Skip to content

Computer Security 101 - Part 8 - Malware

I might as well just come right out and say it upfront, during Part 2 of this series on Computer Security I lied when I spoke about the most common methods a malicious person uses to get a user's password. In this day and age of rapid information and application sharing, the number one method of gathering user passwords is through viruses and spyware. I would hazard a guess that it is also the number one method of gathering information for identity theft as well.

I am sure that some organization or another has put together specific definitions of what constitutes a virus versus a bot versus something else. For simplicity sake I'll provide my own definitions:

Virus - any malicious program capable of automatic self replication between computer systems, either through network links or removable media. Viruses can range from harmless pranks to programs that destroy computer files.

Spyware - any computer application or portion of an application that is designed to gather personally identifiable information from a computer. This can range from gathering the information on what websites you visit to recording usernames and passwords entered into various programs or websites.

Adware - any computer application designed to automatically display advertisements on your computer or redirect your web browser to alternate (competitor's) websites from the page you intended.

Bot - any computer application designed to perform nondestructive tasks on a computer system without the user's intervention. Bots can range from small programs that download and install other programs automatically (without the user's knowledge) to programs that perform coordinated attacks on Internet websites.
Continue reading "Computer Security 101 - Part 8 - Malware"

Computer Security 101 - Part 7 - Personal Firewall

I already covered firewalls during part 3 of my computer security series, but now that we are focusing on desktop security we once again have to review the subject. For part 3 the firewall topic was in regards to the perimeter, or network; which is usually a hardware based device. In part 7 the topic is desktop or personal firewalls.

I won't bore everyone by going into detail on firewalls again, but if you have not done so already, please read the original topic Computer Security 101 - Part 3 - Firewalls. Instead, I will be covering the importance of having a separate personal firewall on each and every desktop computer.

To most people, including many industry professionals, a personal firewall is considered overly redundant. There is a hardware based firewall keeping your network secure already, why would someone want a firewall running on their local computer? It is also an extra application running on the computer, taking up resources and slowing everything down. So why have one?

Continue reading "Computer Security 101 - Part 7 - Personal Firewall"

Computer Security 101 - Part 6 - User Permissions

I skipped ahead in Part 2 of my Computer Security 101 entries to cover passwords, or rather passphrases, despite it falling out of line with an outside-in approach to security. Entering into the actual desktop arena, I am going to skip ahead of a few items to cover the important field of User Permissions.

Assuming you have followed the best practices I have outlined previously in parts 1 thru 5, in order to gain access to a desktop a malicious person would need to either bypass your firewall, hack your wireless, plug a hard-line into your network or be sitting directly at a workstation. From there they would then need to begin cracking the various passphrases on your computer or network to do any major damage. While these are all possibilities, they fall in the realm of highly improbable; again, assuming you have followed the prior posted best practices. Instead the real threat comes from you: the user.

I'm not referring to malicious users, but rather the unintentional threats presented by your own daily activities, curiosity and, to a lesser extent, lack of knowledge. It is here that the greatest potential for attack on a computer system lies. It is here that most breaches in a system occur. Here be users.

Continue reading "Computer Security 101 - Part 6 - User Permissions"

Computer Security 101 - Parts 1 thru 5 - FAQ

Using the outside-in approach to computer security, we are now at a point to begin covering the actual computer systems. Before we get to that, I thought it prudent to put up a simple FAQ covering the common questions and/or concerns from parts 1 thru five 5. Well, really 2 thru 5, seeing as part 1 was the introduction.

This FAQ mostly covers home network security and does not replace reading the actual articles in this series, or getting help from a professional if you are completely inept in the field of computers.

1. Why are passwords important?
Passwords provide a means of proving your identity to a computer system. Without having this method of identification, everyone could pretend to be anyone they wished and the world would quickly fall into chaos, until someone finally pretended to be the guy with permissions to launch nuclear missiles; at which point the world would just end. This is all very bad.

2. How do passwords help protect me?
As mentioned in item 1, passwords provide a means of identifying you as you, rather than someone pretending to be you. Secondly, passwords are used in some systems to encrypt data so that if someone were to look at a file without the password it would appear as gibberish.

3. What is a complex password?
While the exact measurement of a complex password is system specific, the general rule requires that a password contain at least eight (8) total characters. Of those eight characters at least one must be an uppercase letter, at least one must be a lowercase letter, and one must be a number or other non-alphabetical character. This is the base guidelines, and to be honest are quite antiquated. Realistically, a password should contain at least 13 characters, with the other rules staying the same.

4. How often should I change my password?
Passwords should be changed at least once every three months, depending on what the password is for. Passwords used for more sensitive information should be changed more often than passwords used for nonsense; as an example the password to your online bank account should be changed at least once every two months, while the password for your Netflix account would not be as critical and could be changed every three months (unless you save credit card information in your Netflix account at which time it becomes more critical). Your passwords should also be changed anytime you suspect any of your accounts to have been hacked or your computer becomes infected with a virus/spyware (once the virus has been completely removed).

5. Can I write down my passwords?
Do you leave the keys to your car dangling from the door handle in the bad section of town? That was a rhetorical question. The answer is NO.

6. How do you expect me to remember all these complex passwords that change so often?
I don't. I expect you to use passphrases instead.

7. What is a passphrase?
Passphrases are sentences, phrases, exclamations or questions that are used in place of complex passwords. Passphrases are easier to make complex and are generally much easier to remember. "My6catsareallSiamese!" Often passphrases can include spaces, making them even easier to type. "My 6 cats are all Siamese!"

8. What is a firewall?
A firewall is a device (hardware or software based) that restricts certain types of traffic from entering or leaving a network.

9. Why do I need a firewall?
There are bad people in the world who think it is fun to screw up other people's lives. There are also people who want to steal from you. And then there are people who are just nosey and want to snoop. If these people can get to your computer they can do all sorts of bad things such as deleting all your files, stealing your bank account and credit card information, stealing incriminating files from your computer (nude photos, etc), or just using your computer to send out spam email messages. Firewalls can help keep these people from getting to your computer from the Internet.

10. Why should I restrict outbound traffic on my firewall?
There are many ways for bad people to get to your computer and firewalls do not stop all of them (i.e. malware and viruses). Once your computer is infected with a simple piece of malware it can be used to download more dangerous software from the Internet. The malware can also turn your computer into a tool for the bad guys, such as by using your computer to send out spam email messages or attack other computers. If you have ever wondered why it is so hard to catch the bad guys on the Internet, it is because they use "innocent" people's computers to do their dirty work. Restricting outgoing traffic across a firewall can help stop these things from happening.

11. What ports do I need to allow for email?
Some ISPs use alternate, or nonstandard, port numbers for their email, but for most you will need to allow outbound traffic on port 25 for SMTP and port 110 for POP3 (both are used, the first to send, the second to receive emails). You should also restrict which external Internet addresses (IP Addresses) these ports are allowed to connect with, so that you don't inadvertently allow the bad people to use your computer to send out spam emails (see question 9 above).

12. My wireless router came with WEP enabled, isn't this secure?
No. WEP is not secure. WEP is akin to locking the screen door on your house and thinking no one can break in.

13. What security option should I use on my wireless router?
WPA2 (Wi-Fi Protected Access 2) with AES (Advanced Encryption Standard) is currently the most secure wireless option. If you have a very old wireless device that does not support WPA2, your next best option is WPA, although you should check with the manufacturer for firmware updates to bring it up to WPA2, failing that you should replace your wireless device.

14. What is the SSID?
Service Set Identifier. The SSID is a nice friendly name used to identify a wireless network. This allows you to connect to "MrMoms Network" instead of some long convoluted string of hexadecimal characters.

15. Why should I turn off SSID broadcasting?
In order to connect to a wireless network, you have to know the SSID. When the SSID is broadcast, everyone in range is told what it is. By disabling SSID broadcasting you have added an additional level of protection to your wireless network and helped to prevent nosey people from "just browsing" through your network.

