Monday, March 8, 2010

Cell Phone Security

For most of us, a cell phone is a way of life.  I know I freak out a little when I leave the house without my phone.  It has all my phone numbers in it, my calendar, my e-mail… I’d be fairly lost without it (as, I am guessing, most of you would be).  And yet, I know a LOT of people who don’t have a security lock on their phone.  You may “lock” your phone to keep from accidentally pocket-dialing someone, but unless you have a PIN that you have to enter (much like the password on your computer), then you may be risking a lot more than someone simply taking a peek at your phone logs.

When I first started at Mavidea, I tried to explain to the powers-that-be that locking your cell phone with a pin is important.  If that phone fell into the wrong hands, it could mean that confidential e-mail could fall into the wrong hands…  But now, it means something far worse.  If you don’t worry about your phone falling into the wrong hands, you should.  As this video from Good Morning America shows, having your phone fall into the wrong hands for just a few minutes can be infinitely worse than losing it!

 

So, if you’re not locking your phone with a PIN (and something better than 1234), then you should be.  If you’re concerned about this threat, but need some help figuring out how to set up these basic security measures, contact your cell phone provider – they can walk you through the process.

If you have company phones and see the danger here, contact us.  We can help you stay safe and secure!

Friday, March 5, 2010

Gone Phishing…

One of the things we warn our clients about is “social engineering.”  With the array of anti-virus, anti-spam, and anti-malware programs on the market, the bad guys have been forced to get sneakier.  Social engineering is all about getting you, the user, to perform some action which provides the bad guys with what they want – your private information, credit card numbers, etc.  Some programs that you use every day do their best to protect you from social engineering.  Many anti-virus vendors, for instance, now have some sort of application built in to prevent you from going to sites which are known to be malicious.  Even Internet Explorer has built-in protection against suspicious websites and “phishing” sites.  The problem is, these sites are very easy to set up and most of the software designed to protect you works from a list.  Sites you visit are compared against a list of “known dangerous” sites.  But, until the site is discovered and confirmed dangerous, it doesn’t appear in the list.  This means you can become a victim.  The only way to protect yourself is to be on guard at all times for suspicious activity.  The Internet is like a city – there are good neighborhoods and bad and it’s important not to walk down any dark alleys by yourself!

The term phishing refers to bad guys literally fishing for your information.  They throw their bait into the water and wait for a nibble.  In most cases, the bait is an e-mail designed to look like an e-mail coming from a legitimate institution, such as your bank or Paypal.com.  They may try to phish for a username/password combination by sending you to a site that looks like it’s the real website affiliated with your institution, when in reality, it is a fake site designed to do nothing more than “harvest” your information.  They may even cast their net wider, phishing for your social security number, bank account, etc.

How do they do this?  Let’s see an example:

Please click here to be re-directed to Paypal.com.

The link above says it should take you to Paypal.com.  But, in fact, I have set it to re-direct you to our company’s main website.  If I were malicious and trying to get information from you, I could direct you to a page that looks like the main Paypal page, where you would be able to type in your username and password.  If I set that page up and controlled it, when you typed in your username and password, I would have that information before you even knew anything was wrong.

It can be hard to tell when an e-mail is legitimate and when it is fake, which is why the best course of action is to always go to the site directly, rather than using links in an e-mail.  If, for instance, you get an e-mail saying there is something wrong with your Paypal account, log in to Paypal directly.  That way, you know that you are visiting the real Paypal.

 

Want to see how tricky it can be?  I found this test today, which is the whole reason for this blog post.  This test is from SonicWall, a leader in Internet protection (and a company that we have partnered with to provide security services to our clients).  And yes, the link is safe to click on.  It runs you through ten sample e-mails and lets you choose whether they are legitimate or a phishing attack.  I scored a 9/10.  Even experts make mistakes sometimes!  As you can see, some of the e-mails in this quiz do look legitimate.  See how well you do.  And, when you are done, click the “Why?” links on any that you missed to see the explanations and cues to look for to protect yourself.  Because, whether you realize it or not, you’re taking this quiz every time you open an e-mail.  In most cases, the stakes are much higher than whether or not you can beat my score!

Hint:  Hold your mouse over one of the links in this blog post.  When you do, look at the bottom of the screen.  You should be able to see the address to which the link points.  (This varies from browser to browser, but if you don’t see it, you may need to turn on a status toolbar so that you can.  This is your best secondary defense.  The primary defense, again, is to go to sites directly.)  This will come in handy during the quiz, as they show you the address the link is pointing to at the bottom of the screen.  Good luck!
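The trick in the “Paypal.com” link above (visible text naming one site while the address underneath points somewhere else) is exactly what the status-bar check in the hint catches, and a mail client or gateway can run the same comparison automatically.  What follows is an added example, not code from the original post: it runs under plain Node.js, and the e-mail body, the example.org host and the 203.0.113.9 address are constructed for the demonstration.

```javascript
// Added example, not part of the original post.  Flags anchors in an HTML
// e-mail whose visible text names one site while the href points at another,
// the trick the "re-directed to Paypal.com" link in the post relies on.
// Plain Node.js, no dependencies; the e-mail body below is constructed.

const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
// A hostname-looking token in the link's visible text, e.g. "Paypal.com".
const HOST_IN_TEXT_RE = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/i;
const BARE_IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// Registrable domain, assumed here to be the last two labels.  That is enough
// for paypal.com or example.org; suffixes such as co.uk would need a
// public-suffix list.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

function stripTags(html) {
  return html.replace(/<[^>]+>/g, '').replace(/\s+/g, ' ').trim();
}

// Returns one finding per anchor.  `claimedHost` is the site the text names,
// `targetHost` is where the link really goes (what the status bar would show).
function auditLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1].trim();
    const text = stripTags(m[2]);

    let targetHost = null;
    try {
      const url = new URL(href);
      if (url.protocol === 'http:' || url.protocol === 'https:') targetHost = url.hostname;
    } catch (e) {
      // relative or malformed href: nothing to compare against
    }

    const claimed = text.match(HOST_IN_TEXT_RE);
    const claimedHost = claimed ? claimed[1].toLowerCase() : null;

    let deceptive = false;
    let reason = 'ok';
    if (targetHost === null) {
      reason = 'href is not an absolute http(s) URL';
    } else if (claimedHost && baseDomain(claimedHost) !== baseDomain(targetHost)) {
      deceptive = true;
      reason = `text names ${claimedHost} but link goes to ${targetHost}`;
    } else if (BARE_IPV4_RE.test(targetHost)) {
      deceptive = true;
      reason = 'link goes to a bare IP address';
    }
    findings.push({ text, href, targetHost, claimedHost, deceptive, reason });
  }
  return findings;
}

function countDeceptive(html) {
  return auditLinks(html).filter((f) => f.deceptive).length;
}

// Constructed sample: one disguised link as in the post, one honest link,
// and one "click here" link to a bare IP (203.0.113.9 is a documentation range).
const SAMPLE_EMAIL = `
<p>Dear customer, your account needs attention.</p>
<p>Please click <a href="http://accounts.example.org/login">here to be re-directed to Paypal.com</a>.</p>
<p>Or log in at <a href="https://www.paypal.com/">https://www.paypal.com/</a>.</p>
<p><a href='http://203.0.113.9/verify'>Verify now</a></p>
`;

for (const f of auditLinks(SAMPLE_EMAIL)) {
  const tag = f.deceptive ? 'SUSPICIOUS' : 'ok';
  console.log(`${tag}: "${f.text}" -> ${f.href} (${f.reason})`);
}
```

The same comparison is what a user does by hand when hovering; running it over every anchor in an incoming message turns the hint into a rule that does not depend on the reader remembering to look.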

Tuesday, September 29, 2009

Getting Organized…

One of the problems we have in our office (and most business owners have) is that we all wear many different hats.  While officially, I am the Business IT Adviser for Mavidea, I also help out occasionally with some copywriting.  At times, I get called on to answer some Microsoft-related questions.  I’m also the closest thing we have (so far) to a regular blogger (though I realize you may not believe it based on how long it has been since I updated my blog).  The end result is that I get a lot of e-mail on a variety of topics.  (Sound familiar?)  These e-mails are frequently something like:

“Call Company X.  Heard they landed a big new deal and may need help with their technology.”

If I’m in the middle of something else, I may not have time to drop what I am doing and call them right this second.  But I obviously don’t want to lose track of this.  We have a line-of-business database that helps manage items like this, but when things come in randomly via e-mail, it’s not always as helpful as it could be.  Enter Outlook 2007.

I realize that Office 2010 is on its way to store shelves in a few short months, but that doesn’t stop this advice from being effective and pertinent.  (I’m guessing the things I discuss here will still be present in Office 2010.)

Let’s start with a scenario.  One of my co-workers who shall remain nameless uses the time-honored system of “an open e-mail is something to deal with.”  Familiar with this system?  Chances are, someone in your organization uses it.  At any one point in time, they have dozens of e-mails open in their taskbar.  This is a system that I used to use… until one day, when I had a plethora of important e-mails open, waiting to be dealt with, my PC froze.  I had to reboot.  When I did, I lost all of those open e-mails.  Sure, they were still in my inbox.  But I had to go through item by item to see what needed to be dealt with.  Since I didn’t have time to deal with them in the first place, I certainly didn’t have time to go back and figure out what needed to be dealt with!

Read vs. Unread

Then, I started to use the read and unread status of the message.  I would turn off “automatically mark a message read,” so anytime I wanted to follow up on something, I would just leave it unread.  Then, I could change the view in Outlook to “only unread messages” and see what still needed to be followed up on.  This was better than the open messages, but did nothing to prioritize or categorize the messages.  (You can change your view using the menu shown below.)

image

Planting a Flag

Flags introduced a new way to follow up on items in Outlook (and they’ve been around a while now).  You can simply click the flag button to “flag an item for follow-up.”  Right-clicking the flag even gives you the menu shown below.

image

You can pick the due date on the item.  You can also add a reminder so that you don’t forget about it.  If you go in and flag something now, you will see that it gets added to your “to-do bar.”  (If you don’t see your to-do bar, ensure it is turned on.  Using the same menu shown above (the “view” menu), click to-do bar and ensure it is set to normal.)  This is a handy way to ensure that you follow up on something by a required date.  Using the “Set Quick Click” option (at the bottom of the menu), you can choose your default settings for every item you click.

Once you’ve set a flag and the item shows up in your to-do bar, you will see that double-clicking the item in your to-do bar actually opens the e-mail.  This means you don’t have to spend time searching for the original e-mail.  It’s right there at your fingertips.

While the flag helps you keep track of what needs to get done and allows you to prioritize items by setting a due date, it still doesn’t help you categorize your items.

ABCategorizing

The categorize feature in Outlook is easily one of the more powerful (and most under-utilized) organizational tools available.  Chances are, you’ve seen the “categorize” button.  Maybe you’ve even clicked on it to see what it does.  Spending a few minutes understanding how this button can help you can save you a LOT of time over the course of a year.  (Wish I had a great statistic to enter here to make this sound more official.  Trust me – try it and see how much easier it makes your life!)  Let’s take a look at the button and its menu.

image

The button itself is the four colored squares, reminiscent of the Windows logo.  You can see the various menu options here.  If you’ve never done anything with this, then your categories will all be named with the color of the icon.  As you can see in the picture above, I’ve renamed my blue, green, and purple categories to leads, login info, and research respectively. 

Think of the categories as a way to file your e-mail.  They allow you to add some extra information to any individual piece of mail without moving it into a different folder.  Before we get too far, let’s take a look at the “All Categories” menu.

image

As you can see from the picture above, there are 25 different colors you can use to identify a category.  You can associate a name with each individual category.  If you’re a keyboard kind of person, you can even assign a shortcut key to the category using the button on the right (shortcut keys will be a combination of ctrl and a function key).  This means you can assign an e-mail to a category simply by clicking your shortcut key while reading the e-mail.

To really understand how categories can help us be organized, let’s look at an example.  Let’s say I get a piece of e-mail from my Chief Technology Officer with the subject, “Are Small Businesses Prepared for Disaster?”  Upon opening it, I find a link along with this text, “Great article on small business backups.  Use this when talking with customers.”  I don’t have time to read it right now, but it is obviously an article I need to read.  I would assign this to my “research” category, which is purple.  I can do this any number of ways, including using a shortcut key (if I have assigned one), clicking the categorize button and selecting “research,” or simply right-clicking the category button on the e-mail as shown below.

image

Like the flag, I also have the option of setting a “Quick Click” default.  You can also use the built-in rules wizard to automatically assign a category based on keywords.  I know, for instance, that our line-of-business database always sends me e-mails formatted the same way for specific activities.  An e-mail to build a quote for a customer always has the following phrases:  “New Activity” and “Create Quote.”  I can set up a rule to automatically categorize all e-mails with these phrases into the “Quote” category.  This allows me to prioritize these mails before I’ve even read them in my inbox!

Where Oh Where has my E-mail Gone?

This categorization of e-mail is enough to significantly improve my organization, but we’re not done.  The most impressive aspect of categorization is when you combine it with a feature in Outlook called Search Folders.  As you can see in the picture above, you have the option to create a Category Search Folder.  This allows you to create a folder which will display mail that fits a set of rules without actually moving the mail!

For instance, I categorized the mail from our CTO earlier as research.  If I go into the “Create Category Search Folder” menu shown above, it brings up the menu shown here.

image

I can set the category I want to filter on and the mailbox I want to use.  Then, I click OK and I have created a search folder.  This folder will show me all of the mail matching my criteria (in this case, all mail categorized as research) without moving it!  I simply need to click on the “Research folder” listed under Search Folders in Outlook.

image

You can see from the picture above that it automatically updates that folder with the number of unread messages, just as any other folder does.  I also have the option of moving that search folder up to my “Favorite Folders” to make it even easier to use.

And the Search Folder doesn’t stop with categories.  You can use a Search Folder to find and filter e-mail on a number of different criteria.  This is one of the single most powerful tools in Outlook!  It keeps you from having to build a complicated folder system for filtering out mail.  You can leave it all in one folder and use Search Folders to separate it.

I’m sure you’ve already stopped reading by this point and are in Outlook setting up your own organizational structure, taking advantage of all the things you’ve just learned.  In a future post, I’ll go through some more tips and tricks to help you get the most out of Outlook 2007.  Being more organized in Outlook means getting more time to do the things you want to do!!!

Wednesday, April 22, 2009

All Work and No Play Makes Jack a Dull Boy

We all know that it is imperative to have some fun at work.  Water cooler conversations, impromptu basketball games (that’s our office fun), reading web comics, surfing eBay, and so on are all ways that different people take little breaks at work.  When it’s under control, it can lead to increased productivity.  But when is enough too much?  Have any fantasy footballers in your organization?  How much time do they spend online, researching for their league as opposed to working?  You might be unpleasantly surprised.  According to one study:

Fantasy football will cost U.S. employers $9.2 billion in lost work time this season, a private research group said.
Business researchers Challenger, Gray & Christmas said Monday the 17-week National Football League schedule will subtract 1.19 hours of productivity per week from about 17 million Americans who participate.

1.19 hours of lost productivity per employee is probably not a statistic to get too concerned about.  If that’s the only thing they waste time on, then chances are, it is a much needed break from work.  But what happens if it is more than 1.19 hours?  And what if it is something less harmless than fantasy football?

Content Filtering

In this scenario, the term “content filtering” refers to locking down websites that people within your network can access.  It’s always a good idea to block sites which promote things unacceptable in the workplace, such as gambling, nudity, and violence.  In addition to lost productivity, employees viewing these types of sites can lead to legal hassles that you would probably rather not deal with.  Some organizations have a “we trust our employees” mentality.  I am certainly not suggesting that there is anything wrong with that.  One question I would pose to those organizations – is there any security around your confidential files?  Why?  If you trust your employees….

Good or bad, there’s a lot to worry about in any business environment.  Leveraging the power of content filtering can help you prevent inappropriate websites from becoming a problem.  It can also help keep otherwise acceptable websites from becoming a problem, too!

What’s Coming Soon?

Today’s post was a short one.  (I know at least some of you are thankful, right?)  I’m going to meet a colleague to discuss some SharePoint topics.  Woo-hoo!  Yes, I do still get excited talking about SharePoint.  I’m building out a new SharePoint deck, focusing on business value, for an upcoming SharePoint seminar I am delivering on May 19th at the Microsoft office here in Bloomington.  (It’s for Mavidea, not Microsoft.)  As I am working on this, plan to see some information about how SharePoint can help you in your organization!

 

Monday, April 20, 2009

Yesterday…

Ever notice that a lot of my blog post titles are song titles, lyrics, movie quotes, etc.?  I’m not sure why, as it gives you no idea of what the topic of the post is really about, but I enjoy doing it.  Let’s face it:  I can be weird.  :)

Last week, when we left our heroes, we were in the middle of a disaster.  The thrilling conclusion to that adventure, where we find out if the heroes survived and caught the bad guys did not air as expected.  By now, I should know better than to state a specific day or time in my posts – it never works out for me.  Instead, I should just say, “In my next post….”  Ah well.  I won’t change, so don’t expect me to. 

Business Continuity

Disaster recovery is, as I mentioned, a larger concern than simply, “Is my data protected?”  A real business continuity plan needs to cover, “How would my business recover from a severe data loss?”  A couple different scenarios leap to mind, so I would like to discuss each.

Server meltdown

For whatever reason, your server is lost.  This could happen for any number of reasons, but for the sake of this discussion, let’s assume it is ONLY the server which has crashed, and the rest of your location is fine.  In this case, your business may (or may not) be interrupted while waiting for the server to come back online.  Your business continuity plan hopefully outlines this scenario with an expected Recovery Time Objective (RTO), which is nothing more than an estimated time to be back up and running.  If you have an extra server in-house, this can be a quick turnaround.  Simply restoring your data onto the extra server means you are back up and running in the time it takes for that restore to happen.  If you, like most people, aren’t sitting on an extra server, then this is the first consideration – what hardware will my data get restored to?  How will I get that server back up and running?  The obvious answer to this question is to order a new piece of hardware and restore the data to it.  But what does the RTO look like on this plan?  It will be however long it takes to get a replacement server, get it delivered, and get the data restored to it.  Chances are, this is a longer RTO than you really want.

Our Serenity package includes an on-site device which will act as a virtual server (using your backed-up data) in the event that your server goes down.  This means that while you are waiting for your replacement server hardware to be delivered, you are still up and running, leveraging the on-site Serenity device.  In this case, your RTO is minimal, since the device is already in place and ready to go in the event of a server meltdown.

Site lost

Let’s look at a more comprehensive disaster scenario.  Be it flood, tornado, hurricane, fire, lightning, etc., your site is lost.  Your server is destroyed, but so are your workstations, office space, etc.  In this scenario, we would assume that your on-site Serenity device would also be destroyed, meaning it could not act as a virtual server.  Thus, your business is, at this point, completely offline.  What solution does your current business continuity plan provide for such a scenario?  Hopefully, you are taking backed-up data off-site on a regular basis, whether it is a physical movement of data or an automatic cloud (Internet) backup.  In either scenario, you will still need somewhere to restore that data to (meaning you will need server hardware again).  In this scenario, your workstations were also lost, meaning you will need to replace them as well.  But this situation is trickier, as your physical space may be a loss as well.  Where will you be conducting business while waiting for your office space to be restored?  Once again, our Serenity business continuity package has the answer!  The product does regular cloud-based (Internet) backup, which means all of your data is being stored off-site in secure datacenters.  If your site is lost, we can virtualize your server and 5 workstations (or more) in the cloud.  In layman’s terms, this means that you could run to your local PC retailer and grab PCs right off the shelf.  You could then take these anywhere with an Internet connection (your home, a coffee shop, etc.) and use the Internet to remotely log in to your virtualized workstations, which would have access to all of your data and applications courtesy of the virtualized server.  I realize this may seem complicated, but it really isn’t.  Let me break it down a bit further.

When we set up the Serenity package, we determine which machines will be virtualized in a disaster.  This includes servers and the workstations of the important people in the organization.  (In this case, important refers to “mission critical.”  I, for instance, would not be considered as mission critical as our technicians, who need their PCs and associated tools, databases, etc. in order to keep our clients up and running.  Likewise, our CEO, Erik, would not be considered as important as our Service Manager, Jamie.)  This plan is put into place and we store all of this information in the event of disaster.  If it happens, we go into action, utilizing the plan we already have in place to create a virtual network on the Internet.  This virtual network is secure, and features your own workstations and servers, which you will log into via any Internet connection.  It’s important to realize how this will work.  You will use whatever PCs you have (or purchase) and log in through a secure connection to your virtualized workstations, which will look and feel just as they did when you were sitting at them in your office.  That means that you don’t have to bother with re-setting up your new workstations during this critical time.  All you need is a web browser.  Picking up off-the-shelf units from a store like Best Buy or Fry’s will allow you to reconnect to your data and have your business back up and running.  The bottom line is that this is a fast, secure, and most of all, complete business continuity plan.

RTO

Earlier, I mentioned RTO, or Recovery Time Objective.  Ideally, you want to know the RTO of any business continuity solution you put in place, since this is what determines how long after declaring a disaster you will be back up and running.  (Downtime is lost profit, but it can mean a lot more than that.  Depending on your business, it could mean that you are not able to help your customers/clients/patients with the services they really need at that time.)  The RTO on the Serenity package is 48 hours, meaning that, from the time the disaster strikes, your network is virtualized and available in the cloud within 48 hours at most.  If you are in a business where 48 hours is too long, you can reduce the RTO even further.  This requires some special testing (which comes at an additional cost), but is absolutely available.  Not a risk taker?  Like to know that your solution is working?  One of the features of this product is that we can work together to actually perform a simulated disaster in order to test/demonstrate the virtualization processes.  Once it is demonstrated that everything is working as expected (and will in the event of a disaster), then even the most paranoid of business people can rest easy knowing their business continuity plan, as it relates to IT, is sound.

What Do I Need to Do?

Take a look at your current disaster recovery/business continuity plan.  If you have one in place, think of the things I’ve mentioned above and ensure you’re covered.  If so, great!  If not, or if you don’t have a plan in place, why not drop me an e-mail and I will be happy to assist you in figuring out what sort of plan you could put in place.

Thursday, April 16, 2009

The Exits are Here and Here…

When you sit down on a plane, meet and greet your seatmates, adjust your seatbelt, and get ready for takeoff, what happens?  The flight attendant tells you what to do in the event of a disaster.  The plan is thorough, covers the bases, and is fairly easy to understand (it’s even got pictures).  What if a disaster happened to your business?  Do you have a plan in place to deal with that eventuality?  I realize it isn’t fun to think about.  Planning for something which may never happen could seem like a waste of your time.  But, when it hits the fan, what are you going to do?

Back It Up (You’ve Got to Move It, Move It)

It used to be that IT folks (read: geeks) would suggest you back up your data.  It didn’t take long to realize that simply having a backup isn’t enough.  That backup needs to be somewhere other than your current location.  If, for instance, your building burns down or floods, how useful is that backed up data going to be if it was in the same room as the server?  Thus, backing up data and moving it to a remote location became the norm.  Larger companies have an easier time with this, as they can mirror that data at a different branch, datacenter, etc.  But what if you only have one location?  Unfortunately, it usually means a manual process.  Back up the data to some sort of external device (preferably a hard drive – don’t get me started talking about the failure rate of tapes), then move that external device to a different location (like your home) on a regular basis.  Sound familiar?  Hopefully, this is something you are doing now.  I certainly don’t want to be a fear-monger, but if you’re not doing this now, stop and think what would happen if your data was lost – how long would your business survive?  Could you continue to function without that data?  In most cases, the answer is, “no.”

Assuming that you are protecting yourself to at least this degree, ask yourself the next question -- “how is this process happening?”  Is it something that you’ve entrusted to an employee?  Maybe this is something you do yourself.  Whatever the case, when was the last time you checked on the process to ensure it is actually happening the way you think?  And, as long as we’re talking about it, when was the last time you tested one of your backups?  Are you certain that you are backing up what you think you are backing up?  Are the backups functional and capable of restoring your business to the point it was before the disaster?

This is a Disaster!

I know when I talk about “disasters” and “catastrophes,” people often think about natural disasters like floods, hurricanes, tornadoes, fires, etc.  These disasters could also be less destructive on a regional level (one of our clients recently had their building hit by lightning, destroying their IT infrastructure).  But what people don’t often think about is the disasters lurking right within their office – an employee who unintentionally (or even intentionally) destroys data.  All of these have the same end result – lost data.  Clearly, backing up data is a priority, but it is not a disaster recovery plan – it’s only one piece of a complex puzzle.

What Now?

The scenario:  Your data is secure.  It’s backed up.  You’ve tested the backups and have multiple copies at off-site locations.  (These steps already put you well ahead of most of the businesses I talk to on a daily basis!)  Out of nowhere, disaster strikes.  Your server is lost (for whatever reason).  This isn’t a big deal to you at all, since you know your data is safe.  What’s step one in your disaster recovery plan?  Restore your data?  To what?  Your server was destroyed, so unless you have another one sitting around, your disaster recovery plan has a flaw in it.  It’s certainly not an insurmountable flaw – you can order another server, get your data restored to it, and be back up and running.  But what did that downtime cost you?

Think about your own disaster recovery plan and where its weak points might be.  I’ll be back tomorrow to offer some solutions to the common problems with disaster recovery plans that we see every day. 

 

Wednesday, April 15, 2009

Math is Fun!

I realize I don’t work for Microsoft anymore, but this was too neat to pass up sharing it.  (I would imagine you can expect future Microsoft posts, too.  Old habits and so on…)

One of my FaceBook friends just posted this as her status:

Can you solve this?  .30=(x-34.58)/x

I started to work it out (figuring she had a need for the answer), when I had a thought.  I pasted the equation into my Live search box and voilà – the answer appeared instantly!

.30=( x-34.58)/ x : x=49.4

I don’t know how often you need to solve for X in your daily lives, but it is nice to know Microsoft is there to help (or at least check your work if you insist on doing things the long way).

 
