All posts in Uncategorized

Facts:

Small Businesses according to American Express Open

• 25% aren’t using A/V or if they are many are out of date and ineffective
• 60% don’t protect their wireless networks at the office
• 2/3rds don’t have a security plan in place
• Less than 6% of data breaches are discovered by the company. (Verizon Data Breach Report)

50% of businesses that are hacked go out of business within 3 years

1. Use Protection!… I mean software protection. For home users or very small businesses, we recommend downloading the free Microsoft Security Essentials http://www.microsoft.com/security_essentials. For businesses, we recommend using a centrally monitored end-point protection product, whether you do your monitoring or your IT Company.

2. Keep Your Software Up to Date. Every first Tuesday of the Month Microsoft releases fixes to bugs they and others find. These bugs are exploited by malicious software and can compromise your computer. Patching eliminates the known flaws to programs. Include Windows, Office, Adobe Acrobat, Adobe Flash, Java (if you really need it), Quicktime, or any other “plug-in” software
3. Give yourself and your employees minimal rights. It’s tempting to remove all controls and grant yourself and your staff full access to your computers because otherwise it’s a hassle. However, its best to have a separate account to do any “administrative” work.
4. Use Something Better than 12345. Choose strong passwords with letters, numbers, and special characters to create a mental image or an acronym that is easy for you to remember. Create a different password for each important account, and change passwords regularly. Read http://triadanet.com/is-your-password-12345/ for more information. Consider using a password manager like 1Password or LastPass
5. Be careful of where you compute. It’s great to go to a coffee shop to get some work done. It’s also a great way to get your information stolen. Although your bank provides a secure way to do business with them online, it is best to do that from your home network rather than the open network at a café or airport lounge.
6. Use Good Hygiene. Don’t open unsolicited emails especially if they have attachments, or links to reset a password that you didn’t request. Consider the websites you visit. Don’t put in random USB drives or CD’s you have found or been given.
7. Backup All The Time! Implement a system that security backups online whenever you have a connection whenever you make changes to a file. Not having an automatic offsite backup is a sure-fire way to forget to do it.
8. Protect your sensitive data. There are tools that can encrypt your hard drive so that if someone finds your computer they won’t be able to pull data off of it unless they have your password. Don’t carry lists of your clients’ credit card accounts. Besides being a PCI violation, it’s not responsible.
9.  Educate yourself, your colleagues, and your staff. Most people want to do the right thing. But many times barriers are put in front of them to do their jobs. Without proper explaining the reasons why and the risks involved, participants won’t buy-in to your policies.

As you can see, some of the items on this list are things that you can install onto your computers to help protect you from the bad stuff, the others are things behaviors that if followed would greatly reduce your risk.

#1 Overconfidence

You and your employees’ confident in the security systems and products is the #1 threat to your network. It doesn’t matter what anti-virus software or other safe-guards you are running if your employees do not surf safely. This will result in porn pop-ups or more nefarious spyware that will quietly steal information. Websites promising free stuff, result in theft of information like your mother’s maiden name, high school, etc. used to answer common security questions leading to theft of otherwise secure data. Think before you click!

#2 Social Networking Sites

No one can deny the popularity of social networking sites like Facebook. Threats range from malware (eg. viruses, worms, spyware) to scammers trying to steal your identity, information and money. Businesses are using these sites to communicate with their colleagues and clients, so blocking outright is no longer an option.  Educating your employees and enforcing a strong acceptable use policy.We can help you develop a policy, then monitor compliance using a Unified Threat Management device that controls and reports on network access.

#3 Attacks On Mobile Devices

Mobile is the largest growth area in computing. Mobile devices such as smartphones and tablets are growing at an incredible rate. These small mobile devices often contain sensitive business data and they are easily lost or stolen. Be sure to password protect and encrypt data on all mobile devices whenever possible. Ensure you include mobility and BYOD (Bring Your Own Device) in your acceptable use policy and your enforcement system.

#4 Cloud Computing

Although the cloud is many things, in its basic form it involves using the Internet to access and store your data. When you use programs that store their data online such as email, Facebook, DropBox and others, you are working in “the cloud.” Using the cloud for automated off site backup has rapidly gained popularity and is just the beginning. Companies like Microsoft and Google envision the day when we will use inexpensive terminals or devices such as tablets instead of computers to run programs and access data located somewhere on the Internet. Data should be secured not only where it is stored but as it is transmitted over the Internet.

Halloween is one of our favorite holidays. Not for the candy and not for the “scary old house” on the hill, but for Charlie Brown. Enjoy this Charlie Brown Classic and have a great Halloween.

The biggest technology related news this week, besides the Royal Wedding, has been the various outages with online services and cloud providers including Amazon, Rackspace, Yahoo, and Sony. This isn’t the first time this has happened and it won’t be the last. Cloud detractors use it as a way to show how the cloud or more broadly online services can’t be trusted for your corporate data or applications.

I’m not going to argue that fact. I think there is enough fear, uncertainty and doubt (FUD) around that and there are plenty of cloud cheerleaders that are positioning themselves on the other side. However, I wanted to discuss something that is being somewhat forgotten in the midst of all the cloud-frenzy and that is proper planning. It seems for many companies, both large and small, are putting applications and data in the cloud and are automatically going to be resilient to outages. Cloud proponents maintain that service providers who are in the business of providing hosting services are better positioned to run datacenters and infrastructure than most businesses. I frankly don’t disagree with this statement, however ultimately it is the business’ or their consultant’s responsibility to properly design the entire environment that sits on top of the cloud provider’s infrastructure. A failure in a component of the cloud ecosystem should not cause a complete outage.

