| Carolinas IT

Experience peace of mind.

Blog

Avoiding a Social Engineering Attack

I’ve had a few clients ask, “How do I know an email or call is legitimately from Carolinas IT?” This is a very good question so I wanted to address it in this post. For any organization, standard company procedures and training form the first line of defense against being hacked or infected. Make sure your employees don’t give out information or follow links that could cause your system to be compromised. A social engineering attack is one of the most common ways that hackers attempt to penetrate your defenses. For instance, if one of your users gets a very generic email or call from someone they don’t know that claims to be from their “IT Department”, and this caller or email requests that they provide password or account login information, or download a new “patch”. These type of calls or emails are generally very plain, with no contact information, logos or other identifying information. This is very likely a fraud, and something that our staff would not do.

Emails and calls from Carolinas IT will always plainly feature our logos, contact information, and the name of the person sending, who is most likely someone you have dealt with in the past. If you have any questions, the best thing to do is to just pick up the phone and call our main number and ask for the person. Our main phone number will not change, so by calling back in you have verified that you are speaking to someone who is legitimately from our organization. You can always call your Carolinas IT account rep as well.

A Few Comments From Our Clients

One of my favorite activities as the company president is to review the feedback that comes in daily from our clients. I summarize and send back out to all of our employees as a small way to recognize their efforts. I’ve pasted a screenshot from the folder where I keep those emails below. Makes me very proud to lead this team!

April-BZ-JPG

What Are You Reading?

Over the years, a common question that has been posed to me is, “What are you reading?” I try to mix it up a bit to gain perspectives from different angles, but my favorite topics are evident: History, Leadership, Inspiration, and Technology. Podcasts and audiobooks have become a mainstay of my professional education, turning otherwise wasted time travelling or waiting into a much anticipated period of learning. The list below is by no means comprehensive, but it hits most of the significant points that come to mind and have some lasting value. The Bible is a daily resource for me, and I refer to others frequently, such as The Gallic Wars, and Emerson’s writings. I didn’t include the mountain of technical books on administration and engineering of specific software applications, or Marine Corps centric publications and manuals. I hope you find something on the list of value!

Here’s a link to the full list: Reading and Podcast List.

With Warm Regards,

Mark

10 Things You Should Know About Cloud Computing

Over the past few years, much of the work we have done with clients involves some aspect of Cloud Computing. I thought I’d list out a few thoughts for anyone interested. For the sake of brevity, I just listed the main points that seem to come up frequently. There are many more, but these will get you started. As always, I’ll be glad to discuss any of them with you if you have questions.

1. “The Cloud” is not one single thing, it is comprised of an array of services offered by thousands of vendors across the Internet. Some may be of use to you, others probably aren’t. Much like you get services at home from various power, water, waste, yard maintenance, cleaning, painting, and maintenance providers, shifting services to the cloud allows you to pay for the service you are using. You don’t need to own the lawnmower and edger, you just want to know that the yard will look nice.

2. Just because you move one segment of your data to the cloud doesn’t mean you have to move everything there. It might make sense for your specific situation, but it isn’t a requirement. It might make sense to move your email first, but keep a local file server and have a cloud based backup system.

3. Most of our clients find that a hybrid strategy makes the most sense, leveraging public cloud services for some applications such as line of business, CRM, or ERP functions, while keeping highly sensitive or customized data and applications in a private cloud that they have more control over.

4. Private cloud usually provides more control, flexibility and performance, public cloud provides specific applications at a lower price. Both offer freedom from hardware and software upgrades cycles. Don’t assume either is secure, ask questions pertinent to your particular requirements. Don’t assume that all private clouds are equal. One may be running on a couple servers in someone’s basement, and another might have high end enterprise equipment. A tour to actually see the datacenter and meet the support personnel is a very good idea if possible.

5. Migrating data and applications to the cloud doesn’t always directly save money, it just shifts expenditures from Capital expenses to Operational expenses. Potential cloud savings may come in terms of operational efficiency, scalability, security, or flexibility rather than direct costs. Running an ROI analysis that incorporates as many aspects as possible will help you analyze and make a good decision.

