IT Support Blog for Small Business Owners

David S. Mulvey

Recent Posts

Think like a Hacker: How would you break into your company’s IT?

Posted by David S. Mulvey on Fri, Dec 30, 2016

Do You Have Weak Domain Passwords?

A company’s own users are usually the most vulnerable point of attack; and unfortunately, the most common point of entPassword-Hacking.jpgry for a hacker. Weak domain user passwords can easily be guessed and discovered. But you can avoid this with strict user authentication standards. Businesses have to teach their employees about proper password best practices. For instance, secure passwords should be at least 8 digits long, include a capital letter and a number and a symbol. You should also require that user passwords are updated every 90 days.  By implementing these two simple practices you can make a hacker’s job almost impossible to break your domain passwords and gain access to your network.

Local Administrator Password Attacks

Once a hacker has access to your administrative passwords, they essentially have control over your whole network. Local IT administrators can become lax in their password security, especially if they work in a small office that has not had a recent cyber security scare. All non-IT employees in a company should not have administrator access rights. Only provide domain administrator rights or the keys to the kingdom to a manager and your IT employee or IT service provider. By securing most of your employee’s access rights you really increase your chances of not being hacked.

Written Passwords Are Easy Prey for a Hacker

Passwords that have been written down are always considered to be a risk factor. Who has access to your office and can copy down all of your written passwords? Your night time cleaning company, a plumber, a visiting client or vendor? It’s extremely important to let your employees know that it is a company security policy to not write down any user ID’s or passwords.  Discuss your policy with everyone, insure that writing down passwords is akin to giving your company checking account out to non-employees.

Insufficient Password Segmentation

Another issue that often arises within smaller businesses is that a single password may create a domino effect, giving a hacker access to your entire network. With insufficient network segmentation, a hacker only need to be able to hack a single password, and with that single password, gain access to every server, every application and all of your company data. Implementing password segmentation, a hacker will only be able to access a very limited amount of data, designed for a single user. You can also ask your IT department or IT service provider to isolate critical databases from other servers on your network. Using physical isolation is just as effective as using limited password segmentation.

You can see here, that by implementing some passwords best practices, which are not that difficult to add, you can drastically improve your chances of not being hacked. Dont ignore recent cyber security attacks!  Remember to think like a hacker, and secure the easy stuff before you work on the harder and more expensive stuff. Chances are, by taking a few simple actions you can make a hacker move on to an easier target to attack.

Security Management

Topics: IT security, IT Cyber Security Issues, IT Password Security, Hacker

How to Make the Microsoft Windows Server 2003 End-of-Support Easy.

Posted by David S. Mulvey on Tue, Jan 13, 2015


Windows Server 2003 EOSMicrosoft has announced the official end of extended support for Windows Server 2003.  Microsoft believes there are over nine million instances of Windows Server 2003 in production today in North America!  The deadline for End-Of-Support (EOS) is July 14, 2015 and I suspect Microsoft will not move that date because they didn’t extend the Microsoft XP EOS date.  Essentially on July 14, 2015 Microsoft will stop patching the Windows Server 2003 operating system and they will no longer issue security updates. What should an IT Manager do? Hackers all over the world will be focusing on attacking an unprotected operating system. Needless to say, IT managers must get all of your Windows Server 2003 instances discovered, documented and migrated.

In addition to upgrading the server operating system, many companies also have their Windows Domain running under Windows Server 2003, so a Domain migration is thrown into the mix.  Plus many companies have taken the plunge into Virtualization and are using Hyper V or VMware with Server 2003.  So many older Windows Server 2003 instances need to be upgraded and virtualized.  Almost everyone is migrating to the current Server Operating System Windows Server 2012 R2.  So what’s the best way to go about assessing your IT server environment?

Microsoft to the rescue: Microsoft has written a free downloadable piece of code to assist an IT manager with all aspects of a Windows Server 2003 migration.  The Microsoft assessment tool is called the Microsoft Assessment and Planning Toolkit or (MAP). You can download a free MAP COPY HERE. The MAP toolkit makes it easy to assess your IT infrastructure in order to migrate away from Windows Server 2003.  You will receive an inventory of hardware, software and a migration plan.

The Microsoft Assessment and Planning Toolkit is an agentless, automated, multi-product planning and assessment tool for server migrations.  MAP provides detailed readiness assessment reports and executive proposals with extensive hardware and software information, and actionable recommendations to help in the IT infrastructure planning process. MAP also provides server utilization data for Hyper-V server virtualization planning identifying server placements, and performing virtualization candidate assessments.

If you subscribe to Microsoft TechNet (and you should be) you can also find great MAP RESOURCES HERE.  Microsoft has documented a 4-step migration process:

  1. Discover: The first step is to discover and catalog all of the software and workloads running on Windows Server 2003/R2. There are several self-service tools that can help with this process, such as the Microsoft Assessment and Planning (MAP)
  2. Assess: Once you have a catalog, you will need to assess what’s in it. This means categorizing and analyzing your cataloged applications and workloads based on type, criticality, complexity, and risk.
  3. Target: Choose a migration destination for each application and workload. Available options include Windows Server 2012 R2, Windows Azure, Cloud OS Network, and Office 365.
  4. Migrate: Choosing the right migration plan may require some additional analysis and assistance. Several vendors offer do-it-yourself tools to assist in the decision-making process and in the migration itself, including Cisco and Dell.

