09 June 2015

Risk Assessment

Administrators all know that there are risks to their systems. Data could be corrupted, information could be accessed by unauthorized persons, equipment could fail, or a natural disaster could destroy a building. In order to better understand what risks your systems face, it is necessary to perform a Risk Assessment.

Risk assessment deals with the threats and vulnerabilities of an organization, and how the loss of information or equipment would impact them. This process identifies and prioritizes weaknesses that could be exploited. Their main purpose is to inform management of the risks the organization faces, which of those need to be addressed, and the cost associated in both dollars and reputation.

How Do You Conduct a Risk Assessment?

A good place to start a discussion about risk assessments is with the National Institute of Standards and Technology. NIST is a non-regulatory federal agency within the US Department of Commerce that comes up with standards and guidelines for the Federal Government. They have published a set of guidelines called NIST Special Publication 800-30 that is titled "Guide for Conducting Risk Assessments." Although it is focused on Federal information systems these are guidelines that can be used in all organizations.

According to NIST, there are four steps involved in conducting a risk assessment:
  1. Prepare for the Assessment
  2. Conduct the Assessment
  3. Communicate Results
  4. Maintain the Assessment

Step 1: Prepare for the Assessment

During this phase the purpose and scope of the assessment is decided upon. It is here that you determine who is involved, what threats or vulnerabilities are to be addressed, and what sources of information are to be used. This allows you to develop scenarios that will help evaluate how you will deal with those risks if they occur. All equipment fails at some point, for instance a hard drive in a critical server. You should create a plan for how you are going to manage that risk and the best way to respond to that event.

This is also a good time to provide a reality check on what risks to focus on. This will help determine where you should use your resources as well as what risks are most likely to occur. For example, while the threat of a hacker injecting code into your SQL database is likely, the risk of a hurricane destroying your building in Montana is pretty low. So it seems reasonable to put more effort into preventing your database from being hacked.

Step 2: Conduct the Assessment

Now you need to perform an assessment of the risks your organization faces from a security standpoint. Some simple ways to start that process are:

  • Speak with the directors or department heads and ask them what information they feel needs additional security, and what they think are current vulnerabilities.
  • Review your network infrastructure, then research known vulnerabilities and determine what countermeasures you can take.
  • Perform a physical assessment of your building(s) and evaluate what risks need to be mitigated (i.e. sprinklers in the server room).

One of the most important tasks in the risk assessment is to prioritize. Not all risks and vulnerabilities should be weighed equally because not all events have the same likelihood of occurrence. Also, there are some risks that your organization can accept, while others would be catastrophic. One of the keys to this is identifying both assets and threats. You must first determine what it is that you need to protect and then identify what could possibly happen to those assets.

Then those risks need to be analyzed in terms of cost or severity. You can assess the risk as either quantitative (cost-based and objective) or qualitative (opinion-based and subjective). Either approach is valid and should be determined by organizational culture and the best way to communicate with management. Remember, a risk assessment provides an organization with a picture of its current situation and allows decision-makers to determine how best to respond to various scenarios.

Quantitative assessments focus on dollar amounts and use formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO). This is really effective in determining the cost-benefit analysis of various responses to risk. It is also easy to do for physical assets, such as a lost laptop. You figure how much a laptop costs, multiply that by how many laptops you expect to lose over the course of a year, and you get a dollar figure for the year. Based on that figure, you can determine the best ways to mitigate that particular issue.

On the other hand, a qualitative assessment is best used for things that do not quite have a dollar value. Consider the loss of a file server with unreliable backups. One of the files lost was the organizational history. Perhaps this file contained all of the different variations of the company's mission statement as it changed over the years. Even though this may be a heartfelt loss, it does not have to do with the business of the organization, and thus you do not need to put a dollar figure to the loss.

Step 3: Communicate Results

This is where the assessment results are shared. It is important that decision-makers have all of the risk-related information they need in order to make the best decisions for the organization. Communicating and sharing the results can be accomplished in a variety of ways, such as executive briefings, risk assessment reports, or even an internal web dashboard. These can be as formal or informal as the organizational culture dictates, but they must provide a prioritized list of risk and guidance with response strategy.

Step 4: Maintain the Assessment

Now that you have done all of that hard work and presented the fruits of your labor, you must keep the information current. There should be a process to monitor the risk factors identified in the risk assessment on an ongoing basis. Things change all the time in a network and the assessment needs to be updated to reflect those changes. By performing risk monitoring you can determine the effectiveness of the proposed risk responses, identify changes to the system that will impact exposure to risk, and verify compliance with security polices.

Risk assessment is the process of evaluating and cataloging threats, vulnerabilities, and weaknesses that exist in the network systems used by an organization. Once known, the process of implementing and maintaining a secure network through policies, standards, and guidelines can begin. But that is a topic for another day.

