Technology Made Simple
Sunday November 27th 2022



Project communication between “non-techie” stakeholders and “techies”


In all the different jobs that I’ve had over my career, I’ve had a mix of technical and non-technical managers on projects. Most of the time, the non-technical managers just leave the technical stuff to the technical ones in the project, but sometimes I don’t believe that’s the best for a project, because each of these disciplines will come at a project in a different manner.

This dual approach may work for you, and it may not. Both teams want the same thing, for the project to succeed, but my take on projects is that you need both teams to communicate effectively for a project to have the minimum number of issues. So if you find yourself as a stakeholder in a project, and you are non-technical working with technical resources, here are some tips.

  1. How to communicate with the technical resources?
    I list this one first because, depending on your organization’s size, this may or may not be a huge problem. You may have a project or IT manager with whom to coordinate and communicate, and in that case you’ve got someone who can filter that conversation. If you don’t have one, or if they just point to a technical resource, then this question becomes even more important. Technical resources often still have day-to-day tasks to take care of, and you don’t want to bother them at inopportune times, so this question lets you understand how best to communicate with them, in the manner that they prefer. For example, I know I prefer phone calls or email, whereas I’ve met technicians who prefer just emails.
  2. Are you waiting on me for anything?
    Project managers keep track of open items, but if you don’t have one, this is a great question everyone should ask. This makes sure that you’ve submitted everything that you need to for the project to move forward. I’ve seen people think that they’ve completed their part, only to have forgotten that they agreed to something else or more data.
  3. What’s Testing Look Like?
    I’ve seen many projects where the testing part of the project is where things go belly up. I think it is something that should get discussed at the beginning of every project. If the testing of your software or application is done correctly (and that’s something that varies), the launch will be smoother (nothing is perfect). If you test with the wrong set of users, you can see the rollout identify major issues that weren’t discussed or planned for, or for which no one was even available to assist.
  4. How does this system impact other systems?
    Some companies have lots of systems that interconnect with each other, so it’s important to identify or know how a change will affect other connected systems. As a stakeholder, you should dedicate some time to thinking through how this project impacts downstream processes. If the new system connects with other existing systems, make sure their data flow is in the test strategy.
  5. What is the process when it breaks?
    This is kind of a lumped-in question that is trying to understand what happens when things don’t work. This one has had different meanings based on many roles over time, but each part is important to understand. So, the easiest one: what happens when I put data in wrong or miss data? This will let you know what the data validation of the system looks like and, if it throws an error, what the full process to resolve it is. Do you contact the help desk, do developers need to be contacted, etc.?
    If the system goes completely offline or is unavailable for whatever reason, what’s the business plan to keep the processes flowing? This is more of a disaster recovery planning piece: what are the mechanisms in place that you’ll pick up if this system is unavailable? You don’t want to have to figure this out as the unavailability is occurring. So plan in advance what’s going to change… are you going to pencil and paper, or is there another tool you can load data into and then, once availability is restored, load that back in?
  6. Is there a System Audit Trail?
    This is something that, from my security background, I think is important (and it comes up often) and that should be discussed during the project phase. It is inevitable that some employee somewhere will do something that they shouldn’t, or that you will need to track down an issue. It’s important to know if there is an audit trail and what data it contains, so that if you want to see if someone accidentally deleted something or if someone changed data, you can find out who it was.
  7. What happens during project handoff?
    The highest risk of a project falling apart is during the handoff from the tech team to the business. Make sure it is planned out exactly what happens when the testing phase is completed. You need to make sure the technical team has a solid plan for moving the system into production and transitioning from project testing to operations. This should include identifying the system owner. Also make sure the technical resources are available, just in case, to deal with any launch issues.
  8. What are your thoughts?
    This is a powerful question that, in my opinion, isn’t asked enough in projects. The business stakeholders can gain some understanding, in the right situation, by asking this of the technical staff. I say this because your technical staff work with the end users of the projects, so they may have insight into the process or at least let you know of any concerns. Most technical staff won’t just say this during a meeting, so by asking this question, you are giving them a chance to let you know their thoughts.

I’m sure there are a bunch of other questions you can ask at the start or early in a project to help it succeed. I know I’ve looked at “15 Questions You Should Ask Every Time You Start A Project”, and there are others. These are just the ones that I’ve noticed through my time that I think should be helpful. Are there any you recommend? Let me know in the comments below.

How to Improve your enterprise E-mail Security

One of the things that I’ve noticed during my time is that phishing emails ebb and flow like the waves of the ocean. It seems like nothing significant for a few weeks, then the floodgates open and a bunch all come in a short period of time. The security, mail and support teams get flooded with what may or may not be legitimate emails. Now honestly, looking at an individual email to determine if it’s spam, phishing, or legitimate email takes some time, but when you pile on different types, it can get hard and be time consuming.

When your team needs to crawl through all those emails to make a determination, you look for ways to make it easier on them (that doesn’t mean a silver bullet that kills all phishing emails, but something that gets at the low-hanging fruit). The easiest target is those phishers who fake the sender of emails; those are the ones that look like they are coming from a trusted source, or even your own company, but aren’t. Most (not all) spam, fraud emails and viruses come from someone pretending to be from another email address.

So the best first line of defense is verifying the identity of the sender. The best way is to utilize the three main email security protocols: SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting, and Conformance), and DKIM. These three complement one another, so it really is best to implement all of them. The three together will prove to ISPs, mail services, and other mail servers that senders are truly authorized to send an email. When properly set up, all three prove that the sender is legitimate and that their identity has not been forged. These anti-spam measures are becoming increasingly important, and will one day be required by all mail services and servers.

Now by no means are these super easy to set up, and your email hosting situation may make it either easier or harder. Yet, there isn’t really a good reason not to invest the time and money into getting these turned on.

Sender Policy Framework (SPF)

  • SPF secures the DNS servers and limits who can send emails on your behalf. This keeps others from spoofing your domain.
  • SPF consists of three primary components: a policy framework, an authentication technique, and particular headers in the email itself that convey this information.
  • Email providers can use your SPF record to verify that a mail server is permitted to send email for your domain.
  • In short, an SPF record is a DNS TXT record that lists the IP addresses that are permitted to send email on behalf of your domain.

Importance of SPF:

  • Receiving mail servers use SPF to verify that incoming email from a domain was sent from a host approved by the domain’s record. This is why it’s stored in the DNS entry.
  • The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or otherwise flag the email message.
  • SPF improves the protection of email users from spammers. Because faked “from” addresses and domains are frequently used in email spam and phishing, publishing your domain’s SPF data is regarded as one of the most dependable and simple anti-spam tactics.
  • Many email systems use a reputation score for your domain to decide if you are known for unwanted emails. So if you have a good sending reputation, a spammer may try to send email from your domain in order to benefit from your ISP’s good sender reputation.
    • This is where SPF authentication will show the receiving server that even though the domain may look like yours, the sending server has not been authorized to send mail for your domain.

If SPF is so great, I’ll just use that!

While I made a case for why SPF is good, like I mentioned, it should be part of a 3-legged approach. While SPF is good, it doesn’t survive the email forwarding process, so it’s not perfect. SPF only says what servers can send on behalf of your

 DKIM signing can withstand forwarding. SPF does not work with forwarding since it is merely a list of servers that are authorized to send on behalf of your domain, and a domain owner cannot maintain a list of forwarders. 

What about DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiving server to check that an email was indeed sent and authorized by the domain owner. This is achieved by giving the email a digital signature that’s encrypted in the email header.

Once the receiving system determines that an email is signed with a valid DKIM signature, it knows that the email, including the message body and attachments, hasn’t been modified. DKIM signatures are not shown to end users; the validation is done on the server side.

Like SPF mentioned above, DKIM is also used in DMARC alignment. The DNS has a DKIM record, although setting it up is a little more challenging than SPF. DKIM has the advantage of being able to withstand forwarding, making it preferable to SPF and a solid basis for email security.

Why DKIM is important:

DKIM checks the following 3 things:

  • The sender of the email owns the DKIM domain, or is authorized by the owner of that domain.
  • The contents of an email have not been tampered with.
  • The headers in the email have not changed since the original sender sent it, and there is no new “from” domain.

OK, so I’ll just use DKIM then!

While DKIM is great, you need to remember that it isn’t a perfect way of validating the email sender’s identity on its own, and it doesn’t prevent the spoofing of the domain visible in the email’s header. These problems are solved by using DMARC, because with DMARC the domain the end user sees is the same as the domain that is validated by DKIM and SPF.


How DMARC works:

Since DMARC employs both DKIM and SPF records to validate the sender of an email, DMARC is used (or highly recommended) for businesses. A DMARC record allows a sender to say that their messages are secured by SPF and/or DKIM, and it instructs a recipient what to do if neither of those authentication techniques succeeds – such as discard or reject the message.

The domain administrator publishes the DMARC policy in the DNS record, defining its email authentication practices and how receiving mail servers should handle mail that violates this policy. When an inbound mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain, then checks: is DKIM valid, did it come from an authorized source, and is the domain alignment correct? Depending on the outcome of these checks, the receiving server applies the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.

The good thing about DMARC is that the receiving server will report back to the originating domain, as defined in the DMARC policy. So you are able to detect if anything went wrong or wasn’t handled the way it was expected.
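An added example (not from the original post) of the receiver-side decision described above: parse the published DMARC record, check whether a passing SPF or DKIM result is aligned with the visible From domain, then apply the policy. The record, domains and message results are constructed, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
# Constructed DMARC TXT record, as it would be published at _dmarc.example.com.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"

# Constructed authentication results for three inbound messages. "from" is the
# domain the user sees, "mail_from" the envelope domain SPF checked, "dkim_d"
# the d= domain of the DKIM signature.
MESSAGES = {
    "direct":    {"from": "example.com", "mail_from": "example.com",
                  "spf": "pass", "dkim": "pass", "dkim_d": "example.com"},
    "forwarded": {"from": "example.com", "mail_from": "example.com",
                  "spf": "fail", "dkim": "pass", "dkim_d": "example.com"},
    "spoofed":   {"from": "example.com", "mail_from": "bulk.example.net",
                  "spf": "pass", "dkim": "none", "dkim_d": None},
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Assumption: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Strict mode ("s") needs an exact match; relaxed ("r") the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, msg):
    """Return the DMARC result, the action the policy asks for, and the report URI."""
    tags = parse_dmarc(record)
    spf_ok = msg["spf"] == "pass" and is_aligned(
        msg["from"], msg["mail_from"], tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and is_aligned(
        msg["from"], msg["dkim_d"], tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok          # one aligned pass is enough
    policy = tags.get("p", "none").lower()
    action = "deliver" if passed or policy == "none" else policy
    return {"dmarc": "pass" if passed else "fail",
            "action": action,
            "report_to": tags.get("rua")}


if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, evaluate_dmarc(DMARC_RECORD, msg))
```

The spoofed message passes SPF for its own envelope domain yet fails DMARC, because that domain is not aligned with the From domain the user sees.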

In Conclusion:

Cyber-criminal activity is not going to end anytime soon, so the only logical thing to do is to secure your email domain from fraud. DMARC has benefits regardless of the size of a business. It provides full domain visibility, control over the email traffic, and security from phishers and spoofers. Utilizing all three of these services, you can make sure your email systems are secure, limit spoofing, and make sure your emails make it to the intended audience. This is a time investment for your IT team, but it is one that is worth it.

Designing and Implementing a Document Control Number System

While most mature organizations already have a well-documented process for creating, approving and numbering documents, not all do. So what do you do when you come across one where you are making the process? The first question you might come across is: why do you need these documents?

Those policies and procedures for your organization help your employees have access to the resources they need to do their jobs effectively and repeatably. If each of your work departments or units has policies and procedures, implementing a document control numbering system will make it easier to keep track of and find these individual policies. Also, if done correctly, it’ll let you reference them without needing to look at a policy key.

Consider a user-friendly Document Control Numbering System by Function

In your business you have multiple departments, and separating policies and procedures by department is a user-friendly way to organize them. However you decide to number them, make sure that it’s something that everyone can easily remember. There are two popular ways of accomplishing this that I’ve seen used in many companies.

  1. List all of your departments in alphabetical order and then assign them each a number. For example, this way you might have your accounting department as number 1, so all accounting policies, procedures and standards start with a 1, where Sales might have a 6 and IT would have a 4. These numbers will change depending on how big or small your organizational chart is. The one downside to this is that, if your organization is growing and adding new teams, you either lose the alphabetical numbering order, or you have to redo all the numbers, which can lead to confusion.
  2. You can also institute an alphabetic (or alpha-numeric) numbering system, instead of just using numbers for departments like the other way. Using letters can help users identify the department more quickly. An example of this type would be having all policies from IT start with ‘IT’ or all policies from Human Resources start with ‘HR’. I recommend that if you go down this path, you keep all the abbreviations the same length, but that’s a personal preference.

The Type of Document

Once we identify how you will number your policies by department, the next step is calling out the type. Businesses have many different kinds of documents, like policies, procedures, standards and guidance, so identifying the kind of document by placing it in the document control numbering system can simplify the process for users. In this example, all procedures can be identified with SOP or PROC, standards can be STD and all policies can be identified with POL.

This is a totally optional step that a lot of companies don’t use, but I think it does make it easier for the end user to find exactly what they are looking for. It means that if you store them on a file share, they can sort the policies, procedures and so forth easily.

Actual Numbering

Now, we’ll number each individual policy within the departments. For example, if the Human Resources department has 10 policies, you can number them like IT POL 3, IT POL 4, IT POL 5 and so on. Some people may create sub policies, like IT POL 4.1, if it’s a separate policy that ties into the main one.

Follow Practices

The main point that you need to remember here is making it easy for your users to find and follow the policies, so keep it simple. I have been guilty in the past of over-engineering policies and procedures, and after I designed a bunch, I quickly realized it wasn’t easy for anyone to follow. I added some weird tags like internal policies and external policies into the naming scheme. I then had to come to the realization that I had failed to make the document control numbering system intuitive, so that my staff and users could easily identify what kind of document they were looking at without having to use a reference key, and that it was a bad numbering system.

Make sure that once you settle on one, you communicate your document control numbering system to all employees before, or at minimum once, you implement it. Let them know where your policies and procedures can all be found and make it easy for them to get to; searching for them isn’t ideal. Also, I recommend you add a table of contents or index so everyone can easily locate a specific policy.

Document Control Numbering Discussion

I talked a lot about different methodologies for numbering your documents, but there is a great little forum that I saw when first looking at this question a few years ago, in which a bunch of people were discussing the best way to do it. The forum discussion is “Any suggestions on a document control numbering system?” It’s a dated post now, but that doesn’t mean the information won’t be helpful for seeing how others discuss their document control number system.

Don’t be afraid to fail

In the years that I have been an IT manager, there’s honestly something that most people who work for me need to learn, and that even some of my former colleagues and bosses need to learn to accept. Don’t be afraid to fail or to let your employees make mistakes. I’ve seen many young, smart, talented people come into the job world and be afraid to make beneficial changes because they’ll get in trouble. Some of the best and most lasting lessons I’ve learned during my career have been screw-ups on my part. There are lessons I still carry with me, from my first year of working in technology, from something I messed up.

Think of it this way: a failure-free climate is an innovation-free zone, because people will only do the status quo to avoid trouble. Part of me thinks of the Edison quote about the failures he had while trying to invent the light bulb, “I have not failed. I’ve just found 10,000 ways that won’t work.” Every innovation in human evolution has been preceded by failures, yet in our current society we’re focused only on successes. In my career and in talking with other colleagues, I’ve seen many organizations punish failure and search out and shame the individual, not realizing that they are strangling innovation.

If your organization celebrates innovation, you need to start cultivating your team in a culture where failure is not only tolerated but celebrated as a step on the path to success. It’s easier when your whole organization is together in this process, but even on a smaller level this can work. In some positions where I’ve had employees under me who made mistakes, and the organization wasn’t failure positive, I acted as a shield for those under me, so that I could cultivate the innovation mentality. We strive not to fail, but sometimes you do. This isn’t saying that all mistakes are to be tolerated, but mistakes made while trying to make things better should be weighed accordingly.

The worst corporate cultures out there (read as those that punish failure) are the corporate cultures that tend to be plagued by inaction. No one is willing to “stick their neck out” and make a decision to add or change anything, and instead everyone hopes someone else will be willing to take that risk. The most successful people in these organizations will be the people who are the most staunch defenders of the status quo.

In order to take a step in fixing this, I would suggest you consciously try to allow yourself to fail once per quarter. It may sound like a joke, but giving yourself a cushion to try and maybe to fail in a work setting once every few months can be extremely powerful. With permission to make an attempt, you might attempt to solve that complex technical problem and, even if unsuccessful, learn something that can be applied to similar problems.

If you lead a team, business unit, or company, giving yourself and your team permission to fail may result in a breakthrough innovation that changes the direction of your organization. While there’s a higher likelihood you’ll learn one more of the thousand ways not to succeed, you’ll still be growing stronger.

IT Mentality: Hire a problem solver

I have seen many variations of the same tweet over the years, and when I was younger, I’m sure I would have posted the same thing thinking I was clever. Only as I matured more did my perception change on what this tweet really means. Younger me was like, “I work in technology, which is why I don’t trust it.” Now I realize there’s a problem that needs a solution, and while the solution may not be perfect, that isn’t a reason not to use it. That’s the beauty of IT: coming up with solutions to these problems in life, not rejecting them.

I have some smart accessories in my house, and are they perfect all the time… absolutely not, but what IT has taught me is to put controls in place in case it does fail. That’s the big difference in how I see this thought process from when I was younger. For example, if my door lock was smart, then I’d have to make sure that if connectivity wasn’t there, I’d still have another way in, whether it’s Bluetooth, a physical key or a replacement battery. I have a smart speaker in my house. Does it always understand me? No, but I can still search on my phone if needed. Technology is often flawed, and knowing technology isn’t a good reason to not use it. The real technology solution is what happens when it does fail: were you smart enough to plan ahead? I’m sure mechanics know why cars break, but that doesn’t mean they don’t use them. When IT people post tweets like that, we look ridiculous.

If you are hiring someone for a technology role, this is a good test to give them. Ask them, if they were to buy a smart lock for their house, what they would look for, what happens if it stops working and how they’d troubleshoot issues with it. If they can tell you what they would do or have done, then it’s a good sign; if they say they’d never get it, then that’s how they’ll look at your projects. I’ve sometimes been asked to work on projects whose design I may not have loved, or that weren’t how I would have designed them, but when the user called with an issue, I’d try to find a solution. Every piece of technology is flawed, but how you deal with it is what says the most about you. Don’t hate technology, work with it.

How to implement Zero Trust

After answering the question from Monday, I kept thinking about the best way to start programs from scratch. One method I usually recommend is a Zero Trust security model. Now the thing I run into when talking about this is that people think it’s an all-or-nothing approach, and most have many issues they need to fix before even beginning to think about planning to implement Zero Trust. This is honestly something I’ve seen at a lot of companies: they only like to work on (what I call) “home runs” and don’t want any base hits, to draw a baseball metaphor. Yet, like any other framework, you don’t have to follow a strict guideline and can implement it in ways that complement your business and security posture.

Like most technology projects, I like to take a more incremental approach, so that you don’t overwhelm any part of the business or IT staff. To start, I like Forrester’s Zero Trust Model, which splits the model into 7 different pillars: data, people, workloads, devices, networks, automation and orchestration, and visibility and analytics. Other Zero Trust models use six pillars: Users, Devices, Networks, Applications, Automation and Analytics. Whichever one you decide to use can be the beginning guide for implementation of the framework. Either way, I strongly recommend that you look at this as an incremental project; that way you get results and you can show measurable improvement.

When you need to show short-term wins in a longer project, I recommend that you target a single system or a small group of systems that would most benefit from going to Zero Trust first. Target a critical application that is higher profile, that will show executives the benefit of this project, and prioritize downward. Now, as with any IT project, this will be a learning process and you may need to change your approach depending on the scenario you are working with, so give yourself breathing room. One area where your business may need to adapt is moving from how things used to work to how things will work more securely. This means education for everyone; people may have been used to doing things a certain way, and that way doesn’t work anymore (same with any technology project).

Now that you’ve identified your Zero Trust security priorities above, you’ll next want to choose one of the Zero Trust pillars to tackle first. Please don’t take on all of them; trying to tackle all of them will be overwhelming and counterproductive, and honestly you may doom this project. Now if you are not sure, or can’t come to an agreement, there are tools out there that let you fill in information, find the gaps and then tell you which pillar(s) your organization needs to focus on.

Once you get the pillar identified, you need to figure out the exact controls that you need to implement. There are a lot of controls and documents out on the web that will give you the framework or ideas on what to do to make progress in that one. For example, maybe you’ve identified data as your pillar, and one way might be network segmentation so that not everyone or everything on your network can get to that data.

As with most projects, once you’ve narrowed down your systems, controls and pillar, you’ll need some data to make sure you do this effectively. Since this isn’t just an IT project but a business project, you’ll need to work with the business side to fully understand the needs and make sure you create effective policies around this. In order to do that, you need as much information/data as possible. Also around this time, application flows should be mapped out with the access required, so that you’ll understand the flow of the data, what it’s dependent on and what impact your policy may have on it.

Now that we’ve spent a lot of time discussing, planning and debating, comes the phase where you start to implement your Zero Trust model. Unfortunately, that’s not the end of the discussions. When you implement your system(s), you need to validate that everything works the way your planning said that it should. Then monitor both the business and technology workflows and make sure everything is stable.

At this point you should have a repeatable process for your systems, and you can focus on different pillars and systems and make progress over a period of time. As you can see, this can be an involved process, and trying to do this across your environment with all pillars at once is just a recipe for disaster and failure. Security is something that doesn’t need to be done all at once. Every step that you take to be more secure is better than before, and it’s a never-ending project, but taking it in small chunks makes it a traceable win!

Q&A Monday: Starting a Cyber Security Program


I work for a small company and my boss recently tasked me to start to strengthen our defenses against a cyber attack, but I’m not a security expert. What’s the best way to plan this out before I get started?

Oda Cox


Thanks for the question. I’m glad you kept it at the planning level, because it’s not something that you can do quickly; it’s a process that never ends. One of the places to start your planning is to (if you don’t already have it) draw out your attack surfaces: the systems and hardware that are externally available. You can’t start the planning process, or even the process of prioritizing the work, without getting a view of your attack surfaces.

Once you have your attack surface mapped out, then make sure you scan your systems to find the vulnerabilities in those systems. Once you know your attack surface and the vulnerabilities, then you need to sort those vulnerabilities from the most significant to the least and this will let you know what order you need to plan these systems. I’m sure business priorities and processes will play into the planning phase, where you might have to wait to take down some serious vulnerabilities if it’s part of a major system.

While you are working on the vulnerabilities, the best thing to do is work on improvements to (or implementation of) your security practices and policies. One practice that’s easy to do, but hard to implement if you don’t currently have it, is a strong patching plan. Another good practice to get in the habit of is testing your backups… if you back up and don’t test, then you really don’t know whether it will work when you need it. If you can, make sure that you segment your network where you can, and stay away from flat network designs.

If you aren’t already doing it, or don’t have the software, get a monitoring system. In the event someone does breach your systems, without a monitoring system (like a SIEM), you won’t be able to tell. This is also amazing at helping to see what is being changed in your environment.

With monitoring should come the testing of systems. You should get some penetration testing software to test your systems. This goes hand in hand with the monitoring, since you should be able to see the testing in the logs. If you don’t, it means you need to retool your monitoring systems. Penetration tools will give you feedback that you can use to fill back in your vulnerability list.

Once you are comfortable with these systems in place (as I mentioned, it’s an ongoing process), and you can convince your higher-ups, hiring an auditing company to audit your processes and systems is a great idea. Even the best security professionals need a second set of eyes to make sure they didn’t miss something. Tunnel vision often happens, and the report at the end will help you guide the security program forward.

If you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at, and he’ll try to answer your question. Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.

Information Security Core Knowledge

Every so often, I get asked by someone who wants to get into the InfoSec field what the core knowledge is that is needed. Now I know a lot of people have a lot of different answers to this question, but I think there are some things that are important and that are easier to attain. These aren’t particular things to memorize; they are more skills that you need to work effectively in the security field.


  • Reading CVEs: Most of what I do when I hear about a new vulnerability is immediately look at the CVE for it, understand the CVSS, and understand how that applies to my environments (both personal and business).
  • Understand Threat, Vulnerability and Risk: A threat is what we're trying to protect against; it could be something like a DDoS or an actor. A vulnerability is a weakness in software or hardware that can be exploited by threats to gain unauthorized access to an asset. Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
  • Understanding of Networking: While you don't need to be an expert in networking, I come across subnetting, CIDR, IPv4, IPv6 (in some networks) and ports. These are things that I have to view multiple times a week and quickly identify.
  • Nmap: This is a tool that I thought I fully knew until I started working in information security. I started to heavily utilize the tool and learned that I had used a fraction of it. It's an important reconnaissance tool that you should use to make sure you know what is on your network and what is open.

As you can see, these skills are something that people can learn, and before you get into the InfoSec field, take some time to start learning them. It doesn't have to be only if you want to get into InfoSec; this is stuff you should look at for any IT job.

How to rethink your backup strategy

One of the things that was drilled into my head when I was starting out in my IT career was the backup philosophy of 3-2-1. This means you should have 3 copies of your data (the production data and two backups), on 2 different media types, with 1 of them being offsite. This is still the method recommended by CERT (see here). Yet I found it conflicted with other information that I've learned over time. So while the 3-2-1 method is better than none, you really want to use it as the base of your backup plan and add some extra steps to it.
It's not that the 3-2-1 method doesn't have a place anymore, but it was heavily used in the era of tape backups, when you only needed to take 1 thing offsite and store it. Yet maybe it was my time as an Emergency Manager, where there was always a thought of disaster, that I started to modify my thought process.

3-1-2 Method: This is the one I've come closest to seeing nowadays, where you have 3 copies of your data (one production and 2 backups), it's all on disk (1 media type), and the backups are stored in two geographic locations. Ideally these locations would be on opposite sides of the world or even your country, but some organizations just focus on different parts of a city/town or state. The idea behind this is that if a disaster happens, think flooding or tornado, then the data would be in a different locale and still be safe.

3-2-2 Method: This is one that I personally love, but honestly not everyone has the staff or money to pull it off. 3 copies of your data, on 2 media types, and the backups in 2 different locations. For this one you need to have the ability to save data to a tape. Usually the tape is sent to a local storage location and your disk backup is sent to the cloud or a backup facility in another locale.

As you can see, as long as you understand the basic 3-2-1 backup methodology, you can and should tweak the numbers to best suit your backup strategy. The 3-2-1 method has been around for a while, and now is the time to start thinking of ways of adding redundancy and attempting to disaster-proof your plans. While it costs a lot to implement a decent backup plan, the cost of not having one can be worse. When I started, we only worried about natural disasters; now your backup strategy needs to include cyber disasters as well. What happens if your cloud backup is infected by ransomware? Then an offline backup helps.
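The schemes above, together with the test-your-backups advice earlier on the page, can be turned into a check you run against your own inventory. The sketch below is an added example, not the author's tooling: it assumes the three numbers mean total copies, media types, and backup sites away from production, and every name, site and date in the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    role: str                 # "production" or "backup"
    media: str                # e.g. "disk", "tape"
    site: str                 # where the copy physically lives
    offline: bool = False     # disconnected once the backup job finishes
    last_restore_test: Optional[date] = None   # None = never restored from

def audit(copies, scheme, today, max_test_age_days=90):
    """Return findings for an inventory checked against a scheme like "3-2-2".
    Assumed reading: total copies - media types - sites away from production."""
    want_copies, want_media, want_sites = (int(n) for n in scheme.split("-"))
    backups = [c for c in copies if c.role == "backup"]
    prod_sites = {c.site for c in copies if c.role == "production"}
    away_sites = {c.site for c in backups} - prod_sites
    media = {c.media for c in copies}
    findings = []
    if len(copies) < want_copies:
        findings.append(f"copies: {len(copies)} < {want_copies}")
    if len(media) < want_media:
        findings.append(f"media types: {len(media)} < {want_media}")
    if len(away_sites) < want_sites:
        findings.append(f"backup sites away from production: {len(away_sites)} < {want_sites}")
    if not any(c.offline for c in backups):
        findings.append("no offline backup")   # synced storage can be encrypted too
    for c in backups:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        elif (today - c.last_restore_test).days > max_test_age_days:
            findings.append(f"{c.name}: last restore test {(today - c.last_restore_test).days} days ago")
    return findings

# Constructed inventory: every name, site and date below is made up for the example.
TODAY = date(2022, 11, 27)
INVENTORY = [
    Copy("file-server", "production", "disk", "hq"),
    Copy("nightly-replica", "backup", "disk", "cloud-east", last_restore_test=date(2022, 11, 1)),
    Copy("weekly-tape", "backup", "tape", "vault", offline=True, last_restore_test=date(2022, 3, 15)),
]

if __name__ == "__main__":
    for scheme in ("3-2-1", "3-1-2", "3-2-2"):
        print(scheme, audit(INVENTORY, scheme, TODAY) or "ok")
```

The sample inventory meets all three schemes on paper, and the only finding is the tape that has not been restored from in months.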

For another article on backups by me: Backups: Tape vs. Replication

Q&A Monday: Defense Against Ransomware

There has been a lot in the news about ransomware, what can I do to protect myself?

Melody Carroll
, MN

There isn't a day that goes by that you don't hear about ransomware hitting a company or targeting another industry, and that can make people like yourself want to guard themselves against this particular type of attack. Before I begin, let's just lay down what ransomware classically is and why it's dangerous. In short, ransomware is malicious software that "locks up" (encrypts) victims' files and keeps the person from accessing them without payment. Payment is usually made in cryptocurrency, which is hard to trace, and then the attacker will give directions on how to gain access back to those files. Some variants of ransomware not only encrypt the files, they also make a copy of the files on the attackers' systems, so they can add the additional threat of releasing the data if you don't pay.

Practice “Cyber Hygiene”

Luckily, keeping yourself safe from ransomware is not much different than keeping safe from any other type of malware. To start out you don't need to go crazy; just a few basic steps can keep your computers safe.

  • Multi-Factor (two-factor) authentication: This is a great way to protect yourself with only a little effort. Most websites and/or applications let you use another factor besides your password to get into your accounts. The method will vary by website, but you'll be able to choose between an email, text or authenticator code to get into the website. Most banks have been doing this for years, and most sites I use let me set this up as an option. So now, along with my password, I'll get a code to log me into the site. This keeps people from getting in by guessing your password or by using one leaked from another site.
  • Backup Data Offline: Most people rely upon a cloud service like Google, Dropbox, iCloud or OneDrive to back up important stuff or pictures. While this is great, if your computer is compromised, then it may sync those encrypted files to the cloud storage platform. The best way to protect yourself is offline backups. Purchase an external hard drive that you disconnect after you back up your files. This way, if your files are encrypted, you have a backup that is safe, but this only works if you disconnect after every backup. I use a reminder to remind myself to back up and disconnect.
  • Utilize Guest Network at Home: Companies segment their networks (or should) to keep hackers from easily moving from one system to another. If you have technical expertise you can do this at home, but it's not for everyone. The simple solution I recommend is that, if your router supports it, you turn on your "Guest Network" feature and put some things on that segmented network. For example, I've recommended people put their IoT devices on there, like their cameras, alarms, toasters, assistants, etc. Should any of those devices become compromised, it would be harder for an attacker to get to your computers, as they're on a different network.
  • Password Security: This is easier said than done for most people. Make sure that your passwords are unique and complex for each website or application that you use. Attackers, if they get a username and password, will try that combination on all the popular sites. I recommend that you use a password manager to keep track of the unique passwords for each site, and that you make sure each one is complex. Then there's making sure that you change the password on a regular basis, to make sure that you keep it secure.
  • Don't use remote tools: There are a ton of applications out there that let you control your computer at home or send files to storage at your house. Anytime you let yourself have access to things from outside your home, you let hackers have the same path. While some of this can easily be mitigated using MFA or complex unique passwords, it's something that you need to consider.
  • Suspicious Emails: At this point there isn't a person who doesn't know about spam emails, and most of us can point them out easily, yet lesser known is the phishing email. Most workplaces will cover this, but I recommend that if you get an email from a business that you do business with and you weren't expecting it, don't click any link in that email; instead go directly to the website itself. Unless you are comfortable with looking at the email address or headers of an email to determine if it's legitimate... but honestly, I can do that, and most of the time I'll go to the website directly. These are tactics for either getting your login details or getting malware onto your computer.

Now to be clear, there isn't a foolproof way of protecting yourself, but the more defenses you put up, the more likely an attacker is to move to the next victim. I was once told, why would a car thief break into a car when the one next to it is already open? If someone wants it bad enough, they'll get your information, but you don't have to make it easy. I hope that helped.

