<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6784721497599321652</id><updated>2011-07-08T04:06:39.698-07:00</updated><title type='text'>Everything InfoSec</title><subtitle type='html'>A blog for the information security community</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>9</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-4194923198555931724</id><published>2009-10-21T18:21:00.000-07:00</published><updated>2009-10-21T18:24:11.018-07:00</updated><title type='text'>A Business Management Approach to Managing IT Risk – Part Three</title><content type='html'>by Dennis Dickstein&lt;br /&gt;&lt;br /&gt;The management of IT risk should be accomplished through the management of processes and operational risks. 
Last month, we showed a framework for the management of business processes and provided a new proactive approach to managing operational risk. Each framework — business process management and operational risk management — is effectively a cycle, reflecting the recurring nature of managing a process. In fact, operational risk management is itself a business process and works in the same manner as all other business processes.  Placing the two frameworks side by side, with the “setting and revising the risk environment” component of the operational risk management framework on top and the “setting and revising business goals” component of the business process management framework on top shows the similarities between the two frameworks.  This is not a coincidence. &lt;br /&gt;&lt;br /&gt;Setting the risk environment should be performed while setting business goals.  Each activity requires participation from the highest levels of the corporation.  Therefore, it makes sense that these activities are linked. Conducting a simulation of the process model would be the ideal time to determine if potential risks exist. Then, determining ways to improve a business process model prior to its deployment would be a perfect opportunity to determine ways to reduce potential risks to the process. Thus these two sets of activities are obvious candidates to be linked. Once a process is executed, process performance, changes to the business environment, and actual control deficiencies or failures need to be identified. This action of identification is a vital part of ongoing monitoring, which is a component in each framework that can be linked together. Finally, the components of active risk management and process analysis are left. The active management of an identified risk requires the analysis of the impact of such management on the process. 
Similarly, the analysis of actual performance and potential process changes requires the understanding of risks to the corporation that these changes might create. Linking these two activities together is essential to the effectiveness of these frameworks.&lt;br /&gt;&lt;br /&gt;The result of linking these activities together is a combined integrated operational risk management and business process management (ORM-BPM) framework, as shown below.&lt;br /&gt;By integrating the two individual frameworks, business process management and operational risk management, the components and activities of one framework will work in tandem with the components and activities of the other framework in order to effectively manage and mitigate risk and improve business processes. The result is a comprehensive and integrated tool kit to help businesses link the management of operational risk with business process management and thereby operationalize operational risk management into the company culture. This is just the first step. The next step is determining when, where, and how to use these tools, not only with regard to technology, but also with respect to outsourcing, offshoring, all other processes within an organization, and its role in the governance over product and service development, deployment and implementation. &lt;br /&gt;&lt;br /&gt;Dennis Dickstein has over thirty years of experience in risk and business process management. Most recently, he installed an operational risk control framework and developed a framework for privacy and data protection, which he currently manages. This article is a compilation of excerpts from No Excuses: A Business Process Approach to Managing Operational Risk by Dennis I Dickstein and Robert H. Flast. 
If you are interested in learning more, the book can be purchased on &lt;a href="http://www.amazon.com/No-Excuses-Business-Approach-Operational/dp/0470227532/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1247060073&amp;amp;sr=8-1" target="_blank"&gt;amazon.com&lt;/a&gt; or on &lt;a href="http://search.barnesandnoble.com/No-Excuses/Dennis-I-Dickstein/e/9780470227534/?itm=1" target="_blank"&gt;barnesandnoble.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-4194923198555931724?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/4194923198555931724/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/10/business-management-approach-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/4194923198555931724'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/4194923198555931724'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/10/business-management-approach-to.html' title='A Business Management Approach to Managing IT Risk – Part Three'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-7671487333538670896</id><published>2009-08-26T18:33:00.000-07:00</published><updated>2009-08-26T18:38:55.437-07:00</updated><title type='text'>Securing a Hacker-Free Zone on the 
Internet</title><content type='html'>by Jacqueline Herships&lt;br /&gt;&lt;br /&gt;A recent patent series promises a new, secure telecommunications system by mitigating risks to Internet telephony like Voice over Internet Protocol (VoIP) from espionage, hacking, intrusion, and interruption of service.&lt;br /&gt;&lt;br /&gt;The entire worldwide Domain Name System (DNS) was brought to its knees by hackers not too long ago; however, this new Internet telecommunications system will not depend on DNS.&lt;br /&gt;In theory at least, the Wild West days of Internet telecommunications are over.&lt;br /&gt;&lt;br /&gt;Based upon the inventions articulated in his five-patent suite, inventor Harry Emerson III, has mapped out a union between our secure and venerable telephone system - (Plain Old Telephone Service; a.k.a., POTS) - and the hyper-evolving, media-rich Internet which is so famously not one bit secure.&lt;br /&gt;&lt;br /&gt;As it evolves, he believes this next generation telecommunications system, dubbed IronPipe™, will have huge implications for national security as well as tremendous new revenue opportunities for the carriers and supply chains which serve them.&lt;br /&gt;&lt;br /&gt;Conceived in response to what he views as the seriously flawed paradigm, which is currently developing as telecommunications migrates to the Internet, Mr. Emerson says he designed IronPipe™ to offer an alternative with a high degree of security.&lt;br /&gt;&lt;br /&gt;The Internet has produced something akin to a gold rush experience for those mining its resources and developing its vast potentialities, he said. 
