Archive

Archive for the ‘Contributed Articles’ Category

Cybersecurity: Safety and Cost Equilibrium

October 21, 2019 Comments off

by Dean Chester

Cybersecurity has been a hot topic for quite a while and it’s not likely to change any time soon.

Equilibrium

“Equilibrium” by Guido Sorarù is licensed under CC BY 2.0

Every new day brings more data breaches and more online scams. No single entity is completely safe, it seems: hackers target both private individuals and companies. The size of an organization doesn’t matter either because the security of even the largest of them such as Yahoo and eBay can become compromised.

Not all cybercriminals are ambitious enough to go after corporate giants. Sadly, some also have smaller businesses covered. And when the security of those gets breached, the losses may look negligible to companies that deal with billions of dollars. For a small, family-run enterprise, such losses often become insurmountable and lead to it going out of business.

One of the main reasons why small companies are such an attractive target for hackers lies exactly in their size. Because of it, these businesses can’t afford to spend a lot of money on their Internet security. They can’t afford large teams of security specialists that – for all the owners know – may never actually prove useful. Obviously, such an idea is wrong, but as long as there are no apparent breaches (which situation can very well be a result of the said specialists’ work), it’s hard for some people to see value in supporting such a team.

It’s possible, of course, to find free or low-cost solutions and to save on one’s cybersecurity. But is it a responsible thing to do?

It’s been said time and again that when something is free, it’s because you are the product. Money spent on providing that free solution must come from somewhere, after all.

There are a few ways in which money can be made off of customers who use free cybersecurity software:

  • They can be shown ads coming from third-party vendors. The frequency of it can vary from “relatively unobtrusive” to “all the time”.
  • Speaking of advertisers, the customers’ private info can be sold to them to expand their bases of people to target. This is especially true for shadier providers of free services such as virtual private networks and the like, that is, services that have access to the users’ Internet activity. The information gathered by such a “free” service can be then used to better understand what ads to show to their client base.
  • As a more extreme example of the above, free users’ Internet bandwidth is known to have been sold to a third party that used it for its own purposes, and those purposes weren’t benign. In fact, they included creating a botnet and conducting DDoS attacks on certain websites.
  • Pestering free users with ads has another purpose as well: it’s easy to get tired of such an inconvenience so much that getting a paid version of the same service will seem like a cheaper option.
  • Related to the last one, free versions of antivirus and other computer security software most often do not have all the features that the paid ones do, making their users consider investing money into them.

Besides that, there are definite concerns about the levels of security and protection that those free solutions can provide. As they are free, it’s somewhat unreasonable to expect them to have the best technology available.

If it’s a private individual we’re talking about, it’s obviously up to them to decide if they want to skimp on their security or not. However, as far as companies are concerned, things are more complicated.

If a business becomes a target of a data breach, it doesn’t only endanger that business. Its clients’ personal data may also be obtained by the perpetrator, and that’s bad news for both the clients and the company’s reputation.

That’s why I don’t think it’s the best decision for a business to rely exclusively on free cybersecurity software. It may be enough to protect it but the chances are not terribly high.

However, the question of money still stands. Yes, in the case of a breach the company is going to lose even more, but it doesn’t make the wherewithal to get professional security tools just magically appear. So what can be done?

  • Reinforcing the weakest link of cybersecurity: to make sure employees won’t click any suspicious links or tell anyone their passwords is supremely important. It can be done by anyone with a good grasp of IT security, really, but ideally, it should be entrusted to professionals.
  • System penetration testing: while it should be performed regularly, it doesn’t require having permanent staff and can be done\by a security company.
  • Getting cybersecurity tools at a discount: almost all major software manufacturers hold a sale from time to time, allowing small businesses to save quite a lot if they’re buying many copies at once.
  • Getting a data breach insurance: if a breach does happen, this can help with covering the losses and subsequent expenses, including those inflicted by reputation damage.

Although finding the balance between security and keeping costs neutral is not an easy task for smaller businesses, it is necessary to take care of it. In the long run, the potential price of negligence is going to be much higher than spending on protection.

Dean Chester is a cybersecurity expert and author. He is absorbed in online security and takes all measures to ensure that non-tech-savvy users can be protected on the Internet.

The Beginners Guide To Understanding Tools Available To You Through AWS

February 27, 2019 Comments off

There are thousands of “How to’s”, and “Basics 101” guides for programmers out there who are interested in learning code and developing skill sets. However, from a business perspective, you don’t want to know the algorithms, and blocks of code. All you want to know is…

Does this help my business become more profitable, right?

Which is perhaps why you are reading up on Amazon Web Services. You know all about the delays between your Developer and Operation teams. You are tired of customers waiting, and the project line falling behind.

Well, the good news is that is exactly what Amazon Web Services is designed to fix. Through this article, we will be going over all the basics you need to know moving forward with your interest in AWS, and Cloud Computing.

What Is AWS In Laymen’s Terms?

To keep things simple, think of AWS as a platform where you can utilize the various services, tools, and advantages the cloud is famous for.

In other words, it’s really just a gigantic bundle of cloud computing services readily available on an easy to use platform.

