Bryley Basics: Microsoft Windows is not as vulnerable as Apple OS or Linux

Because of their size and complexity, computer operating systems are difficult to secure completely, which leaves them vulnerable to attack.  Given the number of reported hackings, most people might consider Microsoft Windows to be extremely vulnerable, but Windows actually ranked as less vulnerable than Apple Mac OS X, Apple iOS, and Linux.

This ranking was made by GFI Software in 2014, which reviewed popular operating systems and the number and rating of reported vulnerabilities.  GFI reported these top-5 results:

  1. Apple Mac OS X – 147 vulnerabilities; 64 High, 64 Medium, and 16 Low
  2. Apple iOS – 127 vulnerabilities; 32 High, 72 Medium, and 23 Low
  3. Linux – 119 vulnerabilities; 24 High, 74 Medium, and 12 Low
  4. Microsoft Windows Server 2008 – 38 vulnerabilities; 26 High and 12 Medium
  5. Microsoft Windows 7 – 36 vulnerabilities; 25 High and 11 Medium

Microsoft’s Internet Explorer, however, was ranked as the most-vulnerable application followed by Google Chrome, Mozilla Firefox, Adobe Flash Player, and Oracle’s Java.

See the article from Swati Khandelwal of The Hacker News: Windows?  NO, Linux and Mac OS X Most Vulnerable Operating System in 2014.

Recommended Practices: Basic training for IT end users

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End users receive the benefits of IT, but usually with some pain involved, which they are glad to share with the IT administrators and technicians.  Oftentimes, the pain comes from not knowing the correct way to do something or from enabling malware; these can be avoided (or at least reduced) through proper training.

Training is usually considered optional, but the increased emphasis on security and compliance, along with the potential gains from trained users that are comfortable and knowledgeable with their IT assets and systems, can provide significant return on investment.

Training can play a critical role in the satisfaction of end users and in the security of the computer network.  It can provide end users with the knowledge to safely browse the Internet, reject harmful emails, and avoid trouble.  It is also important to define appropriate-use policies and demonstrate how to enter timely data into information systems.

Training topics

Generally, IT-oriented training occurs in these areas:

  • End-user equipment
  • Network resources
  • Applications
  • Policy
  • Security

End-user equipment

End-users have a myriad of devices, ranging from desktop PCs to terminals, tablets and other mobile devices; some have specialized items like hand-held scanners or terminals tied to a specific application.

The fundamentals are important:

  • Simple maintenance (cooling, ventilation, etc.)
  • How to operate the user interface (touch display, special keyboard, etc.)
  • Basic usage at the operating-system (Windows, Android, iOS) level

Ergonomics should also be considered; ensure that the equipment is optimized to the user’s body in the placement of displays, keyboards, mouse, etc. and that ergonomically correct accessories (gel-based wrist pads, comfortable seating, etc.) are provided and aligned properly.  (See Ergonomics Made Simple from the May 2014 edition of Bryley Tips and Information.)

Network resources

Resources available to end-users should be identified and demonstrated:

  • Printer features (b&w/color options, duplexing, etc.), location, and use
  • Multi-Function Printer (MFP) functions (faxing, copying, scanning) and use
  • Server names, basic purpose, shared folders, and access privileges
  • Conference-room display and wireless keyboard/mouse
  • Login credentials to Wireless Access Points (WAPs)

Labeling these resources makes them easier for end-users to identify.

Applications

Software applications fit a variety of functions, including:

  • Productivity suites:
    • Microsoft Office
    • Google Apps
  • Organization-wide:
    • Customer Relationship Management (CRM)
    • Professional Services Administration (PSA)
    • Enterprise Resource Planning (ERP)
  • Utilities:
    • PDF readers and writers
    • Password managers
    • File compression
    • Storage
    • Backup
  • Prevention:
    • Email protection
    • End-point security
    • Web filtering

(Software applications are discussed in the September 2013 through January 2014 editions of Bryley Tips and Information.)

Policy

Usage policies focus on the organization’s permissiveness (and lack thereof); they are designed to specify proper use and discourage improper behavior.

Most organizations have at least these IT-related policies:

  • Authorized use of computer network and its resources
  • Internet, email, and social media use and etiquette
  • Information Security Policy

Security

Security relies heavily on policies, training, and protective applications; the human element is the largest security risk in any organization.  Policies and training should encourage end-user behavior that minimizes security risks; protective applications help to enforce policies and to detect and remove problems when they occur.

Security training should include, at a minimum:

  • Anti-virus/anti-malware protection
  • Preventing phishing attacks
  • Password guidance
  • Safe web browsing

Many organizations provide continuous training and reminders; some set up internal honeypots designed to lure end users into inappropriate behavior so that this behavior can be addressed and corrected.

Training process and related factors

The training process:

  • Set training goals
  • Assess end-user needs
  • Tailor the delivery methods
  • Create the training program
  • Scale the program to the audience

Trainers should factor in these items:

  • Budget training at the beginning of the project
  • Consider the needs and learning styles of the end-users
  • Marry the business context of the need to the IT training

Recommended Practices: How to update technology

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

The psychological impact of an IT upgrade is significant:  Most employees are excited to receive new equipment (larger monitor, faster PC, better tablet), but often balk at a significant change – like introducing a new version of Microsoft Office – since their daily, tried-and-tested routines might shift, and not always for the better.  Also, these changes could impact their ability to get things done, even if for just a few hours during the cut-over.

In general, various groups involved might have different perspectives:

  • CEOs and C-level executives see IT as an influential asset that should increase operational efficiencies or provide a competitive advantage – either through data analytics or by enhancing the customer experience – but they don’t want the pace of technological change to inhibit growth. [1]
  • Professionals might be more willing to accept the changes (and the pain) that go with new technology, particularly if they see how these changes will help them succeed in their roles within the organization.
  • Middle management wants things to work the first time, every time. They are glad to have new equipment, but are concerned with keeping their direct reports functional and happy.
  • Office workers have the most to gain (or lose); some might be excited by the prospect of bigger-better-newer, but none want to lose what they had, whether it was an icon pointing to a specific file on their desktop or an older, label-printing application. To many, IT can be confusing and frustrating.
  • Line workers view technology primarily as a tool; when it is broken, replace it, but make sure the new one works the same as the old one or show me how to use the new one.

The strategic objectives of an organization also play a role in the process:

  • A growing organization will want improvement, but with a strong emphasis on planning to ensure that the direction taken is suitable, now, into the near future, and beyond.
  • A stable, slow-growing organization might focus more on replacement rather than on change, preferring to avoid the pain of a significant upgrade.

Typically, the management team develops the technology plan, either internally or with an IT partner like Bryley Systems. Needs filter up through the organization, typically during the budgeting process.  The implementation then filters down through the organization.

For technology planning and implementation, we recommend these steps: [2]

  • Define needs and requirements
  • Assess and select
  • Implement
  • Train

Define needs and requirements

Identify what you have before you decide what you need; a full inventory of all IT assets can remove the guesswork and point out critical issues.  (We use Kaseya, our remote-monitoring-and-management tool, to inventory existing clients.  We also use Network Detective from RapidFire Tools to audit and assess new clients.)

Knowing what you need simplifies the decision and its timing.  Having a good handle on where the organization is now and where it is going is critical; defining what constitutes success, and how to measure it, is just as important.

Consider these needs from the context of the different groups above; try to permit these groups to define their individual requirements within the overall plan.

Requirements can be as simple as counting new PCs or as complex as determining the best-fit solution to permit a quick recovery after a disaster.  Requirements should be recorded, categorized, prioritized, and then monetized.

Assess and select

We at Bryley Systems tend to err on the side of caution; we’re rarely early adopters and we don’t want to be far in front of the pack, but we do try to keep up with the well-tested tools and hardware that will improve our efficiency, particularly when this technology impacts our clients.

We also favor these technology-selection principles:

  • Business-grade (rather than consumer-class) equipment and software,
  • Well-known, USA-based manufacturers with time-tested credentials,
  • Available updates and ongoing support, and
  • Green and ergonomic (where appropriate).

Price should not be the overriding selection factor; a long-term investment should consider all impactful areas, including:

  • Going Green
  • Length of service

Going Green

In technology, going Green is mostly about reducing energy consumption:

  • Virtualization techniques can cut energy costs by efficiently using on-premise servers to house multiple platforms, both for server-based applications and for end-user access.
  • Tablets, Ultrabooks, and small-footprint PCs with SSD drives consume less electricity than traditional PCs with internal fans and moving parts.
  • Inkjet printers use significantly less energy than laser printers.

However, other Green factors can also apply:

  • Printers that print two-sided (duplex) reduce costs and paper use.
  • Multi-purpose printers that fax, copy, and scan increase efficiency.
  • Fewer components, each with higher value, simplify recycling.

Length of Service

Most technology decisions have a span of three to five years; newer, virtualized platforms and Cloud-based options can be significantly longer.  Due to the rapid pace of change, planning horizons are typically only a few years, but consideration should be given to the longer term.

Implement

Implementations work best with planning and preparation; knowing what to expect and being prepared to deal with anomalies can shorten deployment time and minimize user disruption.

A solid, reliable series of backups should be completed and verified before starting.

We try to schedule our automated deployments to occur overnight or over the weekend, often arriving early the next business day to sort out any issues.

Train

Often overlooked and usually under-budgeted, training should be considered, particularly when deploying a software change that introduces a new interface to the end-users.

Training often occurs during implementation, usually by the implementer showing the end-user what is new.  However, pre-implementation training on any new technology platform will facilitate a successful transition.

For large-scale deployments of new technology, we recommend initial group sessions followed by refresher courses for those greatly impacted.

Sources:

  1. Dennis McCafferty, CIO Insight, “What CEOs expect from IT investment”, 4/17/2015.
  2. Brian J. Nichelson, PhD, About Money, “Keeping up with Technology – Four Steps and some Resources”, undated.
  3. Susan Ward, About Money, “Information Technology Makeover”, undated.

Bryley’s Client-Service Portal

Bryley has made significant investments in our business systems and infrastructure to enable real-time communications regarding the timeliness and quality of services we deliver. A result is that client-service requests (with resulting service tickets) may now be added, viewed, or updated through our Client-Service Portal.

This real-time environment is available 24 x 7 at www.Bryley.com by selecting “Login” from the upper-right corner of our home page.  Registered users may perform these functions:

  • View the current status and details of their service tickets
  • Enter new service requests
  • Review invoices
  • View reports

To use this capability, please contact us at 978.562.6077 to set up a username and password.  Training is also available at no charge.

Bryley Basics: Current PC configuration for office use

Recommended configuration

We recommend brand-name PCs (HP is our preference, but Dell is also a US-based company with good products) with Intel processors and these minimum features:

  • 8 GB (or more) of RAM
  • A 250 GB (or larger) fixed-disk drive
  • DisplayPort video with two monitors

We typically deploy Windows 8.1 (or downgrade to Windows 7 upon request), but Windows 10 is slated to be released this summer.  Microsoft Office 2013 is the current version; Microsoft Office 2016 will be available in late 2015.

Favored options

We like these options:

  • SSDs (Solid State Drives) – SSDs are memory-only drives with no moving parts, which makes them durable and fast. They speed up the boot process and work well for those that store large files.  Though they have dropped in price, they still add about $100 to the price of most PCs, but pay off for high-end users.  (We don’t always quote these because of their higher price, but the boot-up speed is significantly faster.)
  • Ultrabook – Ultrabook is a thin, light, durable, high-end sub-notebook with reasonable battery life. Combined with a docking station, it’s a great, mobile alternative to a desktop computer.  Due to their sleek physique, most do not have internal DVD drives and have few external ports.

Most of our staff have an Ultrabook with a docking station, which works well for the field technicians and account executives.  Many of our newer PCs have SSD drives.

PC Refresh Schedule:  We recommend developing a PC-refresh schedule, one that meets the budget and objectives of the organization.  For example: Bryley Systems replaces at least one PC each quarter, which gives us a maximum replacement-PC cycle of about four-and-a-half years for our 18 employees.

Email Best Practices

Recommended practices – Part 4:  Email use

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

Email is still the primary business application, although alternatives like texting and social media are gaining ground.  Most business people email clients, prospects, vendors, stakeholders, etc. on a regular basis; they also accept emails from the outside world, occasionally with unforeseen consequences.

Organizations should consider email use in these areas:

  • Inbound – Email received by the organization’s end-users
  • Outbound – Email sent from end-users to others outside the organization
  • Etiquette – The appropriateness of the email’s message and content
  • Archiving – The ability to store and retrieve historic email

I’ll describe the specifics and offer IT solutions to manage each area.

Inbound email

End-users constantly receive email, usually without incident.  However, one misstep in responding can lead to a malware outbreak (or worse).  Plus, failing to block inappropriate email content, even unknowingly, can lead to legal repercussions.  (For example:  An employee could object to receiving an email with explicit pornography and decide to pursue legal recourse.)

Most email-based attacks occur via an attachment; the attachment holds malware designed to activate, usually without fanfare, when the attachment is opened.  Often the email message is enticing, in disguise, or just plain compelling; the end-user believes that opening the attachment is the right thing to do.

Basic rules for opening an email:

  • Do not open email from an untrusted source; when in doubt, check it out
  • Do not click on an attachment before verifying its integrity
  • Always ask for help if uncertain

The best tool is an email-filtering service or device; a service sits outside your organization (Cloud-based) while a device typically sits inside (on-premise).

A Cloud-based, email-filtering service can improve Internet performance by reducing incoming traffic; all emails are captured by the service before they enter the organization’s Internet connection.  Some services (e.g., McAfee SaaS Email Protection and Continuity™ or MEPC) also offer email continuity, which provides the ability to receive and respond to email even when your email server or email service is unavailable.  Most email-filtering services are billed monthly on a per-user basis, requiring little or no up-front expenditure.

An on-premise, email-filtering device requires upfront expenditure, but can provide a cost-advantage solution at organizations with many users.  To calculate the true cost per user, you would figure the annual cost of the device, add the annual maintenance fee and support costs, and divide by the total number of users.

Both offer advantages; pick one or use both.  (We offer McAfee Email Protection and Continuity and our Secure Network™ as service options, but also deploy, on-premise, Barracuda’s Spam Filter, Cisco’s IronPort, and WebSense.)

Outbound email

Outbound email should be secure; you don’t want to expose confidential details to an outsider.  However, email is typically sent as plain text; the contents of the email are unencrypted and can be read, or pieced together, by others along the way.

Email typically flows in this fashion:

  • Sender composes the email; this might be on a standalone application like Microsoft Outlook or on a web-based interface like Google Gmail.
  • Sender sends the email, which ships it to the sender’s email server/service.
  • The email server/service addresses the email according to the recipient’s email domain and then forwards it to the email server/service within the recipient’s email domain.
  • Email server/service within the recipient’s email domain receives the email, verifies that the recipient exists within this domain, and then forwards the email to the recipient.
  • Recipient receives the email.

Email within an organization’s email domain via an internal email server is usually secure; an external email service must be examined to ensure messages are encrypted between the sender, service, and recipient.

Security can be enforced through encryption, and encryption policies can be applied selectively.  For example:  You can be forced to encrypt any email containing the words “social security number”, but not other emails.  Likewise, you can encrypt all email from the Accounting team while not encrypting emails from the Marketing team.

Email encryption is available via external services (we recommend McAfee SaaS Email Encryption™) or through an on-premise device (Cisco IronPort or WebSense).
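An added example of the selective encryption policy just described, written in Python; it is not code from Bryley or from any of the products named above, and the department map, phrase list and sample messages are constructed assumptions. It also shows one caveat any such gateway must handle: a sensitive phrase split across a line break in the message body still has to match.

```python
import email
import email.utils
import re
from email import policy

# Constructed directory: which department a sender belongs to (assumption; a real
# deployment would take this from the directory service or the gateway's groups).
SENDER_DEPARTMENT = {
    "accounting@example.com": "Accounting",
    "marketing@example.com": "Marketing",
}
# The two rule kinds the text describes: by message content and by sending group.
SENSITIVE_PHRASES = ("social security number", "ssn")
ENCRYPT_ALL_FROM = {"Accounting"}


def normalize(text):
    """Collapse whitespace and case so a phrase split across a line break still matches."""
    return re.sub(r"\s+", " ", text).lower()


def plain_text_of(msg):
    """Concatenate every text/plain part; the HTML alternative carries the same words."""
    return " ".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")


def evaluate(raw_message):
    """Return the encryption decision for one outbound message plus the rules that fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(msg["From"] or "")[1].lower()
    department = SENDER_DEPARTMENT.get(sender, "Unknown")
    text = normalize((msg["Subject"] or "") + " " + plain_text_of(msg))
    reasons = []
    if department in ENCRYPT_ALL_FROM:
        reasons.append(f"sender department {department}")
    for phrase in SENSITIVE_PHRASES:
        # Whole-word match so "ssn" does not fire inside unrelated words.
        if re.search(r"\b" + re.escape(phrase) + r"\b", text):
            reasons.append(f"phrase '{phrase}'")
    return {"sender": sender, "department": department, "encrypt": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real mail). The first wraps the phrase across lines.
MSG_SSN = """From: Marketing Team <marketing@example.com>
To: partner@example.net
Subject: Vendor onboarding form
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please confirm the social
security number on file for the W-9.
--b1
Content-Type: text/html; charset="utf-8"

<p>Please confirm the social security number on file for the W-9.</p>
--b1--
"""

MSG_ACCOUNTING = """From: accounting@example.com
To: client@example.net
Subject: Invoice 1042
Content-Type: text/plain; charset="utf-8"

Attached is your invoice for March.
"""

MSG_MARKETING_OK = """From: marketing@example.com
To: list@example.net
Subject: Spring newsletter draft
Content-Type: text/plain; charset="utf-8"

Draft attached; comments welcome by Friday.
"""

if __name__ == "__main__":
    for raw in (MSG_SSN, MSG_ACCOUNTING, MSG_MARKETING_OK):
        print(evaluate(raw))
```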

Email etiquette

You should consider what you are saying and how it might affect the recipient.  Even more important, for legal reasons, you should block inappropriate content and malware from being emailed by end-users within your organization.

Outbound policy enforcement and management is available as an external service through McAfee SaaS Email Protection and Continuity, which monitors outgoing email for inappropriate content and malware.  Both Cisco IronPort and Websense provide this capability on-premise.

Beyond the basics listed above, email etiquette extends to these areas:

  • Sending – Always verify grammar, spelling, courtesy, and content
  • Formatting – Don’t type all CAPS; use a white background for readability
  • Forwarding – Don’t forward emails unless relevant and desired by recipient
  • Attachments – Zip large attachments and virus check before sending
  • Privacy – Hide recipients’ email addresses when sending to a group

My favorite rules (which I sometimes break):

  • Don’t say things in an email that you would not say verbally to the recipient.
  • If your email is emotionally tinged, sleep on it overnight before sending.

For tips on email etiquette, please visit http://www.101emailetiquettetips.com/.

Email archiving

Archiving is all about reliable storage and quick retrieval; you never know what you might need to bring back to life or when it will be needed.  Saving tens or hundreds of thousands of emails can be challenging; finding the right email can be virtually impossible, but might be required at a moment’s notice.

Archiving can reduce management and storage costs while satisfying e-discovery and compliance requirements.  Archiving can also simplify requests for email histories during litigation.

We recommend these archiving options:


Bryley Basics:  Print from your mobile phone

CNet has a video demonstrating how to setup printing from your Android phone at http://www.cnet.com/how-to/print-from-your-android-to-any-printer-cloud-print/ using Google Cloud Print; we tried it and it works!

Turns out there are also options for iPhone users.

wikiHow offers these three methods to print from your iPhone:

  • Use AirPrint with an AirPrint-supported printer
  • Find a third-party printing application via the iTunes apps store
  • Send the document to an alternate device (e.g., a Windows-based PC) and print

View the article at http://www.wikihow.com/Print-from-Your-iPhone.  Or, visit http://www.cnet.com/how-to/how-to-print-wirelessly-from-your-iphone-ipad-or-ipod-touch/ for CNet’s video on setting up the first method listed above.

3 Simple Steps To Secure Your Mobile Device

Three simple steps to keep your mobile device secure:

  • Turn off the Wi-Fi capability when not using it
  • Turn off GeoLocator when not needed
  • Logout and lock when finished

See Ray Ramon’s article at http://www.smallbiztechnology.com/archive/2014/02/3-simple-ways-to-be-secure-no-wifi-no-geolocation-logout.html/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Smallbiztechnologycom-SmbNewsAndInsight+%28Smallbiztechnology.com+-+small+biz+tech+news+and+insight%29 for more information.

Bryley Basics: Encrypt your iPhone

iPhones, versions 3GS and later, offer hardware encryption; it is activated through the data-protection feature by enabling a passcode:

  • Tap Settings > General > Passcode.
  • Follow the prompts to create a passcode.
  • After the passcode is set, scroll down to the bottom of the screen and verify that “Data protection is enabled” is visible.

Note: Your encryption protection is only as good as the passcode; try to make this difficult to guess and keep it hidden.

You should also encrypt your backup for added security.  Check the “encrypt local backup” option in iTunes if you back up to your computer.  If you back up to iCloud, the backup is encrypted automatically, but be sure you have a really good iCloud password.

Maintaining your dynamic website

Guest writers: Al Morel, Carlos Ramos, and Dan Rouse of www.CommAreUs.com

Your car, your house, and most things in life take some amount of maintenance. Add your website to that list. A website can comprise thousands of files working with all kinds of tools and underlying code.

The days of ‘static’ websites, i.e. sites built with just HTML, are essentially over for most organizations. This article will speak to the steps to take when using a Content Management System (CMS) such as WordPress.

Your essential strategy is: Backup and Update.

Backup

This is your ‘get out of jail free’ option. Even if your website gets totally hacked, you forget to pay your hosting bill, or the data center in Utah gets hit by a meteor, you should still be able to roll back and get your website back up.

With a dynamic site, it’s a little trickier because you have the site files, such as the HTML, images, graphics, etc., and then there is the database, which in the WordPress scenario starts at several thousand files.

The traditional method of backing up a site involves the lengthy process of manually backing up all your site’s files, exporting your database, and finally moving everything somewhere safe. There are software additions (called ‘plugins’ in the WordPress world) that will simplify this process and even automate it for you.

We add a plugin with all of our builds that lets you quickly back up, restore, and migrate a site, oftentimes with only a single click. Most backup plugins will offer two different types of backups: full and database. Full covers all site files and the database; the database option includes only the database. The full backup is the safest bet and is generally the recommended option; however, the database-only backup might be more appropriate if you’re simply experimenting with settings on a plugin, or some other activity that only involves the database.

One key feature, and an advantage over manual backups, is that using a backup plugin allows you to set up an automatic backup schedule. For example, we recommend our clients schedule a weekly backup of the database and a monthly full backup. Manual backups can also be performed whenever needed.

In addition, most plugins have the capability to back up the site to your hosting server and to another source as well. So you can have redundant backups to a third party service such as Amazon S3.
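An added example, in Python, of the backup practice described in this section: the weekly database / monthly full schedule, a full backup that bundles site files and the database, a manifest so each backup can be verified before it is trusted, and a second copy to another location. This is not the guest writers’ code or any WordPress plugin; the schedule days, the site layout, the in-memory database dump and the use of a local directory as the “other source” are constructed assumptions.

```python
import datetime
import hashlib
import io
import json
import os
import shutil
import tarfile
import tempfile

def backup_kind_for(iso_day):
    """The article's schedule: database weekly, full monthly (constructed: 1st and Sundays)."""
    day = datetime.date.fromisoformat(iso_day)
    if day.day == 1:
        return "full"
    return "database" if day.weekday() == 6 else None

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def _add_bytes(tar, arcname, data):
    info = tarfile.TarInfo(arcname)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def make_backup(site_dir, dump_db, dest_dir, kind, stamp):
    """Write <dest_dir>/<kind>-<stamp>.tar.gz holding the database dump, the site files
    (full backups only) and MANIFEST.json with a SHA-256 digest per member. dump_db
    returns the SQL export as bytes; a real run would wrap a dump tool (assumption)."""
    manifest = {}
    path = os.path.join(dest_dir, f"{kind}-{stamp}.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        sql = dump_db()
        _add_bytes(tar, "database.sql", sql)
        manifest["database.sql"] = sha256_hex(sql)
        if kind == "full":
            for root, _dirs, files in os.walk(site_dir):
                for name in sorted(files):
                    full = os.path.join(root, name)
                    arcname = "site/" + os.path.relpath(full, site_dir).replace(os.sep, "/")
                    with open(full, "rb") as fh:
                        data = fh.read()
                    _add_bytes(tar, arcname, data)
                    manifest[arcname] = sha256_hex(data)
        _add_bytes(tar, "MANIFEST.json", json.dumps(manifest, sort_keys=True).encode())
    return path

def verify_backup(path):
    """Re-hash every member against MANIFEST.json; a backup only counts once it is
    shown to be intact. Returns (ok, problems)."""
    problems = []
    with tarfile.open(path, "r:gz") as tar:
        manifest = json.loads(tar.extractfile("MANIFEST.json").read())
        members = {m.name for m in tar.getmembers() if m.isfile()} - {"MANIFEST.json"}
        problems += [f"not in manifest: {n}" for n in sorted(members - set(manifest))]
        for name, digest in manifest.items():
            if name not in members:
                problems.append(f"missing: {name}")
            elif sha256_hex(tar.extractfile(name).read()) != digest:
                problems.append(f"digest mismatch: {name}")
    return (not problems, problems)

def replicate(path, other_dir):
    """Second copy (the article's 'another source'); a local directory stands in for
    an off-site store here (constructed). True only if the copy itself verifies."""
    return verify_backup(shutil.copy2(path, other_dir))[0]

def demo():
    """Constructed sample site; runs the monthly full and a weekly database backup."""
    work = tempfile.mkdtemp()
    site, local, offsite = (os.path.join(work, d) for d in ("site", "local", "offsite"))
    for d in (os.path.join(site, "wp-content"), local, offsite):
        os.makedirs(d)
    with open(os.path.join(site, "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed sample, not a real configuration\n")
    dump = lambda: b"-- constructed dump\nCREATE TABLE wp_options (option_name text);\n"
    results = {}
    for day in ("2015-06-01", "2015-06-07"):
        kind = backup_kind_for(day)
        path = make_backup(site, dump, local, kind, day)
        with tarfile.open(path, "r:gz") as tar:
            names = sorted(m.name for m in tar.getmembers())
        results[kind] = {"ok": verify_backup(path)[0],
                         "offsite_ok": replicate(path, offsite), "members": names}
    shutil.rmtree(work)
    return results
```

Running `demo()` returns, per backup kind, whether the archive and its off-site copy verified and which members it holds; the database-only archive contains no `site/` entries.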


Update

It is critical to schedule regular updates of your website as well. In WordPress, there are regular updates to the core code and also plugins. Your administrative interface or ‘dashboard’ will tell you when to update.

It goes without saying that no update (WordPress or plugin) should be done before a full backup has been made.  Your dashboard will go to great lengths to tell you to back up first, so don’t ignore it! Although we haven’t seen many updates go wrong, it can happen.

Generally, we recommend to our clients that updates be applied as soon as they are available for security and stability reasons.

Once you have your backup completed, proceed to the Updates screen in the WordPress Dashboard. From here you can update WordPress, plugins and your themes. If you have an update to WordPress and plugins waiting, perform the WordPress update first, then proceed to update your plugins.

It’s worth noting that recent WordPress releases install security and maintenance updates automatically to promote better security.