Practicing good information security means more than just turning on a box or installing software and assuming your business is in the clear. Educating the workforce is a great way to practice good security. Another method (and the purpose of today’s post) is periodic testing of equipment and systems to ensure that they are truly protecting your information. Penetration testing is exactly that -  testing your implementation for holes and gaps that could potentially lead to compromise of your business information.

David Maynor, makes a good point in his article about zero-day penetration testing. New attacks appear daily and without warning (known as zero-day attacks). Many times, the technology itself can’t protect against these type of attacks, and they are the most dangerous. Penetration testing looks for these types of vulnerabilities in your systems, and allows us to set up generalized mitigation techniques that will go “above and beyond” the technology itself to secure your business resources. Even though it is difficult to anticipate specific attacks, a good security professional is aware of new issues associated with specific technologies, and can employ measures such as better configuration, education and patching to strengthen the system.

At Etnacom, we have nearly 10 years of experience in all realms of information technology (industry, government and academic) that allow us to test the security of technologies that reside within your organization. We have the tools, knowledge and manpower to assist you in keeping your most vital business resources safe from outside threats.

Spanair 5022 (from Wikipedia)

It has been over 2 years since Spanair Flight 5022 crashed, killing 154 people. MSNBC recently released this article, which mentions that undetected malware could be to blame. As the world becomes more technology dependent, we need to take more steps to ensure safety. It is simply not responsible to allow systems to be interconnected without putting appropriate safeguards in place.

This incident is emerging proof that we live in a world where security sensors and checks on computer systems could mean the difference between life and death. Even in a perfect world (without malware and threats) we would still need to worry about human error and software malfunction.

Can we stop all malware? No. But we can take steps to minimize the impact of malware and reduce risk wherever possible. Monitors and machines that support life or even affect life are obviously those with the highest risk and should operate under the most stringent integrity checks.

In this particular case, the medium with the malevolent payload was a USB thumb-drive. This form of removable media could have been infected with malware, thus infecting the entire system. This leads us to ask: What are the security policies in place at this airline? What are the security policies at any establishment where lives are at risk?

This is a great time to reflect back on the nature of your own organization and think about the systems that you are running. Does your computer network handle systems that could harm others? Does it hold private or confidential data about your company or more importantly, your customers? If so, it might be wise to consider the risks associated with introducing foreign media onto the network.

MD5 Hashes Explained

For those of you that know what an MD5 hash is, feel free to skip this section. Otherwise, read on. An MD5 hash in simplest terms is a digital “footprint” of a piece of data. That data could be a message, a computer program, a music file, or anything else that occupies data storage. It doesn’t matter how large the file is – an MD-5 hash is usually 128 bits. An algorithm creates a “hash” of the data (for more information on how a hash function works, take a look at thisWikipedia article). The most common application for a hash is to verify the integrity of a file – if you generate a hash, change the file, and then generate a new hash, the hashes will not match. This helps to determine if a file was changed either on purpose or by accident (such as being corrupted in a download). Another important fact is that a hash function is one-way – that means there is no way to recover the original data from the hash itself. The only way to see if a particular piece of data corresponds to the hash is to run the algorithm against the data you think the hash might be for and see if the algorithm yields the same output. Basically, brute force it, or guess and check.

In recent years, researchers found quite a few vulnerabilities in both the MD5 hash and SHA-1, another one-way hash function. These vulnerabilities could compromise the intent of the hash function and could theoretically allow someone to make changes to the file which are undetected by the hash function (in other words, the hash would stay the same after the change). The most secure implementation of the one-way hash at the moment is the SHA-2 algorithm, so if you’re looking for the best, use that.

Obviously, the hash function in the CYBERCOM logo is meant for decoration, and to get some attention. I guess it worked.

So, while there may be specific reasons for personally choosing to use Windows, Mac OS or some form of Unix/Linux, there aren’t many compelling reasons to adopt a standard approach for business. Choosing an environment and operating system depends on your personal preference and what your needs are; for example, designers tend to choose Mac OS due to their support for high-quality design applications and aesthetics, while software developers may prefer Linux due to high levels of customization and uniform compatibility.