So, why is it so great? What’s the catch…

Well, some of the major advantages of AWS are:

  • Easy to use
  • Limitless Capacity
  • Provides Speed And Agility For Your Services
  • Secure and reliable platform to work on.

But of course, if there were no downfalls of using AWS it would be to good to be true. If you are seriously considering investing in AWS, it’s important to mention some of the downfalls to be on the lookout for. Including:

  • Limitations of Amazon EC2
  • There is a fee for technical support.
  • General issues known in Cloud Computing
  • There are some limitations on what you can do security wise.

AWS Services Available To Implement

So, Cloud Computing has several elements that can individually be broken down. So, let’s get into it.

Amazon Elastic Compute Cloud (EC2)

Basically, when we break it down this is the technology/computer that we use to host our data. Of course, there are different types available in terms of size and performance. Think of it as renting a server from Amazon on an hourly basis. The two big benefits of investing in this include Auto Scaling to prevent overloads and Elastic Load Balancing.

What Is Auto Scaling?

Every business/service is different. Some may need a ton of space and RAM available to deal with large quantities of traffic. Whereas others will need lower performance computing. Auto Scaling is basically the ability to increase the capacity either up or down depending on your needs.

This helps reduce spikes in performance due to higher traffic while still keeping everything budget friendly to maximize your businesses triple bottom line.

What Is AWS Elastic Load Balancing

When you are trapped under a mountain of work, oftentimes you reach out for help to ensure that everything gets done by the deadline, right?

Well, Elastic Load Shedding is basically the same principle. If one server is overloaded with the traffic coming in, another server will be implemented to keep services running seamlessly.

AWS Identity And Access Management (IAM)

It’s all good to have a secure server where users can do what they want. However, it would be a bit redundant, if not darn right dangerous to not be able to control and set limitations for these users.

Which is where IAM comes into the picture. Think of this as the bodyguard to the entire platform. Using this, you can set levels of permissions. Control different blocks of resources, and so forth.

AWS S3

This service is pretty straightforward. It’s the media center for AWS. Using this tool, we can store images and other similar data. This can also be used to manage and transfer data files between different platforms.

AWS Glacier

AWS Glacier and AWS S3 work in conjunction. Do you know how we always rant on to customers, friends, and even family members about how darn important it is to keep backups of everything? Well, business is no different. Glacier serves as a backup service for all of your data, images, and other business-critical information.

AWS Lambda

Ever wished you had a singular computer for running scripts and a completely different one to see the results and make any necessary tweaks? I bet you have, I know I have.

Well, that’s exactly what Lambda is for. It was designed to solely run scripts and nothing else.

And there you have it. Of course, there are plenty of other tools to list that you get through signing up on AWS. However, these are some of the most critical tools for you to know when looking to invest.

Contributed by Tom English of CloudConformity

6 Signs That It’s Time to Upgrade Your PC

January 17, 2018 Comments off

Your computer, no matter how powerful it is right now, will eventually succumb to obsolescence. That’s the natural life cycle of electronics, after all. One day, you’ll want to upgrade your rig – whether piecemeal or complete package – when your current one is inadequate for your needs. So, when is the best time to upgrade your computer? Here are some cautionary signs that signal the right time to do so.

  1. It takes forever to boot up.

Something is generally amiss when your PC is slow at startup. Generally, it’s an issue with too many applications being queued to run at the start. Sometimes, it’s a driver or installation thing that goes away after it’s completed. If it’s not an application or driver issue, as you’ll find out after a clean reformat, then it’s your hardware giving way.

  1. It’s generally slow at everything.

Related to #1, it may be time to upgrade your PC when everything you do is seriously sluggish. Opening your office application is slow as molasses? You can’t play Full HD videos and you’re experiencing stuttering during playback? When you launch your favorite game, it stays on the loading screen forever? A clean reformat or some cleaning and driver upgrading might do the trick and fix these problems. However, if they linger afterward, it’s time to upgrade your rig.

  1. Your storage is maxed out.

You can’t download new 1080p videos to your hard drive anymore. You can’t install new applications and games because you lack disk space. It’s high time you get new hardware then. If you’re lucky enough, you can install a new storage drive or two on your PC, if your hardware can still handle it. Another alternative would be to invest in portable hard drives, though, they’re typically more expensive than regular drives.

  1. You can’t play the latest games.

If you can’t play the latest and greatest games at the most minimum recommended specs, you’re badly in need of upgrades. At that point, given how dated your computer is, you’re better off building a new gaming rig. Rather than work with old, dated parts which may or may not be funky after years of wear and tear, it’s best to go all new for maximum compatibility and durability.

  1. You can’t install anything anymore.

It’s bad when you can’t install the latest version of your operating system. Sure, you can still run your rig with older drivers and applications. You can still play certain games with it. However, if you need the most updated software and want to play the newest titles, you’ll want a new computer with the recommended specs.