Microsoft Windows Server 2003 has been an extremely stable and reliable server operating system; ANP has been using the product for over ten years. Its always sad to say good bye to a great friend, but I can share, that if you haven’t worked with the new Windows Server 2012 R2, you will be amazed with some of the slick new features!

Feel free to download and play around with the new Microsoft MAP toolkit.  If you are too busy and would like the help of an expert, ANP is offering a free Windows Server 2003 Survival Assessment.  Please CHECK HERE TO REGISTER

Windows Server 2003 Survival Assessment

Topics: Windows Server 2003, Windows Server 2003 End Of Life, Windows Server 2003 End Of Support, Windows Server 2003 EOS, ANP Survival Assessment kit

What Your Employees Are Doing Online? You need Content Filtering!

Posted by David S. Mulvey on Wed, Nov 12, 2014

Content FilteringDo you ever wonder what your employees are doing on the Internet at your office?  If you really haven’t thought about it, you should be, you are at risk! I will be talking about recreational use of your business Internet connection, what I mean by that is any type of network traffic that is not directly related to your business activities.  Have you ever found yourself walking around the office and you notice that an employee quickly erases their browser as you walk by?  Unfortunately today’s employees are inundating company LAN’s with their recreational Internet traffic, of which some types can grind your network to a crawl. 

Streaming media like YouTube, Pandora Radio, FTP sites, and WeatherBug are all peer-to-peer (P2P) applications that stream data packets over the Internet to your employees PC, not to mention the conventional Internet sites like, Facebook, LinkedIn and Twitter.  Approximately 40% of Inbound Internet traffic is recreational and P2P.  Beyond the cost of lower productivity by employees not performing their work, recreational Internet applications drive enormous volumes of data traffic over organizations' Internet links.  And this high volume of data traffic increases Internet and LAN operating costs by forcing organizations to upgrade their Internet bandwidth and invest in high capacity LAN switches.  Recreational Internet traffic also increases congestion and competes with business-critical applications for available Internet and LAN bandwidth, creating delays, frustration and lost productivity when employees need to access their key applications on the LAN.

Perhaps your LAN, already strained to the limit supporting your business-critical web-based applications, is increasingly vulnerable to the adverse effects of recreational Internet traffic.  A single bandwidth-hogging employee illegally downloading a movie using a P2P application like Bit-Torrent may result in the entire company workforce suffering from slow access to their business applications.  Recreational traffic is not merely an IT issue. When we talk about application performance, we're really talking about employee efficiency and overall business performance.

Aside from application performance and cost issues, organizations may also face moral and legal imperatives to control recreational Internet traffic due its questionable content.  Here at ANP we have an Internet Usage Policy which defines how an employee may use the company’s Internet connection. It is part of the employee’s employment agreement.  You want an agreement in place so that should an employee do something illegal or another employee is offended by his colleague’s behavior on the Internet you have some legal ground to stand on.  The company LAN is an important asset that should not be used for delivering illegal or inappropriate content such as pornography or content that violates copyright laws.

An effective strategy to automatically control how employees can use your Internet connection is to deploy “Content Filtering.” Deploying Content Filtering is easy and fairly inexpensive.  If you believe you are losing employee productivity to recreational Internet usage deploying Content Filtering will pay for itself in less than a week.  There are two types of Content Filters: standalone appliances which only perform Content Filtering, and most Firewalls also have a less sophisticated form of Content Filtering.  Lets take a look at both approaches: A dedicated Content Filter will be installed in between your Firewall and your LAN. The appliance will essentially look at every Internet outgoing packet and evaluate if it’s allowed to pass onto the Internet or should be stopped or filtered.  The Content Filter will also log all usage by each employee so you can begin to profile what your employees are doing with the Internet connection and who is taking advantage or doing things that you or your employees would be offended with.  I often find that once a Content Filter is deployed and its been announced that each employee’s Internet usage is being monitored, employees will self-modify their recreational Internet behavior. Employers may see fit to open up the Internet connection at lunchtime and allow their employees to use Facebook, and LinkedIn during their lunch break.

More expensive Content Filters also come with a monthly subscription fee, which pays for a monthly update to the Content Filters threat list of bad Internet sites. This is the most comprehensive way to stop porn, sports, and bit torrent sites because as they appear on the Internet and the sites are catalogued, the new sites are sent to your Content Filter. Less expensive Content Filters, which do not offer a monthly subscription service, can still be effective at blocking porn, sports and social sites, although they do it in a different fashion.  The less expensive filter will scan for the words that you have determined to be recreational usage; for example, if you wanted to filter out “sports” usage words like football, NFL, NCAA, and baseball would the types of words that you could program your Content Filter, effectively stopping most sports sites from passing through the filter. 

No matter which Content Filtering approach you take, active updates or static word scanning, your HR department will get a snapshot of each employees Internet usage both approved and filtered.  You can also program a Content Filter to not monitor the usage of select employees and managers.  As our society becomes more litigious, and as business owners we are responsible for delivering a safe and non-offensive workplace to our employees, Content Filtering can help an owner demonstrate they were diligent in trying to secure the workplace.  A Content Filter can also help a business owner insure that work is really getting done on the LAN and that employee productivity remains as high as possible. A Content Filter is a great business tool to invest in!

Get Started Right Now: ANP can sit down and discuss your content filtering goals.  We can also perform a quick free assessment and take a look at what your employees are doing on the company Internet connection.  Please let me know if you have questions.

Request A Free Network Assessment

 

 

 

 

 

 

Topics: Content Filter, Internet Content Filtering, Internet security policy

Time for a Wireless LAN Assessment? Do you have Ghosts & Goblins?