Many businesses tend to think that all computers need to be of one specific type or platform. I have personally seen large businesses do this, and although I don’t agree with it I do understand the reasons (mostly cost and configuration issues). A small business usually doesn’t have these types of issues, and can actually be more robust and successful by having a mix of machine types and platforms (Etnacom is proof). A common misconception is that there might be extra configuration or specialized software needed during setup and operation. In reality most basic networking tasks (such as file sharing, instant messaging, e-mail and anything requiring a web browser) are platform-independent can be done natively on both platforms.Also, platform diversity actually enhances overall network security, since most worms and viruses propagate among machines of the same platform. By diversifying the network, it is much more difficult for malicious activity or an outage to completely halt operations.

At Etnacom, we embrace personal preference. I choose a Mac because of its roots in Unix. Paul has he his operational and managerial reasons for using both a PC running Windows and a second PC running Linux. Our wider range of knowledge allows us to better address our customers’ needs because between the two of us, we can work a wider variety of issues and capabilities across platforms.

We know that we haven’t posted much on our blog lately, and we’re sincerely sorry for that. Stay tuned, because we have plenty of new posts on the way!

Courtesy of Getty Images

I’m entering my sixth day of cabin fever in the Baltimore / DC area, and it hasn’t been as quiet as I’ve expected. I’ve actually been receiving calls from a number of clients who are also snowed in but need to access their work files in order to keep business running. After taking calls on a number of issues, I’ve separated them into three categories:

• “Help! Can I access any of my work files from home? I’ve never done it before but really need to get in!”
• “Help! We set up remote access and VPN months ago but I never use it. I don’t remember how to use it / can’t get it to work / don’t have it set up on my computer anymore.”
• “I’m safe and working from home! Since I’m online, can you take care of a couple of projects / small tasks for me?”

Ideally, I would like to see all of my clients fit into the third bullet. I understand that some businesses don’t require extremely advanced technical systems, and sometimes it’s just not in the budget. However, a snowstorm such as the one that is just starting to wind down in the northeastern U.S. might force a few business owners and managers to re-evaluate change and continuity plans across the board. It certainly pays to at least consider the impact of various events (man-made, natural or otherwise) on the business. Even if the ultimate result is that it is not worth the investment in countermeasures, at least you know what you’re in for.

What you might find from this exercise is that countermeasures actually aren’t that costly. Here are a few relatively inexpensive countermeasures that we can employ for a small business. Given the current weather and its anticipated consequences, I’ll use the case of a family-owned insurance agency.

XYZ Insurance agency operates out of a small shopping center in Montgomery County, Maryland. With the growing number of power outages, roof collapses, car accidents and other calamities, it’s safe to assume that XYZ Insurance is pretty busy handling claims right now. Unfortunately, the employees of XYZ can’t even get out of their driveways and down the street. Even if they could, the shopping center where the offices are located can’t clear its own parking lot. There’s just no way to get to the office.

Normally, this would be a catastrophe. However, just a few simple measures in what I will call an “emergency plan” (some larger organizations call it a COOP, or Continuity of Operations Plan) helped XYZ to keep moving and be highly effective for its customers, even when XYZ itself had some considerable issues in the snow. Let’s talk about a few of these measures:

1. On the company’s letterhead, answering machine, website (and just about anywhere else their phone number is posted), XYZ has an “emergency line” displayed. This line is designed for after-hours usage and any other time that the office can’t be contacted. The emergency line is actually a Google Voice line available free to anyone with a Google Account (also free) but by invitation. Google Voice provides such features as call forwarding to any number of telephone numbers (such as employee mobile or home telephones), voicemail transcription, and more. Now XYZ’s employees can be reachable to clients from an alternate location. Did I mention that Google Voice is free?
2. XYZ keeps some pretty detailed records on clients in their database, including contact and policy information. This is run on an internal server for security and privacy reasons, but the server isn’t actually located in the office – it is in a safe, reliable data center behind a trusted firewall. While keeping a hosted server could cost various amounts of money (anywhere from $40 per month into the thousands), it doesn’t cost anything to extend access to employees working from home. It’s as easy as installing VPN software provided by the hosting company. Luckily, XYZ thought ahead and ensured that employees had home access to systems in case of an emergency.
3. Most importantly, clients need to be aware of what is going on and why XYZ is not reachable at the office. They also need to be comforted in knowing that this isn’t a problem and that the company is still available to help. By placing an emergency message on their website with current status, most customers can be reached. Additionally, the office voicemail was changed to also reflect current status.