16. My son/daughter/niece/nephew/neighbor's kid said I don't need to do X.
Not really a question, but if X is something I said to do above or in one of the related articles: your son, daughter, niece, nephew or neighbor's kid is an idiot. If they happen to be a CISSP and have a better alternative solution to put into place, then by all means listen to them. Otherwise, I stand by my calling that precious little bundle of joy an idiot and adamantly state that you should not listen to them.

Computer Security 101 - Part 5 - Wireless

Odds are in favor of there being a wireless network in your home or at your work. Actually, odds are in favor of there being a wireless network located at both your home and work. Even if you are one of the oddball people who do not have a wireless network setup, there is probably one broadcasting into your home or office from nearby. Wireless networks are almost everywhere and the numbers are continuing to multiply fast. Exponentially even.

In the dark ages of wireless (about a year and a half ago) there was about an 80% chance that any given wireless network was completely unsecured. Now I would gauge it at around 70% of wireless networks having inadequate security and 40% remain completely unsecured. Yes, I pulled those numbers out of my proverbial ass; but if I count the number of wireless networks that I come into contact with daily (that are outside of my control), those numbers are just about dead on.

While 40% down from 80% shows that there has been a drastic improvement in wireless security awareness over the past couple years, it is still enough to keep a person up at night. As with all things security related, I blame a lack of knowledge and lack of caring as the reasons those numbers are not down to under 10%. So let's start with the reasons for not only securing your wireless network, but ensuring it is secured properly.
1) Illegal Activities - In today's world where everything can be tracked and traced in some manner or another, it just makes sense to not use your own Internet connection if you are going to perform some sort of illegal activity. Hackers know this. Pedophiles know this. My former IT Director who tried to bring down the company network after he was fired knew this. Instead of using their own Internet connections to perform these illegal activities, they connect to one of the many unsecured wireless networks and let their activities get traced back to some unsuspecting dupe (that would be you). Of course they would have to be smart enough to change their computer name and MAC address to not get caught, but that is another story.

2) All Your Base Are - Continuing the thoughts from reason #1 above into why adequate security is necessary; if someone is going to attempt to break into a network illegally using the Internet and they are smart enough to use someone else's Internet connection to do so, I am willing to bet the farm that they are smart enough to hack a WEP secured wireless network. Although saying "WEP" and "secured" really is an oxymoron.

3) Easy Network Access - The easiest method to gain unauthorized access to a company network is through social engineering. The second easiest method, and easiest method for a home network, is through unsecured wireless. Why not just start asking people driving past if they would like to come inside and use your computer?

4) Internet Bandwidth - The speed you access the Internet is not unlimited, despite how much faster your cable modem is versus your previous AOL dialup. The more traffic running across that connection, the slower your web surfing is going to be. There are also plenty of Internet service providers who are looking at changing their billing model to include over-bandwidth pricing; meaning if you use more than what they consider your fair share of the Internet, you pay more. Now why would I want to jack up my Internet bill downloading all those adult movies when I can just attach to your wireless and make you pay the bill?
The list goes on, but these are some of the bigger reasons for properly securing your wireless network. The really nice thing is that securing a wireless network is about the easiest thing you can do. The bad thing is all the oddball circumstances that crop up in the course of normal business that have kept many companies from securing their wireless access. Being a heck of a nice guy I will cover both sides: the straight forward secured wireless network and securing a wireless network under oddball requirements. But first up, let's take a look at the various methods available to secure a wireless network.
Turn Wireless Off - I would like to say I am surprised at the number of people and companies who have a wireless network and do not even know it. Rogue Wireless Networks. I am not really surprised because I know the sheer number of devices that arrive from the manufacturer with wireless turned on. Purchase a new router for your home network? Probably has wireless built in and turned on. Have a DSL Internet connection? The new DSL modems have built in firewalls, switches AND wireless; and wireless is turned on by default. Basically, turn off wireless on each device you have if it is not needed. If you are not positive beyond any reasonable doubt that it is needed, turn it off. Something will either stop working or someone will complain if it really was needed.

Segment Wireless Networks - Hopefully you have read my previous entry entitled Computer Security 101 - Part 4 - LAN. If you haven't, go read it now. Very few businesses use wireless networks for daily operations. Very few homes do for that matter. Wireless is either accidentally left on or is put into place to meet some need or another. Usually that need is Internet access for someone with a laptop who has enough pull to make your life miserable. The beauty here is that they do not need access to your entire network, just a small section of it. Through network segmentation (you did read the article I just listed, right?) you can limit the access that particular wireless network has to your overall network and effectively mitigate many security threats in doing so.

Disable SSID Broadcast - According to some silly 802.11 standard or another, wireless devices send out a broadcast beacon. Part of this broadcast beacon is the SSID (also the channel number, but if you see the broadcast you already know the channel number because, well, you see the broadcast. See how silly 802.11 standards can be?). In order to connect to that wireless device, you need to know the SSID. If you turn off the broadcasting of that SSID you require anyone who wants to connect to your wireless network to already know the SSID. Ingenious, right? Of course you also need to set the SSID to something not easily guessed, but we'll get to that in a minute.

MAC Address Filtering - A MAC (Media Access Control) address is a hardcoded 12 character hexadecimal code set into all Ethernet devices by the manufacturer that are required to be unique for each device (another one of those IEEE standards). Most wireless devices have the ability to limit which MAC addresses are allowed to talk to it. If a device connects with a MAC address not on the list, it ignores the device. Pretty simple. Except MAC addresses are easy to spoof (pretend to be). MAC Address Filtering is a pain to setup because it needs to be maintained and is lacking on its own. In combination with other methods of wireless security it will help to protect your network, but it is still an administrative nightmare to maintain for a business and rarely worth the extra protection provided.

WEP Security - Wired Equivalent Privacy. Useless security option. Really. Most of the new DSL modems I have seen recently have WEP turned on by default (along with wireless) so the company can pretend to have cared about your network security and not get sued. Of course any computer security person would shred that argument in court, so they are depending on people's ignorance to save them from a lawsuit when someone hacks the wireless network they left on by default. WEP is useless.

WPA and WPA2 - Wi-Fi Protected Access. Another set of those 802.11 standards. WPA is the old standard that made use of TKIP (Temporal Key Integrity Protocol); and was designed to replace WEP without much fuss. Unfortunately, people were able to crack the WPA-TKIP standard in 2008. Luckily, the Wi-Fi Alliance people adopted a new 802.11 standard in 2006 that became known as WPA2-AES (Advanced Encryption Standard). The difference between the two standards really is in the encryption algorithms used. Basically, use WPA2.

Pre-Shared Key (PSK) or Personal Mode - Pre-Shared Keys were introduced with WEP and carried forward into WPA and WPA2. It is a passphrase set on any wireless access point that is used to partially encrypt the data sent wirelessly. I say partially, because the encryption actually changes once the connection is established. You can read up on the entire 802.11 IEEE standards if you really care about useless information, or just want to hit that homerun during your next technical interview. Anyway, all wireless devices are supposed to support PSK and it is more than adequate for personal home networks (hence the Personal Mode pseudonym) and even most businesses; assuming the passphrase is sufficiently complex (getting to that in just another moment).

RADIUS Server or Enterprise Mode - Sometimes mistakenly called EAP or Extensible Authentication Protocol (PSK above is a flavor of EAP, hence the mistakenly part). Enterprise mode uses a RADIUS server like Microsoft IAS or Cisco ACS to provide the authentication methods for wireless connections. A pre-shared key still exists between the RADIUS server and the wireless device, but it expires after a preset period of time and is changed out automatically. This is the mode to use for any business with a RADIUS server.

Strong Passphrases - Every wireless device has at least three passphrases that can be set. The first is the one used to access the wireless device in order to make configuration changes. The second is the SSID. The third is the Pre-Shared Key (may not be used though). Treat each of these as a secure passphrase. Each of these passphrases should be unique from one another. Each of these passphrases should be exactly that, a passphrase instead of a password. Each of these passphrases should be complex in nature, meaning include at least one upper case letter, one lower case letter and one number or symbol. Each of these passphrases should be at least 16 characters long. Do not use your name or your company's name for any of these passphrases. Read my entry entitled Computer Security 101 - Part 2 - Passwords if you have not done so already.
Wireless security is constantly changing and improving, as well as having previous methods become weakened or obsolete. A few years ago you would probably have been told an eight (8) character password was sufficient to protect against a brute force attack, two years ago it would have been 13 characters, now I personally recommend 16 character complex passphrases (thanks in part to GPU offloading). There are also newer features put forward by the Wi-Fi Alliance that will automatically configure wireless security between devices using various methods. All that being said, let's actually cover the concrete security methods that should be put in place.