  1. You spend most of your time fixing it.

Whenever you do video editing, your PC crashes while you’re rendering. A graphically-intensive scene in your favorite game bluescreens your PC and forcibly restarts it. Your rig experiences random reboots for no discernable reason. Despite all your maintenance and spring cleaning, it’s still on the fritz. You’ve spent countless hours testing and gauging your hardware’s reliability, and yet you still haven’t found a solution. It’s time to move on.

How To Take Proper Care of Your iPad

December 6, 2017 Comments off

iPad in useArticle contributed by Tara Desquitado.

Like most gadgets, your iPad needs to be taken care of to keep it running well. Although it does not require as much care as a laptop or desktop, it still needs a little bit of maintenance. In this article, we have listed down ways for you to take proper care of your iPad and keep it in check so that it can be of use to you for as long as it can.

Don’t leave it charging
You shouldn’t be leaving your iPad to charge all day and night. Overcharging it will only reduce its battery life. Avoid completely draining its battery as well. It’s best to let the battery down to 5% or less and then plug it in to charge. To help get the most out of your iPad’s battery life, you should also shut it down every now and then. Powering it down once a week can help extend its life.

Keep iOS Updated
Updating your iPad not only gives it more features, it also downloads the latest security updates too. Since iOS products are becoming more ubiquitous, there has been an increase in malware directed to target it. Updating your iPad equips it with better defenses. It also fixes old bugs found in the previous versions, making your iPad to run more effectively.

Add a passcode
Keeping your iPad secure from others is very important. Others may reconfigure its settings or come across personal or sensitive information. Adding a passcode can remedy this. It allows you to leave your iPad without having to worry about someone using it without your permission. If you can, you should also add biometric protection to your iPad. This ensures its security to privacy even more.

Use a screen protector
Although an iPad’s screen is made of a relatively durable material, it is the area of the iPad that is most likely to get damaged first since it receives the most contact. Using a screen protector is one way to safeguard your iPad’s screen from unwanted scratches and cracks. Make sure to apply it after its screen has been thoroughly cleaned as well. It is best to apply the screen after washing your hands so that oils will not end up on the screen when the protector is being placed.

Use a protective case
Since the iPad is designed to be extremely thin, a simple accidental drop may severely damage it. The best preventive measure is to suit it up with a protective case. There is a great selection of iPad cases to choose from. It is suggested to pick one that is made of durable material and fits the iPad’s form. Avoid loose-fitting cases as they are usually used for aesthetic purposes and provide little protection for the iPad.

Conclusion
Maintaining your iPad isn’t a process that falls under a long and tedious checklist. All you have to know is the hazards that are most likely to damage it and keep it away from those. Make sure you keep it protected, avoid overcharging it, keep it away from moisture and extreme temperatures and you’re good to go. Make it a point to clean it every now and then when you can find the time to do so as well and you’ll have your iPad running smoothly and effectively.

Be sure to visit macfixit.com.au for all your favorite Apple and Apple-compatible products and accessories.

The Future of IT: Hype vs. Reality

December 16, 2016 Comments off

SpiceworksSpiceworks launched a new report today –Future of IT: Hype vs. Reality – that examines organizations’ adoptions plans of emerging technology like IoT, AI, VR, and 3D printers and the expected impact in the workplace.

The survey results show that among these emerging technologies, IT pros expect IoT devices and AI technology to have the biggest impact in the workplace. They don’t expect mass adoption to take off for VR and 3D printers, but some industries have significantly higher adoption rates than the industry average.

Key findings:

  • Artificial intelligence

o   Apple Siri is most commonly used in the workplace, but Cortana expected to overtake Siri in next 12 months

o   Over next 5 years, 60% of companies plan to adopt machine learning; 72% plan to deploy business analytics with AI; 32% plan to deploy self-learning robots

  • Internet of things

o   As with AI, security is the top concern with IoT in the workplace

o   Healthcare industry has highest adoption rate for IoT at 28% with an additional 50 percent planning to adopt it

  • Virtual reality

o   Only 7% of companies use VR and 13% plan to adopt it; Construction/engineering industry has highest planned adoption rate at 27%

o   Cost is biggest barrier to adoption; security/privacy is the least concern

o   IT pros surveyed named Oculus the most innovative leader in VR

  • 3D printers

o   Only 11% of companies use 3D printers and 22% plan to adopt them; Education industry has highest current adoption rate at 45%

o   As with VR, cost is biggest barrier to adoption and security is least concern

[Ken’s Notes]

No VR for BusinessThis report, like all reports from Spiceworks, is excellent and accurate. There’s a lot of hype around virtual reality (VR) tech and it will have some adoption in universities and in specialty businesses, but for most of us, don’t invest too heavily in anything VR-related. Most businesses don’t need VR and those that do, already have it in some form.

One point I disagree on, and it’s not uncommon for me to do so, is artificial intelligence (AI). For the past many* years, I have thought that AI would be the one technology that really surpassed all the others in terms of adoption, especially for voice-controlled applications, like Siri, Alexa, and Cortana. I’ve waited for 20 years for a decent voice-recognition program so that I don’t have to type, but can just dictate. Yes, I know about Dragon, and it’s pretty good. But I want something that’s truly ready for prime time.
For me, voice recognition is the first step in AI. Once you have voice recognition, then you can create programs to respond to commands and to perform complex functions. I need for it to be better than my R2D2 robot and the current state of Siri, Alexa, and Cortana. There are a lot of applications for voice recognition, but we just haven’t tapped into them yet.