However, in the midst of this frenzy, he has observed that fundamental requirements of privacy, secrecy, and security are seldom openly discussed when it comes to Internet-based phone services known as Voice over Internet Protocol (VoIP) systems such as Skype, which are proliferating in cyberspace.&lt;br /&gt;&lt;br /&gt;These are serious issues, he maintains, and they need to be fully considered by users such as corporations, telecommunications carriers, VoIP carriers, law enforcement agencies, and federal and state governments, as well as by the millions of Internet-using individuals who are concerned with their own personal privacy.&lt;br /&gt;&lt;br /&gt;According to Mr. Emerson, our current state of vulnerability came about because we have turned a blind eye to these issues of privacy, secrecy and security, combined with the scramble for profit, and an unregulated environment for VoIP.&lt;br /&gt;&lt;br /&gt;“The Internet is a lawless frontier where nothing is safe and secure and reliability is always one step away from calamity,” he says. “As things stand today, VoIP does little to protect the interests of the aforementioned entities, not to mention protecting the security of the United States. We are suffering untold numbers of hacker attacks DAILY, with systems broken into and identities stolen. Not too long ago the entire worldwide DNS system (Domain Name System) was brought to its knees by hackers,” Emerson said.&lt;br /&gt;&lt;br /&gt;In his opinion, if the technology continues to develop in its current direction, no one will be able to guarantee that communications cannot be intercepted and monitored. 
In addition, if we examine our circumstances, a lot of the excitement generating the rush to VoIP is based upon an illusion, the appearance that we are being offered new and sophisticated technologies.&lt;br /&gt;In fact, existing VoIP offerings are simply discounted POTS service, he says, with no value-added features, only lower cost caused by fierce price pressure from cable TV and other low-overhead vendors. The result is the continued downward spiral on price that has plagued the telecommunications industry for 30 years.&lt;br /&gt;&lt;br /&gt;IronPipe™ is a re-thinking of 21st century telecommunications architecture, which will return a sense of safety to our society as a whole, reinvigorating our economy from the inside out.&lt;br /&gt;If his vision is implemented, Mr. Emerson says we won’t have to put up with either the fear of intrusion or the huge financial burden of protecting ourselves from the ever-increasing army of those with malicious intent.&lt;br /&gt;&lt;br /&gt;We will now have a choice. The challenge is that VoIP companies such as Skype (NASDAQ: EBAY), Vonage (NYSE: VG) and the various Cable carriers (Comcast NASDAQ: CMCSA, Time Warner: NYSE TMC, and CableVision: NYSE CVC) , which have migrated to the Internet, did so not only to provide cheaper communications, but to avoid regulatory scrutiny.&lt;br /&gt;“If you don’t have to deal with the regulations it tends to make it cheaper,” Emerson said, “but these profits come at a price.” “The integrity of the communications system has been compromised because of this short term thinking geared towards reducing costs.”&lt;br /&gt;&lt;br /&gt;In its simplest terms, IronPipe™ enables us to make Web 2.0 Internet-style media rich calls utilizing the existing private, protected, secure, Public Switched Telephone Network (PSTN), and its unseen private data network - known as Signaling System #7 (SS7), which connects all the main switches around the world. 