First thing is first. Shutdown all wireless access points and routers that are absolutely not needed. Move onto the next step if you are doing all this for your home or a small office (two paragraphs down); otherwise grab yourself a laptop with a wireless card and start walking your perimeter. You will want a wireless card that supports at least 802.11 b and 802.11 g network standards; 802.11 n is currently an added bonus, but is increasingly becoming a requirement. As you walk around refresh the available wireless network screen and see what you see. Write down each and every wireless network you find and the locations you find it in. Write down the SSID if it is available. Write down the security level (WPA2-AES, WPA-TKIP, etc) that each wireless network lists as being used. Connect to unsecured wireless networks and see if it is part of your network or perhaps something from the Starbucks next door. There are free tools available on the Internet to help in all this (mostly for Linux, but still plenty for Windows), just don't spend any money.

Now that you have identified all the Rogue airwaves (not necessarily Rogue Networks) in your company space, see what you can identify. Use a little common sense in this practice. If a wireless network is strongest in the eastern region of your building, talk to the departments in that area. If there are other companies in the Eastern region, see if they are running wireless. Pretty simple stuff. Once you identify all that you can identify, the rest is considered a Rogue Network and needs to be found. Again, there are freely available software applications and instructions elsewhere on the Internet (like making a focused antenna with a Pringles can). Find these Rogue Networks (assuming they are actually on your company's network) and eliminate them.

Assuming you need a wireless network to not be shutoff, the next thing to do is setup an actual secured wireless network. The best possible combination of security layers available is to segment the wireless network (at work, probably not home), use WPA2-AES protocols, disable SSID broadcast, and use strong passphrases (complex and 16 characters or longer). A company that has a RADIUS server should make use of Enterprise mode WPA2. Discuss with whoever handles your RADIUS server as to which EAP types are available. Everyone else has to use EAP-PSK, or Personal mode; again with a strong passphrase. MAC Address filtering provides very little added benefit at this point, so ignore it. It would be like putting an umbrella over a submarine to protect against the rain.

There. Done. That is currently the best configuration available for an active wireless network setup. The problem is each device (laptop, PDA, tablet, etc) that is going to connect to the wireless network must be setup now. This is generally not a big deal as it requires each device to only be setup once (set-and-forget). The real problem comes from C-level executives who believe they are tech-savvy and, worse still, salespeople (regardless of their tech level).

Both of these groups of people generally have no idea why they need an IT department to begin with. All those damn geeks do is make things more complicated than it needs to be. They do not want to call IT when their 4 year old is using mommy's laptop in the office and needs wireless access, or when a salesperson has a client in who needs to check their email. This is where wireless becomes unsecure once again. Ideally there is a strong CIO (CSO would be even better) who will insist that policy is policy and the wireless has to remain secure. Even without that CIO you still have a few things you can do to keep your network secure.

The first thing to do in the above scenario is to pick a good location for the "open" wireless. Conference rooms near the center of a building between floors two and five are excellent choices (first floor gets the most non-work traffic. Too high up in a building and, because of signal bounce, you can become a radio station broadcasting to the world). Picking locations like this for open wireless access points will reduce the likelihood of outside persons gaining access to your wireless network. Some wireless routers and access points offer further assistance here by allowing the signal broadcast strength to be reduced, thus decreasing the distance available to connect to the wireless network. Almost every sales person or C-level exec will be satisfied with someone telling them "There is wireless available in the third floor conference room," as opposed to not at all.

The next step is to segment the open wireless network from the rest of the network. As much as is possible that is. A little guided research is required to discover what the use of the wireless network will be. Leading questions are great here such as, "I can setup the third floor conference room for wireless Internet access. Will that work for your sales team?" The answer will be "yes" and you can segment that wireless network from everything but Internet access.

The last step is to turn off the wireless. A good majority of commercially available wireless routers have some sort of scheduling built-in. This can range from allowing wireless access during certain times on certain days, to perhaps blocking certain Internet protocols (block any any) during certain times of the day. These functions can be used to restrict the wireless access to business hours only, which increase the wireless security level slightly (only the truly bold are going to connect illegally to a wireless network when the IT staff is there and alert).

Under normal circumstances the obvious choice is to put into place the most secure wireless settings possible. Failing that, virtually ever business scenario for not having restricted wireless access can be mitigated by combining the various methods of securing a wireless network listed above. A little thought process combined with a few leading questions and you can once again sleep soundly at night.

Computer Security 101 - Part 4 - LAN

Continuing the outside-in approach to security, once you make it past all the routers, firewalls and Demilitarized Zones (DMZ) you eventually come upon the local area network, or LAN for short. Stop! Hold it! Router? DMZ? Why didn't this stuff get covered? How can we possibly move on when I just mentioned two things that were not covered on the way in from the Internet?

The short answer is that they were covered, just not spoken about directly. As I mentioned during Part 3, a firewall is a specialized router. If you are using a router as part of your security approach, you are using it as a firewall. As to the whole DMZ thing, well that is just the area of a network that lies between the Internet and your local network. This is usually the "optional" network port off of a firewall or, ideally, the space between an external firewall and an internal firewall. There. Happy now?

For the majority of computer networks out there, your entire network is your LAN. A good chunk of companies have wide area networks (WAN) of one flavor or another, but with technology the way it is these days, the wide part has gotten really thin. Without a geographic map for a guide, it has become increasingly more difficult to tell the difference between a local resource and a remote resource. In effect, a WAN should be treated as just another segment of your LAN.

You might have noticed that the word segment was a link up there. That's because segment is an important word when it comes to LAN security and I wanted to make sure everyone knew what it meant. The first definition listed will do. A segment is just a section or part of the whole. Nothing overly technical about that. It is important because segments are what help secure a LAN.

In order to understand this, we need to delve into a little technical mumbo-jumbo. All networks have some sort of addressing scheme, Internet Protocol (IP) addressing is the most common (FYI, there is NO SUCH THING as TCP/IP addressing, there is only IP addressing), so we will use IP addressing for this example. Every device on a network has some sort of address attached to it, again, usually an IP address. In order to talk to a device from your computer you need to have that device's IP address. With me so far?

There are three main ways to get a device's IP address. The most common method is through domain name service resolution (DNS). DNS is the IP address resolution method of the Internet and most networks. It basically works like calling telephone directory information to get a phone number. Your computer knows to dial 411 when it needs an address; the DNS server is the operator that answers 411 and tells your computer what the IP address is for a given device.

A second, older method of getting an IP address for a device is through WINS resolution. WINS has been made obsolete by DNS, but there are some networks out there that continue to use it for one reason or another. WINS works in the same way as the DNS-operator analogy above.

The last method of your computer finding an IP address (that it does not know already) is to send out a broadcast. Most network communications are unicast, meaning one device to one device. Basically like a normal phone call. Broadcast is a scream out to an entire network segment, meaning one device to every device. It is comparable to a mom in the grocery store whose 4 year old has wandered off to the cereal isle. Everyone knows little Timmy is missing.

Broadcasts might be good to find little Timmy in a grocery store, but on a network they tend to be bad. When mom screams out "Timmy" in that oh-so-shrill voice of hers, EVERYONE stops what they are doing and looks up. Broadcasts on a network are the same way, every device has to take the moment to recognize the broadcast and either ignore it, or respond. The primary security problem is in that response, notice I did say primary though.

