OST Kitchen

We all received the apologetic email when Zappos.com customer’s credit card information was hacked. (All of a sudden those boots you got for 50% off could have ended up costing a lot more than expected!) And again, another apology note when 6.5 million LinkedIn users’ encrypted passwords were leaked on a Russian hacker forum in June. The stories of corporations who’s IT security was compromised are unfortunately a dime a dozen. But by working with trusted companies such as OST who focus specifically on security is one simple step towards protecting your organization from a catastrophic breach. We have put together a basic list below of the top 10 security mistakes that a company can make. These common mistakes seem like a small slap on the wrist to some, but for those of us in the technology industry, the smallest insecurities can lead to the largest problems.

The 10 mistakes we chose were rated by analyzing the highest volume of protected data access, ability to cause the greatest “harm” to the organization, ease of which the mistake can be taken advantage of, ability to use that mistake to breach the entire organization, and the consistency of the mistake. With this in mind, let’s take a look at this list, shall we?

1. Reliance on Vendor or Installer to keep you secure. Just because they set up a network for you, doesn’t mean they locked the door on the way out. Certain IT firms may not feel it practical or necessary to consider security when setting up a network. I have seen many organizations who once thought their networks were built tough from the get-go because they hired the “best” IT Company to set it up. This false sense of security can most assuredly lead to a breach, and affects the industries of Healthcare, Financial and Retail.
2. Weak or Trivial Passwords. I hate to be the billionth person to say this, but “drowssap” or its less secure friend, “password” have never cut it, and will never cut it as secure passwords. I won’t spend much time going into other insecure passwords, you can see a great guide here, but the fact that trivial passwords are still being used is almost comical – until all of your company information is stolen. Half of the organizations I have worked with have had at least one account that is left blank or “password”, and this issue most affects healthcare organizations and small businesses.
3. Consistent Passwords. Your fine-tuned 8 character, lowercase, Twitter password would take just a few days computing time to be cracked by a brute force attack.  So what? It’s Twitter. But what if you used that same password for your corporate mail server? How long would it take to crack that? About 2 seconds. If you used the same password for your social media, email, webmail, phone and everything else, those passwords have already been broken and can be used to gain access to the entire company’s network.
4. Missing Security Updates/ Patches. Hackers are always looking to stay ahead of the curve. Whenever they invent some new way of breaking into a computer, the security programs will find a way to defend against it, and send out an update to their users. These updates must be installed immediately and correctly to ensure your network is up to date on all the latest exploits.  What’s more: these threats are universal they affect all operating systems, in all industries at all different threat levels.
5. Scanned documents on “Multi-function devices”  Those balance sheets you scanned on your Multi-function device (That printer in the copy room) are still sitting in that machines’ memory, and hackers know it. Finding and instantly deleting files that contain protected data is one way to avoid these leasing concerns, or keeping the files to send to other machines. This exploit also affects all organizations, and has a special taste for financial documents.
6. Not changing default login credentials.  All new wireless devices come with an admin username “Admin” and an admin password “Password”. These credentials are publicly known, (See what we mean?) and if a hacker can get into your network, he or she can change these credentials to lock you out, and your data in. Ensuring your IT department has changed the default logins on all of your wireless devices is one more hurdle for hackers to jump to gain access to your data.
7. Open Network Shares. This mistake is usually user based. Employees sometimes take computers home, and want to share media with other computers or devices. This is fine if there weren’t also financial and protected information. This exploit not only provides access to data, but an easy way for them to distribute viruses and malware to the entire network.
8. Not planning for lost, stolen, discarded or sold computers. These computers all have access to your organizations network, and sometimes these computers are lost, stolen, discarded or sold. Work out a plan to recover data or prohibit that machine from re-accessing the network before they are lost, to ensure maximum security. These simple means are rarely addressed, and for the greatest threat to loss of “consumer information”.All industries are affected by this.
9. Improperly configured Wi-Fi or improper use of Wi-Fi. What was secure a year ago has a greater risk today, because of the pace at which these methods advance. Open Wi-Fi, or unsecured Wi-Fi, can be a large threat to an organization, and can offer a “hidden” way to gain access to the organization. New techniques outline ways for hackers to piggyback their internet activities through your network, so you get blamed for their seedy downloads and web history.
10. Antivirus not installed or out-of-date. This issue is likely the most costly of them all. A computer without antivirus is like rolling out the red carpet for hackers, just pleading them to come on in. All industries are affected by this, and a simple install of antivirus or updates can clear this problem.

