5 key things you should know about computer security

March 6, 2013

Computer security does not come easily.  It requires awareness of the ways in which computers and data are compromised.  To guard against loss, there are 5 key things you should know.

1.   Anti-virus programs are essential, but they’re not enough.

Anti-virus programs will not keep you safe from all attacks.   They are good for blocking older, known viruses, but they’re only as good for that if you keep them up to date.  Since there are always new viruses out there, the time between the virus discovery and an updated version of the virus library is a vulnerable period.

To maximize the effectiveness of your anti-virus program, update it every day.

2.   Vulnerability to malware is PRIMARILY a human-knowledge problem

Many scams are perpetrated by email “phishing” attacks.  These attacks work because the emails look to be legitimate, such as from your bank or a known vendor, complete with logo.

Even worse, it isn’t too hard for attackers to learn about your company by researching public information, and then targeting specific individuals in your company with “spear-phishing” emails.  These emails sound even more convincing because the person’s role is known and maybe even the person’s boss’ name.

There is no substitute for caution: Never click on a link in an email without first examining the detail of where it is going to take you.  You can do this in most browsers by hovering the cursor over the link.  When in doubt, don’t click!

3.   Passwords are often inadequate

When we log in to online services, we depend on passwords to identify and protect ourselves.  But we don’t want to bother with passwords that are long and un-memorable, so our logins are vulnerable to guessing.  In addition, we often use the same password over and over, so once one service is compromised, others can soon follow.

To protect yourself, use a password-generating program to make passwords long and un-guessable.  You can buy a program (such as “1Password”) and use it to keep a secure list of passwords on your computer.  Then you don’t need to remember your passwords and in addition you’ll have a central repository for all of them.  And you won’t use the same one over and over.

4.   Data loss is often caused by human action

There are lots of ways to lose data, and only some of them are caused by hardware failures.  For example, you may mistakenly delete a file, or you may modify data in a file without having a backup.  Also, you may delete your backup files.  Pay attention to what you’re doing when you’re moving or deleting files.  Make extra backups before doing a lot of file operations.

Then of course, you may not have any backups at all, because you haven’t set up an automatic process.  This is unwise.  Always set up an automatic mechanism that will back up your files.

5. Nothing can stop an insider who wants to cause damage

Pay attention to disgruntled employees & visitors.  Be aware of which computers are accessible to anyone who comes to your desk (or other desks).  Set up automatic “log-out” mechanisms, so that if you leave your computer, it will require a password to log back in.  And, of course, know who your visitors are.

Security depends a lot on what you know, what you do, and your willingness to invest the time and money to have the right tools.  Don’t blame insecurity on the malware.  Fix the tools and procedures in your own shop.

 

John will be on a panel Startup Candy: How to Be the Startup Everyone Wants to Work For on March 27 at 6:00 PM in San Francisco.  For a free ticket, visit Founders Space and enter “Levy” as your promotional code.  See you there!

The fastest way to kill your startup is with B players.  How can you attract–and hold onto–hot talent? Get ideas, real-life stories and advice on increasing your odds of funding, innovation, and success when you add smart, creative people to your team.  Our panel will discuss:

  • Why your team matters to investors
  • How to create a killer team
  • How to showcase your team to investors, partners and customers
  • How to identify and reach out to talented individuals
  • How to keep your team engaged
  • How to keep your talent from jumping ship for better opportunities
  • How to position your company as a hot career opportunity

Presenters: Josh Breinlinger of Sigma West Venture Capital; Max Shapiro of PeopleConnect; and John Levy of John Levy Consulting.

Filed Under: Agile Management, Painless IT Tagged With: , , , , , , , , , ,

Avoiding mishaps with Data in the Cloud

November 28, 2012

What might happen to your data while it is in the cloud?  In the last article, we discussed why you might want to have software and data in the cloud.  In this article, I list 9 things you can do to keep your data safe

What can happen to my data when it is in the cloud?

Most of these things can also happen to your data while it is on your desk or in your own data center.  It’s not necessarily the fault of the cloud that mishaps occur.  The focus of the following is choosing the best countermeasures to cloud-based data mishaps.

