I have yet to meet a security professional who has all the time required to do everything that he or she needs to, to protect his or her organization. Instead, whenever I network with security professionals, I ask them, “How’s it going?” and can usually predict the answer: “crazy busy,” “way too much going on,” “many unfilled holes,” and so on.
This problem is not limited to security. Most other business functions usually feel short on the resources they require to do what they need (or want) to do.
The question, then, is how to decide what activities truly deserve our time.
The answer is to perform a risk assessment across your entire organization (or within individual business units if your organization is large). If you perform it competently and faithfully, you will end up with a list of risks. If you categorize those risks in terms of short-term impact, probability of occurrence, public visibility, cost of mitigation, and long-term impact, then you should be able to “slice and dice” your list to determine which risks truly demand your attention now and which are lower priority.
The next task, then, is to present the findings of the risk assessment to senior management, so that they can make any adjustments to priorities and provide resources as they feel are needed.
Finally, explicitly or implicitly, you will need to document all untreated risks as “accepted” by senior management. Do it in writing, as formal (or informal) as the risk assessment itself.
Having done all of these, you will have done your job: make senior management aware of business risks, and enable them to make informed decisions.
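As an added illustration (not the author's own method), here is one way to encode the five categories above in a small risk register, “slice and dice” it into now/next/later buckets, and generate the written acceptance record from the last step for sign-off; the 1-5 scales, the thresholds and the sample risks are constructed assumptions:

```python
"""Prioritising a risk register along the five dimensions the post names.

Added example, not the post author's own method. The 1-5 scales, the
thresholds in priority() and the sample risks are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: int        # 1 rare .. 5 almost certain (within the year)
    short_term_impact: int  # 1 negligible .. 5 severe
    long_term_impact: int   # 1 .. 5
    public_visibility: int  # 1 internal only .. 5 front-page news
    mitigation_cost: int    # 1 cheap .. 5 major project


def exposure(r: Risk) -> int:
    """Likelihood-weighted harm: probability times the worse of the two impacts."""
    return r.probability * max(r.short_term_impact, r.long_term_impact)


def priority(r: Risk) -> str:
    """Slice the register into 'now', 'next' and 'later' (constructed thresholds)."""
    if r.short_term_impact >= 4 and r.probability >= 3:
        return "now"    # likely and painful soon: cannot wait for the budget cycle
    if r.public_visibility >= 4 and exposure(r) >= 6:
        return "now"    # reputational harm outweighs the cost argument
    if exposure(r) >= 2 * r.mitigation_cost:
        return "next"   # mitigation is cheap relative to the harm it removes
    return "later"      # left untreated until resources allow


def rank(register: list[Risk]) -> list[Risk]:
    """Order for the management briefing: bucket, then exposure, then cost."""
    order = {"now": 0, "next": 1, "later": 2}
    return sorted(register, key=lambda r: (order[priority(r)], -exposure(r), r.mitigation_cost))


def acceptance_records(register: list[Risk], approver: str) -> list[dict]:
    """The written record of every risk left untreated, ready for sign-off."""
    return [{"risk": r.name, "exposure": exposure(r), "status": "accepted", "accepted_by": approver}
            for r in register if priority(r) == "later"]


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("Unpatched Internet-facing VPN appliance", 4, 5, 4, 3, 2),
    Risk("Laptop theft with no disk encryption", 3, 2, 4, 5, 1),
    Risk("Only one admin knows the backup restore procedure", 2, 3, 3, 1, 3),
    Risk("Legacy printer firmware that cannot be updated", 2, 1, 2, 1, 4),
]
```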
If you agree (more or less) with senior management’s resourcing decisions, then you are fortunate. If you vehemently disagree, it may be time for you to find some mentors in the organization who can help you to better communicate with senior management. Lacking this, you may need to consider moving on.
Backup and Data Recovery (BDR) solutions traditionally have been high-priced luxuries out of the reach of many small to medium business owners. Tape drives remain very expensive hardware components, and offsite storage services are simply too expensive for many companies to use. But now, cloud-based solutions are poised to bring BDR within reach of every business, from the sole proprietorship to the multisite enterprise.
Let’s look at what a company needs for BDR. Data must be securely backed up, available in case of need, but safe from any disaster that might strike the company. When all of your data resides only on your fileserver, it is at risk from hardware failures, theft, human error, fire or other catastrophe. Many companies use tapes to back up their systems, but do not use a reliable way to move those tapes off site to a secure storage location. The same fire that cooks your server will melt the tapes in the file cabinet, and so will the summer sun beating down on the car’s boot.
Even the least expensive courier services can cost hundreds of dollars a month, and relying on tapes to store your data means needing redundant hardware to recover your data in an emergency. Tape based solutions are simply out of reach for most SMBs, who choose instead to accept the risk of loss because they don’t have a viable solution. Or rather, they didn’t until BDR met the cloud.
Cloud-based BDR solutions use your company’s Internet circuit to make a secure connection to your service provider’s network and perform data backups continuously. Typically an agent is installed on each server and workstation you wish to back up; it examines data changes at the block level and replicates them either directly to the cloud service provider, or to a staging appliance in your datacenter that can further compress the data and keep the most recently changed data staged for rapid restores if necessary.
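To make the block-level mechanism concrete, here is an added example (not code from any BDR vendor) of an agent that hashes fixed-size blocks, keeps a per-file manifest, and replicates only the blocks that changed since the last run; the block size and the in-memory store standing in for the provider's network are assumptions:

```python
"""Block-level incremental replication, the mechanism the post describes.

Added example, not code from any BDR product. The BlockStore dict stands in
for the provider's object store and BLOCK_SIZE is a constructed choice.
"""
import hashlib

BLOCK_SIZE = 4096  # constructed; real agents follow the volume's block size


def _digest(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


class BlockStore:
    """Content-addressed store: a block is keyed by its hash, so a block that
    already exists (same file, or any other file) is never sent twice."""

    def __init__(self) -> None:
        self.blocks: dict[str, bytes] = {}
        self.bytes_sent = 0  # what actually crossed the Internet circuit

    def put(self, block: bytes) -> str:
        digest = _digest(block)
        if digest not in self.blocks:
            self.blocks[digest] = block
            self.bytes_sent += len(block)
        return digest

    def get(self, digest: str) -> bytes:
        return self.blocks[digest]


class Agent:
    """Per file, remembers the block digests from the last run (the manifest)
    and replicates only blocks whose digest changed since then."""

    def __init__(self, store: BlockStore) -> None:
        self.store = store
        self.manifests: dict[str, list[str]] = {}

    def backup(self, path: str, data: bytes) -> int:
        """Replicate the changed blocks of one file; return how many changed."""
        previous = self.manifests.get(path, [])
        manifest, changed = [], 0
        for i in range(0, len(data), BLOCK_SIZE):
            block = data[i:i + BLOCK_SIZE]
            digest = _digest(block)
            idx = i // BLOCK_SIZE
            if idx >= len(previous) or previous[idx] != digest:
                self.store.put(block)
                changed += 1
            manifest.append(digest)
        self.manifests[path] = manifest  # a file that shrank simply drops blocks
        return changed

    def restore(self, path: str) -> bytes:
        """Pull the file back down by reassembling blocks in manifest order."""
        return b"".join(self.store.get(d) for d in self.manifests[path])


def demo() -> tuple[int, int, bool]:
    """Constructed run: a 4-block file, then a one-byte change inside block 1."""
    agent = Agent(BlockStore())
    data = b"".join(bytes([i]) * BLOCK_SIZE for i in range(4))
    first = agent.backup("/srv/db.bin", data)        # all 4 blocks are new
    edited = data[:5000] + b"X" + data[5001:]
    second = agent.backup("/srv/db.bin", edited)     # only block 1 changed
    return first, second, agent.restore("/srv/db.bin") == edited
```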
Rather than investing thousands or tens of thousands of dollars in hardware and software, cloud-based BDR solutions typically operate on a monthly subscription basis, with graduated pricing based on total data stored. This means that SMBs can start using the services immediately and keep their costs manageable. They can select a smaller total data level to start, and raise the level as their needs grow. Because costs are monthly and subscription based, the financial treatment of these costs is frequently very attractive as well, being booked as operating expense rather than as capital assets.
Many of the cloud-based providers of BDR services offer free trials, which enable the business owner or IT admin to take the service for a test ride, ensuring that they are comfortable with the requirements, performance, and availability of the service. Some services offer individual users backup capabilities for their workstations that go hand in hand with server-based backups, while others pool team-based storage to further enhance the services available.
With your data securely backed up to a cloud provider’s network, you can rest easy knowing that if disaster strikes, your data is not lost. It is safe and secure in the cloud ready for you to pull down at need.
This guest post was written by Casper Manes on behalf of IT Channel Insight, a site for MSPs and Channel partners where you can find other related articles to disaster recovery.
Why the security war will never be won
At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.
How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?
The information security war will never be won.
Never.
As long as people, or groups of people, have accumulated wealth of any kind, other people will try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.
In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what? It doesn’t seem like the problem of residential burglary is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.
In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.
There are times when it proves very challenging to break directly into information systems. That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.
Why do intruders persist? Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true even if you have all of the latest defenses, tools, training, and so on. Your defenses will only slow down a determined intruder, and maybe only by a small margin.
- We must protect all systems. An intruder will attack the system of his choosing.
- We must protect from all types of attacks. An intruder will use an attack method of his choosing.
- We must protect our systems at all times. An intruder will attack at a time of his choosing.
- We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
- We must obey all laws when defending our systems. An intruder may break any law of his choosing.
- The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
- Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.
Cloud service providers and the U.S. PATRIOT Act
The U.S. PATRIOT Act has a lot of non-U.S. companies wondering whether it is a sound practice to store data with a U.S.-based cloud services organization. The concern is this: the cloud services provider may be obligated to turn over stored data on receipt of a National Security Letter, which is essentially a subpoena with a gag order.
But what if the customer is the legal owner of the data, and not the cloud services provider?
If legal contracts between the cloud services provider and its customers define customers as the owner of stored data, what happens when the cloud services provider receives a National Security Letter asking for that data? Can the provider say, “sorry – this is not our data, you need to ask the owner for it”?
I could see this going both ways. Using the precedent of wiretapping, the law enforcement agency issuing the subpoena might argue that data ownership is irrelevant.
* * *
While we’re on the topic of PATRIOT… I often wonder about non-U.S. companies’ concern about it. The rationale I sometimes hear is that storing data in the U.S. is riskier because of PATRIOT.
Let me assert this: in the interest of national security, any nation’s law enforcement or intelligence agencies are going to search and seize data as needed, whether there are laws on the books or not. The fact that the U.S. has its PATRIOT Act only means that the U.S. is being more transparent about a practice that we all know is pervasive around the world. Taking this argument further, you could argue that storing data in the U.S. is safer, because at least the U.S. has laws governing the use of search and seizure in the name of national security. In countries without such laws, what will limit the reach of law enforcement and intelligence agencies?
* * *
Finally, I want to say that I am not expressing an opinion about PATRIOT – whether I agree with it or not. It is simply a fact to be dealt with.
* * *
Block JavaScript in Adobe Acrobat
Simple how-to instructions for blocking JavaScript in Adobe Acrobat Reader on Windows, Linux, and Mac systems.
Reducing the attack surface in Adobe Reader is an important step in reducing malware attacks. The vast majority of PDFs do not contain JavaScript, but JavaScript-embedded PDF files are a well-known method used to attempt to compromise end-user systems. This can occur in phishing scams where e-mail messages contain infected PDF files, or links point to infected PDF files hosted on web sites.
Here is how to block JavaScript in Adobe Acrobat 10 for Mac. Go to Acrobat > Preferences > JavaScript and uncheck Enable Acrobat JavaScript. Then click OK.
Similarly, in Adobe Reader X on Windows, go to Edit > Preferences > JavaScript and uncheck Enable Acrobat JavaScript, then click OK.
Likewise, for Adobe Reader 9 on Linux, go to File > Properties > JavaScript and uncheck Enable Acrobat JavaScript, then click OK.
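Disabling JavaScript in the reader is the mitigation; the complementary check on the mail gateway or file share is to spot PDFs that declare a JavaScript action before anyone opens them. The following is an added example (not part of the original post or any Adobe tool) that scans a file for the relevant PDF names, decodes #xx-escaped names, and inflates Flate-compressed streams so hidden markers are not missed; the sample PDFs are constructed by hand:

```python
"""Flag PDFs that carry JavaScript before they reach a reader that still has
JavaScript enabled. Added example, not from the original post or any Adobe
tool. The sample PDFs below are constructed by hand (object numbers arbitrary).
"""
import re
import zlib

# Names that only appear when a PDF wants script run or an action fired on open.
SUSPECT_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA"}

_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalise_name(raw: bytes) -> str:
    """Decode #xx escapes, so /J#61vaScript compares equal to /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def _expand_streams(pdf: bytes) -> bytes:
    """Append inflated copies of Flate-compressed streams, so names hidden in
    compressed object streams are visible to the scan."""
    inflated = []
    for m in _STREAM_RE.finditer(pdf):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed, or damaged: scan only the raw bytes
    return pdf + b"\n" + b"\n".join(inflated)


def pdf_script_indicators(pdf: bytes) -> set[str]:
    """Return the suspect names found anywhere in the file."""
    found = set()
    for m in _NAME_RE.finditer(_expand_streams(pdf)):
        name = normalise_name(m.group(0))
        if name in SUSPECT_NAMES:
            found.add(name)
    return found


def has_javascript(pdf: bytes) -> bool:
    """True when the PDF declares a JavaScript action: quarantine or sandbox it."""
    return bool(pdf_script_indicators(pdf) & {"/JavaScript", "/JS"})


# Constructed samples: a plain file, one with an open-on-load script, and one
# hiding the same script under a #-escaped name inside a Flate stream.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n%%EOF")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
_HIDDEN = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert(1)) >>")
OBFUSCATED_PDF = (b"%PDF-1.5\n4 0 obj << /Filter /FlateDecode /Length "
                  + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN
                  + b"\nendstream\nendobj\n%%EOF")
```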
Why Disaster Recovery Requires a Plan
Guest post from Casper Manes on behalf of IT Channel Insight
Whether you are a commercial pilot, an astronaut, a submarine weapons officer, or a Cylon, you know the importance of having a plan. There are certain tasks that, no matter how repetitious they may seem, are so important to get right the first time, and every time, that they have been boiled down to a checklist which any reasonably skilled and trained individual can walk through, step by step, in order, to accomplish the task. They are designed to be easy to follow, to spell out exactly what needs to be done, and the order in which it must be done, to get things going, and to require a minimum of creative thinking. Tasks are performed by rote, and verified each step of the way. That’s the perfect way to approach disaster recovery, and in this article we’ll discuss why you need a disaster recovery plan that is a little more detailed than “don’t panic!”
What is a disaster?
Let’s consider what, in business terms, can constitute a disaster. Sure, things like hurricanes and blizzards come to mind, perhaps even fires in the datacenter, but a disaster is more than just a weather phenomenon or catastrophic loss; it’s anything that significantly disrupts the normal operations of your business. If we limit ourselves to an IT perspective, that can include prolonged Internet outages, a severe flu epidemic that takes out half the staff, a virus that shuts down key servers, or a SAN failure. It can also include HVAC failures, power outages, or hardware failures on critical, but not redundant, systems. Anything that causes a significant and protracted impact to normal operations may be enough to declare a disaster situation, and require that you implement your recovery plan.
Disaster declared, now what?
In the best case, the disaster is a hardware failure that will eventually be corrected by the vendor. But while systems are down, your phone is ringing off the hook, you’re getting pinged on email and IM, and someone is probably sticking their head in your cube every 30 seconds asking if it’s fixed yet. In the worst types of disaster, you and your colleagues are probably more worried about your families and your own property than about the company’s, and that’s assuming all of your team even made it into the office. Hurricanes, blizzards, and other region-impacting events can leave you with only a skeleton crew, and most of them are going to be worried about more than just how to get the website back online and email working. That’s why you want to work the plan.
By the numbers
Think back to how this article opened. When failure is not an option and there are countless distractions going on, you want people to have something to anchor themselves with, and to keep the need for creative thinking to a minimum. You also need to make sure that things are done in a certain order, and that nothing is missed, because most things have dependencies. A plan is the guide that your team will use to focus on specific and discrete tasks, without having to make it up as they go along. Make use of checklists; I mean actual paper documents on clipboards with check marks that each step is complete, so that:
a) if something distracts you, it is easy to pick up where you left off without missing anything;
b) you can hand off to someone else and they know exactly where to start; and
c) someone can audit that each step was done.
Paper checklists also have the distinct advantage of not relying on technology. I once saw an organization that kept all their DR procedures online, which looked great until they couldn’t get to them while the datacenter was down!
It’s a journey, not a destination
Disaster recovery planning is an ongoing process. Plans must be tested and revised as the company grows, new systems are brought into the environment, and old systems are deprecated. Real disasters don’t happen on schedule, so training must be thorough and testing must be performed to ensure that whoever is on the clock can handle the early steps of the process until more people can get online. Staffing changes will mean that this must happen frequently, and repeatedly. It’s just a part of the overall process, so accept it. And make sure that at least two people know how to perform any part of the disaster recovery plan, since you have no way to know in advance whether everyone will be able to make it into the office when a disaster strikes. Redundancy of equipment is no more important than redundancy of skillsets, and a single point of failure could be the one guy who can’t get into the office because the roads are closed.
This article was written by Casper Manes on behalf of IT Channel Insight, a site for MSPs and Channel partners where you can find other related articles on how to setup a disaster recovery plan.
What does a network scanner bring to the company?
Guest post from Emmanuel Carabott of GFI Software Ltd.
Whenever someone does research on the best methods to secure a company’s network, they are sure to come across articles recommending network scanners. But what value do network scanners really provide any organization?
Network scanners generally provide two distinct important functionalities – information gathering on the network they’re scanning and information on any security issues found on that network.
Information on the network
Administrators need to keep up with the constant changes made to the network. Some might see change management as unnecessary, but it is an essential part of keeping a network in excellent shape. There are various reasons why administrators would want to know what software and hardware is running on their network, but the main ones are security and the need to make sure that the changes administrators make will not cause conflicts within the existing network infrastructure. When new software is installed, or updates are made to an existing installation through patching, certain configurations can make the system unusable (blue screens, for example) or unstable. To prevent this from happening, the administrator should keep a test environment that mirrors the network where these changes will be made, and test there before pushing changes onto the live server. If users install new software on their systems without notifying the administrator, the test environment will not match the current network, and therefore any pre-deployment tests will be inconclusive and not a true reflection of the current status.
Some hardware can pose a security risk to the network. It is imperative that administrators are immediately notified when a new device is connected to the network so that they can determine if there is a real risk to the company. The company’s security policy might specify that the administrator must be notified before any new hardware is connected to the network but that alone does not guarantee employee compliance. A network scanner, however, can periodically monitor the network for changes and notify the administrator as these happen.
Security issues on the network
A network scanner will also look for a number of security issues on the network it is scanning.
These generally include:
- Vulnerabilities
- Missing patches
- Unwanted open ports
New vulnerabilities affecting the network can arise on a daily basis, often due to changes in configurations, new exploits being discovered, and because of new software being installed on the network. For these reasons alone, an administrator needs a network scanner that can monitor the network for any vulnerability on a regular basis.
Next on the list is patch management. Vendors continuously fix security issues in their software and then release patches for the end user to install. Keeping track manually of all patches released can be a daunting task, but a network scanner helps the administrator stay on top of the problem and apply any patches that are required.
Finally, there are applications that communicate through the Internet, such as web servers, which open ports for others to connect to. Every open port is a potential security risk, because malicious persons will try to find exploits in these connections. It is highly recommended that ports not in use be closed immediately. An administrator should be informed as soon as a new port is opened on a network machine. This usually happens when an employee has installed a new application, or because of a malware infection. Since the network administrator cannot be everywhere or see everything happening on the network all the time, a network scanner is an essential tool.
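As an added example (not GFI's or any scanner product's code), the following turns a baseline snapshot and a fresh scan into the three alerts described above: new devices, newly opened ports, and software behind the required patch level; the snapshots, hosts and version list are constructed:

```python
"""Turn two network-scanner snapshots into the three alerts the post wants:
new devices, newly opened ports, and hosts missing a vendor patch.

Added example, not code from GFI or any scanner product. The snapshots,
hosts, software names and the required-version list are all constructed.
"""
import re

# A snapshot maps host -> {"ports": set of open ports, "software": {name: version}}.
# Constructed baseline, recorded after the last approved change window.
BASELINE = {
    "10.0.0.10": {"ports": {22, 443}, "software": {"openssh": "9.3p1", "nginx": "1.24.0"}},
    "10.0.0.20": {"ports": {3389}, "software": {"backup-agent": "2.1.0"}},
}
# Constructed scan from today: one new host, one new listener, one stale package.
CURRENT = {
    "10.0.0.10": {"ports": {22, 443, 8080}, "software": {"openssh": "9.3p1", "nginx": "1.24.0"}},
    "10.0.0.20": {"ports": {3389}, "software": {"backup-agent": "2.1.0"}},
    "10.0.0.77": {"ports": {445}, "software": {}},
}
# Constructed list of the minimum patched version the administrator accepts.
REQUIRED = {"openssh": "9.6p1", "nginx": "1.24.0", "backup-agent": "2.1.0"}


def _ver(version: str) -> tuple[int, ...]:
    """Compare versions numerically: '9.3p1' -> (9, 3, 1), so 9.3p1 < 9.10p1."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def new_devices(baseline: dict, current: dict) -> set[str]:
    """Hosts answering now that were not in the baseline at all."""
    return set(current) - set(baseline)


def new_ports(baseline: dict, current: dict) -> dict[str, set[int]]:
    """For known hosts only: ports open now that were closed in the baseline."""
    opened = {}
    for host, info in current.items():
        if host in baseline:
            delta = info["ports"] - baseline[host]["ports"]
            if delta:
                opened[host] = delta
    return opened


def missing_patches(current: dict, required: dict) -> dict[str, list[str]]:
    """Installed software older than the required version, per host."""
    stale = {}
    for host, info in current.items():
        findings = [f"{name} {ver} < {required[name]}"
                    for name, ver in info["software"].items()
                    if name in required and _ver(ver) < _ver(required[name])]
        if findings:
            stale[host] = findings
    return stale


def scan_report(baseline: dict, current: dict, required: dict) -> list[str]:
    """One line per finding, in the order an on-call administrator would triage them."""
    lines = [f"NEW DEVICE  {h} ports={sorted(current[h]['ports'])}"
             for h in sorted(new_devices(baseline, current))]
    lines += [f"NEW PORT    {h} {sorted(p)}"
              for h, p in sorted(new_ports(baseline, current).items())]
    lines += [f"MISSING PATCH {h} {f}"
              for h, fs in sorted(missing_patches(current, required).items()) for f in fs]
    return lines
```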
A network scanner is a very useful tool for administrators, making their lives a lot easier. Having a ‘virtual consultant’ is a much better option than having to check each and every machine manually.
Companies that use network scanners will save time and money, while administrators can focus on more important issues that require manual intervention. Why add more work when tasks can be automated using a network scanner?
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on the importance of using a network scanner.
All product and company names herein may be trademarks of their respective owners.