As one of the only local insurance agencies able to stay ahead of the snowstorm, clients praise XYZ for being there when they are needed. The company capitalized on this success and marketed its ability to be “local and available”, leading to new customer lead generation and increased profits.

In the end, XYZ was able to stay ahead of the storm’s incapacitation. What was the cost to implement this plan? Surprisingly, it was absolutely free. The only cost was some prior thought and planning.

I do agree that sometimes it requires an outside perspective to start thinking of an emergency plan. Here’s my shameless plug! If you need help putting together your COOP or emergency plan, especially when it comes to leveraging IT and systems resources during an emergency, I can help. I’ve done it for a number of clients, both big and small. Don’t forget that I have the free consultation guarantee – try before you buy!

If you’re in the northeast U.S. – stay warm and be careful digging your cars out!

Personally, I tend to follow the Getting Things Done (GTD) approach fostered by David Allen. There are many other strategies that can be just as successful. However, if you’re a techie like myself, you may find yourself struggling to find software that best fits your personal organization scheme. I’ve been struggling with that question for a long time, and I finally found a solution. Yes, I do think that simplifying my life a bit is certainly part of the answer, but life gets busy, no matter what. For a long time, I sought a solution that could help me keep information from all parts of my life in one spot. A couple of months ago, I found my solution and it has been working wonderfully. I call it “life by CRM”.

CRM, as you may know, stands for “Customer Relationship Management”. It is one of the bigger business buzzwords these days, partially because we’ve entered the age where software to manage CRM is available and relatively inexpensive. It’s popular among sales teams and project managers for its strength in measuring customer requirements, tasks and interactions. SalesForce.com is one example of CRM software – other examples include Microsoft Dynamics and my personal and professional favorite, Highrise. Highrise is a web-based CRM manager created by 37signals.

Let’s back up to how businesses use CRM. It’s strengths are in tracking contacts, interactions and tasks, to keep it simple. Isn’t that how personal life is structured as well? When running personal errands, there’s usually something to do, something that happens and someone to do it for. Many people like to keep track of their personal errands in some sort of journal or diary. CRM is a journal that’s in electronic form and tailored to help you get things done.

Being that Highrise is my CRM tool of choice (and what I use for both business and personal), I can share my strategy for keeping my life organized. Here’s a screenshot of what my Highrise looks like (with some proprietary data conspicuously hidden):

When I log in I can see a “Journal” of recent entries, including my notes, e-mails, tasks and so on. I can also see upcoming tasks, which I can complete and assign categories to. On the top of the page, I can view my contacts, tasks, cases, deals and tags. Cases and Deals are great. They are special groupings of notes, e-mails and tasks that pertain to one particular initiative. Cases and Deals are very similar, but Deals pertain to initiatives when there is an incoming sale. You can keep track of bid information and whether or not the deal was won. Tags allow you to assign categories to various people, companies, cases, and so on. This is all set on top of a pretty powerful set of permissions, if you’re going to allow multiple users to access the system. I’m not going to go into too much detail about the product – you can access a tour on the Highrise website.

What’s important to me is that I can use this Web-based contact / case / task / sales / Rolodex manager to help me stay on top of everything that I need to do. As a part-time consultant, I am constantly trying to keep up with shifting needs, changing priorities, and multiple updates from clients and vendors on a variety of issues. Highrise is uncanny in it’s ability to help any kind of professional like myself stay on top of this and update case files easily. When I need to fulfill a request, I add a task and categorize it. When I receive new information or have an interaction with someone, I can add notes or forward e-mails. At the end of the day, Highrise is the best tool for me and helps me to stay agile.

This doesn’t just translate to my professional work, either. Highrise CRM’s organization capabilities help in my personal life, too. My fiancé and I are planning our wedding and this tool helps us keep on top of our vendors, financials, and everything that we need to do before the big day. Being able to search for a receipt or for conversations from a specific person or company works great! It is especially useful when something doesn’t go as planned and need to go back to a previous conversation to verify what was said. I’m sure many have been in a situation like that.