6. The most important aspect of introducing cloud services into your organization is thinking through the workflow. How does your team members operate currently, how is the optimal way to operate, and can the cloud give you the workflow desired? If the design doesn’t support the workflow, the cloud deployment will fail, or end up being very expensive in terms of lost productivity.

7. It pays to understand licensing agreements of cloud models, especially with Microsoft products. The cheapest license may not be the one that supports your cloud workflow, and it may require you to purchase duplicate licenses to be in compliance. When a Microsoft audit (this is happening more frequently now) finds discrepancies, saying that you didn’t understand the licensing mode won’t help pay the hefty fine.

8. Putting any aspect of your operation on a cloud based platform makes your internal network more important. Switching, routing, and security must be optimized to facilitate access to applications outside of your network. You will most likely need more bandwidth, but that isn’t the end of the story. Network addressing and naming are critical, as is a unified directory that minimizes creation of multiple accounts for multiple services.

9. When evaluating a cloud services provider, you should ask lots of questions. If the cloud provider is offended or secretive, find another vendor. Remember that data centers in other countries may not have the same requirements and controls of those in the US.

- Where is the data stored, backed up, and secured? What certifications does the data center have?

- What is their disaster plan? Do they have written SOPs? What kind of redundancy is built in?

- Who will have access to the data?

- Who provides support when needed, and what Service Level Agreements are available?

10. Everything has a beginning and an ending. It’s important to know that in the event you need to get your data back from a cloud service provider, you understand the costs, timeline, and downtime required for a move. You don’t want to be a “captive audience” of a service provider that doesn’t meet your needs.

Best Regards,

Mark

Cryptolocker Virus

We are beginning to see cases of a malware program called Cryptolocker.  It is a dangerous malware/virus that infects a PC, and then uses that system to infect files on the network.  Once infected, the files cannot be accessed, and a ransom demand is made in order to get a key to unlock the files.  If the demand isn’t met, the files are permanently unusable.  Even if the payment is made, sometimes the files are damaged beyond repair.  This has the potential to make all files on your network unusable, so it is very serious. 

 Here is a safe link that provides details:

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

 Carolinas IT recommends the following actions to protect your network, please contact your account representative if you have any questions.

 

  1. Be sure that all servers and workstations are up to date with patches and anti-virus updates.  Use Active Directory to lock down systems on the network so the virus can’t run.  (If you are covered by NetOp Complete, we take care of this for you)
  2. Don’t open attachments or links you weren’t expecting.  If it’s an email attachment or link you weren’t expecting, or from someone you don’t know or do business with, pick up the phone and call them to verify that it is legitimate.  We have seen Cryptolocker arrive in an email that appears to be concerning Payroll data.  Malware attempts can be sneaky, arriving in the form of what look like Facebook, LinkedIn, shipping, or banking notifications with vaguely named attachments. NEVER open an attachment unless you know the person sending it to you and you’re expecting a file on the topic mentioned.
  3. If you do click on something unsafe and receive a CryptoLocker message, disconnect from your network connection immediately. While this won’t save your computer and files from infection, it may keep the program from spreading and infecting the rest of the network.
  4. Have a reliable backup mechanism and test it monthly as part of a disaster recovery plan.   Once infected with Cryptolocker, the only resolution is to delete the files and restore from a good backup prior to the infection.
  5. Upgrade your firewall to a model that scans files as they enter your network.  This gives you a defense in depth that should stop threats at the perimeter of your network before they have a chance to do damage.  Cisco, Palo-Alto, and Watchguard all have very good solutions.  Make sure the specific model of firewall you have actually has this functionality, many basic models do not.

Building the Reservoir of Trust

This blog post is a summary of a group discussion from our company meeting held on June 7th, 2013.  Hopefully this will explain the conversational nature of the post, and you will forgive the poor structure.

One of the most intense scenes from a movie is the D- Day landing from Saving Private Ryan. I’ve watched it many times, and each time I’m amazed by the firm determination of the American troops as they assaulted the beach into the waiting German defenders. What kind of leadership must have been in force for those men to plan and carry out that attack, knowing that at any moment they could be killed or horribly injured?

