Technology Made Simple
Wednesday December 1st 2021

Don’t be afraid to fail

In the years that I have been an IT manager, there’s honestly something that most people who work for me need to learn, and that even some of my former colleagues and bosses need to learn to accept: don’t be afraid to fail or to let your employees make mistakes. I’ve seen many young, smart, talented people come into the job world and be afraid to make beneficial changes because they think they’ll get in trouble. Some of the best and most lasting lessons I’ve learned during my career have been screw-ups on my part. There are lessons I still carry with me from my first year of working in technology, from something I messed up.

Think of it this way: a failure-free climate is an innovation-free zone, because people will only maintain the status quo to avoid trouble. Part of me thinks of the Edison quote about the failures he had while trying to invent the light bulb: “I have not failed. I’ve just found 10,000 ways that won’t work.” Every innovation in human evolution has been preceded by failures, yet in our current society we’re focused only on successes. In my career and in talking with other colleagues, I’ve seen many organizations punish failure and search out and shame the individual, not realizing that they are strangling innovation.

If your organization celebrates innovation, you need to start cultivating your team in a culture where failure is not only tolerated but celebrated as a step on the path to success. It’s easier when your whole organization is together in this process, but even on a smaller level this can work. In some positions where I’ve had employees under me who made mistakes, and the organization wasn’t failure-positive, I acted as a shield for those under me so that I could cultivate the innovation mentality. We strive not to fail, but sometimes you do. This isn’t saying that all mistakes are to be tolerated, but if a mistake is made while trying to make things better, that should be weighed.

The worst corporate cultures out there (read: those that punish failure) are the corporate cultures that tend to be plagued by inaction. No one is willing to “stick their neck out” and make a decision to add or change anything, and instead everyone hopes someone else will be willing to take that risk. The most successful people in these organizations will be the people who are the most staunch defenders of the status quo.

To take a step toward fixing this, I would suggest you consciously allow yourself to try, and to fail, once per quarter. It may sound like a joke, but giving yourself a cushion to try and maybe to fail in a work setting once every few months can be extremely powerful. With permission to make an attempt, you might attempt to solve that complex technical problem and, even if unsuccessful, learn something that can be applied to similar problems.

If you lead a team, business unit, or company, giving yourself and your team permission to fail may result in a breakthrough innovation that changes the direction of your organization. While there’s a higher likelihood you’ll learn one more of the thousand ways not to succeed, you’ll still be growing stronger.

IT Mentality: Hire a problem solver

I have seen many variations of the same tweet over the years, and when I was younger, I’m sure I would have posted the same thing thinking I was clever. Only as I matured more did my perception change on what this tweet really means. Younger me was like, “I work in technology, which is why I don’t trust it”; now I realize there’s a problem that needs a solution, and while it may not be perfect, that isn’t a reason not to use it. That’s the beauty of IT: coming up with solutions to these problems in life, not rejecting them.

I have some smart accessories in my house, and are they perfect all the time? Absolutely not, but what IT has taught me is to put controls in place in case they do fail. That’s the big difference in how I see this thought process from when I was younger. For example, if my door lock were smart, then I’d have to make sure that if connectivity wasn’t there, I’d still have another way in, whether it’s Bluetooth, a physical key or a replacement battery. I have a smart speaker in my house; does it always understand me or listen? No, but I can still search on my phone if needed. Technology is often flawed, and knowing technology isn’t a good reason not to use it. The real technology solution is what happens when it does fail: were you smart enough to plan ahead? I’m sure mechanics know why cars break, but that doesn’t mean that they don’t use them. When IT people post tweets like that, we look ridiculous.

If you are hiring someone for a technology position, this is a good test to give them. Ask them, if they were to buy a smart lock for their house, what they would look for, what happens if it stops working and how they’d troubleshoot issues with it. If they can tell you what they would do or have done, then it’s a good sign; if they say they’d never get one, then that’s how they’ll look at your projects. I’ve sometimes been asked to work on projects whose design I may not have loved, or that weren’t how I would have designed them, but when the user called with an issue, I’d try to find a solution. Every piece of technology is flawed, but how you deal with it is what says the most about you. Don’t hate technology, work with it.

How to implement Zero Trust

After answering the question from Monday, I kept thinking about the best way to start programs from scratch. One method I usually recommend is a Zero Trust security model. The thing I run into when talking about this is that people think it’s an all-or-nothing approach, and most have many issues they need to fix before even beginning to think about planning to implement Zero Trust. This is honestly something I’ve seen at a lot of companies: they only like to work on (what I call) “home runs” and they don’t want any base hits, to draw a baseball metaphor. Yet, like any other framework, you don’t have to follow a strict guideline and can implement it in ways that complement your business and security posture.

As with most technology projects, I like to take a more incremental approach, so that you don’t overwhelm any part of the business or IT staff. To start, I like Forrester’s Zero Trust Model, which splits the model into 7 different pillars: data, people, workloads, devices, networks, automation and orchestration, and visibility and analytics. Other Zero Trust models use six pillars: Users, Devices, Networks, Applications, Automation and Analytics. Whichever one you decide to use can be the beginning guide for implementation of the framework. Either way, I strongly recommend that you look at this as an incremental project; that way you get results and you can show measurable improvement.

When you need to show short-term wins in a longer project, I recommend that you target a single system or a small group of systems that would most benefit from going to Zero Trust first. Target a critical application that is higher profile, one that will show executives the benefit of this project, and prioritize downward. As with any IT project, this will be a learning process and you may need to change your approach depending on the scenario you are working with, so give yourself breathing room. One area where your business may need to adapt is moving from how things used to work to how things will work more securely. This means education for everyone; people may have been used to doing things a certain way, and that way doesn’t work anymore (same with any technology project).

Now that you’ve identified your Zero Trust security priorities above, you’ll next want to choose one of the Zero Trust pillars to tackle first. Please don’t answer “all of them”; trying to tackle all of them will be overwhelming and counterproductive, and honestly you may doom this project. If you are not sure, or can’t come to an agreement, there are tools out there that let you fill in information, find the gaps and then tell you which pillar(s) your organization needs to focus on.

Once you get the pillar identified, you need to figure out the exact controls that you need to implement. There are a lot of controls and documents out on the web that will give you the framework or ideas on what to do to make progress in that pillar. For example, maybe you’ve identified data as your pillar, and one way might be network segmentation, so that not everyone or everything on your network can get to that data.

Like most projects, once you’ve narrowed down your systems, controls and pillar, you’ll need some data to make sure you do this effectively. This isn’t just an IT project, it’s a business project, so you’ll need to work with the business side to fully understand the needs and make sure you create effective policies around this. In order to do that, you need as much information/data as possible. Also around this time, application flows should be mapped out with the access required, so that you’ll understand the flow of the data, what it’s dependent on and what impact your policy may have on it.

Now that we’ve spent a lot of time discussing, planning and debating, we come to the phase where you start to implement your Zero Trust model. Unfortunately, that’s not the end of the discussions. When you implement your system(s), you need to validate that everything works the way your planning said that it should. Then monitor both the business and technology workflows and make sure everything is stable.

At this point you should have a repeatable process for your systems, and can focus on different pillars and systems and make progress over a period of time. As you can see, this can be an involved process, and trying to do this across your environment with all pillars at once is just a recipe for disaster and failure. Security is something that doesn’t need to be done all at once; every step that you take to be more secure is better than before. It’s a never-ending project, but taking it in small chunks makes it a traceable win!
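The flow-mapping and validation steps above, for the data-pillar segmentation case, as an added example that is not from the original post: it replays mapped application flows against a proposed default-deny segmentation policy before enforcement. All application names, addresses, ports and rules are constructed, and the `required` flag is assumed to come out of the conversations with the business side.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    app: str        # hypothetical name of the system that opens the connection
    src: str        # source IP seen while mapping the application flow
    dst: str        # destination IP (here: the data store being protected)
    port: int
    required: bool  # assumption: agreed with the business owner


@dataclass(frozen=True)
class Rule:
    src: str        # allowed source range, CIDR
    dst: str        # allowed destination range, CIDR
    port: int


# Constructed sample: flows mapped toward a payroll database at 10.20.0.5.
MAPPED_FLOWS = [
    Flow("payroll-web", "10.10.1.15", "10.20.0.5", 5432, required=True),
    Flow("payroll-batch", "10.10.2.40", "10.20.0.5", 5432, required=True),
    Flow("legacy-report", "10.10.1.77", "10.20.0.5", 5432, required=False),
    Flow("helpdesk-pc", "10.30.7.22", "10.20.0.5", 5432, required=False),
    Flow("backup-agent", "10.40.0.9", "10.20.0.5", 22, required=True),
]

# Constructed sample: the proposed allow-list; anything not listed is denied.
PROPOSED_RULES = [
    Rule("10.10.1.0/24", "10.20.0.0/28", 5432),
    Rule("10.40.0.9/32", "10.20.0.5/32", 22),
    Rule("10.50.0.0/24", "10.20.0.5/32", 1433),
]


def permits(rule, flow):
    """True when the flow falls inside the rule's source, destination and port."""
    return (
        ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
        and flow.port == rule.port
    )


def review(flows, rules):
    """Classify every mapped flow by what the policy would do to it."""
    result = {"ok": [], "breaks_business": [], "over_permissive": [],
              "denied_as_intended": []}
    for flow in flows:
        allowed = any(permits(rule, flow) for rule in rules)
        if flow.required:
            key = "ok" if allowed else "breaks_business"
        else:
            key = "over_permissive" if allowed else "denied_as_intended"
        result[key].append(flow.app)
    # Rules that match no mapped flow are either stale or point at a mapping gap.
    result["unused_rules"] = [
        rule for rule in rules if not any(permits(rule, f) for f in flows)
    ]
    return result


if __name__ == "__main__":
    for category, items in review(MAPPED_FLOWS, PROPOSED_RULES).items():
        print(f"{category}: {items}")
```

Anything in `breaks_business` has to be fixed in the policy before enforcement, and anything in `over_permissive` means a rule is broader than the access the business actually signed off on.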

Q&A Monday: Starting a Cyber Security Program

Question:

I work for a small company and my boss recently tasked me to start to strengthen our defenses against a cyber attack, but I’m not a security expert. What’s the best way to plan this out before I get started?

Oda Cox
Norway

Answer:

Thanks for the question. I’m glad you kept it at the planning level, because it’s not something that you can do quickly; it’s a process that never ends. One of the places to start your planning is to (if you don’t already have it) draw out your attack surfaces: the systems and hardware that are externally available. You can’t start the planning process, or even the process of prioritizing the work, without getting a view of your attack surfaces.

Once you have your attack surface mapped out, make sure you scan your systems to find the vulnerabilities in those systems. Once you know your attack surface and the vulnerabilities, you need to sort those vulnerabilities from the most significant to the least, and this will let you know in what order you need to plan work on these systems. I’m sure business priorities and processes will play into the planning phase, where you might have to wait to take down some serious vulnerabilities if they are part of a major system.

While you are working on the vulnerabilities, the best thing to do is work on improvements to (or implementation of) your security practices and policies. One practice that’s easy to do, but hard to implement if you don’t currently have it, is a strong patching plan. Another good practice to get in the habit of is testing your backups. If you back up and don’t test, then you really don’t know, when you need it, whether it will work. If you can, make sure that you segment your network where you can, and stay away from flat network designs.

If you aren’t already doing it, or don’t have the software, get a monitoring system. In the event someone does breach your systems, without a monitoring system (like a SIEM) you won’t be able to tell. This is also amazing at helping to see what is being changed in your environment.

With monitoring should come the testing of systems. You should get some penetration testing software to test your systems. This goes hand in hand with the monitoring, since you should be able to see the testing in the logs. If you don’t, it means you need to retool your monitoring systems. Penetration tools will give you feedback that you can use to fill back in your vulnerability list.

Once you are comfortable with these systems in place (as I mentioned, it’s an ongoing process), and you can convince your higher-ups, hiring an auditing company to audit your processes and systems is a great idea. Even the best security professionals need a second set of eyes to make sure they didn’t miss something. Tunnel vision often happens, and the report at the end will help you guide the security program forward.

——————————————————————————————–
If  you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at me@jimguckin.com, and he’ll try to answer your question.  Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.

Information Security Core Knowledge

Every so often, I get asked by someone who wants to get into the InfoSec field what is at the core of the knowledge that is needed. Now I know a lot of people have a lot of different answers to this question, but I think there are some things that are important and that are easier to attain. These aren’t particular things to memorize; they are more skills that you need to work effectively in the security field.

Skills

  • Reading CVEs: Most of what I do, when I hear about a new vulnerability, is immediately look at the CVE for it, understand the CVSS and understand how that applies to my environments (both personal and business).
  • Understand Threat, Vulnerability and Risk: A threat is what we’re trying to protect against; it could be something like a DDoS or an actor. A vulnerability is a weakness in software or hardware that can be exploited by threats to gain unauthorized access to an asset. Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
  • Understanding of Networking: While you don’t need to be an expert in networking, I come across subnetting, CIDR, IPv4, IPv6 (in some networks) and ports. These are things that I have to view multiple times a week and quickly identify.
  • NMap: This is a tool that I thought I fully knew, until I started working in information security. I started to heavily utilize the tool, and learned that I had used only a fraction of it. It’s an important reconnaissance tool that you should use to make sure you know what is on your network and what is open.

As you can see, these skills are something that people can learn, and before you get into the InfoSec field, take some time to start learning them. It doesn’t have to be only if you want to get into InfoSec; this is stuff you should look at for any IT job.

How to rethink your backup strategy

One of the things that was drilled into my head when I was starting out in my IT career was the backup philosophy of 3-2-1. This stood for having 3 copies of your data (the production data and two backups), on 2 different media types, with 1 of them being offsite. This is still the recommended method of CERT (see here). Yet I found it conflicted with other information that I’ve learned over time. So while the 3-2-1 method is better than none, you really want to use it as the base of your backup plan and add some extra steps to it.
It’s not that the 3-2-1 method doesn’t have a place anymore, but it was heavily used in the era of tape backups, when you only needed to take 1 thing offsite and store it. Yet maybe it was my time as an Emergency Manager, where there was always a thought of disaster, that made me start to modify my thought process.

3-1-2 Method: This is the one I’ve come closest to seeing nowadays, where you have 3 copies of your data (one production and 2 backups), it’s all on disk (1 media type) and the backups are stored in two geographic locations. Ideally these locations would be on opposite sides of the world or even your country, but some organizations just focus on different parts of a city/town or state. The idea behind this is that if a disaster happens, think flooding or tornado, then the data would be in a different locale and still be safe.

3-2-2 Method: This is one that I personally love, but honestly not everyone has the staff or money to pull it off: 3 copies of your data, on 2 media types, and the backups in 2 different locations. For this one you need to have the ability to save data to a tape. Usually the tape is sent to a local storage location and your disk backup is sent to the cloud or to a backup facility in another locale.

As you can see, as long as you understand the basic 3-2-1 backup methodology, you can and should tweak the numbers to best suit your backup strategy. The 3-2-1 method has been around for a while, and now is the time to start thinking of ways of adding redundancy and attempting to disaster-proof your plans. While it costs a lot to implement a decent backup plan, the cost of not having one can be worse. When I started, we only worried about natural disasters; now your backup strategy needs to include cyber disasters as well. What happens if your cloud backup is infected by ransomware? Then an offline backup helps.

For another article on backups by me: Backups: Tape vs. Replication

Q&A Monday: Defense Against Ransomware

Question:
There has been a lot in the news about ransomware, what can I do to protect myself?

Melody Carroll
Dayton, MN

Answer:
There isn’t a day that goes by that you don’t hear about ransomware hitting a company or targeting another industry, and that can make people like yourself want to guard themselves against this particular type of attack. Before I begin, let’s just lay down what ransomware classically is and why it’s dangerous. In short, ransomware is malicious software that “locks up” (encrypts) the victim’s files and keeps the person from accessing them without payment. Payment is usually made in cryptocurrency, which is hard to trace, and then the attacker will give directions on how to gain access back to those files. Some variants of ransomware not only encrypt the files, they also make a copy of the files on the attacker’s systems, so the attacker can add the additional threat of releasing the data if you don’t pay.

Practice “Cyber Hygiene”

Luckily, keeping yourself safe from ransomware is not much different than keeping yourself safe from any other type of malware. To start out you don’t need to go crazy; just some basic steps can keep your computers safe.

  • Multi-Factor (two-factor) authentication: This is a great way to protect yourself with only a little effort. Most websites and/or applications let you use another factor besides your password to get into your accounts. The method will vary by website, but you’ll be able to choose between an email, text or authenticator code to get into the website. Most banks have been doing this for years, and most sites I use let me set this up as an option. So now, along with my password, I’ll get a code to log me into the site. This protects you against people guessing your password, or even having it leaked from another site.
  • Backup Data Offline: Most people rely upon a cloud service like Google, Dropbox, iCloud or OneDrive to back up important stuff or pictures. While this is great, if your computer is compromised, then it may sync those encrypted files to the cloud storage platform. The best way to protect yourself is offline backups. Purchase an external hard drive that you disconnect after you back up your files. This way, if your files are encrypted, you have a backup that is safe, but this only works if you disconnect after every backup. I use a reminder to remind myself to back up and disconnect.
  • Utilize Guest Network at Home: Companies segment their networks (or should) to keep hackers from easily moving from one system to another. If you have technical expertise you can do this at home, but it’s not for everyone. The simple solution I recommend is that, if your router supports it, you turn on your “Guest Network” feature and put some things on that segmented network. For example, I’ve recommended people put their IoT devices on there, like their cameras, alarms, toasters, assistants, etc. Should any of those devices become compromised, it would be harder for an attacker to get to your computers, as they’re on a different network.
  • Password Security: This is easier said than done for most people. Make sure that your passwords are unique and complex for each website or application that you use. Attackers, if they get a username and password, will try that combination on all the popular sites. I recommend that you use a password manager to keep track of the unique passwords for each site, and that you make sure each one is complex. Then there’s making sure that you change the password on a regular basis, to keep it secure.
  • Don’t use remote tools: There are a ton of applications out there that let you control your computer at home or send files to storage at your house. Anytime you let yourself have access to things from outside your home, you let hackers have the same path. While some of this can easily be mitigated using MFA or complex unique passwords, it’s something that you need to consider.
  • Suspicious Emails: At this point there isn’t a person who doesn’t know about spam emails, and most of us can point them out easily, yet lesser known is the phishing email. Most workplaces will cover this, but I recommend that if you get an email from a business that you do business with and you weren’t expecting it, don’t click any link in that email, and instead go directly to the website itself. That is, unless you are comfortable with looking at the email address or headers of an email to determine if it’s legitimate, but honestly, I can do that, and most of the time I’ll go to the website directly. These emails are tactics for either getting your login details or getting malware onto your computer.

Now to be clear, there isn’t a foolproof way of protecting yourself, but the more defenses you put up, the more likely an attacker is to move on to the next victim. I was once told: why would a car thief break into a car when the one next to it is already open? If someone wants it badly enough, they’ll get your information, but you don’t have to make it easy. I hope that helped.


Q&A Monday: Remove URL from Auto-complete in Chrome

Question:

I have an incorrect website address that appears in my autocomplete list every time I start typing and I always accidentally click on it. I tried clearing my history and it’s still there, can you help me?

Alice L. Lowery
Ormond Beach, FL

Answer:

You need to open Chrome and start typing the incorrect URL until the auto-complete suggestion appears. Then you can use your keyboard’s arrow keys to highlight the suggestion in the drop-down menu that appears below the address bar. Once it is highlighted, press the Shift+Delete keys at the same time, and you’ll be rid of that incorrect site in the list. Next time you type, it’ll be gone.


Looking for a candidate? Hire a learner

Over the last couple of months, I’ve done more interviewing than in the previous years of working in IT. I’ve had a very good time training and helping employees improve their skill sets and, unfortunately, take positions in other companies. So I’ve had a lot of time to think about who I wanted to hire for my open positions, and I don’t take the hiring of someone lightly; this is a decision that impacts me. Yet, because the position I’m looking to fill is considered entry level, it’s sometimes hard to find someone with the level of experience, or the fleshed-out resume, that I would like. This leaves me in a unique position to think outside of the box a little bit and make sure I’m getting the level of candidate that I can use.

My number one piece of advice is to hire people who are willing and constantly wanting to learn, as opposed to someone who is set in their ways. In my opinion, IT people generally fall into one of two categories: Niche fillers and Learners. For the longest time in IT, or business in general, the tendency has been to gravitate to the people with Niche knowledge, someone who is an expert at what they do. I have many friends who are this kind of IT person; they know their job well, and they get uncomfortable when things vary from their knowledge base. I, on the other hand, have had the career path of not being Niche, but of being someone who will figure out the new tools or learn a new skill to get a job done. I don’t necessarily know if this was something I had set out to achieve or if it was something I achieved out of necessity. Through my career a lot of my jobs required me to constantly push my comfort zone: we didn’t have money for a web developer, so I had to learn PHP and SQL, or we didn’t have money for a real backup solution, so how do we accomplish a backup solution? I don’t want it to appear that I’m totally knocking the Niche players; I’ve had my share of times when I needed to rely upon them, because it was just more complex than I could understand. There’s definitely a place for that kind of worker, just not every position.

I’ve found in my career that companies are attracted to the Niche worker because their resumes are usually well polished, they generally have held positions for longer, and they generally have certifications and specific education and knowledge from years ago that may not be common in your newer technicians. Plus, as technology becomes more and more complex, Niche workers have the correct keywords on their resumes that tend to get recruiters’ and hiring managers’ attention. Yet, even though they make a great resume, that does not always mean it will translate well into your organization.

Remember Abraham Maslow’s saying, “if all you have is a hammer, everything looks like a nail”. This can apply to Niche workers as well: their specific knowledge in their field can cause them to rule out or over-analyze (sometimes incorrectly) an issue just because of their expertise. On the other hand, Learners can quickly adapt to a scenario and have a larger knowledge base from which to pull possible solutions and different methods of attacking a problem. Also, in my experience, Learners tend to be software or tool agnostic; it doesn’t matter which tool they are using, they will adapt and change over time. Some of the tools I started out using, I’ve ditched in favor of other tools that better got the result for me.

It’s important to remember that not every Learner is the same and not every Niche worker is the same. Make sure you know what the best fit will be for your organization and position, and do your due diligence in your hiring process. Some companies may be very resistant to hiring the Learner over the Niche worker, but it may pay off for you and your company in the long run to have these discussions. Remember, identifying and hiring lifelong learners will take an effort during the hiring process, but it can provide you with a flexible technology employee that will last far beyond whatever the “next big thing” in IT becomes.

 

Q&A Monday: Security Question Safety?

Question:

With all the talk about making a password secure, I noticed that someone with enough knowledge of me would be able to reset my password using the security questions. These questions are similar across almost every site that I visit and a friend or determined enough hacker could easily guess the answers, any idea on a way to help keep my accounts secure with the security questions?

Joann Power
Portland, OR

 

Answer:

This is a great question, and I apologize for holding it a little while until National Cyber-security Awareness Month, but this was just too good to pass up. I prefer a different method (when available) to secure my online accounts, but I’ll talk about that later in my response and answer your question directly first. Helping to better secure your security answers is easy; it’s something I call answering a different question. The best example I can give you:

Security Question:
“Name of your favorite book”

Answer:
Xbox

OR

Security Question:
“Name of your childhood friend”

Answer:
Purple

 

Now there is some pre-planning that needs to go into this. You’ll need to make sure the questions and answers are the same (or similar) across all the sites (I have about 8 questions that cover all the sites I visit), and you need to make sure you reset them on every site. All this does is keep someone from being able to gather enough information about me to guess correctly at my questions. I’ll be honest, there was a little bit of time where I had to refer to a note to be able to correctly answer the questions, but eventually I was able to remember the question and answer combination without thought.

As I mentioned, there is an even better way to secure the account, and that’s with two-factor authentication, but unfortunately it’s not universal yet, and usually only major companies (Google, Dropbox, Microsoft, Twitter, Facebook, etc.) have it. This either sends a text with a code to your cell phone, or some sites have a piece of software that is on your phone and generates a code that the website will ask you for. The reason I like these is that even if a hacker has your password and can guess your security questions, they can’t get in without the second authentication piece: your cell phone. Admittedly this can be a little annoying when, before you can log in, you need to enter a code to get to your favorite websites, but in the end security is the best policy.