Friday, September 24, 2010

Rule No 4 - Paranoia Big Destroya

Firewalls Are Critical

I remember sitting at my work bench at 1st tank battalion, the windows open to the shop, technicians scattered all over the tank ramp, and during lunch it would get quiet, and you could step out of the front door to the shop and see the entire battalion, the hillside and some of southern California. I would be eating a hot baloney sandwich that had pretty much melted in my baggy, stuffed in my brown paper lunch box and left in my car during the heat of the summer. It may have been 90 degrees but there was always a cool breeze flowing from the Pacific.

Behind me, an old FM radio that had been dropped, crushed and broken several times, lying in a heap of parts and wires, cranked out that song loud enough so the tankers could hear it on the other side of the tank ramp. That was a requested song, on the Mighty MET, KMET southern California. Just hearing it brings back memories, a lot of ironic memories.

Harry and I were brown baggers and we would eat lunch together. One of the big secrets that we kept to ourselves was the radio that we had modified on the work bench. Not the radio that played hard rock all day, but our transmission station. We had to test the radios in the tanks, so a guy would climb in, and the tankers would take us out into the boonies where we would crank up the radios and request a radio check.

“Test One, Test One, this is Test Two over.”

“Roger Test Two, this is Test One over.”

“Test One, this is Test Two, request a radio check over.”

At that time we would crank up the FM radio, wrap a rubber band around the microphone key and set it in front of the speakers, and Pat Benatar, Led Zeppelin and the Kinks would rain down on southern California. Me being the last of the junior technicians to work on the transmission station, I found that I could adjust the springs on the amplifier with a heavy metal screwdriver (they were heavy copper springs) and raise the transmission wattage by 80%. That was not to spec, that was way beyond spec.

I think I was broadcasting to New Jersey.

Harry and I were eating our lunch when we received the first radio check. Harry cranked up the FM and held the mic to the speakers for about twenty seconds. That was all that a technician really needed out in the field, but after he went back and sat down the request came again. Then it came again.

At this time we both realized at the same time that all the technicians were at lunch. A tanker must have found our secret, and wanted to hear some tunes out in the field. So, Harry wrapped the rubber band on the microphone and laid it in front of the speakers and came back to eat his lunch on a stool by the front door with me. We sat in the warm California sun and we could see everything from the top of that hill.

In fact it was right about then when I noticed the giant black mobile home with radar dishes and a forest of antennae come over the hill on its way to the battalion. I nudged Harry, “Check that out.”

Then we watched the radar on the top of the truck stop swinging back and forth and focus on me and Harry.

Expletive deleted.

Harry and I both ran to disconnect the radio but it was too late. Apparently Channel 2 San Diego had Video, but was re-transmitting the Mighty MET randomly throughout the day for audio.

We were caught by the man.

They took our radio, and our transmission station. Harry and I took the blame for the battalion. Those damn tankers.

Ever since then I have been somewhat paranoid over what I transmit over a radio, or send over the internet. Someone is always listening or watching you, some of them are good guys, but mostly they are bad guys. There are people that were never taught how to behave, how to have respect for others. Those people will rob you when you are not looking, take stuff that is not theirs and stalk you.

You can’t let that happen. Your laptop or PC is not isolated. Once you plug in or sign on to a WiFi connection, you don’t know who is out there and what they are going to do to you. So here are two important tips:

1. You need a firewall. There is no question. Even at home. If someone tells you otherwise they are just ignorant. A router or cable modem that turns off ports is not a firewall. A firewall will examine packets and types of traffic and can determine a threat, which a modem or router cannot do.

2. You need antivirus software. You need it on all your machines, especially at home, and you need it on your firewall.

There is no way around it. It is like buying locks for your house.

I don’t care where you get it from, who makes it (actually I do, you have to have a reputable firewall) or how inconvenient it is.

Ignore this at your own peril.

Tuesday, September 7, 2010

STOP POP UPS

It happens all the time, when you go to a web site, a pop up asks if you want to sign up for a newsletter or something or you must register to see the postings.

Don’t click on anything. Be safe: close your browser and start over. There is a way for hackers to make a connection to your computer once you click on that screen, even if you click to close the box. If you cannot find the ‘X’, use ALT+F4.

Hackers use pop ups to get you to hand over your secret information at the bank, or on common web sites. They are out there and they are not joking around. This is serious. If a legitimate organization wants you to sign in to get a newsletter or force you to register to read their public postings, then they will do so on a normal page.

Do not get in the habit of answering these pop ups. It is called social engineering, and that is what they want you to start doing. You will fall for their scams much easier if you have been trained to do something and they can hijack the results.

Legitimate companies will not threaten your security, and if they aren’t legitimate you shouldn’t be there in the first place. Don’t worry; there are even Porn sites that will not threaten your security. Whatever it is you want to buy, you can find a legitimate web site to sell it, don’t get lured into the wrong places.

Thursday, September 2, 2010

Rule 3 Business Impact Analysis

In the Marines, there was a rating system for all the equipment needed to go to war with. When a piece of equipment was defective or downgraded enough so that it could not be used it was considered combat deadlined. I was at 1st tank battalion when I learned about this the first time, and I was indeed working on a tank. There was a damaged cable that ran under the turret so the tank would have to be disassembled in order to replace the cable. I told my gunny and he authorized it, and as usual I assumed I was done with the whole mess. I guess I figured they would throw the tank away and get another one.

Then I overheard my Gunny talking to my Lieutenant and he was the first person to say ‘Combat Deadlined.’ I think he said ‘Castro combat deadlined the tank on a Friday afternoon.’

Of course I was proud of myself until I had heard those words.

I figured they wouldn’t be done till Monday, so I was ready to go home, it was Miller time. Gunny stopped me with a few grown up words, and he explained that I was to sit next to the tank until it was done. There was no going to bed, or taking a break. I had opened a grand can of worms I did.

He left me standing there contemplating my fate. Although I had orders to get the tankers to take the turret off the tank so I could get in there, I was going to have to sit and watch them work all weekend. Suckage went up a notch, happy went down.

That night, that Friday night, I had Sergeants and Gunnery Sergeants waiting for me to tell them what to do. We located a part on the other side of the base and I had a driver go get it Friday night, and the tankers as well as the tank maintenance guys tore the tank apart all night long. They even took this giant crane tank and lifted the turret off so I could work in there. There were giant lights like at a football game, crews of maintenance guys, kitchen guys who brought us coffee and food.

I thought I was the Commandant. Sunday morning at about 3:00AM we were finished. I thought that was pretty cool on the whole.

Well, at my next duty station I learned a little more about the rating system, as I became Jr. Birdman for Combat Engineers. There were manuals on this rating system. I learned there was equipment that was not taken when we pack up and leave to go to war, there is equipment that will not leave my side, and there is equipment that is backup and standing by in case I need it. All these items were in various states of order and repair in a maintenance shop like mine, so the first thing I did was compare what the manual was saying with what my new shop looked like.

All the radios were dead or broken, we had one of twelve jeeps working and none of the mine detectors would pass a basic test. So I combat deadlined each one of them.

Unbeknownst to me, I combat deadlined the entire battalion.

Giant cracks appeared in the foundations of the Earth, the sun went dark and I think I saw a unicorn die. The Colonel called me into his office. A real Marine Colonel, I had seen one once, I think he controlled the lightning. As I walked through the crowd of Marines who quietly parted and removed their hats for me, I wondered if my family knew where I was.

Well, turns out, my Colonel was a cool guy. He told me the Pentagon was sending people from the IG’s office to meet me. Most guys would probably be excited, or proud. I had to change my underwear.

I was given authority to go anywhere on the base and exchange my equipment, radios, mine detectors, jeeps, with anyone else out there, it was awesome. For a Lance Corporal in a Staff Sergeant’s billet, I was king boss high banana but no one had any respect for me. That’s another story altogether.

I was just a Lance Corporal, but within 72 hours I had the battalion back up to 99% readiness.

In the IT world we have the same thing. It is called a Business Impact Analysis Rating, and we rate computers, people and processes.

What this means is that if an item, person or process is so important to your business that its loss could shut down the company, even for a few hours, you must take extraordinary measures to protect it and prevent that downtime. As a business owner you must determine in your mind what is important enough that you would want to spend the money protecting it.

You have to be able to estimate the cost and expense of a business interruption. In some cases it can be devastating, and a simple computer failure has caused businesses to close. (That data, he’s so funny.)

What we have learned from disasters and terror strikes is you can’t prevent the inevitable. So we don’t say ‘Disaster Prevention’ anymore. We say ‘Disaster Avoidance’. You can’t prevent a disaster, but you can minimize the effects, and avoid a complete disaster. It starts with the first five steps…

To take care of IT you must do five key things:

1. Document it. In the event of a disaster, theft, robbery or damage, you have paperwork to prove what it did, either for insurance purposes or for procedural purposes. Businesses will insure their important people; they will spend money to protect themselves from losing money. In IT we must do the same thing. Document your devices, people and procedures.

2. Minimize the risk of loss or failure. Do this by protecting it, making it more resilient to threats and even replicating it, be that a person, device or procedure. For devices, we put Uninterruptible Power Supplies on them, mirror the drives and back up the data.

3. Secure it. Protect it by locking it behind doors, putting it behind a firewall, password protecting it or even physically locking it down.

4. Prepare for the possibility of a failure or loss. We duplicate the training on multiple key personnel, we duplicate the processes on several machines or locations, or even have parts standing by in case of failure.

5. Obsolesce it. This is part of minimizing the risk of failure, by not allowing the device to get too old, or the people to leave without training a replacement.

This is the rating system we use:

• A: Critical equipment. Damage, loss or failure will result in a business interruption. An example would be the primary network switch. If it fails, the entire company will be impacted.

• B: Critical equipment that would not directly cause a business interruption but will definitely affect production, such as the primary shipping computer. Without it people are running all over to do the job that was done on that one machine. Failure of this machine will not shut down the company but it will be tough to get all the shipments out that day.

• C: Non-critical equipment that will affect some aspects of production, but mostly will be easily replaced or repaired. A good example would be the receptionist’s computer.

• D: Non-critical, collateral equipment that is used as extra or to help facilitate better performance and production. More than likely in the ‘who cares’ department. An example would be the receptionist’s monitor.

Every business owner should examine his departments and personnel to establish the BIA rating for all possible events, from hurricanes to theft. Once the rating has been established, the next important piece would be to assign the obsolescence rules that apply to those devices.

• A: For devices we do not want them to get older than 2 to 3 years. For procedures we must audit them every quarter. For people we have alternates trained weekly in some cases.

• B: For devices we do not want them to get older than 3 to 4 years. For procedures we must audit them once a year, verify that they are still valid and update documentation. For people we have alternates who swap jobs periodically or share responsibilities.

• C: For devices we do not want them to get older than 4 to 5 years. For procedures we consider them ad hoc; they are not necessarily important enough to write down or spend time training. For people we have an HR department or person who keeps these positions filled.

• D: Collateral
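The rating and obsolescence rules above can be checked against an asset inventory automatically. The following is an added example, not part of the original post: it flags devices that have entered or passed their replacement window and procedures that are past their audit interval. The device names, dates, the 91-day reading of "every quarter" and the reading of each age range as "plan at the low end, replace past the high end" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# (plan_age, max_age) in years per BIA rating, from the obsolescence rules.
# Assumption: the low end of each range means "plan a replacement" and the
# high end means "replace now". D (collateral) has no rule, so no limits.
AGE_WINDOW = {"A": (2, 3), "B": (3, 4), "C": (4, 5), "D": None}
# Procedure audit interval in days: A quarterly (assumed 91 days), B yearly.
# C procedures are ad hoc, so they are never reported as overdue.
AUDIT_DAYS = {"A": 91, "B": 365}

@dataclass
class Device:
    name: str
    rating: str       # BIA rating: "A", "B", "C" or "D"
    in_service: date  # date the device went into service

def device_status(dev, today):
    """Return 'replace', 'plan' or 'ok' for one device."""
    window = AGE_WINDOW[dev.rating]
    if window is None:
        return "ok"
    plan_age, max_age = window
    age = (today - dev.in_service).days / 365.25
    if age > max_age:
        return "replace"
    return "plan" if age >= plan_age else "ok"

def audit_overdue(rating, last_audit, today):
    """True when a procedure of this rating is past its audit interval."""
    interval = AUDIT_DAYS.get(rating)
    return interval is not None and (today - last_audit).days > interval

def replacement_queue(devices, today):
    """Devices needing action: most critical rating first, then oldest."""
    flagged = [(d, device_status(d, today)) for d in devices]
    flagged = [(d, s) for d, s in flagged if s != "ok"]
    flagged.sort(key=lambda pair: (pair[0].rating, pair[0].in_service))
    return [(d.name, d.rating, s) for d, s in flagged]

# Constructed sample inventory and date, for illustration only.
TODAY = date(2010, 9, 2)
INVENTORY = [
    Device("reception-monitor", "D", date(2001, 5, 1)),
    Device("shipping-pc", "B", date(2007, 6, 1)),
    Device("file-server", "A", date(2008, 2, 1)),
    Device("reception-pc", "C", date(2008, 3, 1)),
    Device("core-switch", "A", date(2007, 1, 15)),
]
```

Calling `replacement_queue(INVENTORY, TODAY)` lists the A-rated switch for replacement first, followed by the devices that have entered their planning window.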

Armed with this information, a business owner can predict the costs associated with maintaining the IT equipment. Servers should not be over three years old as the risk of failure goes up astronomically. This is not just hardware, but software obsolescence and application support. If a drive goes out on the server RAID subsystem, does it have to have the exact replacement drive for it to function properly? In five years will you even be able to get that model? In five years will anyone remember how it was set up? You know you could lose all your data that way, right?

Don’t risk it. When a business is interrupted it costs much more money than people realize. You’re paying people to stand around and watch you pay other people to fix what’s broken. All the while you lose money and customers because you can no longer provide the same level of service your customers are used to, and they go somewhere else in a hurry. It is a domino effect that is just about money. Save the money by taking care of issues before they become issues.

That is why big businesses don’t talk about downtime. They talk about uptime. Being up 99.999% of the time. They are down less than 5 minutes a year. Why? Prevention: they take care of their equipment before the risk of failure hits their books.