If you are building a system that your business dictates that it requires high levels of uptime, you must include that in your design, whether it is a cloud based or traditional infrastructure. It is as if a failure in a database driven web application with two or more web-servers but only had one database server would be the fault of the database server vendor as opposed to the architect that set up the infrastructure to begin with. Similarly if you are building services that are using an elastic compute front-end and its back-end storage is only on a single storage system, you run the risk of an outage affecting the storage system taking the whole system down.

There are always trade-offs between the cost of a resilient system and the amount of uptime required. For example, if you require 99.9% up time (which amounts to around 9 hours of unplanned downtime each year) then you need to build a system that supports that and adding additional ’9′s grows the cost exponentially. An online flower merchant should plan based on the fact that these 9 hours may occur during the days leading up to Valentine’s Day, for example. Of course in all likelihood outages wouldn’t collect together and happen at the same time.

Unfortunately, businesses that have been hastily throwing their applications and data in the cloud (even very large systems) without failure planning. Without failure planning, businesses leave themselves to undo risk. Whether you are planning applications in your office, at a hosted datacenter, or in the cloud, proper planning with failure in mind is more important than anything.

Check out our Free BDR checklist http://triadanet.com/bdr

As we “weathered” the storm and are coming out the other end, what have we learned from this event? My home and my office are in the same town, but on different ends and they experienced the storm differently. The roads around my office were flooded and could not be reached (except by boat) but had power and connectivity. I use the term physical isolation with connectivity on the BDR whitepaper (http://triadanet.com/bdr) that I published recently.  At home, we have a complete loss of power and Internet connectivity except for laptop power and 3G/4G connectivity using a Verizon MiFi.

Pre-Storm

First we assessed our situation with all of our clients. Although our backup systems have a combination of automatic checking and some periodic manual checking, we felt it was prudent to review each client at a moment in time prior to any potential outage. We reviewed existing backups both onsite and offsite and added some additional backups to take place if it made sense to minimize recovery point gaps (Recovery Point is the difference between your last backup and when you suffered your outage…and therefore the gap in data loss when you bring things back online). This also had the added benefit of potentially reducing recovery times (Recovery Time is how long it would take to bring systems online from when an outage or disaster is declared). We felt these were important since the event could potentially take out more than one client at a time and reducing both of these would allow us to bring up more clients sooner.

During the Storm

During the storm and prior to our power outage at home, I monitored systems in each client office: services, power, and connectivity. Where we were able to, we tested UPS systems to ensure that a power disruption would give us time to shut equipment down without damage.  The majority of the storm took place after hours in our area. When we lost power at our home on Saturday night/Sunday morning, I continued to monitor my own systems. Fortunately, our office network did not suffer a power outage and we were able to continue to remotely monitor our clients’ systems.

Post-Storm

In the morning, I remotely was able to check to see if our clients’ systems were still operational and provided updates to each of them. Many customers had trouble getting into their offices because of flooding, transit issues, or downed trees, so they worked remotely. Ensuring that their remote connectivity was available was key.

The other issue that arised were systems/connectivity outside of the scope of the office and its locations. For example, one client had perfectly fine internet connectivity, but one of the peering relationships was not working well and therefore voice calls were not passing through properly. These types of issues are difficult to diagnose and report particularly after a major event when the ISP is worried about making sure their customers are up and running and not necessarily the problems any peers may have. This is unfortunate because it ultimately affects the service of a broad number of clients.

Another issue that came up were people working from home (including myself). Fortunately, I was able to reach my office. But many that commute into New York City were cut off and local coffee shops didn’t have power or were otherwise closed.  Those that had cellular service were able to at least use those devices to keep in contact by phone and email.

Final Points

As I look at some of the locations that were harder hit than the NYC metro area, it is obvious that this could have been a bigger concern than it was, but fortunately we had the right kinds of processes and systems in place that allowed us and our customers to get through it.  But like anything, there is always room for improvement.  Besides letting clients know that their systems were still operational during or after the storm, greater communication leading up to a known event should have taken place. In addition, since some events cannot be planned for like a hurricane, periodic communication in addition to testing plans would be prudent to keep things top of mind.

Knee-Jerk Reactions

One unfortunate side effect of these sort of event are knee-jerk reactions and vendor FUD (Fear-Uncertainty-Doubt). For example, one of the things that is cropping up are the large number of cloud related vendors telling companies that if your systems were in the cloud then you won’t have had down time or worried about an outage. This is only partially true. (See “Learning from the Cloud Outages and Failure Planning”) Just like anything else, your systems have to be properly planned out and you need to understand what sort of events you are going to be protected from.  Maybe you have an inhouse system that you still can utilize when your office does not have Internet connectivity; that would not be a good solution to put in a cloud). But if you have an applicatin that can be used by a distributed workforce or you have backup systems, those may be good candidates for the cloud. A cloud or hosted solution for your particular critical applicatinos can be a completely viable solution assuming you understand the caveats or they may not. Do your homework and talk to your trusted technology advisor.