While VoIP uses the Internet exclusively and thus can be, and regularly is, compromised by persons of malicious intent, if we establish Internet calls through these telephone company switches there will be no access from the outside.&lt;br /&gt;&lt;br /&gt;We can create rich media visual telephone calls on broadband Internet connections, using wire-line or wireless touch-screen phones such as the Apple (NASDAQ: AAPL) iPhone, simply by dialing a phone number, and still enjoy the privacy, security and reliability of traditional telephone calls.&lt;br /&gt;&lt;br /&gt;Mr. Emerson says that his technology seamlessly merges the best of the Internet with the best of the telephone network. Considering the cost to government, industry and “society at large” to protect against intrusion and to remediate the damage caused by intrusion, IronPipe™ could be well worth looking into.&lt;br /&gt;&lt;br /&gt;Harry Emerson, the founder of &lt;a href="http://www.emersondevelopmentllc.com/"&gt;Emerson Development&lt;/a&gt;, and a 25 year veteran of AT&amp;amp;T, has conceived of a patented plan for the world-wide telecommunications system which continues to enable valuable multimedia using the broadband capabilities of the Internet while bypassing hazardous VoIP architecture completely, thus eliminating VoIP-induced vulnerabilities to spying / espionage, hacking, intrusion, identity theft, and distributed interruption of service.&lt;br /&gt;&lt;br /&gt;Jacqueline Herships is the founder of &lt;a href="http://www.jacquelineherships.com/"&gt;Jacqueline Herships &amp;amp; Associates&lt;/a&gt;, a strategic communications and new business development company.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-7671487333538670896?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://everythinginfosec.blogspot.com/feeds/7671487333538670896/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/08/securing-hacker-free-zone-on-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/7671487333538670896'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/7671487333538670896'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/08/securing-hacker-free-zone-on-internet.html' title='Securing a Hacker-Free Zone on the Internet'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-3183817469322849519</id><published>2009-08-07T16:37:00.000-07:00</published><updated>2009-08-07T16:42:52.138-07:00</updated><title type='text'>A Business Management Approach to Managing IT Risk – Part Two</title><content type='html'>by Dennis Dickstein&lt;br /&gt;&lt;br /&gt;All IT risks represent operational risks that should be managed during the design, simulation, deployment, execution and monitoring of business processes. By integrating the management of operational risks with the management of business processes, companies can ensure the proper and timely identification, evaluation and mitigation of IT risks. Therefore, the management of IT risk can and should be accomplished through the management of processes and operational risks.&lt;br /&gt;&lt;br /&gt;Generally, a process produces some value-adding output to an internal or external customer of the process. 
It does this in response to one or more inputs that are either products or services that will be transformed in the process to create the value-adding outputs, or are information signals, such as events, that trigger the commencement of the process. In either case, the process will produce customer value, subject to a set of business controls. Resources may be used or consumed in the execution of the process.&lt;br /&gt;&lt;br /&gt;The standard ORM framework recommended by COSO, Basel II and SOX 404 has four basic elements: setting the risk environment, managing the risk, ongoing monitoring and disclosure. This framework remains reactive and manages only those operational risks actually realized through the monitoring of events and losses and the reporting of those risks and losses. A few changes could ensure a more robust and proactive ORM framework: expand the function of monitoring to include business process monitoring; add a new framework element to determine potential risks, with a feedback loop to redefining the risk environment; and remove disclosure as a framework element and instead include it in all of the elements.&lt;br /&gt;&lt;br /&gt;Each framework — business process management and operational risk management — is effectively a cycle, reflecting the recurring nature of managing a process. In fact, operational risk management is itself a business process and works in the same manner as all other business processes. Placing the two frameworks side by side and then integrating them would be a natural next step in helping to manage IT risks as well as other operational risks. The next article on this subject will explore this point further.&lt;br /&gt;&lt;br /&gt;Source: Dickstein, Dennis I. and Robert H. Flast. No Excuses: A Business Process Approach to Managing Operational Risk. Hoboken: John Wiley &amp;amp; Sons, 2009.&lt;br /&gt;&lt;br /&gt;Dennis Dickstein has over thirty years of experience in risk and business process management. 
Most recently, he installed an operational risk control framework and developed a framework for privacy and data protection, which he currently manages. This article is a compilation of excerpts from No Excuses: A Business Process Approach to Managing Operational Risk by Dennis I Dickstein and Robert H. Flast. If you are interested in learning more, the book can be purchased on &lt;a href="http://www.amazon.com/No-Excuses-Business-Approach-Operational/dp/0470227532/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1247060073&amp;amp;sr=8-1" target="_blank"&gt;amazon.com&lt;/a&gt; or on &lt;a href="http://search.barnesandnoble.com/No-Excuses/Dennis-I-Dickstein/e/9780470227534/?itm=1" target="_blank"&gt;barnesandnoble.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-3183817469322849519?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/3183817469322849519/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/08/business-management-approach-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/3183817469322849519'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/3183817469322849519'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/08/business-management-approach-to.html' title='A Business Management Approach to Managing IT Risk – Part Two'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' 
src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-3878476497746728024</id><published>2009-07-14T17:29:00.000-07:00</published><updated>2009-07-16T17:13:23.957-07:00</updated><title type='text'>A Business Management Approach to Managing IT Risk – Part One</title><content type='html'>by Dennis Dickstein&lt;br /&gt;&lt;br /&gt;The most obvious failure of technology for an organization is an outage or loss of service in the internal or external information technology (IT) systems, networks or other infrastructure that in turn cause an interruption in agreed to service levels that support the business. This loss of service can be caused by accidental or deliberate fire, power failure, vandalism, flood, weather damage, an aircraft collision, a terrorist attack, environmental disasters and even poor quality software. For external IT systems such as the Internet and other external networks, in addition to the causes listed above that plague both internal and external technology, external IT systems are additionally vulnerable to excess demand for services and denial of service attacks.&lt;br /&gt;&lt;br /&gt;Broadly defined, the above failures represent risks to availability and service continuity management. Availability management defines the technology requirements to meet business service levels. Technology requirements are typically specified with respect to IT services, applications, operating systems and middleware, hardware, networks and facilities. Examples of availability risks to these requirements include single points of failure, incorrect configurations, design flaws, out of date or unsupported versions, poor documentation or procedures, inadequate vendor support, lack of spares, and insufficient resources, both physical and human. 