Posted by David S. Mulvey on Thu, Oct 30, 2014

October in Philadelphia is extraordinary; between the crisp dry days, vibrant fall colors, and eerie decorations covering houses with orange spooky carved pumpkins all over town, it's easy to get caught up in the Halloween spirit.

So, as I wondered what to say in my blog this week, I couldn't help but see monsters, goblins and ghosts everywhere! There are monsters quietly hiding inside every company; foul creatures in our very private wireless LAN’s. Ghouls so deadly, so insidious, they can attack your company data and steal it or corrupt it without your knowledge or consent! These demons, if you continue to let them run wild long enough, can destroy your IT systems and possibly your company. So in this ghostly Halloween time of year let’s focus in on an unseen and relatively misunderstood component of your IT infrastructure, your WiFi wireless LAN.

What better way to focus in on your WiFi wireless LAN than through shining a bright light on it through a Wireless Assessment. A thorough audit of the WiFi 802.11 infrastructure equipment and an analysis of coverage and interference present within your office or campus. The Wireless LAN Assessment includes discovery of your access points, the access points near your office and detection of signal bleed outside the facility. A complete audit includes a wireless assessment checklist that will review all of the wireless infrastructure diagrams and wireless connection policies, security protocols that would be enforced, how many users are allowed to be associated with a specific access point and penetration testing to attempt unauthorized access to the wireless network. A Wireless Assessment will also analyze interference sources, including common problems like microwave machines, blue-tooth accessories such as wireless keyboards, wireless headsets and wireless pointing devices.

The assessment can be focused on a WiFi environment that is already in service or the wireless audit can be performed in a new WiFi environment where the client is looking for a wireless site survey, coverage recommendations and a final design of how many access points would be required and where they should be located. In the case where you are designing a new wireless environment, the assessment report would be written as a Bill-of-Materials and a technical description of the future security protocols and user density so that the WiFi network could be put out to bid to various WiFi manufacturers.

Why do you need a Wireless Assessment?

WiFi networks are becoming pervasive; in fact, many companies have deployed a WiFi network with little to no regard for securing their company LAN through the WiFi network. Many companies have such poor performing WiFi networks that employees take it upon themselves to go and buy $100 access points and bring them to work and hook their rogue access point up to your company LAN, without permission and without any security protocols enabled! The scary end result is that your company data is then available for any WiFi hacker to connect to the rogue access point and then get unfettered access to everything on your company LAN. So a Wireless Assessment can first and foremost, ferret out any rogue devices and then document the WiFi coverage and WiFi security posture of the wireless LAN.

Another motivating reason to perform a Wireless Assessment is because of the popularity of smart cell phones that have WiFi capabilities. Your employees have likely added your WiFi network access onto their phone without your approval or knowledge. The result is that your employees smart phones have uncontrolled and unsupervised access to your company LAN. The Assessment can document who is using your WiFi network and can provide some insight to what risks might be occurring at this moment.

Does Your Company have a WiFi Access Policy?

Your written IT security policies will define your organization's information security goals. At ANP we include a written security policy in every employee's employment agreement. In a changing IT environment, where new devices can gain access to your company LAN that are not controlled or owned by your company, businesses have rapidly changing information security needs. It's incumbent upon management to keep up with modern threats of WiFi information security and consider establishing a written WiFi policy as a guideline; regular policy review with WiFi experts will allow you to keep ahead of changes in the information landscape and address areas of concern before they become significant problems or worse yet you become a casualty of a WiFi data breach.

Wireless Infrastructure Threats:

The growing demand for wireless access has forced WiFi vendors to make an access point easy to setup. It is common for a wireless network to be added to existing infrastructure by following a setup wizard without much thought. This may be fine for a home network, but businesses have more at risk and need to ensure a secure and consistent implementation. One of the most common issues for wireless implementations are using weak encryption protocols like WEP or using weak Pre-Shared Keys for WPA2. As I mentioned earlier another common concern is someone installing an access point or wireless router on the network without company approval. This could be a misguided employee or an intentional malicious act. A third common issue is the improper configuration or no network access policy; for example a Guest wireless network that unintentionally allows access to internal LAN resources. You wouldn’t hang a live LAN cable out of your window, so make sure your wireless network is securely locked-up.

Wireless Site Survey Expertise:

The saying goes “you can judge a tradesmen by his tools,” goes a long way with WiFi consultants. The wireless assessment methodology that your IT Service Provider uses will tell you a lot about their expertise. Ask if your IT consultant has a Spectrum Analyzer that can detect out-of-band and in-band WiFi interference. An interference report is the most common problem with poorly performing WiFi infrastructure networks.

wireless spectrum interference 

Insure that the consultant has a test set that uses your office floor plan.  The consultant will load your floor plan in his test set and literally walk through your hallways, conference rooms and break rooms, he will also walk the outside of your building.  The technician should also have an access point and multiple WiFi antennas and a tripod to hang-up and access point to simulate WiFi coverage in your office using various antennas to manipulate the signal coverage.  The IT consultant should be able to produce WiFi reports that clearly documents the WiFi coverage of every access point in your office, look for a drawing that looks like this:

wifi coverage map resized 600

You are also going to need a list of detected access points, their security protocols and SSID names. The inventory report should look like something like this:

wifi inventory list resized 600

ANP’s TCP-IP security engineering team maintains a deep technical knowledge base of modern security threats. A Wireless LAN Assessment is more than wandering around with laptop looking for rogue access points or making sure your WiFi security keys are strong. The ANP engineering team understands wireless technology and can provide a comprehensive wireless audit by reviewing your security policies, your coverage densities, and then implement a complete wireless network not just some helter-skelter access points.

