#callmeifyouneedme


How do you make a cybersecurity presentation about government requirements interesting? In this photo, you see me casting a spell on the attendees to keep their eyes open. ;-)

The secret to making an interesting presentation is to start by advertising it accurately. That way, the only people who bother to show up are people who are already interested in the topic. That’s half the battle right there – getting the right audience.

The next step is to provide useful information and actionable steps in a way that’s easy to understand and helps the listeners feel like they can successfully do the things that need to be done.

Assemble motivated attendees. Then, tell them:
What they need to know.
What to do.
How to do it.

(This photo is from the ITA Showcase on March 13, where my topic was “Meeting Cybersecurity Requirements for Federal Grants in Critical Infrastructure,” which, as we all know, is a universally appealing topic.)

#CallMeIfYouNeedMe #FIFONetworks

A client commented good-naturedly that the IT support time costs more than the computers. That’s true, and really it’s to be expected.

EXAMPLE 1: An appliance to store food.
Over a refrigerator’s lifetime, the food you store in it costs way more than the refrigerator.

EXAMPLE 2: An appliance to prepare food.
Over a stove’s lifetime, the food you prepare with it costs much more than the stove.

In the same way, a computer or a server is an appliance, used to store and prepare information. When you pay an IT support person or company, it’s not really about maintaining the appliance. It’s about your continuing ability to store and prepare information.

The value is in the information.

“My daughter’s personal computer, she uses for school work, came up with needing a BitLocker recovery password.”

Over the weekend I was contacted by a dad on the other side of the country trying to locate the BitLocker key. This is a very common problem. Microsoft’s position is, “Don’t worry, we store your BitLocker keys for you in your Microsoft account!” Microsoft’s attitude seems like: “I know you’re in water over your head, and you can’t swim, and you’re drowning and choking, but don’t worry, we have life preservers right here on the boat. Come get one!”

The reality is that many people have no idea what to do when faced with this challenge.

You must protect yourself. Get your BitLocker recovery key for every BitLocker device, and store it safely yourself. You can find information on how to get your recovery key by searching for “find my BitLocker recovery key,” or a similar phrase, using any search engine.

If you don’t want to do that, contact me, and I’ll help you get your BitLocker key(s) for a very reasonable fee.

#CallMeIfYouNeedMe #FIFONetworks

Microsoft is getting ready to do away with MFA for its web-based products. No, this is not clickbait.

Beginning in February, if you log in to a web-based service, Microsoft will keep you logged in by default. Go ahead and close the browser window, it doesn’t matter. You’re still logged in, unless you deliberately log out. Think about hotel computers, library computers. Think about women in an abusive relationship.

It’s no longer MFA if Microsoft reduces authentication to device authentication. They won’t be requiring proof of identity of the person in front of the screen.

If you sign in to a Microsoft web-based app on a computer that is ACCESSED BY OTHER PEOPLE, you are at risk.

ACTION STEP
Even though Microsoft is placing the notification at the top of the screen right now, there are people you know who won’t understand what it means. There are people who won’t even notice the message. Make sure your friends and family know how to explicitly sign out after every session on a shared computer.

One last note: Microsoft says that instead of logging out you can use private browsing (for example, Google’s incognito mode). I don’t recommend this option, because sometimes software doesn’t behave quite like the coder thinks it will. For the most reliable security, log out.

#CallMeIfYouNeedMe #FIFONetworks

Some IT people work in an environment of fear. They’re afraid to do routine system maintenance that might take the system down for a while.

The crazy thing is, scheduled maintenance downtime will be less impactful than unscheduled emergency downtime.

The solutions are to have upper management fully supportive of system maintenance, and a smoothly functioning change management process that includes mechanisms for incorporating patches and updates into the workflow.

If you WORK FOR a company with a culture of fear surrounding routine system maintenance downtime, do yourself a favor and look for a new job.

If you OWN OR MANAGE a company with a culture of fear surrounding routine system maintenance downtime, do yourself a favor and call me. I can turn it around.

#CallMeIfYouNeedMe #FIFONetworks

Want to meet in person? I’ll be speaking at the ITA Showcase in Portland, Oregon in March.
From the website: “ITA Showcase is an annual trade show sponsored by the associate members of the Washington Independent Telephone Association (WITA) and the Oregon Telecommunications Association (OTA), for the benefit of the members of those associations in the Pacific Northwest.”

“Bob, what will your presentation be about?”
Cybersecurity in telecom, of course!

Don’t delay – register soon.

linkedin.com/posts/angela-chur

#CallMeIfYouNeedMe #FIFONetworks


When you’re looking for your first tech job (or even another job later in your career),
1) remember to check out smaller companies, and
2) check out companies that aren’t in the tech sector.

Every industry uses information technology.
Every industry needs cybersecurity.
In smaller companies, these two roles will be combined.

One of my clients is in road construction.
Another client repairs equipment used on commercial fishing boats in the Alaska fishing fleet.
Some clients are in medical practice.
Some clients are in retail.
Some clients are in manufacturing.
Some clients are national, state, or local government agencies.

Information technology is needed and used everywhere.

Getting a tech job in a smaller company has one advantage that stands out among its many other advantages: in smaller companies, you’ll have more opportunities to develop a greater breadth of skills. The cross-functional experience you obtain in a smaller company will serve you well in later stages of your career.

#CallMeIfYouNeedMe #FIFONetworks

This is barcode security done right. The picture shows a DMV barcode for a vehicle registered in the state of Washington. Try to read it with your phone’s barcode reader, and it won’t work. This barcode requires specific hardware and software to decode. The name for this barcode protocol is PDF417. Just obtaining a PDF417 reader isn’t enough, because different states and agencies can use different encryption methods AND different encryption keys.

In addition to vehicle registration documents, PDF417 barcodes are also used on most (all?) US driver’s licenses. It’s a complex barcode, and can hold much more information than a standard QR code. For example, your driver’s license picture and/or fingerprint can be included in this type of barcode, with room to spare.

This makes it much harder to create a fake ID for a minor to use to purchase alcohol. You might think, “Just copy the barcode from a 21-year old’s driver’s license.” Even though a quick scan of a fake driver’s license would show a valid birthdate, displaying the picture on the retail clerk’s screen is likely to reveal that the customer standing in front of the counter isn’t the person whose barcode is on the license.

“Bob, I want to know what information is contained in the PDF417 barcode on my driver’s license. How can I do that?”

It’s easier than you think. No special scanner needed. Just read the cleartext on your driver’s license, and look at your picture. That’s what’s in the barcode.

SUMMARY
The PDF417 2D barcode is encrypted, not so it can contain secret information, but in order to make counterfeiting more difficult. Since the same information is displayed on the document or ID in cleartext, it’s important to protect the document from being observed or copied by people with malicious intent.

#CallMeIfYouNeedMe #FIFONetworks

After yesterday’s LinkedIn post I was asked this question: “Bob, can you recommend a white hat hacking service to do a penetration test on my home setup?” My reply:

“Sorry, no, I can't. I don't do pen testing. I describe myself this way: ‘I’m the one you call before you call the pen tester, to get you ready for the penetration testing.’
Pen testing is expensive, and as a paid service it’s geared toward businesses, not individuals.
I do offer personal cybersecurity services. This is typically for:
1) journalists,
2) people with a lot of financial assets to protect,
3) politicians (city council members face a lot of local animosity, and have no formal protection, so they need to make sure they have privacy and secure email and text messaging),
4) stalking victims, and
5) people escaping a harmful relationship.
But to your question, I don’t know anyone who does pen testing for hire at the residential level.”
Does anyone know someone who does residential pen testing - legit, licensed, and insured?

#CallMeIfYouNeedMe #FIFONetworks

The checkbox to “log out everywhere” can be critical under some circumstances, even if you don’t think you’re logged in on more than one device.

I do personal cybersecurity consulting and setup for high profile individuals (think City Council members), people escaping an abusive relationship, etc. One of the most appalling things I’ve run across is resetting an email password and finding out it was automatically applied to ALL INSTANCES where the account is logged in. In other words, if the abuser is reading his ex’s email on his phone, and she changes her password, the ex isn’t logged out. Instead, the new authentication is automatically applied! (Some email and social media service providers do this, not all of them).

If you’re concerned that an account has been compromised, follow these steps.
1) Log out of all devices.
2) Then change your password on the device you’re currently using.
3) If two-factor authentication isn’t already enabled, enable it now.

#CallMeIfYouNeedMe #FIFONetworks
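
Added example (not part of the original post, and not any provider's real code): a toy in-memory account model showing why the order "log out of all devices, then change the password" matters on a service that keeps existing sessions alive across a password change. The `Account` class, its `revoke_on_change` switch and the sample credentials are hypothetical; two-factor enrolment (step 3) is not modelled.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Toy in-memory account (hypothetical model, not a real provider's API)."""

    def __init__(self, password: str, revoke_on_change: bool):
        self.revoke_on_change = revoke_on_change
        self.generation = 0  # bumping this invalidates every session issued so far
        self.sessions = {}   # token -> (device, generation at issue time)
        self._set_password(password)

    def _set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)

    def _issue(self, device: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (device, self.generation)
        return token

    def login(self, password: str, device: str):
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return None
        return self._issue(device)

    def is_valid(self, token) -> bool:
        entry = self.sessions.get(token)
        return entry is not None and entry[1] == self.generation

    def logout_everywhere(self) -> None:
        # Stale entries stay in the dict but fail the generation check.
        self.generation += 1

    def change_password(self, token: str, new_password: str) -> str:
        if not self.is_valid(token):
            raise PermissionError("session is not valid")
        device, _ = self.sessions[token]
        self._set_password(new_password)
        if self.revoke_on_change:
            self.logout_everywhere()
            return self._issue(device)  # only the device making the change stays in
        return token  # weak behaviour: every other session stays signed in


def scenario(revoke_on_change: bool, logout_first: bool) -> dict:
    acct = Account("old-pass", revoke_on_change)  # constructed sample credentials
    phone = acct.login("old-pass", "someone else's phone")
    laptop = acct.login("old-pass", "owner's laptop")
    if logout_first:  # step 1 of the post: log out of all devices
        acct.logout_everywhere()
        laptop = acct.login("old-pass", "owner's laptop")
    laptop = acct.change_password(laptop, "new-pass")  # step 2
    return {
        "phone_still_signed_in": acct.is_valid(phone),
        "laptop_signed_in": acct.is_valid(laptop),
        "old_password_works": acct.login("old-pass", "any device") is not None,
    }


if __name__ == "__main__":
    for revoke, first in [(False, False), (False, True), (True, False)]:
        print(f"revoke_on_change={revoke} logout_first={first}:", scenario(revoke, first))
```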

If you find Notepad++ on a computer in, say, Accounting, or HR – you should probably be concerned. There’s a good probability that the person who installed it has coding skills. And they installed it on that work computer because they’re using it to do something.
Maybe it’s innocent.
Maybe it’s beneficial.
But you won’t know until you investigate.

THE LESSON
Yes, you want to establish an approved software list, but that’s just Step One.
Step Two is identifying approved users.

#CallMeIfYouNeedMe #FIFONetworks

Weekend Thought Experiment for Business Owners
Grab your favorite relaxation beverage, find a comfortable place to sit, and consider this question: “How long can my business function if the entire Internet goes down in my region?”

If you’re an Internet-based business, like LinkedIn, this will be a very short endeavor, because of course the answer is, “Zero seconds.” Same for small Internet businesses, like an Etsy shop.

On the other hand, if you run a grocery store chain or a pizza delivery business, you may be able to continue operating for at least a short period of time. There are things to consider that will affect how long.

- Can you process debit/credit card payments on premise and store the transactions until Internet service is restored? Do you need to reduce operations to cash only transactions?

- Do you have a VoIP phone system? That will be down. Is the phone system essential to operations?

- What about your suppliers? Can you order replacement stock without the Internet? If not, your continued operations are limited to the exhaustion of stock on hand.

- How much do your suppliers depend on the Internet? Can your gas station continue providing fuel for your delivery trucks? Or, without Internet, does the gas station close down when its tanks are empty?

Whatever that relaxing beverage is, take a sip now.

As the reality of your dependence on the Internet sinks in, resolve to develop alternative solutions for purchasing, accepting payments, order placement and order taking, supply procurement, delivery…

Think militarily. People with military capabilities already know how much you need the Internet. They’ve already identified their targets.

Have a great, carefree weekend!

#callmeifyouneedme #fifonetworks

“I'm one of the oldest farts in the Old Farts Club.” Yesterday a couple of us were having a lighthearted discussion about age on LinkedIn. Ageism is real, and I get it, actually. Since I’m 69 years old, and I’ve been consulting since 2003, I’ve had plenty of opportunities to work with people of all ages in Information Technology. Want to know what I’ve found?

The younger ones are easier to work with. This is a generalization, and I’ve known some notable exceptions, but in general it’s true.

When I travel someplace and go onsite, the older people in the IT Department often feel a need to impress on me that they’re the experienced ones. The vibe they radiate is, “You don’t need to work with me; I know this stuff, leave me alone and go work with the youngsters.”

You know what’s wrong with that? If they “knew this stuff,” the Director or CIO never would’ve called me to come in and work with the team.

My presence – at considerable expense – is evidence that their upper level management is convinced they absolutely do not know this stuff.

The younger men and women on the team, by contrast, know that there are problems, they know that they don’t have the ability to fix those problems, and they want things to run smoother.

The younger ones talk to me.
They tell me what’s going on.
They tell me what the problems are.
They ask me what to do.
They ask me what to change.
And then they do it.

I frequently say, “You can’t solve today’s problems with yesterday’s solutions.” Technology changes too fast for that. You’ve got to keep up.

My advice, if you’re over 40: quit saying, “Been there, done that.” This is 2024, and you’ve never been here before.
Never stop learning.

#callmeifyouneedme #fifonetworks

Yesterday at the weekly Rotary lunch one of the other members asked me about the CrowdStrike incident. I realized that he thought it was caused by cybercriminals, so I said, “It wasn’t caused by a virus.” His eyes opened wide and he asked what happened, so I explained that it was a piece of badly written code that was part of an update issued by CrowdStrike. He correctly concluded, “So they didn’t even test it before it went out.” I nodded and he said, “I hoped they learned a lesson.”

The reason this conversation is noteworthy is because this affluent, well-educated man still didn’t understand what happened after a week of reporting in the news.

I see two issues that need to be addressed:
1) Journalists need to have a better grasp of cybersecurity incidents so they can provide better quality information, and
2) The general public needs more training in both information technology and cybersecurity awareness.

#callmeifyouneedme #fifonetworks

My residential clients don’t pay me $10,000 to $40,000 for a few days on site. On the other hand, my large enterprise clients don’t enclose their checks in handwritten thank-you notes.

The day after this remote support call, I called the client to make sure everything was still working. When she said yes, I emailed the invoice. A few days later, the client sent the payment. The end of the note says, "Still working fine." She knows that I offer thirty days of customer care support at no additional charge on every service call, and that’s why she mentioned that it’s still working.

“Thirty days? Bob! Isn’t that excessive?”

Occasionally I’ll have trouble getting fully done with a “sticky ticket,” where the customer calls back over and over, but it’s rare. And those customers sometimes make the most enthusiastic referrals – “He really helped me!” – and you get your money from the additional business they generate for you.

#callmeifyouneedme #fifonetworks

Three things you need to do with every packing list…

When you order goods (not services), the goods come with a packing list that shows what’s in the box(es). When you place personal orders from Amazon you may throw those packing lists away without even reading them. As a small business owner, packing lists are important! You need to do three things with the packing lists.

1) Compare the packing list to what’s in the box. Sometimes they goof it up, and everything isn’t in there. Count that stuff! Check it off!
2) Compare the packing list to the purchase order. Maybe they forgot to ship something you ordered, or maybe they shipped you too many, or maybe it’s on backorder. Backordered items on the packing list can really mess up your project completion schedule. Inquire!
3) Compare the packing list to the invoice. If the vendor invoices you for something, make sure you received it before you pay.

#callmeifyouneedme #fifonetworks

The scams can be very convincing. This client is college educated, owns a business employing several dozen people, and has homes in two different states. A couple of years ago he was duped by one of those pop-ups that said, “Your computer is infected! Call Microsoft for assistance at 1-800-xxx-xxxx.” He called the number and the person who answered said, “Microsoft Technical Assistance, how may I help you?” Before it was all over, his credit card had been charged – twice! – for a total of $459.00.

Two years later, they are still calling him, trying to get more money! He told me about their most recent attempt on June 13.

He’s been a client of mine since 2011. I maintain his business computers and his family’s personal computers. A couple of years ago when he saw the pop-up which led to his computer being infected by the fake tech support company, he told me, “I thought about calling you instead of the number on the screen, but it seemed so urgent, and it really looked like it was from Microsoft, so I decided to call them.”

The thing that strikes me the most about this story is the brazenness of the cybercriminals. They keep coming back, and have no fear of arrest or prosecution.

It’s up to you to be cautious.

#callmeifyouneedme #fifonetworks

Over the weekend I was called on to be part of the incident response team in the middle of a real-time ransomware attack. Their current backup was online, and of course it was encrypted, too. The company’s most recent backup that wasn’t encrypted was about three weeks old, and it was pure chance that the three-week old copy even existed.

This company isn’t unusual. More often than not, companies have inadequate backups. I’m not entirely sure why, since the data is the company’s most valuable non-human asset. But for whatever reasons, decision makers have an aversion – that borders on revulsion – to spending money on proper backups.

THE FIRST QUESTION THEY ALWAYS ASK
In ransomware cases like this, when there’s no decent backup, I’m always asked, “Can you recover the data without paying the ransom?” The answer is essentially no. There are some ransomware decryption keys online, but once a ransomware key has been uncovered the cybercriminals move pretty quickly to insert a new key in their code going forward. So that decryption key that you downloaded online is great if your data was encrypted three months ago, but probably worthless if your data was encrypted last night.

THE SECOND QUESTION THEY ALWAYS ASK
The next question they ask is, “Should we consider paying the ransom?” My answer is fast and certain: “If you decide to pay the ransom, my involvement ends. I won’t have any part in that.”

Ransomware remediation must begin before the attack, not after.

The only protection against ransomware is: current, offline, unpowered backups.

Current. Offline. Unpowered. Your data is the lifeblood of your company. Do your backups right.

Here’s the link to a presentation I did on the difference between “data sync” and “data backup.”
fifonetworks.com/resources/bac

#callmeifyouneedme #fifonetworks

Don’t be embarrassed about your server room. I’m talking to small business owners and the IT employees who love working there.

The reality for a lot of small businesses and retail locations is that there is no server room. There’s one server on the floor next to the shift manager’s desk, or up on a shelf in a supply closet. One bar that’s a client of mine has the Internet Gateway, the firewall, a switch, and a server in the attic crawl space. I have to climb up a ladder and go through a hatch in the ceiling to get to it.

If the business is a little larger and has an in-house IT person, the server room is often still a multi-purpose room that happens to have a couple of racks in it. The Ethernet cables go up and out through a hole in the corner of a ceiling tile in the drop ceiling.

Every time I visit one of these locations for the first time, the IT person or business owner apologizes to me and feels like they’re somehow not living up to my expectations. But really, this is pretty normal.

Your equipment isn’t generating enough heat to need additional air conditioning. You’re making enough money to run the business and cover payroll every month, but it’s not like you have a safe full of excess cash begging you to spend it on antistatic flooring.

So please, relax. Whatever you’ve got, I’ve seen worse. It’s not as bad as you think. (Well, unless you’ve got mouse droppings inside the server case, and rats have chewed the insulation off your Ethernet cables – then you’re getting close to the bottom end of what I’ve had to deal with).

I’ll fix what you’ve got so you’re up and running again, and I’ll make some recommendations for ways we can make your network less prone to another failure. It’s your business. You know your budget and your needs. You decide how much we do from there.

#callmeifyouneedme #fifonetworks