Overall, this is a very thorough report. I like the visual statistics and the comparisons. I think that you’ll find it enlightening. Use the Comments section to tell me how closely these statistics come to your reality.

*many – A bunch. More than I’m going to tell you about.

Why a Seamless Digital User Experience Matters

November 3, 2016 Comments off

Pem GuerryGuest post by: Pem Guerry

As the digital space evolves, new applications, services and platforms are introduced to the market each year. This multitude of digital tools have certainly proved beneficial in the workplace and at home, but because so many of these programs work independently, users often miss out on the benefits of a truly seamless digital experience.

Integrating, or combining, two or more digital services into one fluid application greatly improves efficiency, usability and the overall user experience. This can be seen in the most robust e-signature integration—where a company combines a third party e-signature service with its own user platform for a swift signing process.

E-signature integration isn’t new to the digital conversation, but the technology behind these integrations has continued to improve—enabling you to offer a completely seamless signing experience for your clients.

API Integration

The most effective way to integrate e-signatures is through an application programming interface (API), which acts as a bridge between multiple applications, allowing you to manage them from a single platform.

The catch is looking for the degree of integration that an e-signature service can provide. There’s a difference between simply connecting two software workflows together and building a truly cohesive, integrated experience for signers. Most e-signature services will be able to provide a rudimentary-level integration where users can flow from one digital service, like a CRM portal, to an e-signature platform—an automatic connection from “Point A” to “Point B.”

Far fewer are able to provide a true private-label integration—where it’s virtually impossible for a user to tell that there are two technology engines behind their digital workflow. However, some technology providers and development resources have capabilities that allow you to customize an e-signature dashboard to match your own user interface with the same colors, fonts, logos, navigation menu and more. Because the end user does not have to switch back and forth between your site and an e-signature site, it’s a transparent process for him. This allows you to appear as the only source your clients must go through to submit approval, providing him with a smooth and easy signing experience.

Why does this level of detail matter? Why not simply take users from Point A to Point B? Two primary reasons:

  1. Client Trust

Client trust is a top priority – especially for members of highly regulated, high-stakes industries such as financial services, real estate and healthcare. Your clients are familiar with your brand, have had positive experiences using your software and have grown to trust you.

So think about how they’ll feel if they’re suddenly shuffled to an outsider for a portion of a transaction. For a homebuyer about to sign a real estate contract worth hundreds of thousands of dollars, going from the lender’s original website to a third party e-signature site could suddenly raise suspicion and cause hesitation. An integrated approach gives users a single, consistent and secure platform throughout the entire process.

  1. Brand Retention

In a world full of competition, creating a memorable brand—including company personality, logos, slogans and more—is key if you want to stand out in consumers’ minds. E-signature integration contributes to brand retention and exposure by eliminating third party branding and keeping your company name at the center of the signing process.

When searching for an e-signature service, make sure that you’re not leaving the aesthetics out of the conversation. With a cohesive, easy-to-use platform, your clients will complete seamless transactions and have more positive encounters with your company, furthering their loyalty to your brand.

###

Pem Guerry is the Executive Vice President at SIGNiX, a digital signature solutions provider that makes signing documents online safe, secure, and legal for any business. SIGNiX offers the only independently verifiable, cloud-based digital signature solution, which combines workflow convenience with superior security. Learn more about what makes SIGNiX different at www.signix.com.

iPhone 7 Release: How to Save Money on Smartphones

September 6, 2016 1 comment

Guest Post by Andrea Woroch

For gadget heads and Apple fans, the wait is over. The much-anticipated press event held by Apple every year is scheduled forSeptember 7, at which the company is expected to unveil new iPhones and possibly new MacBook Pros and the Apple Watch 2.

While early adopters are likely making plans to line up at the nearest Apple store, the average consumer would rather not pay full price for the latest-and-greatest gadget. To help reduce the cost of your next smartphone upgrade or replacement, follow these seven tips.

Check competitor offers.
Whenever Apple releases their newest iPhone and other devices, competitors often feel the burn with a drop in sales and offer discounts in an attempt to grab attention away from Apple products. In the past, we’ve seen retailers like Walmart and Best Buy as well as wireless carriers such as Verizon and AT&T slash prices on Samsung, LG, Motorola and other Android devices. Keep your eyes peeled for similar deals this year!

Save big on previous models.
With the arrival of the iPhone 7, prices of previous-generation iPhones typically drop by as much as $150. Since the design and functional differences between the iPhone 6 and iPhone 7 are reportedly minimal, buying a previous-generation iPhone at a reduced rate is hardly a compromise. Same goes for Android devices: the Samsung Galaxy S6 was offered for just $1 with a two-year contract in April of this year, ahead of the S7 release.

