Thursday, August 13, 2009

Security in the Air...

With the new trend on internet on airplanes, I am presented with a new question.

Is airplane wireless any different than coffee shop or other public hotspots, or cell carrier wireless?

Of course, that goes on top of these other questions I already had. What do you tell your clients about their security concerns when accessing the internet while on the road or a business trip? Should clients be using those "privacy screens" on their laptops? Do wifi devices have any additional concerns?

These are all questions that I have asked myself about lately. Right now, at this very moment, I am for the first time using internet on a Delta flight. I find that the questions are even more insistent as I type this from my seat at 28C.

Now, I know that it seems that I have an answer for everything. But I do not. I post those things where I have reached a conclusion based on my long experience in the field as both technician and business advisor. But for this, I do not have answers.

Now, don't get me wrong. I have some ideas, but they are not as polished as I would like, and the final conclusions are still in a state of flux. Of course, shield your laptop screen if possible, but do we push this with our clients, especially if they are using a business laptop for recreation on vacation? Do we get them to use those little wireless routers or the new hotspot devices from Verizon and Sprint? Do we advise them to not use the free Wifi at the airports because nefarious people put up hotspots cloning the same SSID as the airport's wifi? (True story, that does happen and I have seen it!)

There is help on the way! I am excited about the new multi-policy firewall inside Windows 7 that will allow multiple network connections at once with a different policy for each. Paul Cook writes about how it will help to enable the mobile workforce.

Lots of questions and I am still looking for my final answers on this.

Sunday, August 09, 2009

Justifying the Cost of Security...

Security is always a balance between available money and potential for threats.

Ever been in that situation with a client where they NEED some righteous security upgrades, but you haven't figured out how to get them to pay for it?

Yep, if you have been in business any amount of time, you can say "YES" to that statement. I have often been there and have tried different methods to get the client to do the right thing. So, here are my thoughts on how best to do this.

  • FIRST, decide if this is a keeper client. If they fight you on every upgrade that you advise, then disengage with them. This becomes the item you can use to "request" the client become serious. Let them know that, if they do not "get with the program", you will have to refer them to another tech firm.

  • SECOND, Do not resort to lists of feature sets. Most smaller clients (50 desktops and under) couldn't care less. They do want to know that this will help them be compliant, and that you truly believe it is best for them, but they do not want to understand the plumbing.

  • THIRD, Use your Trusted Advisor status. If you have done well with the client, then you will have it. If they see your confidence in the security solutions, and they have confidence in you, then they will buy in emotionally.

  • FOURTH, Relate to them that this is STANDARD security, and that you are not selling them anything exotic. Let them know that you require this level of security in your clients because it will save the network from disruption and downtime. This means better ROI from their investment in personnel and capital.

  • FIFTH, Explain the possible consequences of not doing it. While Amy Babinchak of Harbor Computer Services makes a very good point about the dangers of using FUD (Fear, Uncertainty, and Doubt) to sell, the client still needs to be focused on the problem to solve. If there is no evident risk, there is no need for a solution. Use examples of botnets, etc. to focus the client on the fact that a solution is needed. Preventive in nature, but still needed.

  • SIXTH, Sell them on the fact that this is a duty to their clients to keep their client data as secure as possible. You can also relate the legally mandated (in some states) cost of having to inform their clients of security breaches.

  • SEVENTH, Help them find some way to pay for it. Either spread it with financing (such as Microsoft Financing) or leasing or HAAS. Another idea is to use a vendor such as Calyptix that can bill a monthly MSP fee so the client can "pay as they go".

So many of our clients are out of balance. Hopefully, this will help you help them get the security that they need.

Wednesday, July 29, 2009

No Frankenstein Backup Solutions, Please...

If you are creating your own backup solutions out of open source software, BEWARE! Unless you are willing to invest in the support staff to really know that software inside and out, don't risk your clients' data (and business survival) on it.

I was talking to Jim Hunton last night about some things that he is finding at new prospects that will scare the life right out of you. Solutions that were "stitched" together from open source programs that had no built-in monitoring or alerting abilities. He and I both agreed that the responsible IT consultant is going to use disaster prevention solutions that have been thoroughly tested, have a support desk with engineers when we need them, and that we can thoroughly train ourselves on.

Now, I am all for experimentation. If you want to take some Rsync and some SSH and mix it with instructions from some internet forums to produce your own low cost backup solution, then go ahead. Heat the test tubes in your lab and howl at the moon while you do it. Sew a lot with the needle and fishing line, and beat your chest about how smart you are. But don't visit your creation on your clients. Use REAL, PROFESSIONAL, SUPPORTED disaster prevention software, and spend the time LEARNING it.

Before you pull out the client cost issue, STOP! I don't want to hear it. Cheap is CHEAP. Free is UNSUPPORTED. We are talking about the ULTIMATE protection for your client. Quit being a wimp! Get in there and sell them the good stuff that you know works and you can get support for when the need arises.

You know, in the end, it turned out bad for Dr. Frankenstein and his creation. Don't let it turn out bad for you and your clients.

Living Next To The Security Graveyard...

IT Consultants and Business Clients are both ignoring the gravestones in their networks, when it comes to security.

When I was a kid in the sixth grade, I lived right next to a graveyard. When I went out to mow the grass (BTW, something I hated), the grave stones were there. When I went to the swing to play, the grave stones were close by. When I looked out the second story windows... well, you know what goes here. When I first moved there, it really bothered me. I got so used to it being close, though, that I successfully learned to ignore it. I only consciously realized it when a new friend would come over and make a big deal out of it.

IT Security issues are the same as the graveyard I put up with as a preteen. We may know about security holes in our and our clients' networks, but we have lived with them so close for so long that we have learned to ignore them. If someone points out a glaring hole in our security practices, we take notice and might get motivated to do something about it. If the news harps on a new "disaster computer worm aka Conficker", our clients suddenly check their antivirus definition dates or call us to be reassured that we have it under control. Otherwise, we and they get numb to the fact there are security problems.

Here are the names on some of the grave stones:
• EXPIRED ANTIVIRUS - very common, frightfully so. And rather than just renewing what they currently have, review the best of the current suites out there. Get the LATEST security suite (Trend Micro Worry Free is my favorite!).

• CONSUMER GRADE FIREWALL - Might be OK for protecting your grandmother's pictures, certainly not your customers' client social security numbers. You need a Business Grade firewall with an IPS (Intrusion Prevention System). All Hail Calyptix, here!

• NON WORKING LOCAL BACKUP - Yes, backup is a security component. Start thinking that way. Get some imaging software if nothing else and store to an external device. Storagecraft is GREAT! And set up some way to verify that backups actually HAPPEN and are RESTORABLE.

• NO OFFSITE BACKUP - No protection against fire, flood, bad employee or theft, tsk tsk. This should at least be a device you can take offsite, but ideally a complete internet encrypted backup of your server and critical workstation files.

• NO OR POOR SPAM BLOCKING - As per my earlier post on the human mind, social engineering is getting really crafty. Users are easily tricked into opening email and clicking on links. Block it so they will not have to make the wrong decision! Best if appliance based or third party filtering.

• POOR PASSWORDS - I know, I know, I feel the pressure from my clients too to let them use weak passwords. Just make sure there are at least letters and numbers and a symbol, and it is at least 8 characters, more if possible. Passphrases are even better.

• INSECURE OR OLD-STANDARD WIRELESS - If you are an IT consultant and set up a client with insecure wireless, SLAP YOURSELF! Get something for your client that is WPA2 and set it up as WPA2. (And consider making it a 20+ character passphrase.)

• UNPATCHED OS AND SOFTWARE - Every day, a piece of software on your computer gets a new "hole" that needs to be filled. The Russian mobsters, script kiddies, Black Hats, Chinese nationalists, etc. actively attempt to find and exploit these holes for their own purposes. And it is not just Microsoft software with the holes. Active patch management is a must, whether a duty assigned to a staff member or a duty that a computer consultant does for the client.

Now, look at your network. Do you see any of these grave stones? Do you see any in your clients' networks? Remember, your client will become numb to these over time. Have a serious talk with them. Clients pick up clues from you as to how serious a security issue is, so stress it. Do the right thing and point the stones out, repeatedly, before the network ends up on a cold, hard slab.
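The backup item on the list says to set up some way to verify that backups actually HAPPEN and are RESTORABLE. What follows is an added example of such a check, written for this page and not taken from the post or from any backup vendor's product: at backup time it records a SHA-256 manifest of what went into the archive, and the verification step then confirms the archive is fresh, performs a trial restore into a scratch directory, and compares every restored file against the manifest. The plain tar archive format, the sample files, and all function names are constructions for the example; a real job would point the same verification at the output of whatever imaging product is in use.

```python
"""Added example: check that a backup HAPPENED (a fresh archive exists) and is
RESTORABLE (a trial restore matches a checksum manifest taken at backup time).
Uses plain uncompressed tar archives; the sample tree below is constructed."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return a {relative path: sha256} manifest.

    USTAR format is chosen so each member is a plain 512-byte header followed
    directly by its data, which keeps the corruption demo below deterministic.
    """
    manifest = {}
    with tarfile.open(archive, "w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict, max_age_hours: float = 24.0) -> list:
    """Return a list of problems; an empty list means the backup is fresh AND restorable."""
    if not archive.exists():
        return [f"{archive.name}: archive missing (backup never ran?)"]
    problems = []
    age_hours = (time.time() - archive.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"{archive.name}: {age_hours:.1f}h old, older than {max_age_hours}h")
    with tempfile.TemporaryDirectory() as scratch:
        # Trial restore: only a backup that extracts AND matches counts as restorable.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, OSError) as exc:
            return problems + [f"{archive.name}: extraction failed: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"{rel}: missing from restore")
            elif sha256_file(restored) != expected:
                problems.append(f"{rel}: checksum mismatch after restore")
    return problems


def run_demo() -> dict:
    """Build a constructed sample site and exercise the four outcomes a check can report."""
    with tempfile.TemporaryDirectory(prefix="backup-demo-") as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "notes").mkdir(parents=True)
        (source / "accounts.dat").write_bytes(b"constructed ledger data\n" * 50)
        (source / "notes" / "readme.txt").write_text("constructed sample file\n")
        archive = root / "nightly.tar"
        manifest = create_backup(source, archive)
        results = {"clean": verify_backup(archive, manifest)}
        results["missing"] = verify_backup(root / "never-written.tar", manifest)
        # A job that quietly stopped running: pretend the archive is two days old.
        two_days_ago = time.time() - 48 * 3600
        os.utime(archive, (two_days_ago, two_days_ago))
        results["stale"] = verify_backup(archive, manifest)
        # Silent media corruption: flip the first data byte of the first member
        # (offset 512, right after its USTAR header); rewriting also refreshes mtime.
        data = bytearray(archive.read_bytes())
        data[512] ^= 0xFF
        archive.write_bytes(data)
        results["corrupted"] = verify_backup(archive, manifest)
        return results


if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(f"{case:>9}: {problems or 'OK'}")
```

The point of the trial restore is that a backup job reporting "success" proves nothing on its own; the archive existing, being recent, extracting cleanly, and hashing identically to what was backed up are four separate things, and the check above reports each one separately so the consultant knows which gravestone to dig up.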

Friday, July 17, 2009

Hacking the Weakest Link... The Human

There is a device in all our networks that is gullible, unpredictable, and lazy. It talks to foreign devices with no firewall between, ignores group policies, and even actively seeks to compromise our security measures. No amount of technology will correct these shortcomings. It's THE HUMAN. And it is amazingly easy to hack...

I ran across a Steve Riley video on Defending Layer 8, about the various different ways social engineering is used to get security related information from company employees. You have to have a TechNet account to go straight to the video, but if you go to the link above, you can get to the video through the Related Videos frame on the right side without logging in. At least I did. He is amazing (you won't fall asleep, for sure) and informative. He exposes the underbelly about why humans are such easy targets. Some methods of compromise I already knew, but a lot were eye opening. One such example is our genuine desire to be helpful. He also explains why we all love Wayne Small so much...Americans automatically (and inexplicably) trust Australians. It sounds weird, but I think he is right. And an astute hacker can use that knowledge (and a fake accent) to advantage. Better watch this one, folks, so you have a better idea how to educate your users on this very subject.

As to education, what do we do about it? He gives some good examples on what to tell your clients. He also said that it is a workplace education process. Native Intelligence has a presentation that you can give your clients to "raise" their awareness on the different ways they are solicited. The site also has a number of printed and electronic materials that can be used. There are even some free education materials that you can download and print.

So, what course of action did I get from this? I mean, is it so hopeless that I just throw up my hands and walk away? No. Admittedly, I can never fully secure that part of my networks. But I can reduce the footprint of the problem. I have enough here in the listed resources to start a "drip" campaign, just to raise the awareness of the average user over time. I plan to set up a series of emails that give several "awareness" bits to my users, and then have them time released so the clients get one every couple of weeks. I do not expect my clients to understand the inner complexities of security, but I do want them to pause and ask "Should I be doing this? Who is this person? Etc."

Tuesday, July 14, 2009

What Clients Want...

I was originally put off by the idea of seeing Mel Gibson in pantyhose, so I had not watched the movie that inspired this title. However, it came up in a marketing conversation. I decided I better see the "relationship" to clients, so I watched it tonight. There is definitely a marketing message in there we had better sit up and notice.

Here is Mel, stuck in the past in his view of the ad world, not understanding the target market that he needs to survive. A lot of arrogance and lack of personality. Then he really gets inside the "heads" of his target market by "magical" means, figures out what is important to them, and succeeds.

Imagine that Mel is a tech consultant that thinks he knows best about what the client needs and proceeds to "lecture" the client with his superior view. A little out of touch with the changes in the market. Not really paying attention to what is important to the clients. So... What "magic" turns Mel the IT guy around?

In the movie, Mel involuntarily finds out what his market wants. In real life, Mel has to exert effort to find out. If you are Mel the IT guy (most of us are), take these steps:
1. Have a heart to heart talk with yourself, and realize that the word "NEED" is not equal to the word "WANT". If you are competent, you already know the technical needs of your clients. Your attitude toward clients that don't see the importance of your recommendations is that they just don't get it. And you may be right. Since your solutions don't line up with the client's wants, the client thinks you are asking them to eat broken glass. You have to be able to make the business case from the client's perspective.
2. Take your clients to lunch and ask them the 5 things they want to solve. Not just the 5 IT things they want to solve, but business challenges they want to solve. You may have an IT solution to a business challenge. Plus, they may start to think of you as a business partner, not just the IT pusher.
3. After you have talked to a few clients, check your notes and see if you need to develop new services to meet those needs. If the needed solutions are way outside your core competency, find some competent partners that can fill those needs.
4. Continue to poll your clients as to their satisfaction level on a regular basis. This could be a review meeting, a website survey invitation, or some other way. This lets the clients know that you care how they perceive your service. Keep listening. And be sure to keep the "What else do you want solved that is not currently being solved" question in the mix every time you do this.

It all turned out well for Mel the ad man. Will it turn out well for Mel the IT guy? Well Mel, get busy.

Monday, July 13, 2009

Attending WPC09...Virtually!

Microsoft has given us partners a great window into its yearly massive partner conference. Susan Bradley sent out an email today with the links to Digital WPC, the website where "everything" Worldwide Partner Conference will be available over the web. I took time out today to watch the Keynote Videos. Almost 3 hours of powerful stuff with lots of announcements about overall direction, Office 2010 Desktop and Web Editions (watch out Google Apps), and Windows 7 (watch out Vista and Mac OS). My hat is off to Microsoft for making these resources available. With Silverlight, it's almost like being there.

Wweeelll, it's not the same as being in New Orleans. The pushing, shoving, scrambling for seats, sore feet, lots of BEADS, lack of sleep... need I go on? As I hinted in earlier posts, I love conferences. However, WPC is the MOTHER of Conferences. Its size makes it unwieldy, exhausting, and mind boggling. It's like gorging on fine chocolate until you can't stand the sight of it. Yet...I would love to be there. The secret is being selective and not worrying about all the events that you can't make. Maybe next year...

I know that Frank Vers and Michael Coconower from our local Arizona SMB Users Group made the trek to New Orleans. They will get the full experience. I will only get a piece of it, but I can watch from my couch with my favorite beverage. ;)

If you want to know where Microsoft is going and how to work alongside them, you better be watching these Keynote Videos.

Sunday, July 12, 2009

Behavior Monitoring and Peachtree Issues in Worry Free 6.0...

Behavior Monitoring is one of those features for watching apps to see if they "stray" from what programs should normally do.

I had installed TrendMicro Worry Free 6.0 at a client, updating the client from TrendMicro CSM 3.6. The client had no issues running Peachtree 2009 before the upgrade. After I completed the upgrade on the server and the workstations, Peachtree would take a very long time (up to one minute) to open.

I checked back with the server. Peachtree program directory was excluded. Check. Disabled the Active Scan on the server and workstations and made sure the changes took effect. Still same problem. Hummm. (Rubbed chin) I did remember that Bill Kam said something about Behavior Monitoring having an issue in the initial release of WF 6.0. By default, it would be disabled. Checked the Behavior Monitoring settings. It was on. Still should not cause this type of problem. Disabled Behavior Monitoring on the server and the workstations. Made sure ya-da-da-da-da-da, you know. Peachtree opened quickly. According to the client, the same as before the upgrade. Hummm. (Rubbed chin again)

Bill Kam is one of those choice people that all vendors should fight over. He had said to email him whenever we had an issue. So, I emailed him about this. He opened a trouble ticket and I got an immediate call from Trend support. Turned out that this issue with Peachtree had just surfaced. They had already created a hotfix to correct the issue inside Worry Free for Peachtree and other programs that had a similar behavior. I declined to apply the patch as it involved extra work (I AM lazy, after all). They bugged me over the next 2 weeks about applying that patch. That is good tech support there. Now, there is no longer a need to apply the hotfix. As of July 6, the hotfix was rolled into the automatic def and program updates.

Again, I cannot say enough about Bill and the program support he gives us.