Countermeasures should be implemented for these risks when they are likely to compromise the meeting of agreed to service levels.&lt;br /&gt;&lt;br /&gt;Risks that IT poses to the business are in the typical categories of operational risks, such as:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Internal and External Fraud&lt;/li&gt;&lt;li&gt;Employment Practices &amp;amp; Workplace Safety&lt;/li&gt;&lt;li&gt;Clients, Products, &amp;amp; Business Services &lt;/li&gt;&lt;li&gt;Exposure of sensitive information &lt;/li&gt;&lt;li&gt;Damage to Physical Assets &lt;/li&gt;&lt;li&gt;Business Disruption &amp;amp; System Failure &lt;/li&gt;&lt;li&gt;Execution, Delivery &amp;amp; Process Management &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;To the extent that developers of technology solutions, either in your organization or in your clients’ and suppliers’ organizations, have access to systems that drive your automated processes and to data concerning your financial accounts, employees and customers, the potential for fraud, both internal and external, or disruption to your business and the execution and delivery of its processes, is one that needs to be taken as seriously as availability and service continuity management.&lt;br /&gt;&lt;br /&gt;In addition, systems development and implementation can be adversely affected by changing and uncertain requirements and technologies, as well as unrealistic schedules and budgets, and shortfalls in personnel and externally provided software components. Given the complexity of developing technology based solutions, even a simple mistake, such as developing the wrong user interface, can create significant risk. 
Finally, external pressures can cause risk too, such as creeping user requirements, excessive schedule pressure, cost overruns, low user satisfaction and involvement, excessive time to market and harmful competitive actions.&lt;br /&gt;&lt;br /&gt;In the end, all IT risks represent operational risks that can and should be managed during the design, simulation, deployment, execution and monitoring of business processes. By integrating the management of operational risks with the management of business processes, companies can ensure the proper and timely identification, evaluation and mitigation of IT risks.&lt;br /&gt;&lt;br /&gt;The next article on this subject will explore this point further.&lt;br /&gt;&lt;br /&gt;Source: Dickstein, Dennis I. and Robert H. Flast. No Excuses: A Business Process Approach to Managing Operational Risk.   Hoboken: John Wiley &amp;amp; Sons, 2009.&lt;br /&gt;&lt;br /&gt;Dennis Dickstein has over thirty years of experience in risk and business process management. Most recently, he installed an operational risk control framework and developed a framework for privacy and data protection, which he currently manages. This article is a compilation of excerpts from &lt;em&gt;No Excuses: A Business Process Approach to Managing Operational Risk&lt;/em&gt; by Dennis I Dickstein and Robert H. Flast. 
If you are interested in learning more, the book can be purchased on &lt;a href="http://www.amazon.com/No-Excuses-Business-Approach-Operational/dp/0470227532/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1247060073&amp;amp;sr=8-1" target="_blank"&gt;amazon.com&lt;/a&gt; or on &lt;a href="http://search.barnesandnoble.com/No-Excuses/Dennis-I-Dickstein/e/9780470227534/?itm=1" target="_blank"&gt;barnesandnoble.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-3878476497746728024?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/3878476497746728024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/07/business-management-approach-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/3878476497746728024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/3878476497746728024'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/07/business-management-approach-to.html' title='A Business Management Approach to Managing IT Risk – Part One'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-6848656937287354034</id><published>2009-07-09T18:41:00.000-07:00</published><updated>2009-07-09T18:54:43.003-07:00</updated><title type='text'>Virus Infection - What Now?</title><content 
type='html'>by Ajay Gupta&lt;br /&gt;&lt;br /&gt;When dealing with viruses or any malware, an old adage rings true: Prevention is the Best Medicine. Still, these infections are almost as inevitable as they can be debilitating and organizations relying on 24/7 availability of IT resources simply must have a documented incident response plan that coordinates resources to simultaneously fight infections and restore services with minimal downtime while protecting the organization and its data.&lt;br /&gt;&lt;br /&gt;The general incident response process is broken down into six stages, including Preparation, Identification, Containment, Eradication, Recovery, and Follow-up, and involves the public relations and internal communications departments so the appropriate messages can be relayed to employees, business partners, customers, and the public at the appropriate times. This article focuses on the benchmarks that let you know when it is safe to restore services and get back online quickly with the infecting virus or Trojan no longer posing a threat of spreading and of compromising data and services.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;When to get back online?&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Once an organization’s security measures have been penetrated by a virus, without a plan in place, there is often confusion as to what exactly is happening and what exactly must be done. With a plan in place, organizations can move quickly to quarantine infected hosts and gather data on the infection.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Quarantine&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;We quarantine so the infection cannot infect additional hosts, transmit data outbound, or receive instructions from Command &amp;amp; Control servers managing the (potential) bot network. Depending on how far and wide the infection has spread, the quarantine may include hosts, subnets, or entire domains. 