03 June 2015

Cyber Safety for Kids

The SANS Institute is a cooperative research and education organization that focuses on information and computer security. Every month they release an awareness newsletter for the common computer user called OUCH! I have chosen to share this one because the subject is cyber safety for kids.

This edition talks about the risks, educating kids, and contains resources to help parents. Every new device is connected to the Internet, the number of social media outlets is growing, and the number of apps and games that connect online is countless. It is important that we teach kids how to conduct themselves online and how to deal with inappropriate content.

I thought this was important enough to share. Here is a link to the newsletter:

OUCH! June 2015


01 June 2015

Basic Wireless Security


Since Wi-Fi transmits data over the air, it is much easier to intercept than data transmitted across a wire. Any mobile device can capture data sent across a wireless network. For instance, just look at the list of wireless networks that your phone can see right now. Your phone has the ability to read all of the data transmitted on those networks. It is also a good bet that some of that data is sensitive, such as banking or family photos. So with all of that data travelling through the air, how do we keep it private?

The best way of keeping your wireless data private is to use authentication and encryption. This is the process of encoding the data travelling through the air so that only authorized devices can access it. All modern wireless access points have the ability to use WPA2-AES to secure the network. This is the latest authentication and encryption protocol available for wireless networks and I highly recommend that it be used for home or small office networks. It requires a passphrase to be used in order to access the wireless network, so it is both secure and easy to remember. But like a password, you must choose something that is long and strong.

Now that we have encrypted the data and chose an authentication method that prevents unwanted people on our network, let's look at some other things that can help with security. One of these is called MAC Filtering. MAC stands for Media Access Control, and is the hardware address for the wireless card in your device. You can make a list of all the MAC address for all of your devices in the wireless access point and, in theory, this will keep all other devices from even communicating with your network. In reality, it requires a lot of management and anyone with a protocol analyzer can still determine what MAC addresses are on your network. It is then a very simple process to spoof, or fake, a MAC address and gain access to the wireless network. This is only security through obscurity and is not real security at all. So if you choose to use MAC Filtering remember that it is only one layer in your security strategy.

Remember all of the names that appeared on your phone at the beginning of this post when you searched for a  wireless network? It's that simple to find a wireless access point. If you are trying to secure your network and it is that easy to find it, should you even be broadcasting the fact that you have a wireless access point? Another layer of security that you can add is changing the SSID (name) of your access point, so that it is not the default or doesn't refer to your name or organization. An additional option is to disable the broadcasting all together. However, once again, if someone has a protocol analyzer they can see the SSID when someone connects. Most modern wireless devices are also able to detect "hidden" networks. So applying this process is, again, security through obscurity; but, it is one more layer that can be used with the techniques already mentioned.

Wireless networks have become very popular and standardized. They are easy and convenient to use, and we want to be sure that our data is protected. In order to do that use the latest authentication and encryption protocol, choose a strong passphrase, and change the SSID to something unique. With these basic techniques you are well on your way to keeping your data safe and secure.

12 May 2015

The Story of a Locked iPad


One of my clients recently had an employee pass away unexpectedly. This unfortunate experience led to many challenges for them. One of those challenges was a company-owned iPad that was locked. It was purchased as a trial to determine the best way mobile devices could be utilized by the company. It was then given to the employee with the understanding that they would use it on a daily basis to determine if iPad's would be useful for the rest of the staff.

Although it was owned by the company, the iPad was treated like a personal device. Other than purchase records the company had no information about the iPad available to them; including the passcode. The "owner" had set a Simple Passcode, but failed to let anyone in administration know what it was. Fortunately, another staff member was able to guess (!) the passcode and unlock the device. Having a passcode that simple will be a topic for another day.

The first I learned of this device was when a colleague and I were called in to assist with connecting it to the Apple TV the client had just recently purchased (which was news to me as well). I was able to install updates to the iPad, configure the WiFi settings properly, and connect it to the Apple TV. However, that's when we (the client and I) found out that the data they wished to present was in iCloud. And, of course, the Apple ID was under the recently deceased employee's personal email account.

One of the blessings of this whole experience is that the iPad was purchased with AppleCare+. I called Apple Support and began the process of resetting the password and security questions for the Apple ID. The client was able to provide all of the purchasing information (including credit card) and the support representative was able to send a verification code to the iPad. Once the code was verified an email was generated that was supposed to allow us to reset the password. The reset email is not delivered for 24 hours; so, we waited. When it arrived, it provided a link to a password-reset website. Unfortunately, when I attempted to reset the password, the website stated that it could not verify the link.

