Archive for RB

Who Needs Two-Factor Authentication

The recent epidemic of online security breaches has shown the folly of relying on passwords as the sole protector of your online data. As I have covered several times, most users reuse the same passwords. So what are we to do? One solution is Two-Factor Authentication.

John Shier at Sophos' Naked Security blog provided a primer on multi-factor authentication. Two-Factor Authentication is a subset of multi-factor authentication (MFA). MFA is an authentication process in which two of three recognized factors are used to identify a user:

  • Something you know – usually a password, passphrase, or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits
  • Something you are – fingerprints, iris patterns, voiceprints, or similar

How two-factor authentication works

Two-factor authentication works by demanding that two of these three factors be correctly presented before access to a system or website is granted. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get into your account unless they can also provide one of the other two factors (something you have or something you are).

The author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems over a VPN session. Users must supply a username, a password, and the six-digit code from the secure token appended to a PIN. Home users can get a form of two-factor authentication through SMS code verification: in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

Gaps in mobile network coverage and the unreliable nature of SMS delivery can make SMS 2FA difficult to use. However, some services let you use an authenticator app in addition to your password; the app presents a different numeric one-time password (OTP) for each service you register with it. Both Google and Windows make these apps freely available in their respective stores.

Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone does not have service (mobile or otherwise), because the codes are generated on the device itself rather than delivered over the network.

Two-factor authentication makes it harder

Parker Higgins at the EFF says normal password logins, which use single-factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like the PIN (something you know) used with your ATM card (something you have), makes it harder to impersonate you: you need to both have the card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone, which means that even if your password is compromised by a keylogger in an Internet café or through a company's security breach, your account is safer, according to the EFF.

That's important because phishing, one of the most common ways accounts are compromised, only captures passwords. By adding a different factor, phishing attacks become much more complicated and much less effective, according to Mr. Higgins.

As two-factor authentication systems have become more popular, they have gotten increasingly user-friendly; the EFF believes it doesn't have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT), GitHub, Evernote, WordPress, Yahoo (YHOO) Mail and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere, but many of the most popular sites and services on the internet use the technology. Hopefully, this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes to thwart 2FA, so you still need anti-malware on your mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need Two-Factor Authentication.

Related articles
  • Fending off automated attacks with two-factor authentication (cloudentr.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Tips to Blend Agile, Waterfall

There is a battle being waged for the hearts and minds of project managers. The battle is between Agile advocates and Waterfall supporters, according to Eric Morgan in a recent FierceCIO article. The CEO of AtTask explains that Agile loyalists see the benefit of empowering people and teams in a bottom-up approach that produces a faster, more responsive way of working. Meanwhile, traditionalists prefer a top-down Waterfall approach that neatly outlines all the steps in the project and defines the scope, budget, and schedule upfront, minimizing risk and uncertainty.


So who is right? The article says neither. Rather, it says that organizations with successful development cycles seem to use a mixed approach, applying both methodologies to different projects. It cites Amazon (AMZN), an Agile powerhouse, which could not have built its core web services product without some top-down dictation of standards. According to the AtTask CEO, the real difficulty for organizations therefore lies not in choosing one methodology over the other, but in successfully mixing the two.

Whether your organization is already juggling multiple methodologies or is considering adding Agile into the project management mix, here are four tips from the AtTask CEO on how to hybridize without sacrificing the visibility and productivity you need:

1. Transition to agile slowly

The biggest issue organizations face in adopting or expanding Agile is the cultural transition. Change is never easy, and moving from a top-down culture of command and control to a bottom-up approach where workers self-organize and self-prioritize will certainly test your leadership team. The article stresses that it's a cultural transition that many people in an organization feel is disruptive and too much of a challenge to the established culture. To make the transition smoother and improve adoption, you should try to slow down your process transition. Understand that onboarding a system like Agile is a long-term commitment and, because only certain teams will benefit from its methodology, make sure that your organization takes the time to strategically consider where it would be most effective.

Define up front what you are trying to accomplish with Agile so everyone can understand the benefits. In addition, developing a culture of respect and appreciation for both methodologies within the organization is important. Acknowledge what works well with Waterfall and when it is most appropriate to use. This extra effort will build trust; make people more open and resilient to trying new methods; increase buy-in from management and team members; and ensure that everyone is on the same page and trying to accomplish the same goals.

2. Provide professional agile training

With dozens of different aspects and processes, Agile is complex. The AtTask CEO warns that one of the biggest strategic mistakes organizations make is not getting professional training at the start. In particular, it is crucial that middle management participates in training. “Middle management really holds the keys to the success of Agile adoption. They create all the procedures and policies. If the middle is not on board, the transformation will be shunned,” says Dean Leffingwell, author of “Agile Software Requirements: Lean Requirements Practices for Teams, Programs, and the Enterprise.” When middle management is properly trained, not only do they understand the value of Agile for themselves, but they can be influential in mentoring the team and in demonstrating the value of Agile to the leadership.

3. Allow teams to communicate

In many organizations, Agile teams often become insulated from the rest of the organization. According to Mr. Morgan, they work in a kind of bubble, rarely interfacing with other teams or departments. However, communication and collaboration are two of the most critical elements of an effective mixed-methodology enterprise. Finding a way to enable visibility and communication across distributed teams, such as developing standard processes for organizing requirements and cross-team development, ensuring comprehensive release visibility for both upstream and downstream stakeholders, and managing the entire work life-cycle within one tool, will make hybrid organizations much more productive.

4. Speak a language everyone understands

The nuanced terminology associated with Agile is often an area ripe for miscommunication according to the author. In addition to making sure everyone understands the terminology and is speaking the same language, it’s important to identify key data points, such as what the team is working on, where the team is along their work process, and when the team will complete the task. Then, translate the data points into either methodology. No matter what methodology your teams choose, the work being done ultimately must be visible to the organization’s management and executive teams. Because manager reports and dashboards tend to focus on Waterfall-centric metrics, Agile teams need to ensure they are able to translate their results and progress accordingly. Moving to a mixed management style will always present challenges.

The article concludes that adoption may happen in baby steps, and not leaps and bounds. Following these four tips, however, can make implementation much more successful and enable you to structure projects in a more productive way to meet your business goals.

rb-

I have talked to several grey-haired PMs, and they have basically told me that Agile/Scrum is the best tool when you don't know what you want, and to use PMBOK when you know what you want.


Remote Desktop Opens Door to POS Malware

The U.S. Department of Homeland Security (DHS) has issued a warning to retailers. DHS reports that cybercriminals are using remote desktop software to open up retailers' networks to point-of-sale malware attacks. Point of Sale (POS) systems have been at the heart of many of the recent data breaches. Retailers impacted include Target, Jimmy John's, P.F. Chang's, Neiman Marcus, Michaels, Sally Beauty Supply, and Goodwill Industries International, the New York Times reported.

The DHS, the Secret Service, the National Cybersecurity and Communications Integration Center, and security firm Trustwave SpiderLabs have been researching the attacks. During the attacks, cybercriminals scan corporate systems for remote desktop software. The attackers are looking for Microsoft (MSFT) Remote Desktop, Apple (AAPL) Remote Desktop, Google (GOOG) Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn's join.me.

Install malware

After finding an exposed system, attackers launch brute-force attacks on the login feature. FierceITSecurity reports that once the attackers gain network access, they deploy Backoff POS malware to steal customer payment data and hide the theft using encryption. US-CERT issued an alert on 07-31-2014 that explained how the malware gets installed:

At the time of discovery and analysis, the [Backoff] malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious

US-CERT has informed anti-virus vendors of the threat from Backoff malware, and they will be updating their software to detect and block it. The malware can scrape memory for track data, log keystrokes, communicate with a command-and-control server, and inject a malicious stub into explorer.exe that ensures "persistence in the event the malicious executable crashes or is forcefully stopped."
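The brute-force step described above is the one a retailer can actually see coming, because every guess leaves a failed-logon record on the POS host. As an added example (not code from DHS, US-CERT, or Trustwave), here is a small detector that reads failed and successful remote-desktop logon records, raises an alert when one source racks up many failures in a short window, and escalates when that same source then succeeds. The record format (ISO time, source IP, account, FAIL or SUCCESS) and the sample log lines are constructed for the example.

```python
"""Flag password-guessing against a remote-desktop login from logon records.
Added example; not from the DHS/US-CERT material. Record format is assumed and
the sample log is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterator, List, Tuple

# Constructed sample: one source hammers several accounts within seconds and
# finally gets in; a cashier mistypes once and then logs in normally.
SAMPLE_LOG = """\
2014-07-31T02:00:01 203.0.113.7 administrator FAIL
2014-07-31T02:00:03 203.0.113.7 admin FAIL
2014-07-31T02:00:05 203.0.113.7 pos FAIL
2014-07-31T02:00:07 203.0.113.7 manager FAIL
2014-07-31T02:00:09 203.0.113.7 administrator FAIL
2014-07-31T02:00:11 203.0.113.7 administrator SUCCESS
2014-07-31T09:15:00 192.0.2.10 cashier1 FAIL
2014-07-31T09:15:20 192.0.2.10 cashier1 SUCCESS
"""


@dataclass
class Alert:
    source: str
    failures: int               # failed logons inside the window when last updated
    accounts: int               # distinct account names tried (password spraying sign)
    success_after_burst: bool   # a success while failures were still in the window
    first: datetime
    last: datetime


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, source, account, result) per record; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]


def detect(log_text: str, threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Sliding window per source: `threshold` failures within `window` raises an
    alert; a later success from an alerted source escalates it."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Alert] = {}
    for ts, src, account, result in parse(log_text):
        q = recent[src]
        while q and ts - q[0][0] > window:      # drop failures that aged out
            q.popleft()
        if result == "FAIL":
            q.append((ts, account))
            if len(q) >= threshold:
                tried = len({acc for _, acc in q})
                a = alerts.get(src)
                if a is None:
                    alerts[src] = Alert(src, len(q), tried, False, q[0][0], ts)
                else:
                    a.failures = len(q)
                    a.accounts = max(a.accounts, tried)
                    a.last = ts
        elif result == "SUCCESS" and src in alerts and q:
            # Success with failures still in the window: the password was likely guessed.
            alerts[src].success_after_burst = True
            alerts[src].last = ts
    return sorted(alerts.values(), key=lambda a: a.first)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On Windows the raw material is Security event 4625 (failed logon) and 4624 (successful logon) with the source network address; exporting those into the four-field shape above is the obvious adaptation. The `success_after_burst` flag is the one to page somebody for, since it marks the moment the remote-desktop door has actually opened.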

The article concludes, "The impact of a compromised POS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business' brand and reputation, while consumers' information can be used to make fraudulent purchases or risk compromise of bank accounts."

rb-

If mega-firms like Target can be breached, what chance do small mom-and-pop POS firms in schools, food trucks, and kiosks at the airport stand? I say not much. I have worked with several POS vendors, and it seems they barely understand their own product, let alone SSL certs or VPNs.

Here are some tips from Verizon’s 2012 research into security breaches affecting companies that use POS systems to process customer payments. Make sure your POS vendor does the following:

1.  Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords.)

2.  Implement a firewall or access control list on remote access and administration services. (If hackers can't reach your systems, they can't easily steal from them.)

3.  Avoid using POS systems to browse the web (or anything else on the Internet).

4.  Make sure your POS is a PCI DSS compliant application (ask your vendor).

5.  Use password management software like LastPass to generate secure passwords. (LastPass lets you avoid storing passwords in your browser and can generate ready-to-use secure passwords for you.)


Killer IT Jobs

The third annual GFI Software IT Admin Stress Survey reveals that 79% of IT staff are actively considering leaving their jobs due to job-related stress. According to GFI, that's a significant increase from 2013, when just 57 percent of respondents said they were actively considering leaving.

The survey of 200 U.S. IT administrators also found that the largest source of work-related stress was management, with 36% of the IT professionals surveyed citing it as the biggest source of stress. An additional 34% cited a lack of budget and staff to get the job done as a source of stress, despite the perceived improvement in the US job market.

Key survey findings:


  • 77% of U.S. IT staff surveyed consider their job stressful, up 12% over 2013
  • 38% have missed social functions due to overrunning issues at work
  • 35% report missing time with their families due to work demands on their personal time
  • 33% of IT staff regularly lose sleep over work pressures
  • 30% feel they are the most stressed person in their social or family group
  • 25% have suffered stress-related illness
  • 24% have had a relationship severely damaged or fail due to their job
  • 17% complain of feeling in poor physical condition due to work demands

On average, the IT workers surveyed work eight and a half hours a week over and above their stated working hours, with 23% of the survey sample working between eight and 12 hours of unpaid overtime each week.

Sergio Galindo, general manager of the Infrastructure Business Unit at GFI Software, said in a statement,

IT is renowned for being one of the most stressful white-collar jobs to undertake, now more so than ever given the critical role IT plays in everything from e-commerce to facilities management

Good news for IT Pros

In more good news for IT Pros, a study of 3,022 workers by CareerBuilder reveals that information technology workers categorize themselves as overweight more than workers in any other industry. This is bad news because there is a link between stress and weight gain.

The problem is so bad that 50% of IT workers call themselves overweight, the study says. Sectors that outpaced the national average for weight gain include:

  • Information Technology – 50 percent
  • Government – 48 percent
  • Financial Services – 46 percent
  • Health Care – 42 percent
  • Professional and Business Services – 42 percent

FierceCIO says the estimated annual medical costs to an employer for those who are obese are $1,429 higher than those of normal weight.

rb-

Even though a disillusioned, stressed, unhappy, unhealthy IT staff may seem the norm for many organizations (I've worked in this environment), it will lead to a crisis. At the last place I managed, it took a crisis-like job offer for the senior systems engineer to get management moving on addressing some of the very issues identified here. In the long run, they never brought on a high-caliber backup to cross-train, and when he left they were left with a hole to fill on the 

Progressive organizations need to take the lead and make sure that their IT staff are happy, engaged, and content. Here are three suggestions to do so:

Gamify IT support. Break the ticket tedium and let agents compete against each other, give them incentives and challenges, let them view the points they accumulate. In short, take the boring out of the service desk.

Let staff work right from their email to spend less time at work and more time with family – while maintaining or increasing productivity. No more setting up a VPN, logging into the help desk, finding the ticket, updating the ticket, and logging back out. 

Automate everything: set up a wiki and a FAQ, set up self-serve password resets, and take the load off the agents. Some organizational direction toward this can take the effort a long way. Write scripts to automate new-user onboarding and terminations.


Clock Ticking on Windows Server 2003 Deployments

Now that everybody has worked Windows XP out of the PC fleet (LOL), another Redmond deadline looms. Microsoft (MSFT) will be ending all support for the venerable workhorse of many organizations, Windows Server 2003. Windows Server 2003 (and R2) will cease to be supported by Microsoft on July 14, 2015. Yep, that is less than one year away.

Paul Mah at FierceCIO explains that Windows Server 2003 will enter its end-of-support phase on July 14, 2015, and will no longer receive security patches and bug fixes. He points out that companies that continue to run Windows Server 2003 after July 14, 2015, will start to fail standard compliance audits. Regulations such as HIPAA, PCI, and SOX require regulated industries to run on supported platforms. Michael Cobb at SearchSecurity reminds us that most compliance and regulatory standards treat running end-of-life software as a control failure.

FierceCIO estimates that custom support agreements for Windows Server 2003 will have a hefty price tag of $200,000 per year. The article quotes Brad Anderson, Microsoft corporate vice president of Windows Server and System Center, “If new issues do happen to be found, the only way to receive additional updates will be through a custom support agreement.”

Compliance considerations aside, Windows Server 2003 will have been in operation for 12 years at that point. The article says companies that continue to use an unsupported platform could find support for some server applications suspended, including all Microsoft applications.

Microsoft is expecting a large number of existing deployments to be migrated to its latest Windows Server 2012 platform. This mandatory migration could help MSFT with its market share against its virtual nemesis VMware (VMW). Mr. Anderson says a lot of Server 2003 machines need to be upgraded:

The fact of the matter is that there is a significant amount of Windows Server 2003 to upgrade around the world. We estimate that there are more than 15 million physical servers that are likely to be upgraded over the next 12 months.

Migrating millions of servers to Windows Server 2012 gives Microsoft's virtualization technology, Hyper-V, a big boost, noted eWeek. This is because Windows Server 2003 doesn't have any virtualization technology baked in, unlike Server 2012, which comes with Hyper-V and supports up to 1,024 active virtual machines (VMs) and up to 1TB of memory per VM.

The clock is ticking, though, for companies looking to make the switch. The FierceCIO article reports that the average Windows Server migration takes 200 days. This means organizations need to get started very soon or risk running out of time.

Over at SearchSecurity, Michael Cobb, CISSP, offers a starting point for migrating from Windows Server 2003.

Start now – Mr. Cobb warns that phasing out Windows Server 2003 will be a complicated process; there are choices that must be made that will affect infrastructure strategies for the foreseeable future.

Hosted Services – Organizations using hosted services will have no choice but to update their legacy software. Mr. Cobb says providers will ultimately force customers to upgrade from Windows Server 2003 so that they can continue to provide the support and security promised in their service-level agreements.

Enterprises have a couple of upgrade options when it comes to retiring Windows Server 2003 according to Mr. Cobb.

  • Changing from Windows to a Unix-based OS won’t really be an option for many enterprises, as their key applications will only run on a Windows machine. Because application compatibility and a lack of in-house skills are likely the overriding issues, Unix is not an option for most companies.


  • Going to Windows Server 2012 – While it is the latest Microsoft server OS, it can't run 16-bit Windows-based applications, and 32-bit applications must be run in an emulator, making this option also unattractive because of compatibility issues, according to the author of www.hairyitdog.com.
  • Windows Server 2003 x64 Edition – Enterprises already running 64-bit applications should consider upgrading their hardware and moving straight to Windows Server 2012.
  • Windows Server 2008 – Since Windows Server 2003 servers are likely to be running on old hardware, this upgrade route, while cheaper short-term, will probably just delay legacy hardware and software issues to a later date, as both will need replacing prior to 2020, when Windows Server 2008 reaches the end of its extended support period.

SearchSecurity offers these starting points:

  • Start rewriting old applications now so the inevitable problems and errors can be sorted out. It is also a great opportunity to not only improve security and stability but also add much-needed new features to enterprise systems.
  • Contact vendors now about 64-bit versions of key application software. If vendors have no plans to offer application upgrades, it's time to start searching for replacements. Legacy software is always an attractive target for hackers, particularly if it is no longer supported by the original vendor.

Rewriting applications and upgrading licenses and hardware is complex, time-consuming, and costly, but vulnerable systems and data could ultimately be even more expensive. CISSP Cobb warns that doing nothing is not an option. Enterprises must start planning their migration strategies now to avoid making hasty decisions once the reality of unsupported software has already disrupted operations.

rb-

Will the last-minute scramble to migrate from Windows XP repeat itself all over again? To quote the immortal Yogi Berra, will it be déjà vu all over again?

The rule of thumb for successful migrations is to plan ahead, be thorough, and don't wait until the last minute if it can be avoided. Despite this, a survey by AppZero found that:

  • 57% of Microsoft customers are still running WS 2003
  • 94% of those running WS 2003 intend to migrate, but only 24% are ready to do so
  • 40% are not sure of their upgrade path