This is a guest post from Paul Bishop. Paul is a systems engineer for NCR Corporation with 16 years of service in various roles and capacities. He currently consults with NCR’s retail channel partners and helps them implement NCR hardware and software solutions in a variety of retail outlets. Paul is presently working on a project to roll out WatchGuard firewalls and NCR Security Services to channel partners and their client bases. When he’s not working he can be found at home with his wife and 3 cats.
Security and PCI (Payment Card Industry Data Security Standard) compliance are a concern for everyone doing business today, unless your users are still running a cigar box and a calculator and accepting only cash.
How can you secure your end user and make it harder for crackers* to gain access to financial information and perpetrate identity theft?
*Hackers are the good guys, crackers are the bad guys. Hackers figure out how to root Androids, jailbreak iPhones and find security holes in software, which they then report to the developers. They use their knowledge to learn, to teach others and to make money legally, never to commit crimes. Crackers are the criminals: they employ the same methods hackers do, but use them to commit crimes. You typically hear the word hacker used to describe the bad guys, but that is a misnomer the media repeats far more often than not. Crackers wear black hats and hackers wear white ones.
The most important principle in securing a user’s network is a layered approach (defense in depth). Do not install a firewall and expect it to catch everything. It will not. A firewall is simply the first line of defense at the perimeter of your network. It does a great job of catching many threats, but no firewall will catch 100% of spam, viruses, malware, ransomware (think CryptoLocker) or any other junkware that is out there.
Behind the firewall, antivirus should be installed and kept up to date on every machine that reaches the internet. It should go without saying, but outdated AV software is nearly as much of a threat as having none: it gives confidence without coverage.
After installing a firewall and antivirus, whitelist both web sites and applications. Malware cannot infect a machine if its code is never allowed to run. Had Neiman Marcus whitelisted applications, they likely would not have had their customer data stolen: the malware running on their systems carried a name nearly identical to that of their card-processing software, so a whitelist would more than likely have stopped it even though it went undetected. One caveat: for that to work, the whitelist has to identify programs by cryptographic hash or publisher signature, not by file name, or a lookalike named after the legitimate binary walks straight through. Whitelisting is also easier to manage than blacklisting, because you identify only the web sites and applications that are allowed to run and everything else is excluded by default.
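The difference between a name-based and a hash-based whitelist is the whole point of the Neiman Marcus story, so here it is in code. This is an added example, not from Paul’s post or from any product: the two “executables” are constructed byte strings standing in for a genuine card-processing binary and a memory scraper dropped under the same file name, and the paths and names are assumptions for the illustration.

```python
"""Allow-by-name versus allow-by-hash: a lookalike binary passes a filename
whitelist but not a hash whitelist. Added example; the executables are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes  # constructed stand-in for the file's bytes on disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def allowed_by_name(exe: Executable, allowed_names: set[str]) -> bool:
    """Weak policy: trusts whatever the file happens to be called."""
    return PureWindowsPath(exe.path).name.lower() in allowed_names


def allowed_by_hash(exe: Executable, allowed_hashes: set[str]) -> bool:
    """Strong policy: only bytes whose digest was approved in advance may run,
    wherever they sit on disk and whatever they are named."""
    return sha256_hex(exe.content) in allowed_hashes


def verdicts(exes, allowed_names, allowed_hashes) -> dict[str, tuple[bool, bool]]:
    """Map each path to (passes name whitelist, passes hash whitelist)."""
    return {
        exe.path: (allowed_by_name(exe, allowed_names), allowed_by_hash(exe, allowed_hashes))
        for exe in exes
    }


# Constructed sample: the genuine processor and a scraper dropped with the same name.
GENUINE = Executable(r"C:\Program Files\PayApp\payproc.exe",
                     b"MZ...genuine card-processing build 4.2...")
LOOKALIKE = Executable(r"C:\Windows\Temp\payproc.exe",
                       b"MZ...memory scraper disguised as payproc...")

ALLOWED_NAMES = {"payproc.exe"}
ALLOWED_HASHES = {sha256_hex(GENUINE.content)}  # what an administrator approved

if __name__ == "__main__":
    for path, (by_name, by_hash) in verdicts([GENUINE, LOOKALIKE], ALLOWED_NAMES, ALLOWED_HASHES).items():
        print(f"{path}: name-whitelist={'allow' if by_name else 'block'} "
              f"hash-whitelist={'allow' if by_hash else 'block'}")
```

The operational cost of hashing is that every legitimate update changes the digest and has to be re-approved; publisher-certificate rules (as in Windows AppLocker) trade some of that precision for manageability, and either is far better than trusting a file name.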
Complex passwords are yet another line of defense. We all hate typing H8cMpLxPwd5 to log on to our machines. But we should. PCI DSS 3.0 (Requirement 8.2.3) requires passwords of at least 7 characters containing both letters and numbers; many organizations go further and require 3 of the 4 character classes (capital letters, lower case letters, numbers and special characters). It’s fairly simple to make a complex password that is still easy to remember, like the one you just read: it is short for Hate Complex Passwords, so the pattern is memorable. Bear in mind that predictable substitutions (8 for “ate”, 5 for “s”) are built into every password-cracking tool’s rule sets, so length does more for you than symbol tricks; treat 7 characters as the floor, not the target.
Finally, network segmentation. Many retailers like to provide their customers with Wi-Fi access. When doing so, it is of the utmost importance to keep the Wi-Fi separated from the POS segment of the network, with a firewall rule that blocks traffic between the two, not merely separate access points. Never, in any instance, is it okay for customer Wi-Fi and POS to be on the same network segment: anything that can reach the POS systems becomes part of the cardholder data environment and lands in PCI scope.
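A segmentation rule is only worth what you can verify. The following is an added example, not part of Paul’s post: it takes a few constructed flow records (timestamp, source, destination, port, protocol, as a firewall or NetFlow export might log them), maps each address to a named segment, and reports every flow that crosses segments without an explicit allow. The address ranges, segment names and allowed paths are assumptions for the illustration; substitute your own.

```python
"""Check logged flows against a segmentation policy. Added example with constructed data."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed store layout. Anything outside these ranges is treated as "internet".
SEGMENTS = {
    "pos": ipaddress.ip_network("10.10.20.0/24"),
    "back_office": ipaddress.ip_network("10.10.10.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}

# (source segment, destination segment) pairs that may talk at all.
# Traffic that stays inside one segment is always allowed; everything else is a violation.
ALLOWED_PATHS = {
    ("pos", "internet"),          # payment authorization to the processor
    ("back_office", "pos"),       # manager workstation administering terminals
    ("back_office", "internet"),
    ("guest_wifi", "internet"),   # the only thing guests should ever reach
}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def parse_flow(line: str) -> Flow:
    """Assumed log format: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def violations(lines) -> list[str]:
    """Return a human-readable line for every flow the policy does not permit."""
    bad = []
    for line in lines:
        f = parse_flow(line)
        s, d = segment_of(f.src), segment_of(f.dst)
        if s == d or (s, d) in ALLOWED_PATHS:
            continue
        bad.append(f"{f.timestamp} {s} -> {d} ({f.src} -> {f.dst}:{f.dport}/{f.proto})")
    return bad


# Constructed sample flows; only the third one should be reported.
SAMPLE_FLOWS = [
    "2014-04-10T09:12:01 10.10.20.5 203.0.113.10 443 tcp",    # POS -> processor
    "2014-04-10T09:12:07 192.168.50.23 198.51.100.7 443 tcp", # guest -> web
    "2014-04-10T09:12:09 192.168.50.23 10.10.20.5 445 tcp",   # guest -> POS: violation
    "2014-04-10T09:13:44 10.10.10.2 10.10.20.5 3389 tcp",     # back office -> POS: allowed
    "2014-04-10T09:14:02 10.10.20.5 10.10.20.6 445 tcp",      # POS -> POS: same segment
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("VIOLATION", v)
```

Run this against the firewall’s own permit log: if guest-to-POS flows ever appear there, the segmentation rule is missing or ordered wrong, because a correct rule would have dropped them before they were ever logged as permitted.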
Setting up layers of security will help you and your end users filter out the threats that exist today. Implementing all of the above suggestions brings the risk of intrusion and theft down significantly, and peace of mind up correspondingly.
The beginning of April 2014 brought the discovery of a major bug named Heartbleed in OpenSSL, the library behind an estimated two-thirds of the web’s secure servers, exposing users to information theft.
While we’ve been busy making all necessary patches, updates and password changes for our clients, we wanted to take the time to explain to you exactly what Heartbleed is, what it’s affected and what to do.
What is the Heartbleed bug?
A website or application that transmits sensitive information needs to be secure. To be secure, it uses one of the protocols developed to keep information encrypted in transit: SSL (Secure Sockets Layer) and its successor TLS. One of the most common implementations of these protocols is OpenSSL, an open source library developed by a small volunteer team of programmers around the world.
One of the newer parts of OpenSSL (added in version 1.0.1, in 2012) is the Heartbeat feature, which lets two applications confirm that they are still on a secure connection with each other. The sender sends a request to the server: “If you’re still on the connection, send back the 3 letter word boy.” If the server sends back the word “boy”, the connection is confirmed and they continue to transmit information securely.
The bug is that the stated word length (3 letters for boy) can be set longer than the word actually sent (say 400), and the server trusts that number: it sends back the word plus whatever happens to sit next to it in the server’s memory (397 bytes’ worth) without checking that the request was really that long. The length field allows up to about 64 KB per request, the request can be repeated as often as the attacker likes, and it leaves no trace in ordinary server logs. The xkcd cartoon on Heartbleed provides a great visual explanation.
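The whole bug is one missing comparison, and it is easier to see in code than in prose. The following is an added example, not OpenSSL’s source: a miniature heartbeat handler that, like the real one, trusts the 16-bit length inside the request, beside the check the fixed version added. The request, and the “secret” placed after it to stand for whatever else was in the server’s memory, are constructed.

```python
"""Heartbleed in miniature: trusting the request's own length field. Added example."""
from __future__ import annotations

import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2   # RFC 6520 message types
PADDING = 16                     # OpenSSL appends 16 bytes of padding to the echo


def process_heartbeat(memory: bytes, record_len: int, patched: bool) -> Optional[bytes]:
    """memory[:record_len] is the heartbeat record as the TLS layer delivered it; the
    bytes after it stand for whatever else sits in the process heap.
    Returns the response, or None if the record is discarded."""
    hb_type = memory[0]
    (claimed,) = struct.unpack_from("!H", memory, 1)   # attacker-controlled length
    if hb_type != HB_REQUEST:
        return None
    if patched and 1 + 2 + claimed + PADDING > record_len:
        return None   # the fix: a record whose length field exceeds its real size is dropped
    # The bug: 'claimed' bytes are echoed from where the payload starts, regardless of
    # how long the record really was. A C process reads adjacent heap here (or crashes);
    # this Python slice simply runs into the bytes that follow the record.
    echoed = memory[3:3 + claimed]
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + echoed + bytes(PADDING)


def build_process_memory(real_payload: bytes, claimed_len: int, secret: bytes) -> tuple[bytes, int]:
    """A heartbeat request whose length field says claimed_len while carrying
    len(real_payload) bytes, followed by unrelated data that happened to be in memory."""
    record = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + real_payload + bytes(PADDING)
    return record + secret, len(record)


def leaked(real_payload: bytes, claimed_len: int, secret: bytes, patched: bool) -> Optional[bool]:
    """True if the secret came back in the response, False if not, None if rejected."""
    memory, record_len = build_process_memory(real_payload, claimed_len, secret)
    response = process_heartbeat(memory, record_len, patched)
    return None if response is None else secret in response


if __name__ == "__main__":
    SECRET = b"user=alice&password=hunter2&card=4111111111111111"  # constructed
    for claimed in (3, 400):
        for patched in (False, True):
            print(f"claimed={claimed:3d} patched={patched!s:5}: leaked={leaked(b'boy', claimed, SECRET, patched)}")
```

Note that the honest request (length 3 for “boy”) behaves identically before and after the fix; only the lying one is affected, which is why the patch broke nothing and why the bug survived two years of use unnoticed.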
What’s the issue?
The information that the attacker would see could contain any of the following (from least problematic to most problematic):
1) protected content like personal or financial details, emails or other communications
2) usernames and passwords – which would enable the attacker to take control of users’ accounts
3) the server’s private key – which would let the attacker impersonate the server and decrypt its traffic, including recorded past sessions unless a forward-secret key exchange was in use
You could be affected if:
1) your information was in the server’s memory when an attack happened
2) the private key was among the information taken, in which case the server’s traffic can be decrypted, or the server impersonated, without needing the Heartbleed bug again, until the key is replaced
What should you do now?
Check if any of the secure sites/services you use were running a vulnerable version of OpenSSL.
Have they patched (fixed the issue) yet?
If they have, change your password.
If they haven’t, wait to change your password until they do. If you changed it now, an attacker could still capture the new one through the same attack, or use the stolen private key to recover it from encrypted traffic. Services may be posting updates on their sites; otherwise email them and ask what they have done and whether you should change your password yet. Patching alone is not enough, either: the site also has to reissue its certificate with a new private key and revoke the old one, or a key stolen before the patch keeps working.
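For an administrator checking their own servers rather than someone else’s, the first thing to look at is the OpenSSL version string. The following added example (not from the original post) classifies the output of `openssl version` against the affected releases: 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the bug, 1.0.1g and 1.0.2-beta2 fixed it, and 0.9.8 and 1.0.0 never had the heartbeat code. The caveat is that Linux distributions backport fixes without changing the upstream version, so a patched Red Hat or Debian build can still print 1.0.1e; treat the version string as a first screen and the package changelog (look for CVE-2014-0160) or a live test as the confirmation.

```python
"""Classify an `openssl version` string against the Heartbleed-affected releases. Added example."""
from __future__ import annotations

import re
import subprocess

# Upstream releases containing the vulnerable heartbeat code (CVE-2014-0160).
VULNERABLE_1_0_1_LETTERS = {"", "a", "b", "c", "d", "e", "f"}   # 1.0.1 .. 1.0.1f; 1.0.1g fixed it
VULNERABLE_1_0_2_PRERELEASES = {"beta1"}                        # 1.0.2-beta2 and later are fixed

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-([A-Za-z0-9]+))?")


def heartbleed_by_version(version_output: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown' based on the upstream
    version number alone (distribution backports can make a 'vulnerable' build safe)."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), (m.group(5) or "").lower()
    if (major, minor, patch) == (1, 0, 1):
        return "vulnerable" if letter in VULNERABLE_1_0_1_LETTERS else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        if suffix.startswith("beta"):
            return "vulnerable" if suffix in VULNERABLE_1_0_2_PRERELEASES else "fixed"
        return "fixed"
    # 0.9.8 and 1.0.0 never had heartbeat support; branches after 1.0.2 were released fixed.
    return "not-affected"


def check_local_openssl() -> str:
    """Run the local binary and classify it (needs openssl on PATH; not used by the tests)."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False).stdout
    return heartbleed_by_version(out)


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0k 5 Feb 2013"):
        print(f"{sample!r}: {heartbleed_by_version(sample)}")
```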
Published lists of highly-used sites and their Heartbleed status showed that vulnerable sites included Facebook, Gmail, Pinterest, Yahoo, GoDaddy and Minecraft.
Even the Healthcare.gov site was affected.
Thought to be an oversight rather than deliberate sabotage, the Heartbleed bug did show the dangers of relying on open source software for critical functions when nobody is funding or carefully reviewing it. OpenSSL itself has been fixed, in version 1.0.1g. Both the volunteers who create open source software and the community that uses it will keep an eagle eye open in the future.
Quick, take this two-second quiz:
1) Do you and your employees own personal smartphones, tablets or notebooks?
2) If yes, are they used for company work also?
Okay, now it’s time for a Choose Your Own Adventure post:
If the answer to question 2 is “no,” go on to the “Pros” section to find out how utilizing your personal mobile devices for work (otherwise known as BYOD – Bring Your Own Device) can increase employee satisfaction and productivity while cutting your company’s expenses.
If the answer to question 2 is “yes,” go on to the “Pitfalls and How to Stay Clear of Them” section to find out how to ensure the security of your company data and the productivity of your employees with the open access of BYOD.
Section 1 – Pros of BYOD
- BYOD promises employee satisfaction – employees expect to be able to access work from their mobile devices, just like they can access everything else in life from their smartphones.
- BYOD lowers expenses – if employees are using their own smartphones or tablets, you don’t have to provide them with a work device.
- BYOD increases work efficiency – if employees can access work whenever, they will put in more time outside of standard work hours.
BYOD is most effective for companies with a mobile workforce that already uses mobile devices. Salespeople and distributors use apps to check inventory or show sales videos to prospects. Construction teams access and update project information when they’re on-site.
Enabling the workforce to use the devices they already have simplifies life for them and lowers your company’s expenses.
BYOD isn’t a utopia, though. There are pitfalls, but the smart business owner will know about them and know how to manage them to get the pros of BYOD while minimizing the cons.
Section 2 – Pitfalls of BYOD and How to Stay Clear
- security breaches when a device gets lost, stolen – or picked up by your employee’s teenager.
- strain on your company’s bandwidth as employees use both their personal device and their desktop at the same time.
- employees getting distracted by their smartphone apps and wasting time instead of working.
- compatibility issues with different operating systems and applications.
How do you manage BYOD to minimize the pitfalls and enjoy the advantages?
- Device management – know who is using what on your network.
- a 2013 Department of Defense Inspector General report found that the Army CIO was unaware of more than 14,000 mobile devices in active use.
- Standards for password complexity and rotation.
- Your company needs to have the authority to remotely wipe data when a device is lost, stolen or when an employee leaves the company.
- Standards for data encryption.
- so that a lost flash drive won’t put your clients at lifetime risk of ID theft after its files are uploaded to a torrent site.
- Access company data, when possible, through web servers and apps, eliminating the need to store data on the device itself and providing another layer of protection.
- Security patch, antivirus and antimalware update standards.
- If bandwidth and productivity are concerns, consider limiting BYOD to the mobile workforce, when on-site or on sales calls.
Write out all your expectations and standards in an official BYOD policy that your employees read and sign.
BYOD is where company technology is leading – especially for mobile workforces. Stay ahead of the game and make sure the rules are in favor of security, economy and productivity.
Do you allow personal devices already, but your device management is haphazard? Or now you want to allow devices but all of the stuff you need to manage seems overwhelming?
Don’t sweat it.
Take a look at how we can facilitate your mobile device management so you can reap the benefits without the pitfalls.
<The following is an interview done with Zohar Shiff, Director of Don’t Sweat IT Solutions, published originally in the Atlanta Jewish Times.>
“The official reason I came here was because I had a job offer to be a laundry man for $17,000 a year,” says Shiff.
Although his love for technology had been developing since childhood, Shiff’s path to a career in IT and subsequent reimagining of the industry wasn’t quite so straightforward.
Shiff grew up on Kibbutz Hanita, in Israel, where children went to school for five days out of the week and spent the sixth working. According to Shiff, most of his peers pursued agriculture, passing their days outdoors in the banana or potato fields.
“And I never had interest in being outside in the sun,” Shiff laughs. “I had technical abilities, so I went to work with an electrician. I liked to build stuff and take it apart.”
He took his amassed knowledge from said electrician and applied it to his other passion – the theater.
It was the army, of all places, that allowed Shiff to explore his thespian passion whereby he went on to perform for three years, five nights a week.
While gratifying, his army salary didn’t exactly cover the bills. In an effort to bridge his two interests and supplement his work in the army, Shiff began a career in stage lighting.
In a spurt of entrepreneurial zeal, Shiff also opened up a restaurant, only to have it close six months later. It was this experience that left a bad taste in his mouth, causing him to shy away from the world of business for years to come.
After his eventual move to the States, Shiff worked odd jobs as a laundry manager, furniture mover, and eventually support technician for a nationwide medical software company.
It was a time of change in the computer industry. The internet had only just begun to take hold and DSL was the latest thing. The medical offices were suddenly interested in having personal computers, internet, and email. As a result, they turned to Shiff as a guide whenever he came in on his support calls.
“I helped as much as I could while I was there, but the company I was a part of wasn’t really behind it.” Shiff wanted to do more than simply support the software. He wanted to advise and guide the customer, help them to expand.
Shiff was then approached by a colleague who wanted to start a venture.
“I didn’t need to take care of the business end, just the technical so I was convinced to go back in to business.”
And so it was that several of the doctors’ offices immediately became clients of Shiff’s new IT support services.
Along the way, customers began to broach the subject of Shiff coming in on a monthly basis to monitor their technology and keep it up to date, instead of on-call.
“I would advise them to run certain programs to maintain their computers and they would reply, ‘Why don’t you run it for us?’”
Shiff eventually struck out on his own and began Shiff Atlanta IT services in 2010. If the internet and email had been the up-and-coming technology when Shiff’s prior venture began, the new technological horizon was cloud computing, for which Shiff wanted to push the envelope even further.
Simply put, cloud computing delivers computing resources (servers, storage, applications) over the internet from a provider’s data centers. It allows businesses to reduce their in-house IT infrastructure, avoid buying expensive equipment and pay only for the computing power they actually use.
Everything from email and internet browsing to documents and data management is now available from anywhere and on any device.
“Take for example the idea of BYOD (Bring Your Own Device),” says Shiff. “It’s one of the ultimate expressions of the idea of cloud computing. It frees users to work the way they want, where they want, without compromising corporate security.”
Shiff saw something else that was missing in the way IT services had typically been handled.
“You have a problem, you call somebody and they come, they fix the problem and you pay them per hour,” he explains. “But that puts the technician and the client in a situation of conflict of interests because the client wants the job to be as short as possible and the technician makes more if the job takes longer. The way to overcome that was to take a risk.”
Shiff decided to offer a flat, monthly fee with everything included – all remote support, technician visits, monitoring and updating of equipment and programs – in order to help ease the minds of business owners.
The Shiff Atlanta brand would eventually undergo a makeover, in no small part thanks to Michael Friedman of Sosgona Marketing & Design, LLC, to be reborn as Don’t Sweat IT Solutions. In its current incarnation, Don’t Sweat IT offers IT services ranging from cloud servers to synchronized email to disaster recovery.
The name change is a reflection of Shiff’s personal mission to make IT less daunting.
“They [the customers] always feel intimidated by IT. Some probably even feel stupid because they don’t understand,” says Shiff.
In his past work experiences in IT support, Shiff noticed his fellow technicians becoming frustrated with the customers that they were supposed to be helping. He realized there was a real need for a human connection, for a patience that had been lacking.
Shiff’s friendly demeanor turned one-time jobs into returning customers, and a simple concept into a thriving business.
“I liked the connection with the people, more than the connection with the computer,” says Shiff. “I noticed the positive human interaction and then I came up with the thought that maybe the whole computer thing is just an excuse to connect with people.”
Shiff’s personal mission is to make IT less daunting to small business owners and staff.
How much does a new computer cost? Most companies will answer based on the price tag – 800, 1000, 1200 dollars.
But the Total Cost of Ownership – how much your computer will cost your company over its entire lifespan – is much, much higher.
Gartner Research, Inc. released a study years back reporting that the Total Cost of Ownership (for a computer kept for several years) is usually 12 to 16 times that of the computer purchase price. Companies doubting the numbers and testing it out were surprised to find that it was often higher than that.
Where do these hardware costs come from and how can you keep them down?
1) Setup
Any new computer or piece of hardware needs an IT technician to set it up, install the requisite programs and integrate it into your network.
2) Maintenance and repair
Things break. Computer hardware is no exception. Whether from negligence, misuse, or just growing older, a malfunctioning computer needs an IT technician to come in and spend billable hours working to fix the hardware and make it functional again.
The older the hardware gets, the more it tends to be incompatible with the new software and apps that you’re trying to integrate, requiring more technician hours to keep it operating and raising the TCO.
3) Removing viruses and malware
This is similar to maintenance, but is related directly to usage of the computer. Your users will open emails, browse the web, install programs and addons… not all of which are innocent and helpful. The computer can be slowed down or rendered nonfunctional, and again, the technician has to come in and spend time getting the computer back into shape.
4) Upgrades
Run out of memory? Need a new operating system? Upgrade cost is comprised of technician hours and of the parts and supplies needed for the upgrade.
5) Backup and recovery
Your data is the backbone of your business. You have to ensure its viability even if disaster or human error sends that data to the land of no return. Backups on tapes and disks have been the choice for years, and recently backup to the cloud has become the up-and-coming option. Local backups cost you the materials and the work hours needed to run them. Cloud backups usually cost a monthly fee.
While you can’t eliminate these costs entirely until they invent the unbreakable supercomputer that updates and maintains itself, here are ways to keep costs down:
1) Cloud computing
Migrating hardware needs (like servers and even workstations) to the cloud means that they don’t require you to call in a technician if they go on the fritz. Any issue is solved by the cloud services provider and usually part of a set monthly or yearly fee. And their tendency to go on the fritz is vastly reduced because any reliable cloud services providers will have redundancy, so if one data center is having issues, you’ll just be getting your data from the redundant servers or other data center without users noticing the difference. That reduces your downtime, yet another hidden TCO cost – the reduced earnings your hardware causes you when it decides to be nonfunctional for a few hours.
2) Don’t hang on to hardware
It’s hard to spend a significant chunk of money on a new computer, so you may be tempted to milk every last unit of processing power out of those desktops you bought 6 years ago. Be aware – the older a computer gets, the more it tends to need maintenance. By hanging on to that computer, you may actually be using the money you could have bought a new computer with to maintain a grumpy old computer with sub-par performance.
Another option to eliminate this issue all together is to use a HaaS (Hardware as a Service) provider. You pay for the computing power, not a specific piece of hardware. If any piece of hardware malfunctions, it is the service provider’s responsibility to replace or fix it without any user interruption.
3) Managed IT services with monthly flat rates
When you’re using technicians who charge by the hour, your expenses tend to go up fast – usually in parallel with your blood pressure as you wonder why the technician is taking so long. Signing up for an IT service at a flat monthly rate that includes on-site visits from technicians will keep TCO costs predictable and not ballooning out of proportion.
4) Locking down computers, especially laptops
The more freedom you give your employees with your computers, the higher TCO costs go. Adware, malware, spyware, unnecessary programs and addons congregate on an open computer, slowing it down or paralyzing it entirely. And then you have to pay someone to fix it. Gartner released research a few years ago showing that a locked and well-managed PC can have a TCO 42% less than an unmanaged one, and a laptop TCO can be reduced 45% by locking it. Their 2013 update continues to demonstrate the difference.
Sometimes locking it down isn’t relevant, as in the case of employees who work on the go and need the flexibility to modify settings. Other times a lockdown can cause a significant increase in support calls because the user is entirely dependent on the IT support to do anything. In those cases, even moderate management can reduce the TCO by 24% – still a significant benefit.
5) Get what you need, not more than you need
With the rate at which you produce data, do you need your data backed up every two hours or every five minutes? If it’s only every two hours, don’t be convinced into taking an “every five minutes plan” if it’s going to cost you more. Get upgrades that you will actually use and will produce an ROI for your business. If a lesser upgrade would get you the same ROI, do that instead. If you buy a high-power, multiple processing unit laptop for a user who basically needs to access one company program and do data entry, you’re wasting your money. Sometimes less is more.
But don’t skimp and buy sub-par equipment for your business. If you buy a low-performance laptop for a power user who needs several programs open at once in addition to an internet browser with 10 tabs, he will wear his computer down very fast.
Hardware as a Service, mentioned above, is also helpful here to get the exact hardware which will meet your needs.
Hardware is a necessary IT expense. With the above tips you can be a more educated consumer in the effort to keep your hardware TCO as low as possible.