Unsecured Wireless

September 8, 2010

Like most office buildings, ours has a small custodial office located in a mechanical room off the ground floor.

A few days ago I was having a brief chat with a building heating / ventilation contractor and commented that I have been seeing him here a lot – and that I hoped that there was nothing major that was wrong with the building!

His response?

He told me that the unsecured wireless network that someone in this building has was great for him to check his email.

The SMB Takeaway

If you have any wireless access points in your facility and they are unsecured, it may not just be the HVAC repair guy that is accessing your network.


Photo Credit verdammtescheissenochma via flickr


When IT Abuses Trust

April 23, 2010


You follow every good practice in the book to ensure that your data is secure from prying eyes and security threats.

Then you find out the prying eyes are your IT staff.

Here is another incident reported by Mike Schaffner in this post titled: Keeping Data Safe From IT Snoops.

Let me be clear: It is theft. And I am sure it happens more often than we realize.

Larger SMEs, you must play with the big kids on this one. Create, implement, monitor and audit your network and physical security policies.

For smaller organizations it can be harder due to lack of resources. But it is not impossible.

Along with some of the tips in the above article, I have some more in this post titled: IT And Ethics.

Photo Credit Kiwi-Lomo via flickr

You are a manager in a small to medium business. Security issues are only for the big guys, right?

Writing for the Globe And Mail, Omar El Akkad reports:

According to the study, IT security breaches – everything from viruses to intellectual property theft to abuse by employees – cost the average Canadian organization $834,149 in 2009

Need I say more?

If you want me to say more, take security breaches and theft by insiders, that is, your own contractors or staff:

that number has more than doubled to 36 per cent.

You can get updates to this blog by clicking the RSS icon on the Home Page!

The Top Ten Passwords

February 8, 2010


From CIOZone

There’s just no other way to explain why 300,000 out of 32 million people would choose “123456” as their password.

The other 9 most commonly used passwords are in that article.

By the way, being in the top 10 is not a good thing in this case.


Photo Credit Richard Parmiter via flickr

If you run a Microsoft Windows computer, you are already familiar with the Automatic Updates feature that installs the latest security patches and software updates without asking you.

Unfortunately, if you run Windows servers, that same feature is available on them, and if it is left on it will do exactly the same thing to your servers.

It sounds like a time saver right? All updates and security patches installed on your servers automatically with no human intervention required?

But here is the problem!

I am sure you have noticed that some of these automatic patches or upgrades tell you that the computer needs to reboot to finish the installation, and that sometimes it just starts shutting down without warning.

Do you really need that to happen to your servers?

There you are typing an email and your MS Exchange Server decides it is time to reboot...

Another issue with automatic rebooting on servers is that if several servers reboot at close to the same time, there can be errors or service failures depending on which servers reboot and in which order. For example, a Microsoft SQL Server whose service runs under a domain account will fail to start properly if the domain controllers are still rebooting, because there is no domain controller available to authenticate that service account.

The second problem I have with automatic updates on a server: the update software has no idea what each server is used for, so it installs every update and patch whether or not you need it.

Do you want that server rebooting for a patch to Windows Media Player, when no one will ever use it on that server and the server is blocked behind firewalls? Of course, if a server is publicly accessible, needless attack surface like Media Player should be removed anyway.

The SMB Takeaway

When it comes to servers, review all the patches and updates that Microsoft publishes every month (the security bulletins come out on the second Tuesday of the month). They are published on Microsoft Technet, and you can even subscribe to security alerts via e-mail.

If the update applies to your environment, it may be critical to install it, but schedule it on your time. Schedule it after hours so servers don't start rebooting during business hours, and in an order that respects dependencies: domain controllers first, then the servers whose services depend on them.
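As an added example, not from the original post: the behaviour this takeaway asks for, patches downloaded automatically but installed and rebooted on your schedule, can be pinned with the Automatic Updates policy values in the registry. The script below is mine, not the author's. It assumes a Windows Server with PowerShell 3.0 or later, run from an elevated prompt, and uses the documented policy values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU (AUOptions, NoAutoUpdate, NoAutoRebootWithLoggedOnUsers, ScheduledInstallDay, ScheduledInstallTime); the function and parameter names are my own.

```powershell
# Added example, not part of the original post. Assumes Windows Server with
# PowerShell 3.0+, run elevated. Registry path and value names are the documented
# Automatic Updates policy settings; the function names are my own.

$AuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-DesiredUpdatePolicy {
    param(
        [ValidateSet('Manual', 'Scheduled')] [string] $Mode = 'Manual',
        [int] $InstallDay  = 1,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int] $InstallHour = 2    # 0-23, local time
    )
    # AUOptions: 2 = notify before download, 3 = download then notify before
    # install, 4 = download and install on the scheduled day and hour.
    $policy = @{
        NoAutoUpdate                  = 0   # keep Automatic Updates enabled
        NoAutoRebootWithLoggedOnUsers = 1   # never reboot under a logged-on admin
    }
    if ($Mode -eq 'Manual') {
        $policy.AUOptions = 3               # an admin chooses when to install
    } else {
        $policy.AUOptions            = 4    # install unattended after hours
        $policy.ScheduledInstallDay  = $InstallDay
        $policy.ScheduledInstallTime = $InstallHour
    }
    return $policy
}

function Set-ServerUpdatePolicy {
    param([hashtable] $Policy)
    if (-not (Test-Path $AuPolicy)) {
        New-Item -Path $AuPolicy -Force | Out-Null
    }
    foreach ($name in $Policy.Keys) {
        Set-ItemProperty -Path $AuPolicy -Name $name -Value $Policy[$name] -Type DWord
    }
}

function Test-ServerUpdatePolicy {
    # Emits one object per mismatched value; no output means the server is compliant.
    param([hashtable] $Policy)
    $current = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    foreach ($name in $Policy.Keys) {
        $actual = if ($current) { $current.$name } else { $null }
        if ($actual -ne $Policy[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $Policy[$name]; Actual = $actual }
        }
    }
}

# Sunday 02:00 unattended install for an ordinary member server. Use -Mode Manual
# on domain controllers and the Exchange server, where you want to control the
# reboot order yourself.
$desired = Get-DesiredUpdatePolicy -Mode Scheduled -InstallDay 1 -InstallHour 2
Set-ServerUpdatePolicy -Policy $desired
Test-ServerUpdatePolicy -Policy $desired | Format-Table -AutoSize
```

Two caveats. NoAutoRebootWithLoggedOnUsers only postpones the reboot while someone is logged on; with AUOptions set to 4 and nobody at the console the server still reboots after the scheduled install, which is fine for a lone file server at 02:00 on Sunday but not for a chain of dependent servers, so either stagger ScheduledInstallTime (domain controllers first) or keep those servers on Manual. And on a domain-joined server a Group Policy Object that sets Windows Update writes these same values and will overwrite whatever the script set, so put the policy in the GPO rather than fighting it locally.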


Facebook As Attack Vector

January 20, 2010

Great warning about what we call Social Engineering in this CIO Zone article by Robert Siciliano titled: Hacking In With a Facebook Profile and Fake Badge.

Social Engineering is simply a con game: the attacker convinces an individual that they are legitimate, and the duped individual hands over the keys to the kingdom.

Standards or Wild West?

Gary Hamel, writing on the Wall Street Journal blog, blasts corporate IT departments for enforcing technology standards in a post titled: Why Don't IT Departments Give Employees More Freedom? The premise is that if the best tool for the job is something that an employee provides themselves, or downloads from the Internet, so what? In Mr. Hamel's words:

How is it that employees can be trusted to take care of important customers, safeguard expensive equipment and stay within their budgets, but can’t be trusted to use the Web at work, choose their own IT tools, or download programs onto the workplace PCs? Do IT staffers really believe that conscientious, committed employees turn into crazed, malicious hackers when you give them a bit of freedom over their IT environment?

Sounds Great In Theory, But Tell Me, Who Pays?

When it comes to business computers, the total cost of ownership of an IT asset can be as high as five times the purchase price, and not once, but annually. A significant portion of that cost is supporting the asset. Support includes direct support, such as technical services staff paying a visit to fix something, and indirect support, which is when you spend your time helping a neighbor (or they help you) figure out why that mail merge is not working properly.

Now, in my smaller business, we are pretty relaxed about people utilizing their own tools of choice as stated by Mr. Hamel. But in the past three or four months – that choice has cost me over 10 grand to do it. (more on that later)

Who Fixes What? (Or When I Just Go Home!)

Just in the past few weeks, I recall reading about a larger organization (if I find it again I will update with a link) that has allowed its employees to provide their own computers or laptops, with the caveat that corporate support would not be able to help them if they chose the non-standard devices. In other words, you are responsible for getting it fixed if it breaks.

OK, so what happens when it does break?

In larger organizations, if a notebook or PC's software or hardware dies, it will either be re-imaged with clean versions of the software or a new PC dropped into place with the corporate tools pre-loaded. Job done. In fact this type of computer support can often be done remotely.

So if I chose to forgo the corporate supplied PC and provide my own Mac, and it dies? Let's see, I unplug it and trek off to my repair outlet of choice. They tell me it will be back to me by Wednesday.

OK. Do I sit twiddling my thumbs until Wednesday?

Maybe call my clients and say; "Hey, can't help ya until next week, will call you back then!"

Somehow I don't see that going over well with your clients. So the question is:

If staff supplies their own IT assets, and they are responsible for repairing them, what productivity loss do you face when they don’t have their machine until next Wednesday?

Next: How About The Cost of Security?

Leaving hardware failure out of the picture, let's assume we allow everybody to install their software of choice on business computers. Read the following quote from an Information Week article by Avi Baumstein after audits found peer to peer file sharing software on PCs:

The results were shocking and scary–loads of confidential business documents and enough personal information to ruin any number of lives and create PR nightmares for quite a few companies. Among the business documents were spreadsheets, billing data, health records, RFPs, internal audits, product specs, and meeting notes

As smaller businesses, we are not immune to this either!

In this previous post, I wrote about a small business owner that was fired by three network support vendors.

And why did three IT Services companies fire this customer?

After every abusive, screaming support call, the service providers found the affected PC to be riddled with viruses and spyware from the kids playing on business PCs. His attitude was that he should never have problems in spite of his own irresponsibility.

My Personal Experience

At the beginning of this post I mentioned a 10 grand figure.

As an organization, we are pretty liberal on what people do with their PCs. And of a staff of about 20, three of them use that advantage more than others.

And yes. I have to rebuild or fix those three users' computers every couple of months. In fact I just finished fixing one again that took a few days to repair. But let's leave out those softer productivity and labour costs for a minute. After all, maybe you don't consider these types of things as costs. (but you should!)

How about hard dollar accounts payable costs? Does that strike a nerve?

One of these three individuals configured a three-way data synchronization between our email server, his iPhone, and his Google calendar.

Immediately after he did this, I started getting errors on our e-mail server, all coming from his account!

Even after removing the e-mail server part of this synchronization, the errors rapidly escalated in severity and number.

Articles and support notes suggested completely deleting this individual's email account, taking the server off-line and running certain database repair and diagnostic tools.

To avoid bringing critical e-mail to a halt during business hours, I planned that work for late on the next Sunday.

Unfortunately – my e-mail server did not last until the next Sunday.

That Friday morning was nothing but a complete nightmare of error messages and failures that completely crashed the server. The crash completely corrupted all message stores, the file system, the works. At one point we could not even get that e-mail server to actually run the operating system.

After a few hours of work, I contacted one of my preferred vendors who specialize in this type of disaster recovery. It still took me and two of their experts three days to do a complete rebuild of that server, restore all that data from backup tapes, and then use the database tools to clean up the corruption.

Three days and a 10 grand service bill.

The SMB Takeaway

It is easy to say; let everybody use what they want.

But you better be willing to pay for the excess costs! Because somebody has to pay them.


Photo Credit peppergrass via flickr