Most of the leadership challenges we face are nowhere near as intense as that, but solid leadership is still important. As I think about the kind of leadership that must have been present that day, “Esprit de Corps” seems to be a foundational component.

That bond between team members, that common spirit and devotion to the group that inspires enthusiasm. The glue that securely holds that bond is trust, without it nothing else amounts to much. When you don’t have trust – when trust breaks down, it’s easy to spot

-          Every question from a leader becomes a challenge to the competence, loyalty or ability of the team member.

-          Every response from the team member becomes insubordination.

Here’s what is sounds like: “Well, what about the specifications right here on the paper? Did you think about this variable? Why didn’t you anticipate x, y or z? (Say it in an accusatory manner with a sneer to get the full effect)

We’ve analyzed the increased operational tempo that is made possible by decentralized operations, so I won’t go into detail here, but decentralized ops relies on an implicit contract between leader and those led.

The leader will provide big picture, the vision, the intent, and the subordinate agrees to make decisions in line with that big picture.

The leader agrees to delegate that authority in order to gain the rapid tempo unleashed when the person on the scene with the facts can make a decision and act on it quickly.

What if we analyzed the implicit agreement in the other direction, what would that look like?

In order to figure this out you’d have to ask yourself, what does the team want?

-          To be listened to.

-          To have as much information as is reasonably possible.

-          To be treated with respect.

-          To be encouraged and mentored.

-          To be provided with as good of a working environment as is possible.

In exchange for those things, what will the team do for the leader?

The team will give their leader the benefit of the doubt, understanding that he’s going to make decisions and ask them to do things that may not always seem to make sense at the time. Over cycles of operation, the trust will build and become so ingrained that the leader and his/her team operate as if they are in constant communication, even if they haven’t spoken for days.

Decisions will be vigorously and enthusiastically implemented as if the team had come up with them originally.

Not begrudgingly, not with whispers and eye rolling.  You won’t hear someone say something to the effect of “I really don’t think this is a good idea, but the boss says it’s the way we’ve got to do it, so that’s what we’re going to do.”

What about dissent? How should that be handled?

Dissent is important as a source of new ideas and as a disruption from the normal routine.  Dissent plays a vital role in giving rise to innovation.  However, it must be presented respectfully, in the right time and place.  Good leaders provide mechanisms to capture, analyze and evaluate dissent such as regular meetings with subordinates,  suggestion boxes, and group discussions.  Dissent presented in a positive manner is helpful and should be encouraged.  Dissent presented at the wrong time, with the wrong attitude, in a disrespectful manner should be handled with decisiveness, firmly and calmly, and the individual should be immediately removed from the scene.

Tip for leaders – You’ve got to build up enough of a reservoir of trust and respect, that even when they don’t agree with you, the team will have enough confidence in your ability and judgment that they will give you the benefit of the doubt, remain loyal, and circle back to discuss when time allows.

A common mistake many leaders make is being short and not feeling like the team deserves an explanation.

You should try to provide the team as much of the big picture as you can, along with your intent and vision.  Bits and pieces leave them scratching their heads and wondering why they can’t be trusted with the truth and provided with updated situational awareness.

Leaders  remember – you owe them an explanation.  You can’t expect to just give your team bits and pieces of information and then hammer them when they ask questions.  Take the time, show them the respect of explaining what’s going on.    Communicate (that means listen as well as talk)  Show respect, take the time to build up that reservoir of trust and see how your Esprit de Corps develops.

 

Avoiding a “Zero Day” Attack

Over the past few months, we have seen an increasing threat to networks we support.  The problem is that the new viruses are changing so fast that the Anti-virus providers can’t keep up with them.  The pattern we are seeing is that code is embedded into an existing virus that causes it to change (mutate) into a new version that makes it look like something the anti-virus software hasn’t labeled as a virus.  This leads to what is known as a “zero day” attack, where you get hit before your AV product has the latest code.

