Blog

August 29th, 2011


As we “weathered” the storm and come out the other end, what have we learned from this event? My home and my office are in the same town, but on different ends, and they experienced the storm differently. The roads around my office were flooded and it could not be reached (except by boat), but it had power and connectivity. I use the term physical isolation with connectivity in the BDR whitepaper (http://triadanet.com/bdr) that I published recently. At home, we had a complete loss of power and Internet connectivity, except for laptop power and 3G/4G connectivity using a Verizon MiFi.

Pre-Storm

First we assessed our situation with all of our clients. Although our backup systems have a combination of automatic checking and some periodic manual checking, we felt it was prudent to review each client at a moment in time prior to any potential outage. We reviewed existing backups both onsite and offsite and added some additional backups to take place if it made sense to minimize recovery point gaps (Recovery Point is the difference between your last backup and when you suffered your outage…and therefore the gap in data loss when you bring things back online). This also had the added benefit of potentially reducing recovery times (Recovery Time is how long it would take to bring systems online from when an outage or disaster is declared). We felt these were important since the event could potentially take out more than one client at a time and reducing both of these would allow us to bring up more clients sooner.

During the Storm

During the storm and prior to our power outage at home, I monitored systems in each client office: services, power, and connectivity. Where we were able to, we tested UPS systems to ensure that a power disruption would give us time to shut equipment down without damage.  The majority of the storm took place after hours in our area. When we lost power at our home on Saturday night/Sunday morning, I continued to monitor my own systems. Fortunately, our office network did not suffer a power outage and we were able to continue to remotely monitor our clients’ systems.

Post-Storm

In the morning, I was able to check remotely whether our clients’ systems were still operational and provided updates to each of them. Many customers had trouble getting into their offices because of flooding, transit issues, or downed trees, so they worked remotely. Ensuring that their remote connectivity was available was key.

The other issues that arose involved systems and connectivity outside the scope of the office and its locations. For example, one client had perfectly fine Internet connectivity, but one of the peering relationships was not working well and therefore voice calls were not passing through properly. These types of issues are difficult to diagnose and report, particularly after a major event when the ISP is worried about making sure its customers are up and running and not necessarily about the problems any peers may have. This is unfortunate because it ultimately affects the service of a broad number of clients.

Another issue that came up was people working from home (including myself). Fortunately, I was able to reach my office. But many who commute into New York City were cut off, and local coffee shops didn’t have power or were otherwise closed. Those who had cellular service were at least able to use those devices to keep in contact by phone and email.

Final Points

As I look at some of the locations that were harder hit than the NYC metro area, it is obvious that this could have been a bigger concern than it was, but fortunately we had the right kinds of processes and systems in place that allowed us and our customers to get through it. But like anything, there is always room for improvement. Besides letting clients know that their systems were still operational during or after the storm, greater communication leading up to a known event should have taken place. In addition, since some events, unlike a hurricane, cannot be planned for, periodic communication in addition to testing plans would be prudent to keep things top of mind.

Knee-Jerk Reactions

One unfortunate side effect of this sort of event is knee-jerk reactions and vendor FUD (Fear, Uncertainty, Doubt). For example, one of the things cropping up is the large number of cloud-related vendors telling companies that if your systems had been in the cloud, you wouldn’t have had downtime or worried about an outage. This is only partially true. (See “Learning from the Cloud Outages and Failure Planning”.) Just like anything else, your systems have to be properly planned out and you need to understand what sort of events you are going to be protected from. Maybe you have an in-house system that you can still use when your office does not have Internet connectivity; that would not be a good candidate to put in the cloud. But if you have an application that can be used by a distributed workforce, or you have backup systems, those may be good candidates for the cloud. A cloud or hosted solution for your particular critical applications can be a completely viable solution, assuming you understand the caveats, or it may not be. Do your homework and talk to your trusted technology advisor.

Published with permission from Triada Networks. Source.
August 26th, 2011

3 Day Forecast Track

Hurricane Irene is moving up the east coast this weekend and current forecasts have it running straight through Northern New Jersey, Manhattan and Southern Connecticut.  Is your business prepared? Is your family?

Statistics show that disaster preparedness is the single greatest way to increase your odds that you will come out the other end in good shape. For your home, the Red Cross has put together a checklist that you can download and use. Download it here. You probably already have most of these items in your home, but it may make sense to drag them out and put them all in one place.

Keep cellphones charged, use text messaging, and turn off extra services like GPS and WiFi to keep battery use down. Keep cash on hand, as power outages will affect credit card transactions and ATMs. If you have to evacuate, power down your equipment at home and turn off the water and gas. If you have a generator, make sure you have adequate fuel.

Chances are that, like most hurricanes, Irene will have largely diminished by the time it reaches us, but with heavy rain and wind comes a high potential for loss of power and area flooding. Make sure you have the right supplies to safely get around your house, including flashlights with batteries, safe candles, etc.

Have you put together a Disaster Plan for your family? Where do you go and how do you contact each other if you are separated either before, during or after an event? What are each family member’s roles and responsibilities?

Now that your family is in order and prepared, is your business? Most smaller businesses shut their doors after a major event, never to reopen. This is a sad state of affairs. Just like preparing your family for disaster, preparing your business is the single greatest way to ensure it comes out the other end. Many of the same items for your family apply here as well.

  1. Ensure that backups are working and are moving offsite. Leaving your backups in your office is not going to help you here. Hopefully you have also tested your backups to make sure they are available. You don’t want the first time you test to be in the middle of an event.
  2. Shut down non-essential systems that require power, such as desktops, printers, and monitors.
  3. Test your UPS to ensure that it can withstand a brief outage while you shut down the remainder of your systems.
  4. Talk with your employees to make sure they know what the communication plan is. Even though Irene is set to pass our area between Saturday evening and Sunday, what will the after-effects be for your employees on Monday? Will they be able to make it into the office? Will transit services be available? If you allow remote work and everyone is working remotely, will that overrun your systems and make them unusable for essential work?
  5. Gather any documentation and bring it with you. Having a Disaster Preparedness manual sitting on a shelf in the office isn’t going to help you if you can’t get into work.

Do you have a Disaster Preparedness plan? Sign up to receive our Pragmatic Business Backup and Business Risk report for free: http://triadanet.com/bdr

August 16th, 2011

If you are a business owner that is concerned about employees wasting time online using non-work-related web sites like Facebook or Twitter – OR WORSE, using company resources to access pornography, gambling sites, hate groups or more – then read on.

Why You Should Be Concerned

While it’s not uncommon for employees to waste a bit of work time on relatively harmless activities, such as shopping or visiting a favorite sports site, times have changed; employers are learning the hard way that employee use or abuse of a company’s Internet system can lead to significant liability and time wasted if not monitored.

For example, one business owner (who will remain nameless) shared that they received a panicked phone call from the office while traveling. The police had shown up and arrested one of their staff for soliciting a minor online. Since he was doing this during work hours from the office, that’s where the police showed up to arrest him – clearly a PR nightmare. And stories like this are happening EVERYWHERE.

Then there’s the wasted time. Social media sites like Twitter and Facebook are addictive. If your employees are constantly “plugged in” to those sites, they won’t be nearly as productive at work as they should be.

How To Solve This Problem

Protecting your company requires two simple steps at a minimum. The first is to have a written company policy that details what employees can and can’t do with company resources or during company hours. Next, you’ll want to have a content filtering system in place that will enforce your policy by automatically “policing” your company e-mail and Internet usage, blocking sites and content you don’t want your employees to access without hindering their ability to work online.

Free Productivity And Security Assessment

Mark Twain once said, “Supposing is good, but knowing is better.” Find out what your employees are doing. Drop me an email at raffi@triadanet.com or call us and we’ll provide you a report on your employee activities over a period of time.

August 10th, 2011

As a business owner you know that your data is important to you and that most businesses can’t run unless their data is available to them when they need it. Backups are performed in order to make sure that your data can be recovered if something should happen.

The ONLY way to completely protect your data and guarantee that you could restore it after a disaster including theft, flood, or hacker attack, is by maintaining an up-to-date copy of your data in a high quality secure facility.

An online backup service (sometimes called off-site backups, remote backups or managed backups) is a service that allows you to maintain a secure copy of your data in a different location than your office. This type of service is usually run automatically over the Internet connection to a high-security facility. There is no question that every business owner should have an offsite copy of their data; however, there ARE big differences among online backup services, and it is critical that you choose a good provider, or you could end up paying a lot of money only to discover that recovering your data (the reason you set up online backups in the first place) is not an easy, fast or simple job.

What do you look for?

Most business owners that we’ve met aren’t sure what to look for in a backup service. There are hundreds of companies offering this service because they see it as an easy way to quickly make money. But not all service providers are the same and you want to make sure that you pick a good, reliable vendor that doesn’t burn you with hidden fees, unexpected “gotchas” or with the discovery that your data wasn’t actually backed up, leaving you in the lurch when you need help the most.

  1. Military-grade security, data transfer and storage. This may seem obvious, but you would be surprised how many providers are keeping your important data mixed up with other customers’ data on a cheap computer in the back of their office.

     a. Ask your provider if they are HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, or SEC/NASD/FINRA compliant. These government regulations dictate how organizations with highly sensitive data (like financial services firms or medical practices) must handle, store and transfer their data. Even if you are not an organization that falls under one of these regulations, you still want to choose a provider who is, because it’s a good sign they have the right security measures in place.

     b. Make sure the physical location where the data is stored is secure. Ask your provider if they have a SAS 70 audited facility that includes video surveillance and allows only authorized personnel to enter the site.

     c. Make sure the data transfer is encrypted with the highest possible military-grade encryption that is available, to prevent hackers from accessing the data while it is being transmitted to the facility.

  2. Multiple data centers that are geographically dispersed. Around the country, and even in the Northeast, we have seen events that have disrupted whole regions. Similarly, your backup vendor should have their systems in different locations to make sure you have availability during an event that affects one of their facilities.
  3. Demand the ability to receive overnight copies of your data on DVD or some other data storage device. If your entire network gets wiped out, you don’t want the Internet to be the only option for recovering your data, because it could take days or weeks. Ask your online backup provider if they will provide your data back to you on DVDs or a USB drive.
  4. Similarly, ask your service provider if you have the option to have your initial or seed backup performed through a hard copy. Trying to transfer a large amount of data online could take days or weeks. If you have a large amount of data to back up, it would be faster and more convenient to ship them a USB drive.
  5. Make sure your data can be restored to a different computer than the one it was backed up from. Believe it or not, some backups can only be restored to the same computer they came from. If the original computer is no longer available (burned in a fire, stolen, crashed, destroyed in a flood), you’re left without a viable backup.
  6. Demand daily status reports of your backup. Although your backup vendor should be managing the backup to ensure it is working properly and should be on top of any problems, they should give you the option of a report on whether or not the backup ran and whether it was successful. The more professional providers should allow you to notify more than one person in addition to yourself.
  7. Demand help from a qualified technician. Many online backup services are “self-service.” This allows them to provide a cheaper service to you. But if your backup isn’t set up properly, the money you save will be insignificant compared to the losses you may suffer. At the very least, ask your provider to get on the phone with you or to remotely check your settings to make sure you did the setup properly.

The Single Most Important Thing To Look For When Choosing an Online Backup Service Provider

While all of the above checks are important, one of the most critical characteristics is finding a company that will do regular test restores to check your backup and make sure your data is recoverable. You don’t want to wait until your data is wiped out to test your backup; yet, unfortunately, that’s what most people do.

If your data is sensitive and you can’t afford to lose it (and who could?), then test restores should be done at least monthly. If your situation is a little less critical, then quarterly tests would be fine.

Backups can become corrupt. By testing them periodically, you’ll sleep a lot easier knowing you have a good, solid copy of your data available, just in case.

If you are interested in receiving our Free Whitepaper on Pragmatic Business Continuity and Business Risk, click here and fill out the form

or contact us for a Free Data Security Analysis

July 9th, 2011

If you’ve read my previous post regarding password risk, you’d probably correctly guess that my answer to this question is “yes.” Most people select simple passwords and use them on multiple websites. If one site that may be a low security risk (a blogging website) is compromised, the same password can then be used to connect into a medium security website (Facebook) or a high security website (banking).

It’s recommended that you use different passwords on different websites. This can be managed using a password management tool like Lastpass or 1Password. Another way is to use different passwords for your high and medium security vs your low security sites.

Should I change My Password?

While listening to the Risky Business Podcast, I heard Patrick Gray interview Daniel Grzelak of ShouldIChangeMyPassword.com. Daniel compiled a database of all of the email addresses from recent breaches. These databases were acquired when hackers placed them in the public domain. Daniel provides a system for you to look up whether your email address is on one of those lists and the date of the breach. His sources page shows which breach databases were acquired on which dates, so you can see which attack exposed your information.

On the surface you may think that this would provide hackers with information about your account (i.e. if I enter joe@domain.com and it comes up that it was compromised by Lulzsec on 6/25) and make it easier to attack. Frankly, the hackers already have these lists and can easily obtain the credentials that were exposed during these attacks. By checking this website with your email address, you can find out if you were on these lists.

July 6th, 2011

We visit companies each week that are receiving their IT support in different ways. Unfortunately, most small business owners and employees are not aware of another way of doing things, or feel that making a change will lead to a significant increase in cost. We find that most small businesses are spending more for their IT services than they realize, both overtly and in hidden costs.

Inside Job

More frequently than not, there is an employee in the company who is more tech savvy than the rest, and he/she gets saddled with doing the technology work. Frequently this person may be a power user but may not necessarily be able to resolve the issues that come up. They will be online searching for answers and help, meanwhile not doing their “day job.” The loss of productivity of this staff member (or the owner!) can be costly and ultimately may put the business at risk. Most of the solutions that get implemented have their roots in home-user technology or the stuff that can be easily purchased from a big box or consumer electronics store. However, even really small businesses are underserved by this sort of setup, and the seemingly low costs associated with those purchases will lead to more expensive issues down the road.

Uncle Bob

We receive calls from companies that utilize a family member or a friend of the family who may work in Corporate IT and does some work on the side or as a favor. The problem is that this person isn’t always as available as a small business that relies on its technology needs. Most Corporate IT professionals will have a narrow view of just their company and may not know the most efficient way to support your small business. They may also have a specific specialty like networking or email, while most businesses need a broader view.

Feed the Meter

For those companies that have made the jump to hire an IT services firm, the majority are paying Time & Materials or by the hour. Every time you have an issue or contact the vendor, the clock starts running and a bill is issued. This may seem like a cost-effective way to run your business, as you only pay for the services that you need. But these companies profit each time you have pain. It is difficult to budget for, as you don’t know whether something that was just fixed won’t just break again a few weeks down the road. If it’s an issue that they have not uncovered before, you’ll be paying for them to learn how to solve it for their next client that has the same issue, since they’ll be able to solve it faster in the future.

Monitor and React

In an effort to drum up more business, many IT services firms have been installing monitoring systems that will alert them when something goes wrong, then they charge you to fix it. Although it is proactive, it is a proactive way to increase billable time rather than proactively resolving the issue. It is just as difficult to budget for as the hourly services company and similarly it capitalizes on your pain, although reaction times will typically be better than the reactive support model.

True Managed Services and Infrastructure as a Service (IaaS)

The latest evolution of IT services provides small businesses (and even larger businesses) a better approach to management and support. It includes reactive services and monitoring as noted above, but it will typically be unlimited in nature. These companies are able to do this because they add a layer of proactive maintenance around all technology systems whose purpose is to optimize the IT environment, minimize downtime and ultimately increase productivity for a fixed price. This is your typical baseline Managed Services-based IT provider. Others will also include CIO-for-hire services, vendor management, business continuity design and planning, and design-desk resources in the plan to give the small business owner a complete technology story. These providers feel the same pain that you do when you are down, as it costs them money. The faster they can get you back up and running with minimal resources, the more profitable they are, and the more profitable you are. An extension to this are the IaaS companies that will also add things like hosted/cloud applications and servers, Hardware as a Service (no capital outlay), and other services that bring you one fixed price to pay each month with no surprises.

Granted, this isn’t for everyone. Your company would have to be the type that relies on its technology, networks, and computers to work and be available in order to reap the value provided. For the same or less cost than hiring a full-time IT person, small businesses can get better support for their systems, proactive maintenance, and a broader vision of what IT should be and how it can service and enable your business to move forward and grow.

June 25th, 2011

It’s that time of year again. Summer has arrived and kids are getting out of school. With more families staying home rather than sending kids to camps or going on vacations, kids will have some idle time on their hands. As a parent, I completely believe that you should keep your kids as busy as possible without burning them out. That includes sports and other outdoor activities, reading (I’m a bad example there), and tinkering in their own hobbies.

Unfortunately, our kids have a lot of negative influences on them from the TV and online worlds. The vast resources of the Internet are both a blessing and a curse. How do busy parents keep on top of how their children are using the Internet? I’m not about to tell you how to raise your kids, but I wanted to provide you a few tips we use in our home.

  1. Computers must be used in common areas of the home. In our small town, the police officers are constantly patrolling our streets. It keeps crime down because there seems to be a patrol car around the corner most of the time. Similarly, our children are less likely to browse websites that we don’t approve of if they use computers in the family room, den, or play room.
  2. Use a “whole house” filter. There are many tools out there that allow you to lock down your computers and add parental controls. Both Windows and Mac computers have some rudimentary parental controls built right in. But many kids today have iPods, iPads and other devices that you can’t easily load software onto to monitor and block this sort of activity. We use OpenDNS (http://opendns.com) as a way to ensure the really bad stuff is being blocked and that anything else is logged. It is free to use and fairly simple to set up.
  3. “Trust but verify.” Although OpenDNS is very good at dealing with web traffic, there are other items that you may want to keep an eye on, such as activity on social networks like Facebook or video chat programs like Skype or ooVoo. If your kids are old enough that you allow them to use these services, keep on top of it: check out their chat logs either directly or through some surveillance software like SpectorSoft (http://Spectorsoft.com – full disclosure: Triada Networks is an authorized reseller of SpectorSoft).
  4. Communicate. Probably the most important tip is to communicate with your kids about the safe use of the Internet. Use articles or news topics to discuss issues such as online bullying or harassment, and talk about embarrassing photos that others have left online only to bite them in the future. Ultimately you can’t rely on tools and tricks to protect your kids. You just have to be there and hope that you stop the accidental stuff, or catch it when curiosity goes beyond what you think is healthy.

Here are some additional websites:

What do you do in your home?


June 25th, 2011

I recently was brought a friend’s computer that had been compromised by some malware. It was infected with a rootkit, which is software that allows access to the computer while it hides its presence from anyone that has administrator access to the machine by injecting itself into key components of the operating system, and several other bad guys.

After using multiple tools to do some cleanup (one tool is rarely enough anymore) and bringing the computer up to date with the latest Windows patches and other software, I was discussing the situation with my wife and she asked a poignant question: “could they have taken anything off of the laptop?” And of course the answer was a definite possibility. So to alleviate my fears I wanted to make sure that the owner of the laptop did not have any Personally Identifiable Information (or PII) on their laptop. This would include Credit Card Numbers, Social Security Numbers, Drivers License Numbers, etc. I used to know of a tool several years ago that used some DNA fingerprinting algorithms to identify PII and other things, but the software company (and its owner) disappeared several years ago. In my search I came across two tools that I found interesting and easy enough to use for anyone.

Cornell Spider

http://www2.cit.cornell.edu/security/tools/

Cornell Spider is an Open Source project from Cornell University, as the name suggests. It currently has a version 4 Beta that is available for download. Once it’s installed, it presents a simple dialog box where you select what you want to search for and where, and it’s off to the races. It’s limited to searching for Social Security Numbers, Credit Cards and Drivers License Numbers in the US and Canada. This was enough of a search for me. It scanned through the hard drive and identified all of the places where it thought there was PII data lurking. I ran the Cornell Spider against my machine and it identified a number of files potentially containing PII. I found that most of what the Cornell Spider found were false positives, but it did identify several locations that indeed had credit card numbers, mostly PDF files that I had filled out and faxed to vendors. Unfortunately the Cornell Spider (although successful on my friend’s laptop) crashed before it completed on my computer.

Identity Finder

http://www.identityfinder.com

Identity Finder is a commercial product that has several licensing options for individuals and corporations. I downloaded the free home version that runs in Windows (they have versions for Mac OS X as well). Identity Finder has a simple wizard that it goes through for a quick search. The Free version will only look for Credit Card Numbers and passwords, and only in your standard Documents or My Documents folder. I decided to go ahead and purchase the Premium Identity Finder, which was less than $40 for up to 3 computers and 1 year (Mac or Windows). I reran my original search to compare it to what Spider found before it crashed. Identity Finder more thoroughly scanned through file types that Spider could not and identified locations that potentially held identifiable data. The Premium version also has some additional features like securely destroying, redacting, or vaulting items that are stored in the clear. Another handy feature is the ability to put in your own search terms, like your mother’s maiden name or perhaps the name of that secret formula you’re working on. You know which one I’m talking about. It was very simple to identify the type of PII that was found (passwords vs. bank account numbers, for example).
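Both tools above work by pattern-matching candidate identifiers and then (with varying success) weeding out the false positives the post describes. The following is an added illustration written for this page, not code from Cornell Spider or Identity Finder: it finds US Social Security Numbers and payment card numbers in text, applies the Luhn checksum and the SSN assignment rules so that random digit strings are dropped, and masks what it finds. The sample text is constructed.

```python
"""Added example: a minimal PII scanner in the spirit of Cornell Spider and
Identity Finder. Illustrative code for this page, not either product's logic.
It looks for US SSNs and payment card numbers and shows why a bare pattern
match over-reports: a Luhn checksum and the SSN assignment rules discard
most random digit strings. The SAMPLE text below is constructed."""
import re
from dataclasses import dataclass

# Candidate patterns. Cards: 13-19 digits with optional single spaces/dashes.
# SSN: NNN-NN-NNNN. Both match far more than real identifiers.
CARD_RE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")
SSN_RE = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")


@dataclass
class Finding:
    kind: str     # "card" or "ssn"
    value: str    # matched text as it appeared
    offset: int   # character offset into the scanned text


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSN assignment rules: no all-zero part, area never 666 or 900-999."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan(text: str) -> list:
    """Return Findings that pass the validity checks, ordered by offset."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", m.group(0), m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def redact(text: str) -> str:
    """Mask each finding, keeping its last four characters for reporting."""
    out = text
    for f in reversed(scan(text)):  # work from the end so offsets stay valid
        masked = "*" * (len(f.value) - 4) + f.value[-4:]
        out = out[:f.offset] + masked + out[f.offset + len(f.value):]
    return out


# Constructed sample. 4111 1111 1111 1111 is the well-known Visa test number
# (passes Luhn); the 16-digit tracking id is random and fails it; the two
# placeholder SSNs fall outside the assignment rules.
SAMPLE = """Order form faxed to vendor, card 4111 1111 1111 1111 exp 03/13.
Tracking id 1234567890123456 is not a card. Employee SSN 123-45-6789.
Placeholder 000-12-3456 and 666-01-0001 are never issued."""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:4} at {f.offset:3}: {f.value}")
    print(redact(SAMPLE))
```

A real scanner would walk a directory tree and extract text from PDFs and Office documents first; the matching and validation logic stays the same.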

Summary

Both of these tools (and there may be others) are definitely useful, but for most businesses and home users, Identity Finder is definitely easier to use to find your risk points. And for the price, it’s worth giving it a shot. Just as a disclosure, Triada Networks does NOT have any relationship, directly or indirectly, with Cornell University or the makers of Identity Finder. However, after seeing what it can do for consumers, that may change. With the rampant data theft occurring in businesses and the public sector, it is important to understand where your risk points are and make decisions based on that.

June 16th, 2011

I recently did a presentation on datacenter performance monitoring with Ziff-Davis. Here are my slides if you are interested:

April 29th, 2011

The biggest technology related news this week, besides the Royal Wedding, has been the various outages with online services and cloud providers including Amazon, Rackspace, Yahoo, and Sony. This isn’t the first time this has happened and it won’t be the last. Cloud detractors use it as a way to show how the cloud or more broadly online services can’t be trusted for your corporate data or applications.

I’m not going to argue that point. I think there is enough fear, uncertainty and doubt (FUD) around it, and there are plenty of cloud cheerleaders positioning themselves on the other side. However, I wanted to discuss something that is being somewhat forgotten in the midst of all the cloud frenzy, and that is proper planning. It seems many companies, both large and small, are putting applications and data in the cloud and assuming they are automatically going to be resilient to outages. Cloud proponents maintain that service providers who are in the business of providing hosting services are better positioned to run datacenters and infrastructure than most businesses. I frankly don’t disagree with this statement; however, ultimately it is the business’ or their consultant’s responsibility to properly design the entire environment that sits on top of the cloud provider’s infrastructure. A failure in a component of the cloud ecosystem should not cause a complete outage.

If your business dictates that a system you are building requires high levels of uptime, you must include that in your design, whether it is a cloud-based or traditional infrastructure. It is as if a failure in a database-driven web application that had two or more web servers but only one database server were the fault of the database server vendor rather than the architect who set up the infrastructure to begin with. Similarly, if you are building services that use an elastic compute front-end and its back-end storage is only on a single storage system, you run the risk of an outage affecting the storage system taking the whole system down.

There are always trade-offs between the cost of a resilient system and the amount of uptime required. For example, if you require 99.9% uptime (which amounts to around 9 hours of unplanned downtime each year), then you need to build a system that supports that, and adding additional ‘9’s grows the cost exponentially. An online flower merchant should plan based on the fact that these 9 hours may occur during the days leading up to Valentine’s Day, for example. Of course, in all likelihood outages wouldn’t all cluster together and happen at the same time.
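To make the two-web-servers-but-one-database point above concrete, here is an added worked example (written for this page, not from the original post or Triada Networks). It computes the composite availability of a two-tier design from per-component availability figures, which are constructed assumptions, and converts the result into the hours-per-year and number-of-nines language used above. The single database node is a serial element with no redundancy, and it dominates the result no matter how many web servers sit in front of it.

```python
"""Added example: composite availability of a two-tier web application.
Illustrative code for this page, not from the original post. Per-component
availability values (0.99 each) are constructed assumptions; independent
failures are assumed, which is optimistic for real infrastructure."""
import math

HOURS_PER_YEAR = 24 * 365   # 8760, non-leap year


def downtime_hours(availability: float) -> float:
    """Unplanned downtime per year implied by an availability fraction."""
    return (1.0 - availability) * HOURS_PER_YEAR


def parallel(*avail: float) -> float:
    """Redundant components: the tier is down only if every member is down."""
    unavail = 1.0
    for a in avail:
        unavail *= (1.0 - a)
    return 1.0 - unavail


def serial(*avail: float) -> float:
    """Components that must all be up for the system to work."""
    result = 1.0
    for a in avail:
        result *= a
    return result


def web_app_availability(web_nodes: int, db_nodes: int,
                         web_avail: float = 0.99,
                         db_avail: float = 0.99) -> float:
    """Web tier (parallel pool) in series with the database tier (parallel
    pool). With db_nodes == 1 the database is the single point of failure
    the post warns about, and the web tier's redundancy cannot compensate."""
    web_tier = parallel(*([web_avail] * web_nodes))
    db_tier = parallel(*([db_avail] * db_nodes))
    return serial(web_tier, db_tier)


def nines(availability: float) -> float:
    """Approximate number of 'nines' (0.999 -> 3.0)."""
    return -math.log10(1.0 - availability)


if __name__ == "__main__":
    # Compare the design the post criticises against adding a second database.
    for web, db in [(2, 1), (2, 2), (3, 2)]:
        a = web_app_availability(web, db)
        print(f"{web} web + {db} db: {a:.4%} uptime, "
              f"~{downtime_hours(a):.1f} h/yr downtime, {nines(a):.1f} nines")
```

With the assumed 0.99 per node, two web servers plus one database lands at roughly 99.0% (about 88 hours a year), while adding a second database node brings the same system to roughly 99.98% (under 2 hours), which is the difference the post's "addressing it in the design" is about.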

Unfortunately, businesses have been hastily throwing their applications and data into the cloud (even very large systems) without failure planning. Without failure planning, businesses expose themselves to undue risk. Whether you are planning applications in your office, at a hosted datacenter, or in the cloud, proper planning with failure in mind is more important than anything.

We have a free whitepaper available at http://triadanet.com/bdr that talks about risk reduction through planning in backup and disaster recovery, in broader terms for the entire organization.
