Archive for the ‘Security’ Category

BP’s Gulf Oil Spill and IT Best Practices

Monday, June 28th, 2010

BP’s oil spill is horrific of course, but there are a number of “lessons learned” which are very applicable to the way technology is managed.

Documentation. We are all guilty of a sick laugh over the oil companies’ collective safety plans essentially being carbon copies of each other, with an emphasis on protecting non-existent walruses from spills in the Gulf. But… when there is a disaster in IT, the written Disaster Recovery and Business Continuity plan is where everyone looks for salvation. If that plan isn’t kept up to date and reviewed objectively at regular intervals, then when an IT disaster strikes (note I said “when”, not “if”…) it will almost certainly last longer and cost more than it otherwise would have. In our experience, keeping Disaster Recovery and Business Continuity plans up to date is pretty cheap insurance, and while we understand completely that this activity generally gets deferred to accommodate more pressing matters, we consider it our responsibility to prod clients constructively on this front.

Testing Backups. All Disaster Recovery and Business Continuity plans rely on having good, accessible backups. You can be the best at rotating tapes off site, but if the office burns down you’ll need to get another tape backup device just to do the restores. And who knows if the tapes are any good? This is one good reason why we are in most cases migrating clients away from expensive tape backups to less expensive, easily verifiable, encrypted off-site disk storage. We often wonder why it’s called “backup software” when all anyone really cares about are the restores. Unless you periodically test your backups for their restore capabilities, the best Disaster Recovery and Business Continuity plan is pretty worthless — with or without walruses.
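The restore test the paragraph calls for, as an added example (this is not the post’s own tooling): the script archives a constructed file tree, records a SHA-256 manifest at backup time, restores the archive into an empty directory and proves file-by-file that what came back matches what went in. It also shows the two ways a restore test fails that a "backup succeeded" message never reveals: a file whose content no longer matches its recorded hash (or that never made it into the backup), and an archive that is unreadable because the media was truncated. All paths, file names and contents are constructed inside a temporary directory.

```python
"""Restore-test a backup: archive a directory, restore it somewhere else,
and prove byte-for-byte that what came back matches what went in.
Added example, not tooling from the post; all paths and files are
constructed inside a temporary directory."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large backup never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzip'd tar of src and return the manifest taken at backup time.
    A later restore test is measured against this manifest, so keep it
    separate from the archive (for example, with the DR plan), not inside it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest_of(src)


def verify_restore(archive: Path, expected: dict, restore_dir: Path) -> dict:
    """Restore into an empty directory and diff the result against the manifest.
    'ok' is True only when every expected file came back with the right hash;
    an unreadable archive is reported under 'error' rather than raised."""
    report = {"ok": False, "missing": [], "corrupt": [], "extra": []}
    restore_dir.mkdir(parents=True, exist_ok=True)
    if any(restore_dir.iterdir()):
        report["error"] = "restore target is not empty; stale files would mask a bad restore"
        return report
    try:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):  # Python >= 3.12 and the backports
                tar.extraction_filter = tarfile.data_filter  # refuse '..' and absolute members
            tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        report["error"] = f"restore failed: {exc.__class__.__name__}: {exc}"
        return report
    actual = manifest_of(restore_dir)
    report["missing"] = sorted(set(expected) - set(actual))
    report["extra"] = sorted(set(actual) - set(expected))
    report["corrupt"] = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


def run_demo() -> tuple:
    """Three restore tests on a constructed file tree: a clean restore, a
    manifest that no longer matches what restores (a changed file and a file
    that was never backed up), and an archive truncated mid-stream."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        src = root / "src"
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("acct,amount\n1001,25.00\n")  # constructed sample data
        (src / "notes" / "dr-plan.txt").write_text("DR plan, reviewed quarterly\n")
        archive = root / "nightly.tgz"
        manifest = make_backup(src, archive)

        clean = verify_restore(archive, manifest, root / "restore-clean")

        stale = dict(manifest)
        stale["ledger.csv"] = "0" * 64          # hash on record differs from what restores
        stale["notes/missing.txt"] = "1" * 64   # file that was never backed up
        tampered = verify_restore(archive, stale, root / "restore-stale")

        truncated_archive = root / "truncated.tgz"
        truncated_archive.write_bytes(archive.read_bytes()[:40])  # the media "went bad"
        truncated = verify_restore(truncated_archive, manifest, root / "restore-trunc")
        return clean, tampered, truncated


if __name__ == "__main__":
    for label, rep in zip(("clean", "stale manifest", "truncated archive"), run_demo()):
        print(f"{label:18s} ok={rep['ok']} {rep}")
```

The design point is that the check never trusts the backup job’s own exit status: the manifest is taken from the live data at backup time and the comparison is made against a fresh restore on a separate path, which is the closest a monthly test can get to the day the office burns down.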

Single Points of Failure. The news media has devoted considerable coverage to the several “single points of failure” in the blowout preventer. In IT, eliminating all single points of failure is very, very expensive. But eliminating many common single points of failure is surprisingly inexpensive. For example, disk drives are dirt cheap nowadays, so a fast RAID10 (versus a slower RAID5 or RAID6 system) doesn’t cost all that much more. Similarly, SonicWall, for example, sells the second unit of a failover pair of firewalls at a considerable discount over the primary unit. We generally recommend that once our clients have a good understanding of what an hour of downtime really costs them, they consider making “insurance” hardware/software investments appropriate for their risk tolerance and for the revenue they would lose to downtime. If you can eliminate one four-hour outage every three years for a few thousand dollars when an hour of downtime costs you a few thousand dollars, isn’t that a good return on investment?

In the same way that “every author benefits from a good editor”, we work collaboratively with our clients to help ensure their documentation, backups and level of technology investments are uniquely appropriate and cost-effective.

If you think your company could benefit from a “fresh set of eyes” on your Disaster Recovery and Business Continuity plan, backups and/or levels of IT spend, please give us a call at (207) 772-5678.  Remember, we are intentionally not a reseller, so we have no incentive to suggest you buy anything you don’t really need.

All the best,

Mark

CIO

Mail Server Security for ISO/CSOs – April NEISO Meeting

Thursday, April 8th, 2010

Reliable Networks is pleased to host the April meeting of the New England ISO group, a collaborative group of Information Security Officers and Chief Security Officers from New England enterprises.

During the meeting, I will be sharing our best practices regarding email server security. The talk will be less bits ‘n bytes technical (no procmail rulesets for example!) than it will be strategic; intended to provide ISOs with both a framework and a template for securing email systems.

Malware infestations typically penetrate enterprises through web browsing and email payloads. While there is no substitute for good end-user security training, there are some things which can be done on the email server-side of things to mitigate risk, at reasonable cost, and without inconveniencing end users unduly.

NEISO meeting attendance by non-members is by invitation, so if you would like to come, please follow the link on the NEISO website.

Hope to see you there!

All the best,
Mark
CIO

Windows 7 and Internet Explorer 8 – Still Quite Vulnerable

Thursday, March 25th, 2010

Researchers (OK, ethical hackers…) in a hacking contest sponsored by a reputable security research firm yesterday broke through — in under two minutes — a fully patched Windows 7 system running the latest version of Internet Explorer 8. Later in the day, Firefox fared no better.

The article is a bit technical, but if you skip over the techno-blah-blah-blah, you’ll see that these two researchers essentially circumvented what Microsoft is touting as the two primary lines of defense in protecting Windows systems from becoming compromised. Here’s a link to the ComputerWorld article: http://bit.ly/cs8jP9

Reps from Microsoft and Firefox were in attendance at the contest, and it was arranged in advance that the exploits would not be made public; indeed, the security firm that sponsored the contest bought the exploits from the contestants and gave them to Microsoft and Firefox.

But that doesn’t help any of us at this moment, when we still have work to do on the public Internet. So, what can you do to protect yourself when the software that’s supposed to protect you doesn’t?

The short answer is: “Take your time and be careful.”

Take your time to be sure that your systems are fully patched, that you are running modern intrusion-prevention (expanded anti-virus) software with updated virus definitions, and that you don’t click immediately on any new popups, warnings, alerts etc. (often used by malware to get you to bypass your computer’s protective systems). Although the exploits these researchers used were very cutting edge, there are still a lot of older, equally dangerous exploits out there that patches and security software can defend against successfully.

Be careful about where you browse and the links on which you are tempted to click. Your best friend may have sent you an email with a spicy link you are drooling to click, but you got that email because your friend’s machine has been infected with malware which is trying to spread itself by sending emails to everyone in your friend’s address book! Click that link and you’ll infect your own machine… Be careful clicking on ads, even on reputable web sites. The ads are served up by third party servers, and malware-infested ads are all the rage right now as a favored attack vector. You would think you could trust an ad on, say, cnn.com, but you can’t always.

A terrific Firefox extension that helps with ads is Adblock Plus, which has been downloaded more than 75 million times and which has a five-star rating. You can learn more at https://addons.mozilla.org/en-US/firefox/addon/1865?src=api

Lastly, recognize that Microsoft and all the anti-virus software vendors are in a perpetual game of catch-up against the bad guys. If your job requires you to be a heavy Internet user, the chances are that your machine will at some point become compromised.

And when that does happen, we are here to help. Call us at (207) 772-5678 when you are ready.

All the best,
Mark Stone, CIO

Microsoft Patch Makes Systems Unbootable

Friday, February 12th, 2010

(“Borks” is a technical term meaning “really messed up” in somewhat less polite terms…)

A recent Microsoft patch MS10-015, which requires a reboot to complete the install, is reported to be causing a number of Microsoft servers and workstations to fail to reboot at all; the reboot ends with the infamous “Blue Screen of Death” and renders the system unusable.

Putting aside for a moment that this patch fixes a security hole Microsoft has known about for seventeen years, we think this incident highlights the need for a multi-layered approach to security in the first instance.

Microsoft is claiming that a number of systems experiencing the Blue Screen of Death are doing so because the systems were already compromised. So, right away, that tells you that even applying patches quickly isn’t enough to keep systems safe.

Further, the risk with applying patches immediately when they are released is that you will bork your system. It doesn’t happen often, but when you consider how expensive downtime really is, even once every few years is very expensive. (As I write this post, I see that Microsoft has pulled the patch to avoid borking additional systems.)

Solid network perimeter protection has been a staple of our best practices for years. Smaller clients sometimes balk initially at spending hundreds of dollars for an enterprise-grade firewall, but these devices represent cheap insurance at worst and in many cases generate a positive return on investment.

End-user education and “safe-browsing” policies are also required to avoid security breaches. Malware these days (as we have blogged previously) is increasingly sophisticated and insidious. Firewalls and anti-virus/malware software will always be a few steps behind.

So, when you have good perimeter protection and careful, educated end-users, you have the luxury of time in which to evaluate new patches as they are issued. The benefits are you stay safer all the time, and reduce the risk of borking your production systems.

If you need help with your company’s patch management and security posture, please give us a call at (207) 772-5678.

Hope that helps,
Mark
CIO

Anti-Virus Software Worthless? (Yes… and No)

Thursday, January 7th, 2010

Just a few short years ago most virus writers were amateurs trying to trash your PC, just because they could. Nowadays, the “malware” industry is very professional, dominated by organized crime, whose products keep your PC running to enable sensitive keystroke/data logging (think Hannaford, TJ MAXX, etc.), to send spam, or to try to extort money from you with phony “Your computer is infected! Click here to fix!” scams.

The anti-virus software companies have raised the bar by bundling more protections into their traditional anti-virus products, in many cases releasing them as new products: Symantec Endpoint Protection for example has replaced Symantec Anti-Virus Corporate Edition. And although you can still buy products labeled as “anti-virus” from the majors, sales of these limited-use products have declined considerably of late.

As these new protection products have become more complex, sophisticated and bloated, their performance impact on older PCs has become more noticeable. Bargain PCs purchased as recently as two years ago can be too slow to be used efficiently with these full-suite protection products installed. Furthermore, the protection products are by nature always playing “catch-up” with the bad guys, so we have seen some companies forgo desktop protection software altogether in favor of strong network perimeter protection combined with policies limiting Internet access and prohibiting employees from bringing CD-ROMs, USB drives, outside laptops etc. into the office. (The more powerful servers still have protection software installed, however.)

That’s one way to do it, but many companies can’t manage the politics associated with limiting or preventing employees from browsing the Internet. And some companies, like ad agencies and web developers, can’t really be restricted at all.

Further, we have seen a lot of malware that these protection products simply can’t protect against, because the malware looks and acts like legitimate software.

Switching to a Mac or a Linux PC can help, but these devices can become “carriers” for malware, bringing a whole host of new challenges. And most security pundits believe that as Macs and Linux PCs become more popular, it will only be a matter of time before malware for these machines starts appearing as well.

So if these big protection products can’t save us from ourselves reliably, what can be done?

Well, here is our list of the top four ways you can protect yourself.

1. Slow Down! We have seen malware come in via email looking like Hallmark e-cards, IRS W-2 form updates, PayPal and bank account alerts, etc. If a friend’s PC gets an infection, you will get an email from your friend, and the web link or attachment that looks so enticing (if not workplace safe) will be your downfall. So, before you click on anything, take a moment to scan it with your own brainpower and a skeptical eye.

2. Be Careful Where You Stick Your Browser. The San Francisco bath house analogy notwithstanding, the majority of malware infections these days are installed via a web link. Staying away from those web sites you know you shouldn’t be frequenting anyway is a good start, but keep in mind that malware writers are very clever. They do things like buy ads on legitimate web sites to distribute their wares, so just because you are on cnn.com doesn’t mean you can click anywhere safely 100% of the time. When you get a popup or other prompt to take an action you weren’t expecting, apply Rule #1 and slow down before doing anything.

3. Be Proactive and Scan Your PC. Whether you use malware protection software or not, being proactive and running scans on your PC at least once a month is a good thing. We like Malwarebytes a lot, but our favorite tool du jour is ComboFix, available as of this writing here. Be careful when you search for these tools; the malware folks have bought look-alike domains and lots of Google AdWords! We have seen several folks with a minor infection wind up with a totally borked workstation because the web link they thought was malware removal software from the good guys was actually more malware from the bad guys. Remember Rules #1 and #2?

4. Keep Your PC Patched. The majority of patches coming out of Microsoft are security fixes, not bug fixes. Making sure your PC is regularly updated is key. If you are running non-Microsoft products, like Adobe Acrobat Reader, Apple’s QuickTime, etc., you want to be sure those products are kept up to date as well. Acrobat products this week are being blasted in the trade press because the JavaScript support in the product has been a valuable attack vector for malware developers. Adobe can’t or won’t “fix” this because the same JavaScript support is used for filling in PDF forms, and Adobe doesn’t want to hinder that functionality.

So be safe out there! And if you have questions or get yourself in trouble, we are here to help. Don’t send us an infected email though, just give us a call at (207) 772-5678.

All the best,
Mark
CIO

Zimbra 6 vs. Google Docs – Careful!

Friday, October 2nd, 2009

Before we get started, if you would like to subscribe to our blog posts via an RSS feed, just click here.

Now back to our regularly scheduled programming…

Zimbra 6 includes a number of document features already in Gmail and Google Docs, providing spreadsheet and Word-like document features.  Considering the price of Microsoft Office these days, Zimbra 6 and Gmail/Google Docs can be very cost-effective alternatives.

Unless, of course, you want to keep the spreadsheets and documents you are creating private.

You see, the Google Terms of Service give Google a perpetual and irrevocable right to use all of your Content pretty much any way they want, including republishing rights (it’s all in Section 11, here). Sure, those same terms of service allow you to retain the copyrights in your works, but that is of little comfort if Google can repurpose your content at will.

So, if you are using Gmail or Google Docs for anything confidential, well… it’s not. If you are a bank, doctor, attorney, accountant or any other kind of professional with a fiduciary, regulatory or contractual responsibility to protect information, and you have put any of that information in Gmail or Google Docs, you probably ought to speak with an attorney, fast.

Zimbra 6, on the other hand, has no such content licensing terms. Nor do we (we are a Zimbra Premiere Hosting provider, BTW): you not only retain full ownership of your data, you grant no Google-like license to us or to Zimbra when you use Zimbra.

So if you are looking to avoid an expensive company-wide upgrade to Microsoft Office and/or Microsoft Exchange, while Gmail and Google Docs may look like good value for money, you’ll get what you pay for. Talk to us about Zimbra (our system is very secure and HIPAA-compliant out of the box).

And the next time you speak to your own attorney, accountant or health professional, ask them if they are using Gmail or Google Docs, and if they answer yes, you may want to find a different attorney, accountant or health professional…

Mark Stone,

CIO

Yes Virginia, There Is a Hacker…

Thursday, September 3rd, 2009

We went to quote out a new firewall for one of our clients this morning — and found the vendor’s site had been hacked.

Since we had some behind-the-home-page links in our browser’s history, we could see that only the home page had been defaced. So, we called the vendor and they immediately took the entire site down to fix things.

While it might seem a little ironic (if not somehow darkly entertaining) that a company selling firewalls for a living got hacked, there are a few old-school lessons here worth repeating:

  1. A great firewall, even correctly configured, isn’t enough to protect you entirely from external threats.
  2. A great firewall, even when configured with gateway anti-virus, anti-malware, intrusion prevention and a bunch of other propeller-head acronyms, isn’t enough to protect you entirely from external threats.
  3. All of the applications exposed to the Internet (web, email, ftp servers etc.) need to be kept up to date with security patches too.
  4. Automated monitoring (of web sites and log files) would have given the company’s system administrator a near-immediate heads-up that something was wrong. As it was, the hacker had put a visitor counter on the hacked home page, and 18,402 unique visitors had already been to the site before we arrived (and before the company was aware they had been hacked).
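The web-site half of lesson 4, as an added example (not the vendor’s or the post’s own monitoring): a baseline-and-compare check that a scheduled job would run against the public home page. It records a fingerprint of the known-good page, raises an alert the moment the served content differs from that baseline, and separately flags any external host the page now references that is not on the site’s allow-list, which is exactly what a planted third-party counter would trip. The HTML, hostnames (reserved .test and .invalid names) and the allow-list are constructed here; in production the page text would come from an HTTP fetch on a schedule.

```python
"""Baseline-and-compare monitor for a public web page: alerts on any change
to the page body and on any reference to an external host that is not on
the site's allow-list. Added example for lesson 4; HTML, hostnames and the
allow-list are constructed here, not taken from any real site."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _RefCollector(HTMLParser):
    """Collect every src/href/action URL that appears in the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                self.refs.append(value)


def fingerprint(html: str) -> str:
    """SHA-256 of the page with line endings and trailing whitespace normalised,
    so an identical page re-served with CRLF endings does not page anyone."""
    normalised = "\n".join(line.rstrip() for line in html.replace("\r\n", "\n").splitlines())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def external_hosts(html: str) -> set:
    """Hostnames referenced by the page with an explicit host part (relative URLs are skipped)."""
    parser = _RefCollector()
    parser.feed(html)
    hosts = set()
    for ref in parser.refs:
        netloc = urlsplit(ref).netloc  # '' for relative URLs and mailto: links
        if netloc:
            hosts.add(netloc.split("@")[-1].split(":")[0].lower())  # drop userinfo and port
    return hosts


def check_page(html: str, baseline_fingerprint: str, allowed_hosts: set) -> list:
    """Return alert strings; an empty list means the page matches its baseline."""
    alerts = []
    current = fingerprint(html)
    if current != baseline_fingerprint:
        alerts.append(f"content changed: {baseline_fingerprint[:12]} -> {current[:12]}")
    for host in sorted(external_hosts(html) - allowed_hosts):
        alerts.append(f"reference to host not on allow-list: {host}")
    return alerts


# Constructed known-good page and allow-list, as recorded when the baseline was taken.
KNOWN_GOOD = """<html><head><title>Example Firewalls Inc.</title>
<link rel="stylesheet" href="/static/site.css"></head>
<body><h1>Enterprise firewalls</h1>
<img src="https://cdn.example-firewalls.test/logo.png">
<a href="/products">Products</a></body></html>
"""
ALLOWED = {"cdn.example-firewalls.test"}
BASELINE = fingerprint(KNOWN_GOOD)

# Constructed "what the monitor fetched later": a changed headline plus an
# image pulled from a host the site never referenced before.
CHANGED = KNOWN_GOOD.replace(
    "<h1>Enterprise firewalls</h1>",
    '<h1>Site update</h1>\n<img src="http://hit-counter.invalid/c.gif">',
)

if __name__ == "__main__":
    print("baseline check:", check_page(KNOWN_GOOD, BASELINE, ALLOWED) or "no alerts")
    print("later check:   ", check_page(CHANGED, BASELINE, ALLOWED))
```

Two checks are kept rather than one because they fail at different times: the fingerprint catches any change at all, including legitimate ones that should have come with a ticket, while the allow-list check still fires after the baseline has been re-recorded if a stray external reference survived the review.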

None of these protections cost much in the way of system administration resources or hardware/software (though they do require a fair amount of expertise to implement properly), and they very well might have prevented this hack.

Damage to a hacked company’s reputation can cost a lot more than a new firewall for sure. When you take credit card payments, the legal requirements for dealing with a breach can result in astronomical costs.

All of which is a long way of saying that if you haven’t looked over your company’s security posture recently, now might be a good time to give us a call.

Take care,
Mark

“Strong” Passwords and Password Rotation

Wednesday, July 29th, 2009

With modern-day corporate firewalls doing a pretty good job out of the box protecting corporate network perimeters, hackers have turned to cracking legitimate user email and network accounts. As a result, many corporate networks, banks and other online service providers are now requiring their users to use so-called “strong” passwords, and to change those passwords a few times each year.

We have seen some clients resist enforcing these kinds of policies. Let’s face it, it’s hard for an IT Director to march into the owner’s office and demand s/he change their password to something totally indecipherable. A few months ago, our last holdout client found their business at a standstill when they couldn’t send email any longer. Turns out, someone from Poland (the country, not Maine…) had correctly guessed or cracked a user’s Exchange email password, and had spent the weekend sending out tens of thousands of spam messages from their Exchange server, which was now blacklisted. We got that fixed, shared with them our best practices for “strong” passwords and password rotation, and Bob’s your uncle…

What most people don’t realize is that “strong” or complex passwords can be very easy to remember AND very difficult to crack, all at the same time. First, the scary part: what is a good “strong” password policy?

Our view is that a good “strong” password policy should require that passwords have a minimum of eight characters, and at least one each of an uppercase character, a lowercase character, a numeral, and a punctuation mark.

If your name is John Doe, an easy-to-remember strong password might be “j0hN;d0e55” where the letter “o” is replaced by a zero.

If you are feeling particularly clever, you can use a phrase as a password, like “2mUch!cE” (“Too much ice”).
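The policy stated above, as an added example (not a tool from the post): a checker that reports which of the four rules a candidate password fails, with the minimum length as a parameter so the same function covers sites that demand more than eight characters. It confirms that both of the examples above, “j0hN;d0e55” and “2mUch!cE”, satisfy the policy, and shows what a rejection looks like for a password that does not.

```python
"""Check a candidate password against the policy described in the post:
at least eight characters with at least one uppercase letter, one lowercase
letter, one numeral and one punctuation mark. Added example, not the post's
own tool; the sample passwords below are the two from the post plus
constructed weak ones."""
import string


def policy_failures(password: str, min_length: int = 8) -> list:
    """Return the rules the password breaks, in policy order; [] means compliant."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no numeral")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation mark")
    return failures


def is_compliant(password: str, min_length: int = 8) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not policy_failures(password, min_length)


def report(candidates: list, min_length: int = 8) -> dict:
    """Map each candidate to its failure list, e.g. for a self-service password form."""
    return {pw: policy_failures(pw, min_length) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: the post's two examples and three that fall short.
    for pw, failures in report(["j0hN;d0e55", "2mUch!cE", "johndoe", "Password1", "2mUch!cE"], 12).items():
        print(f"{pw!r:14} {'OK' if not failures else ', '.join(failures)}")
```

Returning the full list of failed rules rather than a bare yes/no is deliberate: a user told only "password rejected" tends to make the smallest possible change, while one told "no punctuation mark" fixes the actual gap. The example in main uses a twelve-character minimum to show that “2mUch!cE”, compliant under the eight-character policy, is rejected on length alone by a stricter site.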

Although these are easy to remember, different sites will have different policies, requiring you to use different passwords. At some point, you won’t be able to remember them all, so a good password manager (protected by a strong password, please!) will be needed. Our favorite password manager at the moment is KeePassX, which runs on Windows, Linux, Macs and Blackberries.

What is not a good idea is to allow your browser to remember your passwords for you, especially if you use a laptop. In the first instance, the encryption the browser uses isn’t all that strong, and if your PC/laptop is stolen or swapped out, you’ve not only lost your passwords, you’ve effectively just given them away.

Similarly, using an unencrypted spreadsheet for passwords isn’t a great idea either.

One dirty little secret is that the overwhelming majority of corporate security breaches these days are perpetrated by insiders, not outside hackers. As a result, many sites are requiring users to change their passwords every few months as well.

Using easy-to-remember but strong passwords goes a long way to protecting your personal and your company’s valuable data. When things get too complex, a good cross-platform password manager can help keep things straight as well.

If you have any questions about your company’s password policies, please call us at (207) 772-5678.

First Post!

Wednesday, July 22nd, 2009

Welcome to the Reliable Networks blog! Here you will find informative articles on network best practices, network security, news on cutting edge networking technologies, and much more. These articles will be written by experienced network engineers who will pass on their own experiences to you. Check back soon for more!

Click here to subscribe to our RSS feed