Most reasonable people know they are not perfect, and even accept that they don’t need to be, but it doesn’t stop us from continually striving to improve. We use technology to do things faster, longer, further, and any number of other “-ers” you can think of, typically in the name of being better. The fundamental reason technology exists is to provide tools that extend our abilities beyond that of which we are humanly capable. Technology is a primal multiplier of our own capabilities, good and bad, and amplifying the latter can lead to disastrous outcomes.
Here comes the technology soapbox!
I work with a lot of people, and as you might imagine, none of us are perfect. I see these bad technology practices often enough to know that every one of us is probably guilty of at least one or more of these bad habits, some of which are nasty enough that not breaking them could have serious consequences.
- Not securing mobile devices and laptops with encryption and passwords or pins. Unless your device is a pure entertainment device with zero sensitive information, you should be locking your devices. It’s inconvenient, but so is having your private info leaked onto the internet. Don’t think your info is worth leaking? How about your client’s email correspondence or that private conversation with your family and friends? You may think you have nothing to hide, but the people you interact with on your device also have a say in that privacy decision.
- Using insecure passwords for important accounts. You know this is bad, I don’t even have to explain why. And yet I remind people everyday the importance of using strong, unique passwords that are frequently changed. Breaking this bad habit is hard, but it’s just one of those things we have to do.
- Poor file organization. Very few of us fall into the minority of computer users who stick with a system of organizing all of their documents. A large number of us fall into the category of using our Desktop as a catch-all, and since it can’t overflow onto the floor like real paper, it can get really bad without warning. File that stuff away so you can find it later when you or someone else needs it.
- Poor email management. The email monster will eventually overwhelm even the most experienced technology veteran. Email has been around a long time: we’ve had decades to build up many bad habits in this category, but the number one is an out-of-control “Unread Count.” If you can no longer use that number as a gauge of what needs to be done, you are losing out on a valuable tool.
- Read (and think) before clicking. Most of us have been using computers long enough now that it’s a reflex to click buttons, especially if they say “OK” or “Continue”, and often that leads to disaster. When a dialog pops up or a strange email link presents itself, stop, read, and consider your next action. A minute of critical thinking can make the difference between “delete” and “malware infection.”
- Infrequent or no data backups. This one still surprises me. Very smart people are still making poor choices in regards to securing their data. Backup services are so easy and inexpensive there is literally no excuse to not back up your data.
- Relying on technology to be infallible. Fortunately, this seems to be a habit that is slowly being hammered out of everyone, if only through the constant media exposure of all the data breaches and hacks. Accepting that technology can fail isn’t admitting defeat. Instead it’s a core belief that leads to using it more effectively – understanding and accounting for limitations of a system is the the “yin” to technology’s “yang”.
Image courtesy of atibodyphoto at FreeDigitalPhotos.net
When I attended Cal State University Northridge over twenty years ago, I was already well into my career as a technology consultant. Instead of pursuing a degree in Information Systems or Computer Engineering I chose to complete my degree in English Composition, not because I didn’t love technology, but because the courses offered in most university technology programs were already outdated, even antiquated by the standards of the time. I remember clearly the course that cemented my decision: “COBOL Programming” – offered in 1990 as a requirement for several technology degrees. At the time, COBOL would have been 30 years old, and even a young, wet-behind-the-ears consultant knew that this platform couldn’t possibly be in use much longer. Sadly, this has not been the case, and now America’s biggest banks are in a race against the clock to replace COBOL-backed infrastructure with more sustainable technology.
What this means for you
Despite the continuing, strident need for better security on all network-based services (banking systems fall definitively into this category), many of this country’s largest financial institutions rely on technology that was developed in 1959 and has been held together by a dwindling cadre of COBOL engineers and consultants, some of whom are long since retired, and whose ranks are actually being thinned out by the final arbiter of obsolescence: death. While I’m fairly certain C2 clients aren’t reliant on ancient technology like COBOL, there are plenty of businesses both big and small who are leaning heavily on older and even officially obsolete platforms for core business processes, if only because they haven’t budgeted for that platform’s replacement. The important lesson to learn here is that rather than having your hand forced by things like complete lack of support, planning for replacement of systems should be a critical part of your business planning every year. The financial hit may be significant, but it will be controlled and planned versus pouring emergency money into a dying system to keep the lights on while madly scrambling to find a replacement.
