Technology Made Simple
Monday June 14th 2021

Information Security Core Knowledge

Every so often, I get asked by someone who wants to get into the InfoSec field what is at the core of the knowledge that is needed. Now I know a lot of people have a lot of different answers to this question, but I think there are some things that are important and that are easier to attain. These aren’t particular things to memorize; they are more skills that you need to work effectively in the security field.

Skills

  • Reading CVEs: Most of what I do, when I hear about a new vulnerability, is immediately look at the CVE for it, understand the CVSS and understand how it applies to my environments (both personal and business).
  • Understand Threat, Vulnerability and Risk: A threat is what we’re trying to protect against; it could be something like a DDoS or an actor. A vulnerability is a weakness in software or hardware that can be exploited by threats to gain unauthorized access to an asset. Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
  • Understanding of Networking: While you don’t need to be an expert in networking, I come across subnetting, CIDR, IPv4, IPv6 (in some networks) and ports. These are things that I have to view multiple times a week and quickly identify.
  • NMap: This is a tool that I thought I fully knew until I started working in information security. Then I started to heavily utilize the tool and learned that I had used only a fraction of it. It’s an important reconnaissance tool that you should use to make sure you know what is on your network and what is open.

As you can see, these skills are something that people can learn, so before you get into the InfoSec field, take some time to start learning them. It doesn’t have to be only if you want to get into InfoSec; this is stuff you should look at for any IT job.

How to rethink your backup strategy

One of the things that was drilled into my head when I was starting out in my IT career was the backup philosophy of 3-2-1. This means you should have 3 copies of your data (the production data and two backups), on 2 different media types, with 1 of them being offsite. This is still the recommended method of CERT (see here). Yet I found it conflicted with other information that I’ve learned over time. So while the 3-2-1 method is better than none, you really want to use it as the base of your backup plan and add some extra steps to it.
It’s not that the 3-2-1 method doesn’t have a place anymore, but it was heavily used in the era of tape backups, when you only needed to take 1 thing offsite and store it. Maybe it was my time as an Emergency Manager, where there was always a thought of disaster, that made me start to modify my thought process.

3-1-2 Method: This is the one I’ve come closest to seeing nowadays, where you have 3 copies of your data (one production and 2 backups), it’s all on disk (1 media type) and the backups are stored in two geographic locations. Ideally these locations would be on opposite sides of the world or even your country, but some organizations just focus on different parts of a city/town or state. The idea behind this is that if a disaster happens, think flooding or a tornado, then the data would be in a different locale and still be safe.

3-2-2 Method: This is one that I personally love, but honestly not everyone has the staff or money to pull it off. It means 3 copies of your data, on 2 media types, with the backups in 2 different locations. For this one you need to have the ability to save data to a tape. Usually the tape is sent to a local storage location and your disk backup is sent to the cloud or a backup facility in another locale.

As you can see, as long as you understand the basic 3-2-1 backup methodology, you can and should tweak the numbers to best suit your backup strategy. The 3-2-1 method has been around for a while, and now is the time to start thinking of ways of adding redundancy and attempting to disaster-proof your plans. While it costs a lot to implement a decent backup plan, the cost of not having one can be worse. When I started, we only worried about natural disasters; now your backup strategy needs to include cyber disasters as well. If your cloud backup is infected by ransomware, then an offline backup helps.

For another article on backups by me: Backups: Tape vs. Replication

Q&A Monday: Defense Against Ransomware

Question:
There has been a lot in the news about ransomware, what can I do to protect myself?

Melody Carroll
Dayton, MN

Answer:
There isn’t a day that goes by that you don’t hear about ransomware hitting a company or targeting another industry, and that can make people like yourself want to guard themselves against this particular type of attack. Before I begin, let’s lay down what ransomware is and why it’s dangerous. In short, ransomware is malicious software that “locks up” (encrypts) victims’ files and keeps the person from accessing them without payment. Payment is usually made in cryptocurrency, which is hard to trace, and then the attacker will give directions on how to gain access back to those files. Some variants of ransomware not only encrypt the files, they also copy the files to the attackers’ systems, so they can add the additional threat of releasing the data if you don’t pay.

Practice “Cyber Hygiene”

Luckily, keeping yourself safe from ransomware is not much different than keeping yourself safe from any other type of malware. To start out you don’t need to go crazy; just a few basic steps can keep your computers safe.

  • Multi-Factor (two-factor) authentication: This is a great way to protect yourself with only a little effort. Most websites and/or applications let you use another factor in addition to your password to get into your accounts. The method will vary by website, but you’ll be able to choose between an email, text or authenticator code to get into the website. Most banks have been doing this for years, and most sites I use let me set this up as an option. So now, along with my password, I’ll get a code to log me into the site. This protects you if someone guesses your password or if it is leaked from another site.
  • Backup Data Offline: Most people rely upon a cloud service like Google, Dropbox, iCloud or OneDrive to back up important stuff or pictures. While this is great, if your computer is compromised, then it may sync those encrypted files to the cloud storage platform. The best way to protect yourself is offline backups. Purchase an external hard drive that you disconnect after you back up your files. This way, if your files are encrypted, you have a backup that is safe, but it only works if you disconnect after every backup. I use a reminder to remind myself to back up and disconnect.
  • Utilize Guest Network at Home: Companies segment their networks (or should) to keep hackers from easily moving from one system to another. If you have technical expertise you can do this at home, but it’s not for everyone. The simple solution I recommend is that, if your router supports it, you turn on your “Guest Network” feature and put some things on that segmented network. For example, I’ve recommended people put their IoT devices on there, like their cameras, alarms, toasters, assistants, etc. Should any of those devices become compromised, it would be harder for an attacker to get to your computers, as they’re on a different network.
  • Password Security: This is easier said than done for most people. Make sure that your passwords are unique and complex for each website or application that you use. If attackers get a username and password, they will try that combination on all the popular sites. I recommend that you use a password manager to keep track of the unique passwords for each site and that you make sure each one is complex. Then there’s making sure that you change the password on a regular basis to keep it secure.
  • Don’t use remote tools: There are a ton of applications out there that let you control your computer at home or send files to storage at your house. Anytime you let yourself have access to things from outside your home, you let hackers have the same path. While some of this can easily be mitigated using MFA or complex unique passwords, it’s something that you need to consider.
  • Suspicious Emails: At this point there isn’t a person who doesn’t know about spam emails, and most of us can point them out easily, yet lesser known is the phishing email. Most workplaces will cover this, but I recommend that if you get an email from a business that you do business with and you weren’t expecting it, don’t click any link in that email, and instead go directly to the website itself. That is, unless you are comfortable with looking at the email address or headers of an email to determine if it’s legitimate…but honestly, I can do that, and most of the time I’ll still go to the website directly. These emails are tactics for either getting your login details or getting malware onto your computer.

Now to be clear, there isn’t a foolproof way of protecting yourself, but the more defenses you put up, the more likely an attacker is to move to the next victim. I was once told, why would a car thief break into a car when the one next to it is already open? If someone wants it badly enough, they’ll get your information, but you don’t have to make it easy. I hope that helps.
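One way to do the header check mentioned in the Suspicious Emails tip, as an added example that is not part of the original answer: it parses a constructed message and lists the mismatches worth a second look. The message, its addresses and domains, and the `review_headers` and `trusted_authserv` names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, address and domain here is made up.
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.home.example; spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=none; dmarc=fail header.from=mybank.example
From: "MyBank Support" <support@mybank.example>
Reply-To: MyBank <verify@mybank-secure.example>
To: me@home.example
Subject: Unusual sign-in, confirm your account

Please confirm your details at the link below.
"""


def domain(header_value):
    """Return the lower-cased domain of the address in a header, or '' if absent."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def review_headers(raw, trusted_authserv):
    """List header details that justify going to the website directly instead."""
    msg = message_from_string(raw)
    sender = domain(msg["From"])
    findings = []
    # Replies or bounces routed to a different domain than the visible sender.
    # Return-Path often differs for legitimate bulk mail, so it is a weak signal.
    for header in ("Reply-To", "Return-Path"):
        other = domain(msg[header])
        if other and other != sender:
            findings.append(f"{header} domain {other} differs from From domain {sender}")
    # Only trust Authentication-Results stamped by your own receiving mail server;
    # a copy naming any other server may have been written by the sender.
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() == trusted_authserv.lower():
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()))
    for check in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(check, "missing")
        if verdict != "pass":
            findings.append(f"{check}={verdict}")
    return findings


if __name__ == "__main__":
    for finding in review_headers(SAMPLE, "mx.home.example"):
        print("-", finding)
```
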

——————————————————————————————–
If  you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at me@jimguckin.com, and he’ll try to answer your question.  Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.

Q&A Monday: Remove URL from Auto-complete in Chrome

Question:

I have an incorrect website address that appears in my autocomplete list every time I start typing and I always accidentally click on it.  I tried clearing my history and it’s still there, can you help me?

Alice L. Lowery
Ormond Beach, FL

Answer:

You need to open Chrome and start typing the incorrect URL until the auto-complete suggestion appears. Then you can use your keyboard’s arrow keys to highlight the suggestion in the drop-down menu that appears below the address bar. Once it is highlighted, press the Shift+Delete keys at the same time, and you’ll be rid of that incorrect site in the list. Next time you type, it’ll be gone.


Looking for a candidate? Hire a learner

Over the last couple of months, I’ve done more interviewing than in the previous years of working in IT. I’ve had a very good time training and helping employees improve their skill sets and, unfortunately, take positions in other companies. So I’ve had a lot of time to think about who I want to hire for my open positions, and I don’t take the hiring of someone lightly; this is a decision that impacts me. Yet, because the position I’m looking to fill is considered entry level, it’s sometimes hard to find someone with the level of experience or the fleshed-out resume that I would like. This leaves me in a unique position to think outside of the box a little bit and make sure I’m getting the level of candidate that I can use.

My number one piece of advice is to hire people who are willing and constantly wanting to learn, as opposed to someone who is set in their ways. In my opinion IT people generally fall into one of two categories: Niche fillers and Learners. For the longest time, the tendency in IT, or business in general, has been to gravitate to the people with Niche knowledge, someone who is an expert at what they do. I have many friends who are this kind of IT person; they know their job well, and they get uncomfortable when things vary from their knowledge base. I, on the other hand, have had the career path of not being Niche, but of being someone who will figure out the new tools or learn a new skill to get a job done. I don’t necessarily know if this was something I had set out to achieve or if it was something I achieved out of necessity. Throughout my career a lot of my jobs required me to constantly push my comfort zone: we didn’t have money for a web developer, so I had to learn PHP and SQL, or we didn’t have money for a real backup solution, so how do we accomplish a backup solution? I don’t want it to appear that I’m totally knocking the Niche players; I’ve had my share of times when I needed to rely upon them because it was just more complex than I could understand. There’s definitely a place for that kind of worker, just not in every position.

I’ve found in my career that companies are attracted to the Niche worker because their resumes are usually well polished, they generally have held positions for longer, and they generally have certifications and specific education and knowledge from years ago that may not be common in your newer technicians. Plus, as technology becomes more and more complex, Niche workers have the correct keywords on their resumes that tend to get recruiters’ and hiring managers’ attention. Yet, even though they make a great resume, that does not always mean it will translate well into your organization.

Remember Abraham Maslow’s saying, “if all you have is a hammer, everything looks like a nail”. This can apply to Niche workers as well: their specific knowledge in their field can cause them to rule out or over-analyze (sometimes incorrectly) an issue just because of their expertise. On the other hand, Learners can quickly adapt to a scenario and have a larger knowledge base from which to pull possible solutions and different methods of attacking a problem. Also, in my experience, Learners tend to be software or tool agnostic; it doesn’t matter which tool they are using, since it will adapt and change over time. Some of the tools I started out using, I’ve ditched in favor of other tools that better got the result for me.

It’s important to remember that not every Learner is the same and not every Niche worker is the same. Make sure you know what the best fit will be for your organization and position, and do your due diligence in your hiring process. Some companies may be very resistant to hiring the Learner over the Niche worker, but it may pay off for you and your company in the long run to have these discussions. Remember, identifying and hiring lifelong learners will take an effort during the hiring process, but it can provide you with a flexible technology employee that will last far beyond whatever the “next big thing” in IT becomes.

 

Q&A Monday: Security Question Safety?

Question:

With all the talk about making a password secure, I noticed that someone with enough knowledge of me would be able to reset my password using the security questions. These questions are similar across almost every site that I visit and a friend or determined enough hacker could easily guess the answers. Any idea on a way to help keep my accounts secure with the security questions?

Joann Power
Portland, OR

 

Answer:

This is a great question, and I apologize for holding it a little while until National Cyber-security Awareness Month, but this was just too good to pass up. I prefer a different method (when available) to secure my online accounts, but I’ll talk about that later in my response and answer your question directly. Helping to better secure your security answers is easy; it’s something I call answering a different question. The best example I can give you:

Security Question:
“Name of your favorite book”

Answer:
Xbox

OR

Security Question:
“Name of your childhood friend”

Answer:
Purple

 

Now there is some pre-planning that needs to go into this. You’ll need to make sure the questions and answers are the same (or similar) across all the sites (I have about 8 questions that cover all the sites I visit), and you need to make sure you reset them on every site. All this does is keep someone from being able to gather enough information about me to guess correctly at my questions. I’ll be honest, it took a little bit of time where I had to refer to a note to be able to correctly answer the questions, but eventually I was able to remember the question and answer combinations without thought.

As I mentioned, there is an even better way to secure the account, and that’s with two-factor authentication, but unfortunately it’s not universal yet, and usually only major companies (Google, Dropbox, Microsoft, Twitter, Facebook, etc.) have it. This either sends a text to your cell phone with a code, or, on some sites, uses a piece of software on your phone that generates a code that the website will ask you for. The reason I like these is that even if a hacker has your password and can guess your security questions, they can’t get in without the second authentication piece, your cell phone. Admittedly this can be a little annoying when, before you can log in, you need to enter a code to get to your favorite websites, but in the end security is the best policy.

Computer Download Safety

Technology has made strides to make the internet as cross-platform as possible, meaning that regardless of whether it is a Windows, Apple or mobile device, most sites work across all these platforms with minimal or no downloads. Yet we still can’t get completely away from downloads, whether it is games, specialized applications for watching videos or even site plugins, and this is where malicious programs love to hide: in the areas where you still need to download a file.
There are tons of bad sites out there that host legitimate-looking files or just a link to a file that you may need (or think you need). You download the program and it may or may not work, but unbeknownst to you, malware or viruses have been installed on your device. This is bad for several reasons, mostly because you don’t want software on your computer doing anything you don’t want it to do. So now that you are scared (hopefully), what can you do to protect yourself?

 

  1. Only download files from trusted sites
    This sounds easy, but can really be difficult to sort out online. The best recommendation I can give you: if in doubt, google the site name with the word scam after it…you’ll get a good idea if the site is legitimate or not.
  2. Don’t download anything from emails, unless you are expecting it
    This is a new twist on a common issue. I’ve gotten emails from people I know, with a convincing body to the email and a link to download a file. We used to just not download from strangers, but now, don’t download if you aren’t expecting an email from a person. I email a lot of people back and ask if they really did send it.
  3. Run malware/adware scanning software regularly
    While most virus scanners have malware or adware support built into them, I’ve never really found them that useful on their own. I usually have at least 1 other malware scanner on the computer, which I run regularly just to catch anything.

These are some simple tips that can help keep you safe while downloading. It’s not foolproof, but every step you take to keep yourself safe brings the likelihood of having a computer infected with viruses and malware, and the chance of losing private or sensitive information to hackers, down as close to zero as possible.

 

Are there any tips or tricks you use to download files or keep yourself safe? Let me know in the comments section below.

2014 National Cyber Security Awareness Month

I’ve been a fan of the Department of Homeland Security’s National Cyber Security Awareness Month for a little while now. This year marks the 11th year of the month-long event. If you are not aware, this month is designed to educate the public about cyber security issues and things you can do to protect yourself as our lives become more and more tangled online.

Over the next month, I’ll be tailoring my tweets and blog posts to promoting and educating you on how to better protect yourself and your business online. If there are any questions that you have about protecting yourself (or your business) online, please e-mail me@jimguckin.com and I’ll answer them during the Monday Questions and Answers blog entries.

Q&A Monday: How DHCP Works

Question:

Please don’t laugh at me, but I’ve wondered how my computer gets an IP address from my router?

Renee Newcomb
Ferndale, WA

Answer:

I love questions like these. Every computer, tablet, phone or laptop gets an IP address when connected to the internet, but rarely do we think of the process that takes place. So let’s go over the basic way a new laptop at your house gets an IP address.

  1. When a new device connects to your network (either plugged in or via WiFi), it sends a broadcast message on the network. This broadcast message is open for anything to respond to, since the device doesn’t know the network settings.
  2. A DHCP server (or a router acting as one) will hear the broadcast message and reply to the device with the information that is needed to connect. This would contain the IP address, DNS, and how long it can use the IP before needing to check back in.
  3. The device then responds back to the DHCP server saying that it wants to use the IP it was offered.
  4. The DHCP server then lets the device know it can use them.
  5. Now with an IP address, you can see the other devices that are on the network subnet.

I hope that helps you understand the process of DHCP when a device connects to the network. I tried to make it as simple as possible, and it can get more complicated in a larger network.
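The four-message exchange in steps 1 to 4, as an added example that is not part of the original answer: it builds and parses DISCOVER, OFFER, REQUEST and ACK in the RFC 2131 wire format, entirely in memory with no network traffic. The MAC address, transaction id and 192.168.1.x addresses are constructed sample values, and the function names are made up for this example.

```python
import socket
import struct

# Fixed BOOTP/DHCP header (RFC 2131) followed by the 4-byte magic cookie.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")
MAGIC = b"\x63\x82\x53\x63"
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
# Option codes from RFC 2132.
SUBNET, ROUTER, DNS, REQ_IP, LEASE, MSG_TYPE, SERVER_ID, END = 1, 3, 6, 50, 51, 53, 54, 255
ZERO = b"\x00" * 4
BROADCAST = 0x8000


def build(op, msg_type, xid, mac, yiaddr=ZERO, flags=0, options=()):
    """Serialize one message; op is 1 for client requests, 2 for server replies."""
    body = bytes([MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    header = HEADER.pack(op, 1, 6, 0, xid, 0, flags, ZERO, yiaddr, ZERO, ZERO,
                         mac, b"", b"", MAGIC)
    return header + body + bytes([END])


def parse(packet):
    """Decode the header fields and options needed to follow the exchange."""
    f = HEADER.unpack_from(packet)
    if f[14] != MAGIC:
        raise ValueError("not a DHCP message (bad magic cookie)")
    opts, i = {}, HEADER.size
    while i < len(packet) and packet[i] != END:
        if packet[i] == 0:  # pad option: a single byte with no length field
            i += 1
            continue
        length = packet[i + 1]
        opts[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"type": TYPES[opts[MSG_TYPE][0]], "xid": f[4],
            "broadcast": bool(f[6] & BROADCAST), "yiaddr": socket.inet_ntoa(f[8]),
            "mac": f[11][:f[2]], "options": opts}


def dora(mac, xid):
    """Run the four steps in memory; every address is a constructed sample value."""
    server = socket.inet_aton("192.168.1.1")
    lease = [(SERVER_ID, server), (LEASE, struct.pack("!I", 86400)),
             (SUBNET, socket.inet_aton("255.255.255.0")), (ROUTER, server), (DNS, server)]
    # Step 1: the device has no address yet, so it broadcasts a DISCOVER.
    discover = parse(build(1, 1, xid, mac, flags=BROADCAST))
    # Step 2: the server offers an address with DNS, router and lease time.
    offer = parse(build(2, 2, discover["xid"], discover["mac"],
                        yiaddr=socket.inet_aton("192.168.1.50"), options=lease))
    if offer["xid"] != xid:
        raise ValueError("OFFER belongs to a different transaction")
    # Step 3: the device requests the offered address and names the server it chose.
    request = parse(build(1, 3, xid, mac, flags=BROADCAST, options=[
        (REQ_IP, socket.inet_aton(offer["yiaddr"])),
        (SERVER_ID, offer["options"][SERVER_ID])]))
    # Step 4: the server confirms with an ACK carrying the lease parameters.
    ack = parse(build(2, 5, request["xid"], request["mac"],
                      yiaddr=request["options"][REQ_IP], options=lease))
    # The messages carry no authentication, so the device can only check that
    # the ACK matches its transaction id and the server it selected in step 3.
    if ack["xid"] != xid or ack["options"][SERVER_ID] != request["options"][SERVER_ID]:
        raise ValueError("ACK does not match the accepted offer")
    return [discover, offer, request, ack]


if __name__ == "__main__":
    for message in dora(bytes.fromhex("020000aabbcc"), 0x1234ABCD):
        seconds = message["options"].get(LEASE)
        print(message["type"], message["yiaddr"],
              struct.unpack("!I", seconds)[0] if seconds else "")
```
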

 

——————————————————————————————–

If you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at me@jimguckin.com, and he’ll try to answer your question. Check back every Monday for a new Question and Answer session, and also during the rest of the week for other technical insights.

Q&A Monday: Data Center Tiers

Question:

I am a small business owner looking to go with a cloud provider for our IT services.  Each of the vendors mentions their data center level, and I’ve tried doing research to figure out what these levels mean, but I can’t find anything describing them in plain English, can you help?

Vickie Downs
Watertown, NY

 

Answer:

I will try my best to break the Data Center Tiers down into plain English for you. The first thing you need to know when looking is how mission critical your servers are; this will help you decide what data center is right for you. It should also be known that the higher the data center tier is, the more you are going to pay.
OK, now to the explanation. When you hear the term Data Center Tier (1 to 4), this is just a standardized methodology used to define the availability (“uptime”) of a data center.

Tier Level    Requirements

Tier 1
  • Single network infrastructure and connection to the internet
  • Non-redundant servers and power
  • Basic site infrastructure with expected availability of 99.671%
Tier 2
  • Meets or exceeds all Tier 1 requirements
  • Redundant site network, power or server with expected availability of 99.741%
Tier 3
  • Meets or exceeds all Tier 2 requirements
  • Multiple independent infrastructure serving the IT equipment
  • All IT equipment must be dual-powered and fully compatible with the topology of a site’s architecture
  • Concurrently maintainable site infrastructure with expected availability of 99.982%
Tier 4
  • Meets or exceeds all Tier 3 requirements
  • All cooling equipment is independently dual-powered
  • Fault-tolerant site infrastructure that includes generators and/or UPS and power outlets/breakers with expected availability of 99.995%

As we can see from the chart above, Tier 4 data centers are considered to be the most robust and least prone to failures. Generally Tier 4 data centers are designed to host mission critical servers and computer systems, and they include fully redundant subsystems (cooling, power, network links, storage and servers) and have separated security zones controlled by biometric access control methods. On the opposite end of this chart, naturally, is a Tier 1 data center, used by small businesses or shops that don’t need or can’t afford the higher levels.

*Important Note*

Now people tend to brush off those availability numbers since they are only .324% off from each other, but those numbers can add up to significant changes in downtime. Below is the chart of allowed downtime in a given year at each tier level:

Tier Level    Minutes of Downtime
1             1729.224 minutes
2             1361.304 minutes
3             94.608 minutes
4             26.28 minutes