If you find yourself with questions around your organization’s security, don’t hesitate to call us. Click here for more information.

Listen to this information on WGVU’s “Tech Talk”  with Shelley Irwin, broadcast Thursday, October 11.

—–

W. Scott Montgomery

W. Scott Montgomery joined OST in the spring of 2009 as the Manager of the OST Security Practice. Scott comes to OST with over 30 years of IT and IT Security related experience.  Scott has personally performed more than 700 Security Assessments for several hundred organizations. Using a proprietary and unique assessment approach, developed by Scott and used since 1998, the OST Security Team has the ability to gather, analyze and assess the security of any organization. The Montgomery Method ™ guarantees comprehensive security results for even the most complex of computing environm

VMworld is a global conference for virtualization and cloud computing, hosted by VMware. There are two conferences every year: one in North America and another in Europe, and Since I’m based in Michigan it just makes more sense to attend, and talk about, the North American conference. If you are looking for VMworld announcements, you can find those announcements scattered throughout the blogosphere via a simple Google Search. Instead I want to give you a view of the conference from my point of view as a consultant, and why you, as an IT Consultant, should go next year.

The slogan for VMworld 2012. Photo courtesy VMworld2012.

The conference took place in San Francisco, California. Over 20,000 attendees were on site,  with an additional 10,000 virtual attendees watching the keynote sessions via the internet. Most of the conference activities began on Sunday, August 26^th, and concluded on Thursday, August 30^th.

I arrived on Sunday to take advantage of the registration time period and to pick up my VMworld Materials (Laptop Bag, T-shirt, Notepad). Immediately following, the Solutions Exchange opened for a reception of small snacks and chilled beverages. Sunday was a great time to get in there and pick up as much free swag as you can before the vendors run out. One almost irksome thing was wearing a badge with an RFID tag that the vendors must scan before you leave their booths with swag, which means they have your contact information, which will undoubtedly lead to a year of sales calls. The swag, while cool, is not the point of the Solutions Exchange.

The Solutions Exchange provided a place to see the new technologies and solutions that will make our jobs easier in the future.  Solution vendors did a great job of selling their products, including plenty of information and having more than one reason why their product is the best.  As a Data Center Solutions Consultant, I need to know what these solutions are, what they do, and more importantly: I need to separate the marketing from the reality of the solution and what it can mean for our customers in the future.  The Solutions Exchange offered me the ability to check out these products first-hand and as an IT Professional – this was key.

The final keynote on Thursday was the best. Three guest speakers were in the room speaking on various technologies around us: Kevin Slavin spoke about how various algorithms are used around the world, Dr. Dennis Hong spoke about his work creating humanoid robots and even brought some out for a live demonstration, and Chris Ormson from the Google self-driving car spoke about the project and even brought a car in to demonstrate. In between the keynote speeches there were plenty of activities to keep us busy, Breakout Sessions (seminar-style get together where you learn about a specific technology or project), lunches, labs, and after-hour sessions. Since I mainly consult in the virtual desktop infrastructure space (or “End User Computing” as VMware likes to call it) all of the Breakout Sessions that I attended revolved around this specific technology space.

The most informative sessions for me where I learned something new came from John Dodge, with his advanced troubleshooting for VMware View seminar, an updated ThinApp seminar where they noted a change in the abstraction layer in order to support 64-bit applications moving forward; and a joint VMware/FusionIO session where they demonstrated and explained a white box with FusionIO configuration that brought the desktop cost down to less than $200/desktop/year. This excited me because finding ways to cut down the costs is a great offer to our customers, and since this stuff is expensive (way more expensive than giving users a standard physical desktop) cutting costs is imperative!!

The final aspect of VMworld that you’ll need to know about is the after-hour activities:  networking,  dinner, group hang-outs, etc. This was where I took my social hat out of the closet, dusted it off, and made some new friends. Networking with vendors and other customers at events like VMworld will help you and your organization in the long term, and not only with those relationships you make while at VMworld. Other customers in your market may have encountered issues and solved the problems before you even thought of it, and these experiences can become your experience through dinner and other activities.