As a parent, I fight a constant battle with my daughter about whether she is dressed appropriately for the day’s weather conditions. Even though we are making slow progress as she matures and is starting to apply experiential learning to her decisions, there’s still a lot of back and forth, “This jacket will be too hot later, but this sweater is not warm enough now,” and then forgets to bring either one as we rush out the door for school. This interchange is strikingly similar to exchanges I have with my some of my clients who, while being mature, successful business professionals, are still learning how to prepare for the digital equivalent of bad weather. Fortunately for them, you can tackle it like you would approach cold weather – handle it in layers.
Whatchu’ talkin’ ’bout, Woo?
Unlike the weather, computer security isn’t likely “warm up” anytime soon, so you’d better bundle up. Here’s how you should be layered:
- Layer 1: Workstation antivirus – Never turn it off, never remove it. Also note that using multiple antivirus applications is never recommended. More does not equal better in this case. It’s like wearing two pairs of pants – you can do it, but it’s definitely going to slow you down and going to be very uncomfortable. In the case of a computer, it might even prevent either product from working effectively.
- Layer 2: Workstation antimalware – Not always the same as “Layer 1”. Some products handle both, such as Webroot’s SecureAnywhere which we use for our clients. Some, like Malwarebytes or Microsoft’s Defender, are meant to be used in concert with an antivirus product. The lines are blurring between viruses and malware, but these products typically focus on adware, spyware and software not considered malicious, but of questionable utility or intent.
- Layer 3: Workstation firewall – even if your computer is behind a perimeter firewall, having a computer firewall in place can provide extra protection, and if it’s programmed properly, will rarely interfere with regular operations. Some products like SecureAnywhere include their own firewall, but even Microsoft’s built-in firewall is better than nothing.
- Layer 4: Perimeter firewall – this typically resides between your computer and the internet. Most routers provided by ISP’s include a basic firewall, which again, is better than nothing, but a professionally managed and maintained, dedicated firewall is like the difference between a wall made of wood and one made of steel. Also be aware that most store-bought routers with firewalls typically don’t include the next 2 layers, primarily because they are targeted for consumer use, not business.
- Layer 5: Gateway antivirus/antimalware – though not as common place in the SMB market, firewalls with built-in antivirus can scan and quarantine inbound (and outbound) malware as users behind the firewall come across it in their internet wanderings.
- Layer 6: Gateway Intrusion Detection/Protection services – often found alongside gateway antivirus, IDS/IPS will actively protect your network against focused attacks on your network by looking for well-known attack vectors and patterns and blocking them as they are aimed at your network.
- Layer 7: Email server spam and virus filtering – Even if you don’t have Layers 5 and 6, you should definitely have this layer. Due to the nature of how email is delivered and accessed, its often possible to sneak malware right by the other layers via email attachment, and as many of you have personally experienced, this is the digital equivalent of the Trojan Horse. Catching malware before it even gets anywhere near your network is nigh as important as Layer 1.
Don’t wait for the security weather front to clear – this storm is nowhere near spent. If your environment is properly geared to survive a long, dark winter, your business can look forward to a warm, bright future.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Despite the recent setbacks the Republican-controlled congress suffered in the healthcare reform arena, they managed to pick themselves up off the mat and delivered a solid drubbing in another area of consumer interest: internet privacy. Following a 50-48 Senate vote, the House passed 215-205 a “joint resolution of congressional disapproval” of the rules put in place by the FCC in October of last year to govern how internet service providers would be required to handle the piles of data they collect on your internet usage. Implementation of these rules, set to take effect in December of this year, were intended to make sure ISP’s handled your data with full transparency and clearly visible warnings (no fine text agreements) as well as protecting it via industry standard security. Proponents of the bill contend that the FCC overstepped its authority with rules that would be confusing and costly to enforce, arguing successfully that the FTC would be better suited to protect consumer and business interests in this area.
