
Other Published White Papers:
First Published in the Grand Traverse Business News
January 2004
Timothy Gillen
Terrapin Networks
Data Security and Protection
Your organization's computer network exists to enhance your staff's productivity, and the productivity of your staff lies largely in the ready access to data. So what happens if that data goes bye-bye, as in destroyed? Or – and in certain circumstances this can be worse – falls into the wrong hands?
Whether you are involved in a for-profit business with payroll to meet and customers to satisfy, or in a non-profit organization charged with providing efficient services to constituents, the data your outfit generates in many ways defines its existence. How you treat that data can easily mean the success or failure of your efforts.
In the Information Technology (IT) world, we refer to data issues under two headings: Data Security and Data Protection. Data security is making sure the only people who see the organization's data are authorized to do so. Data protection involves protecting your data from harm or destruction.
Data Security
In the old days, back in the deep, dark past in the office world, there were pretty simple rules to handle protecting the company data: keys. Real keys, the type that locked filing cabinets, and closets, and sturdy desk drawers. Who had the keys could get to the data.
I know, that's quaint. And so 20th century. The reality now is very different, and that is a fundamental problem for any manager as he or she takes stock of the organizational data security: just how safe is it, and would I even know the difference?
Before we move much farther, let's step back just a bit and discuss the terminology: what exactly is “Data Security”? For reference, we will return to the 20th century and that bit about the keys, and the locked filing cabinets, and such. And we will think about what data it is that we need to secure. What would we have kept in those filing cabinets and desk drawers?
For starters, there is back office data: employee records, payroll records, and accounting and bank records. Pretty critical stuff. Then the operations data, such as shipping and production schedules, project plans, and vehicle tracking and maintenance. Hard to run the place without ready access to this data. And up in the front office, there is the sales and marketing data, and customer, client, or patient information. If this data is unavailable, or falls into the wrong hands, your organization is in quite a fix.
That's the data we used to lock up. We tried to put people who needed the data as close to the relevant filing cabinets as possible, and we hired extra staff to file things away so they could be found when needed. It worked at a certain level, but it took a lot of staff to keep track of it all, finding data could be a hassle, and there was no effective way to keep it out of the building in case of fire, flood, or theft.
So now most of that data, certainly the parts of it that require quick access (which is most of it, after all), are to be found on the computer network. And now who has the keys? How do we keep it locked up? That is Data Security.
Data security involves both inside and outside the organization. Inside, there are two issues: malice and mistakes. If the wrong user has the wrong rights they can do a lot of damage. Or a staff person may just do something ill advised, and suddenly critical data is gone. So for the inside folks, your staff, data security involves both malicious behavior and inadvertent errors.
For those outside the organization, the threat is almost exclusively of the malicious variety. The largest exposure here is your internet connection. In the past few years northern Michigan has been blessed with abundant sources of broadband, always-on internet connections, and many organizations large and small have taken advantage of this wonderful productivity enhancer. (We will deal with the productivity waster part of the internet at a later time!)
It is fair to say many outfits depend on the internet to the same extent they do their phone systems: it simply must be running. An easy mistake to make is to put so much effort into getting your network internet connection up and running that necessary security gets overlooked. You may recognize the syndrome: get it working, then back away slowly and hope it just keeps running. Someone brings up “How is the security on your internet connection?” and you respond “Don't touch it! It's working!” The malicious hacker types out there thrive on that type of inaction. Hey, if the lock on your front door quit working, you sure wouldn't take the approach “Well, I'll worry about that later…at least I can get in the front door!”
Actually, your internet connection brings threats from both inside and outside. Outside threats are easy to understand: exposure to your network from outside hackers taking control of all or part of your network and by extension your data, often without your knowledge.
Inside vulnerabilities from a broadband internet connection include nasty email attachments and spam that your users open (hard to say no to those great mortgage rates!). Another problem arises when users install and run certain problem applications. This would include spyware inadvertently accepted, or Gator, or peer-to-peer file sharing programs like Kazaa, and others.
So what is the solution? What are some best practices to address these data security issues?
For inside data security, the solution lies primarily in the network setup and the passwords. First of all, the network must be set up in such a way that security can happen. There must be the right type of equipment in place and it must be configured correctly. While this sounds fairly straightforward, many folks who know computers pretty well don't have a clue about installing and setting up proper internal security. Modern network operating systems make it very easy to set up internal security so users on the network only have access to what they should have access to. The key is having it set up by someone who understands how to do it.
Once the internal security is set up, there must be an effective password requirement in place. Passwords need to be strong, meaning Mary Smith can't use “mary” or “msmith” and they must be kept secret from other users. Letting everyone know your password is not much different than giving out a copy of those file cabinet keys to everyone.
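The "mary" / "msmith" rule above can be enforced automatically when a password is set. The following is an added example, not part of the original article: a small Python check that rejects passwords built on the user's own name or user ID, even when disguised with digits and symbols. The minimum length and the substitution table are assumed policy values.

```python
import re

MIN_LENGTH = 12  # assumed policy value, not from the article
# Common look-alike substitutions undone before comparing (assumed list).
LEET = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}


def name_tokens(full_name, username):
    """Build the strings a password must not be based on."""
    parts = [p.lower() for p in re.findall(r"[A-Za-z]+", full_name)]
    tokens = set(parts) | {username.lower()}
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        tokens |= {first[0] + last, first + last, last + first,
                   first + last[0]}
    # Drop very short fragments that would match by accident.
    return {t for t in tokens if len(t) >= 3}


def normalised_forms(password):
    """Lower-case, undo substitutions, keep letters only.

    The digit 1 is used for both "i" and "l", so both readings are tried.
    """
    forms = set()
    for one in ("i", "l"):
        table = str.maketrans({**LEET, "1": one})
        forms.add(re.sub(r"[^a-z]", "", password.lower().translate(table)))
    return forms


def check_password(password, full_name, username):
    """Return the reasons a password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    forms = normalised_forms(password)
    hits = sorted({t for t in name_tokens(full_name, username)
                   for f in forms if t in f})
    if hits:
        problems.append("based on user name: " + ", ".join(hits))
    return problems
```

Called as `check_password("M$m1th-2004!xx", "Mary Smith", "msmith")`, it reports the password as name-based even though it is long and mixes character types.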
And remember, inside security also includes physical security. If your company's file server sits in the break room, well, don't be surprised if a curious employee on the second shift can't resist the temptation to have a look around. The server or servers need lots of ventilation and to be locked up if at all possible.
For the outside threats the starting place is an Internet firewall. This must be on the network and not on workstations. Depending on the size of your network it can be an inexpensive firewall appliance or a dedicated firewall server. Don't depend on your internet service provider (ISP) to handle this for you.
Another threat that can hit from either outside or inside is a virus. You will need network anti-virus software. This needs to be from one of the main suppliers for anti-virus software and should be set up to update and scan files automatically. It must be installed at the file server as well as the workstations to have optimum effectiveness.
Data Protection
Data protection is protecting your data against loss. As in data security, threats come from both inside and outside. Data protection is all about the ability to get your organization back up and running in the event lost data impedes your ability to function. That could mean a catastrophic event such as a fire or flood, or a break-in and robbery. And as in our other scenarios, data loss can be staff generated, either by inadvertent mistake or malicious act.
Data protection, in large measure, revolves around backups. In most cases, this boils down to a tape backup drive, which is still the best solution for most networks as a primary backup device. Network Attached Storage (NAS) devices are becoming viable for smaller networks, but from a data protection standpoint they are still only a piece of the puzzle. Likewise for other types of backup other than tape; they often have their place. But for now, tape is still king. And keeping at least one recent copy of your backups off-site, meaning out of your building, is also critical. That is your only protection for fire, flood, theft, or what have you.
It is imperative that your network is set up in such a way that all the data ends up on the file servers protected by the backup devices. An organizational policy stating no data on the workstations, along with proper network configuration, is necessary. Otherwise you will have sensitive data on user workstations where it is not backed up, and that's not good.
Some common pitfalls to avoid:
The moral of the story: take this stuff seriously. You will be accused of being paranoid and delusional as you attempt to implement these types of practices on your organization's network. That's OK, don't be discouraged. Forge ahead in your efforts. Remember, as Mark Twain once said, “Just because you're paranoid doesn't mean they aren't after you!”.
Network Documentation – Do Your Computer People Have the Right Stuff?
Originally published in the Grand Traverse Business News
February 2005
It's the day before payday, and your accounting staff is working on the payroll. Except the checks aren't printing right! It all worked fine for the last pay period. Now's definitely not the time for your computer network to start misbehaving. And to make matters worse, everything is on hold while your computer person looks for an obscure piece of information that seems to have disappeared.
Your IT system (IT is short for Information Technology) is likely as much the lifeblood of your business as are the telephones. If it goes down and your people can't do their work, you may be forced to send them home for the day. Ouch, that could cost you some big $$$!
The faster you can get your IT system up and running, the less a failure will cost you. One important, but often overlooked, step to a quick recovery is adequate network documentation. But you'd be surprised at how many businesses have little or no organized documentation for their computer systems.
Simply put, network documentation is a detailed road map of your computer system that shows how all of the pieces of the puzzle fit together. When problems occur, it's likely that you will need to refer to this map to locate the source of the trouble. The landscape can be daunting: the computers at everyone's desk; the file servers back in the back room; the software that your employees use every day; the various printers; the internet connection; the ancillary pieces such as the data backup devices, internet firewall, anti-virus software, email servers and software; and perhaps even a company web site. Whew! That's a lot of stuff to keep track of.
Just as you keep documentation on your staff (when they were hired, vacation days, pay records, etc.), it's important to keep up-to-date information on your IT system. Because sure as rain, it will likely go down the week after your IT person, who kept all of this stuff in his/her head, makes a career move and leaves you searching through files to find a user ID.
It is essential that you, as the company CEO, insist that your IT people (or IT contractor) keep these records, because it's one of those pesky things that always seem to be put off. Here's a short list of the things that need regular updating and some suggestions on how to accomplish them:
Start with a network map. This is a visual representation of how the parts are connected together. There are lots of software packages that help with this; a common choice is Microsoft Visio, which includes graphics of workstations, file servers and such to help make your map. Lanflow is another excellent choice.
Once you get a good map together, proceed with details on all the relevant equipment: workstations, file servers, routers, and so forth. You will want specifications, serial numbers, asset tags, everything. Then move on to all of your software. Document current release versions and licenses for each package. As with the network map there is excellent software to help with this task; an inexpensive piece of software that works quite well is EZAudit. The Track-IT software from Intuit and iQuate products are good choices, too. These types of programs, and there are many, fall under the heading of “Asset Inventory” and “Software Auditing”. Next, document the more technical stuff such as IP addresses, domain names, router and firewall setups, specific security settings, tech support numbers, user IDs, and so forth.
And finally, it's a good idea to include a narrative of the IT system and how, in general, it is set up. This would include any custom software you may be running: its name and which department it's used for. It would look something like an essay, where the IT system setup is described in everyday terms (as much as any IT system can be described in “everyday terms”!).
Network documentation is the job of the IT department, so make them do it. Whether you utilize an in-house or outsourced IT department (or a combination of both), you need to communicate to them that this is important and that you want it done for the good of the company. Don't let them just keep it in their head, as that won't help you when that tech's head is no longer part of your organization. Have them print out 2 or 3 copies of everything – one for you, another for the office manager or controller and one for the IT department itself. Do this on at least a quarterly, if not monthly, basis. With the software I mentioned above, it really doesn't take that much time to keep it all up to date.
Remember, having your IT system well documented is an important step toward a faster recovery when problems occur.
Timothy Gillen is the owner and CEO of Terrapin Networks in Traverse City.
He can be reached at 231-941-2100