Would you like to learn more? Follow this link to our WiFi Assessment page to discuss your needs. During this Halloween holiday let’s give the boot to the Ghouls, Ghosts and Goblins; and kick them out of your Wireless LAN!

 

Request A Free Network Assessment

Topics: wireless audit, wireless site survey, wireless LAN assessment

6 Things The IT Support Tech Does that the Boss Needs to Know About!

Posted by David S. Mulvey on Thu, Oct 23, 2014

Your IT Employee QuitsWith Halloween around the corner the following seems like an appropriate question to ask a small business owner: Here's a scary question most businesses don't think about: what would happen if your IT support guy suddenly quits? Most business owners think it would only be a temporary inconvenience when, in fact, the opposite is usually the case. I get more concerned business owner phones calls once their IT guy leaves than any other motivating reason. Want to know how much you are at risk? Ask yourself the following 6 frightening IT questions:

  1. Do you have written network documentation about your computer network? What software licenses do you own, where are the software license keys stored? What are the critical administrator passwords to your systems and devices and who knows them? How is your computer network structured?  Is there a current drawing? What hardware do you own and when do your equipment warranties expire? Are there cloud vendors for email, online data backup storage, hosted line of business applications, etc. that you don't currently have, who has access? Who is listed as the technical contact for your company domain name? You should NEVER allow a single IT person or IT company hold this information under their full control over you and your company. If they suddenly left for any reason, this could lead to huge negative consequences for your company.
  2. Do you know where your backup files are stored and if they are being stored properly? If you are like most business owners, you're too busy dealing with the "crisis of the day" to think about system backups and probably leave tasks to your IT support expert. If your database gets fried and your tech is nowhere to be found, you might be in a lot of trouble. If there was a data disaster do you know how long it would take to restore your key company applications? Are your employees trained to continue to work without access to the core company applications?
  3. Do you have a written plan for restoring your network fast in the case of a disaster? If you don't have a fully tested disaster recovery plan for your office, you could be at serious risk without knowing it until something happens. You should have a written game plan to account for a power failure, a water leak and flood, and a fire? Creating a business continuity plan can save you in the time of crisis.
  4. Do you know where all of your software is stored? Bad things can and do happen to computers and servers, and the situation can be made worse if you are not prepared. Taking a minute to organize and store your software in a secure place can save you a considerable chunk of money in the event that you need to restore a program on your systems. If you don't have access to the software or don't know where it is located, you might be forced to buy the software again. You should download your important software and burn it onto DVD disks so you don’t even need the Internet to get an application back up and running.
  5. Do you know what routine maintenance is being done on your network? I know that the very idea of learning about and keeping track of all the servers, workstations, and peripherals on your network is about as welcome as a black cat crossing your path, but it is important information to maintain. If your in-house IT expert leaves, who will take over? What are the daily, weekly and monthly processes they are performing on the IT infrastructure? This work should be documented by your IT employee through writing an “IT run book”, then reviewed and discussed with you or their manager.
  6. Do you know how to protect yourself from an ugly security breach if your in-house computer expert leaves? What happens if your company’s in-house IT expert splits with no warning and has access to your company's network? As soon as humanly possible, you should disable his or her access, including remote access to your network and all cloud based application. Do you know how to do this or does someone else in your company know how to disable their VPN access and remove their Active Directory credentials?

So how did you do? If you answered "No," to even one of these questions, you need to get help now before it's too late. During this month I will help you go from answering “No,” to getting a “Yes,” for every question. I will teach you how to do any of these items for free! ANP is offering a free IT Network Assessment this month to companies with greater than 30 PCs. Follow this link and register for your free IT Network Assessment. Please don't let your IT employees' two week notice scare you to death!

Topics: IT Assessment, IT Support employee gives notice, IT support tech quits

What's the Value of an IT Network Assessment?

Posted by David S. Mulvey on Fri, Oct 17, 2014

For a small business owner or IT manager an IT Network Assessment gives you a clear picture of your network infrastructure and the security posture of how the IT environment is set up and being maintained.  If your company is considering expanding your network, an IT Network Assessment is a great means to taking inventory and establishing a baseline of current performance levels.  An IT Network Assessment will identify equipment that is poorly performing or near its End-of-Life and will also reveal the skill level of the IT staff that is configuring and maintaining the IT environment. 

An IT system isn’t just technology for technology’s sake.  Technology should help meet specific business goals and provide value.  An IT Assessment can make sure that the technology is meeting these goals, or provide a blueprint for improving the technology and a specific and measurable template for achieving business objectives.  It can also ensure that IT technology and security is in compliance with government guidelines and best practices.

IT Network Assessment Report

Any business in today’s environment is running on a network of connected computers, servers, printers, and other hardware.  The network is the backbone of the entire company and can become a major bottleneck in business applications.  An IT Network Assessment will provide a network performance review and make recommendations based on traffic, errors, packet loss, and conflicts that can bring a business network to a halt.  Investing in new Servers and PCs is a waste of money if it is attached to a sub-optimal network.

