By Kari Tontarski

“I do this already. I am a good person online and offline.” I’m sure you are, but you’re not perfect. So, before you lay in bed at night wondering if you should have re-worded that tweet, shared that article on vaccines causing antidisestablishmentarianism, or shared details from an Onion article as fact in front of that judgmental coffee pot, let’s have a chat about what you can do now to save yourself later headaches.

We are in the Day and Age of Media!

It’s everywhere. Literally. You can’t look around you without seeing a screen, a logo, or slogan. You can’t listen to anything without an advertisement or a reference to something else. So that leaves the question, how much of what you’re seeing is accurate? Will that furnace & A/C company really bring you peace of mind? Is that brand name the best suited product to your need? Does arrogance bring in a better paycheck? My guess is that you have answers already in your head to these questions, but what if you read, saw, or felt something that made you question the answers you thought you had?

Welcome to media! A literal untapped source of “information”! Yes, that is quoted on purpose. Why? Because the “information” you’re looking at may just be what is conveyed or represented by a particular arrangement or sequence of things, verses facts. In the world of “fake news”, “fake facts”, and click-bait; you’ve got to be careful with what you’re believing. So, we’re going to go over the top 5 things to consider.

Does it Feel Right?

This golden rule applies to a lot of facets of your life. It always will. These things, the matters of the heart, are ones that I want to separate from information. Feelings are not facts. Sorry. Not really sorry. How you feel, may be all too real for you, but it is very likely nonexistent to the stranger next to you. Is what you’re reading pulling at your heart strings? Time to see if there are any facts.

Facts

Details. Figures. Statistics. Hard numbers. Hard science. Subjects that have been repeated, successfully, with the same results, over, and over, and over, and well, over again. If what you’re reading cannot be brought up in a simple Google search, there is a good chance it’s a pile of <insert offensive noun> (sorry, can’t swear here). Not really something you want to say, smear around your social circles; online or offline.

A Critical Eye

Ask the Five W’s. Who. What. Where. Why. When. And an H. How. Never forget the H. How, is the best question. It’s before Why. You can’t always answer Why, but you can almost always find How.

How…

• Did the “information” come to you?

• Did it impact your day?

• Did it impact others?

Why…

• Was this “information” posted?

• Just, why?

• Pretend you’re five, just keep asking why.

Who…

• Did it impact?

• Did it benefit?

• Wrote it?

• Published it?

• Backed it?

What…

• Did it accomplish?

• Did it damage?

• Did it make you feel?

• Did it make you think?

Where…

• Was the “information” posted?

• Is the “information” checked?

When…

• Did the “information” occur?

• Was the “information” released?

• Were you able to verify the “information”?

If you can’t answer all of these, not a big deal. If you can’t answer any of them, that may be a problem. The last question to asks is whether or not the answers have merit.

Context

Depending on how, where, and who is presenting “information”, there is opportunity for it to be manipulated. Don’t believe me? Any popular story from mythology has been told over and over. Does that make the myth anything more than what it is? A Myth? You may feel it does, you may believe it does because it’s been told over, and over, and over again. But that doesn’t make it true. This is how context is born.

Say you see an article about a “mysterious and recently discovered species that has THREE HEADS and can….”, only to click on it to find out it’s a crochet pattern, you’d be mighty disappointed. Now, say the same article has what looks like “information”. Facts. “Dr. Boop PhD in Metaphysical Cellulous Metamorphosis” found a strange “reptile” that is actually warm blooded, can speak Japanese, and only eats carrots. I say at least that Dr better come up in a Google search. Found it all? From what sites? Facebook? The Onion? BuzzFeed? Unless you see something science-related or reputable to those articles, they are less than reputable references.

Comprehension

You’re not dumb if you can’t understand something. Sometimes it’s the topic (your level of interest in the topic), the writer, or even the teacher. If you can’t comprehend what you’re reading, you can try to interpret it. If you do, I suggest you back up your interpretation with facts. It’s not a hit to your ego to not comprehend. You’re not lacking something. You’re not even really missing anything. Don’t get stuck in the information age by assuming all information is meant for you. It’s meant to be there for you, when you want to learn something you’re interested in.