So began another call to Apple Support. After another lengthy discussion about our issue, I learned that the original representative was not supposed to have honored our request for a password reset; which may be why the link could not be verified. The case was escalated and I eventually spoke with a support manager. He was very helpful and we were able to work through the process. I was able to change the primary and recovery email addresses for the Apple ID so that it was associated with the client. And after another 24 hours I received a password reset email that provided a link that actually worked. Success!

The client did have to open an additional case with Apple Support in order to reset the security questions; but that process was very smooth. I would like to give a shout out to the Apple Support team for giving us all of the service and support that they did, and for following up several times just to be sure that all of the issues were resolved. Thank you.

There are several valuable lessons to be learned from this experience:
  • Communication is a two-way street. As a consultant who is not always present at a company I need to stay in contact with them on a regular basis and discuss current and future projects. But because I am not always on-site, the client should know that they need to keep me abreast of new developments in their technology plan. One of the challenges I have is helping my clients understand that anything that connects to the network needs to be brought to my attention.
  • It is vital that proper Documentation be completed. Since this is a company-owned device, they need to know all of the account and security information that accompanies it. There is a lot of data that needs to be recorded such as serial numbers, Operating System versions, apps purchased and installed, WiFi connections, data plans (if it has cellular capabilities), and much more.
  • In order to assist with all of the above, a Mobile Device Management solution is a must. As mobile devices are being brought into the business world, we need to balance securing company data with productivity. Ideally an MDM solution would allow for centralized management of applications, data flow, configuration profiles, and update settings. Granted we were only dealing with one device here, but obviously the company was planning to deploy more devices to staff members. 
  • Mobile devices are far more susceptible to damage than the traditional desktop computer. As such, I highly recommend purchasing a protection plan such as AppleCare. Most warranties last a short time and are very limited. Extended warranty plans; however, usually cover accidental damage and software support. I am very glad that company had the foresight to include this with the purchase of their iPad.

05 May 2015

Holistic Consulting

To paraphrase Miyamoto Musashi, "Rhythm is something that exists in everything, but the rhythm of computer networks in particular are difficult to master without practice."
Universities classify IT and MIS as sciences; but, the practice of network and system administration is certainly an art. There is planning, design, implementation, security, management, maintenance, and, of course, users . They all need to be balanced for the outcome to be successful. Once in place a network definitely has a heartbeat, a rhythm if you will. This living, breathing thing needs to be monitored and cared for; and to do that takes knowledge and practice.

I have been working with an outsource IT company for over 15 years. We service small businesses and non-profits that do not have (or cannot afford) an on-premise system administrator. That means we take care of their entire IT infrastructure; from the Internet to printing. Yes, I work with a team of people; but, each client has a lead consultant. I am the system administrator, network engineer, security architect, cable installer, and help desk technician for several companies all at the same time. In the performance of my duties I have found that I must be a Master of Many Things.

It is not an easy task to handle end-to-end management by a single person or entity. We liaison with the ISP, manage edge security, design/plan/implement upgrades and changes, deploy servers/clients/mobile devices, and perform help desk duties for users. Backups need to be monitored and tested, email needs to be filtered and archived, user accounts and access are always changing.

In order to be successful one needs to have a wide array of skills; there are no specialists in holistic consulting. The consultant needs to know how to accomplish a lot of different tasks, and requires hands-on experience. Nothing replaces real world exposure to the trials and tribulations of a production network. That said, there are a number of basic techniques that need to be mastered:
  • Organization: Staying organized is a necessity. Maintaining to-do lists and calendars go a long way to ensure client follow-through. Dropped requests and missed appointments are very frustrating to clients. A consultant needs to develop a reputation for excellent response.
  • Time Management: This is extremely difficult because our jobs are interrupt-driven. We respond to people's requests. Remember that the clients do not see our hard work; they only see what we have accomplished. Successful consultants focus on results achieved not on effort expended.
  • Communication: Issues with communication are usually at the heart of all problems. Learning how to communicate is crucial to being a successful consultant. Not only is it necessary to be able to communicate technical issues, but also be able to translate that to non-technical people. 
  • Constant Professional Development: It is absolutely necessary to receive the training required to improve and maintain your skills. The computer world is changing all the time and it is difficult to keep up with those changes. Some of the ways to keep current are reading, workshops, and organizations. Read books, trade journals, blogs, and magazines. Workshops and seminars tend to focus on a particular technology or skill; while conferences provide an opportunity to consider the big picture. Finally, membership in an IT association allows us to volunteer in the community, write articles for newsletters, and speak at meetings which can go a long way toward developing our reputation and careers.
Overall it is a very rewarding experience. Happiness means different things to different people, but for me it is looking forward to work each day and having a good relationship with clients and coworkers. It's feeling like I am sufficiently in control of my work life and have a good social and family life. At the end of the day I feel like I have accomplished something and derive a lot of satisfaction from my job.