Blog

You Can Stuff Your Sorries In A Sack, Mister

There’s a great quote from George Costanza on Seinfeld: “…you can stuff your sorries in a sack, mister.” Basically, saying “I’m sorry” just doesn’t cut it sometimes. This post examines some situations where saying “I’m sorry” just won’t be enough.

Consider this: How much should an executive be concerned that inattention to security causes damage to another person or organization?  What if by failing to implement proper security measures on your network, it becomes a tool that an attacker uses to damage another person or organization?

Network security can easily be far down on the list of challenges that an executive normally thinks about; there’s always something more pressing. Most have reconciled themselves to a certain amount of risk to their own business where security is concerned. Their thinking goes like this: “I probably need to invest more in security for my network, but we’re not having any problems right now, so it’s on the back burner until there’s a better time.”

We all know that if you have a car and you drive around with bad brakes or threadbare tires, you are negligent and will be held accountable if you cause an accident. Even if your insurance covers it, the pain caused can be devastating.

Consider the very realistic scenarios below:

  • One of the servers on your network has been used as a repository for illegal images and videos. The images are shocking, repulsive, and very harmful to all involved.
  • Your CEO is acquainted with executives of several publicly traded companies. His email account was compromised and was used to trick them into revealing non-public information that impacted share prices. The hackers used this to make several million dollars in stock trades.
  • Your network was compromised and used as a staging ground for an extortion scheme where a local firm’s data was encrypted and held for ransom. The hackers were from Eastern Europe. The local firm didn’t have a good backup, and had no choice but to pay the ransom.

The investigators show up and start asking questions:

  • Did you know this was happening, and did you have any part in it?
  • Have you taken any steps at all to secure your network?
  • Have you ever conducted a security evaluation for your network?
  • Did the system in question have the latest security patches and software?
  • What best practices do you follow?
  • Do you have any logs that could help identify who is responsible?

Avoiding an embarrassing and potentially damaging situation isn’t complicated and can be done within the constraints of your budget.

  • Conduct some type of security assessment. Have someone qualified check the network for weaknesses. There are various levels and tools that can be used, but even a quick check is better than nothing. Leverage your trusted partners to form a security team.
  • Implement a formal program of patching and updates for your systems and software. This must happen continually; it’s not something you can do once and then not think about for a couple of months.
  • Implement a program of network monitoring and logging. Gain visibility into what’s going on in your network, and keep the logs long enough that an investigator asking about an incident from months ago has something to work with.
  • Adhere to the principle of “least privilege”. If someone doesn’t need access for their duties, they don’t have it.
  • Implement a defense in depth strategy for your network, so that no single control is the only thing between an attacker and your data. This is what protects you against a zero-day attack: by definition there is no patch or signature for it yet, so the layers that don’t depend on recognizing the attack in advance (least privilege, network segmentation, monitoring, tested backups) have to contain it.
  • Publish and adhere to formal security and acceptable use policies.
  • Conduct education sessions for your team so they don’t fall prey to social engineering attacks, risky clicks, or other dangerous practices.

Hope this helps spur some thought, please let us know if we can be of assistance with making sure that your network is a safe, reliable, and productive platform for your organization.

Best Regards,

Mark

Help Desk Cooperative Program

Carolinas IT announces the launch of its North Carolina Help Desk Cooperative Program for municipalities and educational institutions throughout the state. The program provides group purchasing discounts and incentives for cost-effective Help Desk support.

Participating organizations may enroll in this program at the group rate and earn additional discounts in the form of credits for future service. These credits can be used for IT services work, helping to relieve the pressures of tight staffing and budgets. Furthermore, cooperative members continue to benefit as enrollment grows, leveraging the power of volume discounts!

Our experienced Help Desk staff in our Raleigh Network Operations Center are professional, courteous, and knowledgeable, earning a consistent A+ ranking from client evaluations. Please contact us to learn more and take advantage of this program for your organization.


The dirty secret about cloud computing

A stealthy threat is sapping the life out of the productivity gains that technology offers. Not only is it killing productivity, it is directly causing frustration, security breaches, HIPAA violations, and is draining precious funds. The threat is poorly designed cloud architecture. Often driven by end user demands, IT architectures that formerly were centralized, secured, and well managed are now suffering from unregulated sprawl and lack of control of data. Dropbox, Office 365, CRM, iCloud, Google Docs, AWS, and many, many others create pools of unregulated data splattered across the Internet. The ease of entry, familiarity of users due to personal use, and low initial cost may be tempting, but as use spreads throughout an organization, the damage amounts to a hidden tax as well as a liability to an organization. In my next post I’ll offer some analysis and possible solutions.

Leader’s IT Checklist for 2015 – 10 Proactive Questions to Save Time and Avoid Headaches

If you are like most leaders I know, your time is one of your most valuable assets. Taking time to think about your computer system may only happen rarely or if there are problems. As a leader, I’ve found that one of my most powerful time saving tools is to ask proactive questions of my staff. The answers provide insight into what is going right, and what needs improvement. I’ve put together a quick hit list of questions to help you be proactive, and ask the right questions to avoid problems, wastes of time, and productivity drains on your organization in 2015. There are many more, but these should provide a nice starting point to get the conversation going in the right direction.

1. What is your cloud strategy? As a leader, can you succinctly articulate it? Most organizations aren’t ready for a complete migration to either a Public or Private Cloud, but you should have a strategy that maps out your plan for leveraging the cloud over the next few years. Perhaps you start with one aspect of your network, such as email, and then systematically move other applications and services to cloud based platforms.

2. When was the last time you actually did a restore from your backup? If your office is shut down for a few days or weeks, or a critical component fails or data is destroyed, how would you keep functioning? How long (realistically) will it take to get you back in business? Can your team work from home if power is off at the office? Where are the backups actually kept, and who has access to them, both physically and logically?

3. How are you protected against the new wave of polymorphic (self-mutating) viruses and ransomware? It became very evident in 2014 that traditional firewalls do not provide protection against malware that can spawn thousands of variants in a day, and even the best signature-based anti-virus offers incomplete protection. Don’t find yourself in a situation where you are at the mercy of an Eastern European extortion scheme that is costly in terms of downtime, potential data loss, and compromise of confidential information.

4. If you had to produce documentation of licensing for every copy of Microsoft Office and every server and Client Access License in use, could you do it? Microsoft, Adobe, Symantec, and other software companies are very serious about enforcing software licensing. Saying “I thought it came with the PC” won’t help. In addition to the expense of getting in compliance, software firms will require historical records so they can figure out how much is owed from previous years, and then there are the fines and penalties. We’ve seen a dramatic increase in the number of these types of audits over the past year.

5. Do you know who within your organization has rights to information on your network? Who can see that HR spreadsheet that lists everyone’s salary? What about employee reviews? Hint – if they are backed up every night, then more people than you think probably have rights.

6. How would you know if something were about to go wrong, or had already gone wrong, on one of your critical devices? I don’t know how many times I’ve walked into a server room and seen a red light on a hard drive indicating it was failing or had already failed, and the system was running on a spare drive. Most devices have an amazing ability to provide information that gives insight into their health; how are you leveraging that ability?

7. If a laptop or mobile device was lost or stolen, would you worry about what information was on it? What data would be on it? Could you absolutely be certain the data could not be accessed or used?

8. Do any of your employees use file sharing or backup services such as Dropbox, Carbonite, Crashplan, or Google docs? Do you have access to this account? How do you control what they share with the world? Would it be possible for an employee to copy key documents from your network for use after they left your team?

9. How do you know that all of the devices on your network are patched, have the latest anti-virus, and are virus/malware free? Your network is only as strong as the weakest link. With more and more employees bringing their own device to work, you don’t want to let the virus that someone got from home cause a disruption to your business.

10. Do you have formal policies in place, has everyone in your firm been trained on them, and has this training been documented? Remember, it’s tough to hold someone accountable for something you didn’t tell them they couldn’t do. Some organizations can combine all of these into a single policy, others will need separate and distinct policies.

    • Acceptable Use – What they can and can’t do on the network
    • Mobile Device – What type of device can be used and how
    • Internet Access – What they can and can’t do on the Internet
    • Email and Communications – How email and communications tools can be used, how electronic communications are archived for future reference
    • Network Security – How the network is secured logically and physically from threats
    • Remote Access – How the network can be accessed remotely, by what devices and where
    • Media Destruction – How destruction of old hard drives, disks, and mobile devices containing data is handled
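Question 5 above (who can actually see the HR salary spreadsheet?) has a mechanical answer: walk the folder tree and report every place a catch-all group has been granted access. The script below is an added example, not something from the original post or from Carolinas IT; the share path in the comment is hypothetical, and the list of “broad” principals is an assumption you should extend with your own wide groups (an “All Staff” group, for instance). It builds a throwaway folder with a deliberately loose ACL so it can be run and seen working on any Windows machine.

```powershell
# Added example, not from the original post: list every folder under a share
# where a catch-all principal has been granted access. Point it at a share root
# (e.g. Find-BroadAccess -Path '\\fileserver\HR', a hypothetical path) as a user
# who can read the ACLs.

# Principals that mean "far more people than you think". Assumed list; extend it.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Domain Users'          # appears as DOMAIN\Domain Users, matched by suffix below
)

function Find-BroadAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Principals = $BroadPrincipals
    )
    # The root plus every subfolder; files almost always inherit from their folder.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id  = $ace.IdentityReference.Value
            $hit = $Principals | Where-Object { $id -eq $_ -or $id -like "*\$_" }
            if ($hit) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Principal = $id
                    Rights    = $ace.FileSystemRights.ToString()
                    Inherited = $ace.IsInherited    # $false: someone granted this right here
                }
            }
        }
    }
}

# Constructed demo: a folder with a deliberately loose ACL, so the function has something to find.
$demo = Join-Path $env:TEMP 'hr-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'Salaries') -Force | Out-Null
$acl  = Get-Acl -LiteralPath $demo
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'Everyone', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $demo -AclObject $acl

Find-BroadAccess -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

The Inherited column is the one to read first: an explicit (non-inherited) entry on a sensitive folder is where somebody made a decision, and the inherited entries below it are the consequence. Note the hint in the question: a service account used by the nightly backup typically has read access to everything, so check who can log on with that account, not just which humans appear in the output.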
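Questions 6 and 9 (is the hardware complaining, and is every device patched and running current anti-virus?) can be answered from one place rather than by walking the server room. The function below is an added example, not code from the original post or from Carolinas IT. It assumes WinRM (PowerShell remoting) is enabled for the remote case, that Windows Defender is the anti-virus (other products do not expose `Get-MpComputerStatus`, and the script says so rather than guessing), and the staleness thresholds of 45 days for patches and 3 days for signatures are assumptions to replace with your own patch cycle.

```powershell
# Added example, not from the original post: answer "is every device patched,
# is the anti-virus current, and is the hardware complaining?" for the local
# machine or, over WinRM (assumed enabled), for a list of machines.

function Get-EndpointHygiene {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$MaxPatchAgeDays = 45,   # assumed thresholds: set them to your patch cycle
        [int]$MaxSigAgeDays   = 3
    )
    $check = {
        param($MaxPatchAgeDays, $MaxSigAgeDays)
        $now = Get-Date

        # Newest installed update; a machine that has installed nothing in weeks is the weak link.
        $lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
                     Sort-Object InstalledOn -Descending |
                     Select-Object -First 1 -ExpandProperty InstalledOn
        $patchStale = (-not $lastPatch) -or (($now - $lastPatch).Days -gt $MaxPatchAgeDays)

        # Windows Defender exposes its state directly; third-party AV does not, so report that.
        $realTimeAv = 'unknown (not Windows Defender)'
        $sigAgeDays = $null
        $sigStale   = $null
        try {
            $av = Get-MpComputerStatus -ErrorAction Stop
            $realTimeAv = $av.RealTimeProtectionEnabled
            $sigAgeDays = ($now - $av.AntivirusSignatureLastUpdated).Days
            $sigStale   = $sigAgeDays -gt $MaxSigAgeDays
        } catch {}

        # The "red light on the drive" as the OS reports it (Storage module, Windows 8 / 2012 and later).
        $badDisks = @()
        try {
            $badDisks = @(Get-PhysicalDisk -ErrorAction Stop |
                          Where-Object { $_.HealthStatus -ne 'Healthy' } |
                          ForEach-Object { "$($_.FriendlyName): $($_.HealthStatus)" })
        } catch {}

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            LastPatch      = $lastPatch
            PatchStale     = $patchStale
            RealTimeAV     = $realTimeAv
            SigAgeDays     = $sigAgeDays
            SigStale       = $sigStale
            UnhealthyDisks = ($badDisks -join '; ')
        }
    }

    foreach ($c in $ComputerName) {
        if (@($env:COMPUTERNAME, 'localhost', '.') -contains $c) {
            & $check $MaxPatchAgeDays $MaxSigAgeDays
        } else {
            try {
                Invoke-Command -ComputerName $c -ScriptBlock $check `
                    -ArgumentList $MaxPatchAgeDays, $MaxSigAgeDays -ErrorAction Stop
            } catch {
                # An unreachable machine is itself a finding, not something to skip silently.
                [pscustomobject]@{ Computer = $c; LastPatch = $null; PatchStale = $null
                                   RealTimeAV = "unreachable: $($_.Exception.Message)"
                                   SigAgeDays = $null; SigStale = $null; UnhealthyDisks = $null }
            }
        }
    }
}

# Local machine:
Get-EndpointHygiene | Format-List

# Whole domain, weakest links only (Get-ADComputer needs the RSAT ActiveDirectory module):
# Get-EndpointHygiene -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) |
#     Where-Object { $_.PatchStale -or $_.SigStale -or $_.UnhealthyDisks }
```

Two caveats. Anything that is not in Active Directory (a personal laptop on the wireless, a contractor’s machine) is invisible to the domain-wide form, which is exactly the bring-your-own-device gap the question describes; pair this with something that watches the network for unknown devices. And a machine that reports “unreachable” should be treated as a failed check, not as a machine that is fine.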

Sincerely,

Mark


Avoiding a Social Engineering Attack

I’ve had a few clients ask, “How do I know an email or call is legitimately from Carolinas IT?” This is a very good question, so I wanted to address it in this post. For any organization, standard company procedures and training form the first line of defense against being hacked or infected. Make sure your employees don’t give out information or follow links that could cause your system to be compromised. A social engineering attack is one of the most common ways that hackers attempt to penetrate your defenses. For instance, one of your users gets a very generic email or call from someone they don’t know who claims to be from their “IT Department” and asks them to provide password or account login information, or to download a new “patch”. These types of calls or emails are generally very plain, with no contact information, logos or other identifying information. This is very likely a fraud, and something that our staff would not do: we will not ask you for your password, and we will not have you install a “patch” from a link in an unexpected email.

Emails and calls from Carolinas IT will always plainly feature our logos, contact information, and the name of the person sending, who is most likely someone you have dealt with in the past. Bear in mind that logos and names are easy to copy, so on their own they prove nothing. If you have any questions, the best thing to do is to set the email aside or end the call, pick up the phone and call our main number, and ask for the person by name. Use the number you already have on file, not one supplied in the email or by the caller. Our main phone number will not change, so by calling back in you have verified that you are speaking to someone who is legitimately from our organization. You can always call your Carolinas IT account rep as well.

A Few Comments From Our Clients

One of my favorite activities as the company president is to review the feedback that comes in daily from our clients. I summarize and send back out to all of our employees as a small way to recognize their efforts. I’ve pasted a screenshot from the folder where I keep those emails below. Makes me very proud to lead this team!

[Screenshot: folder of client feedback emails]


What Are You Reading?

Over the years, a common question that has been posed to me is, “What are you reading?” I try to mix it up a bit to gain perspectives from different angles, but my favorite topics are evident: History, Leadership, Inspiration, and Technology. Podcasts and audiobooks have become a mainstay of my professional education, turning otherwise wasted time travelling or waiting into a much anticipated period of learning. The list below is by no means comprehensive, but it hits most of the significant points that come to mind and have some lasting value. The Bible is a daily resource for me, and I refer to others frequently, such as The Gallic Wars, and Emerson’s writings. I didn’t include the mountain of technical books on administration and engineering of specific software applications, or Marine Corps centric publications and manuals. I hope you find something on the list of value!

Here’s a link to the full list: Reading and Podcast List.

With Warm Regards,

Mark


10 Things You Should Know About Cloud Computing

Over the past few years, much of the work we have done with clients involves some aspect of Cloud Computing. I thought I’d list out a few thoughts for anyone interested. For the sake of brevity, I just listed the main points that seem to come up frequently. There are many more, but these will get you started. As always, I’ll be glad to discuss any of them with you if you have questions.

1. “The Cloud” is not one single thing, it is comprised of an array of services offered by thousands of vendors across the Internet. Some may be of use to you, others probably aren’t. Much like you get services at home from various power, water, waste, yard maintenance, cleaning, painting, and maintenance providers, shifting services to the cloud allows you to pay for the service you are using. You don’t need to own the lawnmower and edger, you just want to know that the yard will look nice.

2. Just because you move one segment of your data to the cloud doesn’t mean you have to move everything there. It might make sense for your specific situation, but it isn’t a requirement. It might make sense to move your email first, but keep a local file server and have a cloud based backup system.

3. Most of our clients find that a hybrid strategy makes the most sense, leveraging public cloud services for some applications such as line of business, CRM, or ERP functions, while keeping highly sensitive or customized data and applications in a private cloud that they have more control over.

4. Private cloud usually provides more control, flexibility and performance, public cloud provides specific applications at a lower price. Both offer freedom from hardware and software upgrades cycles. Don’t assume either is secure, ask questions pertinent to your particular requirements. Don’t assume that all private clouds are equal. One may be running on a couple servers in someone’s basement, and another might have high end enterprise equipment. A tour to actually see the datacenter and meet the support personnel is a very good idea if possible.

5. Migrating data and applications to the cloud doesn’t always directly save money, it just shifts expenditures from Capital expenses to Operational expenses. Potential cloud savings may come in terms of operational efficiency, scalability, security, or flexibility rather than direct costs. Running an ROI analysis that incorporates as many aspects as possible will help you analyze and make a good decision.

6. The most important aspect of introducing cloud services into your organization is thinking through the workflow. How do your team members operate currently, what is the optimal way to operate, and can the cloud give you the workflow desired? If the design doesn’t support the workflow, the cloud deployment will fail, or end up being very expensive in terms of lost productivity.

7. It pays to understand licensing agreements of cloud models, especially with Microsoft products. The cheapest license may not be the one that supports your cloud workflow, and it may require you to purchase duplicate licenses to be in compliance. When a Microsoft audit (this is happening more frequently now) finds discrepancies, saying that you didn’t understand the licensing model won’t help pay the hefty fine.

8. Putting any aspect of your operation on a cloud based platform makes your internal network more important. Switching, routing, and security must be optimized to facilitate access to applications outside of your network. You will most likely need more bandwidth, but that isn’t the end of the story. Network addressing and naming are critical, as is a unified directory that minimizes creation of multiple accounts for multiple services.

9. When evaluating a cloud services provider, you should ask lots of questions. If the cloud provider is offended or secretive, find another vendor. Remember that data centers in other countries may not have the same requirements and controls of those in the US.

– Where is the data stored, backed up, and secured? What certifications does the data center have?

– What is their disaster plan? Do they have written SOPs? What kind of redundancy is built in?

– Who will have access to the data?

– Who provides support when needed, and what Service Level Agreements are available?

10. Everything has a beginning and an ending. It’s important to know that in the event you need to get your data back from a cloud service provider, you understand the costs, timeline, and downtime required for a move. You don’t want to be a “captive audience” of a service provider that doesn’t meet your needs.

Best Regards,

Mark

Cryptolocker Virus

We are beginning to see cases of a malware program called CryptoLocker. It is dangerous ransomware that infects a PC and then encrypts files on that PC and on any network shares it can reach, including mapped drives. Once encrypted, the files cannot be accessed, and a ransom demand is made in order to get the key to unlock them. If the demand isn’t met, the files stay encrypted and are permanently unusable. Even if the payment is made, sometimes the files are damaged beyond repair. This has the potential to make all files on your network unusable, so it is very serious.

 Here is a safe link that provides details:

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

 Carolinas IT recommends the following actions to protect your network, please contact your account representative if you have any questions.


  1. Be sure that all servers and workstations are up to date with patches and anti-virus updates. Use Active Directory Group Policy to lock down systems on the network so the malware can’t run: Software Restriction Policies or AppLocker rules that block executables launched from user-writable locations such as %AppData% and %Temp%, which is where this malware drops itself. (If you are covered by NetOp Complete, we take care of this for you.)
  2. Don’t open attachments or links you weren’t expecting.  If it’s an email attachment or link you weren’t expecting, or from someone you don’t know or do business with, pick up the phone and call them to verify that it is legitimate.  We have seen Cryptolocker arrive in an email that appears to be concerning Payroll data.  Malware attempts can be sneaky, arriving in the form of what look like Facebook, LinkedIn, shipping, or banking notifications with vaguely named attachments. NEVER open an attachment unless you know the person sending it to you and you’re expecting a file on the topic mentioned.
  3. If you do click on something unsafe and receive a CryptoLocker message, disconnect from your network connection immediately. While this won’t save your computer and files from infection, it may keep the program from spreading and infecting the rest of the network.
  4. Have a reliable backup mechanism and test it monthly as part of a disaster recovery plan. Keep at least one copy offline or versioned: because CryptoLocker also encrypts files on mapped network drives, a backup that sits on an always-connected share can be encrypted along with everything else. Once infected with CryptoLocker, the only resolution is to delete the encrypted files and restore from a good backup taken before the infection.
  5. Upgrade your firewall to a model that scans files as they enter your network. This gives you a defense in depth that should stop threats at the perimeter of your network before they have a chance to do damage. Cisco, Palo Alto, and WatchGuard all have very good solutions. Make sure the specific model of firewall you have actually has this functionality; many basic models do not.
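Step 1 above says to use Active Directory to keep the malware from running; here is what that looks like in practice, as an added example that is not from the original post or from Carolinas IT. The policy below is the AppLocker default rule set for executables (allow Program Files and Windows for everyone, allow everything for Administrators); because AppLocker denies anything no rule allows, an .exe that lands in a user’s AppData folder is blocked without needing an explicit deny rule. The script tests that claim against a harmless copy of notepad.exe placed where CryptoLocker put itself, before anything is enforced. The GUIDs and file names are arbitrary; the rest is the AppLocker policy format as Windows exports it.

```powershell
# Added example, not from the original post: build an AppLocker executable policy
# that allows only Program Files and Windows (the built-in default rules), then
# prove, before enforcing it, that an .exe dropped under the user's AppData is
# blocked. Requires the AppLocker module (Windows 7 / Server 2008 R2 and later).
Import-Module AppLocker

# Rule Ids are arbitrary GUIDs; S-1-1-0 is Everyone, S-1-5-32-544 is Administrators.
# EnforcementMode="AuditOnly" logs what would be blocked without blocking it.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Administrators: everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'exe-policy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Simulated drop (constructed, harmless): a copy of notepad.exe in the user's
# roaming AppData folder, the location CryptoLocker ran from.
$dropper = Join-Path $env:APPDATA 'sample-dropper.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $dropper -Force

# Evaluate the policy as the Everyone identity against both the drop and the real notepad.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $dropper, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Remove-Item $dropper
```

The copy under AppData comes back with a PolicyDecision of DeniedByDefault, because no allow rule covers it, while the real notepad.exe matches the Windows rule and is Allowed. Deploy the XML to a GPO with `Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap <GPO path>`, leave it in AuditOnly for a couple of weeks, and review the AppLocker “EXE and DLL” event log for event 8003 (would have been blocked) to catch legitimate software that installs per-user before you switch EnforcementMode to Enabled. Two caveats: the Windows rule as written also allows user-writable paths such as %WINDIR%\Temp, so tighten it with exceptions once the audit is clean; and AppLocker enforcement needs an edition that supports it (Enterprise or Ultimate for Windows 7), so on Professional editions the equivalent is a Software Restriction Policy with the same allow paths.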

Building the Reservoir of Trust

This blog post is a summary of a group discussion from our company meeting held on June 7th, 2013.  Hopefully this will explain the conversational nature of the post, and you will forgive the poor structure.

One of the most intense scenes from a movie is the D- Day landing from Saving Private Ryan. I’ve watched it many times, and each time I’m amazed by the firm determination of the American troops as they assaulted the beach into the waiting German defenders. What kind of leadership must have been in force for those men to plan and carry out that attack, knowing that at any moment they could be killed or horribly injured?

Most of the leadership challenges we face are nowhere near as intense as that, but solid leadership is still important. As I think about the kind of leadership that must have been present that day, “Esprit de Corps” seems to be a foundational component.

That bond between team members, that common spirit and devotion to the group, inspires enthusiasm. The glue that securely holds that bond is trust; without it nothing else amounts to much. When you don’t have trust, when trust breaks down, it’s easy to spot:

– Every question from a leader becomes a challenge to the competence, loyalty or ability of the team member.

– Every response from the team member becomes insubordination.

Here’s what it sounds like: “Well, what about the specifications right here on the paper? Did you think about this variable? Why didn’t you anticipate x, y or z?” (Say it in an accusatory manner with a sneer to get the full effect.)

We’ve analyzed the increased operational tempo that is made possible by decentralized operations, so I won’t go into detail here, but decentralized ops relies on an implicit contract between leader and those led.

The leader will provide big picture, the vision, the intent, and the subordinate agrees to make decisions in line with that big picture.

The leader agrees to delegate that authority in order to gain the rapid tempo unleashed when the person on the scene with the facts can make a decision and act on it quickly.

What if we analyzed the implicit agreement in the other direction, what would that look like?

In order to figure this out you’d have to ask yourself, what does the team want?

– To be listened to.

– To have as much information as is reasonably possible.

– To be treated with respect.

– To be encouraged and mentored.

– To be provided with as good of a working environment as is possible.

In exchange for those things, what will the team do for the leader?

The team will give their leader the benefit of the doubt, understanding that he’s going to make decisions and ask them to do things that may not always seem to make sense at the time. Over cycles of operation, the trust will build and become so ingrained that the leader and his/her team operate as if they are in constant communication, even if they haven’t spoken for days.

Decisions will be vigorously and enthusiastically implemented as if the team had come up with them originally.

Not begrudgingly, not with whispers and eye rolling.  You won’t hear someone say something to the effect of “I really don’t think this is a good idea, but the boss says it’s the way we’ve got to do it, so that’s what we’re going to do.”

What about dissent? How should that be handled?

Dissent is important as a source of new ideas and as a disruption from the normal routine.  Dissent plays a vital role in giving rise to innovation.  However, it must be presented respectfully, in the right time and place.  Good leaders provide mechanisms to capture, analyze and evaluate dissent such as regular meetings with subordinates,  suggestion boxes, and group discussions.  Dissent presented in a positive manner is helpful and should be encouraged.  Dissent presented at the wrong time, with the wrong attitude, in a disrespectful manner should be handled with decisiveness, firmly and calmly, and the individual should be immediately removed from the scene.

Tip for leaders – You’ve got to build up enough of a reservoir of trust and respect, that even when they don’t agree with you, the team will have enough confidence in your ability and judgment that they will give you the benefit of the doubt, remain loyal, and circle back to discuss when time allows.

A common mistake many leaders make is being short and not feeling like the team deserves an explanation.

You should try to provide the team as much of the big picture as you can, along with your intent and vision.  Bits and pieces leave them scratching their heads and wondering why they can’t be trusted with the truth and provided with updated situational awareness.

Leaders, remember: you owe them an explanation. You can’t expect to just give your team bits and pieces of information and then hammer them when they ask questions. Take the time, show them the respect of explaining what’s going on. Communicate (that means listen as well as talk). Show respect, take the time to build up that reservoir of trust, and see how your Esprit de Corps develops.