Moving on…

The “Information” Finale

This article is just like the rest of the “information” on the Word Wide Web. Take it, learn from it, verify it, fight it, share it. At the end of the day, we’re all kind of just making it up as we go along. Just try not to be the person who ruins it for everyone else with a bunch of misinformation

By Kari Tontarski

There are a ton of ways that you’ve tried to secure your environment. Whether it is through talking through the many risks of poor security practices, to implementing the latest technologies. Somewhere, somehow, something inevitably gets in. So, we’re going to talk about the proactive maintenance approach you can take to your infrastructure to grow your secure footprint, invest wisely with your budget, and meet your long-term goals.

 #1 Low Budget

Let’s face it, this is your bottom line. If you can show results when given nothing, there is a good chance you will get your foot in the door, so to speak, to an actual budget. So, let’s start with those low-cost tactics to build up your infrastructure security.

The Human Firewall

There is no better protection against cyber threats than a knowledgeable staff that maintains a hygienic approach to their technological use. To do this, the people you work with must be cognizant of basic security procedures. Not the inner workings of technology itself. These basic practices can be found, well, pretty much anywhere on the internet but if you want an easy to access article, here’s mine from earlier this month that is targeted toward end users.

The best way to invest in your human firewall is to establish a consistent line of communication; for example a SharePoint space, or a generic email address that sends notices. You want to institute a single space for acceptable use policies, common inquiries, notifications, education, and collaboration. Utilizing these communications consistently will help staff members stay up to date and prevent missing out on crucial pieces of information.

Follow Up

Test everyone’s skills. Not just Billy-Jean at reception, but Francois the CFO too. No one is exempt from securing themselves, their coworkers, or company data. You can do this with mock phishing emails, social engineering over a phone call, or using team building exercises to encourage collaboration and team work. Exercises can be done across the company, or even per department. The more you practice, the more creative you’ll get.

Not only will your staff be well educated and empowered, they will know they can rely on each other too. “Hey, Steve. Did you get that email from Bob? The one with the .zip file?” or “Wendy. I can’t get to Facebook. Is there something wrong with the internet?” This method keeps a lot of questions off your plate, so you can focus more on securing the technology, while they secure each other.

Research

Because Knowledge is power! Hackers, attackers, cyber criminals are all using their knowledge, so why shouldn’t the rest of us reciprocate? Regardless of an underlying drive towards seeking out information, staying current on cyber security trends is a necessity in today’s world.

Introspection

Start on the inside of your environment. Understand the people, how the departments are run. An element of psychology ties into IT. Understanding people is crucial to the development of a safe and efficient environment for your company to operate in. Knowing the particulars of your organization can really help you identify which tools are beneficial, and which will end up being a hindrance on operational efficiency. This also ties right into your Human Firewall, so there is a good chance you’ll have this understanding by the time you’ve made it this far.

Maintenance

If you don’t have one already, develop a maintenance practice for… Everything. End user computing (desktops, laptops, mobile devices), servers, applications, antivirus, network gear (switches, firewalls, wireless access points, routers), and make sure you have valid backups of your network configurations, software configurations (SMTP relay, connection/use methodologies), servers, data (keep your network shares off the C Drive), and document the way your hardware is configured (RAID, JBOD, iLO). If you can implement asset management and maintain it without losing your mind, you are better than the rest of us. If you can’t, dream alongside the rest of us.

Audits

Regularly audit permissions to data (mailboxes, distribution groups, network drives, software) and your group policies. Ever implement a GPO to roll out a new configuration and forget to clean up afterwards? Yep. Regular audits will help with that. The better your maintain these configurations and settings, the faster and better your environment will behave and you’ll have improved your understanding of it.

Monitoring

It’s a common misconception that a third-party tool or some fancy technology is required to monitor your environment. It’s not required, although it does make the job easier. However, if you’re on a strict budget it is beneficial to utilize the verbose logging capabilities that your operating systems already provide. Most networking equipment comes with some type of logging or reporting capabilities. As long as you are regularly looking at usage and patterns there is a good chance you’re going to pick up something that is out of place. A good example is kicking off rogue APs from your LAN controller. You don’t need fancy monitoring equipment, just the knowledge of your MAC addresses. 