A better long term solution is to upgrade the firewall to something that actually scans files as they enter your network and controls what your network users can do on the Internet.  A basic firewall is good, in that it blocks intruders from unauthorized access to your network.  It works kind of like the doors/windows on your house.  You can open certain doors or windows, and let things that normally come in to those doors through.  So for instance, you open the door (actually called a port) that web traffic comes in and out on so your employees can use the web for legitimate work.  Well, that port is now open, so in addition to legitimate work, they can browse facebook.  Unfortunately, if they click on a facebook post that has a virus, that virus can come in through the open port.

What is needed is something that not only controls ports, but actually looks at the traffic that comes in through the port, and allows you to control that traffic in a very granular manner (so for instance, you could allow certain employees to access Facebook during lunch, but not use Facebook chat)

We’ve seen these next generation firewalls in action and they are very impressive and give you great visibility to what is coming into and going out of your network.  The system uses built in intelligence, and links back to a research center to screen for threats that are known as well as threats that haven’t yet been documented.

Both Cisco and Palo Alto have some great solutions.   Which one you choose depends on your particular needs.   Here’s a link to an information sheet that gives a very good description of how they work. : http://media.paloaltonetworks.com/documents/datasheet-firewall-feature-overview.pdf

Here is some good Cisco reference material on their Intrusion Prevention System: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459520.html

Here is a link to some videos that describe how one of the the systems work: http://www.paloaltonetworks.com/literature/videos/    Check out the one labeled “Next-Generation Firewalls: A New Dimension to Network Security”  for an overview of the system.

A New Vision By Asking Some Tough Questions

Over the years, I’ve read volumes of books and articles that address the subject of maximizing business performance and operations.  Most all of them agree that one of the most critical things you can do as a business owner is to stake out your vision for the company.   The vision should be the statement of your intent as the business owner.  It describes how you as the business owner see the company evolving.  It is a statement of where you want the company to go.  Many years ago, we as a company embarked on a discussion to craft our own vision statement.  We were all proud of our completed product:

“Our vision is to be the technology support partner of choice for organizations in the Southeastern United States through our innovation, dedication to operational excellence, leadership, and effective delivery of professional services.”

Earlier this year, I began to ask myself some tough questions.  Does the vision truly reflect who we want to be?  Does it accurately represent why we exist as a company?   Does it reflect what makes us unique?   When you parse it out, is it in sync with my most basic ideas of leadership?  I had a nagging feeling that it was too similar to the vision of every other company whose leader read Good to Great.   That it sounded overly “corporate”.  That it was more about who I thought we should be than who I knew we should be, and who we truly were.  Over the course of a few weeks,  I began to work up a new vision.  I realized that the vision had to say things that only I could authorize.  I wanted it to be a bold pronouncement of who we were, of what made Carolinas IT such a special place.  It had to give guidance that a team member could use when making decisions.  With some help from our team, it  took shape.  I think we finally got it right.

Can you see any differences?  Let me know what you think.  What would the answers be if you asked yourself some tough questions?

“We are building a world class technology services organization where our team members are valued and treated with respect.  Our company provides talented professionals with a challenging opportunity to learn, contribute, and grow while supporting their families and maintaining a healthy work-life balance.   Our formula for providing great services to our clients depends on enabling and supporting our employees, enhancing their quality of life while enabling them to share in our financial success.”

Mark

 

Don’t Jerk the Trigger

I’ve always been fascinated with the power of words.  How words are used to convey ideas.  How a word can mean multiple things to different people, how words can inspire, and if used the wrong way, how damaging they can be.  Here’s a story to illustrate.   It’s a five minute read, but perhaps you will find something of value in return for your time.