Here is a list of things that could happen to your data while it is in the cloud:

Mishap #1: My data is temporarily inaccessible

When your data is in the cloud, you may not be able to access it.  This can also happen when your data is in your own data center.  The reasons for inaccessibility can be any of these:

  1. Scheduled maintenance (downtime) — The system is offline for maintenance that was planned & scheduled.
  2. Unscheduled maintenance (outage recovery time) — The system is offline while recovery is performed for an unscheduled outage.
  3. Administrator error (system offline) — The system is offline because an administrator of the system made a mistake.  The specific causes range from configuration errors to improper responses to simple failures that would normally be recovered quickly.
  4. Failure of a storage system (but there is a backup copy) — Your data is temporarily inaccessible while the system switches over to the backup copy.
  5. Loss of internet access — You can’t get to your data because you have no access to the Internet.
  6. Overload on a cloud server.  Causes of this (overload) mishap can be any of the following: (a) Inadequate resource planning at cloud vendor; (b) The storage servers ran out of capacity (for storage or for accesses) due to inadequate planning for growth; (c) Denial of service attack (general) — A malicious person or entity has created excess demand for service from the servers your data is stored on.  The attack is aimed at the service provider or one of the provider’s other customers, without regard for the fact that you and your business are affected; (d) Denial of service attack (specific to me and my data) — A malicious person or entity created excess demand for service from servers your data is stored on, and the purpose is specifically aimed at disabling your business.

Mishap #2: My data is lost forever

  1. There was a failure in a storage system and the data was not backed up.
  2. There were multiple failures, and both the primary copy and the backup copy are gone.  This very unlikely, except when there was an administrator error after a storage system failure.

Mishap #3: Accessed by unauthorized person

  1. Accidental access from within the cloud vendor’s domain. — Someone in the cloud vendor’s data center accessed the data by accident.  Typically, this does not result in any loss, but the event should be reported so that it can be avoided in the future.
  2. Malicious attack — Someone outside of your company and your cloud vendor accessed your data, usually with the intention of misusing it.  This is a serious breach that may have to be reported to state or federal authorities.

Mishap #4: Data was corrupted by storing the wrong information

This can be caused by human error or by software error.  Human error may be as simple as someone entering the wrong data into a form, or by someone misunderstanding the meaning of some data.  It can also be caused by software error, either by some sort of error termination, or by a database transaction that fails to complete and leaves the data in an inconsistent internal state.

Things to do to prevent or minimize losses

Here are 9 things you can do to help your organization keep your data safe.

Understand how data is stored in virtual environments

Be sure your IT people know what sort of storage is provided in the virtual machines and cloud-based storage that your organization is using.

Plan for failures

Follow the rule that everything that can fail will fail.  Use regular disaster drills, including actually taking live data offline to see how the systems and people react.

Know your SLAs

Understand the implications of your service-level agreements in your cloud vendor’s contract.  Make sure that you are not putting critical data in a storage system that has only “normal” uptime commitments, such as you might get with a single disk drive.

And read the fine print of your contract.  Is an “outage” defined as more than 10 minutes of unavailability?  Can your business stand to have multiple outages that are 9 minutes long?

Know where your data is

Be aware of your cloud data storage vendor’s locations, levels of redundancy, and what the backup and recovery procedures are.

Also, since data is often corrupted by human error, it’s not enough simply to have backup copies – they will all be wrong if someone has entered the wrong information.  You also need checkpoints where the whole consistent set of data was backed up and can be retrieved after something has gone wrong.

Data recovery service

Since many cloud and virtual storage vendors don’t include recovery from software or human-caused data corruption, add a data recovery service provider in your contingency plans.

Arrange for education & education

Ask your cloud storage vendor to train or educate your staff on how to recover from a data disaster or handle data recovery in the cloud.

Prepare for vendor switching

Make sure that you have a plan for moving your data from one cloud vendor to another.  This includes knowing what it takes to download your data from the current vendor (or your backups) and then to upload it to a different vendor.  Anything less than this will leave you locked in to the current vendor and vulnerable to their shortcomings.

Implement stringent system access controls

While you want everyone who needs it to have access to data, you should restrict access to the data center systems, software and applications to the few people who need to manage those systems.

Don’t underestimate the cost of cleanup

After you suffer a security breach in your data, you have a lot of things to do to clean up and re-secure your data.  There may also be reporting to be done.  A recent survey found the cost of this kind of cleanup to be over $200 per data record.  Take this into account when you are justifying training and/or other security measures for your data storage.

Don’t let all of these potential disasters keep you from storing data in the cloud.  You can count on cloud vendors to be highly motivated to keep your data safe, and often they will spend much more on security than you would in your own data center.  But arm yourself with information, so you know what could happen and what to do about it when it does.

Filed Under: Painless IT Tagged With: , , , , , , , , ,

My data in the cloud?

November 12, 2012

What’s the Cloud?