It is possible that restricting the flow of the virus may require the entire network to be disconnected from the Internet, at least temporarily. You don’t want your data transmitted off of your network, and no one wants to be a jumping off point for the infection to hit other networks.&lt;br /&gt;&lt;br /&gt;Simultaneously, we want to log all witnessed behavior and symptoms of the infection – and post it visibly on the walls of the incident command room to ensure that all known information is shared among staff investigating and fighting the infection. Given the speed of virus propagation and that they can lie dormant for varying periods of time, we continue data gathering while quarantining hosts and disinfecting machines.&lt;br /&gt;&lt;br /&gt;Once the infection is quarantined, it is time to remediate.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Remediate&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Remediation is a critical step that must be performed prior to restoring services. In fact, the faster remediation takes place, the faster services can be restored online. Remediation is the process of cleaning the infected hosts or mitigating all witnessed behavior and symptoms of the infection. A host is deemed ‘clean’ if:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;A known means of deleting the infecting virus, Trojan, or other malware and preventing re-infection has been implemented (e.g. a production virus signature from an Anti-Virus/Security vendor, or a virus-removal tool). &lt;/li&gt;&lt;li&gt;The host can be compared to a clean image and data integrity is maintained. &lt;/li&gt;&lt;li&gt;The host (typically workstation) can be rebuilt from a clean image.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;These three items are not always available in the midst of an infection. 
This is especially true of zero-day attacks, and infections from ‘unpopular’ viruses against which signatures are not actively being developed.&lt;br /&gt;&lt;br /&gt;We may want to stay offline until every infected host has been thoroughly cleaned or re-built – even if this takes a week or longer. However, in many organizations such a loss of computing resources may not be tolerable and business units may not be able to function.&lt;br /&gt;&lt;br /&gt;On the other hand, we can’t continue to operate with an active virus on our network. So we need a middle ground that allows us to continue operations while the infection is mitigated or fully blocked.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Middle Ground: Mitigation &amp;amp; Countermeasures&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Mitigation means that security countermeasures are in place to block or deny each witnessed action and behavior of the infection – this is where the running list of witnessed activity is taken into consideration.&lt;br /&gt;&lt;br /&gt;For example, let’s assume the following is a listing of witnessed actions and behavior of the infection:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;1. Changes to normal operations: &lt;/p&gt;&lt;ul&gt;&lt;li&gt;Windows Explorer breaks &lt;/li&gt;&lt;li&gt;Unexpected reboots &lt;/li&gt;&lt;li&gt;Regular and frequent reboots &lt;/li&gt;&lt;li&gt;Machines shut down upon initial infection. &lt;/li&gt;&lt;li&gt;Changes to log settings &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;2. System Configuration Changes: &lt;/p&gt;&lt;ul&gt;&lt;li&gt;Windows Registry settings edited &lt;/li&gt;&lt;li&gt;New user accounts created &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;3. Software installed on host: &lt;/p&gt;&lt;ul&gt;&lt;li&gt;Keystroke logger &lt;/li&gt;&lt;li&gt;Spyware &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;4. 
