Blog

iOS Sandbox Vulnerability

MDM administrators will want to update iOS to 8.4.1 sooner rather than later. Any version before 8.4.1 allows an attacker to bypass the sandbox protection around managed settings, exposing those settings and possibly the account credentials stored in them. Until devices are patched, treat anything your MDM pushes as a managed setting as readable by other apps on the device, and keep credentials out of it where you can. Read the U.S. NVD write-up here: http://1.usa.gov/1NENBLk

The Drawbacks of Dropbox

Sharing files with others has become part of the daily routine for many of us. Whether you are sharing pictures with a family member, a funny cat video with a friend, or an important document with a co-worker or client, massive amounts of files are shared each day. With so many ways to share, it’s easy to assume a level of security and control that may not be the case. What may be fine for sharing cat videos might be totally inappropriate for your company’s sensitive information.

Dropbox Basic boasts of 400 million users and continues to be a popular choice in the file-sharing world; however, for corporations concerned about data security and control there are a few worrisome considerations.

Data Dilemmas

Imagine your star sales rep makes a practice of keeping a copy of his contact list and client contracts in Dropbox. What happens if he leaves your firm? Do you have access to his Dropbox account? The biggest concern with Dropbox Basic is that the company has no way to regulate access to, sharing of, or retention of the data: the account belongs to the individual, not to the firm. That opens the door to theft, loss, and corruption of important data by anyone who has access to it, and because there is no audit trail, files can be deleted or shared with no record of who made the change.

Risky Business

Something else to consider when using Dropbox Basic for business purposes is the risk of potential lawsuits, violations, and lack of accountability. Having a client’s information so accessible and vulnerable, with little to no file retention and controls, can break a variety of privacy agreements and lead to lawsuits and compliance violations. Your data is your business, and loose control over data is like leaving your office protected at night by a flimsy screen door.

Bottom Line Recommendations

  • Talk with your team members about their existing workflow to determine their requirements for file sharing
  • Investigate business grade file sharing systems that have the features you require
  • Create a policy defining how data will be stored, accessed, and protected
  • Enforce this policy with technical controls (for example, blocking unsanctioned sharing services at the network edge) so that accidental or intentional misuse does not become a liability

Developing Your Private Cloud Computing Strategy

We’re very excited to partner with Lenovo for the latest upgrades to our private hosted cloud computing offering.

http://blog.lenovo.com/en/blog/carolinas-it-flies-high-in-the-cloud-with-flex-system/

As a leading provider of Hosted Private Cloud Services, we’ve been refining and expanding our private cloud computing architecture since version 1.0 back in 2011. The goal has always been to provide our clients with a high performance, secure, reliable, scalable platform for their critical business systems. We want to help our clients maximize their technology investment and smooth out network operations to better support their core business. We do this through an interlocking support structure that includes not only our private cloud, but also a strong professional services organization for implementations and projects as well as our managed services division providing 24x7x365 helpdesk and network monitoring services.

The number one question I get from clients these days is “How can I leverage cloud services for my business?” The answer is as varied as the types of organizations that ask. Developing a cloud services strategy involves an analysis of the systems, workflow, functions, personnel, and many other factors. The end result should be a roadmap for optimal use of cloud services for their business.

Embarking on a cloud journey without a strategy and roadmap can be expensive in terms of lost opportunity, time, frustration, mistakes, funding, and reputation. A strategy that simply states, “My CEO said we need to move to the cloud” could result in a very costly lesson.

I’ve listed a few goals of a successful cloud strategy below.

  • Business requirements drive architecture
  • Should facilitate productivity and competitive advantage, and provide for agility
  • Architecture should match requirements for reliability, availability, performance, security, scalability
  • Obtain the most value for investment
  • Investments are aligned with financial capabilities and preferences
  • Reduce risk

Sound interesting?  Give us a call, we’d be glad to work with your team to develop a cloud computing strategy that works for your organization.

Best Regards,

Mark

Cloud Computing Architecture


You Can Stuff Your Sorries In A Sack, Mister

There’s a great quote from George Costanza on Seinfeld, “…you can stuff your sorries in a sack, mister.” Basically, saying “I’m sorry” just doesn’t cut it sometimes. This post examines some situations where saying “I’m sorry” just won’t be enough.

Consider this: How much should an executive be concerned that inattention to security causes damage to another person or organization?  What if by failing to implement proper security measures on your network, it becomes a tool that an attacker uses to damage another person or organization?

Network security can easily be far down on the list of challenges that an executive normally thinks about; there’s always something more pressing. Most have reconciled themselves to a certain amount of risk to their own business where security is concerned. Their thinking goes like this: “I probably need to invest more in security for my network, but we’re not having any problems right now, so it’s on the back burner until there’s a better time.”

We all know that if you have a car and you drive around with bad brakes or threadbare tires, you are negligent and will be held accountable if you cause an accident. Even if your insurance covers it, the pain caused can be devastating.

Consider the very realistic scenarios below:

  • One of the servers on your network has been used as a repository for illegal images and videos. The images are shocking, repulsive, and very harmful to all involved.
  • Your CEO is acquainted with executives of several publicly traded companies. His email account was compromised and was used to trick them into revealing non-public information that impacted share prices. The hackers used this to make several million dollars in stock trades.
  • Your network was compromised and used as a staging ground for an extortion scheme where a local firm’s data was encrypted and held for ransom. The hackers were from Eastern Europe. The local firm didn’t have a good backup, and had no choice but to pay the ransom.

The investigators show up and start asking questions:

  • Did you know this was happening, and did you have any part in it?
  • Have you taken any steps at all to secure your network?
  • Have you ever conducted a security evaluation for your network?
  • Did the system in question have the latest security patches and software?
  • What best practices do you follow?
  • Do you have any logs that could help identify who is responsible?

Avoiding an embarrassing and potentially damaging situation isn’t complicated and can be done within the constraints of your budget.

  • Conduct some type of security assessment. Have someone with the right skills check the network. There are various levels and tools that can be used, but even a quick check is better than nothing. Leverage your trusted partners to form a security team.
  • Implement a formal program of patching and updates for your systems and software. This must happen continually, it’s not something you can do and then not think about for a couple months.
  • Implement a program of network monitoring and logging. Gain visibility into what’s going on in your network, and keep the logs somewhere a compromised system cannot erase them, for long enough to be useful after the fact; the investigators’ last question above can only be answered if those logs exist.
  • Adhere to the principle of least privilege. If someone doesn’t need access for their duties, they don’t have it.
  • Implement a defense-in-depth strategy for your network so that no single control is all that stands between an attacker and your data, including controls that do not depend on having a signature for a known threat, since a zero-day attack has none.
  • Publish and adhere to formal security and acceptable use policies.
  • Conduct education sessions for your team so they don’t fall prey to social engineering attacks, risky clicks, or other dangerous practices.

Hope this helps spur some thought, please let us know if we can be of assistance with making sure that your network is a safe, reliable, and productive platform for your organization.

Best Regards,

Mark

Help Desk Cooperative Program

Carolinas IT announces the launch of its North Carolina Help Desk Cooperative Program for municipalities and educational institutions throughout the state. The program provides group purchasing discounts and incentives for cost-effective Help Desk support.

Participating organizations may enroll in this program at the group rate and earn additional discounts in the form of credits for future service. These credits can be used for IT services work, helping to relieve the pressures of tight staffing and budgets. Furthermore, cooperative members continue to benefit as enrollment grows, leveraging the power of volume discounts!

Our experienced Help Desk staff in our Raleigh Network Operations Center are professional, courteous, and knowledgeable, earning a consistent A+ ranking from client evaluations. Please contact us to learn more and take advantage of this program for your organization.


The dirty secret about cloud computing

A stealthy threat is sapping the life out of the productivity gains that technology offers. Not only is it killing productivity, it is directly causing frustration, security breaches, HIPAA violations, and is draining precious funds. The threat is poorly designed cloud architecture. Often driven by end user demands, IT architectures that formerly were centralized, secured, and well managed are now suffering from unregulated sprawl and loss of control over data. Dropbox, Office 365, CRM, iCloud, Google docs, AWS, and many, many others create pools of unregulated data splattered across the Internet. The ease of entry, familiarity of users due to personal use, and low initial cost may be tempting, but as use spreads throughout an organization, the damage amounts to a hidden tax as well as a liability to an organization. In my next post I’ll offer some analysis and possible solutions.

Leader’s IT Checklist for 2015 – 10 Proactive Questions to Save Time and Avoid Headaches

If you are like most leaders I know, your time is one of your most valuable assets. Taking time to think about your computer system may only happen rarely or if there are problems. As a leader, I’ve found that one of my most powerful time saving tools is to ask proactive questions of my staff. The answers provide insight into what is going right, and what needs improvement. I’ve put together a quick hit list of questions to help you be proactive, and ask the right questions to avoid problems, wastes of time, and productivity drains on your organization in 2015. There are many more, but these should provide a nice starting point to get the conversation going in the right direction.

1. What is your cloud strategy? As a leader, can you succinctly articulate it? Most organizations aren’t ready for a complete migration to either a Public or Private Cloud, but you should have a strategy that maps out your plan for leveraging the cloud over the next few years. Perhaps you start with one aspect of your network, such as email, and then systematically move other applications and services to cloud based platforms.

2. When was the last time you actually did a restore from your backup? If your office is shut down for a few days or weeks, or a critical component fails or data is destroyed, how would you keep functioning? How long (realistically) will it take to get you back in business? Can your team work from home if power is off at the office? Where are the backups actually kept, and who has access to them (both physically and logically)?

3. How are you protected against the new wave of polymorphic viruses and ransomware? It became very evident in 2014 that a traditional firewall provides no protection against malware that can spawn thousands of variants in a day, and even the best anti-virus offers incomplete protection, because it needs a signature for something it has already seen. Don’t find yourself in a situation where you are at the mercy of an Eastern European extortion scheme that is costly in terms of downtime, potential data loss, and compromise of confidential information; a tested backup that the malware cannot reach (see question 2) is what turns a ransom demand into an inconvenience.

4. If you had to produce documentation of licensing for every copy of Microsoft Office and every server and Client License in use, could you do it? Microsoft, Adobe, Symantec, and other software companies are very serious about enforcing software licensing. Saying “I thought it came with the PC” won’t help. In addition to the expense of getting in compliance, software firms will require historical records so they can figure out how much is owed from previous years, and then there are the fines and penalties. We’ve seen a dramatic increase in the number of these types of audits over the past year.

5. Do you know who within your organization has rights to information on your network? Who can see that HR spreadsheet that lists everyone’s salary? What about employee reviews? Hint – if they are backed up every night, then more people than you think probably have rights: the backup account reads every file, and whoever can restore from that backup can read it too.

6. How would you know if something were about to go wrong or had already gone wrong on one of your critical devices? I don’t know how many times I’ve walked into a server room and seen a red light on a hard drive indicating that it was failing or had already failed, and the system was running on a spare drive. Most devices have an amazing ability to provide information that gives insight into their health; how are you leveraging that ability?

7. If a laptop or mobile device was lost or stolen, would you worry about what information was on it? What data would be on it? Could you be absolutely certain the data could not be accessed or used? Unless the device’s storage is encrypted and you can wipe it remotely, the honest answer is usually no.

8. Do any of your employees use file sharing or backup services such as Dropbox, Carbonite, Crashplan, or Google docs? Do you have access to this account? How do you control what they share with the world? Would it be possible for an employee to copy key documents from your network for use after they left your team?

9. How do you know that all of the devices on your network are patched, have the latest anti-virus, and are virus/malware free? Your network is only as strong as the weakest link. With more and more employees bringing their own device to work, you don’t want to let the virus that someone got from home cause a disruption to your business.

10. Do you have formal policies in place, and has everyone in your firm been trained on them and has this training been documented? Remember, it’s tough to hold someone accountable for something you didn’t tell them they couldn’t do. Some organizations can combine all of these into a single policy, others will need separate and distinct policies.

    • Acceptable Use – What they can and can’t do on the network
    • Mobile Device – What type of device can be used and how
    • Internet Access – What they can and can’t do on the Internet
    • Email and Communications – How email and communications tools can be used, how electronic communications are archived for future reference
    • Network Security – How the network is secured logically and physically from threats
    • Remote Access – How the network can be accessed remotely, by what devices and where
    • Media Destruction – How old hard drives, disks, and mobile devices containing data are destroyed
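To put question 5 into practice, here is an added example (not from the original post) in PowerShell that walks a folder, reads each file’s NTFS ACL with Get-Acl, and reports every entry that grants read access to a broad principal such as Everyone or Domain Users. The path C:\Shares\HR and the list of “broad” group patterns are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post: report who can read files under a folder and
# flag read access granted to broad groups. The path and the group patterns are assumptions.
param(
    [string]$Path = 'C:\Shares\HR',
    [string[]]$BroadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        '*\Domain Users'
    )
)

# Any Allow entry that includes ReadData (which Read, ReadAndExecute, Modify and
# FullControl all contain) lets the principal open the file.
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAccess {
    param([string]$Root, [string[]]$Patterns)

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                # Only Allow entries; Deny entries are not subtracted, so this is a worst-case view.
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                if (([int]$ace.FileSystemRights -band [int]$readMask) -eq 0) { continue }

                $who   = $ace.IdentityReference.Value
                $broad = $false
                foreach ($p in $Patterns) {
                    if ($who -like $p) { $broad = $true; break }
                }
                if ($broad) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Identity  = $who
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

$findings = Get-BroadReadAccess -Root $Path -Patterns $BroadPrincipals
if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
    # Summary: how many files each broad principal can read
    $findings | Group-Object Identity | Select-Object Name, Count | Format-Table -AutoSize
} else {
    Write-Output "No read access granted to broad principals under $Path"
}
```

Run it as a user allowed to read ACLs on the share (an administrator or the share’s owner). Three things the listing will not show and that are still worth checking: share-level permissions, which are applied on top of the NTFS ACL; the membership of any group that appears in the output, since “HR Managers” may contain more people than its name suggests; and the backup service account and the Backup Operators group, which is exactly the point of the hint above: whoever can restore from last night’s backup can read the file too.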

Sincerely,

Mark


Avoiding a Social Engineering Attack

I’ve had a few clients ask, “How do I know an email or call is legitimately from Carolinas IT?” This is a very good question so I wanted to address it in this post. For any organization, standard company procedures and training form the first line of defense against being hacked or infected. Make sure your employees don’t give out information or follow links that could cause your system to be compromised. A social engineering attack is one of the most common ways that hackers attempt to penetrate your defenses. For instance, one of your users gets a very generic email or call from someone they don’t know who claims to be from their “IT Department,” and the caller or email asks them to provide password or account login information, or to download a new “patch.” These types of calls or emails are generally very plain, with no contact information, logos or other identifying information. This is very likely a fraud, and something that our staff would not do.

Emails and calls from Carolinas IT will always plainly feature our logos, contact information, and the name of the person sending, who is most likely someone you have dealt with in the past. Keep in mind that a sender address, a logo and a caller ID can all be copied or spoofed, so none of them proves anything on its own. If you have any questions, the best thing to do is to set the message aside, pick up the phone and call our main number yourself, using the number you already have on file rather than one given in the email or by the caller, and ask for the person. Our main phone number will not change, so by calling back in you have verified that you are speaking to someone who is legitimately from our organization. You can always call your Carolinas IT account rep as well.

A Few Comments From Our Clients

One of my favorite activities as the company president is to review the feedback that comes in daily from our clients. I summarize and send back out to all of our employees as a small way to recognize their efforts. I’ve pasted a screenshot from the folder where I keep those emails below. Makes me very proud to lead this team!



What Are You Reading?

Over the years, a common question that has been posed to me is, “What are you reading?” I try to mix it up a bit to gain perspectives from different angles, but my favorite topics are evident: History, Leadership, Inspiration, and Technology. Podcasts and audiobooks have become a mainstay of my professional education, turning otherwise wasted time travelling or waiting into a much anticipated period of learning. The list below is by no means comprehensive, but it hits most of the significant points that come to mind and have some lasting value. The Bible is a daily resource for me, and I refer to others frequently, such as The Purpose Driven Life, and Emerson’s writings. I didn’t include the mountain of technical books on administration and engineering of specific software applications, or Marine Corps centric publications and manuals. I hope you find something on the list of value!

Here’s a link to the full list: Reading and Podcast List.

With Warm Regards,

Mark
