Sunday, September 30, 2012

Saving Money with IT Security Processes. Example 4/26: Identifying SPOFs with Network Architecture

Article number 4 in a series dedicated to giving examples of the way IT security processes can help your company save money.

SPOF is a very hackneyed expression nowadays. However, one certainty remains: SPOFs must be addressed, or your company will lose a lot of money in downtime. To address them, you must first identify them. One of the objectives of the Network Architecture process is to prevent SPOFed architectures from going into production and to identify SPOFs in existing production architectures.

This, contrary to the opinion of many, is not a lost race. There are exactly four kinds of SPOFs, and you must look for all of them:
  1. The hardware SPOF: your hardware (servers, network equipment, etc.) is not redundant.
  2. The network SPOF: your hardware is redundant, but the network links that connect the equipment are not crossed. They should serve all the redundant hardware just as well.
  3. The configuration SPOF: your hardware is redundant and the network serves it well, but the clients are not aware that they should connect to the failsafe servers when the main ones are not available. In my experience, this type of SPOF accounts for a huge part of forgotten SPOFs and of the related losses in unplanned downtime.
  4. The technology SPOF: one of your technologies (hardware, software or network) fails. As it is the same in the main architecture and in the redundant architecture, both suffer the same downtime.
Please read my previous article for sample network diagrams of these types of SPOFs. With a sound Network Architecture process, you can reduce downtimes by identifying SPOFs before crashes occur.
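As an added illustration (not code from the original post), the following Python script models a small, constructed architecture as a graph and searches for all four kinds of SPOFs by simulating failures: each single node (hardware), each single link (network), any failure that leaves a pool server reachable but none of the servers the client is configured for (configuration), and the joint failure of every node built on one shared technology (technology). The node names, technologies, topology and client configuration are all constructed for the example; the method itself is general and works on any architecture entered in the same form.

```python
from collections import deque

# Constructed sample architecture (not a real network): node -> technology.
NODES = {
    "client": "pc",
    "access": "switchB",                 # single access switch: a hardware SPOF
    "sw1": "switchA", "sw2": "switchA",  # redundant pair sharing one technology
    "fw1": "fwX", "fw2": "fwY",          # redundant pair on different technologies
    "app1": "app", "app2": "app",        # redundant servers running the same software
}
# Undirected links. The two lanes are not crossed (no sw1-fw2 or sw2-fw1 link).
LINKS = [
    ("client", "access"),
    ("access", "sw1"), ("access", "sw2"),
    ("sw1", "fw1"), ("sw2", "fw2"),
    ("fw1", "app1"), ("fw2", "app2"),
]
CLIENT = "client"
POOL = {"app1", "app2"}     # servers able to deliver the service
CONFIGURED = {"app1"}       # servers the client is actually configured to use


def reachable(start, removed_nodes=(), removed_links=()):
    """Breadth-first search: nodes reachable from start once the given nodes
    and links have failed."""
    dead_nodes = set(removed_nodes)
    dead_links = {frozenset(link) for link in removed_links}
    adjacency = {}
    for a, b in LINKS:
        if a in dead_nodes or b in dead_nodes or frozenset((a, b)) in dead_links:
            continue
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def classify(removed_nodes=(), removed_links=()):
    """None if the client still gets service; 'pool' if no server of the pool
    is reachable at all; 'config' if a pool server is reachable but the client
    is not configured to use it."""
    alive = reachable(CLIENT, removed_nodes, removed_links)
    if not alive & POOL:
        return "pool"
    if not alive & CONFIGURED:
        return "config"
    return None


def find_spofs():
    """Simulate failures and sort the damaging ones into the four SPOF kinds."""
    spofs = {"hardware": [], "network": [], "configuration": [], "technology": []}
    for node in NODES:
        if node == CLIENT:
            continue
        outcome = classify(removed_nodes=[node])
        if outcome == "pool":
            spofs["hardware"].append(node)
        elif outcome == "config":
            spofs["configuration"].append(node)
    for link in LINKS:
        outcome = classify(removed_links=[link])
        if outcome == "pool":
            spofs["network"].append(link)
        elif outcome == "config":
            spofs["configuration"].append(link)
    # Technology SPOF: every node built on one technology fails together (a
    # common bug or a vendor-wide outage). Only technologies shared by several
    # nodes are interesting here; a lone node is already a hardware SPOF.
    by_technology = {}
    for node, technology in NODES.items():
        if node != CLIENT:
            by_technology.setdefault(technology, []).append(node)
    for technology, members in by_technology.items():
        if len(members) > 1 and classify(removed_nodes=members) == "pool":
            spofs["technology"].append(technology)
    return spofs


if __name__ == "__main__":
    for kind, items in find_spofs().items():
        print(f"{kind:14s} {items}")
```

Run as-is, it reports the access switch as the hardware SPOF, the client's single uplink as the network SPOF, every component of lane 1 as a configuration SPOF (the client only knows app1, so it never fails over to the perfectly reachable app2), and the shared switch and application technologies as technology SPOFs.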

Saturday, September 29, 2012

Saving Money with IT Security Processes. Example 3/26: Identifying Low Use or Unused Servers

Article number 3 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Maintaining servers is often costly. Electricity is one cost and complexity is another: various technologies, various network connections, etc. The usual practice a few years ago was to have one server per business application.

The flaw of IT services is often to just leave things as they are until something bad happens. But losing money day after day is a bad thing, and you can do better with a strong Supervision (monitoring) process. Supervision of servers must include graphs of usage metrics: number of connected users, CPU usage, memory usage, inbound network flows, etc. With these graphs, you can identify:
  • Low-use deprecated servers and effectively unused servers (it happens, sometimes), which you can decide to simply shut down.
  • Low-load but important servers, which you can virtualize. You'll then reduce hardware costs and decrease complexity through homogeneity.
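As an added example (not code from the original post), here is the kind of review that can be run over the monitoring data behind those graphs. The 30-day samples, server names and thresholds are constructed for the example; the 95th percentile is used instead of the maximum so that a single spike does not hide a low-use server, and a drop in usage between the first and second half of the window flags a server that is probably being deprecated.

```python
from math import ceil
from statistics import mean

# Constructed 30-day monitoring samples (not real data), oldest day first:
# daily peak of connected users and daily average CPU percent per server.
SAMPLES = {
    "erp-01":      {"users": [40, 38, 45, 42, 39, 41] * 5, "cpu": [55, 60, 58, 62, 57, 59] * 5},
    "legacy-crm":  {"users": [0] * 30,                     "cpu": [1, 1, 2, 1, 1, 1] * 5},
    "intranet-02": {"users": [2, 1, 3, 2, 1, 2] * 5,       "cpu": [3, 4, 2, 3, 4, 3] * 5},
    "old-portal":  {"users": [30] * 15 + [4] * 15,         "cpu": [40] * 15 + [6] * 15},
}


def percentile(values, p):
    """Nearest-rank p-th percentile, so that one spike does not hide a low-use server."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def classify_server(users, cpu, low_users=5, low_cpu=10):
    """Label one server from its usage graphs; the thresholds are assumptions to tune."""
    p95_users = percentile(users, 95)
    p95_cpu = percentile(cpu, 95)
    half = len(users) // 2
    first, second = mean(users[:half]), mean(users[half:])
    if p95_users == 0 and p95_cpu < low_cpu:
        return "unused"          # candidate for shutdown
    if p95_users <= low_users and p95_cpu < low_cpu:
        return "low use"         # candidate for shutdown or virtualization
    if first > 0 and second < 0.5 * first:
        return "declining use"   # probably being deprecated: check with its owners
    return "normal"


def review(samples):
    """Classify every server of the monitoring export."""
    return {name: classify_server(s["users"], s["cpu"]) for name, s in samples.items()}


if __name__ == "__main__":
    for name, label in review(SAMPLES).items():
        print(f"{name:12s} {label}")
```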

Friday, September 28, 2012

Saving Money with IT Security Processes. Example 2/26: Retrieving Stolen Smartphones and Laptops

Article number 2 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Companies lose a lot of money in stolen smartphones and laptops. The loss is not just the price of the hardware: it also includes the time lost by workers without their tools, and the work needed to report the incident and, optionally, to declare it to the police and to an insurer. Besides, the devices can contain valuable information that the company will miss and that may be dangerous to expose publicly or to put in a competitor's hands.

It's possible to address the loss of smartphones and laptops with a sound BYOD* process. I'm not talking about a policy, I'm talking about a process, which includes:
  • Securing information flows from and to devices with appropriate extranet and telecommuting tools.
  • Making sure devices that will store company property locally have encryption, access control and geographical tracking activated.
  • Inventorying the types of devices and establishing the required procedures for each type; because the list is ever-growing, you can't do without managing it clearly.
* I'm talking about BYOD because it's time to face it: most devices are no longer company devices.

Thursday, September 27, 2012

Saving Money with IT Security Processes. Example 1/26: Reducing Virus Crises

Article number 1 in a series dedicated to giving examples of the way IT security can help your company save money.

IT services lose a lot of time and money in virus crises. You can save this time and money with a sound Antivirus process.
I'm not talking about software, I'm talking about process. The process is:
  • To have a baseline antivirus, and make sure it's configured optimally and installed on every workstation and laptop.
  • To require in RFPs that machines your IT service will not maintain run an up-to-date antivirus, and to ensure service providers do follow this requirement.
  • To analyse unusual network-capable hardware (tablets, old servers, smartphones, CCTV, storage bays, etc.), inventory it and decide whether it deserves an antivirus or not.

Tuesday, September 25, 2012

Identity Management Steps, from the Ground Up

Standards and legal compliance often require companies to do strong authentication. But it must not be forgotten that strong authentication is merely the cherry on top of the cake.

Strong Authentication is an improvement upon Authentication, weak or not. Authentication is built upon a correct Identification of people. Identification allows for Authorization based on rules, for instance, ORBAC or RBAC.

Or, if we put it into natural questions:
  1. Who are we speaking about? Identification
  2. And who's that? What's he supposed to be doing around here? Authorization
  3. Let him prove he's really who he claims to be! Authentication
  4. Let him prove that he's not cheating on authentication! Strong authentication.
Strong Authentication

The most important thing is to understand that a compliance requirement about Strong Authentication is only the tip of the iceberg. Any project targeting Strong Authentication should first concentrate on cleaning and validating Identification (list of users → list of all users → list of all users individually identified → up-to-date list of all users individually identified → up-to-date list of all users individually identified with all information related to their work assignments and related Authorizations), then choose specific areas among all possible Authorizations (among the many things people are allowed to do in the information systems, which ones are now to be protected?) and only then enhance Authentication into Strong Authentication.
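As an added example (not code from the original post), the following Python script makes the chain concrete: it audits a constructed identity register against the successive Identification stages named above (a list exists, every user is individually identified, the list is up to date, every user carries work assignments), and it makes an access decision in the same order, Identification first, then RBAC Authorization, then Authentication, with Strong Authentication demanded only for the chosen sensitive actions. The user records, roles, permissions, the 90-day validation window and the list of actions requiring strong authentication are all assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample identity register (not real data), as an identity tool
# might export it. The defects are deliberate: a duplicated id, a stale
# record and a shared account with no work assignment.
USERS = [
    {"id": "u001", "name": "A. Martin", "last_validated": date(2012, 9, 1), "role": "accountant"},
    {"id": "u002", "name": "B. Dupont", "last_validated": date(2012, 2, 1), "role": "admin"},
    {"id": "u002", "name": "B. Dupont (old)", "last_validated": date(2011, 6, 1), "role": "admin"},
    {"id": "reception", "name": "Reception desk", "last_validated": date(2012, 9, 1),
     "role": None, "shared": True},
]
TODAY = date(2012, 9, 25)  # reference date for the staleness check (assumption)

# Identification stages, in the order the post gives them (index = stage number).
STAGES = ["no usable list", "list of users", "all users individually identified",
          "up-to-date list", "with work assignments and authorizations"]

# RBAC rules (assumed): role -> actions it grants.
ROLE_PERMISSIONS = {
    "accountant": {"read_ledger", "post_entry"},
    "admin": {"read_ledger", "manage_users"},
}
# The specific areas chosen for Strong Authentication (assumed).
STRONG_AUTH_ACTIONS = {"post_entry", "manage_users"}


def audit_identification(users, today=TODAY, max_age_days=90):
    """Check the register stage by stage; return (stage_reached, issues found)."""
    issues = {"duplicate_ids": [], "shared_accounts": [], "stale": [], "missing_assignment": []}
    seen = set()
    for u in users:
        if u["id"] in seen:
            issues["duplicate_ids"].append(u["id"])
        seen.add(u["id"])
        if u.get("shared"):                       # one login for several people
            issues["shared_accounts"].append(u["id"])
        if today - u["last_validated"] > timedelta(days=max_age_days):
            issues["stale"].append(u["id"])
        if not u.get("role"):                     # no work assignment recorded
            issues["missing_assignment"].append(u["id"])
    # A stage is reached only when every earlier stage is clean.
    stage = 1 if users else 0
    if stage == 1 and not issues["duplicate_ids"] and not issues["shared_accounts"]:
        stage = 2
    if stage == 2 and not issues["stale"]:
        stage = 3
    if stage == 3 and not issues["missing_assignment"]:
        stage = 4
    return stage, issues


def authorize(users, user_id, action, auth_level):
    """Layered decision: Identification, then Authorization, then (Strong) Authentication."""
    matches = [u for u in users if u["id"] == user_id]
    if len(matches) != 1 or matches[0].get("shared"):
        return False, "not individually identified"
    if action not in ROLE_PERMISSIONS.get(matches[0].get("role"), set()):
        return False, "not authorized by role"
    if auth_level not in ("weak", "strong"):
        return False, "not authenticated"
    if action in STRONG_AUTH_ACTIONS and auth_level != "strong":
        return False, "strong authentication required"
    return True, "ok"


if __name__ == "__main__":
    stage, issues = audit_identification(USERS)
    print(f"register reached stage {stage}: {STAGES[stage]}")
    for kind, ids in issues.items():
        print(f"  {kind}: {ids}")
    print(authorize(USERS, "u001", "post_entry", "weak"))
```

The point the decision function makes is that a strong second factor changes nothing for "u002" or "reception": the duplicate and the shared account are refused at the Identification step, before any authenticator is even looked at.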

Monday, September 24, 2012

Symantec Endpoint Protection v11, Switching a Client PC from Managed to Unmanaged

This procedure is intended only for version 11 of Symantec Endpoint Protection.

This procedure is for a client PC that was configured as "Managed" and thus takes its configuration from a server. You may want to make it an "Unmanaged", standalone client for specific reasons, e.g. testing specific configuration parameters, or because the server is no longer available.

If the server is still available to you, you can use the method given by Symantec.

If, as was my case, you cannot access the server and you do not want to reinstall the whole software suite, you can proceed this way:
  1. Open regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate.
  2. Set the value named AllowManualLiveUpdate to 1.
  3. In the folder C:\Program Files\Symantec\Symantec Endpoint Protection, back up the four files SyLink.xml, SyLink.xml.bak, serdef.dat and serdef.dat.bak.
  4. Kill the Smc.exe process and quickly delete SyLink.xml, SyLink.xml.bak, serdef.dat and serdef.dat.bak before the process respawns.
  5. The respawned process will recreate an appropriate default configuration and let you update everything manually from the Symantec server on the Internet.

Thursday, September 6, 2012

A small Facebook scam

A friend of mine had her Facebook account stolen. The thief immediately took advantage of it to try to get me to send a text message, most certainly to a premium-rate number. I still wonder how much that can bring in!

Security ROFL 7

Wednesday, September 5, 2012

Petit manuel anti-dépression à l'usage des administrateurs systèmes et réseaux (A Little Anti-Depression Handbook for System and Network Administrators)

It is always good to revisit the classics, and I take the liberty of borrowing from Gérard Milhaud's site to present, to those who do not yet know it, this little gem:

Petit manuel anti-dépression à l'usage des administrateurs systèmes et réseaux (A Little Anti-Depression Handbook for System and Network Administrators)

Although it dates from 2004, its content is still very relevant. Here is what Gérard Milhaud and Olivier Pagé, IT managers at ESIL and Centrale Marseille, said about it.


In a first part, we will clearly isolate the current problems of the System and Network Administrator profession (AS&R hereafter), give their main causes and their implications for the role: we will show that the malaise and the all-too-often depressive state of the AS&R stem essentially from an enormous overbooking, linked to the weakness of human resources, which have not kept pace with the spectacular growth of hardware resources and of the new services offered to users since the advent of the Internet for everyone in the mid-1990s. We will see how alarming this widespread situation is and how it leads to a very poor use of the skills of the staff in place.
In the second part, we will try to give solutions, on the technical level as well as on the organizational and human level, that make it possible to manage this overbooking as well as can be, by taking it as the main and priority constraint of the activity. Even if they cannot claim to replace an inevitable massive recruitment, we will present "recipes" that allow one to wait for it more serenely, by freeing up time for the fundamental, motivating, core-business tasks that urgency too often steals from us, generating cohorts of frustrated AS&Rs.

Download the article, presented at the JRES 2001 conference (10-14 December 2001, Lyon):
NEW FOR 2004: download the presentation updated for 2004, given at the thematic day "Administrateur Systèmes et Réseaux, un métier qui se transforme" (System and Network Administrator, a changing profession) of the Grenoble SARI network:
Sorry for the proprietary .doc and .ppt formats, but it was one of the conference's requirements. We chose to distribute them in their original format because the HTML conversion produced by Word and PowerPoint impoverishes both documents too much in our view. Pending a possible LaTeX conversion when we have 5 minutes (before 2005, we hope), it is better than nothing.

Happy reading.