Search for refurbished.
One of the best ways to save on any smartphone is to search for deals on previously-owned and certified options across brands and carriers including Apple, Samsung, AT&T or Verizon to save 20% to 40%. Even sites like Overstock offer certified-refurbished phones. For example, a refurbished iPhone 5s Unlocked GSM starts at $381.99, compared to $450 for a new iPhone 5s from Apple.

Wait it out.
Jumping on the latest release of any new gadgets means you’re going to pay a premium. Wait for deals to come out later in the year and mark your calendar for Cyber Monday, the one day every year that Apple releases deals on their popular gadgets. Last year, for example, Best Buy offered the iPhone 6s for $99.99 with a two-year activation with Verizon during Cyber Week, a $100 price drop from when the phone was released in September.

Repair first.
If you’re considering upgrading or buying a new phone because of a faulty mechanism or cracked screen, consider repairing it first before shelling out big bucks for a new one. Common issues such as cracked screens, broken charging docks and diminished battery life can be fixed for low fees at sites like RapidRepair.com, saving you hundreds of dollars.

Unload your old device.
Once you buy your upgrade or new device, think about what to do with the old one. Sites like Gazelle.com pay surprisingly well for a number of phone models. For instance, a quick search revealed that they offer $168 for an unlocked iPhone 6S 64GB in good condition and $45 of a Samsung Galaxy Tab 3 10.1 tablet. Otherwise, Apple offers their own trade-in program, while retailers like Walmart and Best Buy are also getting in on the action.

Buy extras online.
Spending on a new smartphone doesn’t end with the device. You’ll likely buy a case, screen protector, additional chargers or even upgraded headphones (especially if the iPhone 7 doesn’t have a headphone jack, as rumored). Before loading up with these extras from a traditional retailer or your wireless carrier, know that most stores mark up mobile accessories by up to 60%. Instead, save big by shopping for these accessories online at sites like Amazon or AccessoryGeeks, and search for coupons before checkout. For example, deals’ site CouponSherpa.com recently featured several Amazon promo codes for $4 to $7.50 off popular iPhone accessories.

Keep an emergency smartphone stash.
30% of smartphone users admit to breaking their device by dropping it, while others cite irreparable water damage. Though Apple’s new upgrade program includes coverage for up to two incidents of accidental damage, the best insurance comes in the form of an emergency fund. Set aside a few hundred dollars in a separate account to cover the full cost of replacing your device.

Feel free to share “iPhone 7 Release: How to Save Money on Smartphones” with your audience, giving proper attribution to the source.

###

Andrea Woroch is a money-saving expert who transforms everyday consumers into savvy shoppers by sharing smart spending tips and personal finance advice. As a sought-after media source, she has been featured among such top news outlets as Good Morning America, Today, CNN, Dr. OZ, New York Times, MONEY Magazine, Consumer Reports, Forbesand many more. In addition, Andrea’s stories have been published among leading publications and sites such as Yahoo!, AOL Daily Finance, CNN Money, Huffington Post, LearnVest and New York Daily News. Check out Andrea’s demo reel or visit her website at AndreaWoroch.com for more information about booking an interview or requesting an original written article. You can also follow her on Twitter or Facebook for daily money tips.

IT Security as a “Gated Community”

August 9, 2016 Comments off

Why workers are a threat organizations can no longer ignore

shadow-3By Stacy Leidwinger, VP of Products at RES

When one thinks about keeping the home and family secure, the first thought is to take up residence in a secure location – ideally, a guarded and gated community. The second is to carefully secure the perimeter of the house itself: the doors and windows – the points of ingress. Sensors are wired to each opening, cameras and motion detectors are aimed at carefully selected places, and monitoring is switched on. When it’s all plugged in and working, we are confident that our homes are safe. But we also need to keep track of the residents of the home and ensure their cooperation with security measures. Who has a key? Or a garage door opener? Do they routinely close and lock the windows? Because even the finest perimeter defenses are readily breached by the actions, intentional or not, of residents. What can happen when someone leaves a key under the doormat for an expected visitor? Or a garage door is mistakenly left open as the owner drives off to work?

In our gated community example, our traditional defense is focused on securing entry and exit points, and assuming that residents will make no action to breach security. And in the vast majority of cases that will prove just fine. But we in our houses are not continually subject to attackers seeking to trick or cajole us into one simple mistake; a mistake that, once taken, will crack the most airtight security, exposing our homes to the depredations of criminals.

When cybersecurity measures are focused entirely on the perimeter, the organization does nothing to mitigate its greatest risk: the workers whose actions can breach the most secure perimeter defense with a single, careless mouse click.

Secure perimeters require secure workers

An organization’s workers are its chief assets – the means by which value is delivered. But they’re also a massive liability in terms of cybersecurity. And new trends within the technology-enabled workforce are making things far worse.

Today’s IT organizations are expected to equip their workforces with the devices that make the most sense for the organization, while also satisfying the ever more demanding individual worker. Whether it’s supporting preferences between Mac and PC, providing immediate access to apps and services, or allowing workers to use their own mobile devices for work, the workspace has truly become digitized – and therefore more vulnerable, compared to the days when each worker had his or her own locked-down desktop PC, and worked exclusively from the office. But as IT continues to support mobile work-style requirements, a whole slew of security-related IT issues are being raised; and the most serious threats to today’s security are stemming from the inside.