We'll use another example to see exactly what the problem with that response is. In this example Timmy is a little mentally slow (all the screams from his mom melted his brain), but he is carrying a knapsack with $1,000,000.00 in it (Timmy is very strong). Timmy is someplace in a clothing store; in order to get that cool million bucks you just need to find Timmy. Clothing stores are generally wide open areas, with little to block sound, so when you yell out, "Timmy," he is going to respond back with a nice loud, "Here!" As I said, he is a little mentally slow, so he'll respond to anyone saying his name. One million dollars in the bank later and you are a happy camper.

Now what if Timmy was someplace in a multi-floor, multi-company office building? Walk through the front door, yell out for the kid, and you are not getting anywhere. Oh, you might get really lucky and find him standing there in the lobby, one finger in his nose, the other scratching who-knows-what; but given the number of floors, companies and rooms, the odds are against you. Makes it a lot more difficult to find that million dollar prize. Also, the more you wander the building yelling out for Timmy, the more likely someone is going to take notice and have you escorted away by security.

Relating Timmy's story back to your network, if your LAN is one big happy segment (the clothing store) with all the devices on that same segment and a hacker gets onto your LAN, it makes his life really easy to find the million dollars by using broadcast shout outs. If you divide your network up into multiple segments (the office building), you just made the hacker's job a lot more difficult. Just like with the office building, the more the hacker has to wander your network to find something, the better a chance of getting caught or, at the very least, leaving a nice trail of breadcrumbs back to them.

The second security problem with broadcasts is that everyone looks up to see mom screaming before ignoring her again. It is only an instant of time, but imagine if the grocery store was full of 1000 screeching mothers looking for Timmy. Not much shopping is going to get done in that grocery store. That is the equivalent of a broadcast attack on a LAN. Not very common, but it has happened and will bring a network to a screeching (pun intended) halt. Segmentation helps with this as well.

The better you can isolate sections of your network from one another, the more secure your LAN becomes. This is done by using subnets, which is the IP address way of breaking up a network into segments. You can think of a subnet as a telephone area code, limiting which numbers are available before you have to change to another area code. In order to do this, and make it count, you will have to use switches instead of hubs (if you are not already). You will also need to ensure your switches are not set to forward broadcast packets (usually the default setting), but are set to relay DHCP requests to a DHCP server (as needed).

Subnets can be either physically broken up networks or more practical Virtual LANs (VLAN). In the physical world, you would decide that everything attached to Switch-A belongs to Subnet-A, Switch-B to Subnet-B, etc; and then place some type of routing device between each. That can mean a lot of pieces of physical hardware. Explaining VLANs fully is a bit beyond the scope here, but using VLANs (which most modern switches support) you divide up each switch into multiple subnets based on different criteria; usually the jack number on the switch (for untagged) or with tagging. As a result of not needing tons of extra hardware, VLANs are a much more practical approach to segmentation.

Through proper network segmenting you can not only provide for a more secure LAN, but also speed up network traffic across your network. If you know accounting uses only one server and little else, you can move that server directly to the accounting subnet. You can also control what information is passed by a DHCP server to each subnet; allowing you to set everything from which DNS server a given subnet uses, to stopping Internet traffic for one particular subnet. Combine that with the above broadcast scenarios and segmentation becomes a very good thing for increasing your LAN security.

Computer Security 101 - Part 3 - Firewalls

When it comes to computer and network security, I believe in an outside-in approach. Start as far away from your computer as possible and work your way back, putting up as many roadblocks in the way as you can. This approach has served me well in the past, and will likely continue to do so in the future. And so we will continue delving into computer security at the network perimeter with the firewall.

Before we begin I should point out that passwords were covered first and foremost due to their very nature. That is to say, everything has passwords of one sort or another. Firewalls included. So it would have been negligent of me to not cover passwords first. Now we can move on. Thank you for your patience.

There are a lot of people out there who do not know what a firewall really is, let alone understand what it does. This group of people includes many IT professionals, even very seasoned professionals. I often get a look of disbelief during technical interviews when I am asked about experience with a particular firewall or another, because I always respond with something along the lines of "a firewall is a firewall."

Usually my resume is directly in front of them and lists my Check Point Certified Security Administrator NG, Cisco Certified Network Associate, and Certified Information Security Manager certificates; as well as a plethora of various hardware that I have worked on (such as PIX or Watchguard firewalls). So when the person across the desk asks me if I have experience with a Sonic firewall, well, "a firewall is a firewall" is about as polite an answer as I can give. Sometimes I just blow the interview right there and go into sassy mode. But I digress.

A firewall is a firewall is a firewall. Period. Some are better than others, but they all do the same basic thing and are configured the same way. The interface might be different, but just because one car has a digital speedometer does not make it any more difficult to drive than one with a standard needle (analog) speedometer. Let's dive in to what that same basic thing is.

In the beginning we had routers. Routers route network traffic. Then someone said, hey, let's make a specialized router that does the same thing, only less of it, call it a firewall and charge additional money for it. Thus the firewall was born.

If you were to think of your network as a company, with the computers as departments and the software running on the computers as people; firewalls would be the mailroom. Any type of parcel has three things that are readily available to be seen: 1) The address the parcel was sent to, 2) The address the parcel came from, and 3) How the parcel was delivered (FedEx, UPS, USPS, etc). A good mailroom looks at these three things and determines what to do with the parcel. Simple and easy.

A mailroom example of what is taking place with that parcel: A letter arrives addressed to the CEO of the company, there is no return address, and the letter arrived with a bulk mail (USPS) stamp on it. What do you think the mailroom is going to do with that letter? Were I a CEO, I would fire a few people for delivering junk mail to me; thus the mailroom might trash the letter outright or they might decide to deliver it someplace else, say the CEO's secretary (sorry, administrative assistant). It really would depend on the instructions given to the mailroom, right?

Next a big brown box arrives that is addressed only to the company itself. The box arrived via UPS ground. A good mailroom is going to look at the packing slip to find a little more information. They immediately notice the parcel arrived from Dell Computer Corp, and move the box on down to the IT department without a second thought.

Mailroom gets a letter for Jane Smith, well there is no Jane Smith here: RETURN TO SENDER. And the mailroom never accepts C.O.D. parcels.

This is exactly what a firewall does. It is behaves like a good mailroom staff with instructions on what to do with each parcel that arrives; only it deals with data as its parcel. There are three things that are readily available to a firewall: 1) The address the data is sent to, 2) The address the data came from, and 3) What port the data is being delivered on. Simple and easy.

Configuring a firewall is about the same as giving instructions to the mailroom. "Only allow marketing to send out bulk mailers." "Anything that comes in from Dell goes to IT." "Only John can send out packages using the freight company." Etc, etc. The only differences are in what the address looks like (hint, it's an IP address instead of a postal address) and instead of saying "UPS Next Day Delivery," we use port numbers.

The bulk of setting up a firewall comes before you even touch it. Before you can set it up, you need to know what the instructions are going to be. The best instruction is always return everything to sender that comes in and don't let anyone use the stamp machine to send out. In firewall terms, this is "deny any any". It should always be your starting point; everything else gets built on top of that and creates a pecking order for what happens with the data parcels. This works for a firewall just like a mailroom: John can use the stamp machine. You are not John; therefore you get denied the use of the stamp machine.

Coming up with the instructions to give the firewall are relatively easy, but usually takes a few minutes to do. It involves a little research to see what software applications are used to do what on your network. This includes sending and receiving email, browsing the web, running a SageTV placeshifter server or playing online games. If something needs to talk to the Internet, it needs a rule for the firewall. You just need to figure out (look up) what those rules need to be.

A few simple guidelines for setting up rules:

1) Permitting all outgoing traffic is a very bad thing. So don't do it. Spend the 15 minutes to find out what traffic needs to go out and to where.

2) If you have a dedicated email server, it should be the only thing on your network that can send or receive email. That is to say that POP3 (port 110) and SMTP (port 25) should only be permitted to and from that server.

3) If you do not have a dedicated email server (meaning you get your email from your ISP) you should block incoming SMTP & POP3, and allow outgoing SMTP & POP3 **ONLY** to your email provider (these are the addresses that look like that you put into Outlook when you setup your email account).

4) If you have a dedicated DNS server, it should be the only thing on your network that can send out DNS lookup packets (port 53).