Although I strongly advocate Highrise, please understand that I have some specific needs and operate in a specific way. Highrise is a perfect fit for a small company with many different things going on – most of them short-term. If you are a larger organization or operate in a different manner, different software might work better for you. I’ve worked for medium-sized businesses that have used Microsoft Dynamics with great success. I’ve worked with startups who use SalesForce.com and it is a disaster, while other startups wouldn’t want to use anything else. It is all about finding a solution that meets your needs. I can certainly assist anyone looking to determine how to leverage the benefits of CRM software or just boost productivity in general.

I invite you to keep this discussion going. What sort of CRM or web-based productivity software do you use (or have used in the past)? How has it worked for you? Feel free to share success and horror stories. Perhaps I’ll even share some of my own!

During some routine maintenance on this client’s domain names (i.e. name server and contact changes), we realized that the domain was not registered to the corporation, but rather an individual who had not been employed there for a number of years. The client requested that I change the contacts to reflect the corporation’s ownership and list the name of the CEO. Simple, right?

Apparently not. I logged into the Register.com control panel to update the registrant’s contact information, but received a notice saying that the domain was “locked” and that the registrant could only be changed with a “change of registrant” form. This was confusing. Why was the domain name locked? There was certainly no setting in the control panel to lock or unlock a domain name. This seemed like an arbitrary setting with no rationale. Perhaps the domain name was registered through another registrar later absorbed into Register.com, or it was a setting that was chosen when the domain name was first registered. Either way, it didn’t seem practical and nobody was able to explain it, including a couple of otherwise friendly technical support representatives from Register.com.

Giving up on the online change, I looked at the change of registrant form. New problem – this form needed to be completed and filed by the existing registrant! This would not work in our case, as the employee left the business and there has been no contact with him ever since. In fact, I would think that this is the case in most scenarios where an employee leaves the company, so unless a transaction is being made by two separate parties, this seemed like a bad method for Register.com to facilitate this change in the first place.

Having nowhere else to turn, I dialed customer support and started asking questions. Surely there must have been another customer facing this issue in the past, and I thought that company representatives could help me through by using some type of loophole. I had no such luck. One representative told me that I shouldn’t worry; as long as I had the username and password to log into the control panel, it didn’t matter whose name was on the account. Another representative told me that I could just fill out the form, leave out the current registrant’s information and explain the situation in the notes block; we realized that didn’t work when the form was promptly returned to me.

The third representative told me that I should follow the steps outlined in Register.com’s dispute policy. I examined this policy closely and concluded that the only way to make this change would be to file legal paperwork, appear in front of a district judge asserting the change, and send the results of the proceeding to Register.com.

Needless to say, we decided it was not worth the time and money to conduct all of this litigation just to change a name. Instead, I went forward with an alternative plan – let’s transfer the domain name to another registrar that wouldn’t give us the runaround. Before doing so, I gave Register.com one final chance – I called them, explained the situation and told them that I would be forced to transfer the domain names if they didn’t offer an alternative. The phone representative actually agreed with me and said that the best plan would be to transfer the names. So, I transferred the domain names to another registrar, updated the contact information, and completed the work.

I wanted to note that I sent Register.com an e-mail alerting them of this post and asking them if they wanted to comment. I haven’t received a response in the 24 hours since I sent it, but if I receive one I will be sure to post it.

A couple of closing points. First, the moral of the story – unlike a decade ago, there are now hundreds of domain name registrars. Don’t let them bully you and have you jump through hoops; your time is precious. If your registrar won’t allow you to do what you need, find another one that will and transfer the names over. Transfers are quick and easy these days, and most registrars include a free year’s renewal with the transfer, so you’re not losing any money. Additionally, transfers are cheap, averaging about $9.00 per domain name.

Second, there is a larger issue. Companies must always balance the security of their business and their clients against functionality and convenience. If you have too much security, functionality and convenience suffer, driving away customers. With not enough security, you might make your customers happy in the short term but they’ll be running away with the first sign of trouble. In some business models, it is okay to lean a little bit more heavily towards one side, but there is always a limit. In this case, it might very well be that Register.com erred too much on the side of security and not heavily enough on the convenience side. After all, they lost a customer because of the issue. However, Register.com is a large company and might not mind losing a customer here and there for the sake of keeping domain name transactions secure. There is no right or wrong answer – this is a strategy that many business should think about from time to time in regard to its own products.