Tim was on his high school football team.  He was fairly athletic, and fast enough to do the job, but just never seemed to have what it took to be on the starting squad.   His coaches usually put him in when the game had been decided one way or another.  The last game of the season, in the last few minutes when his team was in the lead, the starting defensive safety got hurt.  Tim was up, this was his chance.  If he could just keep the other team from scoring, his team would win.  As he buttoned his helmet and ran on the field from the sidelines, his coach said “OK Tim, just don’t get burned.”    Those words stuck with him as he ran onto the field…”don’t get burned”  he said it over a few times as the opposing team came to the line.   The play unfolded right at him, the receiver ran a quick pattern, smoothly accelerated around him as the ball met his outstretched hands just out of Tim’s reach.  He got burned.  He felt terrible.  As he came back to the sidelines, his coaches wouldn’t even look at him.  On the bus home, he was sitting behind the starting safety, Paul.  He told Paul he was sorry he blew it, and asked how Paul was able to consistently avoid getting burned.  Paul said, “Well, sometimes it happens to me too, but when I’m out there I look at the receiver and tell myself “I’ve got him covered.  If the ball comes my way I will be the one to get it or knock it down. I will get that ball.  I just keep telling myself that I will get that ball.”  Tim thought about it, he had a flicker of recognition that there was something different between what he had told himself and what Paul consistently did, but it soon got buried under the bundle of shame and guilt over the game.

A few years later, Tim had joined the Marines and was going through his initial training.  The candidates were being tested to see if they had the endurance to make it, and they were halfway through a ten mile hike with full gear.  Tim knew if he didn’t keep up it would hurt and even possibly end his career before it started.  He was hot, sore, tired and aching.  His platoon sergeant had just come by and noticed Tim was hurting.  He yelled at him…”I see that look in your eye, you better not fall out of this formation…”  Tim thought about all that was at stake and repeated it to himself….”you better not fall out”,   over and over to himself.  It helped for a bit, but after a few minutes he slowly fell behind.  Luckily, his platoon stopped for a quick break before it was evident.  One of the older guys in the platoon came over.  “What’s up with you?” he said.  “I’m hurting, I don’t know if I can make it.”  “OK, I hear you” the older guy said.  “Look at me.”  Tim looked up.  “When we start back up, I want you to tell yourself something, OK?”  “OK” Tim said.  “You tell yourself that you can do this all day.  You tell yourself that you are good to go and that you will stay in this formation.  You will make it. You will stay in this formation.  Got it?”  “Got it” said Tim.  The hike was tough, but as Tim finished with his platoon he was filled with pride and felt like if he could make it through that hike, he could make it through anything.  Later that evening, he didn’t remember much about the second half of the hike except the words echoing through his mind “you will make it.”

A week later, Tim was on the rifle range, qualifying with his weapon.   His shots were inconsistent.  Some would go high, some low, and some right on target.  His Platoon Sergeant came by and chastised him, “You’re jerking the trigger, that’s what’s causing that pathetic pattern of yours.  Don’t jerk the trigger.”  Tim tried not to jerk the trigger, and it worked for a little while, but he soon fell back into the same pattern.  The range coach noticed it and came by during a scoring break.  “OK, look at me.” He said.  “Now, when you are firing, I want you to remember something.  Are you listening?”  “Yes” Tim said.  “Slow steady  squeeze” said the coach.  “That’s what I want you to do.   Slow steady squeeze.”  The coach had him dry fire a couple rounds.  (pulling the trigger with no round in the chamber just to practice)   “Remember, slow, steady squeeze.  Say it back to me.”  “Slow, steady squeeze”, repeated Tim, with confidence.  From then on, his shots were consistently better.  It took him a while, but once he mastered the other techniques of marksmanship, they were dead center, every time.  As he pinned his “Expert” badge on his uniform, that flicker of recognition of the pattern that he had first noticed on the long bus ride home back in high school suddenly struck him.

It became clear to him that his mind and body were connected far more than he ever realized.   More importantly though, he realized that his subconscious mind was really the one in charge much of the time.    Especially when there was no time to think, or during periods of stress, or when he was just running on “autopilot” and not really thinking.   At a deeper level, his subconscious mind didn’t seem to recognize words negative commands, or “do nots”.  While his conscious mind heard “Don’t get burned.”, his subconscious mind landed and stuck on the word “burned”.  When the conscious mind heard   “Don’t jerk the trigger, or “don’t fall out”,  what stuck were essentially commands to  “Jerk” and “Fall out”. 

Not convinced?

Don’t think about penguins.

 What kinds of things do you tell yourself?  What do you tell your spouse, your kids, and your co-workers?    What if you made a subtle change to how you talked to yourself and those around you every day?

Page 1 of 3