In a time of “do more with less,” IT departments are struggling to provide basic protections against malware, ransomware and spyware, and to secure firewalls to prevent outsider attacks. But is enough attention being paid to those they trust the most – their own workers?

This insider threat is no secret. A recent global study by Kensington entitled “Voice of IT” revealed that IT executives pegged the following as their biggest pain points when it comes to IT: human error, lack of process and workers not following established processes.

What can companies to do streamline IT processes and find solutions to insider threats? After all, within the “gated community” of organizational security, the user is the last line of defense.

A Gap too Big to Span?

One of the biggest debates in recent years when it comes to the digital workspace is bridging the gap between worker enablement and security. It’s an old conundrum in IT: new technologies are constantly being layered into the infrastructure, but hardly anything is ever thrown away. The result is a hodgepodge of hybrid technologies seeking to solve the same problems. And this is far from invisible to workers, who are often required to shift from app to app, from physical to virtual, in an awkward sequence of steps that has them longing for the relative simplicity of the consumer technologies they enjoy at home.

And IT security is perhaps the greatest culprit in the disruption of worker productivity. Is your organization overwhelming your workers with too many checkpoints to cross and too many updates to install? Are your existing security systems working together? And if so, are they working together seamlessly?

Organizations must create a safety net around their workers – the risks of cyberattack are too great to do otherwise – but they must do it in a way that doesn’t inhibit individual productivity, allowing workers to work when and where they choose, on the devices that are most productive for them. And all this must be accomplished with safety controls in place to prevent them from being the source – witting or otherwise – of security threats.

Yes, there are Solutions

IT must be continually on the defensive, protecting workers and the infrastructure from easy-to-make, yet potentially tragic mistakes. And, good news: there are several decisive steps an organization can make that will secure the organizational community without undue hampering of workers.

  • Deploy automated, context-aware access controls

Automate the many processes and workflows that govern the access each worker has to apps, databases and services within his or her digital workspace. Technology is available now that will:

  • Govern what resources can be accessed for each person, based on their immediate working contexts (including the devices being used, physical locations and time of day)
  • Automatically provision and de-provision those resources as needed based on that working context
  • Track that access gathering data necessary for guaranteed, easy audits.
  • Low-maintenance whitelisting with automation

Human behavior is your greatest security risk. And today’s cybercrooks are becoming increasingly creative in their attempts to exploit human inattention. Context aware whitelisting and blacklisting can ensure that only permitted apps can be executed; and the list of permitted apps can be governed by IT based on what the business chooses to allow, and each individual worker’s context at the moment access is attempted. Whitelisting adds a thick layer of protection by only allowing approved executables to be opened.

Although many organizations have some form of whitelisting in place, maintenance burdens can be high for traditional solutions. A new approach can not only use automation to better maintain the whitelist, but can add user safeguards by automatically verifying unique file signatures. This ensures that the files being executed are authentic and that workers aren’t being tricked into opening different infected files.

  • Automate the onboarding and offboarding of workers

More than 13% of workers can still access a previous employer’s systems using their old credentials. And there’s much more. In a study on rogue access, Intermedia found that 89% of ex-workers retain access to at least one app from a former employer. 49% actually logged into an account they were supposed to no longer have access to. 45% retained access to confidential data.

When employees leave the organization, that is the moment they pose perhaps the greatest risk to the organization. IT must tightly integrate de-provisioning processes into existing human resource apps, project management systems and other enterprise identity stores. Doing so allows worker access qualifications to be automatically managed and altered each time a worker’s identity status is changed in those systems. With a more holistic approach to identity lifecycle management, organizations can significantly improve productivity, compliance and security – and prevent former employees from exposing the organization’s data and systems to extremely high risk.

  • Stamp Out “Shadow IT”

Today’s crop of workers are productive like never before, thanks to the incredible technology available through modern digital workspaces. But this productivity also breeds an “I need it right now” attitude towards new technologies. And if IT can’t provide it “right now”? Often the worker’s solution is just a log in or credit card away, with ubiquitous cloud-based solutions studding the skies overhead.

The risks are great. IT must prevent employees from taking matters into their own hands to solve IT issues. But is shadow IT best prevented by hiring an army of alert IT professionals, available 24/7? Or is there an easier (and cheaper) solution? Yes! Through automation, IT can provide on-demand self-service access to the apps and services workers need, and prevent workers from circumventing access rules. This can include password management, access to a new data drive, or a request for a particular workspace app. The best way to prevent workers from going around procedures is to give them an instantaneous, trackable and reliable way to get what they need from IT. No hassles. No tickets. No violations.

Security should come naturally to an organization, but it will likely never become second nature to many of your workers. When we’re at home, we’re surrounded by a sense of security – no matter how real or illusory it truly is. Many of us don’t truly think about security unless our perimeter is breached. But IT can build a powerful security shroud around its systems, its data and its workers, by using automation and self service to simplify security processes, empowering workers to focus on their responsibilities without disruption, and keeping the enterprise safe from intrusion.

