On the seventh day of Christmas

The Security for All “Twelve Days of Christmas” series continues.

On the seventh day of Christmas…

Seven dirtiest jobs in IT

Dan Tynan in this article for InfoWorld gives us this list of jobs that are critical but nasty.

Working in IT isn’t always pretty. After all, we can’t all work on the cutting-edge technologies all the time. Some of us have to get dirty — in some cases, literally.

Unfortunately, dirty jobs — whether you’re being chained to a help desk, hacking 30-year-old code, finding yourself wedged between warring factions in the conference room, or mucking about in human effluvia — are necessary to make nearly every organization tick. (Well, maybe not the human effluvia part.)

The good news? Master at least one of them, and you’re pretty much guaranteed a job with somebody. We don’t guarantee you’ll like it, though.

Dirty IT job No. 6: Help desk zombie
Excellent entry-level opportunity for multitasking individual with low self-esteem. Ability to read from scripts a plus. Potential to move up to bug scraper, password reset technician, or tape rotation coordinator.

Dirty IT job No. 5: On-site reboot specialist
Seeking individuals for on-site support of end-users. Must be familiar with three-fingered Ctrl-Alt-Del salute and power cord reconfiguration. Ability to withstand a variety of environments and personality types; concealed-weapons permit a plus. Individuals with anger management issues need not apply.

Dirty IT job No. 4: Interdepartmental peace negotiator
Looking for self-starter skilled at moderating tech disputes between warring factions within the same company or between company and its client. Must possess experience in ego-stroking, manipulative massage, and hand-to-hand combat.

Dirty IT job No. 3: Enterprise espionage engineer (black ops)
Seeking slippery individuals comfortable with lying, cheating, stealing, breaking, and entering for penetration testing of enterprise networks. Requirements include familiarity with hacking, malware, and forgery; must be able to plausibly impersonate a pest control specialist or a fire marshal. Please submit rap sheet along with resume.

Dirty IT job No. 2: Datacenter migration specialist
Position involves relocating and reconfiguring datacenter over impossible distances within a ridiculously short time frame. Prior experience as cable jockey, rack-n-stack grunt, console monkey, and/or log zombie a plus.

Dirty IT job No. 1: Sludge systems architect
Seeking individuals with demonstrated ability to squeeze over, under, or between confined spaces to solve technical problems. Candidates should be prepared to work long hours for low pay under adverse conditions. Must not be allergic to sawdust, vermin, airborne pathogens, or sewage.

Actually #3 doesn’t sound so bad. I may just have to beef up my rap sheet, er… resume.

On the sixth day of Christmas: Six new Internet hoaxes

On the fifth day of Christmas: Five scary technologies

On the fourth day of Christmas: Four worst E-Mail errors you can make

On the third day of Christmas: Three tools to search for images online by color

On the second day of Christmas: Two fake Bill Gates quotes

On the first day of Christmas: One Belsec birthday

7 Lessons SMBs can learn from big IT redux

David Strom has an interesting article in Network World about 7 Lessons That SMBs Can Learn from Big IT. It’s basically sound and definitely worth checking out. But there are some important gotchas and caveats that didn’t make the cut. So I thought I’d just stuff in a few extra ideas and warnings into the list.

1. Standardize on Desktops and Cell Phones to Reduce Support Differences

This is really a great idea, and you will definitely save money, pain and suffering by standardizing your hardware and software. This would work really swell in an ideal world where you started from zero – with no existing “legacy” equipment or software and were able to bring everything in completely new. Problem is, not only do you have legacy hardware and software, you also can’t afford to refresh every desktop or cell phone simultaneously. So what you are forced to do is review your standards continuously and develop a “refresh path plan” that takes into consideration that different departments (or users) have completely different refresh schedules. For example, you need to refresh engineering every year, but accounting can probably refresh every 3 years. This also leads to some gnarly incompatibilities with different versions of software. A notorious example of this is brought to you by Microsoft who chose a new, improved and decidedly not backward compatible format for Word documents in Office 2007. Finally there is the problem of what “standard” means to hardware vendors. Just for grins compare actual hardware – with the same SKU – that ships in early and later versions of a Dell model number. Just keep in mind that if you choose to save money by standardizing on consumer hardware you run the risk of incompatibilities even with the same model number.

2. Perform Off-Site Backups

Off-site backups are definitely a must-have. But they must also be automatic: no transferring data by hand from one place to another. Recall those data breaches caused by lost backup tapes? David suggests some online solutions and even cites a nifty side effect of this method.

Earlier this summer, Damian Zikakis, a Michigan-based headhunter, had his laptop stolen when someone broke into his offices. He replaced it a few days later; and because he had used Mozy, he thought that he was covered in terms of being able to bring back his files from the Internet backup.

When Zikakis had a moment to examine the layout of his new machine, he “found several incriminating files. The individuals who had my computer did not realize that the Mozy client was installed and running in the background. They had also used PhotoBooth to take pictures of themselves and had downloaded a cell phone bill that had their name on it,” he says.

Another possibility is to utilize your web hosting provider or colocation service to provide backup and archive space. In any case, it has to be off-site, easy and automatic, otherwise it just won’t work.

3. Use Hardware to Secure Your Internet Connection

An article like this really shouldn’t have to include a point this obvious. But sadly it does. Not only that, it cannot be stressed strongly or often enough that you have to understand and configure your security hardware. You can’t just plug it in and be safe. Furthermore, the appropriate selection of a security solution is critical. No, they are not all created equal. And no, they don’t all do the same things. The hardware that David mentions by way of example is a Unified Threat Management (UTM) system, which generally puts quite a bit of security functionality into a single box. UTMs basically secure your internet access, and if you intend to become larger than an SMB you need to be aware that they don’t scale up that well. Also, if your problem is access control rather than internet security, a Network Access Control (NAC) system might be more appropriate. Or you might need both. Or something lighter weight like StillSecure’s Cobia network platform. Or something completely different. The point is that while everyone agrees that you need something, just which something is not a trivial question. There is no one-size-fits-all security solution. Here’s where judicious use of your consulting budget makes a lot of sense. And no, I’m not a consultant. I just play one on the internet.

4. Use a VPN

If you don’t like eavesdroppers and you do anything remotely, you need a Virtual Private Network (VPN). Period. They are cheap, easy to set up and will probably even come with that UTM solution you are considering in #3. If you choose to do this in-house instead of using managed VPN services like the ones mentioned by David, make sure you have the internal expertise to handle it. Do not hire a contractor to set up your VPN. Either outsource it all or none of it.

5. Run Personal Firewalls, Especially on Windows PCs

Actually what this title should probably be is “Run a desktop security suite on Windows PCs and make sure that all endpoints are compliant with your policies before you let them on your network.” While that is certainly longer winded than David’s succinct title, it more accurately captures what he is saying. The point is that you should have a desktop security policy that specifies what software your network endpoints must be running and have a way to determine whether your network endpoints are compliant with that policy. The best way to accomplish that is with a Network Access Control (NAC) solution, like the Napera appliance mentioned in the article. There is, as usual, more to the story. Once you determine that an endpoint is non-compliant you can’t quarantine it forever. You have to provide a remediation mechanism, preferably automated, so that users can get back to work as soon as possible. It’s been my experience that sales guys get really cranky if you quarantine them for a long time. And just try that with your CEO. Bet it only happens once. And if you are going to have a NAC solution in place, what about “guest” users – you know, contractors, visiting product reps, partners? They all need varying levels of access to your network as well, while you still need to be protected. The point is that this isn’t as easy as slapping in an appliance and your endpoint compliance problems are solved. If a sales guy tells you different, hang up the phone. Now.
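To make the compliance-then-remediation flow concrete, here is a small added illustration of my own (not code from David’s article or from any NAC product). The policy contents, zone names and the `installer` callback are all assumptions; the point is that a non-compliant endpoint always gets a remediation list and a re-check, and guests get a separate zone instead of the corporate checks.

```python
"""Illustrative endpoint-compliance evaluator (added example, not the
Network World article's or any NAC vendor's code). Models the post's flow:
check an endpoint against a desktop policy, quarantine if non-compliant,
hand back remediation steps, re-check, and keep guests in a limited zone."""
from dataclasses import dataclass, field

# Constructed policy (assumption): software every corporate Windows
# endpoint must run, with the minimum acceptable version of each.
POLICY = {"antivirus": 12, "personal_firewall": 3, "patch_level": 2008}


@dataclass
class Endpoint:
    name: str
    user_class: str                                # "employee", "contractor" or "guest"
    software: dict = field(default_factory=dict)   # installed name -> version


@dataclass
class Decision:
    zone: str        # "corporate", "partner", "quarantine" or "guest" (hypothetical names)
    missing: list    # remediation items; empty when the endpoint is compliant


def evaluate(ep: Endpoint) -> Decision:
    """Return the network zone an endpoint gets and what it must fix first."""
    if ep.user_class == "guest":
        # Guests never reach the corporate network, so nothing to remediate.
        return Decision("guest", [])
    missing = [f"{name} >= {minimum}" for name, minimum in POLICY.items()
               if ep.software.get(name, 0) < minimum]
    if missing:
        # Quarantine, but always return the remediation list so the
        # endpoint can be fixed and re-checked instead of staying stuck.
        return Decision("quarantine", missing)
    # Contractors pass the same checks but land in a restricted zone.
    return Decision("corporate" if ep.user_class == "employee" else "partner", [])


def remediate_and_recheck(ep: Endpoint, installer) -> Decision:
    """Run an automated remediation callback for each missing item, then re-evaluate.
    `installer(name)` is a hypothetical hook that installs/updates the software
    and returns the version now present."""
    for item in evaluate(ep).missing:
        name = item.split(" >= ")[0]
        ep.software[name] = installer(name)
    return evaluate(ep)
```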

6. Rely on VoIP PBX for Your Phone System

This is definitely one of the biggest money and time savers you can do. The services associated with a good VoIP PBX system are killer and my experience with these systems has been excellent. The only caveat here is that you should definitely get VoIP as a managed service unless you have some really serious talent in-house. If you think you can just whip up an Asterisk server on one of your Linux boxes and you are good to go, think again. VoIP is very cool and it isn’t that hard if you really know what you are doing. Which I don’t, and you probably don’t either.

7. Have a Solid Test Plan for Adding New Technology

This is probably the most important point. Treat your technology test plan like an actual project. It’s not good enough to simply say, “Joe will look into it”. That’s not a plan. And it assumes that Joe will do it during his slack time (an IT guy with slack time – whoa!). What will actually happen is that Joe will call one or two vendors and talk to the nice sales folks and ultimately pick the one with the best swag or the hottest looking booth babes. Just pony up and do it right. It will save you beaucoup time, money, pain and suffering. And you stand a chance of actually developing some of that in-house expertise.

Welcome to Security For All

Blackhawk Helicopter


It’s apropos that I’m starting this blog while enjoying the security theater accompanying the Democratic National Convention here in Denver. Specifically I’m watching the blackhawk helicopters patrolling our friendly skies. I enjoy watching them so I’m not complaining. The point is that, while it seems so obvious, preventing a terrorist attack is hardly an important element of their mission, even though that is what almost everyone thinks security means in this context.

You see security is all about risk management and threat mitigation. So what would you think the risk of a terrorist attack occurring in Denver during the DNC – that could be mitigated by attack helicopters – would be? I’m thinking somewhere between slim and none (closer to none). So if a terrorist attack is the threat you are trying to mitigate then attack helicopters are great security theater. Fun but useless.

Now don’t interpret this as an indictment of the Department of Homeland Security. On the contrary, I believe that an important part of their mission is security theater. “Now just hold on a minute!” I hear you saying, “didn’t you just say that security theater is useless?” Well, you’ve got me. What I meant was that it’s useless in the context of actually mitigating a threat. It’s extremely useful in the sense that it shows that our government is taking steps to protect us. Steps we can see. And we FEEL better about it. The reality of this situation is that a terrorist attack is not one of the risks being addressed by the blackhawks, and security theater is just a nice side effect.

So how does this apply to you? Well, again it depends on the context (doesn’t it always?). If you are a large corporation – like the many vying for my attention and sage advice (hey, it could happen) – security is about managing the risks to your IT infrastructure, protecting your information and complying with the standards and regulations of your particular industry. If you are a small business, security is about managing the risks around the communication channels to your employees and customers: making sure those channels are highly available (if your web site isn’t available your customers can’t buy anything) and that those channels are safe for both you and your customers to use (you really don’t want somebody hijacking your customers’ information or using your web site to distribute malware). If you are an individual, security is mostly about mitigating the risks of connecting to the internet without the benefit of high-priced network hardware and an IT department (your kids and your son-in-law aren’t really an IT department). The point is that security has different priorities for those with different risks. I’ll address each of these different situations in detail in upcoming posts.

But right now I’m going outside to watch the blackhawks.