Wednesday, July 29, 2009

No Frankenstein Backup Solutions, Please...

If you are creating your own backup solutions out of open source software, BEWARE! Unless you are willing to invest in the support staff to really know that software inside and out, don't risk your clients' data (and business survival) on it.

I was talking to Jim Hunton last night about some things that he is finding at new prospects that will scare the life right out of you. Solutions that were "stitched" together from open source programs that had no built-in monitoring or alerting abilities. He and I both agreed that the responsible IT consultant is going to use disaster prevention solutions that have been thoroughly tested, have a support desk with engineers when we need them, and that we can thoroughly train ourselves on.

Now, I am all for experimentation. If you want to take some Rsync and some SSH and mix it with instructions from some internet forums to produce your own low cost backup solution, then go ahead. Heat the test tubes in your lab and howl at the moon while you do it. Sew a lot with the needle and fishing line, and beat your chest about how smart you are. But don't visit your creation on your clients. Use REAL, PROFESSIONAL, SUPPORTED disaster prevention software, and spend the time LEARNING it.

Before you pull out the client cost issue, STOP! I don't want to hear it. Cheap is CHEAP. Free is UNSUPPORTED. We are talking about the ULTIMATE protection for your client. Quit being a wimp! Get in there and sell them the good stuff that you know works and you can get support for when the need arises.

You know, in the end, it turned out bad for Dr. Frankenstein and his creation. Don't let it turn out bad for you and your clients.

Living Next To The Security Graveyard...

IT Consultants and Business Clients are both ignoring the gravestones in their networks, when it comes to security.

When I was a kid in the sixth grade, I lived right next to a graveyard. When I went out to mow the grass (BTW, something I hated), the gravestones were there. When I went to the swing to play, the gravestones were close by. When I looked out the second-story windows... well, you know what goes here. When I first moved there, it really bothered me. I got so used to it being close, though, that I successfully learned to ignore it. I only consciously realized it when a new friend would come over and make a big deal out of it.

IT security issues are the same as the graveyard I put up with as a preteen. We may know about security holes on our and our clients' networks, but we have lived with them close for so long that we have learned to ignore them. If someone points out a glaring hole in our security practices, we take notice and might get motivated to do something about it. If the news harps on a new "disaster computer worm" (aka Conficker), our clients suddenly check their antivirus definition dates or call us to be reassured that we have it under control. Otherwise, we and they get numb to the fact that there are security problems.

Here are the names on some of the grave stones:
  • EXPIRED ANTIVIRUS - very common, frightfully so. And rather than just renewing what they currently have, review the best of the current suites out there. Get the LATEST security suite (Trend Micro Worry Free is my favorite!).

  • CONSUMER GRADE FIREWALL - Might be OK for protecting your grandmother's pictures, certainly not your customers' client Social Security numbers. You need a business grade firewall with an IPS (Intrusion Prevention System). All hail Calyptix here!

  • NON WORKING LOCAL BACKUP - Yes, backup is a security component. Start thinking that way. Get some imaging software if nothing else and store to an external device. StorageCraft is GREAT! And set up some way to verify that backups actually HAPPEN and are RESTORABLE.

  • NO OFFSITE BACKUP - No protection against fire, flood, bad employee or theft, tsk tsk. This should at least be a device you can take offsite, but ideally a complete encrypted internet backup of your server and critical workstation files.

  • NO OR POOR SPAM BLOCKING - As per my earlier post on the human mind, social engineering is getting really crafty. Users are easily tricked into opening email and clicking on links. Block it so they will not have to make the wrong decision! Best if appliance based or third party filtering.

  • POOR PASSWORDS - I know, I know, I feel the pressure from my clients too to let them use weak passwords. Just make sure there are at least letters and numbers and a symbol, and it is at least 8 characters, more if possible. Passphrases are even better.

  • INSECURE OR OLD STANDARDS WIRELESS - If you are an IT consultant and set up a client with insecure wireless, SLAP YOURSELF! Get something for your client that supports WPA2 and set it up as WPA2. (And consider making it a 20+ character passphrase.)

  • UNPATCHED OS AND SOFTWARE - Every day, a piece of software on your computer gets a new "hole" that needs to be filled. The Russian mobsters, script kiddies, Black Hats, Chinese nationalists, etc. actively attempt to find and exploit these holes for their own purposes. And it is not just Microsoft software with the holes. Active patch management is a must, whether a duty assigned to a staff member or a duty that a computer consultant does for the client.

Now, look at your network. Do you see any of these gravestones? Do you see any in your clients' networks? Remember, your client will become numb to these over time. Have a serious talk with them. Clients pick up clues from you as to how serious a security issue is, so stress it. Do the right thing and point the stones out, repeatedly, before the network ends up on a cold, hard slab.
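As an added illustration of the POOR PASSWORDS and WIRELESS gravestones above (example code written for this page, not from the original post), here is a small Python check that applies the stated floor for passwords (8+ characters with letters, numbers and a symbol), the 20+ character WPA2 passphrase suggestion, and a naive brute-force estimate that shows why a long passphrase beats a short "complex" password. The function names and the WPA2-PSK limit of 8 to 63 printable ASCII characters are my additions; the bit estimate assumes an attacker who already knows which character classes were used and does not model wordlist attacks on passphrases built from dictionary words.

```python
import math
import string
from typing import List

MIN_PASSWORD_LENGTH = 8      # the post's floor for user passwords
RECOMMENDED_PSK_LENGTH = 20  # the post's suggestion for WPA2 passphrases
SYMBOLS = set(string.punctuation)


def check_password(pw: str) -> List[str]:
    """Return the ways pw falls short of the stated policy (empty list = passes)."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    return problems


def check_wpa2_passphrase(pp: str) -> List[str]:
    """WPA2-PSK passphrases must be 8 to 63 printable ASCII characters (the
    standard's limit); the post's advice is to go to 20 or more."""
    problems = []
    if not 8 <= len(pp) <= 63:
        problems.append("WPA2-PSK passphrases must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in pp):
        problems.append("contains a non-printable or non-ASCII character")
    if len(pp) < RECOMMENDED_PSK_LENGTH:
        problems.append(f"shorter than the recommended {RECOMMENDED_PSK_LENGTH} characters")
    return problems


def charset_size(secret: str) -> int:
    """Size of the alphabet an attacker must search if they know which
    character classes appear (lower, upper, digits, symbols/space)."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in SYMBOLS or c == " " for c in secret):
        size += len(SYMBOLS) + 1
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the brute-force search space. This is an upper bound: a
    passphrase built from dictionary words is weaker than this against a
    wordlist attack, so treat it as a comparison tool, not a guarantee."""
    n = charset_size(secret)
    return len(secret) * math.log2(n) if n else 0.0


if __name__ == "__main__":
    for candidate in ("abc", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, check_password(candidate), round(brute_force_bits(candidate), 1))
```

Running it shows an 11-character password that satisfies every complexity rule still sits far below a 28-character passphrase on the brute-force scale, which is the post's "passphrases are even better" point in numbers.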
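The NON WORKING LOCAL BACKUP gravestone above asks for "some way to verify that backups actually HAPPEN and are RESTORABLE", and the Frankenstein post at the top complains about stitched-together backups with no monitoring. As an added example (my code, not the post's and not any vendor's product), here is a Python script that does both checks the way a monitoring job would: it records a SHA-256 manifest of the original files at backup time, reports whether the newest archive is younger than an allowed window, and then proves restorability by really extracting the archive into scratch space and comparing every restored file against the manifest. The file layout (backup-<timestamp>.tar.gz plus a .sha256 manifest), the sample files and the run_demo walk-through are constructed for this illustration.

```python
import hashlib
import os
import tarfile
import tempfile
import time
import zlib
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, dest: Path) -> Tuple[Path, Path]:
    """Archive src into dest as backup-<ns>.tar.gz with a .sha256 manifest
    written from the ORIGINAL files, so a later restore can be checked
    against what was there at backup time."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.time_ns()
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest = dest / f"backup-{stamp}.sha256"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest.write_text("".join(f"{d}  {rel}\n" for rel, d in hash_tree(src).items()))
    return archive, manifest


def latest_backup(dest: Path) -> Optional[Path]:
    archives = sorted(dest.glob("backup-*.tar.gz"), key=lambda p: p.stat().st_mtime)
    return archives[-1] if archives else None


def backup_is_fresh(dest: Path, max_age_seconds: float) -> bool:
    """Did a backup actually HAPPEN? True if the newest archive is recent enough."""
    newest = latest_backup(dest)
    return newest is not None and time.time() - newest.stat().st_mtime <= max_age_seconds


def verify_restore(archive: Path, manifest: Path) -> Tuple[bool, List[str]]:
    """Is it RESTORABLE? Do a real extraction into scratch space and compare
    every restored file's hash with the manifest. A bad gzip stream, a
    truncated archive, or a silently altered file all show up here."""
    expected: Dict[str, str] = {}
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    # Python 3.12+ can refuse path-traversal entries in untrusted archives;
    # older versions do not accept the keyword, so only pass it when present.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"extraction failed: {exc}"]
        actual = hash_tree(Path(scratch))
    problems = [f"missing after restore: {r}" for r in expected if r not in actual]
    problems += [f"hash mismatch: {r}" for r in expected
                 if r in actual and actual[r] != expected[r]]
    problems += [f"unexpected file: {r}" for r in actual if r not in expected]
    return not problems, problems


def run_demo() -> Dict[str, object]:
    """Constructed walk-through: a tiny source tree, a good backup, a manifest
    tampered to simulate corruption, and an archive aged past the window."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "data", Path(tmp) / "backups"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("client ledger\n")
        (src / "sub" / "b.txt").write_text("payroll\n")
        archive, manifest = make_backup(src, dest)
        results: Dict[str, object] = {"fresh": backup_is_fresh(dest, 24 * 3600)}
        results["restore_ok"], results["restore_problems"] = verify_restore(archive, manifest)
        # Simulate a file altered or corrupted relative to what was backed up.
        manifest.write_text(manifest.read_text().replace(sha256_file(src / "a.txt"), "0" * 64))
        results["tampered_ok"], results["tampered_problems"] = verify_restore(archive, manifest)
        # Simulate a backup job that quietly stopped running three days ago.
        old = time.time() - 3 * 24 * 3600
        os.utime(archive, (old, old))
        results["stale_fresh"] = backup_is_fresh(dest, 24 * 3600)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In production the two checks would run from a scheduled task against the real backup target and raise an alert on any False result; the point is that "the job ran" and "the files came back identical" are separate questions, and a home-grown backup that answers neither is exactly the Frankenstein the first post warns about.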

Friday, July 17, 2009

Hacking the Weakest Link... The Human

There is a device in all our networks that is gullible, unpredictable, and lazy. It talks to foreign devices with no firewall between, ignores group policies, and even actively seeks to compromise our security measures. No amount of technology will correct these shortcomings. It's THE HUMAN. And it is amazingly easy to hack...

I ran across a Steve Riley video on Defending Layer 8, about the various different ways social engineering is used to get security-related information from company employees. You have to have a TechNet account to go straight to the video, but if you go to the link above, you can get to the video through the Related Videos frame on the right side without logging in. At least I did. He is amazingly engaging (you won't fall asleep, for sure) and informative. He exposes the underbelly of why humans are such easy targets. Some methods of compromise I already knew, but a lot were eye opening. One such example is our genuine desire to be helpful. He also explains why we all love Wayne Small so much... Americans automatically (and inexplicably) trust Australians. It sounds weird, but I think he is right. And an astute hacker can use that knowledge (and a fake accent) to advantage. Better watch this one, folks, so you have a better idea how to educate your users on this very subject.

As to education, what do we do about it? He gives some good examples on what to tell your clients. He also said that it is a workplace education process. Native Intelligence has a presentation that you can give your clients to "raise" their awareness on the different ways they are solicited. The site also has a number of printed and electronic materials that can be used. There are even some free education materials that you can download and print.

So, what course of action did I get from this? I mean, is it so hopeless that I just throw up my hands and walk away? No. Admittedly, I can never fully secure that part of my networks. But I can reduce the footprint of the problem. I have enough here in the listed resources to start a "drip" campaign, just to raise the awareness of the average user over time. I plan to set up a series of emails that gives several "awareness" bits to my users, and then have them time-released so the clients get one every couple of weeks. I do not expect my clients to understand the inner complexities of security, but I do want them to pause and ask "Should I be doing this? Who is this person? Etc."

Tuesday, July 14, 2009

What Clients Want...

I was originally put off by the idea of seeing Mel Gibson in pantyhose, so had not watched the movie that inspired this title. However, it came up in a marketing conversation. I decided I had better see the "relationship" to clients, so I watched it tonight. There is definitely a marketing message in there we had better sit up and notice.

Here is Mel, stuck in the past in his view of the ad world, not understanding the target market that he needs to survive. A lot of arrogance and lack of personality. Then he really gets inside the "heads" of his target market by "magical" means, figures out what is important to them, and succeeds.

Imagine that Mel is a tech consultant who thinks he knows best about what the client needs and proceeds to "lecture" the client with his superior view. A little out of touch with the changes in the market. Not really paying attention to what is important to the clients. So... What "magic" turns Mel the IT guy around?

In the movie, Mel involuntarily finds out what his market wants. In real life, Mel has to exert effort to find out. If you are Mel the IT guy (most of us are), take these steps:
  1. Have a heart to heart talk with yourself, and realize that the word "NEED" is not equal to the word "WANT". If you are competent, you already know the technical needs of your clients. Your attitude toward clients that don't see the importance of your recommendations is that they just don't get it. And you may be right. But since your solutions don't line up with the client's wants, the client thinks you are asking them to eat broken glass. You have to be able to make the business case from the client's perspective.
  2. Take your clients to lunch and ask them the 5 things they want to solve. Not just the 5 IT things they want to solve, but business challenges they want to solve. You may have an IT solution to a business challenge. Plus, they may start to think of you as a business partner, not just the IT pusher.
  3. After you have talked to a few clients, check your notes and see if you need to develop new services to meet those needs. If the needed solutions are way outside your core competency, find some competent partners that can fill those needs.
  4. Continue to poll your clients as to their satisfaction level on a regular basis. This could be a review meeting, a website survey invitation, or some other way. This lets the clients know that you care how they perceive your service. Keep listening. And be sure to keep the "What else do you want solved that is not currently being solved?" question in the mix every time you do this.

It all turned out well for Mel the ad man. Will it turn out well for Mel the IT guy? Well Mel, get busy.

Monday, July 13, 2009

Attending WPC09...Virtually!

Microsoft has given us partners a great window into its yearly massive partner conference. Susan Bradley sent out an email today with the links to Digital WPC, the website where "everything" Worldwide Partner Conference will be available over the web. I took time out today to watch the Keynote Videos. Almost 3 hours of powerful stuff with lots of announcements about overall direction, Office 2010 Desktop and Web Editions (watch out Google Apps), and Windows 7 (watch out Vista and Mac OS). My hat is off to Microsoft for making these resources available. With Silverlight, it's almost like being there.

Wweeelll, it's not the same as being in New Orleans. The pushing, shoving, scrambling for seats, sore feet, lots of BEADS, lack of sleep... need I go on? As I hinted in earlier posts, I love conferences. However, WPC is the MOTHER of conferences. Its size makes it unwieldy, exhausting, and mind boggling. It's like gorging on fine chocolate until you can't stand the sight of it. Yet... I would love to be there. The secret is being selective and not worrying about all the events that you can't make. Maybe next year...

I know that Frank Vers and Michael Coconower from our local Arizona SMB Users Group made the trek to New Orleans. They will get the full experience. I will only get a piece of it, but I can watch from my couch with my favorite beverage. ;)

If you want to know where Microsoft is going and how to work alongside them, you better be watching these Keynote Videos.

Sunday, July 12, 2009

Behavior Monitoring and Peachtree Issues in Worry Free 6.0...

Behavior Monitoring is one of those features for watching apps to see if they "stray" from what programs should normally do.

I had installed TrendMicro Worry Free 6.0 at a client, updating the client from TrendMicro CSM 3.6. The client had no issues running Peachtree 2009 before the upgrade. After I completed the upgrade on the server and the workstations, Peachtree would take a very long time (up to one minute) to open.

I checked back with the server. Peachtree program directory was excluded. Check. Disabled the Active Scan on the server and workstations and made sure the changes took effect. Still the same problem. Hmmm. (Rubbed chin) I did remember that Bill Kam said something about Behavior Monitoring having an issue in the initial release of WF 6.0. By default, it would be disabled. Checked the Behavior Monitoring settings. It was on. Still should not cause this type of problem. Disabled Behavior Monitoring on the server and the workstations. Made sure ya-da-da-da-da-da, you know. Peachtree opened quickly. According to the client, the same as before the upgrade. Hmmm. (Rubbed chin again)

Bill Kam is one of those choice people that all vendors should fight over. He had said to email him whenever we had an issue. So, I emailed him about this. He opened a trouble ticket and I got an immediate call from Trend support. Turned out that this issue with Peachtree had just surfaced. They had already created a hotfix to correct the issue inside Worry Free for Peachtree and other programs that had a similar behavior. I declined to apply the patch as it involved extra work (I AM lazy, after all). They bugged me over the next 2 weeks about applying that patch. That is good tech support there. Now, there is no longer a need to apply the hotfix. As of July 6, the hotfix was rolled into the automatic definition and program updates.

Again, I cannot say enough about Bill and the program support he gives us.

Thursday, July 09, 2009

Backing Up While Driving...

Are you so dedicated to backing up that you would do it during your commute? I doubt it. However, our confidence in our tools has advanced to the point that we could.

This topic comes up because I had another IT consultant handling a problem from one of my clients that was vacationing in California. The consultant was in a pinch for time and started a Shadowprotect image backup before he started driving. The backup continued while he and the laptop were in the car, proceeding to my client. He arrived at the client's condo as I was on the phone with the client, and proudly announced that the backup was at 92%. It finished and he released the laptop to the client.

After I stopped laughing, I admired Jim's audacity. I found myself contemplating what had just happened and realized a couple of things. Here are the observations that go with this little story:
  • PARTNERING - It is great to have partners in other areas that you can depend on. In this case, my client benefited from the relationships that I have built. It raises my value in the client's eyes, as they see me as not being just another computer consultant.
  • CONFERENCES - Conferencing made this possible. I met Jim at 3 different conferences. My conversations with him gave me the confidence to sub this out. Going to a conference will let you meet people like this. Everyone that knows me knows that I really love conferences. Developing solid relationships with other IT consultants is one of the reasons.
  • RELIABLE TOOLS - The reliability of our imaging tools has gone up, to the point that this consultant was willing to start an imaging job and drive to the client with the confidence that it would work. He wasn't worried about showing up at the client with a failure on the laptop screen. While I would not have thought of doing that, I certainly agreed there was no reason that it would not have worked. StorageCraft products are AWESOME!

So next time you feel that you are wasting driving time, get that much needed laptop backup done! Please start it BEFORE you start the trip. I don't want to run into you unexpectedly. :)

Tuesday, July 07, 2009

Best "Visual" Way to Destroy Data Storage?

Bill from a local recycling center is holding a piece of shredded hard drive. I had a visit with him and his company today. They offer NIST-standard drive erasure, shredding, or both for hard drives that come inside the computers they receive. It is all up to the wish of the client delivering the equipment. Their facility is secure with video recording, metal detectors, guards, employee background checks, and restricted entry and egress. Clients can even watch their hard drives be shredded.

Sorry Bill. While your methods are effective, they just are not spectacular enough for me. Don't get me wrong. Bill and his company are great. But there is room for a "marketing" dimension. I have been asking around for a really effective method that would be "satisfying" to the client. In other words, I would let the client see the drive "done in" in their presence, and they would leave with the confidence that their scrap hard drive will never be read again.

You may ask why we need to go through all this effort? Statistically, the chances that information will be lifted from a hard drive are quite small. But information is power. And the PCI compliance standards are becoming stricter. Add in the fact that many of your clients will be subject to HIPAA and Sarbanes-Oxley regulations. If any information is retrieved from a storage device that the client has "disposed of", the client is considered responsible. Clients also desire that "comfort" level from knowing their secrets are NOT sitting in a landfill somewhere, waiting to be picked up. That need for the client to be reassured that there is NO chance the information can be retrieved should be satisfied by you, the guardian of their data. And we all know that a visual is worth a 1000 words. Hence, the reason I am looking for a "visual" destruction for the client to witness.

So, what method to use? I have had suggestions of rifles, shotguns, C4 (yep, he is crazy that suggested that), hydraulic jacks... Even a garbage disposal. Hmm, I think garbage disposals need water to work... that would get messy.

Please, comment and give me suggestions of your favorite way to "visually dispose" of data storage devices. Have fun with it. LOL

Saturday, July 04, 2009

Still Waiting For Independence Day...

"What are you talking about?!" I can just hear readers asking that. Yes, today is July 4th, American Independence Day. Yes, I am an American, so it is my Independence Day. No, it is not the Independence Day that I am referring to.

My Independence Day that I am looking forward to is the day that I no longer have to rely on Break/Fix for the revenue to pay my company expenses, my payroll, and my salary. No longer reliant on that highly variable revenue, but on the definite contracted revenue. Call it "Covering the NUT Independence Day".

I have Managed Service contracts now (some call them Maintenance Contracts), so recurring revenue is part of my revenue stream every month. And it is nice to see that monthly revenue come in automatically at the start of every month. I am not covering all expenses with that recurring revenue yet, but well on my way.

This does not mean that I will abandon Break/Fix entirely. Just that I will treat those service calls as small immediate projects that get placed in the service queue. They will have to take a position behind my MS clients, though. I have to give first dibs to those clients willing to commit to monthly revenue with me. If you are a client that does not have a contract with me and you want to be at the top of my service queue, let's talk. I would be happy to show you why it is to your advantage.

I have to thank the biggies for getting me here (King Karl, Amy Luby, Mark Crall) and the smallies that suffered with me (Ben Ahlquist, Josh McCullough, Bob Nitrio), and just about everyone in the Arizona SMB Users Group (sorry, too many to name). Without you, this would not have been possible.

It may not be Independence Day for me, but it turned out to be Thanksgiving Day. :)

Friday, July 03, 2009

New Wine In Old Wineskins

When is an old computer too old for your client's new software? It is definitely a balancing act. Often, putting new programs into the older computer is like the foolishness of putting new wine in old wineskins. There is a lesson in this parable that Jesus taught that can apply to IT. The principle is easy enough. Like new wine bursting the old wineskin, new software will ruin the use of an old computer.

I have a client that has gotten an update to a line of business app. They were using a version from 2004, but were finally forced to upgrade to the new 2009 version as they simply could not get support for the previous version. Well, 5 years and several versions of the LOB app have resulted in a much larger program with hefty requirements on the workstation and the server. What was a comfortable fit before is now strained and "bursting" for the server.

This is also a downside of partnering. An impromptu "partnering" forced by the client... In this case, I am not schooled in this business app. The client has a separate consultant come in and handle upgrades and special troubleshooting for this app. Unfortunately, I did not pay enough attention during the upgrade. I trusted a little too much. Sorry, another topic for another post...

It happens a little at a time sometimes. A new version of Yahoo Messenger, the latest version of the antimalware program, Google Updater now installed, Windows Search, etc. Remember when Windows XP ran in 256 MB of RAM, but now you want 1 GB? Software upgrades over time will put you slowly in this position. Maybe a RAM upgrade will save you. Our challenge is that the client will want to hang on to the computer too long. If you are hourly, it costs the client extra dollars as the computer is simply slower to work on. If you are on a maintenance plan, then the extra time to maintain the computer comes from your pocket.

As I am comparing to a parable, there is a moral to this story. Always check if the software is too new to go into your "wineskin". If your objective opinion is that it is time to retire that unit, let the client know. Convince the client to not hold on to the old stuff too long.