Why should this be important to me?
It’s important to understand a few things:
- Search engines like Google, Bing and Yahoo have been making money off your search history for years.
- ISP’s have probably been doing the same, but have likely been less forthcoming about it than the above companies.
- Your data, however mundane or irrelevant you believe it to be, is extremely valuable to every industry.
- In most cases, you can opt out of a vendor’s usage of your data, but you have to request it. You are opted in by default with most ISP’s and cellular carriers.
- Very few people in the US have more than two choices in internet service. It is essentially impossible to “switch” to a provider that operates with your best interests in mind.
- There are ways to secure your privacy despite your ISP’s practices, but they are fairly technical, not consumer friendly, and definitely not foolproof.
Have a look at how your senators and representatives voted on this measure. For the record, both California Senators and my House Representative voted “Nay” on this measure, but if your congress-critter’s view on this matter did not match yours, you should probably do something about that. Regardless of where you stand on the privacy issue, you should know that despite the FCC ruling last year, the rules they intended to enact never went into effect, and pending the President’s signature, likely never will, at least via the FCC’s hand as this joint measure also specifically forbids the FCC from attempting something like this again – also unlikely in the near future given the new Chair’s deregulation leanings.
For the moment, nothing has changed. If you are interested in how your ISP treat’s your privacy, you should read their posted privacy policy. You might want to have a big cup of coffee and a lawyer handy though, as the reading is definitely on the heavy side.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
It had all the trappings of a Hollywood blockbuster: a massive data breach, hackers hired by Russian spies, and a secret operation that went on for years undetected. Except for one rather pedestrian and crucial element. According to indictments handed down by the US Federal Bureau of Investigation, the hackers penetrated Yahoo’s security not through some sophisticated cyber-tango of caffeine-fueled hacker artistry. There weren’t any high-tech micro computers covertly implanted into neon-lit server racks following a series of cleverly choreographed hi-jinks. No, the largest single leak of Personally Identifying Information was enabled by a Yahoo employee falling for a spear phishing attack.
Here comes the email security soapbox again!
What’s a spear phishing attack and what makes it different from the rest of the spam you get in your email? Typical spam and phishing emails are sent to as many people as possible in the hopes that a small percentage will click the link or open the attachment, whereas spear phishing is designed to target a very specific audience or even a particular individual. They are typically several levels more sophisticated than the usual garbage clogging our email as the content is custom-tailored to appear believable to the target. While I’m sure many of you are scratching your heads at how a single click on a fake email could lead to the largest breach in history against a storied dot-com darling, keep in mind that in the ongoing plate-spinning war of internet security, the good guys only win if they can keep all the plates spinning, and the bad guys win if even a single plate falls.
There are many lessons to be learned from this incident, but perhaps the most important one of all still remains: all security systems are only as strong as the weakest link, and many times that weakest link is a human. Given enough resources, time and determination, any security system can be hacked, and any company or organization can be breached. What’s a business owner to do in light of a seemingly unstoppable force? Just like preparing for two other famously unavoidable eventualities, planning for security breach will prepare you to react properly and deliberately rather than a mad scramble for recovery. Not sure how to get started? Pick up the phone and let C2 give you a leg up on getting ready.
On February 17, 2017 Southern California was drenched by an epic (according to SoCal standards) storm. As any long-time resident will tell you, even a little bit of rain results in major disruptions in our otherwise sunny and mild climate. Friday’s torrential rain and high winds wreaked apocalyptic levels of chaos, including wide-spread power and internet outages. Because we also live in the land of earthquakes, wildfires and drought, Californians suffer from chronically high levels of disaster-preparedness fatigue, so when the lights went out on that Friday, a lot people were left sitting in the dark, both literally and metaphorically, as to what to do about their technology (or sudden lack thereof).
