Thursday, July 26, 2012

A Security Nightmare

This is getting bad.  Very bad.  Keeping a company safe from hackers has always been difficult.  However, in recent weeks, things are getting worse.  Consider these three items that I tweeted about in the last couple weeks:
This power strip is not what it seems!
What happens when devices that look like one thing are actually something else?  What happens when viruses start to infect things that have always been safe in the past?  What happens when pretty much anything is hackable?  Even "safe" .pdfs.

Security Fails. 

It's not the fault of the users.  The attacks are getting too advanced.  Even experienced, somewhat security-aware admins can fall victim to these things.   I have a 39-character password.  I've been infected. I've had malware. It's a pain!

@DaveAitel is starting to suggest that it's a waste of employees' time to be trained in security awareness. I disagree.  There has to be a balance.  Users are not security experts.  Even if they were, we can't train users about things that don't yet exist.  There has to be a holistic approach: train users, but have defense in depth.  Use best practices.

If you can reduce your attack vectors, all the better.  But at a minimum, please secure your environment:
  • regularly patch and test everything for vulnerabilities.  (How fast can you patch your PCs and servers? Is it hours, days, or weeks?)
  • segment your network.  Keep confidential data isolated.
  • encrypt confidential data (hash and salt passwords!)
  • no open WIFI access points, no open mail relays, etc.
  • require strong authentication (pass phrases, hard tokens, etc.) and check for good passwords.  As xkcd put it:
    "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard to remember but easy for computers to guess."
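Two of the items above, "hash and salt passwords" and "check for good passwords," are easy to say and easy to get wrong, so here is an added example (not code from the original post) showing both: passwords stored with a per-user random salt and a slow key-derivation function (PBKDF2 from Python's standard library), verified in constant time, plus a strength check in the spirit of the xkcd quote that favors long pass phrases over short words with character substitutions. The iteration count, the minimum length, the leet-substitution map and the tiny word lists are all assumptions constructed for this example; a real deployment would use a full dictionary and a breached-password corpus.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work-factor parameters are assumptions for this example; raise ITERATIONS as hardware allows.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
MIN_LENGTH = 10

# Constructed sample lists; a real checker uses a full dictionary and a breach corpus.
COMMON_PASSWORDS = {"password", "password1", "password123", "123456", "qwerty", "letmein"}
SMALL_DICTIONARY = {"troubador", "troubadour", "correct", "horse", "battery", "staple", "welcome"}
# Common "leet" substitutions, mapped back to the letter they stand in for (assumed list).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and PBKDF2-HMAC.

    Returns a self-describing string "pbkdf2_<hash>$<iterations>$<salt hex>$<hash hex>"
    so the parameters can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per password; defeats precomputed tables
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    hash_name = algo.split("_", 1)[1]
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(dk.hex(), hash_hex)


def normalize(password: str) -> str:
    """Undo leet substitutions and drop non-letters so 'Tr0ub4dor&3' looks like its base word."""
    return "".join(c for c in password.lower().translate(LEET_MAP) if c.isalpha())


def check_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects short, common, or substituted-dictionary passwords."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears in common-password list"
    norm = normalize(password)
    for word in SMALL_DICTIONARY:
        # A single dictionary word that covers most of the password is still one guess
        # for an attacker's wordlist, however many digits and symbols were sprinkled on it.
        if norm.startswith(word) and len(word) >= 0.7 * len(password):
            return False, f"dictionary word '{word}' with substitutions"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple", "password123"):
        print(candidate, check_password(candidate))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

The stored record carries its own salt and iteration count, which is what lets you raise the work factor for new passwords while old ones keep verifying; the strength check is deliberately about length and predictability rather than "one uppercase, one digit, one symbol" rules, which is exactly the habit the xkcd line is mocking.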

Just remember, there are always unlimited resources to resolve a security problem once CNN learns that your company has been hacked, a USB key is lost, or a laptop full of medical records, financial aid applications, or space station codes

Thursday, July 19, 2012

Why retail shopping drives me [insane | online]

We needed new patio furniture.  Ours is about 14 years old, rusting, and really needs replacing. We've been out a couple times looking, but still haven't found what we were looking for.  My wife saw an ad in the local paper for a resin wicker chair and table set.  Not the highest end, but given our weather, it might just work.  So she sent me on a mission--find them.   We called the closest store, and they were all out.  We called the next closest, and they said they had the tables we were looking for.

I arrived, couldn't find it, so asked for help.  The manager looked up their inventory and it said they had the table and 5 chairs in stock.  It was near closing time, so I paid for the purchase while they pulled it from the stock room.

When they finished searching the stock room, they could only find 4 chairs.  No table. After doing a "return" of the missing items, I left somewhat frustrated.  After 7 visits to 4 different stores, I have all 8 chairs I wanted, but still no table.  I'm very, very frustrated, because they don't know what they have, where they have it, or where it's going. They're 30 years behind the times.

1)  Even on clearance items, an organization should know their inventory, across the chain.  Not having real-time inventory is inexcusable in 2012.  (I understand shrinkage and other inventory issues, but generally, you should know what's where!)

2)  You should know what's coming in, and when it is expected.  I can go to Amazon and pull up the tracking number from the order I placed December 12, 2002 (almost 10 years ago!).  How can you not know what's coming?

3)  Figure out a way to take a phone order.  One store had the tables I needed.  I was ready to pay by credit card over the phone.  Their "systems" could not handle it.   Both tables were gone by the time I arrived 45 minutes later.   That certainly added to my frustration.

Not a smarter business.

One of the table/chair sets.
I want to support local business, but compared to how easy it is for me to go online and find what I'd like, it's getting harder and harder to do so!


P.S. After calling around to each of the 5 stores near me, twice a day, we came home with both tables and 8 chairs. 

Thursday, July 5, 2012

Would you panic if your laptop disappeared?

During a recent trip, I watched in horror as a man realized that he had left his laptop sitting in a train station.... 3 hours earlier. He was in total panic.  Fortunately for him, some kind soul had turned it in and he was able to recover it at the lost and found department.  But it got me thinking.  I've never lost an actual laptop:

  • I did leave my iPad on a plane early this year, but the Delta ground crew helped me get it back before the next flight departed and it disappeared. 
  • I have had three hard drives die in the last year, but with good backup practice (and the help of Carbonite), I restored all my data. 
  • I had my car broken into and my BlackBerry stolen, but one phone call to my IT department and it was remotely wiped. 

But I never actually "lost" the whole laptop.   


Thinking about it, the loss is twofold: 
1)  How do I get my data back?
2)  Is there any concern about the data on the missing device? 


The first part is easy.  I am an extremely strong believer in automatic backup. I use and strongly recommend Carbonite, but there are several very good products out there.  I also have a local external drive but only back up there occasionally.  


It was the second part that really got to me.   It was my last data recovery that got me thinking: as I looked at all the files being restored (lurie-peter-federal-state-taxes-2011.pdf being one, along with downloaded copies of credit card statements, etc.), I realized there's a lot of information on my laptop.  And my wife has confidential files on her computer too.  


I don't know if my work laptop is encrypted or not (I presume it is); however, my personal laptops are not.  Should they be?  Probably.  Can I find a way to do it transparently, inexpensively, and relatively securely?  Maybe... I'm going to play with TrueCrypt and write up the results later.  


Meanwhile, until I get everything locked down, I guess I have to keep track of my laptops. :) 