Vol. 19, #27 - July 7, 2014 - Issue #987
Site Security Tips
- Editor's Corner
- Site Security Tips
- Tip of the Week: Laptop Unexpectedly Waking from Sleep
- Recommended for Learning
- Microsoft Virtual Academy
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Asia Pacific
- Webcast Calendar
- MSExchange.org Exchange CON 2014 Registrations are Open!
- Register for Webcasts
- Tech Briefing
- Enterprise IT
- Cloud Computing
- Microsoft Azure
- Windows Server News
- ROI can't measure true value of cloud
- Great debate: Virtualize apps or include them in VDI images
- Keep your servers dancing to the same tune with DSC
- Take control of the Windows 8 Store with Desktop Enterprise
- WServerNews FAVE Links
- Harrier Jet Pilot Performs Perfect Vertical Landing Without Nose Gear
- Putting On Pants With No Hands
- Look Closer To See The Big Picture
- Do Not Go - Stay With Me
- WServerNews - Product of the Week
- Veeam Backup Free Edition - Free Tool for Hyper-V Backup
- SAVE THIS NEWSLETTER so you can refer back to it later for helpful tips, tools and resources!
- FORWARD THIS NEWSLETTER to a colleague who you think might find it useful!
- SEND YOUR FEEDBACK to [email protected] if you have any comments or suggestions!
This week's newsletter is all about maintaining the physical security of the site where your business has its IT infrastructure deployed. But before we examine this topic, let's start by consulting our expert in circumventing security controls--Dogbert--as this Dilbert comic strip illustrates:
Site Security Tips
Until recently I believed that most organizations needed to implement two main strategies to ensure the security of their physical IT assets and sensitive data:
- Combine network and system lockdown tools and practices (e.g. firewalls, role-based access control, etc) with intelligent monitoring/reporting.
- Implement physical security controls (e.g. pincode locks, CCTV cameras, etc) and diligently monitor their effectiveness.
I naively thought that this two-pronged approach could effectively deter criminals who tried to breach both the digital and physical security of a datacenter.
But I was wrong. The reason is that wolves often manifest themselves in sheep's clothing...
In other words, the greatest danger a datacenter faces may not be a brute-force attack (think The Rock driving a Hummer through the steel gate that guards the perimeter of the site where your datacenter is located) but the use of social engineering and other clever forms of deception to circumvent both physical and network security controls.
Consider the smartphone for example. Today's smartphones are capable of recording high-resolution video, so it's easy for a "friendly" attacker (a wolf in sheep's clothing) to stand a few feet away from you while you punch your pincode into a doorlock and record a video showing the numbers your fingers punched. The way to do this of course is to use an old dodge (trick) known to con artists: you simply hold your phone backwards against your ear nearest the door and pretend you're talking to someone on the phone. I call this an "old" dodge because in former times con artists used telescopes for covert observation of the mark. Which leads me to my first site security tip: ban smartphones, or at least their use in certain circumstances and by unauthorized individuals, within close proximity to your datacenter. And remember, if you're simply withdrawing money from an ATM or paying for something in a store with your credit card, such an attacker could obtain both your account number and pincode and end up taking a nice vacation to the Cayman Islands at your expense. So be on the alert for this dodge not only at work but also when you're shopping.
This kind of dodge can also be used to surreptitiously obtain your username and password when you log on to your company network from your computer. It could happen for example in your office if a "visitor" is nearby, or in a coffee shop when you VPN into corpnet. The stolen credentials might then be used to try to circumvent the physical security controls that are managed by your site's IT systems in order to gain physical entry to your site (or more likely to perform a data breach). Which leads me to my second tip: use a physically segregated (air-gapped) IT infrastructure for managing the physical security controls of your site. That way, if your primary business (production) network gets compromised, then at least the attackers won't be able to type a few keystrokes to unlock all the doors in your building as in the first scene of Mission Impossible: Ghost Protocol.
Of course a doorlock or user logon that requires a pincode/password together with a smartcard or biometric signature makes things a lot harder for the attacker, but they're partway there if they know your pincode/password. Which leads us to our third site security tip: always use some form of two-factor authentication.
This may get even worse if wearable technologies like Google Glass become ubiquitous in our society, as the day may come when you don't even notice that the person standing next to you is wearing such technology. To counter this, you might begin by considering where Google Glass users and laptops belonging to your employees might likely be found in close proximity to one another, for example in coffee shops. Which leads me to another security tip: ban your employees from drinking coffee off-premises! I'm just kidding of course, but the following article in Wired magazine might get you thinking about the potential for this kind of attack:
What factors are common to a successful "over the shoulder" attack? One key is trust: the attacker behaves in a way that doesn't arouse suspicion. But trust is scenario-dependent. For example, if someone wearing Google Glass was standing near me while I was punching the lockcode for my server room, I would probably get suspicious. But if I was sitting in a coffee shop in San Francisco where half the customers were wearing Google Glass, then I probably wouldn't think twice about what might be happening around me. Similarly, someone with a camcorder strapped to his hat would definitely stand out; someone using a smartphone doesn't, however. The moral? The danger may be greatest when you think there's none there. The solution, much as we'd prefer it were not so, is to be paranoid. And perhaps the greater the responsibility you have in your IT department, the more paranoid you should be. At least when sheep are around...
