Cyber security survival tips: For all you Administrators out there

By Kari Tontarski

There are a ton of ways that you’ve tried to secure your environment, whether by talking through the many risks of poor security practices or by implementing the latest technologies. Somewhere, somehow, something inevitably gets in. So, we’re going to talk about the proactive maintenance approach you can take to your infrastructure to grow your secure footprint, invest wisely with your budget, and meet your long-term goals.

#1 Low Budget

Let’s face it, this is your bottom line. If you can show results when given nothing, there is a good chance you will get your foot in the door, so to speak, to an actual budget. So, let’s start with those low-cost tactics to build up your infrastructure security.

The Human Firewall

There is no better protection against cyber threats than a knowledgeable staff that maintains a hygienic approach to their technological use. To do this, the people you work with must be cognizant of basic security procedures, not the inner workings of the technology itself. These basic practices can be found, well, pretty much anywhere on the internet, but if you want an easy-to-access article, here’s mine from earlier this month that is targeted toward end users.

The best way to invest in your human firewall is to establish a consistent line of communication; for example a SharePoint space, or a generic email address that sends notices. You want to institute a single space for acceptable use policies, common inquiries, notifications, education, and collaboration. Utilizing these communications consistently will help staff members stay up to date and prevent missing out on crucial pieces of information.

Follow Up

Test everyone’s skills. Not just Billy-Jean at reception, but Francois the CFO too. No one is exempt from securing themselves, their coworkers, or company data. You can do this with mock phishing emails, social engineering over a phone call, or using team building exercises to encourage collaboration and teamwork. Exercises can be done across the company, or even per department. The more you practice, the more creative you’ll get.

Not only will your staff be well educated and empowered, they will know they can rely on each other too. “Hey, Steve. Did you get that email from Bob? The one with the .zip file?” or “Wendy. I can’t get to Facebook. Is there something wrong with the internet?” This method keeps a lot of questions off your plate, so you can focus more on securing the technology, while they secure each other.

Research

Because knowledge is power! Hackers, attackers, and cyber criminals are all using their knowledge, so why shouldn’t the rest of us reciprocate? Regardless of an underlying drive towards seeking out information, staying current on cyber security trends is a necessity in today’s world.

Introspection

Start on the inside of your environment. Understand the people and how the departments are run. An element of psychology ties into IT. Understanding people is crucial to the development of a safe and efficient environment for your company to operate in. Knowing the particulars of your organization can really help you identify which tools are beneficial, and which will end up being a hindrance to operational efficiency. This also ties right into your Human Firewall, so there is a good chance you’ll have this understanding by the time you’ve made it this far.

Maintenance

If you don’t have one already, develop a maintenance practice for… Everything. End user computing (desktops, laptops, mobile devices), servers, applications, antivirus, network gear (switches, firewalls, wireless access points, routers), and make sure you have valid backups of your network configurations, software configurations (SMTP relay, connection/use methodologies), servers, data (keep your network shares off the C Drive), and document the way your hardware is configured (RAID, JBOD, iLO). If you can implement asset management and maintain it without losing your mind, you are better than the rest of us. If you can’t, dream alongside the rest of us.

Audits

Regularly audit permissions to data (mailboxes, distribution groups, network drives, software) and your group policies. Ever implement a GPO to roll out a new configuration and forget to clean up afterwards? Yep. Regular audits will help with that. The better you maintain these configurations and settings, the faster and better your environment will behave, and you’ll have improved your understanding of it.

Monitoring

It’s a common misconception that a third-party tool or some fancy technology is required to monitor your environment. It’s not required, although it does make the job easier. However, if you’re on a strict budget it is beneficial to utilize the verbose logging capabilities that your operating systems already provide. Most networking equipment comes with some type of logging or reporting capabilities. As long as you are regularly looking at usage and patterns there is a good chance you’re going to pick up something that is out of place. A good example is kicking off rogue APs from your LAN controller. You don’t need fancy monitoring equipment, just the knowledge of your MAC addresses. 
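The MAC comparison described above, as an added example that is not part of the original article: a Python sketch that normalizes MAC addresses written in mixed vendor notations and lists every observed access point that is missing from your inventory. The inventory, the observed rows, and the function names are constructed for illustration; in practice you would load them from your asset list and from your controller or switch export.

```python
import re

# Constructed inventory of access points you own (mixed notations on purpose).
KNOWN_APS = ["00:11:22:AA:BB:01", "0011.22aa.bb02", "00-11-22-AA-BB-03"]

# Constructed rows as they might appear in a controller or switch export:
# (MAC address, SSID being broadcast, switch port). All values are made up.
OBSERVED = [
    ("00:11:22:aa:bb:01", "CorpWiFi", "Gi1/0/1"),
    ("0011.22AA.BB02", "CorpWiFi", "Gi1/0/2"),
    ("00:11:22:AA:BB:7F", "CorpWiFi", "Gi1/0/9"),
    ("DE:AD:BE:EF:00:01", "CorpWiFi", "Gi1/0/14"),
    ("not-a-mac", "Guest", "Gi1/0/20"),
]

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)

def find_rogues(known, observed):
    """Compare observed APs with the inventory.

    Returns (rogues, unparsed): rogues describe every observed MAC that is
    missing from the inventory; unparsed rows are kept for manual review
    instead of being silently dropped.
    """
    inventory = {normalize_mac(m) for m in known} - {None}
    known_ouis = {m[:6] for m in inventory}
    rogues, unparsed = [], []
    for raw, ssid, port in observed:
        mac = normalize_mac(raw)
        if mac is None:
            unparsed.append((raw, ssid, port))
            continue
        if mac in inventory:
            continue
        rogues.append({
            "mac": mac, "ssid": ssid, "port": port,
            # Same vendor prefix as your gear: possibly an AP of your own
            # that was never documented.
            "same_oui_as_inventory": mac[:6] in known_ouis,
            # Software-assigned rather than vendor-burned address.
            "locally_administered": is_locally_administered(mac),
        })
    return rogues, unparsed

if __name__ == "__main__":
    rogues, unparsed = find_rogues(KNOWN_APS, OBSERVED)
    for r in rogues:
        print(r)
    print("needs manual review:", unparsed)
```

The two flags help with triage: a hit that shares a vendor prefix with your inventory is often a documentation gap, while the switch port tells you where to go and look.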

Last Note: ITIL. Read it and use it.

Planning

This is where things get complex, time-consuming, and e x p e n s i v e. If you have made it this far… You are freaking awesome!! I suggest you take a vacation before you proceed on the following steps.

  • Step one: Set a target, or targets

Before you begin to really plan out what you want to buy, or if you want a specific tool for your ‘Adminly duties’, I suggest you take a moment to think about what you’re looking to accomplish. This target should not include hardware upgrades for devices that are end-of-life; if you have devices that have reached the end of their lifetime, then replace them. Do not purchase something you can grow into, because you haven’t decided your growth pattern. If you choose the hardware too early in your planning, testing, and deploying, you’re going to experience a lot of headache and heartache.

  • Step two: Identify compliance requirements

If you’re a company or service provider that deals with Personally Identifiable Information (medical, financial, etc.), you are subject to industry regulation and government compliance. If you operate outside of your native country, you are subject to the regulation and compliance requirements for that country, and if you operate globally, you are subject to GDPR as well. Knowing these requirements will dictate what solutions you can implement and may minimize a lot of your previous considerations.

  • Step three: Identify risks

This is where it gets sticky, like dust sticky, so you may as well clean it up before you build on it. There is often a disconnect between opinions of acceptable risk. The gaps between what you have identified and what upper management is willing to risk must be determined and, if possible, bridged. That bridge can have a massive impact on your target(s).

  • Step four: Compilation of Data

Blarg. The most tedious and time-consuming part, because this part also includes your business plan. Your proposition, so to speak. No one in their right mind likes doing this, but it is a necessary evil of business. Kind of like this blog, or blogs in general.

  • Step five: Benefit Analysis

You’ll have a comprehensive structure of your current position, where you need to be, and where you want to be. Next, divide these into three types of management processes: risk, integration, and external participation. Once each of these areas is identified (in great detail, I may suggest), you may move forward to utilizing the ITIL Tiering methodology and breaking the risks apart.

  1. Partial: inconsistent and reactive

  2. Informed: consistent and aware

  3. Repeatable: standard and consistent in policy

  4. Adaptive: proactive or predictive threat detection

Try to align these tiers, and any other tiers you determine, with what is starting to look like a plan of action. Don’t be fooled though, we’re just getting started.

  • Step six: Assessment

This is the fun part. This is where you get to stretch your legs and poke all the things you’ve been wanting to poke for however long it’s taken you to get here. Yes, it will feel good. Then it will feel terrifying. From here you can decide to be defeated or strengthened by the knowledge you’ve claimed by your poking and kicking. I suggest the following areas.

  1. Outdated software, hardware, operating systems, and services because you will need to start here. Eat the sour candy.

  2. Create a testing environment. This is crucial for development of your environment. This is where you can validate antivirus and antimalware tools. This is where you can validate the functionality of your software for users. Next you can validate the flow of network traffic and the efficiency of a firewall.

  3. Penetration test your network. See what is opening and listening. See if you can hide information in your legitimate packet traffic.

  4. Run a vulnerability scan.

  5. Test behaviors of all employees. This includes the executives and even board members if they have access to the company data.

  6. Check how, where, and who can access company data.

Once you have all this information, rate it, identify the impact, and present it with a score. If you have a subscription to Office 365, check out their Secure Score feature. You can use that as part of this assessment too.

  • Step seven: Action on gaps

With all the information at hand, you’ll see gaps. Some small, some big, some terrifyingly deep and black crevasses with disturbing and unknown creatures of the underworld. Whatever it is, you’re well equipped to handle them, and you can address them methodically, logically, and with some seriously awesome tools.

  • Step eight: Implementation

Not the end, but the beginning of more learning and oh, please, so much documentation. These documents create training materials, processes, and wider implementation. This is right where the Proof-of-Concept part comes in. If you document your POC well, you’re going to be able to phase your implementations out smoothly and effectively. Seriously, you’ll thank yourself later for writing this $*** down.

Buy secure: What to look for when researching your tech purchases

By Kari Tontarski

I bet you can think of at least a dozen reasons a reputable source is better than a disreputable source, because this is what immediately pops into my head:

  • Lack of support, process, knowledge and industry experience

  • Integration

  • Vulnerable

  • A gamble

  • Motivations

  • Anonymous

You may just default to the well-known brands: Cisco, Microsoft, Hewlett-Packard. And we can’t fault you for that because they do have the ability to refute concerns when making a purchase. But not everyone can afford them; I know I can’t afford a Cisco at home. So, let’s talk about how you can determine reputable sources.

The top qualities to look for during research (and why)

To appropriately assess the source of the information you’re reading, you must consider a few things about what the information contains, like when, where, and by whom it was published.

  • Time

Look for when the post was made to determine if the information you are about to read, or have already started reading, is worth your time. If the page or website hasn’t been updated in 5 years, there is a good chance the point of reading the article is nullified.

I’ve read articles that were so old that the company didn’t exist anymore. Granted, I was looking after a very old environment so it wasn’t a waste of my time, but it really could have been if I were troubleshooting the same issue on a supportable environment or looking to improve my technological footprint.

Reading outdated information will skew your view and knowledge of the topic you are researching. You may want to know more about Server 2016 and its interchangeability with your current applications and environment, but if you’re getting results from 2011, you’re not going to get the information you need.

  • Accuracy

Barring simple grammatical mistakes (a comma instead of a semicolon) or differentiation of spelling (i.e. American color to Canadian colour) you may want to dismiss information that contains spelling, grammatical and obvious proofreading errors. Consider validating the accuracy of information provided in a post that appears unpolished or unprofessional by doing more research. Typically, you can trust a common consensus.

If there are hyperlinked articles to back up the article, author, or product, try searching for the information on your own before clicking on any hyperlinks.

If you’re reading an article that is blatantly incorrect, for example, an article that says AdBlock isn’t available for Edge, then there is a good chance the article is outdated, misinformed, or uninformed. Whatever the situation, you probably shouldn’t keep reading.

  • Concentration

Keeping a keen eye on the depth and breadth of what you are reading is a clear indicator of whether you should keep reading it. If what you’re reading is going from one topic to another, trying to maintain a certain point, it’s likely going to create confusion and miss key points of your discovery process.

By sticking to an article that doesn’t have a focus on what you’re researching, you’re risking your time for misinformation. You may learn things you never knew, but what is the chance you’re sticking that information in your reference vault and never verifying the actual information? I know I’m guilty of the reaction, “Oh, neat. I’ll keep that in mind.” But when the situation presents itself, that “neat” piece of information is not only incorrect but can lead you seriously astray.

  • Exception

Technologies do relate to one another, so if the author is offering links to other articles based on a quick notation or comparison, you can look further into that topic if it relates to your technological assessment. If the author does this repeatedly, it can be very distracting, and you can likely find a better written article elsewhere.

  • Author

An informative piece on the internet is almost always posted with an author, and if it isn’t, you’ll want to consider the information with a little “salt” because it’s come from either an anonymous source or a commercial source. Either way, the underlying intention of the information being provided to you isn’t as forthcoming as they would like you to believe.

The more credible the author, the less “salt” you’ll need to add to the information being provided. So, the easier it is to find this author’s website, LinkedIn, or biography on their employer’s website, the more credible they can appear. But make sure you’re reading through these pages. Is the author qualified to make the statements in the information piece posted? Can you easily identify where the qualifications came from? Is the author available for inquiries?

The less credible the author, the less you want to consider reading. If the informative piece you’re reading seems to contain a bias, ask why. Are they a competitor or a provider? Is their opinion based on experience or hearsay? Bias and opinion can compromise any information, rendering it ineffective and untrustworthy, as not all opinions are informed.

If Andy Anonymous says Cisco is bad for <blank> use and with <blank> as an explanation, there is a good chance that Andy has ulterior motives. If a blog says, “here are my vetted notes on every printer problem I’ve ever come across in my five years of service desk support”, there is a chance that this person wants to prevent some suffering in the world. If a company releases a new product, but never posts the issues they have encountered and overcome, don’t buy it because they either aren’t being honest with you, or won’t support you when you need help.

Staying Secure

Keeping current, accurate, objective, and authoritative information at hand will ensure you have reliable, reputable, and effective tools to assess the solutions you need and want for your organization.

The last tip I can impart is to ask. Ask a Managed Services Provider, a friend, a colleague, and a forum (if you’re desperate). Remember that you have a community, so if you’re not finding the results you need to make an informed decision, reach out.

Dude, where's my file? How a Digital Workplace can un-trap critical knowledge.

How advanced is your file strategy?

For many organizations, document collaboration still means creating a file, storing it on a local hard drive, emailing it back and forth to make changes, and trying to keep track of the latest version. This is hard enough when only two people are collaborating. Get three or more people in the mix, and it’s nearly impossible to keep up as emails go back and forth and every person puts in their two cents. Others have found that corporate file repositories, FTP servers, and shared network drives help to some degree. Rather than emailing files back and forth, everyone can access a document in the same storage location. But that doesn’t mean everyone can access it or make changes at the same time. This results in multiple versions of the same document, with everyone’s initials appended to the filename, and changes that need to be merged into a final version.

Organizations that have embraced cloud-based productivity platforms have fundamentally overhauled their approach to collaboration and file storage. Thanks to solutions like Office 365, it’s easier and faster than ever to work with collaborators inside and outside an organization. Because now, everyone can work on the same file – at the same time.

Where Office 365 shines.

According to Gartner, Inc., a research and advisory firm, a 2015 Gartner online survey of more than 2,000 respondents about the state of the digital workforce indicated that 70% of digital workers use cloud file storage and sharing tools for their work activities. A fourth of all respondents characterized by a stronger digital dexterity tend to have sentiments, behaviors and preferences that are clearly oriented toward personal, unsanctioned technology tools, including cloud storage and sharing services for productivity (which means IT isn’t involved, and may not even know). Increasingly, employees are tapping into cloud storage solutions from anywhere they choose, to boost productivity and make work easier. But not all of this is happening outside IT’s control. Factor in the wide, enterprise-approved uptake of Microsoft Office 365 for productivity and collaboration, and it’s easy to understand why collaborative platforms have become business-critical.

Collaborating using Office Online

Using Office Online for true co-authoring of a file will result in the following productivity gains, on top of those with using Office 365 Document Libraries: almost no turnover time!
True co-authoring can occur, because all reviewers can work in the same file at the same time – in the browser, or in their Office application – resulting in almost no turnover time. It’s like sitting in the same room all writing on the whiteboard at the same time. There is no waiting on each other’s work, and on top of that the reviewers can communicate about their work using Skype Chat, or comments.

Collaboration is like making music together

Compare collaborating on a file in a sequential way – as with Email attachments – with collaborating on a file simultaneously – as with Office Online – with the following analogy:
Musicians who each play an instrument in a song record their parts separately and sequentially in a studio, and finally it is all merged into a song. But suppose they would all play their instruments together. I mean, not as a band live show, but REALLY together.

Co-authoring impact

Co-authoring is a creative process and has impact on both the quantity and the quality of the contributions. If you want to calculate the value of co-authoring, you could look at gain in time (cost reduction), and the gain in result (quantity and quality of the content).

Working together has a positive impact on the co-creation. Through social interaction, colleagues learn and build on each other’s knowledge. Pleasant cooperation results in a state of pleasure. People will always pursue this feeling, so they will continue to do this, resulting in an increase in the quantity of co-authored content. Because these colleagues visit each other again and again, give each other feedback, vote, and appreciate, the quality of the content is also increasing. Through the aggregation of information by groups working in co-creation, the results (decisions, proposals, contracts won) are much better than one could achieve as a single individual, something known as the ‘wisdom of the crowds’.