If you have any comments, feel free to post – I’d be happy to keep this discussion going!

Modern Etnacom Logo

Etnacom has existed in one way or another since 2001. Throughout its life its services, employees and even its location have changed multiple times.

I thought it might be interesting for some readers to see how the company has evolved over the years. At most, this will serve as a way to see how I’ve gotten to this point and some of the interesting things I’ve encountered. At the very least, it will be a “statement for the record” of where the company has been and where I intend to take it.

The Beginning

Original Etnacom Logo

In the summer of 2001, I was still in high school. A close friend and I were deliberating about how we could make some extra money in addition to our typical teenage jobs as waiters. We both knew a lot about computers and my friend was an expert in video editing, producing clips for many local events such as track meets, town gatherings and weddings. I already had some success in creating small websites for local businesses and helping others around the community with their computer repair issues. Thus, Etnacom Networks was born. I still joke with my friend about the day when we typed up a one-page “business plan” and brought it upstairs so that my father could review it (we were both under 18 at the time and needed a financial guarantor). Being a business owner himself, my father was excited about the idea and took us to the bank to open our own account. Our initial investment was fifty dollars each.

From that point forward, we worked hard to earn any business that came our way. The majority of our clients were local organizations that needed websites and web hosting, and we were able to meet their needs quite well. In fact, we still retain a lot of our original clients, even though Etnacom has evolved quite a lot since then.

As we grew older and more experienced, we started working on more complicated projects. The era of wireless computing was just starting to come about, and many businesses in the community wanted a cost-effective way to network multiple laptops and desktops into a small network with shared printers, files and Internet. We started installing more complicated server systems that ran on various flavors of Linux and Windows Server. Of course, we never forgot about our “bread and butter” services of web sites and web hosting.

Transformation to Consulting Firm

Towards the end of 2006, the original two Etnacom partners decided to go separate ways. There were no hard feelings (in fact, Brian is still a very close friend and is the best man at my upcoming wedding), but we decided that I would take the company into a consulting role while Brian would concentrate on his own profession that actually had little to do with the IT field. I became a support provider for a few start-ups and small businesses in the New York / New Jersey area, and I partnered with GoDaddy so that I could continue to offer web hosting services to my clients while improving maintenance and quality of service. Web hosting services are now offered under a subsidiary called Etnahost.

With the completion of my Masters’ degree at Carnegie Mellon University, I expanded my knowledge and experience within all of the topics I consult in, which included some very in-depth expertise in Online Marketing and SEO. I also added a new field to my repetoire – Information Security, which is in my opinion one of the most important aspects of IT. Because of my large concentration in this new field, I decided to again make some big changes and accept a full-time position working in the Baltimore / Washington D.C. area. However, Etnacom will continue to operate in the same reliable capacity it always did.

The Future

The Internet and IT in general have certainly evolved quite a bit since I’ve started doing this. Networks were once a luxury only enjoyed by corporations, now they are common in most homes (and even in some automobiles). Websites were a one-way venue to share information and e-commerce was just taking off in 2001; Facebook wasn’t even an idea in anyone’s mind. These days, community-based interaction over the Internet is common. There is no telling how Etnacom will evolve over the next few years or how technology will either. However, I can promise that I’ll continue to offer solutions that are on the cutting edge but also practical. It will certainly be a fun ride!

If you are a client, you are well aware that I started a new full-time position in July, working information security-type issues. Being that my degree is in Info. Security, I decided that this would be a wonderful opportunity, but I also wanted to continue doing my work at Etnacom. So, I decided to transform the company into a vehicle for part-time consulting.

Before I accepted the position, I spoke with my clients to see if there were any concerns with me meeting their needs part time and mostly during nights and weekends. Everyone was extremely supportive (and I thank everyone for their generous support!)

So, here we are. Getting back to the website – I think a look and feel that shows that I’m a one-man show with a lot of experience to offer does the trick. I am now showcasing my blog on the home page so that you can read about my insights and experiences with clients and technologies (and sometimes with my full-time job, if I am able to share). I am still accepting new clients, but have relocated to the Baltimore-Washington metro area, so my on-site work is limited to that region.

As always, i’m available anytime for help, so drop me a line if you need anything!