There are any number of reasons that would motivate a business Owner to perform an IT Network Assessment. For example, if an IT employee recently gave his notice, it would be a good idea to have an independent third party assess the IT infrastructure and provide an unbiased report of how the employee is leaving the IT environment; are there any open issues that need to be addressed?  Another common motivator is that the business owner feels the business has outgrown the capabilities of the current IT Service Provider.  No matter what the motivation is; having an IT Network Assessment preformed can help you establish the current health of your IT environment and you receive the added bonus of evaluating the professional service and engineering work of the assessing IT Service Provider.  

Here is a great IT Network Assessment Checklist. A typical IT Network Assessment consists of 5 key evaluation areas:

  1. Server & Desktop Infrastructure: Document the hardware and software on each device, is there missing software license keys or worse yet are duplicate software keys in use?  Is any of the equipment out of warranty or End-of-Life support?
  2. Operating Systems & Active Directory Configuration: An inventory of Operating Systems and an evaluation of how the O/S is set up.  Is Active Directory in place, and is it correctly deployed?
  3. Patching & Anti-Virus/Malware Status: Are the Servers and PCs properly and timely patched? Is there a common Anti-Virus in place?  Is it updating, scanning and quarantining as expected?
  4. Data Backups & Business Continuity: Are your backups running? Can you restore a file, application or server quickly? Do you test your backups to insure they are viable?
  5. LAN/WAN Performance &Security: Are your WAN routers, LAN switches, and your Firewall all manufacturers supported, flashed to recent software levels, and configured to insure good performance and high security?

Let me share with ANP’s IT Network Assessment Process so you gain a sense of what to expect:

  1. ANP will send out on site our account manager to sit down with the Owner or manager in front of their PC.
  2. Our account manager starts a WebEx conference call between the business PC and ANP’s IT Network Assessment engineer.
  3. Once a WebEx session is in place, the ANP engineer will take charge of the business PC and drive through the assessment topics with the business owner watching over our engineer’s shoulder.

A few things are accomplished by taking this approach:

  • The Owner types in all of the passwords into his own PC; ANP never asks for and never sees the business password which insures the business data remains secure.
  • The Owner can actually watch and learn as the engineer evaluates everything in the assessment checklist.  They can see all of the issues with their own eyes.
  • The Owner has an opportunity to gage the technical prowess of the engineer performing the assessment.
  • Once all of the items are assessed, the WebEx session is shut down.  The technical data is collected and the information is reviewed for trends, problems and issues that are negatively affecting your network performance and security posture.  ANP begins the process of writing up our findings to review with the business owner.

Written IT Network Assessment Recommendations

Perhaps the most important deliverable in an IT Network Assessment is the Statement-of-Findings and the Recommended Remediation.  The assessment data is reviewed and compared with best practices, business requirements and common design requirements.  The results from the assessment are then utilized to develop specific recommendations that focus on design, equipment configuration, and security improvements.  ANP will write a Statement-of-Findings and provide you with some specific prioritized recommendations to remediate for the most significant issues. 

Typical assessment issues that are found are software that is out of license compliance or copied illegally which can cause huge fines and penalties to your business.  An IT Network Assessment will evaluate the existing software for compliance and create an audit process for future software.  A software audit now as part of an IT Network Assessment is much more cost effective than an audit later by a software company.

Security of your company data is a top priority.  Proper security measures not only protect the data from outside hackers and disgruntled employees, but the ability to demonstrate good security is essential for new sales and customer retention.  An IT Network Assessment will evaluate and make recommendations to close holes in security and help create a bulletproof computing environment for critical data.

Another typical result of the IT Network Assessment is that your backups are broken or not running at all.  ANP often determines that the wrong data is being backed up, or backup failures are going undetected and therefore not corrected.   Unfortunately most often the backups are not being tested at all and so you really don’t know if the backup copy is viable and can actually restore data when called upon to do so.

Start Today Idea: Once a quarter ANP offers a free IT Network Assessment to the first 5 companies that sign up.  ANP only requests that the company signing up has at least 30 PCs.  If you feel an IT Network Assessment might help you follow this link to see if we are offering a free assessment this quarter.   

 

Request A Free Network Assessment

Topics: IT Assessment, network assessment, IT Network Assessment, IT Network Assessment Checklist, IT Network Assessment Questions

ShellShock Assessment Scan: Assess your Unix & Linux Servers Now

Posted by David S. Mulvey on Wed, Oct 08, 2014

ShellShock Bash BugJust after we have worked our way through the Heartbleed vulnerability a new software vulnerability has been found that might affect any versions of the Linux and Unix operating systems, in addition to Apple Mac OS X within your business.  The vulnerability is referred to as the “Bash Bug” or “ShellShock,” which might allow a remote attacker to gain control over a targeted Unix/Linux computer.

The vulnerability affects a software language called Bash, which is the common part of the Unix Operating System shell that appears in almost all versions of Linux and Unix. Bash is a command shell interpreter, or in other words, it allows the user to type text based commands into a window, and then Unix will run the command.

Bash can also be used to run commands passed to it through another application and it is this Application-to-Bash feature that the vulnerability affects. Environmental values can be sent to Bash using this Application-to-Bash feature. The problem here is that setting environmental values on servers is a powerful way for an attacker to deploy malicious code into the target Unix server and essentially remotely take over and hijack the server.

The governments NIHT regards this vulnerability as critical, since Bash is widely deployed in Linux and Unix operating systems running on Internet-connected servers, such as Apache Web servers. With a successful Bash exploitation, the Attacker can enable remote code execution. This could not only allow an attacker to steal data from the compromised Unix server, but enable the attacker to gain control over the server and potentially provide the hacker with an infected server to launch attacks onto the devices sharing the same LAN as the infected Unix Server.

