
Moving?

If you are a CEO, or owner of a company, you know that the logistics of moving are a nightmare!

I have moved data centers while keeping the existing company going.  That is what got me interested in Disaster recovery.  If you are going to provide business continuity during a disaster, providing the same for a move is a little simpler.

If you have a disaster recovery plan, this would be an excellent way to test it. If you don’t, may I suggest you create one before the move and then use the move as a way to test it?

The simple facts are that most CEOs are oblivious as to the true state of their data infrastructure. It seems to work and, besides the occasional glitch, business continues.

As a DR specialist I see things way too often that are far from “best practice” and usually so sub-par that the person in charge of the mess does everything they can do to get me out of there before their boss learns the tenuous situation that they have going on.

Rule of thumb.

You don’t have to understand too much of the technology to know if you are being snowed.

Go into the wiring closets and/or data center and look at how things are arranged.

Are the cables dressed as they should be or are they simply plugged in with no rhyme or reason?

Is everything in the computer room labeled?

Can your CIO or manager or sysadmin produce an up to date network map?

Can they produce your software licenses in case the SBA comes for a visit?

Can they produce an accurate inventory of all of the software in your company?

Can they show you the “run book”?

These are just real simple things that you can look for to get a feel for how prepared your company is to either move, or recover after a disaster.

Usually the turnover in such a company results in messes being piled on top of messes.  Before the Gordian knot becomes truly inexorable; a review is necessary.

The review turns into an audit which inevitably makes those who are responsible anxious.  My job is not to point fingers, but simply point out that which needs to change.

See my blog “attention Ceo CiO etc…

Attention #CEO #CFO #President #CIO and #hr

There are many things in there to ask of your staff.

The point to this writing today is simply this. If you are pondering a move, using your disaster recovery plan as an outline for the move has lots of advantages.

The main advantage is that you get to test it, and work on it.  While it may not be complete it is a starting point.

We live in difficult times; not having a DR plan is like driving without insurance, risky.  While driving without insurance could get you a ticket, or paying for the other guy out of your pocket, not having a DR plan could cost you the entire company.

Feel free to contact me if you need some help.

Staylor AT guard-protect.com

Yes, robots see e-mails and spam me so simply replace the AT with the @

-Best

Security

Happy Friday!

Today I want to talk about security. With the recent events involving our President, along with major companies’ databases of credit card holders being hacked, it seemed timely.

Companies either focus on cyber-security, physical security or both or neither.  I realize that this statement seems ambiguous but, the simple facts are that few companies think about hiring a Security Officer, much less installing the systems to make certain that their physical plant is secure; not to mention their Data infrastructure. A security Officer is well rounded and incorporates all facets of security into their repertoire.

Part of a Disaster Recovery plan is an audit of security measures taken.

Thanks to recent hacks by various outside entities, companies are becoming more in tune with things like passwords that change, that the user sets, as well as administrative passwords that also are forced to change and be “strong in nature.”

Instead of vilifying some of my clients’ practices, which many would find audacious, some entertaining, and some downright stupid, allow me to pontificate about “security in a nutshell.”

Let’s start with the employee.

All employees (present and future) should have a background check completed.  Are they who they say that they are and do they have any criminal history?  What is their credit score and, can they pass a “drug test” now and at some future date?

What someone writes on their resume is not a legal document therefore; you must necessarily have them fill out an application for employment which “is a legal document.”  You can buy these at Office Depot, so there is really no excuse not to do this.

The resume is an instrument to get a person in the door for an interview, not to hire them by. What one writes on the application is grounds for termination, if fabricated. I can write that I am King of the Emirates on my CV; if that gets me in the door, so be it. Once I write that on an application, I have committed fraud. Some would argue that the CV should be more sacrosanct than it is. That would be nice but the truth is that few do.

There is a complete art regarding your CV and making it stand out among others. Like English 101, it is subjective; research the company to which you are sending it. That is why one must have several different resumes. I will not belabor that point or this subject here; suffice it to say, if it gets me past the first cut that is all that I care about. Until you are sitting in front of a person who gets to know you personally and uniquely from the masses, your resume is one of tens of thousands languishing in a sea of anonymity.

Once your HR department is satisfied that this person is a viable candidate for the job at hand; then and only then, should the hiring manager start the interview process.

Q. What difference does it make if the person has a less than stellar history?

A.  If they have a track record for making bad decisions, there is nothing to stop them from doing so again. Once you hire them, they represent you and or your company.

Q.  What difference does it make regarding their credit score?

A.   If they have a lousy credit score that simply means that once again they have a higher probability of making poor decisions and even more germane, might be someone who has character issues.

One company I know of ran reports of how many coffee creamers, sugar and toilet paper their individual branches went through. They tied that data together with the branches that had “shorts.” (Shorts meaning the cash drawer did not balance, was missing money.) The interesting thing was that the branches that used more supplies had more shorts; thus, the criminal element was behind the counter.

Q. Piss Quiz? What does a little pot, or drinking, have to do with a person being a good and faithful employee?

A. Once again we are looking at character traits. If a person plays loose with the rules, they too will have a proclivity to play loose with your rules. Good behavior should be rewarded. If someone plays by the rules, they should be first up for the job.

Q. What about pre-employment tests?

A. Having total empathy for those of us who suffer from test anxiety, I am more interested in a person’s history and track record. The EU is really big on all sorts of pre-employment tests to get the “brightest and best”; however, as a hiring manager for most of my adult life, I am here to tell you that tests are not the end all be all. If HR does their part, I trust that I can weed out the rest. While a test may give you some idea of a person’s character, remember that if they are nervous or not feeling well that particular day, the results will be skewed. You may in fact be overlooking a diamond. Get to know the person.

Once a long time ago I interviewed with Microsoft. As it happened I was suffering from bronchitis and had not slept well, but I would have still gone to work as I could function, so why not go on the interview? There were several parts of the process, including tests of different parts. Did I know the material? In truth I was overqualified for the job in so many ways, but I thought that working for Microsoft would be a good thing so I went through with the interview. In the last part of the interview some very attractive young lady brought me into an office and asked me, “Why was a pothole cover round?” In the haze of DayQuil and the anxiety of the entire process, the question threw me. I chuckled at her and looked at her like I was waiting for the real question, like “what are the different layers of the OSI model and how are they relevant to data communications?” That question I could have handled and was expecting; not why is a pothole cover round.

After a short period of silence which seemed like an eternity I realized that she was quite serious. “I had never thought about it before,” I said. “I suppose that it might have something to do with the fact that if it were any other geometric shape, it could fall in.”

That answer was met with a disapproving look, which again threw me, as I could not think of any other reason why.

She then started asking me another question about a farmer, and a boat, and grain, and chickens, and a fox, and a river.

At this point in the process I ended the interview.  I was not feeling well and this to me seemed like games that one might play with someone who had never worked in the industry before; not someone who had the years doing this that I had.

My next job was that of an IT Director (instead of working at Microsoft), where I would be the one in charge of purchasing tens of thousands of dollars at a time of software from “Microsoft.” Microsoft has a tendency to hire a lot of young pretty girls to do their bidding, much like the drug industry does to push their pharmaceuticals to doctors. It is good to be a customer.

Physical Security

Physical security should be well thought out. I know of some companies that think this is too-expensive or don’t want to invest in this.  They have a key pad entry that they change once a quarter or so, if they think about it.  I have seen others who simply use a lock and key and they don’t even change them out when they have employee turnover.

Q. What should my building security look like?

A. Depending upon your business, let’s take a typical office environment.

The reception area has your normal door locks for after hours as well as video surveillance. Today we have technology that allows surveillance to be somewhat obscure but not so much so that the people who come into the lobby don’t notice it.  Today’s casinos for instance have tons of cameras and you know that if you scratch yourself someone somewhere watched you do it.  My point is that they are barely noticeable.  They are there and you know that they are there but you quickly might forget.  Your lobby should not be intimidating because your customers come through there too however; it should be obvious that you have security.

Each entrance to areas past the reception area should be hard keyed with electronic pass devices that respond to individual key cards.  Piggy backing of employees traversing these doors should be discouraged however; video surveillance of these doors from both the inside and outside will allow you to track employee movement should the need arise.

Electronic time clocks which use RFID or even biometrics are not only good for payroll but, once again, a good way to track employee movement. Again the clock(s) should have video cameras in them and pointed at them so there is no way someone could be clocking in someone other than themselves. The more secure the area is, the more visible you should make your security.

Depending upon your organization, doors controlling access to certain areas (HR, development, data center, etc.) should be keyed to allow only people with a need for entrance to that area. Again these doors are also under video surveillance from both the inside and outside.

Employee cards should have a picture of the employee on them and should be visible at all times when the employee is on campus.

With unique employee key cards and programmed entrance to the areas that each unique employee will need, the only changes to the system will be when that employee leaves and it only has to change with that one person.

Not only does this give your physical building / plant the security that this day and time calls for, but it allows you to track your employees’ movements if the need arises.

Q. Why would I need to track an employee?

A. Let’s say you have an area of production that is suffering and you don’t know why. What if you pulled a report and found that your manager of that area was spending a lot of time in places other than where he or she should be? This actually happened at one of my clients. They had several thefts one night and found that by tracking the people that came and went and correlating those times with security footage, they were able to actually see the person perpetrating the crime. This person spent some time behind bars and the company was quickly able to remove undesirable elements from their work staff.

Q: Are there any other physical security measures that I should look at?

A: Glass breakage detectors, motion detectors, smoke and gas detectors, and I like to add water detection equipment. The latter inclusion would have come in handy a couple of times in my career. We were in the middle of a remodel and one of the plumbers forgot to solder a fitting. They turned on the water and it held pressure so they left. Sometime over the weekend the fitting let loose and the entire building was flooded. Water detection sensors would have kept the damage to a minimum instead of flooding an entire high rise. Since most fire suppression systems are water, this too would let you know if something failed with that system.

Note: there are several different fire suppression systems and water is good for general purpose; however, a data center needs a little more thought.

How about your computer systems?  While the above is an abbreviated look at employee and physical security, what about your data?

  • Passwords that change
  • Cable infrastructure
  • Admin passwords that change and are strong
  • Firewalls with the appropriate updates and configurations
  • SNMP manageable devices that are updated and set to user-specific user names and passwords
  • Physical cable plant that is locked down to only allow access from expected devices.
  • WiFi that is locked down
  • VLANS segregating departments and traffic
  • Servers with specific access to files and or data needed by departments and or users.
  • S.A.M.  (Software Asset Management) in place and kept up to date
  • VPN encrypted access with security token
  • All outside connections to the network identified and locked down.
  • Roaming profiles updated and checked for security
  • No remote control software on company computers either remote or host.
  • Admin access to user computer restricted or not at all.
  • Thumb drives and laptops encrypted.

You would be shocked if I told you how many times I find loose if not non-existent password policies.  It is almost as if they are begging for industrial espionage or begging  some disgruntled employee to have their way with them.

Much like having a PC without a locking screensaver is downright idiocy; these folks beg to be burned.

User passwords must change every 90 days at max and should be strong, meaning special characters, numbers and so forth.  One company that I know of keeps a spreadsheet of everyone’s assigned password that never changes. That keeps the sys-admin from re-setting passwords but opens the company up to so many security violations it is unbelievable.  This practice is in direct violation of policies set forth for publicly traded companies, and those that follow ISO standards. 

Admin or super user passwords should also change on no particular date but often, more often than every 90 days but with no predictability.  There might be some inventive programmer who could write an app that would randomly go off and invoke a password change for administrators and not let you continue on until you have done so.
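One way the "inventive programmer" idea above could look, as an added example that is not from the original post: each admin account gets a forced-change date drawn from the operating system's random source, and login is blocked once that date (or the 90-day user limit) is reached. The 7 to 60 day window, the account fields and the sample accounts are assumptions made for illustration.

```python
import secrets
from datetime import date, timedelta

USER_MAX_AGE_DAYS = 90   # from the text: user passwords change every 90 days at most
ADMIN_MIN_DAYS = 7       # assumption: shortest gap between forced admin changes
ADMIN_MAX_DAYS = 60      # assumption: longest gap, kept well under 90 days


def draw_admin_deadline(last_change, randbelow=secrets.randbelow):
    """Pick the next forced-change date for an admin account.

    The offset comes from the OS CSPRNG, so it cannot be predicted from
    earlier deadlines. `randbelow` is injectable only so tests can pin it.
    """
    span = ADMIN_MAX_DAYS - ADMIN_MIN_DAYS + 1
    return last_change + timedelta(days=ADMIN_MIN_DAYS + randbelow(span))


def must_change(account, today):
    """Return why login must stop for a password change, or None."""
    if account["is_admin"] and today >= account["deadline"]:
        return "admin deadline reached"
    if (today - account["last_change"]).days >= USER_MAX_AGE_DAYS:
        return "password older than %d days" % USER_MAX_AGE_DAYS
    return None


def record_change(account, today, randbelow=secrets.randbelow):
    """Call after a successful change: reset the age, redraw the admin deadline."""
    account["last_change"] = today
    if account["is_admin"]:
        account["deadline"] = draw_admin_deadline(today, randbelow)
    return account


def login_gate(accounts, today):
    """Map each blocked account name to the reason it must change its password."""
    blocked = {}
    for name, account in sorted(accounts.items()):
        reason = must_change(account, today)
        if reason:
            blocked[name] = reason
    return blocked


# Constructed sample accounts (not from the original post).
SAMPLE_ACCOUNTS = {
    "jsmith": {"is_admin": False, "last_change": date(2014, 7, 1), "deadline": None},
    "mjones": {"is_admin": False, "last_change": date(2014, 9, 1), "deadline": None},
    "root-ops": {"is_admin": True, "last_change": date(2014, 9, 10),
                 "deadline": date(2014, 9, 29)},
}

if __name__ == "__main__":
    for name, reason in login_gate(SAMPLE_ACCOUNTS, date(2014, 10, 1)).items():
        print(name, "->", reason)
```

The deadline is stored with the account rather than recomputed, so it stays fixed until the change is made and is redrawn only afterwards.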

Another ambiguity with our illustrious data folk is a lack of documentation with their data plant.  Why is that important?

In the server room that contains the switches should be a map.  This map should contain a map of each floor and the data drops.  Not only should these drops be labeled as such they should be secured.  How do you secure a data drop and why?

Let’s start with the Why?  If I were a bad guy I might come in disguised as a janitor.   I would have a small laptop and that would have on it some software to sleuth your network with my goal being to get into your servers.  The first thing that I would do is find a data port that had nothing in it and plug right in “assuming that there was no wifi that I could get into.”

Now if you do your cable management correctly, that vacant port that I just plugged into is not hooked up via the patch panel. That forces me to go unplug a computer or printer and try it there, as that is an active device so it is cabled. In our switch we can have it only talk to the device if it is the MAC address that it is programmed to expect. The idea is to make it as difficult as possible for the would-be intruder to gain access to your data.

In most shops, we have no idea what drops are live, and where they are or what they are, much less what is plugged into them.

With VLANs we offer yet another layer of security in that if this guy plugs into some port that the secretary uses, he will not be able to get access to the engineers’ VLAN.

Many times I see networks where more ports were needed so a switch was just thrown into the drop, problem solved.  This is poor on many levels.  Anyone with any networking sense knows better but yet I see it every day.  You take a multi-thousand dollar cable plant and install a $30 switch screwing up collision rates, security, traffic throughput and so forth rather than do it right.
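The checks described above (live drops nobody documented, a device other than the expected MAC, a small switch hung off a drop, a port on the wrong VLAN) can be run as a comparison between the server-room map and what the switch reports. This is an added example, not from the original post; the two CSV layouts, port names, drop labels and MAC addresses are constructed for illustration.

```python
import csv
import io

# Constructed sample data. The CSV layouts are assumptions: one file kept
# with the floor map, one exported from the switch's port/MAC tables.
DROP_MAP_CSV = """\
port,drop,vlan,expected_mac
Gi1/0/1,2F-014,10,00:11:22:33:44:01
Gi1/0/2,2F-015,10,00:11:22:33:44:02
Gi1/0/3,2F-016,20,00:11:22:33:44:03
Gi1/0/4,2F-017,20,00:11:22:33:44:04
"""

OBSERVED_CSV = """\
port,link,vlan,macs
Gi1/0/1,up,10,00:11:22:33:44:01
Gi1/0/2,up,10,de:ad:be:ef:00:99
Gi1/0/3,up,20,00:11:22:33:44:03;00:11:22:33:44:aa;00:11:22:33:44:bb
Gi1/0/4,up,10,00:11:22:33:44:04
Gi1/0/5,up,1,de:ad:be:ef:00:42
Gi1/0/6,down,1,
"""


def read_rows(text):
    """Parse a CSV string with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_ports(drop_map_csv, observed_csv):
    """Compare the documented drop map with the observed switch state.

    Returns (port, finding) tuples in switch-port order. Ports with no link
    are skipped: a vacant drop that is not patched is the desired state.
    """
    documented = {row["port"]: row for row in read_rows(drop_map_csv)}
    findings = []
    for row in read_rows(observed_csv):
        port = row["port"]
        if row["link"] != "up":
            continue
        macs = {m.lower() for m in row["macs"].split(";") if m}
        doc = documented.get(port)
        if doc is None:
            # A live port that is on no map: a patched "vacant" drop.
            findings.append((port, "UNDOCUMENTED_LIVE_PORT"))
            continue
        if len(macs) > 1:
            # Several devices behind one drop: a switch or hub was added.
            findings.append((port, "MULTIPLE_MACS"))
        if macs - {doc["expected_mac"].lower()}:
            # Something other than the documented device is plugged in.
            findings.append((port, "UNEXPECTED_MAC"))
        if row["vlan"] != doc["vlan"]:
            findings.append((port, "VLAN_MISMATCH"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ports(DROP_MAP_CSV, OBSERVED_CSV):
        print(port, finding)
```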

Jumping down the list to S.A.M.  While most things on this list are common sense S.A.M. might not be that intuitive.

Q. Why do I need to keep up with what is on each and every computer and how does that relate to security?

A. Really good question. In running an audit of all software on all computers within an organization you will quickly find that your organization has a lot of software that the business owner is responsible for. If some disgruntled employee calls the Business Software Alliance http://www.bsa.org/ and reports that you are using pirated software; it then becomes your responsibility to prove otherwise.

  • Can you show proof of purchase for all software within your organization?
  • Can you show the license keys for that software? If so, prove it to yourself.
  • Do you know what each and every executable is on each and every desktop?
  • Do you have software on computers that is not being used?

The long and the short of this exercise is that I do an inventory of software on PCs as part of a DR. While this is a painful, exhaustive process, it is important because you have to know what you have if you want to re-create it in the case of a disaster.

I always find software that the company was unaware of.

I most always find Trojans, viruses, games and more importantly, I find remote control software.

While this is a real good reason why people should not have access to the administrative rights on their computers, it is also a real good reason to do this inventory.
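The four questions in the list above map onto a reconciliation between the licence register and what is actually installed. The following is an added example, not from the original post; the register layout, host names, product entries, the remote-control keyword list and the 180-day "unused" threshold are all assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Assumptions: keywords that mark remote-control tools, and how long without
# use before an install counts as unused. Tune both to your environment.
REMOTE_CONTROL_KEYWORDS = ("teamviewer", "vnc", "logmein")
UNUSED_AFTER_DAYS = 180

# Constructed licence register: product -> seats bought, proof of purchase.
LICENCES = {
    "Microsoft Office 2013": {"seats": 3, "proof": "INVOICE-PLACEHOLDER-1"},
    "AutoCAD 2014": {"seats": 1, "proof": None},
}

# Constructed inventory scan: (host, product, date last used).
INSTALLS = [
    ("PC-01", "Microsoft Office 2013", date(2014, 9, 29)),
    ("PC-02", "Microsoft Office 2013", date(2014, 9, 30)),
    ("PC-03", "Microsoft Office 2013", date(2014, 9, 30)),
    ("PC-04", "Microsoft Office 2013", date(2014, 1, 15)),
    ("PC-02", "AutoCAD 2014", date(2014, 9, 12)),
    ("PC-03", "TeamViewer 9", date(2014, 9, 28)),
    ("PC-04", "Solitaire Deluxe", date(2014, 9, 30)),
]


def reconcile(licences, installs, today):
    """Compare installed software with the licence register.

    Returns a dict of finding name -> sorted list, covering the questions
    in the text: proof of purchase, seat counts, unknown executables,
    unused software, plus remote-control tools.
    """
    counts = Counter(product for _, product, _ in installs)
    report = {
        # Installed but absent from the register: nobody approved or bought it.
        "not_in_register": sorted(
            (host, product) for host, product, _ in installs
            if product not in licences),
        # More installs than seats purchased.
        "over_deployed": sorted(
            (product, counts[product], lic["seats"])
            for product, lic in licences.items()
            if counts[product] > lic["seats"]),
        # In the register, installed, but no proof of purchase on file.
        "no_proof_of_purchase": sorted(
            product for product, lic in licences.items()
            if counts[product] and not lic["proof"]),
        # Remote-control tools, licensed or not, need an owner and a reason.
        "remote_control": sorted(
            (host, product) for host, product, _ in installs
            if any(k in product.lower() for k in REMOTE_CONTROL_KEYWORDS)),
        # Licensed installs nobody has used for a long time.
        "unused": sorted(
            (host, product) for host, product, last_used in installs
            if product in licences
            and (today - last_used).days > UNUSED_AFTER_DAYS),
    }
    return report


if __name__ == "__main__":
    for finding, items in reconcile(LICENCES, INSTALLS, date(2014, 10, 1)).items():
        print(finding, items)
```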

The normal computer user does not need to modify their computer to use word, excel and power point.  IT should be in charge of adding software and then the PC should stay fairly static.

Remote control software is used to either allow a user to take control of their computer from outside the building or control another PC outside the building or inside the building. Maybe that is perfectly legitimate or very possibly it is not. That is why I insist that things like copy inhibit, and auditing, be enabled on the servers. If forensic investigations are needed down the road, we have the tools to do so; we simply must use them.

Industrial espionage is real and the business owner should take it real seriously.  There are “certifications for data security experts” out there.  What I know of this stems from over 30 years of doing this. It actually might be interesting to go through the class and see what I have not thought of.

A word about industrial espionage.

People often wonder if I struggle with paranoia.  I assure you that I am purrrfectly normal, I don’t struggle, I submit to it; everyone has their children followed, and thinks that their cats are spying on them, right?

So I am not a comedian..

The idea that I wanted to mention here is really from WWII.  “Loose lips sink ships.”  The idiom means “beware of unguarded talk.” No, I am not that old but; I am a student of history among other things.  We live in a high-tech world and we live in a social world.  We have several areas of town where there are high tech industries and where employees of those industries gather for lunch, or to have a beer and shoot pool after work.  Too many times I am in ear shot of engineers talking shop, in public.  If you own or manage a company that has “secrets” I would caution your employees about talking shop in public.  There are most likely posters that someone sells that you could hang on the wall as a subtle reminder about this subject.

[Image: someone-tweeted]

The above picture proves that this concept is not lost on today’s companies.

If I worked at company Y who had company X as a competitor, I might very well have someone go down to the area where company X was and scope out restaurants where there were known hangouts for their engineers or technical guys.  I might also; if I were unscrupulous, have someone go stake out the place and make certain that I had them there when their folks had lunch.  In this day and age where there is a complete science behind “blending in,” it would be rather easy to go eaves drop.  In this day of technology, bugging someone would not be out of the realm of possibility.  When fountain pens that are a self-contained Digital Video Camera / Recorder which can record up to an hour per charge are less than $20; you had best beware that your cats may very well be spying on you.  Ok, not your cats, but certainly your employees or strangers.

Thinking back to Mission Impossible, where the tape recorder would start spewing smoke out ten seconds after the message had been listened to, devices are worth mentioning here.

Devices that leave the confines of the building; in this case laptops and thumb drives need to be secure.  Folks it is downright foolish not to have these things encrypted.  We have so many different types of encryption techniques available today.  Encrypting your data should it fall into the wrong hands will still make it useless to those who take it.  Even the smart phone has a failsafe built into it.

Because we store so many things on our smartphones, they are more than just a phone. The courts recently ruled that police can no longer take your phone and access it to see what you have been up to, as the phone is so much more than a simple phone. My iPhone, for example, after X attempts to guess my password will wipe itself. Can we write such security programs for thumb drives and laptops? Not a programmer; well, since COBOL, but I am guessing that it is do-able.

Is the Cloud safe?

At this point in time, I would say no.  As much as we hear how safe that it is, each and every day we also hear about how it was violated, or how some major organization was hacked.

Back up your data and send a copy to your safe deposit box at the bank. Make certain that your safe deposit box is a few miles from your office or residence so that if a tornado or other type of disaster takes out your business or residence, your data stored in that safe deposit box is still there. Utilize a service to take your data off site if you like, or set up your own “cloud” via a secure tunnel over the internet to another location.

Hard drives are cheap and UNIX or Linux is not all that difficult to use to set up an FTP server.  While anything is better than nothing, have a strategy and test it; even if you do use the cloud.

With the White House being violated by a crazy person, the president in an elevator with a known criminal with a gun, not to mention the secret service allowing him to go to Mandela’s Funeral and speak just a few feet away from the translator who was not who he said he was, we must question everything.

The only way to really trust that your data is safe and for that matter your business or residence; is to test your plan once you implement it.  There are people you can hire “good guys” that will test your security from different angles as well as your disaster recovery plan.

The framework above is an excellent starting point. Trust me when I say this: many CEOs have no idea how vulnerable they are, as they trust that their CIO or SysAdmins know this stuff. Each and every DR that I do, I find that most do not. The more that I dig, the more truculent these folks become, and they are really happy when I leave. They don’t want their bosses to know the truth. While I would happily work with them to fix these things and offer as much, they would rather hide the facts from those that should know their vulnerabilities.

If you are a CIO or head of a company that is interested in this, read my blog “attention CIO CEO ….

-Best to you and those that you care about!

Good Luck Jim

Copyright 2014 All rights reserved

The below is an addendum to this article which really puts things into perspective…

FOR IMMEDIATE RELEASE

Tuesday, September 30, 2014

Four Members of International Computer Hacking Ring Indicted for Stealing Gaming Technology, Apache Helicopter Training Software

Four members of an international computer hacking ring have been charged with breaking into computer networks of prominent technology companies and the U.S. Army and stealing more than $100 million in intellectual property and other proprietary data.  Two of the charged members have already pleaded guilty.  The alleged cyber theft included software and data related to the Xbox One gaming console and Xbox Live online gaming system; popular games such as “Call of Duty: Modern Warfare 3” and “Gears of War 3”;  and proprietary software used to train military helicopter pilots.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney Charles M. Oberly III of the District of Delaware and Special Agent in Charge Stephen E. Vogt of the FBI’s Baltimore Field Office made the announcement.

“As the indictment charges, the members of this international hacking ring stole trade secret data used in high-tech American products, ranging from software that trains U.S. soldiers to fly Apache helicopters to Xbox games that entertain millions around the world,” said Assistant Attorney General Caldwell.  “The American economy is driven by innovation.  But American innovation is only valuable when it can be protected.  Today’s guilty pleas show that we will protect America’s intellectual property from hackers, whether they hack from here or from abroad.”

“Electronic breaking and entering of computer networks and the digital looting of identities and intellectual property have become much too common,” said U.S. Attorney Oberly.  “These are not harmless crimes, and those who commit them should not believe they are safely beyond our reach.”

Nathan Leroux, 20, of Bowie, Maryland; Sanadodeh Nesheiwat, 28, of Washington, New Jersey; David Pokora, 22, of Mississauga, Ontario, Canada; and Austin Alcala, 18, of McCordsville, Indiana, were charged in an 18-count superseding indictment returned by a federal grand jury in the District of Delaware on April 23, 2014, and unsealed earlier today.  The charges in the indictment include conspiracies to commit computer fraud, copyright infringement, wire fraud, mail fraud, identity theft and theft of trade secrets.  The defendants are also charged with individual counts of aggravated identity theft, unauthorized computer access, copyright infringement and wire fraud.

Today, Pokora and Nesheiwat pleaded guilty to conspiracy to commit computer fraud and copyright infringement and are scheduled for sentencing on Jan. 13, 2015.  Pokora was arrested on March 28, 2014, while attempting to enter the United States at the Lewiston, New York, Port of Entry.  Pokora’s plea is believed to be the first conviction of a foreign-based individual for hacking into U.S. businesses to steal trade secret information.

According to the superseding indictment and other court records, from January 2011 to March 2014, the four men and others located in the United States and abroad allegedly hacked into the computer networks of Microsoft Corporation, Epic Games Inc., Valve Corporation, Zombie Studios and the U.S. Army.  The defendants and others allegedly obtained access to the victims’ computer networks through methods including SQL injection and the use of stolen usernames and passwords of company employees and their software development partners.  Once inside the victims’ computer networks, the conspirators accessed and stole unreleased software, software source code, trade secrets, copyrighted and pre-release works and other confidential and proprietary information.  Members of the conspiracy also allegedly stole financial and other sensitive information relating to the companies – but not their customers – and certain employees of such companies.

Specifically, the data cyber-theft allegedly included source code, technical specifications and related information for Microsoft’s then-unreleased Xbox One gaming console; intellectual property and proprietary data related to Xbox Live, Microsoft’s online multi-player gaming and media-delivery system; Apache helicopter simulator software developed by Zombie Studios for the U.S. Army; a pre-release version of Epic’s video game, “Gears of War 3;” and a pre-release version of Activision’s video game, “Call of Duty: Modern Warfare 3.”  The defendants also allegedly conspired to use, share and sell the stolen information.

The value of the intellectual property and other data that the defendants stole, as well as the costs associated with the victims’ responses to the conduct, is estimated to range between $100 million and $200 million.  To date, the United States has seized over $620,000 in cash and other proceeds related to the charged conduct.

In addition to those charged in the United States, an Australian citizen has been charged under Australian law for his alleged role in the conspiracy.

An indictment is merely an allegation, and the defendants are presumed innocent unless and until proven guilty in a court of law.

This case is being investigated by the FBI, with assistance from the Criminal Division’s Office of International Affairs, the U.S. Department of Homeland Security’s Homeland Security Investigations and Customs and Border Patrol, and the U.S. Postal Inspection Service.  The investigation also has been coordinated with the Western Australia Police and the Peel Regional Police of Ontario, Canada.

The case is being prosecuted by Trial Attorney James Silver of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Edward J. McAndrew of the District of Delaware.

The CIO

Frequently young people ask me what it takes to be in IT or even the CIO.

Over thirty years of OJT has taught me a thing or two about management.

When I was working in Corporate America, often times I would do things that were for the “good of the company,” that my subordinates may not have liked.

In one of my previous posts I speak about documentation being the bane of IT people. As a manager of this group, documentation is key.

Many times I go into a situation to “trouble-shoot” and when I ask for the network documentation, I am met with blank stares.  If I task you with driving from Baltimore to LA without a map or GPS, the odds are good that even with the occasional road sign to assist you, you would make a few wrong turns along the way. While this is a real simplistic metaphor for the problem, you get the point.

While I encourage the creation and continual update of a “run-book,” most IT people laugh. One of them even told me straight up “that will never happen.”  He was terminated soon after that remark.  Attitude is a key component of any employee, and crappy attitudes I can do without.  It happened, it just did not happen with him.

The data center and the associated infrastructure do not belong to you, the geek, but to the company.  You are entrusted with its care and feeding.  The direction of how, when, and why comes from somewhere else. Understanding your role in this universe is salient advice that I would give any techie that wants to stay employed.

While I have stepped on a few toes over the past 30 years; most of my previous employees would follow me to a new company if I asked; and have done so on many occasions over the years.

What does it take to be the “guy in charge?”

It takes a person who firstly loves technology.  Eating and breathing the newest technology I believe is a trait that is indicative of a successful CIO.

Second, it takes business acumen.  Technology is great; having the business prowess to realize that there is a bottom line and in order for the company to stay viable, purchases should be made with business objectives in mind.  I cannot tell you how many times I see things that were ill-advised purchases, which were no longer in use, and lost revenue.

Having a vision of where the company is headed is key to purchasing the correct hardware and software.

If you have read any of my other blogs you know that I believe in leading by example.  Gaining the mutual respect of your employees is paramount.  Sometimes a new broom must sweep clean, and that too has been the case on a few occasions.

Be smart enough to utilize a VAR.  The business case is simple…

Yes, they mark up the products that they sell you; however, you gain the expertise of their staff, who see what works and what does not.  They are in multiple businesses and have the advantage of working with all of the latest and greatest. They stand behind what they sell you.  If it breaks, they deal with it.  They deal with all of the major vendors and know what is coming down the road.  Having access to their insight is invaluable.

Never buy from internet “cheapie” stores, and here is why.  If they have it and it is discounted, there is a reason.  It may be buggy, no longer supported, or outdated.

If you want to take a chance for your home stuff, go for it.  Business applications are more traffic intensive than your home network or PC.  If you have routing issues or excessive collisions at home, the odds are good that you will never know it unless it becomes critical.  In business, you have possibly hundreds of computers hooked to the network, thus stressing the network’s ability to perform.  Do you really want to do that with cheap, no-name or outdated hardware?

If you want to shop your toner, go for it, other office supplies; have at it.  Networking equipment, do not be tempted.  The few dollars you “think you saved” will most probably cost you big time in the end.

Realize that there are things like hardware asset management and make sure you follow through.  Repairing and putting new software on old hardware is a fool’s mission in that the license most likely dies with the hardware.  Old hardware is already outdated and slower than what you would have today.  There is also S.A.M. or software asset management, which also is a key element to the bottom line.

  • Desktops last no longer than five years.
  • Laptops, around three years.
  • Smartphones about two.

Since the software costs much more than the hardware, you can see how keeping that old boat anchor alive is probably not a good idea.  XP is dead; get over it and move on.

This is one reason why leasing for large companies might make good sense.

I once worked for a CIO who did not even have a PC at home.  He reminded me of the old guy that did not even want a cell phone as there was nobody he wanted to talk to bad enough to have one.  My point is that you must have a balance between the financial aspects of the business at hand, and the technological aspects.  This guy cost the company millions of dollars because he was so inept where technology counted.  While he did not have an abacus on his desk; he definitely was old school and inflexible.

Too many times I have been in companies where the CEO or owner wanted to play IT rather than run the company.  The CEO did not get there by being stupid, but IT is not his forte; it is yours.  Unlike us, “the nerds of the world,” who eat, breathe and defecate this stuff on a daily basis, he or she may read something in some periodical and think, “Wow, this looks good; do this!”

Your relationship with this person should be on a solid enough footing where you can tell them the truth of the matter.

Falling back to re-group and gather pricing, TCO and an ROI is always a crucial part of the decision, not to mention, does it make business sense to do it in the first place.

Don’t be afraid to tell the truth.  I have had a yes man working for me that I had to get rid of.  I depend upon my subordinates to debate with me if they think that I am wrong.  They might very well lose anyway, but differing opinions are necessary, and crucial to the process. Having the humility to listen to them is part of being a good CIO.

Project management is a key part of being an IT manager.  Yes, you can hire a project manager but let’s face it; it is really not all that difficult.  We have all of these certifications for everything in the world.  While a piece of paper gives the clueless hiring entity a metric of your ability, it is not the end all be all.

I have inherited “certified employees” that were academically sharp but, not able to do the job at hand. They can read and regurgitate information but could not turn a screwdriver. Book sense and practical; not one or the other.

I was a project manager before there were such things, at least certified project managers.

I ran as many projects as 30 at one time, most in a spreadsheet, well several spreadsheets.  I knew what it was going to cost and how much I was going to have spent on each and every milestone.  I knew who would be doing which task at what time and how long it should take.  If I can do that in Excel, do I really need to hire a PMP?

In order to be a good manager, having the ability to do each and every job makes life much simpler.  You cannot be “BS’ed.”  Can you do it as fast as someone who does it day in and day out?  Probably not, but you could do it if needed, which gives you a leg up and makes each and every employee under you “expendable.”

I don’t mean to sound harsh.  There is this attitude among most IT guys that if they are the only person who can do it, they are sacrosanct. So, they don’t document their job and of course they don’t let on their tricks or where the bones are buried. Nobody in any company should be untouchable.

This is dangerous for you the CIO and damned hazardous for the company.

This is why the owner or CEO of any company should have a disaster recovery plan and test that plan with people other than his or her employees.  If a technical group of people can bring your company back from the brink, in an offsite location, in a short amount of time, then your documentation is solid.  If not, then your guys have some “splainin to do.”

Plans such as these rarely work perfectly the first time, and I expect that.  That is the process by which the documentation is refined in such a way that it will work.  No one can get every detail the first time around, but eventually you can nail it down in such a way that the company would survive if a disaster was declared.

These have been my precepts from day one of management.  There are lots of things that go with this but you can see the logic and of course you can see how this would intimidate the person who may be out of their comfort zone to start with.  This is one of the problems that I am forced to deal with when I am called in to do a DR plan.  The employees are seldom on board with giving me information, which means that I have to go and get it. This is where I end up stepping on toes.  If I have to go dig it up, it is much more costly and it extends the project time.  Nobody wants their “mess” exposed during the audit so it is seldom easy to get through this process.  Even though upper management is on board, the employees are most of the time, evasive if not truculent; and unwilling to share.

So the last thing that I would offer is patience.  Weekly meetings with upper management on your progress will ferret out issues like uncooperative employees.

-Best to you and those that you care about.

Bash or ShellShock!

Bash!

Sounds like something out of Batman.

This however is no lighthearted matter.

Bash is a UNIX shell that has been exploited in a most dangerous manner.  Shellshock, a program “virus” written to take advantage of a bug in Bash, could be used to take over millions of computers world-wide.

I talk a lot about anti-virus software and why you should really buy the best that you can but, still, “day in and day out” I get computers that are infected with tens of hundreds of viruses.

“Free anti-virus software is not worth what you pay for it!”

Free software is not maintained remotely as well as software from companies that take in revenue and can afford programmers to keep on top of it.  Using free is foolhardy at best, and dangerous at worst.  Why?

Let’s say that your computer becomes infected but, not to the point to stop you from working with it, maybe it just slows it down a little.

Meanwhile, lurking within the bits and bytes of software there is a Trojan waiting to be activated by some nefarious ne’er-do-well.  This person or people could use yours and millions of other computers to simultaneously attack systems in other countries, our country, and so forth.  They might target government systems or air traffic systems etc.  With so many computers attacking a system, it would most certainly bring it down.

The argument that I am trying to make here is this.  Every day we hear of new viruses that are being released or discovered.  Using the “best” anti-virus software is not only a good idea for you, but it is also patriotic in that you really don’t want your computer to be attacking some government server.

Practice safe computing, use good anti-virus software and pay attention to your computer if it starts acting “wonky!”

Yes, “wonky” is a technical term. OK, maybe not, but you know what I mean.

A trick that I do is run the little widgets that come with Windows 7 and 8 that display memory usage and CPU usage.  When your computer boots from a fresh installation, take note of where those needles are sitting during normal usage.  This is much like the gauges on your car.  When you are going down the road, you know where the temp gauge should be and where the RPM, voltage, etc. should be.  When they are acting “wonky” (not in their usual spot) you get it looked at.  Your PC is no different.

“Shellshock” is particularly dangerous in that it affects UNIX systems, Macs and even smartphones that use the Android operating system.

A lot of servers run UNIX; this might explain the recent hacks pulled off against Home Depot, and nude pictures of celebrities being taken from their personal accounts on “The Cloud.”

Some of these programs can go unnoticed and sit idle for years before someone notices them.  Generally, when some “hack” is perpetrated, then “White Hat Hackers” are called in to find out how.  Forensic computer gurus who know, for example, what each and every little file in a UNIX system is, and what it should look like, size and usage, might be called in to see “what is wrong with this picture.”

The days when your Mac and your Linux / UNIX system were relatively safe are gone.

Do your backups and test them.  No backup is complete until you test your backup!  Make certain that your anti-virus software is of good quality, and up-to-date.

 “Which is the best”

I know, I beat you to the punch.

First off, I buy all of my anti-virus software at full price and am not in bed with anyone!

I have many different flavors as there is no silver bullet.

I use ESET NOD32 on my main system, and I use Trend Micro on my backup system.  I also use Norton on my laptop, although I have seen way too many machines which run Norton infected.

As far as mobile and iPad and iPhone, I use Trend Mobile.

Having said this, please understand that there is no warranty expressed or implied by this blog.  For legalese, you should consider this and all my blogs “entertainment.”  There are no warranties of usability or anything else.

Isn’t it simply pitiful that we live in such a litigious world that disclaimers have to be put on “blogs?”

All opinions here are my own, unless otherwise stated.

Now go take on the day!

-Best

A virus to end all viruses!

 

My favorite Anti-Virus software was sullied by something this week.

 While downloading the hundreds of e-mails I get each day, my PC decided to “stall.”

 One of the reasons that we “who know these things” get paid well for what we do is this.

When a PC, server or any other piece of computer hardware fails to act as it should, we go through a methodical litany of troubleshooting techniques that we know to do.

 

  • This is a fairly old PC, is it hardware?
  • Is it software?
  • Is it operator error?

 

One of the first steps I do, is assume nothing.

 The answer to the three above questions is “possibly.”

 I check for viruses as that is what one does, checks for a virus.  If there is no smoke or other obvious hardware issue, you check for viri.

 The “only” way to do this properly is remove the hard drive from the machine, install it in an external device that hooks up to another “known good PC” with good anti-virus on it, and scan it.  I could explain why but it would add several paragraphs, so just trust me.

 One of the first mistakes one makes is use a machine that has the anti-virus on it that you already use.  Hello…. If it is a virus and it got past your anti-virus what makes you think it won’t screw up this machine as well?

As a professional, I have several top of the line packages that I purchase and keep up as there is “no silver bullet.”  I don’t screw with free, as free is not worth what you pay for it!  Anyone that does is playing with fire!

 This process can take hours, so I use the time to blow out the machine, check for bad caps, lethargic fans, change the CMOS battery, dust out the CD-ROMS and so forth.

 As part of the process I noticed that the video card fan was running, but not up to speed.  This was not an expensive card so I took this opportunity to upgrade it to something newer, faster, onboard GPU and a killer fan.

 Problem: Newer video cards need more power than the old 300Watt Dell power supply can muster; must change the power supply as well.

 Problem: Dell uses proprietary power supplies.  Getting a higher power, power-supply from Dell, if they even make one for this PC, would be cost-prohibitive.

Plan B: What exactly is different about this power supply vs. the standard off the shelf power supply?  The placement of the power receptacle is lower, and there is an off-on switch on a “generic” power supply.  The case has metal where that would be.

It did not take long to modify the case to accept a generic, higher power, power-supply with a larger fan and double the watts!  There is a tool called a “nibbler” that you can get that will allow you to remove small chunks of metal at a time until you make a suitable hole for the new power-supply.  I also used a Dremel tool to smooth the metal, so there were no sharp edges.

After finishing the hardware upgrade with a larger power-supply and a video card that is really meant for gaming; as well as replacing the CMOS battery, the diagnostic screen came up just perfectly.  Removing lots of dust did not hurt things either.  The drive was still scanning, so a wait was still in order.  At 75%, Trend Micro had found no viruses….

 Finally; about 3 hours after the start, the drive was pronounced clean by Trend Micro so now it was back to possibly a hardware issue, or was it?

 Installing the drive upon boot up I was presented with the options of safe-mode or regular boot.  Always choose safe.  In safe mode you can poke around without all of the other files loaded.

 Once booted in safe, I installed the new video drivers and was happy that “in safe mode” the PC behaved as expected.

 Reboot to normal, normal quickly turned to atypical to say the least.

 I like to have the widgets on my desktop that show me the processor usage and the memory usage.  I know what they should look like so if they change, I can quickly react vs. waiting until things just die.

 Watching the widgets, the processor usage would tank at 100% and the memory usage would gradually increase until the PC was non-responsive.  That is the earmark of a virus, or a program that is behaving badly. 

 Manually shutting off the machine and bringing it back in safe mode I use something called CCleaner.  I actually pay these folks for this program as it is that good!  You can get it for free but anyone that writes a program like this I will support them.

 www.piriform.com

 I allow it to clean; which removes all kinds of crap hence “crap cleaner.”

I then run the registry cleaner and allow it to do its thing.

After that I go through which programs and services I want to allow to start, then kill everything that I don’t recognize.  I am different from the normal folk, as I recognize what those programs and services are.  If you are not sure about this, research what you are killing with another computer.  Failure to do so could result in you killing your operating system.

 The trick is to get rid of all the “junk in the trunk.”

 

“Junk in the trunk”

 

I use the analogy of hauling rocks in your trunk. 

 

Many years ago Lucy from the “I Love Lucy Show” and her husband made a movie called “The Long, Long Trailer.”  If you have not seen it I will not spoil it, but part of the plot is that Lucy wanted to collect a rock from each place that she and her husband went on their honeymoon, while pulling this travel trailer with a car that was probably ill equipped for the task.  While the rocks in this case were in the trailer, the metaphor still works, as this car was now pulling more than it could possibly handle while traversing the mountains!

 

We do that with our PCs every day!  We load them down with all kinds of programs that live in the tray. We have lots of different things running at one time, and unfortunately we have to add to this load anti-virus software and anti-malware software and god only knows what else, just to surf the web!

 

Depending upon your car, Mustang with a 5.0 or Prius, it will allow you to haul some stuff.  As far as I am concerned, I want a PC that will get the job done and handle the software necessary to keep the computer safe and allow me to run production apps.  I drive a full size truck with lots of power.  My PC is not a gaming PC but, it could play WOW or some other graphic intensive game, if I so chose to do so.

 

If you are a gamer, you want a Ferrari or Lamborghini.  I advise those shopping for a new PC to get one that will play games; even if you don’t intend to use it for that.  Why?

 

If it will play games, it will run your production apps and the necessary stuff to keep it safe from the bad guys!

 

Having a sport car does not give you license to drive down the road faster than traffic or the speed limit; it merely gives you the ability to do so.  Just because you have a PC with lots of power, there is no need to install a bunch of stuff like “weather bug.”

A PC is kind of like a baby.  Everything that you do to it or with it from the day it is “virgin software” changes it.  Loading all kinds of stuff on your PC, even getting updates from the different software vendors, “changes it.”  PCs are very dynamic, and that is why it is important to use the widgets like I spoke of earlier.  Know what is normal for your PC, and when it is not normal, get some help.  When your car’s temperature gauge goes out of the normal range, you take it to the shop, don’t you?  If not, you certainly should.  Someone needs to write into the operating system a “check engine light.”

 Diagnostic software came about with the PC years ago; the first that I remember was PCTools. 

 After removing all of the junk, booting my PC back up into normal mode still left me with a PC that had a runaway program that slowly degraded the performance of the PC until it died.

Another boot to safe and then another boot to normal allowed me to quickly bring up task-manager before the eventual slowdown, so I could monitor all processes “from all other sources besides just my login.”  That is key, as some services and processes will not show up under what you have loaded under your profile.

Long story short, ESET was the malfunctioning process.  ESET would eventually use up over a gig of RAM and most of the CPU horsepower and… the mystery still is that it was sending something over the internet, or at the very least causing all sorts of network traffic.  I no longer have a hub, so loading a protocol analyzer on another PC would have only shown me broadcast traffic.  I elected to simply uninstall ESET from “safe mode” and see what happened then.  That fixed the problem.  I installed Trend Micro and have run the PC for over a week with no issues.
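The pattern in this story (CPU pinned while memory climbs at every look, visible only when processes from all users are listed) can be checked mechanically from periodic process snapshots. This is an added example, not code from the original post; the sample rows, process names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed samples (not from the post). One row per process per poll, taken
# across ALL users, as (minute, pid, name, owner, cpu_pct, rss_mb).
SAMPLES = [
    (0, 412, "svchost.exe", "SYSTEM", 1.0, 38),
    (0, 1880, "av_service.exe", "SYSTEM", 35.0, 140),   # hypothetical AV service
    (0, 2964, "mailclient.exe", "user", 6.0, 210),
    (0, 3120, "video_encode.exe", "user", 96.0, 300),   # busy but healthy
    (1, 412, "svchost.exe", "SYSTEM", 2.0, 39),
    (1, 1880, "av_service.exe", "SYSTEM", 88.0, 390),
    (1, 2964, "mailclient.exe", "user", 12.0, 260),
    (1, 3120, "video_encode.exe", "user", 97.0, 305),
    (2, 412, "svchost.exe", "SYSTEM", 1.0, 39),
    (2, 1880, "av_service.exe", "SYSTEM", 97.0, 720),
    (2, 2964, "mailclient.exe", "user", 4.0, 240),
    (2, 3120, "video_encode.exe", "user", 95.0, 302),
    (3, 412, "svchost.exe", "SYSTEM", 1.0, 40),
    (3, 1880, "av_service.exe", "SYSTEM", 99.0, 1100),
    (3, 2964, "mailclient.exe", "user", 5.0, 250),
    (3, 3120, "video_encode.exe", "user", 96.0, 304),
]


def find_runaways(samples, cpu_floor=80.0, growth_floor_mb=500, window=3):
    """Flag processes whose memory rose at every poll (by at least
    growth_floor_mb overall) while CPU stayed at or above cpu_floor for the
    last `window` polls. High CPU alone is not enough."""
    series = defaultdict(list)
    for minute, pid, name, owner, cpu, rss in sorted(samples):
        series[(pid, name, owner)].append((cpu, rss))

    findings = []
    for (pid, name, owner), points in series.items():
        if len(points) <= window:
            continue  # not enough history to call it a trend
        rss = [r for _, r in points]
        climbing = all(later > earlier for earlier, later in zip(rss, rss[1:]))
        growth = rss[-1] - rss[0]
        pegged = min(c for c, _ in points[-window:]) >= cpu_floor
        if climbing and growth >= growth_floor_mb and pegged:
            findings.append(
                {"pid": pid, "name": name, "owner": owner, "growth_mb": growth}
            )
    return sorted(findings, key=lambda f: f["growth_mb"], reverse=True)


def visible_to(samples, owner):
    """Rows a per-user process list would show for `owner` only."""
    return [row for row in samples if row[3] == owner]


if __name__ == "__main__":
    print("all users :", find_runaways(SAMPLES))
    print("user only :", find_runaways(visible_to(SAMPLES, "user")))
```

Filtering the same samples to one login returns nothing, which is why the per-user view hides a misbehaving service.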

 My guess is that someone wrote a program specifically to attack the anti-virus software and ESET was not equipped to handle it.  Next week or next month it may very well be Trend that fails.  There are many on the market and there is “No Silver Bullet.”  It came in through e-mail I suspect.

 

Moral of this sad tale is this: backup those things that you care about and back up often.

 

I would love to know what attacked ESET NOD32, so if anyone else has a similar story please share it.  I will make certain to share it with my readers.

Call me paranoid, but here is my suspicion.  There are many different anti-virus programs out there all trying to get your dollar.  There are some really good programs and then there are some programs that are not so good.  While free is better than none, it is not much better.  You get what you pay for.

I suspect and this of course is coming from a 30 plus year veteran of working with this stuff, that someone who works for or worked for one of these companies wrote and released this bug.  Someone writes these things and if they don’t get remuneration from it, why do it?

Why in God’s name would someone sit around in their mother’s basement in their underwear writing programs that are meant to disrupt or destroy people’s software or ability to get on the internet or work or what have you?   Sorry for the visual but I can just see some pimple faced kid with empty candy wrappers, half empty red bull cans and possibly an ash tray full of butts and old pizza boxes typing away at the computer till the wee hours, trying to outdo his buddy.  I think I see roaches too…Another bug!  

I understand writing software to steal an identity and sell those things to the highest bidder. 

I understand robots to use millions of computers to attack some target with a DoS.

If a virus was written to attack a specific anti-virus package; that action would bespeak of an inside job, or possibly someone that had a grudge against that company.

 

Full disclosure: I do disaster recovery planning for companies.  Having been in this field since before the Internet, Bill Gates and Mr. Jobs, I have seen much, done much, and carry a wealth of both computer and business skills and acumen with me to the client’s site.

 

When I got out of school, the secretarial pool was still in vogue, and Gregg shorthand was still practiced.  I put dictation equipment on executives’ desks and later computers, replacing the all-day process of creating a document with the executive typing his or her own document or e-mail.

I am also a science fiction / fantasy writer who enjoys blogging…

-Best

 

 

 

To My IT friends

How many times a day or week or month does your phone ring from a family member or friend and when you answer that phone the sentence starts out with, my computer…. what does it mean when…. what software …… and the list goes on?

Do you ever get tired of not hearing a hello, how are you doing?

For thirty-odd years this has been my life. I am sure that you too have heard this from everyone from your friend to your mom.

Here is the thing, if they were doctors and you called them up with “what does it mean when I have this pain….?” How would they respond?

Don’t get me wrong, I love my family and value my friends enough to overlook their lack of manners. Here is the problem as I see it. My time and expertise are my “stock in trade.”

I have invested thousands of dollars in books and equipment and classes to get to where I am. I have spent thousands of hours of my life learning what I do. Unlike a doctor or heart surgeon or dentist my craft is incredibly dynamic! It changes daily. You snooze for one day you may not learn about the latest threat or the newest bug or what have you.

A heart is still a heart and a tooth is still a tooth. Am I saying that their fields are not dynamic? Of course not! They are however more static than ours. Breakthroughs in medicine don’t happen all that often, do they?

My point is that just because I am not cutting into someone’s chest are my skills any less valuable?

Why am I assigning a value to this?

If you give your skills away, you are by definition cheapening what you do in the mind of the person receiving it. If I don’t have to pay something for your efforts I may very well expect them again and again for free.

How often do you think your doctor or dentist would put up with that?

Thirty-four years or so ago the internet was not as you see it today. Using the internet back in those days was a command line system consisting of commands like “telnet, gopher, ftp and so forth.” Knowing Unix was a plus, as a lot of the commands, like ls, were similar.

Bill Gates and later Steve Jobs came up with a GUI, or Graphical User Interface, that made what we have today possible for everyone. Actually Xerox came up with the first GUI and the first mouse, and when Bill saw it he quickly went to the college that was working on the “open source code” and came up with Windows.

I don’t know how Steve came up with their GUI and I am not sure how IBM came up with their idea of a GUI with OS2.

Xerox lost out because their system was way too expensive and some bean counter was trying to get all of their development dollars back on the first sale.

IBM lost out as everything that they did was costly and proprietary. Even their NICs, which were the first real solid networking cards, lost out to a less efficient method, as IBM licensed their software and technology with each card. One card could cost upwards of 500-odd dollars. That might get you 4 Mbps of speed.

Ethernet using a different transport method was much more cost effective and as the software improved by 1983, became a standard through the cooperative efforts of several companies; Xerox, Intel and DEC and of course 3COM which was formed by the inventor of Ethernet, Bob Metcalfe.

My point to this little divergence into history is that it was not too long ago that you had to be a geek to use this stuff. In order to “network” computers you really needed to understand what a datagram was and how it worked. The OSI model was something that you studied and understood each and every layer so if there was a failure you would know where to look.

Not long ago I was consulting with a company where the head IT guru was trying to convince me and a few others that this computer was conflicting with itself. He was convinced that this computer somehow had a duplicate IP address and was conflicting with itself, knocking itself off of the network.

Now this guy clearly has never heard of the OSI model and has no idea what a datagram is, and for that matter never heard of a sniffer or protocol analyzer. I knew he was clueless, but so as not to make him look stupid I loaded up Wireshark and tried to show him how some of it worked.

When he was still lost, I shut off the PC in question and showed him a simple ping to the offending IP address, which responded. There was another device with that same IP address, as someone had loaded another DHCP server, and it was handing out addresses as well.

When you don’t have a change control or change management committee, or some sort of method for controlling what is on your network you get the Wild West.
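The duplicate address in that story came from a second DHCP server handing out leases on the same network. This added example (not from the original post) checks for both symptoms from observed ARP replies and DHCP server messages; every address, MAC and record layout below is constructed, and the authorized-server list is an assumption.

```python
from collections import defaultdict

# Constructed observations (not from the post). Addresses come from the
# 192.0.2.0/24 documentation range; MACs are locally administered values.
ARP_REPLIES = [  # (ip, mac) pairs seen answering ARP on the segment
    ("192.0.2.10", "02:00:00:00:00:0a"),
    ("192.0.2.25", "02:00:00:00:00:19"),   # the PC that kept dropping off
    ("192.0.2.31", "02:00:00:00:00:1f"),
    ("192.0.2.25", "02:00:00:00:00:7C"),   # still answers with the PC shut off
    ("192.0.2.10", "02:00:00:00:00:0a"),   # repeat sighting, same MAC
]

DHCP_MESSAGES = [  # server-to-client messages; yiaddr is the leased address
    {"type": "ACK", "server_id": "192.0.2.1",
     "yiaddr": "192.0.2.25", "client_mac": "02:00:00:00:00:19"},
    {"type": "ACK", "server_id": "192.0.2.1",
     "yiaddr": "192.0.2.31", "client_mac": "02:00:00:00:00:1f"},
    {"type": "OFFER", "server_id": "192.0.2.200",
     "yiaddr": "192.0.2.25", "client_mac": "02:00:00:00:00:7c"},
    {"type": "ACK", "server_id": "192.0.2.200",
     "yiaddr": "192.0.2.25", "client_mac": "02:00:00:00:00:7c"},
]

AUTHORIZED_SERVERS = {"192.0.2.1"}  # assumption: the one sanctioned server


def duplicate_ips(arp_replies):
    """Map each IP claimed by more than one MAC to the sorted MAC list."""
    macs_by_ip = defaultdict(set)
    for ip, mac in arp_replies:
        macs_by_ip[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}


def rogue_servers(dhcp_messages, authorized):
    """DHCP server identifiers seen on the wire that are not sanctioned."""
    seen = {m["server_id"] for m in dhcp_messages
            if m["type"] in ("OFFER", "ACK")}
    return sorted(seen - set(authorized))


def audit(arp_replies, dhcp_messages, authorized):
    """Tie the two findings together: which conflicting addresses were
    leased by a server that should not be there."""
    dups = duplicate_ips(arp_replies)
    rogues = rogue_servers(dhcp_messages, authorized)
    leases = sorted(
        (m["yiaddr"], m["client_mac"].lower(), m["server_id"])
        for m in dhcp_messages
        if m["type"] == "ACK"
        and m["server_id"] in rogues
        and m["yiaddr"] in dups
    )
    return {"duplicate_ips": dups, "rogue_servers": rogues,
            "leases_behind_conflicts": leases}


if __name__ == "__main__":
    for key, value in audit(ARP_REPLIES, DHCP_MESSAGES,
                            AUTHORIZED_SERVERS).items():
        print(key, "->", value)
```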

How many of your phones ring when you are in bed and it is the office, something is not working?

We are in a global competition for our jobs and our lives revolve around this stuff. Companies are trying to convince the powers that be that we need more H1B folks as there is nobody in America with the skills that they need!

Ever been to a job fair Mr. hiring manager? 5000 folks will show up for a half dozen jobs.

The fact is that there is plenty of talent here in this country right now. I know because I talk with them daily. A lot of them can’t find work as they are too old (over 50). Once you get seasoned you are at the top of the pay range and you expect to make decent money. Companies don’t want to pay you for what you are worth, so they convince someone in Congress or whoever makes the laws regarding H1B employees and they drag them in by the thousands!

Much like the illegal’s taking non-skilled jobs; we have the H1B people taking the skilled jobs because they will work cheaper. They can also be terminated more easily.

I ran into a programmer working behind the counter at a hardware store the other day. He was surly and I could not let that go. I kept making conversation with him until I learned that he was a DBA and could not find work. He was good at what he did and after a few more minutes I figured out that he had reached the top of his pay scale and once you do that, companies look for cheaper labor. Still want that raise?

I know too many in similar situations, and as long as we have H1B folks and we have Peggy type folks with call centers in parts of the world that no one ever heard of, nothing will change.

The talent is there; they are just under employed and if they stay that way for too long they will never regain entry in to the work force in the capacity that they were.

If it is not with H1B workers it is companies outsourcing things to different countries. We are creating hostile environments for companies in this country so why not take it overseas.

I sell a product made here in this country that if it were made in China, I could get it for a tenth of the cost. Those are tough dollars to overlook. I like selling things that are made in America and those things are hard to find.

So what is the value of your education, your time, and your personal time being interrupted by family and or friends needing computer help?

I am actually thankful that their computer is broken so at least I hear from them. When they start the conversation with “my computer is… I reply with I am fine, how are you?”

-Best to you and those that you care about!

Bulletin: #Lois Lerner’s #Email has been lost!

As an IT expert I have to say, “REALLY!”  “How stupid do you think the American people are?”  I realize that is a rhetorical question because obviously there are either some awfully stupid people or awfully gullible people or even awfully greedy people who vote; but this is over the top!

There are federal laws that govern how e-mail is to be stored and for federal agencies, it is not on the desktop.

As a disaster recovery expert, again: “Do you really expect us to believe that the IRS does not store files in a redundant fashion, using either RAID or SANs or the cloud…?”

Let’s examine the issues here.

Firstly, as a publicly traded company (which the IRS is not, but they are aware of the standards 😉) you are required to keep all e-mails under SOX. For that purpose you would use something called e-mail journaling, which keeps a copy of the e-mail in a separate area that cannot be deleted. One would think that a federal agency would at least be required to do that.

Secondly, there is FISMA (the Federal Information Security Management Act of 2002). According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability. This is the FREAKING IRS; do they really expect us to swallow that her e-mails were only stored on her local computer?

Thirdly, there are multiple types of redundant technology available and I would have to guess that the IRS takes advantage of either NAS or SANs or the cloud and, of course, tape backup, just in case. NAS (network attached storage) or SAN (storage area network) allow data from the “email store” to be stored on multiple drives in something known as a RAID configuration, meaning that if a drive fails, the data is stored on multiple different drives so there is no data loss. With VMware they can have multiple servers with multiple copies of the data, so the e-mail system is incredibly robust. They have access to all the money in the world; do they really expect us to believe that all of her e-mail was on a laptop?

There is also FIPS 200, which is part of FISMA…  FIPS 199 (Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems) is a United States Federal Government standard that establishes security categories of information systems used by the Federal Government, one component of risk assessment. FIPS 199, along with FIPS 200, are mandatory security standards as required by FISMA.

FIPS 199 requires Federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability, rating each system as low, moderate or high impact in each category. The most severe rating from any category becomes the information system’s overall security categorization.

Just for grins and giggles, let’s assume that the IRS is really that deficient in IT talent. There is forensic software out there that can get e-mails and other data off of purposefully deleted drives or crashed drives. Often, data that has been removed by formatting the drive can still be recovered. If the NSA wanted it, they could get it!

My final thought on this; the IRS is supposed to manage Universal Healthcare.  All of your personal information will be out there at their disposal; umpteen millions of us will be out there.  Is she going to keep it on her laptop?

This “excuse” is an affront to anyone with a brain; much less anyone with any IT knowledge.

-Best

Attention #CEO #CFO #President #CIO and #hr

Here is some food for thought for you who own or control or have vested interest in corporations.

If you were to go to your CIO or your IS manager and ask the following; what would their response be?

  • Can you show me the network map?
  • Can you show me the documentation on the VLANs?
  • Can you give me an accurate inventory of the servers that we have including their age and configuration?
  • Can you tell me what is on each server or device and what it does?
  • Who has access to what on each server and who decides what that access is?
  • Can you tell me how they are connected to the network, is there a redundant path?
  • Can you produce an inventory of what software is on each server?
  • Can you show me the recent log files of each server and tell me about what concerns you have regarding what those log files say?
  • Where is the actual software that is on the servers and where are the license keys?

No Excuses!

You would be surprised how many Sysadmins tell me that they don’t keep the software, they just download it when they need it. Really? You have just had a disaster and your internet is down and will not be up for at least 72 hours; now what? Not only does it make sense to have the disk for this reason, but it takes time (valuable time) to go and find and download software. They have argued that what is on the disk is not the most current. Why not? Why have you not updated your Software Library? There is a lot to being a Sysadmin (SA); it is not about sitting on your butt in your office surfing the web, reading the news and updating Facebook while being annoyed by the occasional request for a password reset! Old software that is a few versions behind the curve is still better than none! Even if you “don’t have time” to keep your library updated, something is better than nothing.

Speaking of passwords, most companies really need a security officer and really don’t understand why. I have seen some Sysadmins that are so lazy that they assign passwords to people and then keep an Excel list of them on the server. These are not really Sysadmins because that is genuinely stupid. To open the company to so many different kinds of fraud, industrial espionage, and other forms of abuse of the system just because the guy does not want to be bothered with password resets is incredible. This guy would not be working for me as there is no excuse for this! I don’t care how “nice a guy he is.” Laziness and stupidity are a bad combination for a Sysadmin to have.

  • What software revision level are we at and is it the most recent? If not, why not?
  • Are Firmware rev levels kept up with and checked regularly?
  • Are the drivers up to date?
  • Can you produce a list of the passwords for each server?
  • What are the power requirements for these servers?
  • What are the cooling requirements for the equipment and are there any issues?
  • How long can we run if there is a power outage?
  • When is the last time that the batteries were changed out in the UPS’s?
  • Is each and every device in the server room labeled?
  • Is all networking cable installed in a manner that not only makes sense but looks like it belongs there vs. haphazardly plugged in on the run?
  • Can you show me a map of the switches, what port is doing what?
  • Tell me about load leveling.
  • Have all of the intelligent devices’ SNMP passwords been changed from the default?
  • If so, what are the passwords? If not, why not?
  • Are there traps being sent to a syslog server?
  • Who reads the logs, how often; and are there any concerns?
  • How are the concerns addressed?
  • Show me the notes from change control or change management meetings.
  • Are these notes managed in a responsible manner and are all changes noted in the living document?
  • What is the average age of the workstation on the floor/building?
  • Describe the policy regarding passwords. How often are they changed?
  • Describe your Hardware asset management strategy.
  • Describe your Software asset management strategy.
  • Who handles the maintenance on the HVAC in the server room?
  • When was the HVAC last serviced?
  • Tell me about your fire suppression.

It has been my experience, as an IT manager and a Disaster Recovery Specialist who does many audits, that the majority of Sysadmins do a horrible job of hardware and software management, much to the loss of the company and chagrin of the CFO.

Desktops last about 5 years, Laptops 3.  When they are put into service a clock should start running to replace it in X years.  You don’t want employees working on outdated equipment, and you don’t want to install new software on old computers as the license may very well die with the computer.

I have seen too many companies try to get everything they can out of a box.  Amortize the box and when the IRS says it is dead, let it go.  If there is a use for it in some non-critical function, “user discretion,” but add no more software and remove it from critical areas.

I have seen many people struggling along on a machine that is well past its usable life. Losing files or data, or waiting around for the machine to catch up, costs money. While it may be soft dollars, those soft dollars turn into real dollars quickly if you lose enough data and/or time.

I used to install older computers in the break room with internet access and the usual Windows and Facebook-type games. Employees could use them for their private needs before or after their shift or while on break or lunch, and they were non-critical and on their own VLAN where company data could not be accessed!

Not everyone in the company needs a full version of Office. A lot of companies have a standard load for all computers. That should be revisited as it is wasteful. While Microsoft would like you to purchase everything for every computer, that is simply lazy and wasteful.

Software and hardware management is in itself a job, and proper management of it will produce an ROI. It is also necessary in order to provide a budget requirement; the CFO might cringe when he or she sees the request, but at least it is planned and not a surprise!

  • What antivirus software is on them? How did you decide on that software?
  • Are the workstations locked down?
  • Do any users have admin rights? If so, why?
  • Are the USB ports locked down?
  • Are the CD burners locked down?
  • What ports are allowed through the firewall?
  • Is the firewall updated to the latest software?
  • Are traps from the firewall being sent to a syslog server?
  • Who has access to their workstation PC from home? Why?
  • Who has access to their home PC from work? Why?
  • What software is on each workstation?

I run an inventory program like Spiceworks or some other commercially available software, to obtain an inventory of all of the software on all of the boxes and then go through the task of identifying each executable.  I have found numerous Trojans and viruses, remote control software, games galore, software that was not licensed and oh yes, software that they used and did not know that they had as it was installed by previous regimes.  This type of activity is mandatory if you want to recover in the case of a disaster.  It is also mandatory if you want to be licensed properly and not have your neck on the line if some employee gets upset and calls the software police.

Recently the SBA has been advertising a lot, trying to get employees to snitch on their company. The rewards to the snitch are inconsequential as the penalties and fines to the company are enormous. Having that inventory and those licenses and even receipts in a safe place I would think to be a really good idea.
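The reconciliation step that such an inventory feeds, as an added example (not from the original post and not the output of Spiceworks or any other tool): constructed inventory rows are compared against a hypothetical license register and an approved-software list. The column names, register layout, product names and the one-seat-per-machine assumption are all illustrative.

```python
"""Reconcile a software inventory export against a license register.

All data below is constructed for illustration. The CSV columns and the
register layout are assumptions, not the export format of a real tool.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: one row per installed product per machine.
INVENTORY_CSV = """host,product,version
ws-001,Example Office Suite,15.0
ws-002,Example Office Suite,15.0
ws-003,Example Office  Suite,14.0
ws-003,Example Office Suite,14.0
ws-002,Example Remote Control,3.2
ws-003,Example Card Game,1.0
ws-001,Example PDF Reader,9.1
srv-01,Example Database Server,11.2
srv-01,Example Backup Agent,7.1
"""

# Constructed register: seats purchased and where the proof of purchase is kept.
LICENSE_REGISTER = {
    "example office suite": {"seats": 2, "proof": "safe, binder 3"},
    "example database server": {"seats": 1, "proof": "safe, binder 1"},
    "example backup agent": {"seats": 1, "proof": ""},
    "example cad package": {"seats": 5, "proof": "safe, binder 2"},
}

# Titles already reviewed and accepted that need no paid license.
APPROVED_UNLICENSED = {"example pdf reader"}


def normalize(name):
    """Lower-case and collapse whitespace so spelling variants match."""
    return " ".join(name.lower().split())


def load_inventory(text):
    """Return {product: set(hosts)}; duplicate rows for a host count once."""
    installs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        product = normalize(row["product"])
        host = row["host"].strip().lower()
        if product and host:
            installs[product].add(host)
    return dict(installs)


def reconcile(installs, register, approved):
    """Compare installs with the register, assuming one seat per machine."""
    report = {
        "over_deployed": {},    # more machines than seats purchased
        "missing_proof": [],    # licensed on paper, but no proof on file
        "unreviewed": {},       # installed, not licensed, not approved
        "unused_licenses": [],  # paid for, installed nowhere
    }
    for product in sorted(installs):
        hosts = sorted(installs[product])
        entry = register.get(product)
        if entry is None:
            # Unknown executables are where remote-control tools, games
            # and malware turn up, so list the machines for follow-up.
            if product not in approved:
                report["unreviewed"][product] = hosts
            continue
        if len(hosts) > entry["seats"]:
            report["over_deployed"][product] = {
                "installed": len(hosts),
                "seats": entry["seats"],
                "hosts": hosts,
            }
        if not entry["proof"].strip():
            report["missing_proof"].append(product)
    report["unused_licenses"] = sorted(p for p in register if p not in installs)
    return report


def build_report():
    """Run the reconciliation on the constructed sample data."""
    return reconcile(load_inventory(INVENTORY_CSV), LICENSE_REGISTER,
                     APPROVED_UNLICENSED)


if __name__ == "__main__":
    for section, findings in build_report().items():
        print(section, "->", findings)
```

The "unreviewed" list is the part that needs a person: each title on it still has to be identified and either licensed, approved or removed.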

Some companies are so cheap that they use free anti-virus software which is not worth what you paid for it. I fight viruses daily. Free is not an option. If you think that it is, you are deluded and clearly don’t know what you are doing.

Free software by definition cannot be maintained as well as commercial software.  Who in the hell has money to pay for programmers and security experts and then give the product away?!

Good Anti-Virus software is Patriotic

I made the argument the other night at a speaking engagement that it is actually patriotic to use good anti-virus software. Why? If millions of computers are taken over at the drop of a hat by some “bad guys” and they target, let’s say, the FAA or the FEDS, or some other institution, and are able to cripple the banking industry, or what have you, and your computer is part of the problem; what then? A Trojan could be sitting on your computer unknown to you, just waiting for the instruction to start a DoS attack. Stop being cheap and buy the damned software and protect your computer(s) from being controlled by “evil.”

If a government had more than two neurons firing in their collective heads, they would create a “government approved” anti-virus software and give it to its citizens. Now I know how that would be received by most; if I had a choice I would buy my own as I really don’t want anything big brother has to offer on my computer, but let’s face facts. You probably have things on your computer right now made by the Russian Mafia or worse! I am certain that a government grant could be created to support a group of “white hat hackers” to help keep America safe from cyber terrorism. If you do this, remember whose idea it was…

Here are a few more questions for you CIO/owner types who might actually have some skin in the game.

  • Do you have licenses for that software?
  • Where is that software?
  • Where are the licenses kept?
  • Can we prove that we bought a license for each and every piece of software in the building? If so, do it.  If not, why not?
  • How many employees use laptops?
  • Are they secure?
  • Are they encrypted?
  • Are USB drives or thumb drives that are necessary for business use, encrypted?
  • Do the laptops have up-to-date anti-virus software on them?
  • How old are they?
  • Do they use a VPN to get into the servers from outside of the office?
  • How secure is their VPN? What challenges, if any, are there?
  • Do you use security tokens?
  • Can you show me a map of the building depicting which PC is hooked up to which drop?
  • If you are using VOIP can you show me that same map for the phones?
  • Is the map updated as changes occur?
  • Describe your backup policies and procedures.
  • Where is the data being sent off-site?
  • Are we using the cloud for backup?
  • Walk me through the procedure of getting access to the data if this building is blown away.
  • Walk me through the procedure of restoring the servers in another location.
  • Tell me who can do this if the Sysadmin is not available?
  • Have we tested a restore of the data, if so when was the last test and where are the results; if not, why not?

These few questions and comments are off the top of my head and it took about ten minutes to list them.  There are plenty more but, this gives you a small flavor of the kinds of information you should already have and that I gather in a disaster recovery project.

The simple facts are that IT people are loath to document anything.  It is kind of like editing your own work, you know what you meant to say and your mind fills in the blanks.  Documentation should be written in such a way that a technical person not familiar with your company should be able to pick up the document and pieces and re-build your company without you there.

Often I am met with complete truculence and arrogance and lots of attitude by the IT staff of a company that I do a DR for. They don’t want me there as they don’t want me messing around in their sandbox. Truth be told, they don’t want the fact that they are remiss in their jobs to get to their boss, who thinks everything is running perfectly, until it isn’t!

About Me:

If you happen to watch or ever have watched Hell’s Kitchen or Kitchen Nightmares, or know who Chef Ramsay is, then you have a clue of who I am, without the foul mouth. I take IT departments and fix them, and I take no prisoners (no excuses). Not only do I fix the hardware and software components, but I fix the personnel issues as well. It may be a training issue or an employee that is a poor fit. It may be a lack of people as most companies try to run too thin on staff. There should be no one person who is sacrosanct. In a disaster you may lose them, so we need things documented in such a way that a rent-a-geek can restore your company. If there is no documentation, I create it. Through a test of the DR, we can then hone that documentation to a fine point.

I am a troubleshooter. Not only am I a problem solver; I have been in management of IT for a large part of my life. I get to the bottom of issues and take corrective action. IT is ancillary to the business. IT is a tool that has to be running smoothly, like a Swiss watch. Your job as CEO is to run the company, not IT. I have built data centers from the ground up, as well as re-built them while the business kept going, all over the country.

From data, fire suppression, HVAC, power requirements, UPS requirements, floor height, easy access to the equipment, MDF and IDF designs, data and voice, from the east coast to the west, from the north to the south. I have worked in Union areas of the country to the Wild West where “anything goes.” Been there, done that.

Go ask your IT people some of these questions and see if you are satisfied.  After 30 years in this business, I would be surprised if you were.

From me, or someone like me, among the deliverables, will be the documentation that so many just don’t do.  Without that documentation, you are playing with galloping dominoes. Your risk might be small as you yourself know something about it, or it may be huge in that you, like most who run a company, run it from 20,000 feet, through your management.  There are seldom any pleasant surprises in business.

Has anyone at your company done a risk assessment?  Where are you located geographically?  Are you in an area that is prone to earthquakes, Hurricanes or Typhoons? How about tornadoes or fire?

One of the largest risks to a company surprisingly is none of the above.  It is employee error.   I have worked for companies where the Owners were the issue.  One company had their child who played video games work on the equipment and of course screwed it up constantly.  Stay away from those companies as they don’t want to hear the truth.  Their child is perfect, knows everything about anything so it must be the fault of the internet or the software or something else.  I worked for companies where the owners themselves who ran the company, also thought they were the end all be all of IT.  Pride comes before a fall; and believe me, when you own a company you really don’t want to have that fall.  Stick to what you know best and leave the technical things that change daily to those that keep up with it.  We who know this stuff are constantly involved with forums and our peers.  What works today may not work tomorrow.  Unless you can devote your life to this, let those of us who do, do it!

“NO”

One owner takes a passing interest in the latest greatest through a magazine and orders or asks his IT guy to make it so. If you have a yes-man working for you, do yourself a favor and fire him. Your people who do this for a living should have the ability to say no. If they say no, you should listen to them. If you want a second opinion, call your VAR. If those two don’t jibe, call another. Bottom line is you never install REV 1.0 of anything into production, ever! If your guy can’t be honest with you, get real and hire a person who will tell you “no!” It may save you tens of thousands of dollars, if not your company. I have had yes men working for me in the past and got rid of them. I depend on Team Cooperation, and that means I need their input. While humbling oneself to listen to a subordinate can be a challenge at times, they may know something that you don’t.

I once worked for a guy who ran a company selling and servicing office equipment.  This was actually my first real job out of school.  The guy was from Georgia and had been a tank commander in WWII.  His manner was gruff, but he was sincere as the day was long.  We became close over the years as I have always made it a point to look at what successful people are doing, how they got there, and basically what made them tick.

He promoted me to the position of service manager of one of his locations.  He drove me over there to introduce me to the new team and show me around.  While on the road, he told me that one secret of a successful person is to hire people smarter, or at least as smart as you were.  To me, that was probably one of the most salient bits of advice that I could pass on.  That means that the man had humility and, also he must have thought something of me.

While I still struggle with humility today, I am aware of it and work on it.

Hours of Operation.

I had a guy interview with me. Towards the end of the interview, he asked me if there would be any overtime as he had obligations after work and on weekends.  This guy clearly had no clue about the job for which he was applying.  Hourly jobs are Burger King, not Sysadmin or Network specialist, etc.   We get paid well because this becomes the biggest part of our life!  If you are a 9 to 5 guy, don’t look at IT as a career.

As anyone who has been in IT any time at all can attest, this is not a nine-to-five job. One never knows when something will stop working and you are suddenly pulling an all-nighter to fix something. With VMware and the technology we have today, we can minimize that risk, which is something that we do through proper configuration of the servers, building in some redundancy and keeping up with the age of our hardware.

Once you get past a twelve-hour day, statistics show that you are much more error-prone, thus shooting yourself in the foot; and possibly the company. Best practice planning and implementation from the beginning mitigates this risk. Having up-to-date documentation as well as partnerships with VARs will allow you to recover faster, and employ fewer full-time people. Staff augmentation through a VAR is an excellent way to keep the number of FTEs down, but that relationship really needs to be solid.

If you want to experience what “cold running blood is,” come in late at night to update some software on the server, reboot it, and then you see the prompt: drive 0 not found. This was before the days of RAID. This was when ginning a server started with installing 25 5.25-inch floppies followed by a 12-hour compsurf. We have come a long way since then, and so have the folks who create viruses. This is one of the most dynamic industries that I am aware of. One really must be dedicated to be any good at this.

By dedicated, I mean just that.  Keep up with what is going on through periodicals, peers in the industry, and again I can’t stress this enough at least one good VAR.

On one of my data center re-builds a vendor was doing our cable plant. They ran long into the night and someone made a mistake. Instead of pulling the old data lines and stopping, they cut and pulled the phone lines as well. On another cable job that I was aware of, about 3 in the morning a 32 pair conductor cable got stuck. Instead of seeing why, the installer reared back and pulled for everything that he was worth. He snapped an ionized water line and flooded the computer room in a huge hospital. Water poured out of the elevator shaft like it was some sort of an elaborate fountain. Thank goodness that was not my job.

Much like driving less than 500 miles a day on vacation is a good idea, so is limiting the number of hours worked by each person, as mistakes happen. Make sure you have adequate staff to do the job, especially when you are taking on a new project. How do you do that? Proper project management methodologies and relationships with VARs… That is another story…

Here is an example of what a sysadmin is as defined by this site.

http://www.supportingadvancement.com/employment/job_descriptions/advancement_services/system_administrator.htm

ESSENTIAL FUNCTIONS:

The System Administrator (SA) is responsible for effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software and related infrastructure. This individual participates in technical research and development to enable continuing innovation within the infrastructure. This individual ensures that system hardware, operating systems, software systems, and related procedures adhere to organizational values, enabling staff, volunteers, and Partners.

This individual will assist project teams with technical issues in the Initiation and Planning phases of our standard Project Management Methodology. These activities include the definition of needs, benefits, and technical strategy; research & development within the project life-cycle; technical analysis and design; and support of operations staff in executing, testing and rolling-out the solutions. Participation on projects is focused on smoothing the transition of projects from development staff to production staff by performing operations activities within the project life-cycle.

This individual is accountable for the following systems: Linux and Windows systems that support GIS infrastructure; Linux, Windows and Application systems that support Asset Management; Responsibilities on these systems include SA engineering and provisioning, operations and support, maintenance and research and development to ensure continual innovation.

SA Engineering and Provisioning

  1. Engineering of SA-related solutions for various project and operational needs.
  1. Install new / rebuild existing servers and configure hardware, peripherals, services, settings, directories, storage, etc. in accordance with standards and project/operational requirements.
  1. Install and configure systems such as supports GIS infrastructure applications or Asset Management applications.
  1. Develop and maintain installation and configuration procedures.
  1. Contribute to and maintain system standards.
  1. Research and recommend innovative, and where possible automated approaches for system administration tasks. Identify approaches that leverage our resources and provide economies of scale.

Operations and Support

  1. Perform daily system monitoring, verifying the integrity and availability of all hardware, server resources, systems and key processes, reviewing system and application logs, and verifying completion of scheduled jobs such as backups.
  1. Perform regular security monitoring to identify any possible intrusions.
  1. Perform daily backup operations, ensuring all required file systems and system data are successfully backed up to the appropriate media, recovery tapes or disks are created, and media is recycled and sent off site as necessary.
  1. Perform regular file archival and purge as necessary.
  1. Create, change, and delete user accounts per request.
  1. Provide Tier III/other support per request from various constituencies. Investigate and troubleshoot issues.
  1. Repair and recover from hardware or software failures. Coordinate and communicate with impacted constituencies.

Maintenance

  1. Apply OS patches and upgrades on a regular basis, and upgrade administrative tools and utilities. Configure/add new services as necessary.
  1. Upgrade and configure system software that supports GIS infrastructure applications or Asset Management applications per project or operational needs.
  1. Maintain operational, configuration, or other procedures.
  1. Perform periodic performance reporting to support capacity planning.
  1. Perform ongoing performance tuning, hardware upgrades, and resource optimization as required. Configure CPU, memory, and disk partitions as required.
  1. Maintain data center environmental and monitoring equipment.

KNOWLEDGE/SKILLS:

  1. Bachelor (4-year) degree, with a technical major, such as engineering or computer science.
  1. Systems Administration/System Engineer certification in Unix and Microsoft.
  1. Four to six years system administration experience.

COMPLEXITY/PROBLEM SOLVING:

  1. Position deals with a variety of problems and sometimes has to decide which answer is best. The question/issues are typically clear and require determination of which answer (from a few choices) is the best.

DISCRETION/LATITUDE/DECISION-MAKING:

  1. Decisions normally have a noticeable effect department-wide and company-wide, and judgment errors can typically require one to two weeks to correct or reverse.

RESPONSIBILITY/OVERSIGHT –FINANCIAL & SUPERVISORY:

  1. Functions as a lead worker doing the work similar to those in the work unit; responsibility for training, instruction, setting the work pace, and possibly evaluating performance.
  1. No budget responsibility.

COMMUNICATIONS/INTERPERSONAL CONTACTS:

  1. Interpret and/or discuss information with others, which involves terminology or concepts not familiar to many people; regularly provide advice and recommend actions involving rather complex issues. May resolve problems within established practices.
  1. Provides occasional guidance, some of which is technical.

WORKING CONDITIONS/PHYSICAL EFFORT:

  1. Responsibilities sometimes require working evenings and weekends, sometimes with little advance notice.
  1. No regular travel required.

———————————————————————————————————

This is close, but I would add to this list… I see nothing in this description about documenting anything.  Maybe that is why it is not done in so many places?  Does your SA do this type of thing?

-Best

Cell phone / tablet

I have decided that the cell phone needs to be redesigned. Apple and others need to make the phone in such a way that the battery can be replaced by the end user.

These things cost hundreds of dollars and the “normal” person is ill-equipped to replace their battery. Secondly and most importantly, I want to make sure the damned thing is off when I turn it off! If I can remove the battery, I know it is indeed off. Currently these phones, tablets, and other smart devices could be hijacked by who knows who and used for nefarious purposes.

Apple, Samsung and the rest need to make this happen!

While I would truly love to have an app that would tell me what my phone is doing or has done, I am not certain that the app (log) could not be circumvented by the hijacker. The only way to know for sure is to “kill” it!

Without electrons it cannot be hacked. Maybe people will think I am being paranoid, but I am a security guy so paranoia to some extent is a good thing. Trust no one or nothing that you don’t have 100% control over.

These devices accompany us everywhere. They live in our bedrooms, bathrooms or wherever, and if hijacked, video and/or audio could be transmitted to who knows where!

Give me a replaceable battery Apple! I don’t need a new $400 phone and a new contract every 2 years, I need a $10 battery!

-best

Scam Trifecta

Are you getting the idea that this is rampant…

Here are three that each tries to get you “me” to open that attachment!

Notice the enticement that they try to use…

This is some sort of sales order that I am to look over…

Oh no, the better business bureau is after me, I had best open the document to see what is up…NOT

From somewhere I have received a fax, but not on my fax machine….Think I should see what this is about????

It doesn’t stop with BS e-mails but also comes in the form of phone calls via people fishing for information. Today I got a call from someone telling me that they are able to keep the IRS from enforcing my tax lien… “Oh good!” Wait, I don’t have any stinking IRS problems… Think I should give them my social security number to check “just in case?” Holy crap, it never ends! Some people fall for this stuff and that is why I am here today… Don’t! Tell your friends, family and neighbors and countrymen… LOL

If you find any of this useful, spread the word for me. Sometimes I feel like I am typing all this simply to amuse myself….

-Best to you and those that you care about.