Files created on infected hosts: &lt;/p&gt;&lt;ul&gt;&lt;li&gt;‘Password’ text file is seen on infected hosts &lt;/li&gt;&lt;li&gt;File names corresponding to the virus’ name &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;5. Unusual communication attempts:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Attempted FTP connections from infected machines to multiple, unrecognized addresses &lt;/li&gt;&lt;li&gt;SMB connections to and between IPC$ shares originated by infected hosts to potentially clean hosts (potential means of virus propagation) &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;We need to design, test, and deploy security measures to block these symptoms, for example: &lt;/p&gt;&lt;ol&gt;&lt;li&gt;Configure and run Anti-Virus with the latest signatures and rules to block the creation, writing, and execution of all suspected bad files. &lt;/li&gt;&lt;li&gt;Run a script in a loop to delete all virus-related files and kill its process and service. &lt;/li&gt;&lt;li&gt;No re-population of infected files after deletion. &lt;/li&gt;&lt;li&gt;Restore Windows Registry settings to correct/default settings. &lt;/li&gt;&lt;li&gt;Verify normal operations&lt;br /&gt;a) Windows Explorer is operating normally&lt;br /&gt;b) No unrecognized rebooting &lt;/li&gt;&lt;li&gt;Delete unauthorized accounts &lt;/li&gt;&lt;li&gt;No further outbound FTP connection attempts to known ‘bad’ IP addresses. &lt;/li&gt;&lt;li&gt;Change system and domain administrator passwords. 
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Based on all information known at the time, and if the deployed countermeasures can be shown to mitigate the known actions and behavior of the infection, systems can be brought back online.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Middle Ground: Testing and Adjusting Countermeasures&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;We do need to ensure our countermeasures are working, and to do so we bring back network connectivity and restore services with a deliberate, phased approach, and at each stage test the network to ensure the infection is held in check. For example, we can allow a server or multiple servers to operate disconnected from the network for a period of time, e.g., three (3) hours or half a day, and monitor behavior. If all is as expected (e.g., no unexpected FTP requests), we can take a further step of restoring internal connections – e.g., connecting quarantined and mitigated LANs to the server – and again monitor operations for evidence of virus activity. All business rules should remain implemented and function properly. During this time, we also work with the users to ensure data integrity. We are also looking for signs that the virus is active or is being blocked.&lt;/p&gt;&lt;p&gt;We monitor the tests closely to know when and if access needs to be removed (again) from the network. Also, if new or additional behavior is witnessed, additional countermeasures will need to be developed, tested, and implemented before fully restoring services.&lt;br /&gt;If no new or additional behavior is witnessed, we expand our testing of the countermeasures to additional hosts and bring back additional services until all normal operations are restored. Normal operations include restoring network connectivity, services, and Internet access.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Virus Removal&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Restoring services does not complete the IR effort. 
The task of removing the virus remains and must be completed by one of the three processes identified above. From a strict security perspective, it’s preferable to restore services only when fully confident that the infection is cleared out. However, security is often only one of the considerations that CIOs must juggle – productivity (profit) concerns play a role as well.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;A compromise between these two positions is to reconnect services once the known behavior of the infection is neutralized. That point should imply that the organization can conduct operations as normal. It’s true that if the virus is still on the system, it may still be causing harm without our knowledge – that is the risk the organization assumes in order to get back online prior to fully cleaning the network. &lt;/p&gt;Ajay Gupta (CISSP) is President of &lt;a href="http://www.gsecurity.com/"&gt;Gsecurity, Inc.&lt;/a&gt; - &lt;a href="http://www.gsecurity.com/"&gt;http://www.gsecurity.com/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-6848656937287354034?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/6848656937287354034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/07/virus-infection-incident-response.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/6848656937287354034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/6848656937287354034'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/07/virus-infection-incident-response.html' title='Virus Infection - What 
Now?'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-1271091221130806366</id><published>2009-06-25T16:23:00.000-07:00</published><updated>2009-06-30T14:11:09.876-07:00</updated><title type='text'>"We’re too busy to do IT security”. Really? That’s the point. Time to outsource.</title><content type='html'>By Emerson Killam&lt;br /&gt;&lt;br /&gt;Let’s face it: convincing companies to be proactive and take a holistic approach to web and network security isn’t always an easy gig. Many companies "get it"; unfortunately, many more remain in denial. Their response is similar to poking your fingers in your ears and saying "la-la-la, I can't hear you".&lt;br /&gt;&lt;br /&gt;Some objections are pretty standard. For example:&lt;br /&gt;“We haven’t budgeted for conducting security analysis, so we are unable to do it.” OK - understood. No money to check for potential attack vectors that could cost your business time, money, and effort. I understand, many IT departments are challenged with doing more with less these days.&lt;br /&gt;&lt;br /&gt;Consider this: have you budgeted for the damage-control campaign when all your customers’ financial information ends up in the hands of Joe Hacker, who in turn resells the information to willing buyers? In this same budget, are there funds set aside for emergency IT work to plug security holes that could have been identified before the attack? Then there is the added chore of reporting to the company's executive that an attack took place, and that it was both foreseeable and preventable.&lt;br /&gt;&lt;br /&gt;I'd much rather tell my boss what the problems were, than for them to learn about it from an angry customer. 
