector for the entire network.

SSL VPNs, also known as clientless VPNs, work through a Web browser that supports the SSL protocol, or its successor, Transport Layer Security (TLS), to secure communications. They do not require a separate client on each endpoint to establish a secure connection. They eliminate the need to install, configure and maintain the client software, and allow users to choose their favourite browser. However, the user may save credentials in the browser, unless it is explicitly configured to prevent this. In addition, any of the security vagaries of the browser can become vulnerabilities for the VPN.

SSL VPNs, according to networking and VPN vendor Cisco Systems (Steven Song, Security Architect for Corporate Security Programs, Cisco Systems Inc., 2010), are vulnerable to man-in-the-middle attacks in which the attacker creates a fake SSL VPN site, which intercepts the user connection, records credentials and then passes the traffic through to the legitimate site. It may also perform other malicious actions, for example, installing a key-logger to harvest other information. These attacks succeed when users either are not aware of how to verify that an SSL certificate really belongs to their intended destination, or have browser settings that don’t flag certificate errors.

Although it provides a secure tunnel into a corporate network, a VPN does not protect the network from malware on the connecting endpoint. An infected machine will, securely, pass its malware on to other vulnerable systems over the VPN. A properly secured endpoint using the VPN is the best defense.

A network access control (NAC) solution that checks connecting computers to ensure they comply with specified levels of anti-malware software and OS patches before they are allowed to access the network can provide an additional layer of protection, however costs for acquisition and administration may be prohibitive.

Finally executives who travel cannot rely on VPN use being permitted in every country. Some governments block their use (Iran is the most recent, prohibiting any but “legal and registered VPNs” – run by the government, so easily monitored⁸), because they allow users to access unapproved sites on the Internet. Thus travelers who rely on VPN connections may unexpectedly lose that security blanket in some regions, such as China and the Middle East, making a secure endpoint their only defense.

“VPN technologies (SSL VPN included) come with their own security issues. These issues must be dealt with appropriately to ensure the confidentiality and integrity of data and information, as well as overall corporate network security.”⁷

– Steven Song, Architect for Corporate Security Programs Organization at Cisco Systems Inc.

7 Song, Steven. Security Architect for Corporate Security Programs, Cisco Systems Inc. (2010). SSL VPN Security. Retrieved from Cisco Systems Inc.: http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html

The Weakest Link

Putting technology aside, user behaviour is often the most significant security risk in endpoint deployments. In an effort to do their jobs, or just for convenience’s sake, where they can users will bypass security protocols if they impede the way they like to work, inhibit access to necessary files, or for that matter access to the Internet.

Users will copy data to their computers, regardless of rules, if they find the server connection too slow. While cut and paste features can sometimes be controlled, other methods of copying data such as screen caps and file copies to portable media like USB sticks while inside the firewall, or other inventive ways, like sending themselves files on emails, can be problematic. Stories are plentiful of an organization’s sensitive information being found on the Internet or in the hands of a competitor, and a server hack is immediately blamed. Often it is found that the files were actually plucked off an employee’s home computer, because that computer allowed the employee faster, local tools to do his or her work, off the VPN.

Users are, in fact, the weakest link. They will save credentials on their computer, and find small utility programs which are often not secured, to do so. They will click on dubious links in emails, possibly infecting their systems with malware in the process. If they can’t access needed resources on the corporate network, they may surf the Internet or connect to public wireless networks without launching the VPN. If the computer itself is not secure, it, and the company network resources, are all put at risk.

8 Farrell, Nick. TechEye.net. (2013, March 11). Iran will lop off your VPN for network adultery. Retrieved from TechEye.Net: http://news.techeye.net/security/iran-will-lop-off-your-vpn-for-network-adultery

No Connection, No Production

One of the key challenges of a virtualized endpoint strategy is that when you are not able to connect satisfactorily to the network, you are not working. There are many instances when this occurs, from employees sitting in airports and on airplanes (slowly changing with inflight Wi-Fi), or when sales and field staff are on the move. We say here “connect satisfactorily” as not just any connection to the Internet is robust enough to provide a useful connection. The number one complaint by users as to why they dislike using the VPN is speed and availability. One or two instances of not being able to get on the VPN at a critical time motivates them to squirrel away data on their computer for that big meeting “just in case they can’t connect”, creating risk.

The need for constant connection can drive other dangerous behaviours that may also bring risky activity to the endpoint, especially prior to or when the VPN is not yet loaded. To save a trip back to the office or to access a piece of critical information needed for the next meeting while on the road, a user may dodge into a coffee shop that offers free public Wi-Fi or use airport Wi-Fi, both notoriously unsecure ways of connecting. They may also ask a client for guest access on their network, an inappropriate request that can expose your company to the client’s security risks, and your risks to them.

3G/4G/LTE telco wireless are all highly recommended for increased security while connecting on the move, as they are inherently encrypted and offer users roaming access without the need to beg or borrow Wi-Fi. But they too can have coverage, connection and cost issues.

Conclusion

Certainly all of these risks can be addressed with proper policy and configuration, but it’s a big job, not to be missed or misunderstood.

Virtualizing the endpoint or relying on the protection of a VPN connection is only one step in securing corporate data, and it is critically important to employ a full range of other conventional protections. No one thing can secure a computer or network. Even security vendors acknowledge that and recommend a layered approach:

• The endpoint device Operating System should be correctly configured and patching kept up-to-date.
• Web browsers should be patched and securely configured.
• Anti-malware is critical; it must be properly configured, kept up-to-date and constantly monitored for efficacy.
• Hard disk data should be encrypted even if the configuration is designed not to store data on the endpoint. If there is a disk present, encrypt it.
• Sophisticated intrusion prevention and password policy management is critical.
• All security components must be monitored to ensure they continue to work correctly.


Above all, considering how users work, where they work, and their performance experience is critical. Forcing changes to their operating methods, poor endpoint performance, or cumbersome security will drive them to undisciplined, often dangerous behaviour. All these tasks, and others, combine to secure the endpoint. Although security experts agree there is no such thing as a completely secure computer, virtual or otherwise, the goal is to make it so hard to penetrate that attackers will look elsewhere for easier targets.

It’s a daunting task. IT staff, stretched to capacity, may not be able to keep up with the work involved, tracking and applying updates to installed products, managing encryption keys, and monitoring server and endpoint logs.

One alternative is managed endpoints. Used in combination with your VPN, they are supplied, secured, monitored, backed up, and maintained through managed services by their supplier, providing a security and management alternative. These products are security hardened and configured for high performance and usability. The supplier takes care of vetting and installing patches and updates, and may provide additional services such as remote wipe management of lost or stolen machines and real-time security monitoring. With those burdens removed, IT staffers are freed to innovate and add value to the infrastructure, to work on more strategic projects of the corporate information and technology strategy, and the company is assured that its endpoints are protected by dedicated resources, capitalizing on the benefits of the VPN, without the risks indicated above.


Bibliography

deSouza, Francis. RSA Security conference keynote address, February 26, 2013. Retrieved from http://www.computerworld.com/s/article/9237212/Applying_big_data_approaches_to_information_security_a_challenge_

Farrell, Nick. TechEye.net. (2013, March 11). Iran will lop off your VPN for network adultery. Retrieved from TechEye.Net: http://news.techeye.net/security/iran-will-lop-off-your-vpn-for-network-adultery

Harley, David. CITP FBCS CISSP. (2013, January 3). ESET Senior Research Fellow. Retrieved from http://www.welivesecurity.com/2013/01/03/imperva-virustotal-and-whether-av-is-useful/

IDC Worldwide Endpoint Security 2012–2016 Forecast, July 2012.

Office of the Privacy Commissioner of Canada (2007, September 25). Inadequate security safeguards led to TJX breach, Commissioners say. Retrieved from http://www.priv.gc.ca/media/nr-c/2007/nr-c_070925_e.asp

Song, Steven. Security Architect for Corporate Security Programs, Cisco Systems Inc. (2010). SSL VPN Security. Retrieved from Cisco Systems Inc.: http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html


About the Authors

Lynn Greiner

Lynn Greiner is a freelance journalist specializing in information technology and business topics. She is also an IT professional, giving her real-world experience that allows her to cut through the hype and address topics that are relevant in the business world.

Her articles and white papers have been published in both print and online publications, including The Economist, The Globe and Mail, itWorld Canada, Computer Dealer News, CIO.com, Canadian Security, Security Matters, GlobeTechnology.com, Canadian Technology and Business, Computing Canada, and many others.

Lynn holds a Bachelor of Administrative Studies degree from York University.

Larry Keating

Larry Keating is president and CEO of NPC. He is recognized as Ontario’s first Ambassador for Privacy by Design by the Information & Privacy Commissioner of Ontario. Larry has also served as founding chairman of the Ministers’ Technology Advisory Group for the Province of Ontario; member of the Chair’s Advisory Council on e-Government and currently serves as a technical advisor to the Lieutenant Governor of Ontario for the Aboriginal Computer Literacy Program.

He is a speaker and author on a variety of topics including technology trends, data security and embedded privacy, and economic opportunity through the adoption and deployment of new technologies. Larry also founded Keating Technologies, which has been recognized as one of Canada’s 50 Best Managed Companies on three separate occasions, bringing more than $1.3 billion in technology and services to Canadian businesses and consumers.

Peter Giannoulis, GCIH, GCIA, GCFA, GCFW, GREM, GSNA, CISSP

Peter is a Principal at Source 44 Consulting, a team of experienced security experts specializing in deploying network and security technologies.

Over the last decade Peter has been involved in the design and implementation of client defenses using many different security technologies. He is also skilled in vulnerability and penetration testing having taken part in hundreds of assessments.


About NPC

NPC offers secure, professionally managed computers featuring a suite of backup, wireless, security and customer support services, controlled and supported by a sophisticated support and data centre strategy, for one low monthly payment.

Every NPC device features biometric access with professionally managed encryption and is automatically backed up each day. All systems are constantly monitored for security and backup compliance, malware attacks, physical unauthorized intrusion attempts and system performance. Lost, stolen or defective systems are replaced within 48 hours, with data and applications restored.

NPC provides the benefits of sophisticated endpoint security and management infrastructure without a large financial investment, and keeps pace with rapidly changing privacy and compliance demands, security threats and industry trends to provide certainty and control of confidential information.

For more information, visit www.nopaniccomputing.com, email info@npcmail.net, or call 1-855-667-2642.
