Vol. 19, #35 - September 1, 2014 - Issue #995
This week's newsletter is all about implementing cloud computing in the shadows of your organization. That's when an employee or department surreptitiously begins making use of a public or hosted cloud service provider's offering without first getting the necessary authorization from your organization's management. Of course, it's not only your employees who may sometimes operate in the shadows; you also need to watch out for your vendors, as this Dilbert comic strip hints:
Last week in Issue #994 Account Lockout Flame Wars we looked at the strongly diverging opinions within the IT pro community concerning whether to use account lockout in Active Directory environments. Here's a sample of the feedback we received on that issue.
Rob, a Technical Lead for the Security Team of a large enterprise, sent us this feedback:
There is another consideration regarding account lockouts. Account lockouts can be used to create a DoS situation and shut down users, or manufacturing systems, and plants. The risk has to be examined and properly considered in light of defense in depth measures. Brute force attacks can be identified and blocked automatically, without requiring account lockout policies. Every environment is different, and many times there are different environments within the same organization such as the LAN versus DMZ. We do not use account lockouts on our LAN, but they are mandatory in our DMZ.
I asked Rob if they implemented account lockout on their DMZ servers using local GPOs and he replied:
Our DMZ systems are not members of our internal Windows Active Directory. They are standalone servers, with their own local accounts and policies...
Yes, local GPOs are configured to lock out accounts. Our DMZ is very strict about traffic entering our network; additionally we have IPSs at all choke points including the firewalls, and IDSs monitoring all traffic through devices that support NetFlow. We are in the process of implementing Symantec Critical System Protection, which has the ability to monitor and alert on brute force attacks. I am uncertain if it will drop the attacker's session upon detection.
We had suffered a near total lockout of accounts some years ago while we were beginning to implement our internal firewalls. These internal firewalls restrict inbound traffic from our global network of affiliates, HQ and others. Once the firewalls were in place we took extra care to allow only authorized inbound traffic, and were particularly interested in blocking inbound requests from outside desktop subnets to our own desktop subnets, to prevent the propagation of worms. This has worked very well for us, but took a lot of time and work to identify our corporate subnets globally.
I also asked him if he could recommend any products or solutions for automatically blocking brute force attacks and he replied:
Cisco IPSs can be configured to detect/block brute force attacks, and probably most other IPSs as well [see Detecting Account Brute Forcing on this page]:
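To make Rob's distinction concrete, here is an added example (not from the newsletter or either reader) that runs a source-based brute-force detector and a per-account lockout counter over constructed logon records shaped like Windows Security events; the thresholds, account names and addresses are assumptions made for the example.

```python
# Added example, not from the newsletter: source-based brute-force detection
# versus per-account lockout, over constructed Windows-style logon events.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: time,event_id,account,source_ip
# (4625 = failed logon, 4624 = successful logon).
SAMPLE_LOG = """\
2014-09-01T08:00:01,4625,alice,10.0.0.5
2014-09-01T08:00:09,4624,alice,10.0.0.5
2014-09-01T08:01:00,4625,bob,203.0.113.7
2014-09-01T08:01:01,4625,carol,203.0.113.7
2014-09-01T08:01:02,4625,dave,203.0.113.7
2014-09-01T08:05:00,4625,helpdesk,192.0.2.9
2014-09-01T08:05:10,4625,helpdesk,192.0.2.9
2014-09-01T08:05:20,4625,helpdesk,192.0.2.9
"""

def parse(log_text):
    for line in log_text.splitlines():
        ts, event_id, user, ip = line.split(",")
        yield datetime.fromisoformat(ts), int(event_id), user, ip

def flag_sources(log_text, window=timedelta(minutes=5), threshold=3):
    """Flag a source IP that, inside a sliding window, spreads failures over
    `threshold` distinct accounts (a spray) or fails `threshold` times."""
    recent, flagged = defaultdict(deque), {}
    for ts, event_id, user, ip in parse(log_text):
        if event_id != 4625:
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:        # drop entries outside the window
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) >= threshold:
            flagged[ip] = f"spray across {len(accounts)} accounts"
        elif len(q) >= threshold:
            flagged[ip] = f"{len(q)} failures within {window}"
    return flagged

def locked_accounts(log_text, threshold=3):
    """Per-account lockout: consecutive failures, reset by a success.
    The spray locks nobody, while the hammered account is locked for its user."""
    fails, locked = defaultdict(int), set()
    for _, event_id, user, _ in parse(log_text):
        if event_id == 4624:
            fails[user] = 0
        elif event_id == 4625:
            fails[user] += 1
            if fails[user] >= threshold:
                locked.add(user)
    return locked
```

Run on the sample, the source-based detector flags both attacking addresses while leaving alice alone, whereas the lockout counter locks only the helpdesk account and misses the spray entirely.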
A reader named Sam took a somewhat different view concerning account lockout and shared the following story and some recommendations with us:
The following is a real event: a large health organization hired an intern to work in the accounting area. There was no lockout policy, and she downloaded the personal information of about 10,000 patients. She said that she just kept trying different passwords until she cracked the patients' database. Her boyfriend was caught selling the information online, and now both are serving time in a federal prison.
We are for strong account lockout policies. Here is some of our reasoning:
A. Not having a lockout policy is akin to not having a login password; yes, there are those who rebel against that basic security requirement. In our opinion they just don't care for the consequences of their inactions.
B. It defeats the purpose of securing a network and therefore is completely unacceptable. Plainly: "What is wrong with you, can't remember your own created password?"
C. Given all the types of attacks that networks face today, not having a lockout policy is against any first line of defense against hackers (DoS, sensitive data breach, etc.). Imagine leaving your house front door unlocked forever, hoping that nobody ever turns the knob!
D. In large enterprises, all types of assorted individuals work, most are decent and trustworthy but the larger the enterprise the more likely that the security breaches come from within (WikiLeaks, Target).
E. As for it being an administrative nightmare, some suggestions:
1. Remote unlock; it takes less time than fixing a corrupted database due to... paperwork to explain to superiors how the "event" happened... interacting with law enforcement, etc.
2. Strong HR policies including verbal warnings, write-ups, probation and termination for abusive users.
3. Fix those apps that are causing problems (what else are they not doing correctly? Maybe time for an upgrade).
4. Make time for managing your lockout policies (yes, plural: like a policy for smart cards (they do go bad also, and then? Plan B is?) vs. keyboard, fingerprint, retina scan, etc.).
5. Lockout policies are not a panacea so don't forget to include other policies like time limits policies, no flash drive download, no emailing of certain types of info, diagrams, R&D, etc.
6. Continuous review of security policies, for no static policy is infallible.
Our philosophy is basically to be prepared for the worst and to make preventive policies a way of operations (paranoia approach), because they are out to get us! Lockout policies are a significant part of the overall security policy of the network, alongside physical security and others. Our lockout is set to 3 attempts. After a period of adjustment, it has worked really well; at the beginning there were many calls for unlocking, and now very few, mostly from new employees. The only way to shape the enterprise security culture is with strong measures like a lockout and, if it continues, a trip to HR for disciplinary counselling.
Got more thoughts on this matter? Email us at firstname.lastname@example.org
And now on to the main topic of this week's newsletter...
A friend of mine, Yuri Diogenes, pointed out an article called "Shadow cloud services pose a growing risk to enterprises" on ComputerWorld that you can read here:
The article is about the risks involved when individuals or departments within a company decide to sign up for cloud services without first gaining the blessing of management.
But before we get to this, if you're on Twitter you may want to follow Yuri:
Anyway, of course "shadow IT" has been around as long as computers have been available and readily affordable. Copying company data onto removable storage so you can take it home to do your work is an example of end users doing an end run around the controls IT has put in place to safeguard sensitive business information. The endless proliferation of SharePoint sites could also be considered a form of shadow IT, since most of the time such sites are self-provisioned without any oversight from the IT department. Other examples of shadow IT can range from setting up unauthorized WiFi access points to deploying whole Active Directory domains of PCs with their own DHCP servers.
And then there's the cloud.
One can argue that the main driver behind business units surreptitiously signing up for cloud services with a public or hosted cloud provider is the backwards-looking, overly restrictive resistance to change shown by IT departments in large organizations. Because of such inertia, and because employees are driven to perform in order to be rewarded (or at least not be penalized), it's becoming commonplace for those whose workflow can benefit from cloud-based services to simply go ahead and secretly implement them in the office.
The problem with this, as the ComputerWorld article points out, is that IT infrastructures operating in the shadows like this are not really parallel at all. They touch the company's own infrastructure at various points, and each point of contact can become a vector for new forms of attack on the company's business assets. The problem is magnified as cloud services become cheaper, more powerful, and easier to sign up for and use.
How can cloud-based shadow IT like this be controlled? Should it be controlled? What controls, technical or policy-based, has your own organization put in place to limit the possible damage that may occur from cloud-based shadow IT being present in your environment?
Share your stories and suggestions with us and we'll share them with our readers so they can help make their own workplace more secure by emailing us at email@example.com
And be sure to check out the Tech Briefing section of this issue for more links to some thought-provoking articles on this topic.
Earlier this year we examined various remote login solutions in two issues of this newsletter, namely Issue #964 Remote Login to Desktop PCs and Issue #965 More Remote Login Solutions. Subsequent issues discussed additional remote login solutions in their Mailbag sections. Of course, one important use of remote login is to provide remote support for users, both for businesses and consumers.
Along those lines I recently came across a resource you might want to check out. It's called "Call That Girl's Guide to Remote Support", and it's an eBook series about how to set up and run a business that provides remote support to other businesses. It was also written for working technicians who need to learn remote support skills; as our industry moves further into the cloud, the skills you will learn are invaluable. An aspiring networking student who is preparing for a career in the IT industry can also take many of Lisa's tips along to their next job. Learning valuable remote support customer service skills is critical in today's fast-moving support world. Included with purchase are documents and templates, and you can read more about the eBook here:
You can also email Lisa directly with questions about the eBook at Lisa@callthatgirl.biz
GOT TIPS you'd like to share with other readers? Email us at firstname.lastname@example.org
There's a new section on TechNet called "Solutions guidance for IT professionals" that provides links to Microsoft solution content that's designed to help IT professionals solve real business problems. Check it out here:
Support for Windows Server 2003 ends on July 14, 2015 as you can read right up front here:
Here are some Microsoft Virtual Academy courses that can be of help to you when you plan migration of your infrastructure from Windows Server 2003 to Windows Server 2012:
Migrating to Windows Server 2012 Training
Transform the Datacenter Immersion V3
Virtualizing Your Data Center with Hyper-V and System Center
Licensing Windows Server 2012 R2
"Rail travel at high speeds is not possible because passengers, unable to breathe, would die of asphyxia."
--Dionysius Lardner, Professor of Natural Philosophy and Astronomy at University College, London (1830)
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at email@example.com and we’ll try to troubleshoot things from our end.
AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting:
My colleagues tell me that the SB6141 is the cable modem they highly recommend for small businesses:
Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington
TechEd Europe on October 27-31, 2014 in Barcelona, Spain
TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact firstname.lastname@example.org
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact email@example.com
We'll start off this section with links to some articles on the topic of cloud-based shadow IT:
How to manage shadow IT in the cloud (CloudPro)
Shadow IT Reality Check: Survey Shows IT Pros Are The Worst Offenders (Information Week)
Shadow IT: Far Bigger, Less Manageable And More Important Than You Think (ReadWrite)
Shining the lights on shadow IT in businesses (SearchCloudComputing)
Cloud & The Fuzzy Math of Shadow IT (Information Week)
Wrangle Shadow IT and Empower BYOD with Hybrid Cloud (Green House Data)
And now on to some other IT tech briefings...
The 6 Requirements of Enterprise-grade OpenStack, Part 3 (CloudScaling)
Cloud and Datacenter Strategy Workshop (Microsoft Download Center)
Why offsite backups are no longer enough – The Code Spaces case (4sysops)
It was a Monday morning… (Third Tier)
Azure Enhanced Monitoring for SAP (Azure Blog)
SAP Business Apps to Run On Microsoft Azure (Data Center Knowledge)
Some Mobile Phone Related Security Reading and Videos (Third Tier)
How The World Cup 2014 Affected Mobile Data Usage (The Citrix Blog)
The Internet is used for everything from information gathering and communications, to home monitoring and vehicle control, bringing about the term "Internet of Things" (IoT). Learn all about this trend and how combining it with the cloud can bring you IT superpowers.
If you have the right architecture and combo of flash and disk storage, you can keep your costs reasonable while taking advantage of the rewards that come with flash. Learn about the top three expert and achievable ways you can start to implement your hybrid approach to storage today.
The two virtual machines options for Windows Server 2012 R2 are Generation 1 and Generation 2. A Generation 2 VM is a newer addition, but despite its improvements and benefits, it still suffers from some overbearing requirements and unfortunate limitations. Learn about Generation 2's drawbacks and compare them to its benefits today.
Despite the many benefits associated with the cloud, many companies still worry about its vagueness and continue to have understandable security and privacy concerns when it comes to their data. Find out what resellers and cloud services partners are doing to help address and ease some of these hesitations today.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at firstname.lastname@example.org
A homemade hovercraft made from polystyrene insulation board and powered by a hand vacuum:
The biggest remote-controlled paper plane ever built crashes spectacularly in Denmark:
Subaru Driver Patrick Richard and Co-Driver Alan Ockwell push hard at Rallye Baie Des Chaleurs 2010 when disaster strikes ... but in true Rally spirit, they press on:
Ozzy, the Welsh Border Collie, is the World's #1 rope balancing canine:
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Master of Business Administration program.