Has it been exploited yet?

There are limited reports of the vulnerability being used by attackers in the wild. The consequences of an attacker successfully exploiting this vulnerability on a Web server are serious in nature. Once inside the victim’s firewall, the attackers could then compromise and infect other computers on the network.

Computers running Mac OS X are also potentially vulnerable until you deploy Apple's patch for the vulnerability. Again, attackers would need to find a way to pass environmental commands to Bash on the targeted Mac. The most likely avenue of attack against OS X would probably be through the Secure Shell (SSH), a secure communications protocol.  The Internet of Things (IoT) and embedded devices such as routers may be vulnerable if they’re running Bash.

How would this bug affect your business?

Most IT departments are unlikely to see any immediate impact relating to this bug.  This stems from the fact that an overwhelming majority of these impacted servers are not connected to the Internet.  In order for an attacker to exploit this bug, they would have to have external access to these affected systems, either through SSH, web or publicly-accessible service endpoints. 

What is ANP doing about this?

At ANP we have ensured that our internal infrastructure (much like many of our customers) is not exposed in such a way that would cause concern.  We are continuing to monitor our vendors’ updates & patch releases, and as we receive and digest this information, we will (as necessary) work to address these individual impacted systems with our customers individually.

Bottom Line

Any Linux/UNIX-based device that publishes Internet-facing web pages and/or services may be vulnerable to the ShellShock bug.  This assumes that these websites and/or services are calling direct system functions through commands issued on the web site Application (widely considered to be a no-no from a security perspective) -or- are vulnerable to a remote command execution vulnerability. 

Therefore, a successful ShellShock exploitation of this bug requires three things:

  1. A Linux/UNIX-based device that…
  2. Must be Internet-accessible via public-facing website
  3. And the Unix server will execute remote commands

Here is a breakdown of popular IT manufacturers:

Apple Products

Apple has released a security advisory, for OSX so apply their patch through their standard update process.  ANP believes that implementing the OSX patch is the best approach to lower your potential exposure to attack.

Cisco Products 

Cisco has released a security advisory that details the impacted products.  ANP is continuing to monitor this security advisory as Cisco continues testing & validating fixes for each impacted item.  You can expect updates from ANP as we identify impacted products and customers.  As is the case above with Apple products, unless your device is publishing web pages or services to the Internet (i.e. is publicly-accessible), the risk factor of an Attack is limited.   These devices will however, show up on a security audit if the audit scans the internal network and (as such) should be patched prior to the audit.

Unix/Linux Servers

All of ANP’s Linux/Unix servers have been patched to protect against this bug.  If you have an internal Web Development team that manages your own company-owned Linux/Unix servers, we would highly recommend following your Operating Systems vendors advice on patching. 

Free ShellShock Assessment from ANP

ANP would be happy to perform a free ShellShock assessment scan of your IT environment to look for the ShellShock vulnerability in your Unix/Linux servers and IT equipment.  We will look at your IT systems and let you know if you have anything at risk. Call our office and ask for the free ShellShock assessment at (800) 572-3282. Or click on the Free Assessment button below.

 

Request A Free Network Assessment

Topics: ShellShock Vulnerability, Bash Bug, ShellShock Assessment Scan

When Data Disaster Strikes will Your Company Data Backup be Ready?

Posted by David S. Mulvey on Thu, Sep 18, 2014

data problems resized 600Most IT experts will agree that in order for a business to survive a data disaster, they need some sort of data backup plan or business continuity plan in place. Regardless of the type of plan, or systems integrated, all of your IT systems need to have at least one backup copy. In the last blog, we took a look at the first four tips to help improve your data backups, let’s continue in this part 2 blog with the final four tips.

5. Automate your backups

It can be challenging to remember to back up your data files by memory, especially if your business can become hectic at times. Therefore, you should look into an automated data backup solution. At the very least, you should set a schedule as to when the data backups are conducted and set-up what is backed up. While this is not complete data backup automation, a schedule will insure the copy is created even if you or your IT personnel become busy and forget to make a backup copy.

If you are using data backup solutions like a Cloud Service Provider or NAS (Network Attached Storage) within your office, you can usually automate the process by selecting which files and folders to back up and schedule when they are backed up. The software that powers these solutions will then do this automatically and will often send an email out after the job is run notifying you if it was successful or not. There have been cases where employees have become frustrated by an unsuccessful backup process and simply turned the backup job off. The business owner, thinking their data was being backed up would be in for a bit of a shock when systems crashed. Automation also insures that your backups begin to have reliability and a higher likelihood of a successful restoration if needed.

6. Back up your backups

Copies of your backups are just as important as actually backing up your data. You should keep a second copy of your data backup image just in case something happens to your original backup. While this doesn't have to be carried out as often as the 'regular scheduled' backup, this should be done on a scheduled basis. In order to really ensure backup redundancy we recommend that if your main backup is kept on-site, then the secondary backup should be on another storage medium that is kept off-site. Here at ANP we make backup copies every 30 minutes to an on-location NAS and then copy all the data that changes each night up to our Cloud storage located in Toronto. This gives ANP many backup copies of the data dispersed across different media, and located at different locations.

7. Don't forget data stored on non-physical drives

What I am referring to here is the data stored on different Cloud services for example: your outsourced email, Drop Box files, and non-physical locations. This is especially true if you say have you own servers. It's highly likely that there is company data scattered around on these Cloud services as well, and should they go down and you haven't kept a backup, you may lose important company information.