“The Cloud” refers to computers, storage and software connected to the Internet and accessible via the World Wide Web.  The first question you may have about the cloud is whether your data is safe there.

To answer that question, let’s have a look at how access to data has changed over the past couple of decades.  When the Internet and the World Wide Web (the Web) first became widely available in the 1990s, we were accustomed to the Desktop model:

I’m sitting at a desk with the computer, the software, and the data storage on disk all within reach.  If I have Internet access, it’s probably a wired connection over Ethernet to a cable or DSL modem; I can interact with servers on the Web using my browser, and some of these servers may keep some data that I put into them.

By the mid-2000s, most of us were using the Laptop model:

My laptop computer is with me wherever I am, and the software and storage are inside the laptop.  Storage may be on a disk or a solid-state disk (SSD).  I’m connected to servers on the Web using a wireless (WiFi) connection or a wired (Ethernet) connection.

These days, many people are using the Smartphone model:

The smartphone is in my pocket when I’m not using it.  When I use it, software is running both in the phone (an App) and in the cloud (on a server somewhere).  My data is in the cloud (on a server somewhere).  I’m connected to the Web using a wireless connection (WiFi or the cellphone network).

Software in the cloud

Why would we put software in the cloud?  There are several reasons for this trend.  The main advantages are:

I can rent the software rather than buying it.  This could save me money in the short run.

I don’t have to keep the software up to date – the vendor I rent from does that for me.

I don’t have to configure the software in my computer.

When I want someone else in my company to have access to the same data and use the same software, it’s easy to do – I just add them to the list of users of the software service (and pay the rent for them).

The disadvantages of software in the cloud are:

If I lose my Web connection, I can’t use the software or access my data.

I can’t customize the software very much – I have to use the same features that are available to everyone.

Data in the cloud

Why should I put my data in the cloud?  There are some advantages:

There’s no limit on how much data I can store in the cloud, and the cost of renting space for it is relatively low (if I shop around). I don’t have to buy a new disk to store more data.

The storage vendor does automatic backup of my data (and replication – that is, storing a copy at another site, if I want them to).

The storage vendor typically uses privacy and security measures that I couldn’t afford on my own.

The disadvantages of data in the cloud are:

If I lose my Web connection, I can’t get to my data.

At the beginning of using cloud storage, I have to upload all of my data.

There is always the possibility that someone will break into my data (a data breach).  But then, isn’t that possible even when the data is in my computer?

The storage vendor could go out of business or fail to protect my data. That’s why I should be sure that the vendor is reliable, reputable and stable.

I should probably keep a copy of my data somewhere else as well.  But I had offsite backup copies before, didn’t I?

If my data is in the cloud, do I still own it?

If you’re concerned about ownership of your data, make sure you have a contract with the storage vendor that specifies not only who owns the data, but also how how easily you can copy your data and move it somewhere else.

Check the regulations in your state and your country with regard to data.  When you have customer’s personal information as part of your data, you have legal obligations.  You may be obligated to keep the data in the country, for example.  You also need to have a policy for dealing with data security.  If you do suffer a data breach, you may be obligated to report it.

For example, “California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))”  (from the Attorney General of California website at http://oag.ca.gov/ecrime/databreach/reporting)

There are other resources that may be useful to you if you’re concerned about malware (software that invades your systems or your data with malicious intent) and cybercrime.  Visit some of these websites:

http://www.rsa.com/rsalabs/

http://www.cylab.cmu.edu/

http://www.us-cert.gov/

I hope this answers some of your questions about data and the cloud.  If you have other questions, please add your comments to the blog.

Filed Under: Agile Management, Painless IT Tagged With: , , , , , , , , , , , , ,

What do I need to know about mobile devices and social networks?

October 10, 2012

Mobile devices and social networks are the fastest-growing trends in today’s world of IT.  Even though most of us have a smart phone and may have a Facebook account, we may not have perspective on what’s happening inside the device & the network.  Here is a review of key things to know about mobile & social, and a list of security issues to think about.

Mobile devices

Smartphones are still telephones, they allow you to communicate by voice with people on other phones using the cellular telephone network.  The cell network covers most of the world, but not everywhere.  There will be places where you get “no signal.”

In addition, a smartphone is a complete personal computer, with all the complexity that this implies.  There is an operating system, a network data interface, and all of the application software (apps) that you have decided to run on the smartphone.

Your voice and your data may or may not be carried over the same network.  For example, when your smartphone is near a WiFi base station that it can connect to, your data will be sent and received using that WiFi path rather than the cell network.

