Vol. 19, #6 - February 10, 2014 - Issue #966
Getting Management Buy-In for Information Security
- Editor's Corner
- From the Mailbag
- Getting Management Buy-In for Information Security
- Tip of the Week: Fixing Problems with Shell Extensions
- Recommended for Learning
- Microsoft Virtual Academy
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Asia Pacific
- Webcast Calendar
- MSExchange.org: Office 365 Online Conference
- Register for Webcasts
- Tech Briefing
- Enterprise IT
- Cloud Computing
- Windows Server
- Windows Server News
- They said what?! This year's most notable cloud computing quotes
- Top 10 VDI news stories of 2013
- Even a small business can take advantage of virtualization
- Top 10 countdown of Windows 8, Office 2013 tips for 2013
- WServerNews FAVE Links
- #1 Hyper-V Backup
- WServerNews - Product of the Week
- Don't Let Bandwidth Hogs Slow Down Your Network
- SAVE THIS NEWSLETTER so you can refer back to it later for helpful tips, tools and resources!
- FORWARD THIS NEWSLETTER to a colleague who you think might find it useful!
- SEND YOUR FEEDBACK to [email protected] if you have any comments or suggestions!
This week's newsletter is all about getting management buy-in for spending time and money on improving information security in your organization. We welcome Andrew S. Baker who has contributed this week's guest editorial on this subject.
Many readers of this newsletter are in positions of responsibility where decisions can be made for IT spending within their organization. But will top-level management agree to your initiatives if they don't seem to improve the company's bottom line? And it's always important to keep your eye on the bottom line, as this classic Dilbert comic illustrates:
From the Mailbag
In Issue #964 Remote Login to Desktop PCs and the week following in Issue #965 More Remote Login Solutions we heard from a lot of our readers about the solutions they use and recommend for logging on to remote PCs so you can assist users with troubleshooting and perform other tasks. Reader feedback continues to pour in on this topic, and here's a sampling:
First, a reader named Jeff Mason (I've used Jeff's full name here as he's a published author who will likely be happy that I'm linking to his books) shared in detail concerning two tools (LogMeIn and TeamViewer) as follows:
Mitch, the illegal use of LogMeIn is one of the big reasons LMI (LogMeIn) was destined to die... Since the entire LMI (LogMeIn) structure worked on "the honor system" and, since we know there is "no honor among thieves," the LMI ship always was expected eventually to sink. I rarely knew anyone who subscribed to the "pay/commercial/business-use" LMI licensing -- actually only one commercial vendor I'm personally aware of. And the bottom line is that there was not enough difference in the "free LMI" vs. the "paid LMI" for anyone really to purchase the paid version. The paid version had some neat things, such as "central control UI" that allowed you to see some counters, updates (or lack thereof) and log entries from a central console; and, it allowed FTP directly through the client; but, those are things most people can (and do) live without. Without any true "major feature differentiation," there really was not much incentive to purchase the paid version. And again, since you (the user) were on "the honor system," many users simply rationalized along the lines of, "Well, hey, I'm just supporting a couple servers; not really commercial use." I know of a few such users who did that. And, though it may seem innocent; it's not; it is illegal; and it is taking potential profits away from LMI.
Also, regarding "forgetting to bring a report to work," just store it in the cloud -- the other part of your latest newsletter was about "Hybrid Cloud." If you get used to using Google Drive, OneDrive (formerly SkyDrive), Amazon Cloud, iCloud, DropBox, etc., your whole world will change, and you almost won't need to think about "remotely accessing your work documents that you left at home." If they are "in the cloud," and their modifications sync to the cloud, then any updates you've saved will be there, in the cloud, no matter where you are.
Regarding TeamViewer, you missed some HUGE aspects:
TeamViewer works on virtually ANY device/platform, allowing control of virtually ANY device/platform:
1) You can control virtually any Android, Linux, Mac or PC devices (yes, including tablets & phones) with TeamViewer.
2) Vice-versa also is true -- you can use virtually any Android, Linux, Mac or PC devices to control any other Android, Linux, Mac, or PC devices with TeamViewer.
So, a more accurate statement would have been:
"TeamViewer lets you remote control any Android, Linux, Mac or PC device over the Internet from any other Android, Linux, Mac or PC device" (as an aside, I believe [excepting maybe Chrome Remote] that TeamViewer is the ONLY product that has THAT high a degree of flexibility).
Additionally, TeamViewer allows you to, optionally, use a "Run-Time executable" instead of actually "installing" the product. This saves time when you have "one-off" servers at your mother's house that need to be managed, yet you have not installed TeamViewer -- so, instead, you can use the "lighter-footprint" run-time piece so that, when your mother's servers are working, and you exit, NOTHING is installed on your system.
Additionally, TeamViewer has even MORE coolness: If you desire, you can either manage all your family's servers from a central console, whereby TeamViewer's servers keep track of all your profiles/setups/servers in their UI (much like LMI did); OR, you can alternatively choose to "manage on-the fly," and just keep track of your "TeamViewer IDs" for all the clients on which you've installed TeamViewer.
Maybe you can do a "feature matrix" in one of your upcoming newsletters showing which product supports/controls/allows-control-from which platform/OS.
Best regards, and thanks for all the excellent info!
Thanks Jeff! And here's a link to Jeff's Amazon page where his books "A Social Engineering Primer - Hacking Without Hacking" and "Wirelessly Bridge Existing Network to Verizon MiFi Hotspot" can be purchased:
A reader named Kevin sent us this feedback:
The first item in your second article is JoinMe. It is from the same company that makes LogMeIn, so a lot of people will not like it. Also willing to bet, if it is still free, it will go the way of LogMeIn soon.
Remote desktop programs almost need to be sorted into "active" and "passive". Passive programs REQUIRE that the user on the other end at least be there to push "Yes" to allow you to control their desktop. Other programs require the user to click a link or type a code into the website. Some also require a small install on the user desktop, which the user has to OK. All well and good, if you have a half-way decent user, but, frankly, if you had that, you probably would be able to walk them through it on the phone relatively painlessly. Active RDP allows an admin to log in remotely without user interaction. They also require pre-installation of the software.
I was using LogMeIn for users who, 1. had problems figuring out how to get passive programs to run. and 2. my personal machines, so I could access them remotely, as no one else would be at home. I am testing TeamViewer with pretty good result for that now. For users who I need to support and have not installed TeamViewer, I will most likely use the passive RDP Mikogo:
It has a small first-time-use download and you can email the user a link that they click to get them into the session. Sadly, that means users who are kinda computer savvy. Just a caveat: before I started using LogMeIn, those users who had problems figuring out "easy" would also most likely have to have 3-4 links emailed to them, as they would also have problems figuring out how to install Mikogo's program BEFORE I could fix what they were having problems with in the first place. Led to a bit of frustration on both parts occasionally, which would then lead to more expensive home visits.
Frankly, I support a lot of home users, who pay me a total of $50 to $200 per year or volunteers for church who expect free support since they are volunteering their time. There is no way I could convince them to part with a $99.00 annual sub as LogMeIn is wanting to charge.
A reader named Joe said that he had no problem with paying for LogMeIn's solution:
I am just not understanding the ideas that the product of someone's (or a corporate) idea developed using a very valuable commodity - someone's time and labors - should be available at no cost.
Whatever product it is, it took time and money to develop and, unless the amount of time is negligible, why should a person not be compensated for his labors?
I do IT work on a full time basis, all day and every day and constantly have to defend charging for time spent doing work for customers who called me with their problem. Granted, people usually don't have a really loud complaint, but one can read displeasure when they are asked to pay for repairs to their little boxes.
Just one man's opinion, but I pay for LogMeIn and like and use it quite a bit. They even answer the phone when I call -- another service of someone's time and labor that must be made up some way.
A fair price is all I expect.
We all have lots of products that we don't use all the time but when we need it, the thing must work and to assure that, I believe it must be paid for. Whether it is a car, a shovel, a test meter, soap or whatever, if we did not pay for it we cannot expect it just to be there because we are nice guys.
Of course, this is just IMHO.
Tony from South Africa also shelled out a few Rand for a popular solution:
I'm a semi-retired IT guy and solve 95% of my customer's problems from my favourite chair in my lounge using my laptop and TeamViewer 9.
I was using the free version for a long time until TeamViewer got a little irritated (quite rightly) and would kick me off after 5 minutes for 5 minutes. I have 2 main laptops and would swop to the other one (using Radmin) until I was knocked off that and would switch back.
This became tedious so I bought a license which allows me 50 hours a month on one computer. This suits me fine and the R3100 (ZAR, not sure what that was in US$ at the time as the ZAR has taken a major fall) was very well worth it.
One of the strong features of TeamViewer 9 is that it allows you to reboot the remote computer in Safe Mode with Networking, often a necessity with troubled computers.
I didn't see a mention of Ammyy which is free and although not as fast as Teamviewer, it is useful:
Radmin is very nice but requires port forwarding in the remote router if accessing over Internet. I use Radmin for my home network:
One solution that was mentioned last week was CrossLoop, but reader Randy went to their website and reported back as follows:
Thanks for all the help and education that WServerNews provides. Went to the Crossloop site and got:
"To support our rapidly growing AVG CloudCare offering, AVG Technologies in 2012 acquired some of CrossLoop's assets, including the service provided at the www.crossloop.com website. AVG has made the business decision to no longer provide the remote support and management tools available through the CrossLoop website.
"AVG is providing a full refund on valid, active subscriptions. If you feel you are entitled to a refund but have not received one by February 28, 2014, please notify us at [email protected]"
Malcolm, who works at a consulting service in Ontario, Canada, said:
I use Splashtop ($free) to access either of my two Windows desktops from either my other desktop or my iPad. My iPhone also works at a pinch.
Excellent performance -- it just works.
But here's what another reader named Vinc said about Splashtop:
Just an FYI. We had a client struggling with slow line-of-sight internet access and tracked down some of their problems to SplashTop. I didn't look into the situation terribly closely with your cool tools but it appeared that SplashTop was streaming the user's desktops continuously. They'd have terrible upload speed, we'd disable SplashTop, and suddenly outgoing email would flow again.
My two cents.
Thanks for the great newsletter!
Cam who lives in Queensland, Australia, suggested this solution:
NeoRouter VPN is a good LogMeIn replacement.
I moved from LogMeIn Free to this product 3 years ago because of its roaming profile support and other great features.
Excellent value for money. Version 2.2 just released.
A reader named Joe from Texas, USA, recommended another solution:
We've been using ScreenConnect for several months now and all our staff absolutely love the solution.
It addresses all the key features/limitations that other solutions have. The best part is the on-premise license model where you get to purchase concurrent licenses and pay an annual maintenance. This classic approach turns out to be much less expensive than the monthly subscription options that are widely available. ScreenConnect is one of the best solutions from a technical and financial level.
Finally, Alan from Park City, Utah USA, asks the following question:
I need to set up two-factor remote access for a client. Is there any consensus on best products for this?
The client is a very cost-sensitive non-profit organization. They would prefer USB drives as tokens, but also could live with cell-phone text message techniques.
Can any of our readers answer his question? Email us at [email protected]
And now on to our guest editorial by Andrew S. Baker...
Getting Management to Buy-In for Information Security
It's 2014, and the good news is that information security is high on the agenda for small, medium and large businesses alike -- across many different industries. With the constant stream of attacks against businesses and governments, there is no question that information security needs to have a legitimate budget and adequate personnel resources.
Unfortunately, even with all of this awareness and acceptance of security and its costs, getting actual budget approval can still be pretty difficult. In fairness, organizations have a lot of areas that need funding. And, many organizations are so far behind in their security spending, that it can be overwhelming when they look at all the areas that need funding.
It certainly doesn't help that when asked, "So, will this expenditure prevent us from getting hacked?" the wise security professional will avoid making any foolish promises, but will point out that the goal of information security is not to guarantee success, but rather to reduce the likelihood and magnitude of failure. That's not exactly the kind of message that will cause business owners to immediately fund an expensive security project.
Given all this, what's an information security professional to do?
Here are some approaches that can significantly improve the odds of getting timely funding for much-needed information security initiatives.
Tie security expenditures to another business initiative
First and foremost, it is imperative that information security projects be seen as business projects, because that's what they are -- initiatives to ensure the safety of the business operations. If your organization is not yet at that point of operational maturity, then you can try the next best approach: hitch your wagon to a project that the business wants or needs to accomplish. A typical vehicle for this approach is compliance of some kind, such as PCI DSS, HIPAA or, for the federal government, FedRAMP or FISMA.
You should already be trying to make security intrinsic to your business. This is done by embedding protection into every initiative and making it part of every discussion. Whenever a new business project arises, look at where it intersects with the overall security infrastructure, and ensure that everything is up to date. If the business is deploying a new web-based platform for interacting with customers, then make sure that the parts of the infrastructure that are involved in the delivery of this service will be able to support present and future needs, such as your load balancers or business application servers.
Keep up to date with new requirements for security, such as a move from SSL v3 to TLS v1.1, or a push for AES-256 encryption rather than AES-128 (or even 3DES!). The time to make these changes is when the supporting technologies are also changing, so that the costs are spread across more than one group and the desire is generated by the business.
Taking advantage of industry or regulatory compliance initiatives is one of the best ways to hitch your wagon to a project that has been initiated by the business, because the natural alignment between compliance and security results in less "selling" to convince others of the need to implement the changes. Success with this method requires that the InfoSec leader have a good relationship with the business managers, and be knowledgeable about upcoming projects.
Obtain an external champion or executive sponsor
Before you run off to setup your big meeting with the CEO to get approval for the next big security project, consider speaking with another trusted and influential executive about what you are proposing to change or implement. The goal of this discussion is two-fold: (a) You want to get feedback about the proposal in general, so that you can identify and correct any pitfalls before it comes before the CEO, and (b) you're looking to possibly secure the ongoing support of your project by an external party to the information security or information technology team, who is influential enough to help gain broad acceptance of your project.
This is closely related to the first suggestion, and it again requires the cultivation of good business relationships with key business stakeholders and executives. While it is always important for you to be enthusiastic about the projects you are seeking to implement, it is even more important that you not be overly passionate about them. Why not? Because your projects might get rejected outright, or you might be advised to make substantial changes to the projects in order to gain approval and support.
Don't let these things adversely impact your morale. As long as the changes do not significantly undermine the proposed security benefits, you will absolutely want to cooperate with your sponsor/supporter. As the relationship grows, you will get better at how (and what) to present, and you will be given more latitude in your approach.
Your goal is to build up a track record of success, which will give you more leverage in subsequent projects.
Have a thorough game plan
Even if your business executives do really care about security, they're not going to keep track of the details like you are. This is not negligence, but business reality -- running a business has many, many facets and responsibilities. Be prepared to answer the same questions about where the current project fits into the whole scheme of risk mitigation again and again. Also, be prepared to answer broader questions than just about this single project. Occasionally, executives will surprise you by being willing to spend more on a given area, and they'll want to know what else they should do. Don't drop the ball here: know your own strategy for securing the environment well enough that you can immediately show what else could be obtained and delivered at the same time.
The only good reason to turn down a project expansion is concern about delivering it on time, given all the other priorities of the organization. Be very prudent in when you decide to play that card, but it will increase the trust factor, and might buy you an executive sponsor.
Most organizations, particularly mid-sized and larger organizations, have some sort of "business case justification" template that is used to request funding. Be familiar with that document, and fill it out in advance, so that it is clear to the senior management team that you understand the rules of engagement for business projects.
Effective communication is key
A large part of having a thorough game plan is being able to quickly and succinctly articulate that plan. If you get some time with the CEO or senior management, don't waste time discussing what is already known, or trying to oversell your point. Nothing snatches defeat from the jaws of victory better than poor communication.
Be sure to find out how much time you have to make your case, and don't assume that the whole meeting time will be allotted to your presentation. The main point of your presentation must always be this: How the proposal benefits the organization. This can be by giving it an advantage relative to its competitors, or by reducing a risk that would otherwise undermine business or lead to revenue loss.
Come armed with facts, of course, but the goal is not to overwhelm with "proof," but to show that your project is well thought out. It is a presentation about trust, not about technology or solutions, and your focus is on showing what you know about the organization's needs, how your solution addresses those needs, and how you have already collaborated with key persons in the organization to be able to integrate the solution smoothly.
Don't oversell the need for security. Your presentation time must be balanced among the following topics:
- Current challenges
- How the proposal addresses those challenges
- What this implementation means for the business (risk reduction / business benefit)
There is no need to spend 20 minutes proving that the organization needs security, when what you need to do is show how your proposal adds value to the organization through either risk reduction or revenue improvement.
Let's summarize what we have been discussing thus far. To improve your chances of getting your information security proposals funded, be sure to do the following:
- Tie your proposal to business initiatives
- Get support from key business executives at an early stage
- Think holistically about security and the organization's objectives and opportunities
- Know your plan, and be able to communicate it quickly and effectively
- Be flexible, and be enterprising
- Make sure you deliver when given any chance
Securing funding for information security is based on good planning, preparedness, and excellent business relationships. The sooner you can start working on all three, the better it will be for you and for your organization.
And be sure to make the most of every funded proposal -- no matter how small it is. Every successful delivery will make it that much easier for you the next time, and enhance your career and reputation that much more.
About Andrew S. Baker
Andrew S. Baker is the president and founder of BrainWave Consulting Company, LLC where he provides Virtual CIO services for small/medium businesses.
For more information about BrainWave Consulting, see their Facebook page:
You can also find Andrew's complete social presence here:
Send us feedback
Got feedback about this topic? Let us know at [email protected]
This week's tip was sent to us by reader Jeff Rodenkirch:
Recently upgraded to Win8.1 and VirtualBox would crash anytime a "file open" dialog box opened. I finally tracked the problem to 8.1-incompatible shell extensions from a third-party app. The ShellExView program from nirsoft.net was invaluable in tracking down and fixing this problem:
Just disable the extensions that are NOT from MS and re-enable one at a time until the problem comes back. This one took me several hours to track down. I finally found the answer on a Photoshop forum. This one can be tricky to find, as apps may leave shell extensions behind after they are uninstalled.
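As an added example (not from the newsletter, the reader, or NirSoft), here is a PowerShell inventory of the shell extensions in Explorer's Approved list that resolves each CLSID to its DLL and Authenticode signer, so third-party and orphaned entries stand out, plus helpers that disable or re-enable one entry through the Shell Extensions\Blocked key that Explorer consults before loading a handler. It assumes Windows 8.1 with PowerShell 3 or later (where Get-AuthenticodeSignature also validates catalog-signed system DLLs) and an elevated session for the HKLM writes; the function names are mine.

```powershell
# Added example, not the newsletter's or NirSoft's code. Assumes Windows 8.1,
# PowerShell 3+, run elevated for Block-/Unblock-ShellExtension. Function names
# are hypothetical. Only extensions in the Approved list are covered; handlers
# registered solely under *\shellex keys are out of scope here.

$ApprovedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$BlockedKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked'
$ClsidRoots  = @('Registry::HKEY_CLASSES_ROOT\CLSID',
                 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')   # 32-bit handlers on x64

function Get-ShellExtensionInventory {
    # Emits one object per approved CLSID: friendly name, DLL path, signer, Microsoft flag.
    $entries = Get-ItemProperty -Path $ApprovedKey
    foreach ($prop in $entries.PSObject.Properties) {
        # Only GUID-named values are extensions; skip the PSPath/PSProvider metadata.
        if ($prop.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $clsid = $prop.Name
        $dll = $null
        foreach ($root in $ClsidRoots) {
            $server = "$root\$clsid\InprocServer32"
            if (Test-Path -Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                break
            }
        }
        # Paths are often stored as %SystemRoot%\...; bare DLL names (resolved by the
        # loader search path) will show as 'DLL missing' and deserve a manual look.
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

        $signer = 'not registered'          # approved CLSID with no InprocServer32 key
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                      else { "unsigned or invalid ($($sig.Status))" }
        } elseif ($dll) {
            $signer = 'DLL missing'         # typical leftover from an uninstalled app
        }

        [PSCustomObject]@{
            CLSID     = $clsid
            Name      = $prop.Value
            Dll       = $dll
            Signer    = $signer
            Microsoft = ($signer -like '*O=Microsoft Corporation*')
        }
    }
}

function Block-ShellExtension {
    # Lists the CLSID under the Blocked key so Explorer skips the handler.
    # Takes effect for new Explorer processes, so restart explorer.exe afterwards.
    param([Parameter(Mandatory = $true)]
          [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
          [string]$Clsid)
    if (-not (Test-Path -Path $BlockedKey)) { New-Item -Path $BlockedKey -Force | Out-Null }
    New-ItemProperty -Path $BlockedKey -Name $Clsid -Value '' -PropertyType String -Force | Out-Null
}

function Unblock-ShellExtension {
    # Re-enables a handler blocked above (the "re-enable one at a time" step).
    param([Parameter(Mandatory = $true)][string]$Clsid)
    Remove-ItemProperty -Path $BlockedKey -Name $Clsid -ErrorAction SilentlyContinue
}

# Usage: show everything that is not Microsoft-signed or whose DLL is gone; those
# are the candidates to block one at a time until the crash stops.
Get-ShellExtensionInventory |
    Where-Object { -not $_.Microsoft } |
    Sort-Object Signer, Name |
    Format-Table CLSID, Name, Signer, Dll -AutoSize
```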
GOT TIPS you'd like to share with other readers? Email us at [email protected]
Some books on Windows security to check out:
Windows Server 2012 Security from End to Edge and Beyond
Group Policy: Fundamentals, Security, and the Managed Desktop
Thor's Microsoft Security Bible: A Collection of Practical Security Techniques
Protect Your Windows Network: From Perimeter to Data
Microsoft Virtual Academy
February 11: Faster Insights to Data with SQL Server 2014 Jump Start
Are you all about data discovery, visualization, and collaboration? If you're trying to make sense of ever-growing piles of data, and you're an Excel power user, get ready for Power BI. Excel is now even more powerful with Power BI for Office 365 and the new tools you need to provide faster data insights to your organization. Join this demo-rich Jump Start and learn about Power Query, Power Map, and natural language querying. This live session provides a full-day drilldown into Power BI features and capabilities, led by the team of Microsoft experts who own them. Register here:
Free ebooks from Microsoft Press on MVA
Microsoft Virtual Academy (MVA) is pleased to announce that we now offer free ebooks from Microsoft Press. From technical overviews to drilldowns on special topics, these free ebooks are available in PDF, EPUB, and/or Mobi for Kindle formats, ready for you to download. Take advantage of these great resources, and be sure to check back -- more books will be added as they're released. See available ebooks:
Quote of the Week
"If you are not learning new things, you stop doing great and useful things." - Satya Nadella, Microsoft's new CEO as quoted on Business Insider from his First Email To Employees As New Microsoft CEO
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.
Admin Tools We Think You Shouldn't Be Without
With Veeam, you can sleep knowing that your data’s under control, your backups are fast, and if a VM goes down or someone needs a file right away, recovery is just a few clicks away.
Server performance problems? Find out why with FactFinder Express. See whether the issue is a slow app, slow SQL requests, or a CPU/Memory/Disk bottleneck. 30 day free trial.
This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet:
VisualEsxtop can connect to VMware vCenter Server or ESX hosts, and display ESX server stats with a better user interface and more advanced features:
Generate Exchange environment reports using PowerShell:
Lync Conference 2014 on February 18-20, 2014 at The Aria in Las Vegas, Nevada
SharePoint Conference 2014 on March 3-6, 2014 at The Venetian in Las Vegas, Nevada
Microsoft Dynamics Convergence 2014 on March 4-7, 2014 in Atlanta, Georgia
Microsoft Exchange Conference (MEC 2014) on March 30-April 2, 2014 in Austin, Texas
Microsoft Build Developer Conference (Build 2014) on April 2-4, 2014 in San Francisco, California
TechEd North America on May 12-15, 2014 in Houston, Texas
Microsoft Worldwide Partner Conference (WPC 2014) in July, 2014 in Washington, D.C.
Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington
European SharePoint Conference on May 5-8, 2014 in Barcelona, Spain
TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand
Add your event
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact [email protected]
MSExchange.org: Office 365 Online Conference
- Hear from a top analyst from Osterman Research with the latest survey research on Office 365 & MS Exchange top trends and challenges
- Learn how vendors are solving some of the biggest Office 365 Exchange issues and problems
- Get answers to your questions from the expert panel of Microsoft MVPs.
All from the convenience of your office, on March 6, 2014
This unique, online conference is limited to 1,000 participants, so register today!
Register for Webcasts
Add your Webcast
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact [email protected]
Dell Driver CAB files for Enterprise Client OS Deployment (Dell TechCenter)
Application Virtualization Smackdown: Head-to-head analysis of Cameyo, Citrix, Numecent, Microsoft, Spoon, Symantec and VMware: 2014 edition (Brian Madden)
How to Move Computers in and out of a Group Policy (Third Tier)
How to Best Control a Private Cloud Environment (Data Center Knowledge)
Coming in 2014: Cloud Sprawl, Personal Clouds and More (Data Center Knowledge)
Amazon Rivals Collaborate: Dell, Microsoft Unveil Cloud Partner Ecosystems (Data Center Knowledge)
Internet Security is a failure (Paul's Journal)
SHA1 Deprecation Policy (Windows PKI Blog)
Video: Securing Service Accounts - Part 2 (WindowSecurity.com)
Step-By-Step: Creating a Tiered Storage Space (CanITPro)
Step-By-Step: Enabling Disk Performance Counters in Windows Server 2012 R2 Task Manager (CanITPro)
Free Up Disk Space on Windows Server 2012 (CanITPro)
They said what?! This year's most notable cloud computing quotes
There are many self-proclaimed cloud experts across the IT industry today that voice their opinions on popular cloud topics. Inside this exclusive tip, the SearchCloudComputing.com editorial team compiled the five most memorable cloud quotes of 2013.
Top 10 VDI news stories of 2013
Thanks to an explosion in VDI options from major contenders like Citrix, VMware, and Amazon, and advancements in the tools and techniques available for managing VDI's fluctuating workloads, 2013 was truly the year of wide VDI acceptance. Review the top 10 VDI news stories of 2013 in this recap.
Even a small business can take advantage of virtualization
Virtualization is often referred to as a luxury that only large enterprises can afford, but there are cost-effective ways for small businesses to take full advantage of this trend as well. Access this guide to learn why small businesses need virtualization, how to afford it, and steps to take to support it.
Top 10 countdown of Windows 8, Office 2013 tips for 2013
Windows 8 and Office 2013 were popular topics of debate among desktop admins and users across the IT industry in 2013. Inside this exclusive recap, explore a roundup of the top 10 tips of 2013 to find out what made your peers' must-read lists last year.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]
It is not easy to find a parking spot in Moscow. When you find one, you go for it, using any driving and drifting skills you have acquired.
Does that mean that a soft moon landing is out of the question for the time being?
The Chrysler 200 Super Bowl 2014 Commercial presented by Bob Dylan and also featuring American icons such as Marilyn Monroe and James Dean.
Maurizio Sera put a GoPro on top of his BMW and drove from Hollywood to Washington DC, snapping a picture every 2 seconds. Wanna see the result??!