5) If you do not have a dedicated DNS server you should only allow outgoing DNS traffic to go to your ISP's DNS server (your ISP gave you this address someplace).

6) Unless you handle your own DNS services for an Internet server, you should block incoming DNS requests.

7) Explicitly stating where any outgoing traffic is going to is a very good thing. If your game requires port 9110 to be open, then only allow port 9110 to be open with an outbound address of the game server.
You can't surf porn without allowing web traffic, so odds are you will want to allow outgoing HTTP (port 80) and HTTPS (port 443). Not much you can do there, but it does provide a big loophole. Other programs use these ports to bypass firewalls, and that is a bad thing. The fix is an Application Layer Firewall. If you are setting up your firewall for home use, don't worry about it. If you are doing it for a company and you have not yet purchased your firewall, or have the budget to "upgrade" your firewall, get an Application Layer Firewall.

Continuing the mailroom analogy... A fruit basket arrives addressed to Gertrude in Accounting delivered by the flower delivery guy. Every company accepts deliveries from the flower delivery guy. The flower delivery guy is HTTP on Port 80. So the mailroom rushes that fruit basket over to Gertrude, only instead of pineapples, the fruit basket contained pineapple grenades. Boom. Poor Gertrude. And poor everyone in Accounting.

An Application Layer Firewall is like if the mailroom X-rayed every piece of mail that came through there. More so, they were allowed and required to open every parcel that comes and goes to take a quick peek to make sure the package is what it says it is. That is exactly what an Application Layer Firewall does, because the Internet is chock full of people trying to send pineapple grenades to Gertrude; and Gertrude (bless her little heart) is trying to send socks to her nephew in Utah using the company's UPS account.

A last note on firewalls, primarily for corporate IT people: Two firewalls are better than one. The best setup for a firewall is to have an external firewall that handles incoming traffic, such as allowing traffic to your web server, and a second internal firewall that handles outgoing traffic. The external firewall can be in drop-in mode (meaning it knows all the external IP addresses that your company uses, but is not performing NAT translations, just filtering). The internal firewall connects to the external firewall, gets one of those external IP addresses, provides NAT translations (using that external IP) and should be an Application Layer Firewall. More internal firewalls are even better, but two should suffice. Between the two firewalls are your outside only services (web servers, email forwarders, porn, etc). You can even get creative and place honey pots between them, but that is a bit beyond the scope here.

Firewalls are as complicated as you want to make them, but really you should be making them very simple. Keep in mind that a firewall performs the same tasks as a good mailroom. If you do your homework to determine what traffic you need to allow (port numbers), where the traffic should be coming from, and where it should be going to; then you have 99% of what it takes to setup a secure firewall. The other 1% is just punching in that information.

Computer Security 101 - Part 2 - Passwords

As I have already mentioned, I have worked for a variety of different companies. Each one has had their own policy on account passwords and those policies have been as varied as the companies themselves. Most have not been very secure at all.

One good example of this always comes to mind when I talk to people about account passwords. About 14 years ago I worked for (contracted with) a well known company in Ohio, that also happens to have one of the largest repositories of legal information in the world. My position within the company was along the lines of desktop support where we would get assigned support tickets to fix users problems. Our performance was based mostly off volume completed and the time each support ticket was open.

Invariably there would be times where I would arrive at a user's desk to fix some problem, only to discover they had left for an extended lunch (Executives were great for this) or had taken a few days off from work. As luck would have it, it was also extremely likely that the support ticket had something to do with the user's profile on their computer (a "profile" is all the settings on a computer that pertain to that particular person, such as the wallpaper or screensaver they have chosen). This meant that without being on the computer as that user, the problem could not be fixed, the ticket would remain open, our (my) performance level would go down (kind of a crappy way to do things, but it was what it was), and if cuts came, well you know the story.

To solve this problem I would immediately turn the keyboard over and look for a little piece of paper taped to the bottom of it containing the user account password. About 50% of the time, it was there. The little pull out writing tables that are part of some desks were another great place to look. And when all else failed I would open their picture frames on their desk and find their children's names. I had about a 90% success rate in getting into the computer as the user. Pitiful.

Nowadays I would verbally reprimand myself for doing that. I would write-up (or outright fire) the user. My, how times have changed. Except they haven't. I no longer "hack" into user accounts in this manner, but far too often those user passwords are still written down someplace on that desk. The excuses are always the same, "I have too many passwords to remember" or "IT makes me have too difficult of a password to remember." Well, I have a solution.

The first part is to forget about passwords. Passwords suck. Passwords are like relatives you have to visit, but go into convulsions at the sight of. Passwords are so 1990s. For you retro-people, that is not a good thing. Instead of passwords, passphrases are the way to go. It is one of those new industry best practices, and it is a smart one.

A password is a bunch of letters and numbers thrown together to let you log onto the computer. In order to increase security, IT departments have required that passwords be a set minimum length and contain a certain level of complexity (usually something like it must contain one uppercase letter, one lowercase letter and one number or other symbol. Sound familiar?). Users write these down. Passwords are bad.

A passphrase is a phrase or sentence that is easy to remember. Passphrases are easy to create that will meet any level of complexity requirements. Users do not need to write down passphrases. Passphrases are good.

Here's an example of the difference between a password and passphrase. For this example let us say that the "password" must be at least 10 characters long, contain at least one uppercase character, one lowercase character, one number and one symbol. Relatively complex and difficult to brute force (brute forcing is throwing characters at a password until the right combination is obtained, more on that in a minute).

For our password we have: Id10t.Error
For our passphrase we have: Mydaughteris17yearsold.

Which is easier to remember? The first one has 11 total characters, the second 23 characters; yet the second would be easier to remember for any parent. Heck, a lot of systems will even allow you to use spaces as characters, thus making the passphrase much the same as typing a sentence. The second is also more difficult to brute force attack due to the increased length, and given such a huge range of possible passphrases that a person might pick, pretty much impossible to simply guess.

Now a word on cracking passwords. There are a few methods for getting a password, the most common is for the user to tell you; either directly or by writing the password down. Flat out guessing, or making educated guesses is the second in the list of most common and easiest. Lastly comes cracking the password (there are other methods, but these are the most common). This is generally done using brute force attacks, so named because it is similar to a physical brute force attack in that a would-be hacker just continues to pound away at the possibilities until security falls away. A variation (although some consider it completely different) on brute force attacks is the use of dictionary files, where entire words are thrown at a password, alone or in combination. Still qualifies as a brute force attack in my opinion.

Brute force attacks are generally done using specialized programs that allow the hacker to set a few parameters, such as minimum password length, and the program does the rest. Character by character these password crackers plug-in sequential combinations of letters and numbers until a successful password attempt is achieved (aaaaaa, aaaaab, aaaaac, etc). These attacks take time, based on the possibilities for a given password. The more confined the password requirements are, the less time a brute force attack will take. The fewer characters in a password, the less time an attack will take. The fewer types of characters in a password, the less time an attack will take. Using dictionary files instead of strictly sequential attempts also reduces the attack time. And to top it off, each year computers get faster and faster, allowing more password attempts to occur over a given period of time, and thus, the less time an attack will take.

After touting passphrases over passwords I present the doom and gloom. Bad, bad Andrew. There is good news though, I promise. The first piece of good news is that if you read back you will see that brute force attacks are third on my list of methods for gaining someone's password. That means that the other two items are far more likely. Using complex (containing numbers and letters with a minimum set length and no, or very high, maximum length) passphrases over passwords greatly reduces the likelihood of a person ever guessing a password. Passphrases, as mentioned, also increase the likelihood of a user remembering their password, and as such greatly reduce the likelihood of someone finding it written down.

That leaves one further part from the list of the three methods: telling people your password. Don't do it. Not ever. Never ever. Your passphrase is yours and yours alone. Do not, under any circumstance, tell anyone your passphrase. Not your spouse, not your manager, not the CEO of the company, and especially not someone from IT. People always try to tell me their passwords. I make loud noises and cover my ears until they stop, and then proceed to tell them that they are trying to do something bad. No one, let me repeat, no one needs your password but you. In the unlikely event that someone someplace needs to access your account, IT can reset your password. The glory of this is that it creates a paper trail showing that someone changed your password, and you will know it has been changed.