Yes, I am beating the “be prepared” drum again:
When meeting new clients (oftentimes in the exact situation depicted above), it’s not uncommon for them to have very little “hard” documentation on the technology in use at their organization. By “hard” I mean paper and digital files that outline the very basics of their technology foundation. “But Chris,” you protest, “Now that I have C2 on speed-dial, what more do I need?” As honored and pleased as we are to have your back in a disaster, and as much as it pains me to consider it, we may not always be there when you need us, which is where that technology documentation comes into play.
Every company should have the following recorded in a physical manual that is kept somewhere safe and secure, as well as a digital copy stored off premise in cloud-based storage:
- Contact information for your TECHNOLOGY SUPPORT PROVIDER, including names, phone numbers, email addresses and mailing addresses. Staff photos may help company personnel or proxies identify authorized support providers.
- Contact information for your INTERNET SERVICE PROVIDER, including account number, technical support phone number, type of service (a brief, layman-esque description), a picture of the physical equipment installation, and a description of the install location (basement MPOE, kitchen cabinet, Suite #, etc).
- Contact information for your EMAIL provider if you don’t host it yourself. Provider name, support number and account number (if relevant) as well as a list of all administrator accounts (not the same as office admin), ie. people who are authorized to make changes to the account such as password changes, billing information, etc.
- Contact information for your WEBSITE HOST and DOMAIN REGISTRAR, including login information, accounts with admin rights, and the name of the company providing the services.
- Contact information for your BACKUP PROVIDER, including vendor name, account number/name, login information, and a list of which devices were being backed up.
- A HARDWARE INVENTORY of all technology devices, including servers, workstations, laptops, printers and critical network equipment. Make sure you include serial numbers, make and model, and who the equipment is assigned to if relevant.
- A SOFTWARE INVENTORY of all purchased software, including proof of purchase, activation keys, account email addresses (and passwords) and on which machines the software was installed.
- Contact information for your PREMISE SECURITY PROVIDER, including company name, account number, account rep, and if there is a physical security infrastructure on premise, descriptions of systems, login information and a list of provider and company personnel authorized to access and/or change the listed systems.
- Contact information for your PROPERTY MANAGER. Include contact names, numbers and email addresses, as well as after-hours contact info.
- A brief description of how to access office space after hours (if possible), including who outside of the company may be able to provide “approved” access to office and associated spaces, such as data closets, server rooms and building MPOEs (Minimum Point of Entry).
- A company directory of, at minimum, critical office personnel and their emergency contact information, including cell numbers, home addresses and possibly next of kin contact info as well.
While the above list is by no means complete, even the above contains highly sensitive and confidential information. When storing it physically, the data should be in a locked file cabinet with limited access, and when stored remotely, it should be encrypted and accessible by a very limited set of personnel and designated providers. If you need assistance building this very important collection of information, C2 is ready to gather and compile this information into a document we call the Technology Assets Binder (TAB), which will assist you in keeping “tabs” on all your technology.
Image courtesy of winnond at FreeDigitalPhotos.net
Depending on your current level of cynicism, the news that the CIA exploits technology vulnerabilities to pursue their various agendas will probably come as no surprise. However most everyone should be able to enjoy the irony of their current predicament: actual evidence of this practice comes to us courtesy of a leak of their own documents that lay out their repertoire with eye-opening detail. However, unlike Snowden’s exposure of the NSA which led to worldwide shock and outrage over the brazen invasions of privacy perpetrated by nation-state surveillance programs, the papers published on Wikileaks delve instead into the technical methods and tools the CIA had at their disposal – trade secrets in the most literal sense.
At the time of writing this blog, the news is barely 24 hours old, and the set of documents released on Wikileaks is only part of a larger collection of nearly 9000 files which will require time and resources to verify. Former intelligence officials are saying that the currently published documents are likely legitimate based upon the type and detail of information they contained despite an obvious, “No comment,” verification refusal from the CIA itself. Even more interestingly, the online security community, rather than panicking at the level of exploits documented, seemed to be nodding their heads in collective affirmation, as if to say, “I knew those spooks were hoarding these zero-days for themselves.”