How does the ubiquity of smartphones and the possibility of a Google Glass future impact your own site security processes and practices? Are such concerns overblown or are they legitimate? What steps have you taken in your own organization to deter these kinds of attacks? How paranoid are you about site security for your datacenter? Share your thoughts with us and we'll pass them on to our readers. Email me at [email protected]
Tip of the Week: Laptop Unexpectedly Waking from Sleep
Tired of having your laptop wake up and almost fry your carry bag? This old but still good tip from Raymond Chen's fascinating blog The Old New Thing tells you what steps you can take to try and track down the source of these unexpected wake events:
Raymond also has a book out that is now a few years old but is still a worthwhile and entertaining read:
GOT TIPS you'd like to share with other readers? Email us at [email protected]
This week we have a few books on physical security you might want to check out:
Effective Physical Security, Fourth Edition
The Complete Guide to Physical Security
Protection of Assets: Physical Security
The Basics of Information Security, Second Edition: Understanding the Fundamentals of InfoSec in Theory and Practice
Cybersecurity for Executives: A Practical Guide
Practical Lock Picking, Second Edition: A Physical Penetration Tester's Training Guide
Microsoft Virtual Academy
Two repeat announcements from last week from the Microsoft Virtual Academy:
July 16-17: Windows Azure Pack; Infrastructure as a Service
Learn how Windows Azure Pack brings the benefit of the cloud to your datacenter. Windows Azure Pack (WAP) builds on the power of Windows Server and System Center to deliver an enterprise-class, cost-effective solution for self-service, multi-tenant cloud infrastructure and application services that runs on the hardware in your datacenter, giving you the benefit of the cloud with the customization and control you need. Learn more during this free, expert-led training on July 16-17. Register Now:
July 24: Migrating legacy Windows Server to 2012 R2 and Microsoft Azure
Out with the old! Migrate from Windows Server 2003/2008. What's the best way for IT professionals to ensure a seamless transition to Windows Server 2012 R2 on-premises and in Microsoft Azure? By getting help directly from Microsoft professionals during our July 24 Jump Start. Register now:
Quote of the Week
"Coming together is a beginning. Keeping together is progress. Working together is success." --Henry Ford
Until next week,
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.
#1 backup tool for Hyper-V. Backup of a running Hyper-V VM with VeeamZIP. You can create ad-hoc backups of live Hyper-V VMs for operational, portability or archival purposes. Download now.
Symantec Backup Exec 2014 delivers powerful, flexible, and easy-to-use backup and recovery to protect your entire infrastructure whether built upon virtual, physical, or a combination of both. Try it now.
ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files:
Measure current and voltage output from any USB device using this USB Power Meter:
Give your computer insomnia using this free tool which can temporarily prevent your machine from going to sleep:
Microsoft Worldwide Partner Conference (WPC 2014) on July 13-17, 2014 in Washington, D.C.
Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington
TechEd Europe on October 27-31, 2014 in Barcelona, Spain
TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand
Add your event
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact [email protected]
MSExchange.org Exchange CON 2014 Registration is now Open!
Registration is open for MS Exchange CON 2014, an information-packed annual event designed for busy IT Professionals within the global MS Exchange Community. This online event is hosted by MSExchange.org and begins at 10am EDT | 7am PDT | 3pm BST on Thursday, September 18, 2014. Participation is limited to 1,000 attendees, so register here today!
All registrants will also receive complimentary access to all of the Office 365 CON 2014 sessions. This popular online event took place earlier this year, but you'll receive access to view the entire event on-demand when you register for the upcoming MS Exchange CON 2014!
Register for Webcasts
Add your Webcast
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact [email protected]
The Data Skills Server Admins Should Master (WindowsNetworking.com)
Considerations for Distributed Applications in Virtual Environments (Part 1) (VirtualizationAdmin.com)
Amazon WorkSpaces review (4sysops)
How to check if your EC2 instance uses SSD (4sysops)
Announcing Microsoft Azure Import/Export Service GA (Microsoft Azure Storage Team Blog)
What’s new for Microsoft Azure Storage at TechEd 2014 (Microsoft Azure Storage Team Blog)
Windows PowerShell Networking Guide (Microsoft Download Center)
Wi-Fi Network Design Tips (WindowsNetworking.com)
ROI can't measure true value of cloud
IT leaders are looking to establish cloud value for their organizations, but defining what that value is specifically can be challenging. Learn how to go beyond the old CapEx vs. OpEx model and get a clearer idea of the current best practices for finding cloud value based on your unique business needs.
Great debate: Virtualize apps or include them in VDI images
Should you virtualize applications separately or embed them in VDI images? There is not a simple answer – in addition to evaluating how well the apps actually perform virtually, it depends on how much time and money you’ll be saving. Continue reading for a detailed look at tips and considerations you should take into account when making your decision.
Keep your servers dancing to the same tune with DSC
Configuring target computers to use a Desired State Configuration (DSC) Pull Server can be a complex process. Fortunately, this expert tip, complete with helpful visuals, walks you through all the important steps you need to know so you can connect your systems to a Pull Server correctly and keep your servers in check.
Take control of the Windows 8 Store with Desktop Enterprise
The Windows 8 Store can be intimidating and problematic for even the most seasoned IT pros – you want users to be able to install and download apps independently, but there are risks involved. Find out more about the ways in which Microsoft’s Group Policy settings work to lock down the Windows Store to help you maintain more control, and learn how to enable this feature today.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links you'd like to recommend? Email us at [email protected]
Harrier Jet Pilot Performs Perfect Vertical Landing Without Nose Gear
Pilot William Mahoney had to perform a perfect vertical landing on USS Bataan, after his AV-8B Harrier aircraft experienced a front landing gear malfunction:
Putting On Pants With No Hands
Xiao Zhiwei demonstrates how to put on pants without using your hands:
Look Closer To See The Big Picture
What you see all depends on your point of view:
Do Not Go - Stay With Me
Dear human. Do not go. Stay with me. Or at least - feed me!
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.