Returning to the doom and gloom of brute force attacks, there is more good news. A big help with stopping these attacks is in changing your passphrase on a fairly regular basis, at least once every 60 days, preferably 30. On that note, when you change your passphrase you should not use the same one you have used previously. At least not for a year or two. The reason? In the event that a passphrase is compromised (meaning you told someone who called up and said they were from IT), it is only good for a certain period of time. Then poof, it is a new password. This also hurts brute force attacks, because if they get a password and it is changed, they have to start all over again. IT personnel should set these options in their systems to force regular password changes to occur.

The last note on passphrases is for the IT persons out there: set an automatic failed attempt lock-out. Huh? Almost all systems that use passwords have a setting that will lock out a user account if the wrong password is entered X number of times within a given time period. You can even set the lock-out to expire after X period of time automatically on many systems. A good setting level is to have automatic one hour account lock-out after 3 failed attempts. This effectively reduces the success level for any brute force attack to 0, because three attempts in an hour will take many, many lifetimes.

To sum things up, here is the simplified version of all the junk above. Learn it. Live it. Love it.

1. Use passphrases instead of passwords.
2. Ensure your passphrases contain both upper and lower case characters, as well as numbers. Symbols are also good.
3. Never write your passphrase down anywhere.
4. Never tell anyone your passphrase.
5. Change your passphrase at least once every two months, preferably once a month.
6. Do not reuse a passphrase for at least a year.
7. For IT: Automatic account lock-outs are your friend.

There. You have your 20 minutes of security work for the week. And it didn't even cost you a dime, imagine that. Next up we'll move out to the network perimeter and start working our way in. Stay tuned for Part 3 - Firewalls. Until then, be safe.

Computer Security 101 - Part 1 - Introduction

I have worked professionally in the computer industry for almost 20 years now. Throughout this career I have found employment within a plethora of differing companies, as both a W2 employee and contractor. Whether the company was large, medium or small in size, housed hundreds of servers or none, possessed an IT staff to rival Microsoft or none at all, and regardless of the industry, one thing has remained a constant; computer security has been lacking across one or more areas.

Lack of knowledge, lack of funding, lack of training and, pitifully enough, lack of caring are the culprits for this. As Information Systems go further into the 21st century, these culprits are starting to dwindle, but are far from gone. Almost all companies have heard of the need for some level of computer security or another by now, yet still the systems tend to be piecemealed together, assuming they exist at all. I blame this on a lack of knowledge and understanding by the IT professionals, as well as a lack of readily available information on the various security subjects.

Just about every IT person knows you should have a firewall for your Internet connection, even most home users know this; but few of those know how to set it up correctly. This even pertains to many security specialists. Once again, a lack of knowledge and understanding.

"But Andrew," you say, "security systems are expensive. Security training is even more so. We just don't have the budget for this." To which I say, "Yes. Yes you do." Aside from the obvious, "You can not afford NOT to invest in security" (gotta love double negatives), computer security does not have to be expensive, nor should it be.

There are only two things you need to purchase to maintain a good level of security on your computers (aside from the necessities like the computer itself) and those are a good desktop antivirus program (hence forth called client A/V) and a firewall or router. Odds are you have those already or they can be placed in any budget without a second glance. The rest of it is all just best practices (those annoying things everyone talks about, but no one ever says what they are).

That is what I will be covering in this series of blog entries, computer security best practices. It costs nothing upfront but a little time, and saves tons of time on the back-end, while also saving money in the short and long run through reduced break/fix costs, consulting fees, loss of reputation, lawsuits, regulatory fines, etc, etc, etc. For less than 20 minutes per week, you too can have rock-solid abs, umm, I mean a secure network. Best of all, I'm going to give you all that information for free in simple terms that even I can understand. So stay tuned for Part 2 - Passwords.

Out With The Old

I have had my SageTV PVR computer setup and running smoothly for a little over two and a half years now. Aside from swapping out and adding a few different recording devices, the box has remained the same throughout this entire time and I could not have been happier with it. A Pentium 4 3GHz processor, 1 GB of RAM, a 300GB SATA drive, and an eVGA 6600GT video card are the guts that comprised this system; nothing flashy, but it made for an excellent entertainment system.

On various posts in the SageTV forums I have read of problems people have had with Sage, or other PVR software products, ranging from blue screening to playback stuttering to system hang ups, but have experienced none of these problems myself (except when I tinker too much). As a matter of fact, with my basic system using the nVidia PureVideo decoder I have had remarkable image quality playing back SD TV content, DVDs, and even HDTV content. Given all this, why would I decide to upgrade my system?

The first reason is the release of Hauppauge's new HD PVR tuner. This little USB device allows for the recording of HDTV using component video feeds. What that means is it will allow recording of high definition television from the cable company's set top box (STB), allowing me to record all of my HD channels as HD, instead of only those broadcast in an unencrypted format (more or less the local network channels). Discovery HD here I come! The only problem is the listed minimum requirements for the HD PVR sights both a dual core processor and a graphic card with 256 MB of memory; neither of which my Sage box had. Granted, given my Sage box already played back HD content recorded with the HDHomeRun, I am still a little skeptical at the Hauppauge requirement.

The second reason for the system overhaul is BluRay. Now that the battle between HDDVD and BluRay is at an end with BluRay emerging the victor, I thought I might give the high definition movie arena a shot. Again, my existing Sage box played back HD recordings without a problem so I imagine it could tackle BluRay content, except for the industriy's lovely little catch: HDCP. HDCP is the movie industry's latest means of preventing copyright violations and movie piracy (which, mind you, as a software developer I am all for copyright protection). Unfortunately, every piece of the BluRay puzzle has to be HDCP compliant, and my poor eVGA 6600GT video card missed the boat. Considering this is an AGP card, I figured if I was going to have to replace the card, I should upgrade to the PCIe standard in the process.

The last reason, and most important, is that I finished my Six-Sigma paper and the Operations Management course with an A- (transfers over to a 4.0 back at Excelsior). So, damn it, I deserved a new toy. And what a toy I built. The new system uses a Gigabyte GA-P35-DS3L motherboard, an Intel Core 2 Duo E7200 2.53GHz processor, a Maxtor 500GB drive, 2 GB of RAM, a Gigabyte 8600GT video card, and ASUS BluRay SATA drive (I really need a Tim Allen sound bite here). You're jealous, I can tell.

I spent the better part of this weekend getting the system put together, software installed, and migrating all of the files over. When all was said and done...pretty much the same as my old system. The big improvements were in upgrading SageTV to the newest beta version (6.4.3), which held a few nice items I have been waiting on. Mostly convenience sake kind of things, but Sage also added some nice techie improvements such as H.264 support (for the Hauppauge HD PVR among other H.264 devices). The best part of this new Sage version is that despite it being a Beta release, everything I have tried has worked without a flaw. Impressive.

Once I had Sage running, I still found myself wanting to be "WOWed" with my new rig, so I went out and purchased a couple of BluRay movies and watched them using CyberLink PowerDVD Ultra 7.3 (SageTV does not currently have support for the BluRay menu stuff). Instead of being wowed, I found BluRay to be very disappointing. I guess SageTV and the nVidia PureVideo decoders were too far ahead of their time when it comes to video playback and up scaling, because DVDs on my old Sage box looked just as good as either of the BluRay movie I watched on the new.

All and all, the upgrade has been a mixed bag, the pluses of finally getting away from AGP, meeting the requirements of future enhancements, and the improvements with Sage; the minuses of no visible improvement in video playback and the disappointment of BluRay versus my old system and DVDs. So much for being "In with the new".

To Be Secure

There is a saying in IT, "The only secure computer is one unloaded, unplugged and locked in a closet." More or less a true statement, but with computers everywhere at the workplace and home, it is not a very realistic approach. Plus I would be out of work, and who would want to see me on a street corner begging for money, right? I would make a pitiful vagrant. Really.

Why do I mention this? Well, the issue of computer security came up when I recently helped a friend fine tune a paper for one of her graduate classes. The paper was on the misuse of company resources, in relations to IT and HR departments; and, as just about everything does, it got me thinking (I really need a short vacation from doing that).

In the Information Services industry, security and misuse prevention go hand and hand, or rather, are two sides of the same coin (where do these sayings come from anyway?). The practice of keeping an Internet-connected-network secure from outside threats falls in the same arena as keeping users from going to inappropriate websites. Preventing illegal software, or even spyware, from being loaded by an employee on a company computer is in line with keeping time-wasting games off the computers (solitaire anyone?). The same with phone services, email and any number of other IT sub sects. If you are hitting one side of the issue, odds are you are hitting the other. And hopefully, in this day and age, you are taking information security very seriously.

My friend had covered most of this in her paper when I first proof read it for her. She also went into the discussion of monitoring and surveillance of employees versus privacy issues. Basically, the arguments of big brother at work against "this is a private email to my sister that is very important" (blah blah blah). If you have ever heard an argument for employees' rights at work regarding technology resources, or perhaps even argued for them, you can disregard what you have heard or said. In the United States, Germany, and many other countries around the world you don't have those rights for privacy when it comes to company resources. Big brother can, and probably does, watch you. He reads your email. He tracks your phone calls. He knows what fetish porn sites you are into. And, to protect the company that both you and he work for, he should be able to do all of that.

But he shouldn't have to do so much of it. That is what I brought to the table with this paper. The point of view of increased training and awareness, and it is something that helps everyone out more than any other action (or inaction). I am not the first, and won't be the last to say this but, proper training and awareness for employees regarding acceptable use is a must have for any company. Further, proper training and awareness on basic security risks should also be a must have. Two sides of the same coin.

Had I finished my paper on Six Sigma (procrastination really is an art form), I would probably be inclined to dig up statistics and facts on what I am saying. Instead I will go with the common sense approach. If you, as an employee, knew that not only could (and likely would) your emails sent to or from work be read by someone in IT, but also your manager and supervisor, wouldn't you be less inclined to use it for personal messages? What if you knew that your manager would be reading those little flirtatious chat messages you have been sending to that cute girl in accounting? Would you really be looking at that new teddy from Victoria's Secret during your lunch hour if some guy in IT and your supervisor knew you bought it?

For the other side of this coin there is just one phrase that rings home on why training and awareness of security issues is important for employees. "I didn't know." It's been heard a million times, and a lot of the time they really didn't know. Instead, imagine if they did know about scam/phishing emails, the damage malicious software could do, social engineering attacks, why giving ANYONE (even IT members) your password is bad, the dangers of loading software from the Internet, or even just the dangers of browsing to the wrong website. Users would suddenly become your number one security defense, instead of a security breach waiting to happen.

Give it some thought when your budgeting rolls around this year. Instead of, or at least in addition to, looking at that multi-thousand dollar device or piece of software to track everything under the sun on your network (until that buffer overflow attack compromises it), look at setting up a proper *ongoing* employee training regime for your company. Or just unplug the computers and lock them away in the closet.

It's All About Perception

I spent the majority of my time this past weekend divided between cutting and gluing straws, and completing the first section of my Operations Management course. There were a few other tasks thrown in throughout my two days of rest, which ultimately resulted in a very productive weekend. A lot was accomplished that needed to get accomplished.

I also made time to relax, which, laced with the recently absorbed chapters on service management from my textbook, brought about some reflection on the IT service industry. More to the point, the role of management within the IT field, and in particular the roles I have played throughout my career. In the forefront of this is a short coming of mine (and most in the field) that I have been endeavoring for some time to overcome.

Information Technologies is a very behind the scenes service field; it is something that is rarely noticed save for when a system stops working. If the people performing the work within an IT department do their jobs correctly and efficiently most of their fellow employees will never even know they are there. I have always related the IT field to the people in the nuclear missile silos; you know they exist and you pay them well to be there, but you almost never see them and hope you never have to use them in an emergency.

Although the wording might be different, this is the general view most senior managers have for the IT departments within their companies; and it can lead to problems. If you work in the industry, you know there is far more going on behind the scenes than simple break fix. Technology initiatives created and put into place by IT service personnel save thousand and millions of dollars for a company each and every year. A good department will pay for itself in savings through these cost and time saving projects, a great department can save a company more with the right projects than all other cost cutting strategies implemented by a company combined.

Throughout my career I have been part of many major cost cutting projects within various organizations; from team projects implementing new technology, to developing simple applications that can automatically manipulate data, to upgrading existing processes and procedures that make them more efficient. And I never was bothered when during each company meeting an administrative assistant would get an award for saving the company $1000 by purchasing pens in bulk, while the IT department was ignored after saving $50,000 through one of its latest projects. It is what was expected of us.

Then I became a manager and suddenly it bothered me. I am not sure if my perspectives had changed with taking on more responsibility or if it was something else entirely, but my people deserved better than that. They deserved the recognition they had earned, to be seen as the valuable employees they were, the people who earned the salaries they were given and, further, deserved raises, not the first thrown up onto the chopping blocks when it was time for layoffs. Only, that is the way of the Information Technology field. Or at least how it was.

Times have changed for many corporations. Smart executives who have learned to leverage technology to the benefit of the company are bringing with them an understanding of the departments that previously went unnoticed. These companies are still far from the norm, but their numbers are growing and the reason is something I should have learned a long time ago: Marketing.

Savvy IT leaders have not only learned to leverage the resources of their departments, but have also made a concerted effort to promote those resources to others within the organization. These leaders make certain that every project, every cost saving endeavor, and every time cutting process is heard about by every employee within the company, not just senior management. It is something we should have been doing all along, because in the end it is all about perception.

Unfortunately for most of us in the IT arena, myself included, marketing is something we have never been very good at, or at least never saw a reason for. It is, however, a skill I have been working to hone, and will continue to work at. After all, I spent the majority of my time this past weekend divided between creating the base propulsion structure for an autonomous mobile robot, and enhancing my managerial skill-set through further study and education.

A Little Home Tech - Home Automation

In the personal project arena I have been known to overdo things on occasion, to jump in with both feet and go full bore into the task at hand. Some might see it as obsessive, but I prefer to view it as doing things right. I imagine it is a fine line between the two, a line that blurs into the reality that are Andrew Maxim projects. Few other home projects could provide a better example of this than my home automation system; it wasn't just feet first, it was head first through dry wall and electrical wiring and fiberglass insulation.

I had known about home automation only in the vaguest of senses; computer based answering machines, X-10 lighting and whole house audio systems. What I knew really did not interest me much. Surprisingly, or perhaps not so surprisingly, it was my PVR system, SageTV that eventually sparked the interest. In going through the user created add-ons for Sage, I came across one that integrated with a home automation system known as HAL, and the things I read on it I found intriguing.

HAL stands for Home Automated Living and is one of the many companies involved in the home automation "revolution", as well as the name of their software product line. It was their website that first began showing me what this field had become since the days I had first heard about and dismissed the concept as "not being ready". Once my eyes were open, however, I began my usual research phase, looking into all sorts of products from high-end hardware devices to open source software products to user's personal web pages. The more I read, the more I decided this was something I was going to implement in my home.

Primarily as a result of two different people's personal websites, I eventually I narrowed my search down to two competing base products, the previously mentioned HAL system and HomeSeer. Controlling your house through a computer or touch panel is a pretty neat concept and is something almost all the packages out there offer, but controlling your house with your voice is just plain cool and was what narrowed things down to these two products. Paul Koslowsky (using HomeSeer) and Jim Lipsit (using HAL) both had accomplished home automation voice control and provided terrific documentation on the subject matter, as well as a plethora of additional information and abilities of their respective systems. Not to say that other people had not integrated voice control with their systems, but the knowledge shared by these two deserves a definite nod of appreciation.