Your basic phone subscription fee doesn’t include data transmission, so you’re paying extra to get data service for your phone.  And unless you’re very lucky, you don’t have unlimited data access.  If your data usage goes over a limit, you will pay extra.

The designers who made your smartphone have worked hard to overcome the constraints of the phone, compared with a PC:  the small size of the screen, the absence of a keyboard, and the need to maximize the battery life.  As a result, you’re learning to deal with the digital world using your fingers in a new way.

Extra security issues:

Your smartphone is connected to the cell network all the time. As long as it’s switched on, even when you’re not talking, it is communicating information about where you are back to the network every minute or less.

While you’re using data services of your smartphone, it may switch from a WiFi network to the cell network and back automatically.  This may have implications for how much you’re charged for data, particularly if you’re overseas.

Communications with WiFi networks may be vulnerable to being overheard by other devices and are not as secure as the voice network.

Everyone who uses a smartphone has a certain amount of personal usage.  After all, we all get personal phone calls, receive personal emails & text messages, and browse websites that are not business-related.  So if you’re concerned about employees using their company-provided smartphones for personal goals, quit worrying – they will.

Personal usage also includes music listening and video viewing which can load the data network greatly.  You may need to consider limiting the amount of bandwidth (data network usage) that people in your company use – at least while they’re connected through the cell network.

Your smartphone has a GPS device built in.  So it “knows” where you are all of the time.  In addition, the location information it has can be shared with any App running on the smartphone.  Make sure you want your location information to be shared in this manner.  If you don’t, change the settings on your phone to turn off the GPS location sharing.

Similarly, pay attention to the fact that the web browser on your smartphone keeps a browsing history.  This history may be visible to running Apps on the smartphone.

There are some new apps that have strong security boundaries (see, e.g., a new startup called kumoso.com).  Explore apps like these if you are concerned about the security of your communications.

Coming soon: ads & spam

Have you noticed that you’ve started receiving junk text messages?  I have, and I’m sure it won’t be long until we get spam in many forms on our phones.  Beyond emails, it will include text messages, unwanted pop-up ads in the browser, maybe even unwanted calendar items.

If you’re managing a corporate network of smartphones, you’ll need to add the mobile devices to your list of possible targets for spam and malware.  Get filters (software) that will help keep this stuff off of your mobile devices.

Social networks

Social networks, including Facebook, Twitter and LinkedIn, are now being used by nearly everyone who has either a PC or a smartphone.  There can be many advantages to using social networks, including:

having quick access to status information on your colleagues

posting short information to a large number of connected colleagues who need it (such as via Twitter)

connecting with new people using colleagues who are already in your network (such as through LinkedIn)

sharing articles and notes with people who may find it interesting and useful

Here are few things to consider as you indulge in social networks:

1. You have decided that your need for connectivity exceeds your need for privacy.  You actually want to hear from your friends & colleagues about what they’re up to, what they need, what they’ve done or read.  You don’t mind if what you share with them can be seen by anyone who cares to look you up or to Google your name.

2. You don’t mind that your history (what you’ve posted, poked, tweeted & connected to) is a public record.  Always assume that you cannot erase anything you’ve posted or tweeted.  The online record of social media is now a popular way for exploring vulnerabilities or skeletons in the closet of people who are lawsuit targets. Potential employers may search for your tweets to see what you’ve been saying before they offer you a job.

3. You don’t mind being open to well-targeted ads.  The more you share online, the more the advertisers have access to what you’ve expressed an interest in.  They will use this information to make their ads closely match your interests.

Summary of security issues

Be willing to receive all the incoming messages, texts and tweets that are in store for you.

Make sure you want the exposure in a public record of what you’ve shared with others.  Think before you tweet – this may be a permanent record.

 

New webinar series

October 30, 10 AM:  free one-hour webinar, “The 10 Danger Signs of a Failing IT Project

Register here: http://www.anymeeting.com/PIID=E158DD888848

November 13, 10 AM:  free one-hour webinar, “How to Save a Failing IT Project

Register here: http://www.anymeeting.com/PIID=E158D787854D

I’ll share with you a lot of the insights I’ve gained over the last 30 years in identifying and responding to problem in project management and other aspects of getting things done in implementing IT capabilities.

Join me in a two-webinar series on IT Projects, coming up on October 30 and November 13.  The first webinar covers the red flags you should watch for in major IT projects, and the second one gives more details about how to save a project that looks as if it’s headed for failure.

Filed Under: Agile Management, Painless IT Tagged With: , , , , , , , , , , , ,