What this means for you:
For the rest of us, this is merely a confirmation of what we suspected (and Hollywood depicted) all along: the CIA, just like any other hacker out there, was using technology weaknesses and flaws to pursue their own interests, often at the expense of someone’s privacy and maybe even their constitutional rights. If you had something to hide that might be worthy of the CIA (or some nation-state’s) interest and you used technology to store or transmit that data, it’s likely they already know about it, as the leaked documents detail programs and technology exploits going back at least four years.
Unfortunately for us, exposure of the CIA secrets is yet another Pandora’s Box of exploits that are now available for anyone, not just morally questionable but somewhat accountable government agencies to use. It also draws even more divisive lines between USA and Russia in the ongoing tangle over alleged Presidential election influence and collusion allegations leveled against the current White House administration. We may have breathed a sigh of relief when 2016 was over, but it looks like it might have been a hastily drawn in light of the dunking we have ahead of us.
Remember when there was nothing more innocent and incorruptible as a child’s teddy bear? For all the potential good the internet can bring, there are some things that should just not get connected, at least until we can secure data properly. The latest black eye for the “Internet of Things” (IoT) comes in the form of a line of stuffed animals that can record and relay messages back and forth between parent and child. While wholesome and lovely in theory, the whole implementation is undermined by poor security and what appears to be a non-trivial amount of carelessness, all the ingredients for a disastrous internet breach. Reports vary, but anywhere from 500k-800k “users” data was exposed to an unknowable number of unauthorized eyes. This data included both identifying information as well as the actual voice messages from both adults and children.
What this means for you:
If you happened to be the (no longer) proud owner of a CloudPet, you have the unenviable responsibility of trying to explain to your child why they can’t use the thing that made this toy special. Hopefully it won’t be traumatizing. While you may be able to enjoy some schadenfreude from the possibility that the company appears well on it’s way to failure, this also means that there will be no recourse or recompense for saddling you with a toy that violated your family’s privacy. Not a CloudPet user? Regardless if you are a parent, relative or even just a friend, think twice before giving a small child an internet-connected toy. Very clearly, we, and the internet, are not ready for such a thing.
Given all the reported breaches Yahoo has reluctantly publicized, not a small number of analysts and pundits were surprised that Verizon was still in discussions to purchase the beleaguered Internet company. Even more surprising was the amount of money being offered for what many see as a dying brand. It seems Yahoo can’t get sold quickly enough, as reports are now rolling in that Verizon’s engineers believe that some Yahoo systems may still be compromised. The cost of selling used and damaged goods? Another $350M off the table, bringing the current deal down to just under $4.5B.
What this means for you:
If you are still maintaining a Yahoo email account or hosting your website with their Small Business services, you should urgently consider migrating to a more reliable and reputable provider. Regardless of whether Verizon is somehow magically able to revive any of Yahoo’s flagging applications, the fact that Yahoo infrastructure might still be compromised after more than a year means your information is at high risk and Yahoo has not invested enough effort in making sure you are safe. If you don’t use any Yahoo services, their plight illustrates two valuable lessons:
- Breaches aren’t necessarily an “in and out” type of event – this isn’t a real-world burglary. If they are breaching your system for the purposes of stealing information, attackers will try to stay undetected for as long as possible, and will spread to as many systems as they can while keeping below the radar.
- A security incident, even if handled properly, can significantly damage the value of your company and brand, and if not handled correctly and diligently from the start, can continue to wreak havoc on your bottom line.
Let’s face it – regardless of the amount of money and time spent, technology is going to break. You could be the world’s foremost technology expert, or the richest business tycoon and it won’t mean one iota in the face of technology failure. For the most part, it will always be unpredictable, and will always happen at the worst possible moment. All we can do is control how we respond to these failures, and in many cases, we can save both money and time by responding thoughtfully and deliberately instead of panicking. It would be impossible to suggest responses for every technology failure scenario, but I can outline the most common ones and the responses that can help you regain control of the situation, or even overcome the failure.