To be sure, no security solution is perfect. But we owe it to our organizations and our fellow workers to do our very best.

Pokemon GO Away: Top Apps to Find Things You Actually Need

July 29, 2016 Comments off

Guest post by Andrea Woroch

When you respond to the mention of Pikachu with, “bless you!,” you know you’re aged out of the latest app craze. Pokemon GO is inescapable right now, whether you’re grocery shopping, watching the evening news or simply driving your car. The game, which reportedly has about 9.5 million active daily users despite debuting just a few short weeks ago, has increased smartphone-related oblivion to an all-time high, resulting in car accidents, robberies, breakups and a few near-death experiences.

Despite the apparent omnipresence of these cartoon creatures, not everyone is overcome with the desire to catch them. If you prefer to use your smartphone to find something you actually need, consider the following app recommendations that don’t require the ceaseless pursuit of pocket monsters.

Find fee-free ATMs with ATM Hunter.
According to recent reports, the average out-of-network ATM withdrawal fee is $4.52. That’s the cost of a fancy latte just to access your own funds! Use the ATM Hunter app to find nearby cash withdrawal machines that won’t charge you fees and save that money for your next caffeine fix.

Find inner peace with Calm.
Who couldn’t use a little calm these days? This app offers guided meditation to newbies who are interested in the practice but aren’t sure where to start. While the free app has plenty of great content, users can upgrade to paid subscriptions for $9.99 per month or $39.99 a year for access to more robust meditation programs.

Find coupons and savings with Coupon Sherpa.
Don’t fear this cartoon character: Coupon Sherpa lists coupons for real savings from top national brands and local shops and services. For example, you can currently use a Home Depot coupon to save $5 off your $50 purchase. The “nearby” function also highlights offers available near your location, including local restaurants, hair salons and other service providers.

Find happy hour deals with Happy Hour Finder.
Observing the downward spiral of humanity into the make-believe world of Pokemon GO calls for a stiff drink. Use the Happy Hour Finder to locate the best booze specials at nearby restaurants and pick your poison accordingly without blowing your budget.

Find new digs using HotPads.
Sick of your roommate? Find a new room or place with HotPads. The app features apartment listings nationwide along with neighborhood details, such as nearby schools and a “walk score” of the area to help you pick a place to live that suits you best.

Find a place to go using Sit or Squat.
When you gotta go, you gotta go, right? This app identifies nearby public restrooms on a map offering user reviews and ratings to help you find a clean place to stop.

Find the fastest route with Waze.
Wherever you’re heading, this community-based traffic and navigation app will get you there sans construction slow-downs and insidious rubber neckers. You’ll get real-time traffic and road information from other drivers in your area, saving you time and gas money on your daily commute.

Find your travel deets with TripCase.
Frequent fliers take note: TripCase is your ultimate digital travel assistant. The app sends notifications about flight delays, gate changes and baggage claim information, often more quickly than the airlines themselves. Plus, you can also store hotel, transportation, meeting and entertainment confirmations and reservations for quick reference.

Andrea Woroch is a money-saving expert who transforms everyday consumers into savvy shoppers by sharing smart spending tips and personal finance advice. As a sought-after media source, she has been featured among such top news outlets as Good Morning America, Today, CNN, Dr. OZ, New York Times, MONEY Magazine, Consumer Reports, Forbes and many more. In addition, Andrea’s stories have been published among leading publications and sites such as Yahoo!, AOL Daily Finance, CNN Money, Huffington Post, LearnVest and New York Daily News. Check out Andrea’s demo reel or visit her website at AndreaWoroch.com for more information about booking an interview or requesting an original written article. You can also follow her on Twitter or Facebook for daily money tips.

What the Juniper Revelation Means To You

December 23, 2015 Comments off

The Sixth FlagPete Kofod, December 22, 2015

Juniper Networks, a leading networking equipment vendor, announced on December 17, 2015 that they had discovered “unauthorized code” in their ScreenOS software.

ScreenOS is the operating system used to run their widely deployed firewall and VPN equipment.   The software appears to have been surreptitiously inserted, granting attackers full access to the firewall and the ability to read encrypted traffic.

To make matters worse, it appears this intentional “back door” has been a part of the ScreenOS since 2012.  Given how much sensitive traffic is protected by Juniper equipment, the consequences will likely prove to be disastrous.

Juniper is the firewall vendor of choice for the Unites States Department of Defense as well as for the banking sector.    Consequently, this vulnerability impacts virtually every government agency, Fortune 100 Company as well as the broad technology sector including social media firms and their customers.  In other words, everybody is impacted.

While Juniper and their customers go about analyzing the extent of condition and remediation, we should also consider this to be a teaching moment and an opportunity to review our assumptions about how we secure systems.

Defense In Depth is Not Enough

Most IT professionals, and certainly all security professionals, are familiar with the concept of Defense In Depth.  The principle states that security functions should be layered, forcing adversaries to successfully compromise multiple layers before successfully reaching a network’s “inner sanctum.”

