Bryley Basics: How to identify the ransomware source on a computer network

Mike Carlson and Gavin Livingstone, Bryley Systems Inc.

Mike Carlson, CTO and a young, 20-year employee at Bryley Systems, had these suggestions on what to do when you get ransomware on your computer network:

  • Identify the end-user login name associated with the ransomware “How to decrypt” text files that are placed in the shared folders. (You would look at the properties of all of these text files to determine the originator.)
  • Remove this end-user’s workstation from the network immediately; preferably disconnect the network cable, but, if not feasible, power it down.
  • Restore all encrypted files from backup.
  • Erase the infected workstation(s) completely, then rebuild them.
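
The first step above can be scripted when the notes are spread across many folders. The following PowerShell is an added example, not Bryley's own tooling; the share path and the note file-name patterns are assumed placeholders to be replaced with what is actually seen on the affected network.

```powershell
# Added example: tally the owners of ransom-note files found on a file share.
# Assumptions: $ShareRoot and $NotePatterns are hypothetical placeholders.
param(
    [string]   $ShareRoot    = '\\fileserver\shared',                  # hypothetical share path
    [string[]] $NotePatterns = @('*decrypt*.txt', '*decrypt*.html')    # hypothetical note names
)

function Get-RansomNoteOwner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Patterns
    )

    # -Include only takes effect together with -Recurse (or a wildcard path).
    $notes = Get-ChildItem -Path $Path -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue

    foreach ($note in $notes) {
        try {
            # The NTFS owner is the same value shown in the file's Properties dialog.
            $owner = (Get-Acl -LiteralPath $note.FullName -ErrorAction Stop).Owner
        } catch {
            $owner = '<unreadable ACL>'
        }
        [pscustomobject]@{
            Owner      = $owner
            CreatedUtc = $note.CreationTimeUtc
            Directory  = $note.DirectoryName
            Name       = $note.Name
        }
    }
}

function Get-RansomNoteSummary {
    param([Parameter(Mandatory)] [object[]] $Notes)

    # One row per owner: how many notes, in how many folders, and over what time span.
    $Notes | Group-Object -Property Owner | ForEach-Object {
        $ordered = @($_.Group | Sort-Object CreatedUtc)
        [pscustomobject]@{
            Owner     = $_.Name
            NoteCount = $_.Count
            Folders   = @($_.Group.Directory | Sort-Object -Unique).Count
            FirstNote = $ordered[0].CreatedUtc
            LastNote  = $ordered[-1].CreatedUtc
        }
    } | Sort-Object NoteCount -Descending
}

$found = @(Get-RansomNoteOwner -Path $ShareRoot -Patterns $NotePatterns)
if ($found.Count -eq 0) {
    Write-Warning "No files matching $($NotePatterns -join ', ') under $ShareRoot"
} else {
    Get-RansomNoteSummary -Notes $found | Format-Table -AutoSize
    # Keep the per-file detail as a record alongside the other incident evidence.
    $found | Export-Csv -Path .\ransom-note-owners.csv -NoTypeInformation
}
```

The account with the highest note count and the earliest FirstNote is the one whose workstation to disconnect. If the owner is reported as BUILTIN\Administrators, the files were written by a member of that group and the owner field alone will not single out the user.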

In addition, we offered these suggestions in our July 2015 Bryley Information and Tips (BITs):

  • To be prudent, change online and system passwords
  • Create forensic images of infected computers
  • Preserve all firewall, Intrusion Prevention, and Active Directory logs for potential analysis by law-enforcement officials

These three can’t hurt, but the first one won’t stop the next attack and the last two are a bit of a stretch; it seems unlikely that the criminals will ever be pursued unless they happen to be working in this country (which also seems unlikely).

The US Computer Emergency Readiness Team (US-CERT) defines ransomware, its variants, and some solutions at Alert TA16-091A, Ransomware and recent variants.

Search Engine madness

Lawrence Strauss, Strauss and Strauss

A long time ago in the Information Age, there was Yahoo!. Yahoo! was the work of Jerry Yang and David Filo, grad students at Stanford, and was a guide to the soon-to-be-bursting-out World Wide Web. Here is a snapshot of an early version of Yahoo!, when there were about 200,000 websites (now there are around a billion).

Yahoo! was the work of people, who spent their time looking for interesting sites on the Web and, when they found something of value, the discovered site would make the Yahoo! list, sometimes with a brief, opinionated review of what to expect on a visit. And an opinionated review is what netizens sought to deal with the voluminous web: What do the people at Yahoo! think is a good resource for any given subject?

But when the sites and the pages ballooned in the mid-’90s, it begged for developers to write software-based means to reveal the Web’s contents in a helpful way. And the engineers adapted database-sorting software to the task, authoring Lycos, Overture, Excite and Alta Vista. AOL was the most popular way to access the Internet at the time. And so it was imitated, generating what became known as “portals”. Each of those software search engines, one by one, tried to follow AOL’s model, and each tried to create a content-rich site so visitors would theoretically never have to leave [1].

Google, also developed by students at Stanford, Larry Page and Sergey Brin, had a different approach. Google emerged from this trend of bloated interfaces as a bare-bones search engine. Google also incorporated a different technology, Page Rank. Page Rank aided in prioritizing search results not just on the basis of the page’s content, but also on the basis of how often it is linked to by other web pages. The thinking behind this was that a good resource will be highly valued by others and so these others will naturally want to link to it on their web pages. Google uses a combination of methods to arrive at its results to a given search. And Google, so confident it would lead visitors to the right answer, included an “I’m Feeling Lucky” button to take a visitor directly to the top item on the search result’s page.

Google’s technology and approach left the others in the dust … and now we are in an age in which Google is nearly the only major search engine left. And while Yahoo! is still extant, CEO Marissa Mayer is selling it for parts.

Today, it’s estimated that 80% of the time that we search the web, we Google.

(See comScore’s comScore Releases February 2016 US Desktop Search Engine Rankings and Search Engine Land’s Who’s Really Winning The Search War? By Eli Schwartz on 10/24/2014.) The other options include Microsoft’s successfully relaunched Live Search, now known as Bing (and on Yahoo’s site, branded as Yahoo! search), which has search engine traffic around 20% of Web searches. And there are lesser-known search engines like DuckDuckGo (although growing because of its privacy aims, it’s mostly a Bing-derived search [2] and represents less than 1% of searches) and similar and even less frequently used Google-derived privacy protected search, such as at ixquick.com.

The Business of Searching for Business

Although popularly dubbed Web 2.0 around ten years ago and 3.0 more recently [3], people still use the web to do most of the same things as in the ’90s. And 70% of the time, we start with a web search (per the 2014 research of 310 million web visits by web content-creating company, Conductor, in the Nathan Safran article: Organic Search is Actually Responsible for 64% of Your Web Traffic). So search is important to businesses who want to use the web to get searchers to consider their services.

And not only is the top position potentially lucky for the Google searcher, according to a study by ad network, Chitika, that top position in the search-results page is clicked 33% of the time (from the article No. 1 position in Google Gets 33% of Search Traffic by Jessica Lee). So, no wonder there is an industry, SEO (Search Engine Optimization), to try to get pages in that top position.

As a result of the desire for the top position, there is an ongoing cat and mouse game between makers of web pages (or their SEO contractors) and search engines. The makers are the cats who want to catch that elusive mouse of top-of-page placement when someone searches using the ideas that connect to their service.

One of the first examples of this game was the infamous Meta name=’keywords’. Created by the World Wide Web Consortium (W3C) in the ’90s out of a desire to get useful indexing information to the search engines, the Meta Tag, Keywords could contain a list of words that would help a search engine’s software robot have ready access to the important ideas on a given page [4]. The only problem was how quickly web-page-writers tried to stuff (aka spam) the Keywords tag with words the writer thought would make it rise to the top of the pack of search results (and I’ve seen some ridiculous things like porn words placed by an “SEO expert” in the Keywords meta tag of a retailer).

In 2002, Alta Vista’s John Glick said, “In the past we have indexed the Meta keywords tag but have found that the high incidence of keyword repetition and spam made it an unreliable indication of site content and quality.” (See the Search Engine Watch article Death of a Meta Tag by Danny Sullivan on 9/30/2002.) And Alta Vista was one of the last to support the Keyword tag.

And this game goes on today, only the venue changes. Google just announced that it is delisting or downgrading sites that have outbound links it considers illegitimate (these links were intended to boost the Page Rank of the page being linked to). In the current case bloggers were linking to sites in exchange for gifts. Google discovered the pattern of behavior and exacted penalties on the offending bloggers’ sites. (See the Search Engine Land article Google’s manual action penalty this weekend was over free product reviews by Barry Schwartz on 4/12/2016.)

Google is our (mostly) sole arbiter of the content of the voluminous web that we access by its rankings in importance (aka software-derived opinionated review). And an opinionated review is what netizens seek in order to deal with the voluminous web: What does the Google engine think is a good resource for any given subject? Which of course sounds a lot like trying to appeal to David and Jerry’s Yahoo!: Fundamentally the rules that applied to catching Yahoo’s favor are the rules that apply to winning Google’s highest ranks.

Next installment: How the Web is Won.

Notes

[1] Keeping visitors was valuable two ways. In lieu of a truer model, a site’s “eyeball” count was a measure by which too many web-based companies’ valuation went stratospheric. Also ad revenues were based on the traditional media-derived model of cost per impression.

[2] DuckDuckGo’s search is not identical to Bing in the way Yahoo’s is, as of this writing. DuckDuckGo, per its own site, claims to have its own web robot collecting information on web pages and also aggregates information from disparate sources, chiefly Bing, and uses a proprietary method to weigh the importance of information from all the sources.

[3] Web 2.0 was to indicate increased content coming from web users (e.g. blogs and YouTube channels). Web 3.0 is a proposal by the Web’s inventor, Tim Berners-Lee, to increase and change the nature of the web’s html language to include access to additional code and computer languages so that computers can process data in the html; it’s designed so that both humans and machines can make use of the content in a way native to each. (See the W3C standards on Semantic Web.)

[4] Meta Tags or Metatags are mostly hidden html content. These include a page refresh function and page-content description.

Recommended Further Reading:

  • The Search: How Google and Its Rivals Rewrote the Rules of Business and Transformed Our Culture by John Battelle.
  • Googled: The End of the World As We Know It by Ken Auletta.

Active Directory and its uses

Gavin Livingstone, Bryley Systems Inc.

Microsoft’s Active Directory (AD) is not well known, but it is a critical component in securing Windows Server-based networks.

Active Directory, introduced with Windows Server 2000, is included with most versions of Windows Server, but is also available as a service [1].  Its primary function is to facilitate authentication and authorization of users (members) and resources within an AD domain.  (An AD domain is a logical collection of users, computers, groups, and other objects; multiple domains can be created for different sites or groups, and trust relationships can be established between these domains.)

One of AD’s greatest strengths is to permit the centralized creation of user and group-based policies; it can then enforce these policies, ensuring that members comply with login and usage requirements.  Plus, it logs policy violations and login attempts, supporting the automation of error-log-checking solutions.

Basic AD services include:

  • Domain Services (AD DS) – Stores and verifies member credentials
  • Lightweight Directory Services (AD LDS) – A limited-feature version of AD DS
  • Certificate Services (AD CS) – Public-key certificates supporting encryption
  • Federation Services (AD FS) – Single sign-on functionality; AD and non-AD
  • Rights Management Services (AD RMS) – Management of access rights

Single instances of AD DS run on a server; once AD DS is deployed, this server is known as a domain controller (DC).  Most Windows Server-based networks have two or more domain controllers; a primary DC and secondary DC(s) to provide failover directory (via replication) and location-based access to the directory.

During login, users authenticate to the primary DC or to a secondary DC.

Active Directory is managed through a series of tools; most are included within Windows Server, but third-party tools [2] exist that provide better control and automation, particularly for larger organizations managing complex environments.

Best practices for AD design include [3]:

  • Build a logical structure based on a hierarchical, tree-like approach:
    • Forests – Top-level container (not always used)
    • Domains – Second-level containers within forests
    • Organizational units – Third-level containers within domains
  • Construct a physical model to address location requirements/constraints:
    • Place at least one domain controller (preferably two) at each site
    • Determine placement of replicas of domain data
    • Describe network topology
    • Consider traffic limitations

AD design tips [4] include:

  • Keep it simple
  • Match site topology to network topology
  • Ensure you have at least two DNS servers
  • Try to dedicate a server as a domain controller

Security best practices for AD include [5]:

  • Rename or disable the Administrator account
  • Physically secure domain controllers and servers
  • Apply Group Policy settings to restrict users, group, and computer access

Basically, Active Directory forms the heart of any Windows Server-based network; it is a critical component, even when using Cloud-based resources.  (Cloud-based resources can often be integrated within AD through Federated Services.)

References

[1] Active Directory as a service is available through Microsoft’s Azure Active Directory, Bryley Systems’ Hosted Cloud Server™, and other providers.

[2] 10 Must-Have Active Directory Tools by Walker Rowe of Anturis, 4/14/15.

[3] Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks from the Microsoft Developer Network.  (These are dated, but extremely detailed.)

[4] 10 Tips for effective Active Directory design by Brien Posey of TechRepublic, 8/23/2010.

[5] Active Directory Best Practices at Microsoft TechNet on 1/21/2005.

Bryley Basics: Intel® Compute Stick

Intel released its Compute Stick; essentially, a low-end PC that can fit into the palm of your hand or mount onto a USB port on a monitor (as shown below where the Compute Stick is mounted at the top-left of the monitor). It sells for under $150.

Due to its small size and low-power use, it can be used in these (and other) areas:

  • Thin client
  • Digital signage
  • Conference room
  • Machinery control

It can be controlled remotely through a Bluetooth-enabled keyboard/mouse. There is also an Android-based application that enables control through your smartphone.

Highlights:

  • Windows 8.1, 32-bit in current version*
  • Atom™ processor with 2Gb RAM
  • Integrated 802.11bgn wireless
  • USB 2.0 with a Micro SD slot
  • Must be powered externally

*Also available with Ubuntu 14.04 LTS.

We put it through its paces and found it slow, but adequate for low-end tasks. Its best feature is the small size, which can fit most anywhere.

Windows 10 Intel Compute Stick

The value of outsourcing IT

Many organizations invest in Information Technology (IT) as a strategic advantage; others see it as an expensive necessity.  We tend to favor the former perspective, but empathize with the latter; although IT can consume significant financial resources, it is a cornerstone of most modern organizations.

Either way, a key decision is whether to keep IT internally within the organization or outsource it to a Managed IT Services Provider (MSP) like Bryley Systems.  With an MSP, the basic tenet is a long-term relationship between the client and the MSP with an agreement that details types and levels of service at a fixed amount.

We reviewed some considerations of outsourcing in Outsourcing IT in the May 2014 issue of Bryley Information and Tips, but what of its value?

Let’s start with the players, their interests, and their capabilities.

The primary player:  The Client

The client has technology needs and issues, from end-user oriented (“Please show me how to rename a file.”) to network-level critical (“The Internet is unavailable.”) to business based (“How do I plan and budget our technology requirements in a world that is constantly changing?”).

The client has a limited technology budget spread across at least these areas:

  • End-user equipment and applications – Potentially an area of frequent change; typically a three to six-year lifespan with ongoing maintenance
  • Network equipment and software – Relatively stable, but some replacement required on a four to eight-year basis with ongoing maintenance
  • Cloud resources – Fairly stable; requires periodic payments, typically on a per-user basis
  • Security – Often under-invested, especially in the need for multi-layered defenses and ongoing security training
  • Support – Fairly stable in an MSP-supported environment
  • Training – Often neglected, but useful to boost productivity

The client seeks a stable, reliable, optimized IT environment; one that is patched appropriately and is secured against external and internal threats.

The second player:  The MSP

The MSP has a competent, stable, well-trained, and certified technical team with different levels of capability:

  • Technicians supporting end-user environments (PCs, Macs, mobile devices)
  • Engineers servicing back-office/Cloud networks (servers, firewalls, routers)
  • Consultants providing high-level planning, design, and troubleshooting

The technical team works closely with an account-management team, which owns the client relationship and maintains communications while advocating on behalf of the client.  The account-management team discloses the client’s interests and requirements within the MSP; they also set client expectations based on close alignment with the technical team’s schedule and availability.

The MSP spreads its resources across a manageable number of clients, typically assigning an account and technical person to each client.  Exceptions within the client’s environment are noted and shared, allowing others to assist when the assigned personnel are unavailable.

The billing is periodic, usually monthly, providing predictable, recurring revenue to the MSP to support its operations and finance its constant improvement.

The MSP is led by capable, experienced management utilizing a holistic service-management system for ticketing, account-management, reporting, etc.

Next:  What did the survey reveal?

CompTIA, a respected, IT-industry trade association, surveyed 350 companies in June 2015 to compile its Fourth Annual Trends in Managed Services Study.  Their results include:

  • 68% had used an outside IT firm in the last 12 months
  • 64% believe they use an MSP for at least one operational function
  • Six in 10 said it was a collaborative effort with the internal IT staff
  • Many seek efficiencies and competitive advantage in addition to cost savings

Most use their MSP in these areas*:

  • Repairing/troubleshooting IT systems
  • Deploying/installing/integrating
  • General IT consulting
  • Cybersecurity

*Please see “CIOs give Managed IT Service High Marks” by Dennis McCafferty of CIO|Insight.

Finally:  Where’s the value?

Value is not hard to define, but sometimes difficult to quantify.  Value can often be in the eyes of the beholder, having greater weight with one and less with another.

The easily discerned areas of value include*:

  • Highly competent resource to efficiently resolve difficult issues
  • Service Level Agreement (SLA) with detailed response times
  • Predictable support budget
  • Proactive, 24×7 coverage
  • Team approach
  • Reporting

*Please see 7 Advantages of Managed IT Services by Chase Moritz of Heartland Technology Solutions.

Some of the other, less-quantifiable considerations that come with outsourcing:

  • Secure, stable environment from well-honed best practices of the MSP
  • Strategic, flexible partnership with ongoing counsel
  • Supplement to existing IT team (if any)

For the client, our recommendation is to establish and maintain a strategic relationship with an MSP of similar perspectives and sufficient resources, one that can respond when needed, but acts proactively to manage, optimize, and secure your IT environment.  In a mid-sized IT environment, say 25 to 85 technology users, the typical IT challenges can be met by the MSP at a fraction of the cost of having a comparable team on your payroll.

Bryley Basics: Improve the battery life of your mobile device

Unfortunately, batteries degrade; they wear down with time.  Fortunately, here are some steps you can take to keep them working longer.

1.) Charging habits:

  • Unplug when charged – If the device says full charge; believe it, and unplug.
  • Don’t store at full charge – Wait a minute after charging before power-down.
  • Don’t discharge – Discharging a modern battery does not help; it is better to charge more often in short bursts than to discharge.

2.) Environmental concerns:

  • Keep it cool – Think room temperature or below, but well above freezing.
  • Let it breathe – When possible, keep the air flowing around the device.

3.) Device-specific features and tools:

  • Reduce the power-grabbing features on your mobile device:
    • Brightness – Dim it as the default; brighten only as needed.
    • Sleep mode – If you’re not using it, give the device some downtime.
    • Shut-off unneeded services – Enable GPS tracking only when required.
  • Use apps to automate battery maintenance:
    • Calibrate – Set up baseline status.
    • Monitor – Set alerts to warn of issues.
    • Automate – Automatically hibernate power hungry apps with Greenify (Android), Normal (iOS), and Carat (Android and iOS).

Please review the article Top 10 ways to improve battery life on your phone or laptop by Melanie Pinola of lifehacker.

Bryley Basics: Undo a sent email via Microsoft Exchange or Google Gmail

Google recently introduced a new feature, Undo Send, which permits the sender to retract a sent email; Microsoft has a similar, though somewhat limited, feature with the ability to recall or replace a sent email named Recall This Message.

Google’s Undo Send works for all emails, but it is time-constrained:  Google permits up to 30 seconds after an email is sent to Undo Send; however, any email-oriented activity other than Undo will end the countdown prematurely.

The Undo option is displayed along with View this Message after every sent Gmail-based email.  You must first access your Gmail account settings and enable Undo Send to make it work.

Bartie Scott of Inc. highlights Undo Send in her article How to Unsend an Email in Under 30 Seconds Flat.

Microsoft’s Recall This Message tries to stop delivery and, optionally, can replace a recalled email message.   Recall This Message requires an Exchange Server and stops email messages sent, but only email sent internally within your organization.  Also, the success of a recall depends on the recipient’s settings in Outlook:

  • If Automatically process requests… is enabled, recall will be successful
  • If disabled, the recipient will receive both the original email and the recall request; the original email is deleted only if the recipient opens the recall message first.

For more information, please view the Microsoft article Recall or replace an email message that you sent.

Given the short timeframe of Undo Send and the limitations of Recall This Message, your best option is to avoid recalling a message by:

  • Double-checking the To, Copy, and BCC recipients,
  • Ensuring that you have attached the desired file (if any), and
  • Giving yourself enough time to cool off before sending a heated email.

Selecting a Macintosh computer

Yes, the business world still thrives on Microsoft Windows; it remains the most-compatible platform for business-oriented applications.  However, we do have Mac users and they occasionally seek our advice.  Well, thanks to Laurie Lake of Macs at Work, a business partner of Bryley Systems located in Shrewsbury, MA, we can share these tips for selecting a Macintosh computer.

Basic steps in the decision process:

  • Define your preference – mobile or desktop
  • Make your choice and buy accordingly

Define your preference – mobile or desktop

Mobile workers will want a MacBook; Apple’s alternative to the Intel-branded Ultrabook, the MacBook is a sleek (13.1 mm), light (2.03 lbs.), mobile computer with an Intel processor, a 12” or a 13” Retina display, a 9-hour battery, and a full-size keyboard that can easily fit in a small carry-bag.  Prices start at $1,299.

The MacBook Air is a less-expensive, slightly heavier (2.38 lbs. to 3.48 lbs.) version with either an 11” (from $899) or 13” (from $1,199) display.  The processors are slightly faster than a comparable MacBook and storage can configure up to 1Tb, which is exclusively flash-based; electronic rather than mechanical.

The MacBook Pro comes with a 13” (from $999) or a 15” (from $1,999) Retina display powered by high-end graphics; it also has significant processing power (Intel dual-core and quad-core processors) with greater flash-based storage and the advanced, OS X Yosemite operating system.

If you are desk-bound and desire a larger display, a mouse, and a full-size keyboard with numeric keypad, you might consider an iMac.

iMacs come with quad-core processors and max-out with 3Tb of storage; the base units are of three basic types (measured by display size):

  • iMac 21.5-inch (from $1,099)
  • iMac 27-inch (from $1,799)
  • iMac 27-inch with Retina (from $1,999)

All come equipped with at least a 500Gb hard drive, wireless keyboard, and mouse or trackpad.

Make your choice and buy accordingly

If you spend most of your time on the road, a MacBook variation makes a lot of sense.  If your eyes are strong and you wish to minimize weight in your travel bag, get the 11” MacBook Air with the 9-hour battery.  If you need a larger display with greater processing and can accept the extra weight, go with the 15” MacBook Pro.

For office-bound users, get the most you can afford in your budget.  Always buy the largest display, the most Random Access Memory (RAM) and the greatest amount of storage that you can justify; with computing, more is generally better.

Please view the article by Roman Loyola of Macworld Which Mac Should I Buy? and the article by Jesus Vigo of TechRepublic Apple’s MacBook lineup:  Which works better for business?

Alternatives:  Choose a PC or an Ultrabook

We have visited this topic repeatedly over the years, but here are two suggestions:

Bryley Basics: Microsoft Windows is not as vulnerable as Apple OS or Linux

Due to their size and complexity, it is difficult to completely secure a computer operating system, which leaves them vulnerable to attack.  With the number of reported hackings, most might consider Microsoft Windows to be extremely vulnerable, but Windows actually ranked less vulnerable than Apple Mac OS X, Apple iOS, and Linux.

This ranking was made by GFI Software in 2014, which reviewed popular operating systems and the number and rating of reported vulnerabilities.  GFI reported these top-5 results:

  1. Apple Mac OS X – 147 vulnerabilities; 64 High, 64 Medium, and 16 Low
  2. Apple iOS – 127 vulnerabilities; 32 High, 72 Medium, and 23 Low
  3. Linux – 119 vulnerabilities; 24 High, 74 Medium, and 12 Low
  4. Microsoft Windows Server 2008 – 38 vulnerabilities; 26 High and 12 Medium
  5. Microsoft Windows 7 – 36 vulnerabilities; 25 High and 11 Medium

Microsoft’s Internet Explorer, however, was ranked as the most-vulnerable application followed by Google Chrome, Mozilla Firefox, Adobe Flash Player, and Oracle’s Java.

See the article from Swati Khandelwal of The Hacker News, Windows?  NO, Linux and Mac OS X Most Vulnerable Operating System in 2014.

Recommended Practices: Basic training for IT end users

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End users receive the benefits of IT, but usually with some pain involved, which they are glad to share with the IT administrators and technicians.  Oftentimes, the pain comes from not knowing the correct way to do something or from enabling malware; these can be avoided (or at least reduced) through proper training.

Training is usually considered optional, but the increased emphasis on security and compliance, along with the potential gains from trained users that are comfortable and knowledgeable with their IT assets and systems, can provide significant return on investment.

Training can play a critical role in the satisfaction of end users and in the security of the computer network.  It can provide end users with the knowledge to safely browse the Internet, reject harmful emails, and avoid trouble.  It is also important to define appropriate-use policies and demonstrate how to enter timely data into information systems.

Training topics

Generally, IT-oriented training occurs in these areas:

  • End-user equipment
  • Network resources
  • Applications
  • Policy
  • Security

End-user equipment

End-users have a myriad of devices, ranging from desktop PCs to terminals, tablets and other mobile devices; some have specialized items like hand-held scanners or terminals tied to a specific application.

The fundamentals are important:

  • Simple maintenance (cooling, ventilation, etc.)
  • How to operate the user interface (touch display, special keyboard, etc.)
  • Basic usage at the operating-system (Windows, Android, iOS) level

Ergonomics should also be considered; ensure that the equipment is optimized to the user’s body in the placement of displays, keyboards, mouse, etc. and that ergonomically correct accessories (gel-based wrist pads, comfortable seating, etc.) are provided and aligned properly.  (See Ergonomics Made Simple from the May 2014 edition of Bryley Tips and Information.)

Network resources

Resources available to end-users should be identified and demonstrated:

  • Printer features (b&w/color options, duplexing, etc.), location, and use
  • Multi-Function Printer (MFP) functions (faxing, copying, scanning) and use
  • Server names, basic purpose, shared folders, and access privileges
  • Conference-room display and wireless keyboard/mouse
  • Login credentials to Wireless Access Points (WAPs)

Labeling these resources makes them easier for end-users to identify.

Applications

Software applications fit a variety of functions, including:

  • Productivity suites:
    • Microsoft Office
    • Google Apps
  • Organization-wide:
    • Customer Relationship Management (CRM)
    • Professional Services Administration (PSA)
    • Enterprise Resource Planning (ERP)
  • Utilities:
    • PDF readers and writers
    • Password managers
    • File compression
    • Storage
    • Backup
  • Prevention:
    • Email protection
    • End-point security
    • Web filtering

(Software applications are discussed in the September 2013 through January 2014 editions of Bryley Tips and Information.)

Policy

Usage policies focus on the organization’s permissiveness (and lack thereof); they are designed to specify proper use and discourage improper behavior.

Most organizations have at least these IT-related policies:

  • Authorized use of computer network and its resources
  • Internet, email, and social media use and etiquette
  • Information Security Policy

Security

Security relies heavily on policies, training, and protective applications; the human element is the largest security risk in any organization.  Policies and training should encourage end-user behavior that minimizes security risks; protective applications help to enforce policies and to detect and remove problems when they occur.

Security training should include, at a minimum:

  • Anti-virus/anti-malware protection
  • Preventing phishing attacks
  • Password guidance
  • Safe web browsing

Many organizations will provide continuous training and reminders; some set up internal honeypots designed to lure end users into inappropriate behavior so that this behavior can be addressed and corrected.

Training process and related factors

The training process:

  • Set training goals
  • Assess end-user needs
  • Tailor the delivery methods
  • Create the training program
  • Scale the program to the audience

Trainers should factor in these items:

  • Budget training at the beginning of the project
  • Consider the needs and learning styles of the end-users
  • Marry the business context of the need to the IT training