The VMworld party this year was headlined by Bon Jovi. As a younger guy this didn’t excite me nearly as much as the techno mix playing before the concert, but the party was still a blast. This is where you have some fun with all the new friends and contacts that you’ve made throughout the week. Most people fly home the very next day so this is the time to make things happen.

So what did I take away from my week at VMworld?

• VDI is shifting from traditional server/SAN infrastructure and will be more appliance-based and commoditized:  this will bring down the per desktop cost to more acceptable levels allowing for further market penetration for VDI.
• VMware is making leaps and bounds towards creating a 100% virtual datacenter (software defined datacenter): this will include 100% virtualized networking (through the Nicira acquisition) and also virtual SAN.
• ThinApp, the application packaging software that VMware uses, will support 64-bit applications moving forward.
• The Drivers of Change for End User Computing: End user should be able to work Whenever, Wherever, and However best fits that user – IT must respond and support this.
• VMware will sometimes listen to customers and partners: they changed the vSphere licensing model in response to the community outrage.
• Expect better documentation that doesn’t just describe the products and capabilities, but also tells you how to use the software moving forward.
• This is the most important for me: The next major version of VMware View will solve the 2+ Datacenter and Single Namespace issue that has been present since the very beginning. This is a huge win for VMware View in my opinion. I just wish it was available right now!

As a consultant I find these conferences to be the best way to discover new solutions to everyday problems. I’m constantly running into brick walls – the chance to bounce these thoughts off of other like-minded people is both necessary and welcome. Will I see you at VMworld 2013? I sure hope so!

-Richard

Richard Maloley II is an Enterprise Virtualization Consultant for Open Systems Technologies.

This summer, OST challenged companies to THINK BIG – and award the top 4 ideas with $5000 worth of technology services.

The top four winners include:

• Doorganics, a farm-to-front door food delivery service located in Grand Rapids, Michigan.
• FoodCircles, a local start up encouraging those dining out to ‘BOFO’ (buy one, feed one) through their mobile application that has been created in collaboration with local restaurants in West Michigan.
• VN Barr from Humility Publishing LLC, a publishing company in Minneapolis, Minnesota which is interested in digitizing company’s historic documents and data in order to create an accessible web library.
• 911 Family Alert System  from Brad Spurlin. Real-time updates and GPS coordinates of family members who dial 911.

One of the winners, Doorganics, was thrilled about the business growth that they are anticipating from OST’s contribution. After their launch in August of 2011 they have continued to expand and are at a critical stage where optimization of their operations is imperative to support further expansion. Mike Hughes, owner of Doorganics stated,

“We [Doorganics] are a small company at the brink of very fast growth. With support from the expert minds and talent at OST, Doorganics will be positioned to accommodate many new customers in a very streamlined fashion. We are grateful to have companies like OST in the community that support and encourage entrepreneurship and innovation.”

In Grand Rapids, Foodcircles will be receiving some OST love.  ”We want to repurpose the way that people dine out,”  says Foodcircles founder, Jonathan Kumar. FoodCircles reaches for this goal by donating a meal to a child living below the poverty line every time a person dines out using their web-based or mobile app. Called the BOFO (Buy One, Feed One) movement, this one-for-one concept is powered by an array of innovative technology; everything from a highly interactive mobile app for Android and Apple to a unique call-ahead program that creates reservations at restaurants with the touch of a button.

We will also be assisting VN Barr, out of Minneapolis, Minnesota, with business process solutions as he explores ways for companies and universities to digitize their collections of data and turn them into web libraries. “Would you believe the Frank and Lillian Gilbreth collection and the Randy Shilts collection, as well as many other donations that are sitting around unable to be used because no one has the time to digitalize and index them?” asks Barr while explaining the importance of the accessibility of knowledge through technology.

Last but definitely not least, 911 Family Alert system will allow real-time updates and GPS coordinates of family members who dial 911. The application will be coordinated between family devices. If a family member were to dial out to 911, a GPS tag and real-time alert would notify the family. These alerts can shorten the time parents and family members have to respond in emergency situations where the caller will be busy speaking with the Emergency Responder.

We are excited to share their expertise with these four forward thinking organizations. “There are so many potential opportunities for companies to leverage technology which can dramatically improve business,” said Dan Behm  “and here at OST, we want to continue encouraging companies to be creative, think bigger, and explore what possibilities exist within their business.”