Security LayersWhile this is certainly a worthy security guideline, there are good reasons to believe it may not fully meet its intended mark.  Defense in Depth historically is a network as opposed to application concept.  Simply, it is classic network security involving access lists on border routers, packet inspection by firewalls and restrictive routing policies inside the perimeter.

Unfortunately we have seen that many applications do not include detailed, multi-layered application security, choosing instead to rely on external resources (“the security team”) to save them, except the point and mandate of Defense in Depth is that each layer should include relevant and effective security.

This trend has only become more pronounced as application development has converged around web services.  Vulnerability exploitation has followed the trend and moved “up the stack.” This makes the security engineer’s responsibility far more challenging as applications, including exploits and attacks, are moving communications to HTTPS.

Defensive technologies such as Web Application Firewalls have stepped into the gap in an attempt to mitigate such attacks, but clearly they are not always successful and should not be considered the sole or even primary remedy.  Security is everybody’s responsibility, especially application developers and owners.   In addition to Defense in Depth, technologists should consider adopting cell structure approach to security.

Importance of the Cell Structure approach to Security

Cell Structure Security is the idea that the impact of system compromise can be sufficiently mitigated regardless of which system is affected.

The term traces back to how clandestine resistance groups organize themselves.  In a resistance movement organized in a cell structure if a member of a cell is captured and compelled to spill the beans, the compromise does not go beyond the individual or, at worse, the members of the cell.

To be clear, Cell Structure Security does not ask the question of whether a system can be compromised, it assumes compromise can and will occur at any level and therefore focuses on limiting the damage post-failure.

In a world of directory services and central authentication, this may seem like a tall order but analyzing the feasibility of implementing such an architecture is a worthwhile exercise nonetheless.

In the context of the current mess, it is all but certain that organizations have seen elevated credentials traverse their Juniper VPN connections completely unprotected.  The extent of condition for Juniper’s customers is still largely unknown but it should be assumed that the impact reaches far beyond just patching the Juniper systems.  In fact, the skunk may  well still be inside the walls as internal systems are likely to have been targeted based on the attackers’ reconnaissance of compromised VPN traffic.  The collapse of a single system has compromised the entire enterprise.

Premise is NOT inherently more secure than public cloud

Security remains a persistent concern for organizations considering the public cloud as a software and infrastructure platform.  Whether restricted by cultural or regulatory considerations, events like the Juniper incident should force technology managers to assess whether premise-based systems offer more effective security.

Public Hybrid PrivateWorries have understandably been fueled by well-publicized security breaches of cloud application vendors, but even a cursory review shows lax software and system design were more often than not to blame as opposed to inherent structural flaws of the cloud.

The truth is that the public cloud, in the hands of a responsible and security conscious team should be seen as an asset that can strengthen, as opposed to weaken, system security.  Top cloud service providers offer rich security functionality, but it is up to the software vendor and client to avail themselves of it.

An interesting exercise for technology leaders to undertake is to consider the architectural differences between premise and cloud-based systems.  Odds are that if they are both well-designed, the differences are not going to be significant and the public cloud may in fact offer security features such as 2-factor authentication and web application firewalls at a fraction of the cost of premise-based solutions.

Technology teams should also challenge themselves to answer the following question:  “If we were to move all systems to the public cloud, how would we do it in a manner that is consistent with our security objectives?”  After doing that, the team should compare the move with maintaining their existing premise-based architecture.

If the team finds itself implementing security measures in the cloud, which have not been currently implemented on premise, the team should ask why that is the case.

Conclusion

While the full impact of Juniper’s security lapse will not be known for some time, it should serve as an urgent opportunity for technology teams to question fundamental security assumptions, not just vendor selection.  What happened to Juniper can happen to anybody, vendor and customer alike.  IT leaders need to spend more time guiding their teams in evaluating consequences of security failures.

While vendors tend to define problem narratives in terms of known solutions, customers should not confine themselves to following that path.

About Pete Kofod

Pete Kofod has over twenty years of technical and leadership experience in Information Technology, including the development of secure hosted services for the transportation industry as well as designing and managing networks in the utility and defense sectors. Pete is Principal of Raleigh-based Datasages Consulting Group LLC, a firm he founded in 2008 that is dedicated to providing enterprise management services to industrial and transportation customers. Pete is often called upon to lend expertise to large-scale transportation projects. He has been a material contributor to the implementation of Positive Train Control in the United States, particularly as it applies to security and availability in a hosted environment.  Pete is also cofounder of The Sixth Flag, Inc. He can be reached at pete@thesixthflag.com

Experimental Film Fest

A refuge for art house, avant-garde, experimental, exploratory, and silent cinematic creations

False Pretense Films

Films with a Twist

I'm Just Trying to Help

Helpful Hints, Tips, Tricks, and Info

5K a Day 2017

Our 2017 fitness goal

The securityNOW Podcast Show

Cybersecurity News and Interviews

LoneStarFreedomPress

Phoenix Republic - The Lone Star Gambit / Sovereign's Journey

%d bloggers like this: