Microsoft Windows 10

Microsoft is releasing Windows 10 on July 29th.  It is available as a free upgrade to licensed users of Windows 7 and Windows 8.1 through the Get Windows 10 (GWX) application which is part of Windows Updates.  (Note: Some companies, including Bryley Systems, are temporarily blocking this update to permit a controlled migration to Windows 10.)

To minimize bandwidth and processing disruptions, those who reserve now for this 3Gb upgrade periodically receive parts of it until the entire upgrade is downloaded and ready for installation on 7/29/2015.

Windows 10 will run most Windows XP applications.  The Windows 10 Home Edition will likely sell at $119; the Pro edition at $199.

View the article from Mark Hachman at PCWorld: “It’s official: Microsoft says you can download the final version of Windows 10 on July 29”.

Recommended Practices: IT security cheat-sheet

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

All organizations are at risk of a breach in IT security, whether externally (by a party outside the organization’s computer network) or internally (by a person connected to the organization’s computer network); studies show that even small companies are targeted externally, primarily because they are more vulnerable than larger organizations who can dedicate resources to combat external threats.

Organizations take great efforts to secure their data; they have firewalls, spam blockers, anti-malware applications, intrusion detection, etc.  However, the greatest threat comes from within:  End-users often inadvertently introduce malware (via web browsing or email-attachment clicking), which can spread across the network or attack confidential data.

Effective IT security requires a layered approach; it is comprised of multiple solutions at different points-of-entry and areas of concern.  It must be setup properly, but must also be continually monitored and then updated as appropriate.  Security should be periodically reviewed by an IT expert and, if budget permits, tested to ensure what is expected is what is received.

Effective IT security also requires ongoing training for all users and monitoring and enforcement of usage policies.

For an overview on IT security, I recommend viewing Derrick Hughes’ “Ten ways to prevent a data breach and secure your small business” in The Globe and Mail.

Here is our checklist, organized by security concern:

1.) Computer network:

  • Deploy, update, and monitor stand-alone firewall(s) between all external networks (IE: Internet) and the organization’s network.
  • Deploy, update, and monitor an email/spam-protection capability.
  • Deploy, update, and monitor an event-log management capability.
  • Deploy, update, and monitor intrusion-prevention/detection capability.
  • Lock-down wireless access points.

The first line-of-defense from external threats is a professional-grade, stand-alone firewall configured to refuse unwanted traffic from external sources while permitting only desirable connections.  It should be supplemented with email/spam protection; either as a Cloud-based service or via an internal appliance.  Event-log management and intrusion prevention/detection are also available either as a service or appliance; both are recommended, but budget versus benefits must be considered.

Enable Service Set Identifier (SSID) for internal-use wireless access points.

2.) Servers, their operating systems, and their applications:

  • Test and then install all recommended security patches/firmware updates.
  • Manage operating system and application security-updates continually.
  • Deploy, update, and monitor anti-malware application on all servers.
  • Monitor continuously and review periodically for anomalies.

Servers, whether in-house or Cloud-based, contain not only valuable data, but also end-user information (usernames, passwords, profiles, etc.) that can be manipulated and used to infiltrate.  They, their operating systems, and server-based applications, must be aggressively patched, protected through anti-malware, and monitored continuously.

Anomalies in performance and event logs can highlight potential security risks; both should be reviewed periodically.

3.) Data:

  • Identify at-risk data and its location; keep only what you need.
  • Outsource payment processing to a reliable, third-party partner.
  • Verify security of vendors and partners with access to your data.
  • Where performance permits, encrypt data at-rest and in-motion.
  • Deploy an encrypted backup solution with onsite and offsite storage.

Company data should be classified according to its value and stored accordingly.  It is best kept encrypted at all times, although many organizations might not have the processing power to permit this.

Rather than processing payments onsite, consider one of the many third-party vendors that provide this service; verify the vendor before engaging them.

Data backups should be encrypted and follow the 3-2-1 rule for reliability:

  • Three copies of important data
  • Two different media types
  • One copy offsite

4.) End-user devices, operating systems, and applications:

  • Manage operating system and application security-updates continually.
  • Deploy, monitor, and update anti-malware app(s) on all end-user devices.
  • Test and install security-required firmware updates to end-user devices.

End-user devices are a primary target; they are difficult to secure and change continually.  However, end-user tools also share some blame:  Karen A. Frenkel of CIO Insight writes in “How Malware Bypasses Detection Tools” that 81% of IT professionals believe that web-browser-initiated malware can remain undetected by security tools and that the primary attack vector is an insecure web browser.

End-user devices, their operating systems and their applications must also be aggressively patched, protected through anti-malware, and monitored continuously.

Occasionally, a manufacturer will issue an alert for a security-required update to an end-user device, which should be applied as soon as possible.

5.) Usage:

  • Lock-down user rights to restrict data access to as-needed basis.
  • Require complex passwords with forced, periodic changes.
  • Enforce periodic time-outs when computer is left unattended.
  • Separate social-media browsing from financial-data handling.
  • Require two-factor authentication for all online transactions.
  • Create end-user policy detailing appropriate Internet use.
  • Create end-user policy on how-to protect sensitive data.
  • Enable web-monitoring capability to enforce policies.
  • Protect email via encryption (as needed).

Data should be restricted, preferably by need-to-know.  (Crypto Locker can initially only attack data available to the end-user introducing this virus.)  Complex passwords with periodic changes can restrict untrusted access while forced time-outs keep private information from unwanted eyes.

Set up a separate login account or device for access to financial data.  All online financial transactions must have two-factor authentication.

Policies should exist to inform end-users; they can be enforced through web-monitoring solutions.

Sensitive emails should be encrypted (via a service or appliance) while sensitive documents can be transferred via a secure FTP site.

6.) Training:

  • Define an organization’s best practices for IT security.
  • Demonstrate how to spot an unwanted ad while browsing.
  • Train users how to verify a website link (before clicking it).
  • Show how to verify an email attachment (before opening it).
  • Train users to check the address of an email’s sender/source.

Data breaches occur due to the inadvertent introduction of malware, sometimes through the failure to comply with policies designed to limit inappropriate behavior, but often through a lack of IT-security knowledge and training.

50% of corporate employees do not consider IT security to be their responsibility; Millennials are at greater risk than Baby Boomers due to their use of company devices for personal use (64%) and willingness to change default settings (35%).  (These findings are highlighted in Karen A. Frenkel’s CIO Insight article “Millennials Pose a Greater Security Risk”.)

The more training, the better.  Initial training should be acknowledged by the recipient and then tested for knowledge gained.  Security training should be repeated periodically; preferably at least annually.

7.) Maintain a Written Information Security Plan (WISP):

  • Assign a responsible person.
  • Define and announce the WISP.
  • Review WISP periodically (at least annually).
  • Document changes to WISP when they occur.
  • Periodically test, assess, and rework policies and procedures.

The Commonwealth of Massachusetts, under statute 201 CMR 17.00, requires a WISP for all organizations that hold personal information on any Massachusetts resident.  The WISP must be assigned to an Information Security Manager, periodically reviewed, and changes must be documented.  All WISP policies and procedures must be periodically tested, assessed, and reworked as needed to ensure maximum, ongoing protection.

Visit Bryley Systems’ 201 CMR 17.00 Seminar.

Roy Pacitto achieves 20 years at Bryley Systems

Yes, Roy Pacitto, Director of Business Development, has made it through 20 years.

Roy started with Bryley Systems on May 22nd, 1995.  He initially provided service dispatch and management, but quickly moved to business development, where, over the years, he has transformed this group into a tightly-knit team.

Congratulations, Roy:  We’re looking forward to another 20!


Winner of our monthly Service-Ticket Survey drawing

Monthly, we select a winner from all respondents to our service-ticket surveys.  Congratulations to DG of FCI, our survey-response winner from last month.

Our winner received a $10 gift certificate, compliments of Bryley Systems.

Selecting a Macintosh computer

Yes, the business world still thrives on Microsoft Windows; it remains the most-compatible platform for business-oriented applications.  However, we do have Mac users and they occasionally seek our advice.  Well, thanks to Laurie Lake of Macs at Work, a business partner of Bryley Systems located in Shrewsbury, MA, we can share these tips for selecting a Macintosh computer.

Basic steps in the decision process:

  • Define your preference – mobile or desktop
  • Make your choice and buy accordingly

Define your preference – mobile or desktop

Mobile workers will want a MacBook; Apple’s alternative to the Intel-branded Ultrabook, the MacBook is a sleek (13.1 mm), light (2.03 lbs.), mobile computer with an Intel processor, a 12” or a 13” Retina display, a 9-hour battery, and a full-size keyboard that can easily fit in a small carry-bag.  Prices start at $1,299.

The MacBook Air is a less-expensive, slightly heavier (2.38 lbs. to 3.48 lbs.) version with either an 11” (from $899) or 13” (from $1,199) display.  The processors are slightly faster than a comparable MacBook and storage can configure up to 1Tb, which is exclusively flash-based; electronic rather than mechanical.

The MacBook Pro comes with a 13” (from $999) or a 15” (from $1,999) Retina display powered by high-end graphics; it also has significant processing power (Intel dual-core and quad-core processors) with greater flash-based storage and the advanced, OS X Yosemite operating system.

If you are desk-bound and desire a larger display, a mouse, and a full-size keyboard with numeric keypad, you might consider an iMac.

iMacs come with quad-core processors and max-out with 3Tb of storage; the base units are of three basic types (measured by display size):

  • iMac 21.5-inch (from $1,099)
  • iMac 27-inch (from $1,799)
  • iMac 27-inch with Retina (from $1,999)

All come equipped with at least a 500Gb hard drive, wireless keyboard, and mouse or trackpad.

Make your choice and buy accordingly

If you spend most of your time on the road, a MacBook variation makes a lot of sense.  If your eyes are strong and you wish to minimize weight in your travel bag, get the 11” MacBook Air with the 9-hour battery.  If you need a larger display with greater processing and can accept the extra weight, go with the 15” MacBook Pro.

For office-bound users, get the most you can afford in your budget.  Always buy the largest display, the most Random Access Memory (RAM) and the greatest amount of storage that you can justify; with computing, more is generally better.

Please view the article by Roman Loyola of Macworld, “Which Mac Should I Buy?”, and the article by Jesus Vigo of TechRepublic, “Apple’s MacBook lineup: Which works better for business?”.

Alternatives:  Choose a PC or an Ultrabook

We have visited this topic repeatedly over the years, but here are two suggestions:

Firewall Trade-Up program for existing clients

We are offering a trade-up program to existing clients; we will rebate the cost of your current firewall plus provide low, fixed-price installation of a new Cisco ASA firewall/VPN appliance.

For details, please contact our Business Development team at 978.562.6077 option 2.  Or, email ITExperts@Bryley.com.

Bryley Basics: Microsoft Windows is not as vulnerable as Apple OS or Linux

Due to their size and complexity, computer operating systems are difficult to secure completely, which leaves them vulnerable to attack.  Given the number of reported hackings, most might consider Microsoft Windows to be extremely vulnerable, but Windows actually ranked less vulnerable than Apple Mac OS X, Apple iOS, and Linux.

This ranking was made by GFI Software in 2014, which reviewed popular operating systems and the number and rating of reported vulnerabilities.  GFI reported these top-5 results:

  1. Apple Mac OS X – 147 vulnerabilities; 64 High, 64 Medium, and 16 Low
  2. Apple iOS – 127 vulnerabilities; 32 High, 72 Medium, and 23 Low
  3. Linux – 119 vulnerabilities; 24 High, 74 Medium, and 12 Low
  4. Microsoft Windows Server 2008 – 38 vulnerabilities; 26 High and 12 Medium
  5. Microsoft Windows 7 – 36 vulnerabilities; 25 High and 11 Medium

Microsoft’s Internet Explorer, however, was ranked as the most-vulnerable application followed by Google Chrome, Mozilla Firefox, Adobe Flash Player, and Oracle’s Java.

See the article from Swati Khandelwal of The Hacker News: “Windows? NO, Linux and Mac OS X Most Vulnerable Operating System in 2014”.

Recommended Practices: Basic training for IT end users

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End users receive the benefits of IT, but usually with some pain involved, which they are glad to share with the IT administrators and technicians.  Oftentimes, the pain comes from not knowing the correct way to do something or from enabling malware; these can be avoided (or at least reduced) through proper training.

Training is usually considered optional, but the increased emphasis on security and compliance, along with the potential gains from trained users that are comfortable and knowledgeable with their IT assets and systems, can provide significant return on investment.

Training can play a critical role in the satisfaction of end users and in the security of the computer network.  It can provide end users with the knowledge to safely browse the Internet, reject harmful emails, and avoid trouble.  It is also important to define appropriate-use policies and demonstrate how to enter timely data into information systems.

Training topics

Generally, IT-oriented training occurs in these areas:

  • End-user equipment
  • Network resources
  • Applications
  • Policy
  • Security

End-user equipment

End-users have a myriad of devices, ranging from desktop PCs to terminals, tablets and other mobile devices; some have specialized items like hand-held scanners or terminals tied to a specific application.

The fundamentals are important:

  • Simple maintenance (cooling, ventilation, etc.)
  • How to operate the user interface (touch display, special keyboard, etc.)
  • Basic usage at the operating-system (Windows, Android, iOS) level

Ergonomics should also be considered; ensure that the equipment is optimized to the user’s body in the placement of displays, keyboards, mouse, etc. and that ergonomically correct accessories (gel-based wrist pads, comfortable seating, etc.) are provided and aligned properly.  (See Ergonomics Made Simple from the May 2014 edition of Bryley Tips and Information.)

Network resources

Resources available to end-users should be identified and demonstrated:

  • Printer features (b&w/color options, duplexing, etc.), location, and use
  • Multi-Function Printer (MFP) functions (faxing, copying, scanning) and use
  • Server names, basic purpose, shared folders, and access privileges
  • Conference-room display and wireless keyboard/mouse
  • Login credentials to Wireless Access Points (WAPs)

Labeling these resources makes them easier for end-users to identify.

Applications

Software applications fit a variety of functions, including:

  • Productivity suites:
    • Microsoft Office
    • Google Apps
  • Organization-wide:
    • Customer Relationship Management (CRM)
    • Professional Services Administration (PSA)
    • Enterprise Resource Planning (ERP)
  • Utilities:
    • PDF readers and writers
    • Password managers
    • File compression
    • Storage
    • Backup
  • Prevention:
    • Email protection
    • End-point security
    • Web filtering

(Software applications are discussed in the September 2013 through January 2014 editions of Bryley Tips and Information.)

Policy

Usage policies focus on the organization’s permissiveness (and lack thereof); they are designed to specify proper use and discourage improper behavior.

Most organizations have at least these IT-related policies:

  • Authorized use of computer network and its resources
  • Internet, email, and social media use and etiquette
  • Information Security Policy

Security

Security relies heavily on policies, training, and protective applications; the human element is the largest security risk in any organization.  Policies and training should encourage end-user behavior that minimizes security risks; protective applications help to enforce policies and to detect and remove problems when they occur.

Security training should include, at a minimum:

  • Anti-virus/anti-malware protection
  • Preventing phishing attacks
  • Password guidance
  • Safe web browsing

Many organizations will provide continuous training and reminders; some set up internal honeypots designed to lure end users into inappropriate behavior so that this behavior can be addressed and corrected.

Training process and related factors

The training process:

  • Set training goals
  • Assess end-user needs
  • Tailor the delivery methods
  • Create the training program
  • Scale the program to the audience

Trainers should factor in these items:

  • Budget training at the beginning of the project
  • Consider the needs and learning styles of the end-users
  • Marry the business context of the need to the IT training


Bryley Basics: How ransomware (Crypto Locker) makes backups more critical

Ransomware – usually Crypto Locker and its variants – is a form of cyber-malware based on encryption software that seeks payment (ransom) to undo the damage; when infected, the malware typically encrypts all data files, rendering them useless until the ransom is paid.  (Encryption software scrambles a file’s contents and creates an encryption key, essentially a code used to reverse the process.  Unless you have this key and the encryption software, the files remain unreadable.)

Hiawatha Bray of the Boston Globe recently reported a ransomware infection at the Tewksbury Police Department; after repeated attempts to decrypt, the Chief of Police paid the ransom.

Other than paying the ransom, which is risky and not recommended since it potentially makes you more of a target in the future, the only way to thwart ransomware is by restoring the corrupted files through a backup that was created before the infection.

A properly planned and implemented backup process is vital since data stored on a network server represents many hours of effort over time, making it impractical and usually impossible to recreate.  A properly functioning, multi-point-in-time backup is necessary to provide restoration under these and other scenarios:

  • A server fails
  • A file is deleted
  • A template is written over
  • An application upgrade fails and must be restored
  • A document is inadvertently changed and saved by a user

A backup should be a complete, recoverable copy of not just data, but the entire server/network environment.  It should have these properties:

  • Sequenced over many days
  • Complete image
  • Offsite storage

For information on backups, visit our Data-Backup Guidelines.
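The 3-2-1 rule from the IT security cheat-sheet above and the backup properties listed in this item (sequenced over many days, complete image, offsite storage, created before the infection) can be turned into a small audit. This is an added example in Python, not Bryley Systems’ code or tooling; the inventory record layout, the field names and the sample records are assumptions constructed for illustration.

```python
"""Audit a backup inventory against the 3-2-1 rule and find the latest
clean restore point that predates a ransomware infection.

Added example, not Bryley Systems' code; the inventory record layout and
the sample records below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    """One backup copy in an assumed inventory."""
    taken: datetime    # when the backup job completed
    media: str         # media type: "disk", "tape", "cloud", ...
    offsite: bool      # stored away from the primary site
    full_image: bool   # complete image of the server, not just data files
    encrypted: bool    # backup is stored encrypted
    verified: bool     # a test restore of this copy succeeded


def check_properties(copies):
    """3-2-1 rule plus the other properties the newsletter asks for."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "all_encrypted": bool(copies) and all(c.encrypted for c in copies),
        "complete_image": any(c.full_image for c in copies),
    }


def days_covered(copies):
    """Distinct calendar days with a backup ('sequenced over many days')."""
    return len({c.taken.date() for c in copies})


def clean_restore_point(copies, infected_at, margin=timedelta(0)):
    """Most recent verified full-image copy taken before the infection.

    `margin` pushes the cut-off earlier: the true infection time is often
    uncertain, and a backup taken after the malware started encrypting
    files merely preserves the encrypted files.  Returns None if no clean
    copy exists."""
    cutoff = infected_at - margin
    clean = [c for c in copies
             if c.verified and c.full_image and c.taken < cutoff]
    return max(clean, key=lambda c: c.taken) if clean else None


def audit(copies, infected_at, min_days=7, margin=timedelta(hours=12)):
    """One report dict combining the checks above."""
    report = check_properties(copies)
    report["days_covered"] = days_covered(copies)
    report["sequenced_ok"] = report["days_covered"] >= min_days
    point = clean_restore_point(copies, infected_at, margin)
    report["restore_from"] = point.taken if point else None
    report["data_loss_window"] = infected_at - point.taken if point else None
    return report


# Constructed sample inventory: nightly onsite disk images (02:00) for
# 1-10 July 2015 plus one weekly offsite tape copy on 5 July.
NIGHTLY = datetime(2015, 7, 1, 2, 0)
SAMPLE = [BackupCopy(NIGHTLY + timedelta(days=i), "disk", False, True, True, True)
          for i in range(10)]
SAMPLE.append(BackupCopy(datetime(2015, 7, 5, 3, 0), "tape", True, True, True, True))
INFECTED_AT = datetime(2015, 7, 9, 14, 0)   # constructed: ransomware noticed mid-day

if __name__ == "__main__":
    for key, value in audit(SAMPLE, INFECTED_AT).items():
        print(f"{key:18} {value}")
```

With the 12-hour margin the audit falls back to the 8 July image rather than the 9 July one taken only hours before the infection was noticed, which is the trade-off between data loss and restoring encrypted files.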

Recommended Practices: How to update technology

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

The psychological impact of an IT upgrade is significant:  Most employees are excited to receive new equipment (larger monitor, faster PC, better tablet), but often balk at a significant change – like introducing a new version of Microsoft Office – since their daily, tried-and-tested routines might shift, and not always for the better.  Also, these changes could impact their ability to get things done, even if for just a few hours during the cut-over.

In general, various groups involved might have different perspectives:

  • CEOs and C-level executives see IT as an influential asset that should increase operational efficiencies or provide a competitive advantage – either through data analytics or by enhancing the customer experience – but they don’t want the pace of technological change to inhibit growth.1
  • Professionals might be more willing to accept the changes (and the pain) that go with new technology, particularly if they see how these changes will help them succeed in their roles within the organization.
  • Middle management wants things to work the first time, every time. They are glad to have new equipment, but are concerned with keeping their direct reports functional and happy.
  • Office workers have the most to gain (or lose); some might be excited by the prospect of bigger-better-newer, but none want to lose what they had, whether it was an icon pointing to a specific file on their desktop or an older, label-printing application. To many, IT can be confusing and frustrating.
  • Line workers view technology primarily as a tool; when it is broken, replace it, but make sure the new one works the same as the old one or show me how to use the new one.

The strategic objectives of an organization also play a role in the process:

  • A growing organization will want improvement, but with a strong emphasis on planning to ensure that the direction taken is suitable, now, into the near future, and beyond.
  • A stable, slow-growing organization might focus more on replacement rather than on change, preferring to avoid the pain of a significant upgrade.

Typically, the management team develops the technology plan, either internally or with an IT partner like Bryley Systems. Needs filter up through the organization, typically during the budgeting process.  The implementation then filters down through the organization.

For technology planning and implementation, we recommend these steps:2

  • Define needs and requirements
  • Assess and select
  • Implement
  • Train

Define needs and requirements

Identify what you have before you decide what you need; a full inventory of all IT assets can remove the guesswork and point out critical issues.  (We use Kaseya, our remote-monitoring-and-management tool, to inventory existing clients.  We also use Network Detective from RapidFire Tools to audit and assess new clients.)

Knowing what you need simplifies the decision and timing; having a good handle on where the organization is now and where it is going is critical, but also defining what constitutes success, and how to measure it, are important.

Consider these needs from the context of the different groups above; try to permit these groups to define their individual requirements within the overall plan.

Requirements can be as simple as counting new PCs or as complex as determining the best-fit solution to permit a quick recovery after a disaster.  Requirements should be recorded, categorized, prioritized, and then monetized.

Assess and select

We at Bryley Systems tend to err on the side of caution; we’re rarely early adopters and we don’t want to be far in front of the pack, but we do try to keep up with the well-tested tools and hardware that will improve our efficiency, particularly when this technology impacts our clients.

We also favor these technology-selection principles:

  • Business-grade (rather than consumer-class) equipment and software,
  • Well-known, USA-based manufacturers with time-tested credentials,
  • Available updates and ongoing support, and
  • Green and ergonomic (where appropriate).

Price should not be the overriding selection factor; a long-term investment should consider all impactful areas, including:

  • Going Green
  • Length of service

Going Green

In technology, going Green is mostly about reducing energy consumption:

  • Virtualization techniques can cut energy costs by efficiently using on-premise servers to house multiple platforms, both for server-based applications and for end-user access.
  • Tablets, Ultrabooks, and small-footprint PCs with SSD drives consume less electricity than traditional PCs with internal fans and moving parts.
  • Inkjet printers use significantly less energy than laser printers.

However, other Green factors can also apply:

  • Printers that print two-sided (duplex), reduce costs and paper use.
  • Multi-purpose printers that fax, copy, and scan increase efficiency.
  • Fewer components, each with higher value, simplify recycling.

Length of Service

Most technology decisions have a span of three to five years; newer, virtualized platforms and Cloud-based options can have significantly longer spans.  Due to the rapid pace of change, planning horizons are typically only a few years, but consideration should be given to the longer term.

Implement

Implementations work best with planning and preparation; knowing what to expect and being prepared to deal with anomalies can shorten deployment time and minimize user disruption.

A solid, reliable series of backups should be completed and verified before starting.

We try to schedule our automated deployments to occur overnight or over the weekend, often arriving early the next business day to sort-out any issues.

Train

Often overlooked and usually under-budgeted, training should be considered, particularly when deploying a software change that introduces a new interface to the end-users.

Training often occurs during implementation, usually by the implementer showing the end-user what is new.  However, pre-implementation training on any new technology platform will facilitate a successful transition.

For large-scale deployments of new technology, we recommend initial group sessions followed by refresher courses for those greatly impacted.

Sources:

  1. Dennis McCafferty of CIO Insight What CEOs expect from IT investment on 4/17/2015.
  2. Brian J. Nichelson, PhD, of About Money Keeping up with Technology – Four Steps and some Resources, undated.
  3. Susan Ward of About Money Information Technology Makeover, undated.