Both systems had their own quirks and abilities, different ways of handling the same things, different equipment supported, and even different levels of user activity. HomeSeer users are far more vocal on their message forums, which is something I find very appealing in a product that makes use of user customizations. The decision between the two systems finally came down to pricing. The base packages for each were priced about the same, but where as HAL includes all features of a product in that product, HomeSeer charges for a majority of plug-ins to encompass the features which HAL includes.

I wound up purchasing the HAL2000 system from Home Automated Living, actually I purchased HALdeluxe and upgraded to HAL2000. For the electrical control system I went with a UPB based system for the reliability, making use of both HAI and Simply Automated switches and devices, dependent on what they were for and current pricing. A combination of the ClearOne XAP 800, the Russound CAA66, several Crown PZM and MB microphones, and a dozen generic ceiling mount speakers make up the home audio portion of the project. Lastly an Applied Digital Ocelot provides control over sensors and audio equipment.

The system is far from complete, as I not only have several light switches and outlets left to replace, but also am patiently waiting on a few things to happen in the industry. Aside from things like the need for a UPB based ceiling fan control, I am anxiously awaiting the release of HAL version 4 in order to finish off the long standing project of complete audio control. Not that the new version includes this functionality, but rather the HALi interface for version 4, which allows programmers to write additional plug-ins, is rumored to contain the features needed for me to continue forward with my own plug-in entitled HAZ (Home Audio Zoning). Even once that is complete, it will be an ongoing project with my Home Automation system that will likely always be a work in progress, but it's just plain cool to have.

Application Security

As part of the requirements to maintain my CISM designation, I regularly attend ISACA e-Symposium events. These web events are held once a month and, to be completely honest, while my primary purpose of attendance is the 3 cpe received, I do tend to learn a thing or two on the subject matter offered. Sometimes what I learn is just in what I spout out while yelling at the screen (I am known to do this quite often with scientific documentaries on TV), but it gets me thinking at the very least. Yesterday's e-Symposium entitled "Application Security The New Gateway" was no exception; I learned some and spouted off at the non-replying screen more.

The two things that will get me talking back to a screen, computer or television, are when an important subject matter is glossed over or when something simple is over complicated. Experts always seem to like to over complicate things. In an effort to be completely fair to the e-Symposium, each presenter only has a limited time span to cover a wealth of information, so a lot will be glossed over to provide time to focus on their primary topic (which sometimes is a sales pitch).

One of the items glossed over was a statistic from Gartner stating that 75% of attacks occur at the application level. The statistic itself was not glossed over, but rather the reason it is 75% rather than 25%, and I feel that reason is important: System Security. Hackers didn't just decide one day to change their attack methods from network/system infiltration to application hacks; they did it because of path of least resistance. Once upon a time networks and systems were not very secure and allowed an easy path into all sorts of information, but system security became a hot spot and made accessing data through the "old school" methods far too time consuming and difficult. The number of web-born applications has also increased, presenting a doorway to data. And so application level attacks became the way to go.

I actually find it insulting to the security industry that the statistic is not 90+% in favor of application layer attacks, given the amount of time and volume of information regarding the need for good system security practices. It is what it is though, and some people and companies will always prefer to pay tons of money and time in a year or two than to pay a relatively small amount now to protect their investments. They would be better off selling their companies and spending the money at the craps tables in Vegas, a roll of the dice is just that and will always be in favor of the house, but at least this way they would only be wasting their own time and money and not hurting other people.

The second bit of spouting at the screen for this e-Symposium had to do with the over complication of things. Again, to be fair, each of the presenters represents a company and that company would like to get something out of the three hours of otherwise billable time for their expert, so the presentation becomes a partial sales pitch and things get over complicated. And as I said, experts like over complicating things. In reality, application security is not an over complicated item.

There are two main culprits for flaws in any program, lack of security knowledge by the developers and lack of testing during the SDLC (software development life cycle). Both were covered in the e-Symposium, but the solutions really were not, and they are, in theory, the easy parts. First, companies need to require their developers to be trained in development security best practices. It is an investment on both the part of the developer and the company, but it is time and money well spent. Again, pay a little now or a lot later. The SANS Institute now offers training and testing in development security through their Software Security Institute programs. A little costly, but the benefits are huge long term and, as I previously stated, promotes employee retention, which saves more money.

The second part of the solution is something that has been yelled and screamed from the rooftops for as long as companies have been developing software. Give QA the time and resources to properly test software. Yes, deadlines loom and developers get behind schedule, but cutting QA time to meet a launch date is far more costly and time consuming than pushing back a release schedule in order to get the software right. There are a ton of stats available from all sorts of independent groups on that subject, or just look at Microsoft and their reputation as a result of forcing projects to market. Further, QA personnel need to be trained in application hacking and exploitation techniques and it needs to become part of the testing process. Once again, this is time and money well spent in the short and long term of a company.

If those two items are taken care of during application development we will see a vast shift in security incidents. The overall number of incidents might not drop, hackers will continue to do what they do, but the percentages of types of incidents will shift dramatically away from application level. My prediction would be that we will see a number around 60% of all hacks being related to social engineering instead. Some companies, after all, will always want to pay more later than a small amount now. For those who "get it", a little proactive effort will go a long way towards Application Security and keeping your company profits up in the coming years. Just don't forget to cover social engineering.

A Little Home Tech - The PVR

As I have stated previously, I loves me some technology, thus I thought it prudent to cover some of the pieces of technology I use at home in my everyday life. It goes without saying that I have a few computers at home, seven currently in use to be exact, as well as a host of other pieces of technology such as a television, microwave, etc. These are all things I think most people own (ok, maybe not seven computers) or at the very least use daily, and have become an integral part of a lot of people's lives, so it would be a waste of time to talk about these things. Instead, there are a number of "systems" that have become just as integrated into my life, as a television is integrated into the lives of others.

The first is my home PVR system. By now most people have at least heard of the mass market DVR systems available, and a good majority likely owns one flavor or another of the devices. DVR stands for Digital Video Recorder and does exactly what the name implies. It records television shows onto digital media (hard drives, RAM drives, etc) for later viewing, much as the VCR of days gone by did on tape; and for many people these devices have become an integral part of daily life, allowing viewing of television broadcasts at your leisure as opposed to on a set schedule.

Hopefully you noticed that I referred to my home PVR system above and not a DVR system. The difference overall really is a small one in the grand scheme of recording and watching television and mostly entails the PVR being a system running on an actual personal computer, as opposed to a prefabricated hardware device. What that difference means for me, however, is customizations.

While a typical DVR system is capable of recording one or two television broadcasts at a time, the system I am running is currently setup to record five simultaneous broadcasts (and I can add more if need be). A bit extreme one might think, but considering that the past fall television primetime lineup for Tuesday night had 90% of the television shows I watch, all aired around the same time, I would have missed several of the shows with a typical DVR package. On nights such as those, the system will usually be recording four television shows over the course of two hours, with a slight overlap on each recording schedule to allow for early and late starts so as to not miss the beginning or end.

Mostly on the recommendation of my friend, Anthony, but after almost no research, just a trial, I chose SageTV for my PVR system. I know, it is so unlike me to not do much in the way of research, but I was hooked after the trial because of, above all else, the customizations. And not just customizable options created by SageTV the company, but rather the whole host of options and add-ons (most of which are free) created and supported by the SageTV user community.

Aside from recording a few television shows, SageTV is a complete multimedia package; allowing playback of DVDs, music libraries, online content, and, my favorite feature, a personal video library. All at the click of a few remote control buttons. There have been a few hiccups along the road of setting up, tweaking and upgrading my system; some more frustrating than others, but it is well worth the effort when I can pick one of my many movies to watch without having to get up from the couch and search through the stacks of DVDs I own. The ability to watch the BBC television show The IT Crowd through the online content is just one huge added bonus, as was watching my television lineup from a laptop during trips out of state.

All and all, SageTV has definitely won me over, and I hope beyond hope that it will be able to maintain with the eventual switch to encrypted digital broadcasts by the cable companies (search for "cablelabs" and "OCUR" off Google if you want to know what the heck I am talking about). Only time will tell on that front, but until then I will continue to rejoice in my PVR system.