Failure #1: Virus Infection
- Don’t panic. Take out your smartphone and take a picture of the screen, or record a video if it’s making sounds/noises as well.
- Power down the machine. If it’s not responsive, physically remove the power, either by holding down the power button, or by removing the power source via cord or battery.
- Assess the chain of activities leading up to the infection and write them down in as much detail as you can recall. Answer these questions: What were you doing leading up to the infection? How did you know you were infected?
- Notify your designated IT professional OR
- If you are going turn the device back on, make sure you are disconnected from any network. Unplug Ethernet cables, switch off W-Fi, or if you can’t find the Wi-Fi switch, move the device out of range, or turn off the Wi-Fi network.
- Run a full scan with your installed antivirus software. Carefully read all screens and results of the scan.
Failure #2: My internet/network is not working
- Check to see if anyone else on the same network is also offline.
- Just you – wired connection: check for link lights. Most Ethernet-connections on devices have green and amber LEDs that are lit when a connection is active. No LEDs mean no connection. Look for a loose wire, and follow the connection “upstream”. Red or steady flashing amber? Some other network issue, possibly upstream, but also try a reboot.
- Just you – Wi-Fi connection: turn Wi-Fi off and back on. Forget the network and re-add it again. Reboot the Wi-Fi access point (most likely your router). Reboot your computer or device. If you have “Hot-spot” service on your smartphone try using that to verify your computer Wi-Fi is working properly. Alternately, pick up and move to another Wi-Fi source, eg. coffee shop, another office or neighbor.
- Everyone is offline – reboot the router. Reboot the cable/DSL modem if it’s separate from the router. Still nothing – time to call your ISP. Tech support numbers are usually printed on a label on the ISP modem/router, but not necessarily on a router you installed yourself.
Failure #3: My computer won’t turn on
- All types of computers: make sure you aren’t mistaking a malfunctioning (or off!) monitor as a full device failure. Are the power LEDs lit? Do you hear fans or other mechanical noises, such as drives spinning? Watch the monitor carefully when powering on the machine: do you see any output at all, or does the screen stay completely dark?
- Desktops – check the power: check for loose cords. Try plugging the device into a different power outlet. Try a known-good electrical device, eg. desk lamp.
- Laptops – check the power: loose cords? Drained battery? Try unplugging the battery (if removable) with just the AC adapter plugged in. Try the reverse. If you have a spare AC adapter, try that one, or borrow a co-workers AC adapter – make sure you use one that matches the voltage required by your laptop.
- Still nothing? Don’t panic – your data is likely intact on your hard drive, which can be removed and connected to another device to retrieve your information.
- Contact your designated IT professional.
Failure #4: On boot, computer says operating system is missing
- Don’t panic. Try powering down the system and rebooting.
- Remove all attached USB devices. Remove any DVDs or CDs in your optical drive (if you have one). Reboot.
- Still no love? Contact your IT pro or local repair shop.
- Assess your backup situation. Don’t have one? Prepare yourself for possible data loss.
Failure #5: My computer is “pausing” randomly and/or my hard drive is making strange clicking noises
- Save any open work. Close all open applications.
- Assess your backup situation: if you have a backup system in place – confirm the last known good backup and skip to step 5. No backups? Prepare yourself for possible data loss.
- If the computer is only intermittently “pausing” copy any important files to an external USB drive, especially anything that you might need urgently while waiting for a backup restore or repair. This may require patience if the machine seems to pause while accessing certain files or folders. Depending on the damage, even small files may take awhile to copy. Wait as long as you can bear it.
- If you don’t get far with step 3 try turning off the machine for at least an hour. Reboot. Retry step 3.
- Contact your IT pro or local repair shop. Drive failures typically result in data loss, but recovery is possible though usually expensive.