Essentially, think about critical data that is used in the company, but isn't physically kept on computers. It may feel like this is going a step too far with backups, especially for businesses who use email services like Office 365 or Gmail, however, while the chances of these systems going down are incredibly rare, it could still happen. Therefore, you should conduct a monthly to bi-yearly backup image of the mail boxes just to ensure that Cloud based data is backed up should something happen.

8. Test the viability of your backups

Finally, it is beneficial to actually test your backups from time-to-time to ensure that they are not only working but the data is actually recoverable. If you are getting messages that your automated backups are running successfully, and as a result, you never test them. It would be awful to find out when you actually need to do a restoral, that although the backups were running perfectly, not all of the data that was needed was ever backed-up.

If you do a trial run on recovering your data, you can get a good idea of how long it will take to retrieve this information when you actually need to recover it and you will also confirm that you are backing up everything you need to have a successful restoration. Also, testing is a good way to discover any personnel problems, such as if someone has disabled backups, or someone doesn’t know how to get a successful restoral. This will ensure that your data is there when you need it, and you have trained people ready to recover it.

This completes our two part blog on small business data backups. I hope this was interesting and valuable to you. Want to learn more about small business data backups, disaster recovery plans, and disaster recovery services? Sign up for our Free IT Webinar this month HERE. Not ready to meet yet? You can download a great free white paper about disaster recovery planning HERE.

Topics: backup plan, Data backup, Data Recovery, business continuity plan, data backups, backup solutions

When Data Disaster Strikes, will Your Company Data Backup be Ready?

Posted by David S. Mulvey on Mon, Sep 15, 2014

data disaster resized 600While there are many different and important tasks a business needs to do, one of the most important is to back up your company data. Your data is important often impossible to recreate.  I promise you the day will come (if it hasn’t yet) where you will have catastrophic loss of data. Most business owners realize this and do back up their data, but it can be a challenge to an owner on how to setup and operate a really reliable and low cost data backup plan.  In order to help, I have come up with eight data backup tips, four of which we will review in this blog.

1. Pick the data backup solution that works best for your business

When it comes to backing up the data on your company's PCs and Servers, most small businesses will choose from these 5 options.  In my last blog I discussed how a company could possibly lose (even though they are backing up) and also how much time a company could possibly wait to recover their data while running on manually systems.  The choices below really affect how much data is potentially lost and how long it takes to recover. Let’s look at the choices ranked from least expensive to likely the most expensive:

  • Internal hard drives on A PC or a Server - You can either use another hard drive installed in your computer or partition an existing hard drive so that it functions as a separate drive on which you back your data up. This is a quick option, however should your computer or the hard drive fail - two of the most common computer failures - then you will lose this data.
  • External portable hard drives - These drives are essentially separate hard drives that you connect to your computer via a USB or other connection. Many of these drives allow for one touch backup and can be configured to back up data at certain times. While these can be useful, especially if you want to keep data backups easily accessible, they are prone to the same potential failure as internal drives.
  • Removable drives or media - For example, USB flash drives, DVDs, etc. These are great for backing up work you are doing at the moment or for transferring small files from one machine to another. These options are limited by smaller storage sizes however, so backing up even one computer will likely require multiple disks or drives.
  • Cloud-based backup - This is the act of backing up your files to a backup provider over the Internet. Your files are stored off-site and can be restored as long as you have an Internet connection. For many businesses, this has become the main form of backup employed, largely due to cost and convenience - files can be backed up in the background. The biggest downside of this backup option however is that you do need an Internet connection for it to work and you will see more bandwidth being used, which could result in slower overall Internet speeds when files are being backed up.
  • NAS - Network Attached Storage, is a physical device that has slots for multiple hard drives. You connect this to your network and the storage space on the hard drives is pooled together and delivered to users. This solution is like a mix of cloud-based and external backup, only the device is usually in your office. While it is a good backup solution, it can get expensive, especially if you have a large number of PCs and Servers to back up.

ANP uses a combination of NAS and Cloud based backup; the reason why we choose this solution is twofold. One, by using a NAS in our office we can essentially snap shot our data backups in a real-time mode (so we will never lose any data between a failure and the last backup.)  The last successful backup before a failure typically would be seconds before the outage. This allows ANP to recover all of our data AND because the NAS is on our LAN we can restore applications very quickly (measured in minutes.)

We also use a Cloud-based backup to insure if our office building had a fire or flood, and our NAS device was destroyed, we still have all of our data off site.  The cloud back up restoration would take us a long time to recover, but at least we would have all of our data intact. 

There are a wide variety of backup solutions available, so it is a good idea to sit down and figure out which are best for your business. The vast majority of companies integrate multiple solutions in order to maximize the effectiveness of their backups and spread the risk of losing data around a bit.

2. Split your backup locations

In order to ensure that your data backups are available for recovery should you need them, you should split up the locations where the backups are stored. Should you keep all of your backups on hard drives in the office and there is damage to the premises, you could potentially lose your data. One of the most effective strategies is to have one set of backups on-site, and another off-site which will ensure that should there be a disaster in one location, the other will likely be safe and you will still be able to access your data.  Despite all of the backup technology options available, you can narrow these down to two categories, the fact that the backups are kept in two locations

  • On-site - Data backup solutions that are kept in your office. This could include internal hard drives, or NAS, and even tape. The idea here is that the data backup is kept in your office. Some like USB drives may leave the office, but the main idea is that they are used primarily in the office.
  • Off-site - Data backup solutions are stored off-site, or out of the office. The best example of this is cloud-based backup where your data is stored in a data center, most likely in another region of the country. Another example is backing up to hard drives and storing them in a secure location outside of the office in another branch location or at the owner’s home.

