Intro
Ask any company whether they do "risk management" and they will say yes, and if they say no, they don't realize that they do. What surprises me is how many of them fudge the lines on what risk management actually is. I would like to take the idea of risk management and expound on its different types. Why? Because every side of the company, the C level, the security people and the IT people, has its own idea of what risk management is. What I don't get is that each of them believes their way is the only way to look at risk, and that all risk can be viewed through their model.
Risk Register
A risk register is where you house your risks. The house must have several doors through which data enters, or it won't be used and won't make sense. Let me explain this by going through the main ideas behind risk management.
Business Risk Management:
Business risk management, at the far end, deals with buying other companies, venturing into different markets, taking on certain customers, and so on. What also falls under it is finding out what threats lie ahead. I leave it as vague as "threats" for a reason. When a C level is asked about threats, he could go off on competitors, but he could just as well go off on attackers. The C level sees both in the same category. What the C level doesn't see is that there are different ways to remediate each risk. Now let's take a step back. I am sure C level employees see that we have to deal with these risks differently; I am not trying to say they can't figure out the difference. I am saying that if we don't collect the correct data on the competitor, we lose. The same goes for an attacker: their data is different and must be collected through different doors into our house, the risk register, or we lose.
Security Risk Management:
Security risk management is finding vulnerabilities to our data, our people, our assets, etc.: what is threatening the business from growing and succeeding. You can see where business and security risk management get a little fuzzy for someone at the far end of either side. A tech sees risk as "exploits against the operating system" while the C level sees risk as "competitors moving in for the kill". Each one threatens the business from growing and succeeding, and the difference between the two is subtle. But don't you see it? One deals with security while the other deals with business. Once you find that difference you will see that they require separate doors into the risk register, because each has different "things" to go through to determine the risk. I am not going to ask the question "what assets are affected by this exploit" to a
Now I have to take a step back and explain. There is only one risk register. I am a firm believer in ITIL and one destination for all. What I am saying is that the way you input a risk into the register must be different. You are not going to fill out a form for business risk that works for security risk as well; these forms must be different. I feel like I could lose someone on this again, so remember that a threat to the business doesn't necessarily mean a threat to security. Different data has to be collected to find out what the risk really is and then remediate it.
One Register, different data?
With different data being entered into one risk register you could think the data gets skewed and you can't get a good view of the overall risks to the company. That is where you have to realize that the register can be built as a relational database, a storehouse for your risks. Risks of business and risks of security can be related and tied together through the same scorecard. You can make a tree structure so that risks fall under certain areas and mean certain things to the company. Each company is different and can define these "things" for itself and decide how to correlate it all together. I am not going to try to solve everyone's issues in one blog post.
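To make the "one register, different doors" idea concrete, here is an added example (my own illustration, not code from this blog) of a relational register in SQLite: a single risk table carrying the common scorecard, one detail table per intake form so a business risk and a security risk each bring their own data, and a category tree that lets a recursive query roll everything up to the branches directly under the company root. The 1 to 5 likelihood/impact scale, the category names and the detail columns are assumptions for the demo.

```python
import sqlite3

# Added example of the "one register, different doors" idea; not the blog's code.
# Assumptions: a 1-5 likelihood/impact scorecard, a tree rooted at "Company",
# and the detail columns below.
SCHEMA = """
CREATE TABLE category (
    id        INTEGER PRIMARY KEY,
    parent_id INTEGER REFERENCES category(id),
    name      TEXT NOT NULL
);
-- Every risk, from whichever door, lands here with the same scorecard.
CREATE TABLE risk (
    id          INTEGER PRIMARY KEY,
    category_id INTEGER NOT NULL REFERENCES category(id),
    title       TEXT NOT NULL,
    likelihood  INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 5),
    impact      INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 5),
    owner       TEXT NOT NULL
);
-- Door 1: the data a business risk must bring with it.
CREATE TABLE business_detail (
    risk_id         INTEGER PRIMARY KEY REFERENCES risk(id),
    market          TEXT NOT NULL,
    competitor      TEXT,
    revenue_at_risk REAL NOT NULL
);
-- Door 2: the data a security risk must bring with it.
CREATE TABLE security_detail (
    risk_id       INTEGER PRIMARY KEY REFERENCES risk(id),
    asset         TEXT NOT NULL,
    vulnerability TEXT NOT NULL,
    threat_actor  TEXT
);
"""

# Constructed tree: Company -> Business / Security -> leaf areas.
CATEGORIES = [(1, None, "Company"), (2, 1, "Business"), (3, 1, "Security"),
              (4, 2, "Market entry"), (5, 3, "Payment systems")]

def open_register():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO category VALUES (?, ?, ?)", CATEGORIES)
    return conn

def _add_risk(conn, category_id, title, likelihood, impact, owner):
    cur = conn.execute(
        "INSERT INTO risk (category_id, title, likelihood, impact, owner) "
        "VALUES (?, ?, ?, ?, ?)", (category_id, title, likelihood, impact, owner))
    return cur.lastrowid

def add_business_risk(conn, title, likelihood, impact, owner,
                      market, revenue_at_risk, competitor=None):
    """Business intake form: asks about markets and money, not assets."""
    rid = _add_risk(conn, 4, title, likelihood, impact, owner)
    conn.execute("INSERT INTO business_detail VALUES (?, ?, ?, ?)",
                 (rid, market, competitor, revenue_at_risk))
    return rid

def add_security_risk(conn, title, likelihood, impact, owner,
                      asset, vulnerability, threat_actor=None):
    """Security intake form: asks about assets and weaknesses."""
    rid = _add_risk(conn, 5, title, likelihood, impact, owner)
    conn.execute("INSERT INTO security_detail VALUES (?, ?, ?, ?)",
                 (rid, asset, vulnerability, threat_actor))
    return rid

def rollup(conn):
    """Score = likelihood * impact, rolled up the tree to the branches under
    the root, so business and security sit side by side on one scorecard."""
    rows = conn.execute("""
        WITH RECURSIVE branch(id, root) AS (
            SELECT id, name FROM category WHERE parent_id = 1
            UNION ALL
            SELECT c.id, b.root FROM category c JOIN branch b ON c.parent_id = b.id
        )
        SELECT b.root, COUNT(*), MAX(r.likelihood * r.impact),
               SUM(r.likelihood * r.impact)
        FROM risk r JOIN branch b ON r.category_id = b.id
        GROUP BY b.root ORDER BY b.root""").fetchall()
    return {root: {"count": n, "max": mx, "total": tot} for root, n, mx, tot in rows}

def demo():
    """Populate the register with constructed sample risks and roll them up."""
    conn = open_register()
    add_business_risk(conn, "Competitor undercuts us in region X", 3, 4, "CEO",
                      market="Region X", revenue_at_risk=2.5e6, competitor="Acme Corp")
    add_security_risk(conn, "Unpatched POS terminals", 4, 5, "IT lead",
                      asset="POS fleet", vulnerability="EOL firmware", threat_actor="skimmers")
    add_security_risk(conn, "Backup tapes in unlocked closet", 2, 3, "IT lead",
                      asset="Customer DB backups", vulnerability="No physical control")
    return rollup(conn)
```

Running `demo()` returns one row per branch, so the risk manager sees that the Security branch currently carries the single highest-scoring item while both branches are scored the same way. The NOT NULL columns on each detail table are the "different forms": a business risk cannot be filed without a market and a revenue figure, and a security risk cannot be filed without an asset and a vulnerability.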
Conclusion
Working different data into a single risk register is going to be tough. It will create more discussion, more meetings, and more understanding of each side and of who does what when. What it gives you, however, is a risk manager who can see and remediate a risk on its own side, and who does not have to rely on concepts from the other side that don't even make sense there.
Trev's All about Tech Blog
Friday, September 5, 2014
Friday, July 12, 2013
Retail IT Security
Introduction
In today's world there is a lot of talk about security and big corporate businesses being hacked and losing who knows how much information. It surprises me how many small businesses get hacked but don't get the media publicity, because it is not as severe to the general public. Retail security lacks. That phrase says it all about our current retail environment. It is time to admit that our retail stores are most definitely a weak point for consumers' credit cards to pass through, for many different reasons: the use of old hardware to cut costs, not to mention the use of hardware meant for the home in an office environment. Another issue is that there is normally no staff specifically hired for IT; the store just uses upper management, and those managers cannot juggle their daily duties and keeping the store secure.
Offloading to a 3rd party
What managers need is a way to focus on what they do best: manage. Third parties are great for many IT-related tasks in retail, and what is great is that these tasks can be managed quite easily. As a disclaimer, there are many technologies that corporate businesses use that retail environments do not need to manage themselves.
One very large task is a web page. Hosting a website from your own server is no easy task, let alone keeping it up to date and functioning. Hosting it also exposes your systems to a whole set of security vulnerabilities that put more pressure on the upper management that has to deal with it.
There are many functions that don't make sense in a retail environment. The use of domain controllers and multi-tiered routing for a retail chain in most scenarios just doesn't make sense. I can see why failover is important for retail, but I cannot justify the cost of setting up these systems and then having to maintain them, all from one manager.
Exchange servers for email are a great function to offload: instead of hosting your own Exchange services, hand them to a 3rd party. All the security issues, spam and everything else that comes with email has just been sent to a 3rd party to deal with, and all management has to do is manage.
Setting up policies and procedures
I am sure managers have set up a policy that makes sure their tills are always on every day, or even more than that. What I am sure many managers haven't done, however, is set up a policy or procedure for security. If someone steals an item, what are the specific steps for reporting it? Do your store employees confront the thief? If you can answer these questions then take it a step further: what is your policy if a backup of all your customer information just got stolen? Do you even have systems in place to tell you the data was stolen?
It is coming to the point that retail stores, no matter how big, need someone or some service to make sure security policies and procedures are in place.
Staffing your IT department
It is probably safe to say that many retailers do not have any type of IT department; one is just too expensive for retail to employ. As we have found out above, there is a need for retail IT. So what can retail do?
You can use professors from colleges looking for experience in the professional field. They are trustworthy and usually you can get away with not spending very much on them. They have been teaching students the things your company needs, so they are knowledgeable and can find solutions for your retail setup.
You can use college students who are learning and need experience. You will have to look for a trustworthy person, however, and they will want benefits like help with tuition.
Securing data transfers
Data for retail is money. Your customer database is also money, which many others would like to get hold of. Secure your data inside and out. Who are the people in your company who, if they brought a flash drive to work, could grab your entire customer database and walk out the door with it? Is there any system, configured correctly, that prevents this? When was it last tested?
Secure backups and storage physically and digitally, on and off site
Backups are a great target for hackers. They are usually stored in places that are easier to get at than the live data. If your data is stored on site, secure that closet. Find a place for your database server where someone can't just walk into your offices and walk away with it.
I sure hope you have a system in place that stores your files off site. This is a must if a major catastrophe occurs and you still want to do business afterwards. Any offsite backup should be encrypted, with a long password or key that no one can guess. Only key people should know this password, and if it is written down, that copy must be secured too. Storing your backups on someone else's server off site, in the cloud or through some other technology, is a wonderful thing, as long as it is a reputable place and your data is encrypted and password protected before you transfer it to them. Whatever security they say they have should not be your only line of defense.
Small business setups vs home setups
I have seen many small retailers using home routers for their networks. A simple Linksys WRT54G for your routing is not going to be a good defense. A great way to stay on budget with retail networking equipment is to use small business hardware. There are so many options and configurations that they are too difficult to cover in this post. To make the correct decision for your company, use a service; there are many out there that can make those decisions for you.
Keeping up with technology by research and slow implementation
Old technology is a key factor in why our retail stores are not secure. What is hard for a retail business, however, is justifying the cost of newer technology. A good rule of thumb: if hardware isn't receiving updates from the manufacturer, or the manufacturer says it no longer supports it, then it is time to buy newer (not to be confused with newest). Calling the manufacturer and asking about your hardware is a great way to tell whether they still support it. If they have trouble even finding your hardware, that is a good indication you need an upgrade.
Your weakest point is the level your security is at currently
The best rule of thumb in security is this: your weakest point is the highest level your security is currently at. Even if you have some awesome firewall and intrusion detection hardware, if someone can walk into your office and open the folder named "confidential", that firewall did no good. This is where audits and research come in. Sometimes it even takes outsiders to point out your security issues. If I might suggest something, it would be to use the connections you have with other retail companies. I am sure you have many and they have many too. If we build a community of retail managers talking about how to lock down their stores, you would be doing exactly what everyone else does: figuring out solutions to problems through community effort.
Conclusion
Managers: do what you do best and manage. Find the solutions you need through community efforts and 3rd party services. Even though your efforts are not publicized like those of corporate businesses, you still have a major role in our community. You process consumer credit cards and store our personal data; when it comes down to it, that is exactly what the big guys are doing too. Keep up with security and find ways to offload your IT tasks to someone who can build your security up to standard.
Thursday, June 6, 2013
Passwords, hackers, hashes and defense against it all
P@sZW0rd!
This seems like a great password, correct? WRONG! This password can be cracked in as little as half an hour or less by a hacker with some simple tools, because underneath the symbol swaps it is still a dictionary word. This article is meant to enlighten us on the use of passwords and how frail they are at keeping our most personal information safe. I write it for reference only and will not name the actual tools that hackers use.
Hashes and their Uses:
To make things secure, programmers do not store users' passwords in plain text. In other words, programmers don't have an Excel spreadsheet with usernames in column A and passwords in column B. If they do, they're doing it wrong. Instead they store what is called a hash of the password. A hash is the output of a one-way mathematical function: it is easy to compute the hash from the password, but there is no practical way to compute the password back from the hash. So when you type in your password and hit "login", the server runs what you typed through the same function and compares the result with the stored hash. If the two match, it lets you in; if they don't, you get "login failed, please try again". The server never stores, and never needs to know, your actual password.
Hackers love Hashes
Hackers have a lot of tools to grab these hashes from servers. Some attacks are as simple as breaking the login page with what is called SQL injection; other programs "dump" the contents of the file or database table that stores the hashes to the attacker's own PC. Why do hackers want a bunch of seemingly meaningless garble? If they can find the input that produces each hash, they have your password. If they have your password they can use your account for whatever they want. If your account happens to have privileges such as administrator, they can have anything they want.
Hackers love to boast about how many hashes they have cracked; it's like playing Farmville to them. There are forums all over where people post hashes they have "collected" from somewhere, and others reply with "I got 34,000 of the 90,000 in 16 hours!"
How do hackers solve these hashes?
There are plenty of ready-made tools for solving hashes. Some use an attack called "brute force", where the tool just keeps guessing combinations of characters until one of them hashes to the target. Brute force is used both exhaustively and in a more focused form, following the shape that passwords usually take. If the hacker knows anything about where the hash came from (which is always), he can use "wordlists" and hope that someone made a password related to that information, with mangling rules that try the usual variations: capitalizing, appending a year, swapping letters for symbols. "Rainbow tables" are a different trick: the attacker precomputes hashes for enormous numbers of candidate passwords ahead of time and then simply looks the stolen hash up, which works against any hash that wasn't salted. All these tools are very easy to use and widely documented on the internet.
Now I would like to go through some statements that I definitely hear from others:
“My password is secure.”
I am interested in what people think is secure. If you think the name of the dog you talk about every day, plus his birth date, is a secure password, please think again. Anniversaries, or any dates for that matter, are cracked in seconds. A laughable password is one that uses special characters to form a word, like the one at the beginning of this post: with some simple tweaking of the cracking program's rules, those are found in seconds. How about a sentence from your favorite book, with commas, spaces and the whole thing? That can be cracked in hours with a wordlist made from millions of books. I know people who use sequences of keys to make their password; the famous QWERTY comes to mind. I myself thought this was very secure, since it doesn't make a word or anything. Hackers have created wordlists for every key combination on your keyboard and will eventually get that one too. How about a long random password with all the different types of symbols and strangeness in it? If you have this type of password you probably have it written down somewhere, like a sticky note on the back of your monitor or under your keyboard. "BUT MY HOUSE IS SECURE!" could be your argument against someone getting that sticky. Look, if someone wants into your house that badly they can find a way in. What I laugh at is the password programs that keep all your passwords in one safe spot, behind a single password. That single password allows access to all the others.
“I have a password that is 15 characters long.”
These are harder to crack. There are different types of hashes, and on Windows, for example, a password longer than 14 characters cannot be stored as the weak legacy LM hash at all, so only the stronger NT hash remains. Chances are, though, that you used a phrase or names to get all those characters, which as described above is fairly easy with the right wordlist. Or you probably have it written down to remember it.
“How can someone guess a password that is so random?”
The hacker doesn't do much of anything once he gets good enough. He just runs a program in different ways and lets the computer do the work. He doesn't even need a powerful machine; all he needs is a little creativity. Although it is true that someone with some money can buy a very powerful password cracking machine for as little as $15,000. That is a lot for some, but when a hacker can get into some financial institution, $15,000 can be made back in milliseconds. What $15,000 buys is a GPU rig that tries hundreds of billions of guesses a second against fast, unsalted hashes such as Windows NTLM. To translate that a bit, say your password is 8 characters long and uses any of the 95 printable keyboard characters: that is 95^8, about 6.6 quadrillion possibilities, and at roughly 350 billion guesses a second the rig walks through all of them in a little over 5 hours. To clarify, it takes 5 hours only if your password is the very last guess it tries; on average it is half that. Against a slow, salted hash the same rig manages a tiny fraction of that rate.
"But a crack-my-password website says it will take 2 zillion years to crack my password."
This is laughable. What such a website is based on is what hackers use as a last resort, called incremental brute force. Brute force was explained earlier; incremental does something like this: start with a and go through z, then add a character and go through aa to zz, then aaa to zzz and so on, with every combination including numbers, symbols and capitals. The order the guesses are tried in, from a or from a random point in the middle, doesn't change how long it takes to exhaust the whole space, which is why those websites produce such huge numbers. What they ignore is that there are lots of other ways to try cracking a hash before anyone resorts to this, and the hacker will avoid this last resort at all costs. To get the point across: the hacker will usually get a hit long before he has to turn to it.
Why is this so scary?
To gain access to a system all a hacker needs is ONE username and password. The hacker will always go after the username with the most privileges (admin or root). All he needs is one of these accounts to start his work, and after he gains access he gets to have even more fun. Now this relates to a system that is usually company owned and has lots of users on it, but personal accounts (Gmail, Facebook, LinkedIn) are still targeted. If someone gained administrative access to a LinkedIn server they could find the list of user hashes on it, and your personal password could be one of those hashes. So it all comes back to the customer in the end.
What do we do then?
Unfortunately we as consumers can't do much. We have to wait for our providers to work things out and find ways to combat this. The high hope is that only the providers' own staff hold those admin rights and that they understand the importance of strong passwords. There are some groups doing great things. Two-factor authentication is becoming a great way to combat this. Two-factor essentially works by giving you different ways to prove to the system that you are who you say you are. Each factor answers one of these three questions:
· What you know
· What you have
· What you are
Since passwords are "things that you know", a second question has to be answered for it to become two-factor authentication. Google has done this well with Gmail accounts. They now allow two factors, "what you know" and "what you have", by combining your password with a one-time code from your phone. To finish the idea, "what you are" can be answered by fingerprints or retina scans.
What do we have left for a defense then, since passwords are not secure?
Since we are stuck with what we have and no way to change it, we should find the best way to make our passwords harder than the other guy's. This is a theory I like to call "better than your neighbor". If a potential burglar wants to get into a house on the block, he will choose the easiest door, and the easiest door is usually the one that is unlocked or partially open. Now think: if you have a dog, an alarm, a fence, a deadbolt, it dents the burglar's confidence enough that he looks elsewhere, most of the time. Burglars usually are not that smart; think of it, if they were smart why would they be robbing? They could make money a lot more easily. Now it is true we have those shady people who do it just for fun. These are the people to watch out for, because they take all these obstacles as a challenge and enjoy it the more challenging it gets. And to cover the bases, there are exceptions to the above: you can have a smart burglar.
What are some pointers to creating a good password?
With companies still enforcing passwords, the best thing we can do is make it at least somewhat hard for the attacker. Here are some pointers:
- Passwords:
- Of all the ways to create a password, keyboard sequences are one that throws off a plain wordlist attack, as long as the walk is long and not one of the common ones. Find a way to sequence your passwords on the keyboard using letters, upper and lower case, numbers and symbols. So maybe something like this for linkedin.com:
i. "L" for the first part of the website name (linked), then count left 2 to "j", up 2 to "&", right 2 to "9", down 2 to "l"; then use "i" for "in" (the second part) and go left one to "U", up one to "7", right one to "*", down one to "i". Then to finish it off put something random like "%laugh". The entire password together would look like this:
1. Lj&9liU7*i%laugh
a. You may laugh at this, but it is hard to hit with a plain wordlist, it is over 14 characters (so no weak LM hash on Windows), and you don't have to write it down. Notice that roughly every other key uses the shift key.
2. Now I am going to get some reader saying "OK, I will do it exactly like that above…" Please be creative and at least think about how you can personalize this sequence: at least change the numbers or the direction of the walk. I would suggest coming up with a new password scheme altogether, as some crafty hacker/programmer has already trolled this website and put my scheme above, and any other scheme that relates to it, into a wordlist just in case, which he will use if he has to.
- Create a DIFFERENT password for every website you sign into. If your password is cracked, the first thing a hacker will do is try it on all the other websites you use.
- I would like to pause here and just say that the hacker isn't doing a lot of work. Someone did a ton of work creating a program that does all this digging into a personal life and then handed it to other hackers. All they do is run programs and let them do the work. So when you think "man, these hackers get personal", just remember they aren't doing much work, just letting a program do it all for them. ** It may be true that some hackers out there do some things manually, but you get the point: exceptions always happen in life.
- Security questions: As a side note, the answers to password-reset questions are starting to become the target rather than the password hashes. They are easier because the hacker gets to see the question, which tells him what the answer could be and makes it easier to gain access to the account.
- Do not use the correct answer to the question. If the question is "What was your favorite pet's name?", do NOT answer the question, at least not directly. If your pet's name was "Charlie", please oh please do not use it. A keen hacker focused on you will be getting to know you very well, and if anything is on the internet it will be personal details about your life, especially your favorite animal. I have heard of using something that isn't even expected, like "telephone bike" or something random that cannot be guessed. As you notice, telephone and bike have almost nothing in common, and no one in their right mind would think your favorite pet's name is related to a telephone or a bike.
Conclusion:
- Please tell all your neighbors, friends and family about "safe" passwords. The more people know about this, the better we all get. We live in a community that survives by people telling others about hazards.
- Please tell them to put a "safe" password on their wireless. Put a "safe" password on the configuration page of your router as well as a DIFFERENT good "safe" password for access to your wireless network.
- Put password protection on all the file shares inside your network, yes, even your trusted iTunes shared folder on your Drobo or NAS.
- Use a good "safe" password on your cloud storage. This is a big target, as it houses all your personal financial data.
- Do not think that your home "firewall" can block intruders from accessing your PC. All it takes is one email or one exploit (a malicious piece of code that uses a vulnerability in software to gain access to your PC) to get in behind the firewall. Use the next two bullet points to guard against it.
- Use an antivirus. There is some debate on whether they really do a good job; I say the freebies do a lot. The freebies (like AVG Free, MSE, etc.) at least block known bad places and can even tell you when you are accessing a bad website. It is better than nothing. I personally like Webroot Endpoint. It is not free, but they do a great job and very little gets past them, as they do a lot more than the freebies, such as automatically updating the clients against exploits that have only just become public (zero-day exploits).
- Do not click on anything when you don't know where it will take you: popups, stray emails, banners (those flashing "free screensaver!" things), anything saying "click here" without reference to where "here" is.
I hope this helps everyone. I truly hope I have shouted this loud and clear. I have done lots of research, but as always there could be some kind of mistake out there. Who can say they haven't made a mistake?
Some after notes:
I refer to hackers as "he"; there are "she"s too. I don't get why, but for some people this he/she bit gets them angry. Any English book will state that the word "he" can be used in a non-gender-specific setting. The same goes for the other languages in the world. If you are speaking to the general public and you even have the inclination that someone out there could be male, then you always address the group as a "he" audience, not a "she". If I offend, just remember what they say about "taking offence": I am not to blame.
Tuesday, October 9, 2012
The Big Questions of IT Certifications
· What is Certification?
o Certification means you are qualified for a job that works with what the certification is about. This statement is highly debatable, but that is what certification companies stress. The point I want to make is that certifications can be great tools if you use them correctly. Certifications don't mean you are guaranteed a job, but they mean you were dedicated enough to that direction in the IT field that you want to be recognized for those skills. Certification is not enough, but certs are sure a great step in showing your employer you want the job.
· Why should I certify?
o Put aside the question "Do certifications really get you a better job?". If all it does is keep you up to date, then $400 a cert is not a bad investment when it teaches you more about your field. The IT field, and any technology field for that matter, is always changing, and you must change with it.
o Certifications allow you to see what is out there and where things are heading. Change is everything. If you aren't changing with the field you get left behind and put in a corner with no way up. You will eventually lose your job, or at the very least you'll lose your sanity. No one can work for very long in an environment that doesn't provide success and advancement of some kind. Without change you will be stuck in dead-end jobs living paycheck to paycheck. Sure, it's one thing to provide for your family, but providing amazing things for your family comes only when you are happy doing your job and working towards the next advancement. If you aren't progressing, you aren't happy, and I can say for sure your family won't be happy.
o Certifications keep you relevant in the field. 'Nuff said. Yes, certifications mostly just skim the top of a topic, but normally that is all you really need to pass the HR tests and get the job. Then on the job you get to learn their proprietary nitty-gritty. You see, even if two companies require you to be CCNA certified, they both have their own reasons and networks that require only particular in-depth parts of your certification. To know the in-depth stuff of their own proprietary solutions means you have worked with them before. If any employer asks for that in-depth knowledge in an interview, then they need your help fast, because they don't know what they really need. You should turn in your resume and ask for an interview. Show them you have what they need and help them understand that you can learn what is solely for their purposes.
o Certifications get you past the HR departments. It's sad, but people without certs and with tons of experience are overlooked in favor of people with current certifications. Yes, we can complain and say that's not fair, or just get the certification, which would take less than a week for someone already working in the field for 5 years and usually costs only about $150 to sit the test. The interesting factor is that HR wants people who are dedicated. If you want to show your dedication, a CURRENT certification shows that. Take advantage of being on both sides and having both the experience and the certification.
o The point is to prepare as much as you can, so that when the opportunity arises you have the ability and expertise to take advantage of it. And after you take advantage of the opportunity, you know what people will say when you land that big job? "Man, you got lucky." The funny thing is, you created your own luck by preparation. Would you leave your dream job, when it comes along, to the usual definition of luck? I wouldn't. I would create my own luck by preparing and dedicating the effort to make it happen. The fact remains that when you prepare and do things for a change, you attract the change. You may never happen upon the dream job unless you prepare yourself and practically throw yourself into the direct line of fire. The hard thing about this is not knowing when the next dream opportunity will happen. Learn to go from cert to cert as success after success. Don't just wait to feel success only after you land a dream job or dream promotion.
o Learn from certs outside of your direction in IT. Go into programming. Go into networking. Learn to run a LAMP server. Learn PHP. Learn about security. Learn mobile apps. The more background you have in each direction in IT, the better you are in your own direction. You may even find a different direction refreshing, and may even want to go that way. You will never know until you dive into it for a while.
o About dedication: don't be like the boy who dips his toe in the water and then comes home saying he went swimming. If you are going to learn something, learn it in depth. Get a surface knowledge of things and then dive right into the topics in that direction that interest you. By diving into the places that interest you, the parts that don't seem quite so interesting will become appealing.
· When should I start to certify?
o You should start to get certified today no matter your current situation. Is it going to be tough giving up time? Yes. Worth it? Yes.
o When you are in high school, go to the technology center for half a day and take the certification tests. It’s a great way to get out of dreary high school and into an environment where learning is fun and not considered a chore by your peers. If a tech center isn’t available I am sure there is some class that can get you involved. If all else fails in high school…give up just 1 hour of video games and take certification courses in that small hour.
o Get your certification during college. I am currently taking 12 credit hours in college, working full time, and getting a certification a semester. Tough? Yes. The more certifications you have, the more enticing you look to potential employers…not just because of the certs on your resume but because of the confidence you will have knowing you have what they need.
o Get certified even if you are in the field and have been working there for years. Just the feeling of accomplishment will get you feeling better and open your eyes to the things you don’t know currently. Remember: also go into certifications that are not in your direction…these will be the most satisfying to earn.
o The point is to start now…wherever you are in your life. If you want to be in any computer field you have got to earn it.
o *Note: I have heard from many that it is hard to get into the industry with no previous experience. All these people that I hear complain, I ask them a simple question: what have you done in your personal life to get real-world experience? Most of them say nothing. Some say, “Well, I know how to set up my wireless router!” That may be a good start…but not enough. If Cisco is your thing, work with GNS3 and Cisco Packet Tracer to build enterprise-level networks on your home PC. I just can’t get why I hear people complain about something they have control over…they just don’t go after it for themselves first. You can get real-world experience by simply doing things for yourself. Taking from Brian Tracy again: you are your own CEO. If you want some real-world experience then work for yourself. Make a mobile app for yourself. Build a network for yourself. There are so many real-life labs out there on the web for entry-level certifications that all you have to do is search and go employ yourself. I am positive someone will hire you over a person with experience when you walk into the interview, look over what they have, and say to them, “I have made a very similar network in the lab that works flawlessly.” The confidence you have will be your selling point.
· How can I certify?
o Invest cash in yourself. Something I take out of Brian Tracy’s books: invest 3% of total income into yourself and your learning. For a $50,000 salary that is $1,500, or $125 a month. This can easily pay for 3 or 4 certs a year. If you want to become something like VMware certified it requires a class. Some other certs require a class as well. Classes are around $2,000 to $4,000 and usually require you to travel and spend 4 to 5 days learning. If you want those then you will have to commit a bit more of your salary and save for a year…or go into debt and pay it off in a year…whichever you prefer. $3,000 is a small risk with huge payoffs. Putting off that fishing boat one year for a certification course could mean a yacht the next.
o Invest time in yourself. If you really want to do something then wake up early and do it. It is amazing how much can be accomplished with that 1 hour of waking up earlier. There will be fewer distractions, fewer phone calls and less demand for your time in the morning hours. This means more concentration on the task at hand. One hour a day for 6 days a week turns out to be a 3-credit course every quarter. Getting a new certification every quarter isn’t hard when you have the morning hours to get it done. If you want to take this to the extreme and get it done far faster than a semester, then wake up at 4 AM and go to bed at 9 PM. 8 hours of sleep is great, plus you have a full 4 hours before you go into work at 9 AM (add an hour for getting ready and eating). You could get part-time hours by just going to sleep at 9 PM…for most of us that is only a 2-hour difference. Think of putting part-time hours into a certification…you won’t regret it and would be done in weeks.
o Certifications are not hard to earn. They are simple courses that mostly can be done in a couple of weeks. They usually cover broad topics and skim the surface on each topic. If they take longer it means they are worth more value to you and require you to be working in the field for a while. The certifications that take longer than a couple of weeks are usually earned by those that have gotten the easier, faster certifications first and then got into a job that requires them to gain that longer, harder-to-earn certification.
· Where can I certify?
o Most certifications can be earned from your house. All you have to do is get to a testing center to write the exam (“write the exam” means take the test…I have no idea who came up with that term). Certifications can mostly be studied for entirely from your home PC.
o Another part of “where” is where can you get certification study material? That is easy. Google search is a great friend. Learn how to use it to find what you are looking for fast and you will have any answer you need.
o Most certifications have many books on Amazon. Find the best-rated book, make sure it is for the current test (because the tests change every couple of years) and buy it. They are always less than 100 bucks.
o Most certifications have free web pages dedicated to the exam. Take Cisco for example. 9tut.com has great tutorials and questions. Be very careful learning from these web pages however. They could be great for passing the exam…but all they do is cover the topics of the exam and never get into the in-depth knowledge that you need to pass the tests given during an interview. If you are going to learn something, learn it well.
o There are websites and torrents out there that can be downloaded that have study materials and actual exam questions. Some websites even have the full test bank. Although these are great for passing the exam with high scores, this type of studying is horrible for everyone. This is why so many people say that being certified doesn’t mean you know your stuff…it just means you know how to take a test. If you choose to use these test banks then I sure hope you learn the real in-depth, soul-feeling experience of each direction. Learning those things means progression. Things like money never make happiness. Do things make life easier? YES…but is easier happiness? NO. Get that in your head before you go off in search of riches.
· Which certifications are right for me?
o This is a tough question. On one hand people say to go get many certifications in all different areas. On the other hand people say get into a direction you love and get the highest degree of certification available. This is how I put it:
o If you are starting in the field, get the certification that seems most enticing. Gain that certification and if it was easy go for the second level of that certification. As you gain more and more levels of certification, start expanding into other directions. Just as when you went through college or high school, you had to take classes that didn’t seem very relevant to your direction. This is a good thing. I repeat myself: the more you know about other directions the better you know your own direction. By understanding the dynamics of a database, you can better understand how to network your DB server.
o Here is a list of types of certifications (I will not go into much detail…just enough to get you interested :) ):
§ CompTIA: CompTIA doesn’t rely on vendor-specific knowledge. This is good and bad. You get the general overview of the direction, but nothing in depth. CompTIA certifications are great for entry-level people looking for a quick, easy-paced certification that gets them rolling. Some of the highlighted certs in CompTIA are A+, Network+, Security+ and their new Healthcare+ that they are promoting heavily right now.
§ Cisco: The big networking certifications. The beginning cert is called CCNA, which almost everyone in IT earns sometime in their career. CCNA is still a very hard test and requires you to know some very specific things about networking and how Cisco makes it easier. CCNP is for people really wanting a Cisco networking job at enterprises. Their highest, CCIE, is something not very many achieve. I would suggest getting CCIE only if your employer requires it and is willing to put you through the course.
§ Microsoft: They are a big supplier of certifications. You can get the silly ones that I myself wouldn’t pay for with my own money, such as Windows 7 MCT. The ones that give you the best bang for the buck are their MCSA and MCSE certifications. They cover all the aspects of Microsoft servers, and anyone that works with Microsoft products always wants to get them. All their other certifications are there for employers to put their employees through.
§ Apple: I have never really seen these certs used unless you work for Apple. They can be obtained outside of their company however.
§ PMI: PMI is all about project management. This is a very lofty certification that requires a bachelor’s degree and at least 3 years of experience in project management just to qualify for the test.
§ CISSP: The big security certification. This cert also requires a minimum of 5 years in the field. You can however take the test and then have 6 years to earn the experience and become fully certified. I would have to say taking the test and passing it is enough for employers to take a risk and hire you…this cert is that powerful.
§ VMware: The virtual empire certificate. This is another very costly certification but is mostly straightforward. You must take a class to be admitted to an exam. The classes are 5 days and most likely not in your area, so traveling expenses and taking time off work are a must.
§ CSIM: This is the highest-earning, most sought-after IT security certificate. There is no required experience. Just study and take the pass-or-fail exam. Very prestigious award.
§ CHFI: This is the Ethical Hacking Forensics Investigator cert. This is a great one to get into a job with the feds or a police department and go help solve crimes. Some get it just to have a side job along with their main job of teaching.
§ CIW: Certified Internet Web Development. This is all about internet servers and web page security, design, development, and foundations. They take certifications from CompTIA and apply them as some prerequisites of their certifications.
o I have named the main ones here. There are plenty more to keep you going a lifetime.
· Suggestion: continue to get new ones and renew the old ones relevant to your current direction. Never let one expire…you usually have to take it all over again.
· My largest suggestion of this entire article: this is worthy of an entirely separate article, which I will be writing soon. Invest in soft skills learning courses. Soft skills can be learned and are not given at birth. Your soft skills are probably the best money makers of all certifications. If you cannot sell yourself you cannot sell your talents. Take courses to better your presentation, talking, networking, sales (you are all sales managers…more about this in another article), and every aspect in life.
o The best way I have been able to build my soft skills is by books on “tape”…or CD or iPod or whatever. Listening to books on tape while driving to and from work and other locations can turn your boring driving time into 3 full semester classes. If you drive the average hours a year as everyone else (more than 1,500 hours) then you can read over 50 books a year…that is 50 times more books than the average person reads a year…yep, the average person reads less than a book a year.
· What I want to see different in IT certs and what I want to see more of (conclusion)
o I want to see a way that makes certifications more reliable to the employer. Some kind of checklist to make sure the client didn’t cheat on the exam using test banks. Maybe some kind of separate way to verify someone can really do what the certification says they can do that isn’t directed by the certification companies…I smell a startup coming.
o I also want to see more certifications about management. Management is what is taking over IT in the small business world…which is our world in the US. Being a manager in a small business means you not only manage people, but computers as well. Get into upper management in a small business and you end up being titled “tech support” alongside.
Friday, October 5, 2012
That Mysterious Cloud as a service
There is so much talk about the cloud. This talk about white fluffy stuff can get very confusing if you don't know what the cloud really is. To explain, a short YouTube video describes the basic concept:
http://www.youtube.com/watch?v=ae_DKNwK_ms
So, hoping that the video changed your view a bit, let's just say the cloud is a bunch of services. By using someone else as a service, all maintenance, tech staff, upgrades, etc. are handled by the provider while you just use their service. All you as their client do is pay a fee to keep their service going.
What is interesting to note about cloud services is the fact that computers in the beginning started off in a cloud scenario...albeit a very small and local cloud. You had your mainframe with all the operations and storage centrally located on it. Then you had a client that just displayed the info from the mainframe on a screen. The client didn't do any work other than display the info while the mainframe did everything else. In essence this is what the cloud is. Now there may not be huge mainframes that are room-sized to provide you a cloud service, but nowadays the cloud could be as simple as a desktop hosting software in a remote location anywhere in the world, and others can log on and use the service for a fee.
So the cloud is just a bunch of services hosted at some other location. You pay for the service to work and continue. Us techies like to categorize things, so we come up with different ways to show the different services available. Here are the three categories:
- SaaS: Software as a Service. This is a service that can provide many different functions. If you use Gmail you are using a form of SaaS. Reading this blog is a form of SaaS. Watching YouTube is a form of SaaS. There is a very blurry line between what is and what isn't SaaS nowadays. Let's just say if your computer doesn't host the service or doesn't process the entirety of the service, you are using a form of SaaS. A good example of SaaS is Google Docs or Office 365. You just sign in and use it with no need to install. Another good example is the comparison between the old Outlook and Gmail. You didn't have to install Gmail to get Gmail working, whereas Outlook is an Office product that you installed on a machine. Dropbox, Google Drive, Windows SkyDrive...they are all SaaS. SaaS covers storage, processing power, software and many other services. SaaS could even function as your networking equipment.
- PaaS: Platform as a Service. PaaS is used by us developers. Instead of storing and downloading all the code we use to make SaaS services, we just log in and use a PaaS service that has it all there. A good example here is Facebook apps. A developer can code an entire app using Facebook's "code", called APIs.
- IaaS: Infrastructure as a Service. This is where it comes down to virtualization. With special software we can take 1 computer and turn it into hundreds of slower, simpler computers. This is great when needing to stress test a software program. This idea is the same idea behind putting a shoe on a robot and having it press in a certain area for a billion cycles to see how much wear happens. IaaS allows us to stress test the software program so we know it won't break when it becomes popular. IaaS also allows for all the different types of computers out there to be used without actually having those computers right next to the developer. So the software can be tested on Mac, Windows, Linux, Android, etc. to see how it performs.
Why use the cloud?
- Cost to you as a client and for your business. Yes, this is a fee you will have to pay for as long as you use the service. In most scenarios this simple fee will look like a lot, but it will definitely make up the difference compared to, let's say, buying your own server and having to spend your time updating, troubleshooting, and sometimes replacing it.
- No need for upkeep. No updates, no downtime, no wasted time.
- "Pay and play" for the most part. You just pay for a service and start using it.
What the cloud is not:
- Free. There is a cost. Even if you don't see it, you do have a cost.
- A replacement for your home computer. To access these services you have got to have some way of getting to them.
What I want to see in cloud computing:
I can imagine a world where whatever computer you sign into, you have all your info, personal settings, personal documents, email, etc. right when you sign in. In all reality this type of computing is just like our old mainframe and client scenario. The mainframe, or 'cloud', does all the work while the client just displays the results. Think of a kiosk where you just sign in and you can continue where you left off at the last kiosk. Better yet, think of a personal device just as fast and powerful as any other computer, where all the processing that would have taken up battery life is now used just to display the results.
So I guess the forefathers of computing got it right and were way ahead of their time with cloud computing. Since then we have made a complete loop: making a complete all-in-one system doing all the computation, and now coming back to hosted services from one central system.
Wednesday, June 13, 2012
Conversational Tips for the Analytical Thinkers
As you read this, keep in mind that you are probably going to say to yourself, "this isn't me but it sure would help so-and-so...". So all I want you to do while reading this is think, "this is for me," and stop trying to help others for a couple of minutes.
Is it OK to contradict? In short, yes it is OK. There is a very big side note on this statement. Let's go over some scenarios.
Scenario 1
1. You meet with a bunch of friends and they start talking about cars. Someone brings up that a Dodge is better than any competitor. You know all about cars of course...you studied them profusely for an hour or two. So you (being you...the analytical thinker) go on to say "Chevy is better than Dodge hands down". The conversation gets awkward right after that statement and you start to get remarks like "My experience with Dodge is...." from the friend. All you can think of to say is a silly commercial you heard saying that Chevy was the only survivor of the apocalypse. When you both leave you kind of feel awkward and are not sure why the conversation wasn't carried on or why no one left happy.
What went wrong with this first scenario?
Being the analytical thinker you are, you love debate. You have to look at the pros and cons. This is OK. This is why you are good at what you do. Most of the time when someone brings up a potential debate you take the opposite of what they are saying, AKA if they are for it you are against it. This is great. This is who you are. The problem lies in the fact that no one wants to be shot down in a public setting. Public criticism is the worst, yet analytical thinkers thrive on creating this criticism. Analytical thinkers tend to think this is a good conversational device and want to use it often. No wonder no one likes you! You contradict them at every turn and like it! What is worse is that when you contradicted them it was in front of everyone! You didn't have any idea what you were getting into. The point is, no matter how many backup statements you can put after you contradict someone in a public setting, DON'T CONTRADICT and try to spark the conversation with pros and cons. It will never work and you will leave with that "what did I say?" feeling.
If you have to contradict in a public setting I suggest:
1. Hear them out. Give them a compliment such as "Dodge is a good car..." and ask them questions like "how did you conclude that Dodge was the best?" Let them talk. Do NOT interject any of your side comments. Give them a pleasant face to look at....not that judgmental face you get right before a debate. Without humiliating them in public, they can then move on to their experience and go over their pros. The point of this is that you are letting them be heard out. Everyone wants to be heard. If you get them talking and let them talk without interruption, you just scored points with them.
2. When you actually get to the "contradicting" part, after they have made their spiel, maybe say something like "well from what you said Dodge is a great choice! I personally choose Chevy however because....". You could even throw out your funny commercial spiel now and make a joke...which would be unheard of from the analytical thinker. The point is to leave the conversation open...try not to use cons, but pros about your side.
Now take the second scenario:
Scenario 2
2. You and a friend are out ready to go see a movie when you start talking about the best superhero. You know of course it is Iron Man but he is stuck on saying it is Captain America. You both have strong pros and cons and you go over them. It becomes a great experience.
What went right in this second scenario and why was it different than the first?
I bet you guessed it: this is a private setting. It happens that when you are in private with one other person, it seems like debate is a must to keep a good conversation. You are both happy because there is no other person listening in to feel dumb around. A word of caution: if someone comes into the conversation midway...just switch over to letting the other talk about the pros and then get your chance to spiel over the pros of your superhero.
Now I would like to caution contradicting in general.
General Triggers
Even in a private setting contradiction is tricky. There are some triggers to remember during private conversations that will help you see that the other person isn't in the mood for a debate even though you are in a private setting.
1. Look at their eyes. They will say "I am open" or "I am closed" to debate. It is very easy to tell...you just have to look at them...which is hard for us analyticals.
2. If you hear anything like "My experience is..." you have not overstepped your bounds yet. Just match them and say "That is an interesting point of view! My experience is....". This leaves it open. No criticism, so you are OK for now.
So as you go throughout your day, analytical thinkers, think "Am I contradicting, and is it appropriate?" With a conscious effort for a couple of days this question will become natural and you will be on your way to being a great conversationalist... Whatever that means.
For more great insights I found a webpage that goes over some funny stuff:
http://www.techrepublic.com/blog/10things/10-curses-of-the-analytical-thinker/2466
Friday, May 25, 2012
Parental Control/addict helper software
Parental Control Software
The internet in its raw form, in my opinion, is so tasteless and goes way outside the bounds of even an adult. However, there are so many good things about the internet that it cannot just be disconnected from our lives. This is where parental controls come into play. If you read anything about me you will see I favor K9 Web Security. After much research, you just can't beat what you get for free from this software. Most paid software doesn't even compare. K9 can also be combined with OpenDNS to lock down almost everything. The keyword in that last phrase was *almost*. It's impossible to block everything, sadly. This is why blocking "bad" sites is just not enough. Another tool that is needed is accountability reports.
Addict Helper Software
Accountability reports are usually used by addicts. These reports get sent to a sponsor or another person to review and talk about with the addict. What I want to persuade you of is that these accountability reports should be used not just for addicts but for parents and kids. The fear of having someone else know where you are going on the internet through reports is a good tool to keep you away from the demoralizing aspects of the internet. I have heard that Covenant Eyes is a great accountability solution. It does have a monthly cost, but it is worth the cheap price tag. I would not recommend X3watch. Very often it doesn't work, not sending the report to your sponsor, and if the report does send it only shows random snippets of what is going on.
Incomplete Protection
Combining the tools of blocking the internet and adding the accountability reporting is a good step towards controlling what is being looked at on the computer screen. This is not complete however. There are loopholes to consider. A teen could have all the above enabled on the PC and still get around the security.
Here are some additions to the above recommendations:
1. Disable boot from external drive and CD then password protect the BIOS. This makes the PC not able to boot to a disk that could have a bootable OS system. Booting to another OS system could allow avoiding any software installed on the current OS on the disk.
2. Make an Admin user on the PC with a password. Then make all other users standard users with update rights. This dissallows anyone from installing keyloggers (records what keys are being pressed...which if on the PC your password when typed could be hijacked). This also doesnt allow the software installed to be disabled. Even my highly recommended K9 has a flaw that can be disabled by changing a files contents and restarting. Without admin rights however this flaw is no more.
3. have each parent create their half of one password. On any password you create make the password split into two passwords that each parent only knows their part to the password. This is security 101 to any corperation. Don't give anyone all the keys to the castle. The responsability eats away at the person and since we are all human we all can fail.
4. Setup OpenDNS on the router and not on each indivdual PC. Doing this adds more security when a device that doesn't have K9 or other parental software installed to have access to your "bad" list. There is a loop hole with this concept in they can just change their PC DNS to another and get around this step 4. To counter I would suggest getting a router with DD-WRT firmware so you can force DNS resolution to always use the DNS you provide on the router.
5. use pingdom.com. This trys to setup communication to the router. If it fails it emails you that it is down. Without going into to much tech stuff it would be better if you used TCP settings to communicate and use a port you opened up. The port could be a protocol you use but could also be something you don't. If you don't use it just map the port to an IP not used on your home network. If a hacker notices this port is open and attacks it, he can't get anything out of it. pingdom is a great way to notice if someone is bypassing the router and connecting directly to the modem. Connecting directly to the modem means they bypass any security set up on the router.
6. May I suggest a tidius but good way to block everything except what is needed on the internet? block all catagories of the internet with the filter. After they are all blocked start browsing to your favorties list. Allow each of those websites that you know are good and can be trusted. Amazon and ebay sites in my opinion cannot be trusted as a simple search can lead to very revealing stuff. after allowing all your favorites start browsing around a little and when you have a website you know is good allow it. It's funny but I bet you only visit around 20 sites normally. Only when searching for something on google would you venture out of these 20 sites. So when you want to venture out in the open have the neccessary security, get someone to allow you full access for 20 mins while you search down your big project. That's all you really need to find the solution. If it doesn't you can always allow for more. I am sure your spouse or whomever will be gratefull you didn't spend hours resesarch on a the topic. Then, afterwards, your walls come back up and your secure again.
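Step 4 above says a DD-WRT router can force every DNS request on the LAN through the router's own resolver. As an added example, not code from the original post, here is the kind of firewall script DD-WRT runs at startup (saved under Administration > Commands as the firewall script) to do that, plus a small check you can run against the router's own rule listing to confirm the rules survived a reboot. It assumes the LAN bridge is named br0 and that the router's LAN address can be read with `nvram get lan_ipaddr`, both DD-WRT defaults; the address 192.168.1.1 used when the script is run off the router is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: a DD-WRT firewall script that
# rewrites every DNS request leaving the LAN so it lands on the router's own
# resolver (which in turn forwards to OpenDNS). A PC whose DNS server was
# changed by hand therefore still gets the OpenDNS answers.
# Assumptions: LAN bridge is br0 and the router's LAN address is read with
# `nvram get lan_ipaddr` (DD-WRT defaults; check yours).

# Print the iptables commands for a LAN interface and router address.
# Kept as a generator so the rules can be reviewed before they are applied.
dns_redirect_rules() {
    lan_if="$1"
    lan_ip="$2"
    for proto in udp tcp; do
        # Any port-53 packet from the LAN that is not already addressed to
        # the router is DNATed to the router's own port 53.
        echo "iptables -t nat -I PREROUTING -i $lan_if -p $proto ! -d $lan_ip --dport 53 -j DNAT --to-destination $lan_ip:53"
    done
}

# Count the DNAT rules the generator emits (expect one per protocol).
count_dnat_rules() {
    dns_redirect_rules "$1" "$2" | grep -c -- '-j DNAT'
}

# Verify a rule listing (`iptables -t nat -S PREROUTING`, fed on stdin)
# contains both redirect rules for the given router address.
# Returns 0 only when udp and tcp are both covered.
dns_redirect_present() {
    lan_ip="$1"
    listing="$(cat)"
    for proto in udp tcp; do
        printf '%s\n' "$listing" \
            | grep -q -- "-p $proto .*--dport 53 .*-j DNAT --to-destination $lan_ip:53" \
            || return 1
    done
    return 0
}

# Apply the rules; DD-WRT runs the saved firewall script as root at boot.
apply_dns_redirect() {
    lan_if="${1:-br0}"
    lan_ip="${2:-$(nvram get lan_ipaddr)}"
    dns_redirect_rules "$lan_if" "$lan_ip" | sh
    iptables -t nat -S PREROUTING | dns_redirect_present "$lan_ip" \
        && echo "DNS redirect active for $lan_if -> $lan_ip"
}

# Only touch the firewall when actually running on the router.
if command -v nvram >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
    apply_dns_redirect
else
    # Elsewhere, just show what would be applied on a default DD-WRT setup
    # (192.168.1.1 is a placeholder address).
    dns_redirect_rules br0 192.168.1.1
fi
```

The rule uses `! -d $lan_ip` so that requests already aimed at the router pass through untouched, and it is inserted at the top of the nat PREROUTING chain so nothing earlier can let a query slip past. It only catches plain DNS on port 53; it does nothing for a resolver reached over another port or protocol, and it does not stop someone who can get a different router in front of the PC.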
Castle Analogy
Think of the analogy of a castle. You need walls to protect the inside, and the walls need to be high enough to withstand a barrage from above. There are guards who let in only what is good. It is also worth mentioning that when the King or Queen steps outside the castle, they never go alone. There is always a protector, even if that protector is a single archer with a keen eye on lookout.
What happens in the movies when the King or Queen leaves without a guard? He or she lands in peril. They may come back a hero, but they still got into trouble and had to find a way out.
Can you see the similarities between the castle and web protection?
Conclusion
I hope parents, addicts and everyone alike don't have just the raw internet flowing into their PCs. I also hope this article was helpful to someone and in turn will help many.