Hackers and Social Manipulation – 2/20/2012

[Part 2 of ‘Security Threats to Your Business’]

In last month’s posting, I defined the term “hacker” and explained how the news often portrays businesses as having been “hacked” when in reality they haven’t been compromised at all.  This month we’ll talk about the opposite situation: how businesses often do get compromised – frequently through social manipulation.

In 2008 the most significant breach of US military computers began at a US military post in the Middle East. A foreign intelligence agency managed to place a virus or malware program on a USB flash drive that was later plugged into a US military laptop, infecting it. From there, the infection made its way onto a U.S. military Central Command network. According to Defense Secretary William J. Lynn III:

 “That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.”

 “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

While this cyberattack was eventually neutralized, there is no telling exactly how much data the perpetrators accessed.  Interestingly however, this is a well-known method of attack to security professionals protecting the business community.

Social manipulation, or social engineering, is the art of manipulating people into performing actions or divulging confidential information that they wouldn’t normally.  Most frequently this is accomplished through trickery or deception so that the target does not even realize that they are giving the attackers access to confidential systems.

Examples

One method of attack that has been widely known for nearly a decade has been to place malware on a number of USB flash drives and then sprinkle them around in the parking lot of a target business early one morning.  The ruse can be made even more successful by labeling those same USB drives with the target company’s logo.  While not all employees will be fooled by this attack, frequently several will pick up a USB drive and plug it into their computer systems at work, thus infecting their systems and giving the hackers access.  The attack on the US military’s computer systems was just a variation on this theme.

Phishing is another frequently used technique – and it is far less expensive than using USB drives and therefore far more common.  It is the process of scamming individuals, usually via e-mail.  The target typically receives an e-mail from a source that they might believe is legitimate (like their bank, credit card provider, eBay, Craigslist, etc., etc.) and is asked to either open an attachment file or click on a link within the message to review or help verify some piece of information.  In doing so, the target frequently installs a program on the target system that will either gather information and send it to the hackers or grant those hackers remote access to the systems.

Calls Requesting Access.  Within just the last few years, we have even heard of businesses’ employees being called on the phone and told that the person on the other end is from Microsoft and is helping resolve a computer issue that the company is having.  The trusting employee is then guided through a series of steps that will give the caller remote access to the employee’s computer and from there to the whole company’s network.

These are just a few of a long list of tactics employed by those utilizing social engineering to manipulate employees into giving them access.

Tips for Protecting Your Business

  1. The best protection is knowledge.  Share this posting with your employees; discuss it openly and often at your company meetings.  Invite a company like ourselves in for an annual lunch & learn with your employees to talk about the threats that exist and how they can be thwarted with common sense.
  2. Create company policies around the acceptable use of your business’ computer systems and define what should and should not be done on company computers and network resources.
  3. Have your IT provider deploy advanced firewalls which examine the contents of each packet of information coming in from the Internet and can block malicious code before it reaches your systems.  The same firewalls can also be configured for “Geo-IP filtering,” a process that can block all information packets from places like Russia, China, Nigeria etc. – which is where the majority of these attacks originate.
  4. Consider having your IT provider disable floppy drives, USB ports, and even CD-ROM drives on computers to prevent employees from introducing malware into your computer systems and network.
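
As an added example (not part of the original post), here is one way an IT provider could check tip 4 on a workstation, assuming the computers run Windows. The script reports whether the standard Windows drivers for USB storage, CD/DVD and floppy drives are disabled, and disables them only when run with `-Enforce`.

```powershell
# Added example: audit, and with -Enforce disable, the Windows storage drivers
# behind the media named in tip 4. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only reports
)

# Driver service name -> the media it serves.
$drivers = [ordered]@{
    'USBSTOR'  = 'USB mass storage (flash drives, external disks)'
    'cdrom'    = 'CD/DVD drives'
    'flpydisk' = 'Floppy drives'
}
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$disabled    = 4   # service Start value 4 = disabled; 3 = loaded on demand

$report = foreach ($name in $drivers.Keys) {
    $key   = Join-Path $servicesKey $name
    $start = $null
    $state = 'driver not present'

    if (Test-Path $key) {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($Enforce -and $start -ne $disabled) {
            Set-ItemProperty -Path $key -Name Start -Value $disabled -Type DWord
            $start = $disabled
        }
        $state = if ($start -eq $disabled) { 'DISABLED' } else { 'ENABLED' }
    }

    [pscustomobject]@{
        Driver = $name
        Media  = $drivers[$name]
        Start  = $start
        State  = $state
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when any driver is still enabled, so a management tool
# that runs this script on every workstation can flag the machine.
if ($report | Where-Object State -eq 'ENABLED') { exit 1 }
```

Disabling `USBSTOR` blocks USB storage devices only; USB keyboards and mice keep working because they use different drivers.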

Sagacent Technologies can help educate you and your staff with any of the above items and much more.  Just give us a call and we’ll start helping you become more secure.

- Ed Correia

 

 

 

Hackers, Hackers Everywhere! – 1/24/2012

[Part 1 of 'Security Threats To Your Business']

There is frequently a lot of talk about hackers in the news – and lately it seems to be a daily occurrence.  Sadly, from my perspective most of it is of little real use to the typical business owner – other than to scare you. What is really going on here?  How are these attacks being perpetrated?  And what can you do to protect yourself?  These questions are usually never discussed.  Today, I’m going to start the first in a series of articles about security threats and your business. I’ll review a number of things that have been in the news in recent months, and share with you whether you really should be concerned or not and what you should or should not be doing in your business to protect yourself. Since there is clearly a lot to cover in this massive topic, this will most likely take two or three months for me to do an adequate job.

The Term “Hacking” 

Hacking used to refer to an individual testing his wits against a computer challenge. Today, it usually refers to any unauthorized access of computers or data, often utilizing various underground software programs, techniques or tools. However, the news media often describes any attacks upon computers and networks as having been ‘hacked’ when in reality the attacks may or may not have required any actual “hacking” tools or special ability at all.

Frequently we hear stories about Internet sites being “taken down”, but what does that mean?  These attacks are usually the result of what we call a denial of service attack (DoS attack) or distributed denial of service attack (DDoS attack). The technology needed to take down a website is far less sophisticated than the tools or skills needed to break into a site and steal its information.   A typical DoS or DDoS attack means flooding an Internet website with huge amounts of illegitimate communication requests.  When this is done in sufficient quantity, the legitimate traffic can’t reach the target servers.  Thus, the end effect is that the site is extremely slow or not reachable at all.  This was exactly the case with the numerous attacks against Israeli computer networks – including the Tel Aviv stock exchange, the national airline El Al and three banks.  It was similarly the case for the retaliatory attacks against Saudi and United Arab Emirates stock exchange websites. This was a case of cyber-warfare and revenge.  Each side wanted to hurt the other, but the attacks didn’t necessarily mean that anyone had access inside the networks; the computer systems were simply either extremely slow or inaccessible.

Sadly, there isn’t a lot that can be done to protect you against such attacks.  On the other hand, these types of attacks tend to be directed towards very large institutions and government entities.  So the actual threat to the typical small business owner is very minimal.

 

Credit Cards And Hackers

Repeatedly, you hear of large companies in the news getting “hacked” and their confidential information being accessed.  This was exactly the case recently when Internet retail giant Zappos was “accessed”.  Unauthorized individuals accessed servers in a backup storage facility containing lots of information including client data, passwords and according to Zappos only the last four digits of each credit card number.  This was an attack done for financial gain.

When break-ins like this happen the perpetrators are looking for information of value.  In cases like this there are a number of ways that the information they gained could be of use.  Here are just two of many:

The hackers could attempt to connect to various other websites using each customer’s stolen login name and password in turn.  As most people tend to have only one password and then use it again and again on different systems, there is a greatly increased likelihood that the hackers could successfully gain access to another site where the client already had an account.  For example, if the hackers gained Bob’s username and password from Zappos and happened to try the same credentials on Amazon where Bob also had an account using the same credentials then they could easily access his information there.  And if Bob also had linked his credit card information at Amazon for easy ‘one-click’ purchases, then simply by gaining access the hackers could then purchase huge quantities of product unbeknownst to Bob.

The hackers could also attempt to sell the information that was stolen. There is a thriving black market for any information of this nature – and masses of individuals only too willing to purchase it for a price.  The information being purchased can then be used in a number of ways, including those described above and identity theft.

The first take away from this is that users should use different passwords on the different systems they access.  Using the same password on many systems is only asking for problems.  And the passwords should be complex and hard to guess.  In next month’s article I’ll go into great detail on what I mean by this.  But the resulting information should be shared with all of your employees.

The second take away is that this type of attack can happen to any sized business – and it is happening to smaller businesses with alarmingly growing frequency.  In fact, the legal authorities speaking at conferences that I attend annually frequently say that close to 70% of small businesses have already been compromised; they just don’t know about it yet. The best way to protect your business from this happening is to put in place strong data security and training of your employees.  In fact, it is through the employees that most successful unauthorized access is gained.  But more about that next month.

–Ed Correia

 

 

Flooding Disaster in Thailand Highlights the Need for all Businesses to Plan for “What If?” – 12/4/2011

After a six week shut-down, Western Digital’s hard drive plant in Thailand has been pumped dry and has resumed production – sort of.  This plant has been responsible for 60% of the company’s hard drive production.  While the six feet of water that had been filling the plant is now gone,  only some of the manufacturing processes have resumed.  However, some of the company’s hard drive manufacturing functions will likely not resume again until February or March of 2012!

As you may recall, the amazing flooding in Thailand has affected the whole computer industry in a major way as much of the world’s hard drive production is centered there.  Since the flooding began on October 15th many of these manufacturers have been under several feet of water.  The result has been the loss of income for hundreds of thousands of Thais (the Western Digital plant alone employed some 37,000 workers) and a big cut in general hard drive availability to computer manufacturers, resellers (like Sagacent Technologies) and consumers alike.  In many cases, we (Sagacent) have been struggling to fill the typical end of year surge in computer and server purchases and have quite frequently seen a doubling and tripling of hard drive costs – if we could find them.

However, there is another lesson to be learned here, and it relates to our own businesses.  While the flooding that caused all of this was certainly unexpected and unprecedented in recent times, it was nonetheless in the list of Sagacent’s ‘top 5 things’ that I warn my clients to be prepared for from a business continuity and disaster preparedness stand point.  Western Digital’s production has suffered a significant hit at a key point in their year.  They are expecting to incur special costs of between $225 million and $275 million as a result of this disaster.  How would your business fare if it were flooded – or some other disaster impacted (1) total productivity for six weeks, (2) partial productivity for months to come, and (3) it had to incur huge costs in order to become productive again?

It should make you think. And it should make you sit down with your key management and trusted advisors and say, “how would we deal with x happening and what would we do about it?”  That is where Business Continuity Planning begins.

– Ed Correia

 

 

 

Personal Device Management – 10/24/2011

Looking back over my last three decades in computers (actually 34 years now), technology has come a very long way and changed a lot.  I saw the introduction of the personal computer, the very first computer networks, email, the dawn of the Internet, only very recently Cloud computing – and now tons of personal mobile devices.

And these new personal devices are now making their way into nearly every business environment in a multitude of ways, but most concerningly as: USB memory sticks or jump drives, smart phones, laptops and tablet computers.  These personally purchased and unmanaged devices are becoming integrated into business environments that already had business-purchased and securely managed laptops, smart phones and tablet PCs.  In fact, many businesses are now encouraging their employees to BYOD – or Bring Your Own Device.

So now the business networks that we care for are quickly becoming networks of previously unmanageable complexity.   The world of technology is clearly changing again and my business must change too – and find solutions fast!

Our immediate challenges to be answered greatly center around MDM (or Mobile Device Management):

  • How do we manage business data on so many different devices?
  • How do we manage all of these devices, even those not actually owned by the company?
  • How do we protect the business data and isolate it from people and devices that are not authorized?
  • If required, how do we remove business data from a personal device without harming the personal data?
  • How do we then maximize the usability, function and productivity of these environments and all these new devices?

While a lot of people and vendors are already proposing products and solutions to address these issues, the truth is that no one knows all these answers – yet.  But we are already attending industry conferences with peers, participating in online seminars, meeting with vendors and looking at lots and lots of products.  Some of the early answers that we are sharing with clients today include:

  • Making business owners aware of these challenges and discussing options.
  • Establishing computer usage policies and acceptable use agreements for employees.
  • Only allowing personal devices access to company data if that device can be remotely managed and if required, remotely wiped of all company data.

Relatedly, but not exclusive to managing personal mobile devices, we have been encouraging clients to allow us to initiate:

  • Regular automated remote backups of laptops.
  • Encryption of data or hard drives on laptop computers.
  • Purchase laptops, or programs for them, which allow the easy segregation of company-owned and personal data.

So change is nothing new for technology, and as usual, it is never boring – the answers are out there and we’ll find them for you.

–Ed Correia

 

 

Lessons of Hurricane Irene – 8/30/2011

While not hitting North Carolina or New York with the full ferocity feared, Hurricane Irene did cause widespread destruction in upper New York State and Vermont.  And even though Irene was not as strong as Katrina, it still caused severe and widespread damage.  High winds downed power lines, interrupting electricity for hours to days.  The wind also uprooted and toppled trees and caused building damage.  Heavy rains caused widespread flooding of streets, buildings and even washed away a number of bridges.

Sadly, even after the lessons of 9/11, Hurricane Katrina, and the Japan Earthquake a lot of businesses were still caught unprepared.

According to the experts:

  • “A Company that experiences a computer outage lasting more than 10 days will never fully recover financially.  50 percent will be out of business within five years.” – Jon Toigo, Disaster Recovery Planning
  • “70 percent of small firms that experience a major data loss go out of business within a year.” – Price Waterhouse Coopers
  • “Eighty percent of small businesses that are not up and running within 10 days of a natural disaster go out of business within a year.” – Gene Marks, Huffington Post

So, what should businesses do to prepare?  Well, at a very minimum, here are five suggestions:

5 Essential Disaster Preparedness Tips for Small Businesses

  1. Discuss with your business advisors all possible business interruptions and planned reactions.
  2. Ensure that your business insurance policies cover all potential problems that you might experience.
  3. In addition to complete onsite backups – also have automated offsite backups.  Have them tested.
  4. Relatedly, maintaining copies of important documents and policies offsite is also recommended.
  5. Confirm that systems are in place to allow employees to work remotely and that they are trained to do so.

Sagacent Technologies can help you with all of the above items.  Just give us a call and we’ll start helping you prepare.

- Ed Correia

 

 

Announcing Hosted VoIP Phones – 8/16/2011

We are so pleased to announce that Sagacent is now offering phone systems again!  It’s been a few years since we started and then stopped offering Microsoft’s Response Point solutions.  Well, we’ve been looking at a number of providers for quite a while now and doing a lot of testing.

Over the first week of August, I completed product training and my engineers completed installation and configuration training.  So I am very pleased to announce that Sagacent Technologies is now VoIP certified with FreedomVoice and offering hosted VoIP solutions featuring Polycom phones!  While these solutions can work well in any sized business – they are simply amazing for smaller businesses that have never enjoyed the robust features of a high-end corporate phone system:

  • Traditional PBX Features
  • Dynamic Auto Attendant
  • Unified Voice & Fax Messaging
  • Salesforce & Outlook Integration
  • Softphone Software for Your Computer or SmartPhone
  • Internet Control Panel
  • Voicemail to Email Transcription

And all without having to buy an expensive PBX box to hang on the wall!

Please contact me directly if you would like to learn more.

–Ed Correia

 

 

Business Backup Choices – 5/28/2011

Last week I had a very interesting discussion with a key executive at a great new prospect.  While he felt that backing up his company’s data to tape was an ‘old method’, it was probably okay since the business was located in “class A” office space.  In his mind, they weren’t likely to be affected by many disasters.  While I agreed that in my company’s history we hadn’t seen any businesses hit by earthquakes, fires, major floods or tornados either [knock on wood], those weren’t the things that I was most worried about.

What I do worry about most for our business clients are the things that still happen only occasionally, but MUCH more frequently than natural disasters.  Over Sagacent Technologies’ 11.4 years, I have seen:

  • Several servers ‘just die’.  A key part like a system board or hard drive backplane just fries and you are dead in the water.
  • Three cases of theft, where the bad guys not only took the desktops and monitors, but the server as well!
  • Two cases where servers were destroyed by water damage.  (And we only ‘just’ narrowly avoided a third case this month where a power failure resulted in water backing up and coming to within AN INCH of the servers!)

In all of these cases, there was NO SERVER to restore any of the company’s data onto to begin with.  So the first challenge was to get a new server or build a new server ASAP and then start restoring from backup.  In each case, hardware identical to the original server just wasn’t available, so we had to do the best we could, often going with today’s hardware over yesterday’s.  Another big problem is finding a tape drive compatible with the old tapes.  I’ve seen this become a major stumbling block in itself. However, once we do have a server and a compatible tape drive, then the restores can begin.

Now clearly, in situations like these where the company is totally down and unable to work, we need to work extremely fast – and finding or building a new server can take time.  Happily business owners typically understand that it might take a day or two to get the hardware for the server ready for the data restore and cut us a little slack.  But what they never seem to understand is how their decision to use tape dramatically lengthens the time required to get back up and running.  In the past, I have seen several cases where restoring an entire server from tape (granted they had a lot of data!) added 3 to 5 days to the rebuilding of the servers.

This is because tape restores are very slow when compared with today’s best technologies and the restores will often require many tapes – not just one.  Add to this the fact that most tape backup programs do a really poor job of capturing a server’s entire ‘system state’ – so that while you may get back all the data that the company created, the server is often never quite exactly the way it was and requires lots of manual effort to recreate users, user security rights, user preferences, and many other things, etc., etc.

However, if you contrast ‘tape’ with say an ‘image backup to disk’, restores (and backups as well for that matter) are MUCH faster and almost always result in an exact replication of the original server.  You could even go a step further, where many of the disk backup solutions we put into place for our clients are servers in their own right – and can even ‘virtualize’ a backup image and then stand in for the downed server!  This allows the business to get back to work while we build the replacement server.  Talk about great fault tolerance!

Anyway, hopefully you can see why at Sagacent we just won’t install tape as the primary backup method any more – period.  Sure, it is fine for archiving data, but for your primary backup method, there are much better, faster, and more robust solutions available that pay for themselves many times over when real problems do arise and the chips are down.

If you’d like to learn more please let me know and I’d be glad to schedule a meeting.

- Ed Correia

 

 

Big Changes in the IT Industry – 5/16/2011

It seems that a lot of changes are occurring in business these days. The economy has placed increasing pressures both on businesses and business owners in recent years. But the last few decades have forced many industries to adapt, improvise and overcome the many changes pushed upon them or face extinction. This is particularly true for IT.

In the IT industry, the need to be offering true proactive managed services rather than merely reactive support after something has broken has been the rage for the last 6 or 7 years. I’ve watched as nearly a half dozen competitors closed up shop because they weren’t able to adapt. I’m proud to say that this idea was actually a founding principle for Sagacent Technologies over 12 years ago when I was planning the company.

However, today the ‘cloud’ is beginning to cast its shadow over the IT industry. In the coming 3 to 5 years industry pundits and I believe that at least half or even the majority of small businesses (5 to 99 employees) will turn to cloud or Internet hosted e-mail, files and servers. As such, the Gartner Group (one of those IT industry pundits I mentioned) forecasts that up to 70% of IT providers will cease to exist.

At Sagacent, we saw the trend coming and started slow and began our first offerings of ‘cloud’ or hosted services about 5 years ago with Internet-based:

  • Offsite Data Backups & Backup Data Archives
  • Anti-virus, anti-malware, and anti-spam e-mail filtering
  • E-mail caching and archiving

Today we have increased our hosting service offerings with the addition of:

  • Server Hosting
  • Data & File Hosting
  • Email & Exchange Hosting
  • Offsite Data Backup Hosting
  • Website Hosting

We still believe that small and mid-sized businesses have enough frustration and hard work struggling to just survive – let alone worry about managing your business’ IT infrastructure yourself. That is a role for Sagacent Technologies. Our job is to offer improved performance, value, and support while also guaranteeing overall system security – whether your systems are on premise or hosted in the cloud. And Sagacent will continue to evolve and grow as future changes dictate.

If you have questions or comments, please don’t hesitate to contact me.

– Ed Correia

 

 

The Power of Processes – 3/26/2011

About 20 days ago I posted some thoughts around my great dissatisfaction with the way most IT support is done. This was prompted by the fact that three of the last five businesses we signed-up for support with us were found to be in very sad shape.  Since that last posting I have received a number of e-mails and communications from people who were adamant or disbelieving that my technicians were somehow “gods in the world of IT” and “never did anything wrong” – to quote two individuals. Actually, nothing could be further from the truth.

My technicians and engineers are people.  And people make mistakes.  They get distracted, they get busy and things get missed.  In fact, I haven’t worked with a perfect technician yet, myself included.

In my opinion, the secret to ensuring that IT support is done correctly is to build a process around it – systematize everything. In fact, I think there should be a process around everything that a business does.

Building technology support processes first starts with identifying all the key components of a given network and thinking carefully about what needs to happen, what needs to be managed, how often and in what way. It continues with building forms, templates and tools that must be completed on a regular basis to consider the job to be done. And finally, there must be oversight – either another process or a person that is responsible for checking on the work of the other.

I know it sounds pretty simple, but it actually takes quite a bit of time initially.  However, once these steps are taken and the processes are put into place network support becomes much easier and identifying what is occasionally missed is no longer like finding a needle in the haystack.  Instead of expecting people to be perfect, we expect people to be imperfect and for things to be occasionally missed.  Now our processes cause the error or omission to jump out in front of our face and tell us that something is amiss so the problem can be addressed.

At Sagacent, we either have or are developing processes for everything.  And we’re making more of them all the time. We have a process for how each technician should begin his or her morning.  A process for how a client should be documented. A process for how each client should be managed and what work should be done when we visit them. A process for how service tickets should be written-up, completed and by when. And another process for following up on the work after it is ‘said’ to be done.  These are just a few of the processes that we have in place for our Technical Services Group.  There are still more, and many more still for other departments and functions within Sagacent.

So our technicians are not gods or even infallible, but the processes help ensure that what needs to be done gets done and that there is a reasonable system for discovering when something is not done properly.

If you have questions or comments, please don’t hesitate to contact me.

-Ed Correia

——————————————————

Side note:  I feel it necessary to give credit where credit is due.  My initial education about the importance of building processes in business came with my first reading of ‘The E-Myth: Why Most Small Businesses Don’t Work and What to Do About It’ by Michael Gerber.  In the years since my first exposure, I have re-read this book and its updated re-printing ‘The E-Myth Revisited’ nearly a half dozen times.

In his book, Gerber explains the failure-rate for small business: 40% fail in 1 year. Of those who survive 1 year, 80% will fail in 5 years, and of those who survive 5 years, another 80% will fail.  Contrasted with franchises, where everything is systematized and clearly documented, 75% of franchises succeed to 5 years.  Gerber argues the point that the success of these franchise companies is because of operations manuals, detailed procedures, and a consistent sales approach – every detail of running the business is specified down to dress codes and wall paper.

I highly encourage any business owner or person thinking about starting a business read this book.  Then, read it again.

 

 

Often It’s What Your IT Resource Doesn’t Do That Can Kill Your Business – 3/5/2011

Over the last few months we have added several new clients to our TechAssure SM management technology program.  But what awaited us on three of these new clients was startlingly bad.

The first site was almost literally a ‘house of cards’ waiting to collapse.  Our predecessor had tried to develop a new computing environment built on numerous open source products that he hoped to sell one day.  So, he had used this client as his guinea pig.  What resulted was a hodgepodge of free and commercial products from around 2000 with absolutely no support available.   Almost as bad, he was manually backing up some parts of the system (about 30%) periodically.  To say this firm was vulnerable would be a huge understatement.

The second site had numerous design and deployment errors including two computers that weren’t even part of the normal security system of the network (one was the firm’s owner’s PC!), the server lacked 27 security updates, but worst of all also hadn’t had a data backup since March 12th 2010!  My eyes almost popped out of my skull when I saw it.

The third site hadn’t had a functional anti-virus system since 2009!  And their three servers were also not being backed up for as far back as we could see.  Yes, the software was installed, it just wasn’t running.  And no one noticed!

All three of these firms are ultra-professional and depend on their systems to be available and fault-tolerant.  They trusted that their IT partners knew about what they said they knew and they depended on them to do all they told them they would do. Yet their previous IT support hadn’t seen fit to do a good job for them.  Sadly, most IT firms don’t know what they don’t know – and their clients often end up paying the cost!

Do your friends a favor, refer them to Sagacent Technologies for a ‘Second Opinion Assessment sm’ before it is too late.

If you have questions or comments, please don’t hesitate to contact me.

-Ed Correia

 

 

 