By knowing what needs to be secured in advance, you can easily plan for costs related to securing your applications, rather than paying in multiples to solve it when a crisis occurs.&lt;br /&gt;&lt;br /&gt;Another objection goes:&lt;br /&gt;“We’ve never had a problem in the past. Why do we need help with IT security? Our website is so small nobody will try to attack us.” I'm sure that the IT managers at eBay and CIBC probably raised the same objection before they had some very public problems regarding web application security.&lt;br /&gt;&lt;br /&gt;Waiting for a security incident to happen to justify the investment is just like waiting to buy car insurance AFTER you have an accident. My experience has been that small business has a lot to be concerned about. Often with limited resources, a compromised web application can operate for weeks undetected due to limited monitoring resources in smaller companies. By the time the issue of security is discussed - it is more often during a crisis, rather than planning to avoid one.&lt;br /&gt;&lt;br /&gt;I think perhaps one of my favourite objections to security assessments has to be the following:&lt;br /&gt;“My staff and I are so busy, we don’t have time for IT security scans or testing”. Again, lack of resources is not an excuse for lack of planning. Security analysis is a highly specialized discipline and it is completely unrealistic to expect any day-to-day IT team could manage the depth of analysis a third-party consultant focused in this area could provide, likely for less cost to your business.&lt;br /&gt;&lt;br /&gt;Many firms contract and outsource IT services, prepared on-demand, not when someone is capable of 'getting around to it'. The other advantage is that the detailed reporting provided makes your department look like geniuses, for identifying risks, and for obtaining an actionable plan for dealing with them. 
Let someone else do the work, you take the credit.&lt;br /&gt;&lt;br /&gt;“I don’t have time to take care of IT security” is the very reason why companies should seriously consider outsourcing this critical part of maintaining their organization's electronic assets. Your web applications and network aren't going to fix themselves.&lt;br /&gt;&lt;br /&gt;Emerson Killam is a Web Security Analyst at &lt;a href="http://pcis.com/"&gt;PCIS&lt;/a&gt; - &lt;a href="http://pcis.com/"&gt;http://pcis.com/&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-1271091221130806366?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/1271091221130806366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/06/were-too-busy-to-do-it-security-really.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/1271091221130806366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/1271091221130806366'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/06/were-too-busy-to-do-it-security-really.html' title='&quot;We’re too busy to do IT security”. Really? That’s the point. 
Time to outsource.'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-4477696047643233028</id><published>2009-06-24T09:29:00.000-07:00</published><updated>2009-06-24T09:32:28.298-07:00</updated><title type='text'>How to Use Social Networking to Steal Your Identity</title><content type='html'>Found a great article on how social networking makes identity theft a lot easier "&lt;a href="http://www.examiner.com/examiner/x-6171-Chicago-Social-Networking-Examiner~y2009m6d21-How-Im-going-to-use-social-networking-to-steal-your-identity"&gt;&lt;em&gt;How I'm going to use social networking to steal your identity&lt;/em&gt;&lt;/a&gt;". Ron Shulkin does a nice job of pointing out where we leave a trail of sensitive information that, put together, provides a surprisingly complete picture of who we are and how to attempt access to our password protected websites. 
BTW, did you know that "monkey" is the 6th most commonly used password according to PC Magazine (after the usual suspects like "password", "123456", etc)?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-4477696047643233028?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/4477696047643233028/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/06/how-to-use-social-networking-to-steal.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/4477696047643233028'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/4477696047643233028'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/06/how-to-use-social-networking-to-steal.html' title='How to Use Social Networking to Steal Your Identity'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-6984325992364738584</id><published>2009-06-19T16:49:00.000-07:00</published><updated>2009-06-20T05:39:07.560-07:00</updated><title type='text'>Shifts in Security – What it Means for the IT Department</title><content type='html'>&lt;em&gt;by Rob Newby&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Security has seen a marked shift in recent times. 
Emphasis on securing the perimeter is dying down to justified levels, having been over-hyped for the best part of 2 decades, as corporates realise the value of securing their data.&lt;br /&gt;&lt;br /&gt;In the late 90s and even early this decade, security was roughly defined as drawing a circle around your network, the users on the inside, the bad guys on the outside, and the business having control over who came in and out. In hindsight it’s easy to see the holes in this model – users working outside ‘the circle’: outsourcers, remote workers (via VPN), data leaving the enterprise on disks and on laptops. Laptops have been a huge source of productivity, but also a huge increase in risk.&lt;br /&gt;&lt;br /&gt;Having been an advocate of data security since it was unfashionable to be so, I’ve come across heavy opposition to it. As has The Jericho Forum, a group of like-minded security professionals set up to discuss ways of ‘deperimeterising’ security, and knocking down walls, the barriers to business. However, now people are beginning to realize data security for what it is: essential to the running of a business.&lt;br /&gt;&lt;br /&gt;Traditionalists talk of Confidentiality, Integrity and Availability as the cornerstones of security, implying that secure data must be slow and corruptible, or uncorruptible data must be slow and unwieldy. And in earlier days it was, but it should now be fairly obvious, especially considering recent high profile data losses, that the risk is around data. Securing it is necessary to do effective business, and we now see that it can increase performance and trust, strengthening the security of the networks it is held in.&lt;br /&gt;&lt;br /&gt;At this point in time, perimeter security is still a very necessary investment; layered security or defense in depth is very important to keep intruders out at every level. But will this ever change? 
I would love to see firewalls disappear up their own ARPs, but, mutating as they have done, they seem unlikely to disappear. The reality is that data and network security will start to merge in terms of UTM, content filtering and key management systems, with a data standard being used for compression, encryption and signing.&lt;br /&gt;&lt;br /&gt;With luck then, this will not mean more large investments, replacing firewalls, investing in huge new data security deployments, but rather incremental security – layers, in depth. Where currently data lies in the clear, soon it will be encrypted, compressed, signed, tagged and linked to. This can happen over time. Where network boundaries exist, the data can be controlled in terms of its tags, encryption or signature. The thing about security is it never shifts so fast, and it is the users who decide when this happens.&lt;br /&gt;&lt;br /&gt;Vendors continually try to make quantum leaps in security technology without examining what they already have. But unless you want to know about every piece of software on the market there is little to worry about in terms of being left behind. As long as you are aware of your risks, security will keep up with you without you having to keep up with security.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Rob Newby is a guest blogger for &lt;em&gt;Everything InfoSec&lt;/em&gt;. Rob is a partner in ABC Networking Ltd. 
an IT security consultancy and reseller based in the UK – &lt;a href="http://www.abcnetworking.co.uk/"&gt;www.abcnetworking.co.uk&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-6984325992364738584?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/6984325992364738584/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/06/shifts-in-security-what-it-means-for-it.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/6984325992364738584'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/6984325992364738584'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/06/shifts-in-security-what-it-means-for-it.html' title='Shifts in Security – What it Means for the IT Department'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6784721497599321652.post-1166931112788389521</id><published>2009-06-18T15:47:00.000-07:00</published><updated>2009-06-18T19:09:15.685-07:00</updated><title type='text'>Welcome to Everything InfoSec</title><content type='html'>Welcome to the first post on &lt;em&gt;Everything InfoSec&lt;/em&gt; - a new blog for the information security community!&lt;br /&gt;&lt;br /&gt;This blog is an offspring of the largest &lt;a 
href="http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fe%2Fgis%2F38412%2F3808A17D1E37&amp;amp;urlhash=JSjL"&gt;LinkedIn group &lt;/a&gt;for professionals in the information security industry. The purpose of the infosec community is to build a network that connects people, opportunities, and ideas. So if you are involved in purchasing, selling, designing, marketing ... or using information security solutions - this community blog is for you.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Everything InfoSec&lt;/em&gt; is community managed. If you have something interesting to share, you can contribute to this blog. Here we can cover everything related to information security (and of interest to our community) across all technologies, threats and best practices, including data protection, compliance, encryption, identity theft, disaster recovery, application security, business continuity, secure storage, network security, anti-virus, intrusion prevention - you name it. The best contributions will also become part of the community newsletter.&lt;br /&gt;&lt;br /&gt;If you would like to become an official blog author, please send me an email with the content you'd like to post.&lt;br /&gt;&lt;br /&gt;I hope you will find this new blog interesting and engaging!&lt;br /&gt;&lt;br /&gt;Holger Schulze&lt;br /&gt;&lt;a href="mailto:hhschulze@gmail.com"&gt;hhschulze@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6784721497599321652-1166931112788389521?l=everythinginfosec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://everythinginfosec.blogspot.com/feeds/1166931112788389521/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://everythinginfosec.blogspot.com/2009/06/welcome-to-everything-infosec.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6784721497599321652/posts/default/1166931112788389521'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6784721497599321652/posts/default/1166931112788389521'/><link rel='alternate' type='text/html' href='http://everythinginfosec.blogspot.com/2009/06/welcome-to-everything-infosec.html' title='Welcome to Everything InfoSec'/><author><name>Holger Schulze</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='20' height='32' src='http://3.bp.blogspot.com/_FctGxoFET_c/SkKt9yWTd-I/AAAAAAAAAAQ/-l2G_y491k4/S220/SCAN0010.2small2.jpg'/></author><thr:total>0</thr:total></entry></feed>