Last Note: ITIL. Read it and use it.

Planning

This is where things get complex, time-consuming, and e x p e n s i v e. If you have made it this far… You are freaking awesome!! I suggest you take a vacation before you proceed on the following steps.

• Step one: Set a target, or targets

Before you begin to really plan out what you want to buy, or if you want a specific tool for your ‘Adminly duties’, I suggest you take a moment to think about what you’re looking to accomplish. This target should not include hardware upgrades for devices that are end-of-life; if you have devices that have reached their life-time, then replace them. Do not purchase something you can grow into, because you haven’t decided your growth pattern. If you choose the hardware too early in your planning, testing, and deploying you’re going to experience a lot of headache and heartache.

•  Step two: Identify compliance requirements

If you’re a company or service provider that deals with Personally Identifiable Information (medical, financial, etc) you are subject to industry regulation and government compliance. If you operate outside of your native country, you are subject to the regulation and compliance requirements for that country, and if you operate globally, you are subject to GDPR as well. Knowing these requirements will dictate what solutions you can implement and may minimize a lot of your previous considerations.

• Step three: Identify risks

This is where it gets sticky, like dust sticky, so you may as well clean it up before you build on it. There is often a disconnect between the opinions of acceptable risk. Identifying the gaps between what you have identified and what upper management is willing to risk must be determined, and if possible, bridged. That bridge can have a massive impact on your target(s).

• Step four: Compilation of Data

Blarg. The most tedious and time-consuming part, because this part also includes your business plan. Your proposition, so to speak. No one in their right mind likes doing this, but it is a necessary evil of business. Kind of like this blog, or blogs in general.

• Step five: Benefit Analysis

You’ll have a comprehensive structure of your current position, where you need to be, and where you want to be. Next, divide these into three types of management processes; Risk, integration, and external participation. Once each of these areas is identified- in great detail, I may suggest, you may move forward to utilizing the ITIL Tiering methodology and breaking the risks apart.

1. Partial: inconsistent and reactive

2. Informed: consistent and aware

3. Repeatable: standard and consistent in policy

4. Adaptive: proactive or predictive threat detection

Try to align these tiers, and any other tiers you determine to correlate to what is starting to look like a plan of action. Don’t be fooled though, we’re just getting started.

• Step six: Assessment

This is the fun part. This is where you get to stretch your legs and poke all the things you’ve been wanting to poke for however long it’s taken you to get here. Yes, it will feel good. Then it will feel terrifying. From here you can decide to be defeated or strengthened by the knowledge you’ve claimed by your poking and kicking. I suggest the following areas.

1.  Outdated software, hardware, operating systems, and services because you will need to start here. Eat the sour candy.

2. Create a testing environment. This is crucial for development of your environment. This is where you can validate antivirus and antimalware tools. This is where you can validate the functionality of your software for users. Next you can validate the flow of network traffic and the efficiency of a firewall.

3. Penetration test your network. See what is opening and listening. See if you can hide information in your legitimate packet traffic.

4. Run a vulnerability scan.

5. Test behaviors of all employees. This includes the executives and even board members if they have access to the company data.

6. Check how, where, and who can access company data.

Once you have all this information, rate it, identify the impact, and present it with a score. If you have a subscription to Office 365, check out their Secure Score feature. You can use that as part of this assessment too.

• Step seven: Action on gaps

With all the information at hand, you’ll see gaps. Some small, some big, some terrifyingly deep and black crevasses with disturbing and unknown creatures of the underworld. Whatever it is, you’re well equipped to handle them, and you can address them methodically, logically, and with some seriously awesome tools.

• Step eight: Implementation

Not the end, but the beginning of more learning and oh, please, so much documentation. These documents create training materials, processes, and wider implementation. This is right where the Proof-of-Concept part comes in. If you document your POC well, you’re going to be able to phase your implementations out smoothly and effectively. Seriously, you’ll thank yourself later for writing this $*** down.