3. Establish a standard naming and filing system

Have you ever seen how people organize their hard drives on their own PCs? Some like to use folders and subfolders that are organized neatly, while others tend to throw files into one general folder or leave them on the desktop. The same can be said for the way files are named.

Because of these differences, in the event you do need to restore the data, it can be difficult to back up and recover files properly. We recommend that you pick a naming and file system that every file and folder will follow across all systems. This means backups will be quicker, you will be able to see what is new, and you will spend less time organizing files.

At ANP we have a written file naming convention that we educate everyone on and enforce the use of.  A standardized file naming and file organization structure goes a long way toward making it easier to find files and recover them should your systems go down. 

4. Determine, which files need to be backed up and protected

While it may be tempting to back every file and folder up, in an effort to maximize efficiency of your solution, it is better to not back everything up. Because you are going to want to be able to restore a backup quickly, it’s worth investing the time to identify what files and folders are to be backed up.

The same can be said for non-work related files. While these may be important to your personal life, they likely aren't to the business so should not be backed up onto your business backups.  Look at each file and folder and see if it has something to do with business decisions, or is in anyway tied to your business. If it is, then it is probably a good idea to keep it and add it to your backup rotation.

In my next blog I will share four more tips regarding your data backups. In the meantime if you want to learn more about small business data backups, disaster recovery plans, and disaster recovery services sign up for our Free IT Webinar this month HERE.  Or if you are not ready to meet yet, you can download a great free white paper about disaster recovery planning HERE.

 

 

Topics: backup plan, Data backup, Data Recovery, business continuity plan, data backups, backup solutions

Disaster recovery planning, ask questions before disaster strikes.

Posted by David S. Mulvey on Wed, Sep 10, 2014

As a business owner, I suspect you wonder if your company could survive a fire, flood or a data disaster. The US Small Business Administration came out with some scary data last year; 90% of small businesses do not survive a fire/flood disaster.   Certainly it is impossible to predict what the next disaster will be, but it's easy to prepare for, especially if you have an effective data backup plan. When it comes to data backup planning there are a few key metrics that you as the owner need to be aware of.  In this blog I will show you what questions you need to be asking and why you need to know the answers.  The survivability of your business might depend upon it.

There are essentially two key questions you need to be talking to your IT employee or your outsourced IT Managed Service Provider about when it comes to data backup plans. The first is how often are the files being backed up: measured in weeks, days, hours or seconds?  This is important because it will give you a sense as the owner just how much data could be LOST if your server failed at any given moment and you had to go back to the last good data backup copy to restore the server and it’s applications from that point in time.

If you are backing up on a per minute basis, you stand to lose very little data.  But on the other hand if you are backing up daily, once a week or once a month, you could lose up to a whole month of company data. Take a look at this graphical representation: 

 RPO Lost Data resized 600

Note the slower the backups occur typically there is a longer amount of time between the backups. A slower back up media (tape) could possibly equate to losing more data.  The inverse of that statement is also true; the faster your backup media (disk based backups), the more often you are likely to be backing up.  With more frequent backup copies, the less company data you can possibly lose during a disaster.  The takeaway point here is the time between your last successful back up and the disaster is the time in which company data is at risk and will be lost.

The second question you need to know is once a data disaster does occur, how long will it take to restore your most recent backup copy on a new server?  It’s important to remember that during the restoration time line, your business applications will not be available.  So ask yourself, “Can your business run for a prolonged period of time without your ERP application or your CRM or accounting software?”  Do you need all of your applications immediately or just a few key apps?  Can you manufacture or provide your company’s service without your software applications up and running?

There are three related questions you need to ask: First, where will a new server come from and how long will it take to get it? You can’t begin to restore a backup until you have good hardware to restore to.  Second, how long will it take to restore the basic Server Operating System?  Finally, how long will it take to restore your application and data on top of the operating system?  Unfortunately the restoral process is completed in a serial fashion: first the hardware, then the operating system(s) and finally the application itself which stretches out the time it takes to recover.  Bear in mind, your business is running in a manual mode during the recovery time.

If you choose to place your backups on a slow media like Tape, your restoration process could take weeks, or if you decided to spend more money on a faster media (on location disk or cloud based disk) the recovery process will be much faster.  But the point is you need to know how long it takes, and then decide if that time line is actually appropriate for your business.  Plus you should plan ahead and determine the logical order in which you want to restore your applications. 

 RTO or lost time and mannual processing resized 600

There are some great business takeaways here: my clients often want to dive into technology discussions.  I prefer to hold a business conversation first.  How much data can you afford to lose if there is a data disaster? How long can your business be without your key applications? Have your employees been taught how to work without their key application in a manual mode?  Data backup planning is much more about your business approach than it is about selecting a backup media technology.

Start Today Idea: As part of your business continuity plan, you need to figure out how much company data you can afford to lose should you have a data disaster.  Then calculate how quickly you need to recover the last backup.  With this planning completed; you can begin to design a data backup task list, a backup rotation schedule and a backup restoral test schedule.

Want to learn more about small business data backups, disaster recovery plans, and disaster recovery services? Sign up for our Free IT Webinar this month HERE.  Not ready to meet yet?  You can download a great free white paper about disaster recovery planning HERE.

Topics: data backups, disaster recovery planning

Subscribe By Entering Your Email

Follow ANP

Browse by Category