Archive for September 2011
Introduction
Designing, architecting, and implementing a corporate network is a daunting task. It is easy to become lost in the minutiae and overlook some big-picture issues. This is especially true in regard to security. Some decisions that make sense in terms of efficiency, throughput, compatibility, ease of administration, etc., might not result in good security. This white paper presents 13 somewhat common infrastructure decisions that can result in poor IT security. (They are not in any particular order.)
1. Choosing Speed over Security
A high-performance network that supports efficient productivity is highly desirable. However, when a decision must be made between a reduction in throughput versus increased security, security should be valued at least as highly as productivity. Without security, productivity will not last. Without proper and sufficient security controls, malicious code or hacker attacks can quickly render a network infrastructure unable to support legitimate communications or transactions. High-speed communications are important, but we must protect the availability of the network in order to have a network.
2. Implementing a Single Internet Connection
Any single point of failure is a poor infrastructure and design decision. There should be two exits from every room. There should be at least two copies of every file. And there should be at least two connection paths out to the Internet. (There is an assumption here that Internet connectivity is an essential utility of the organization. If not, then redundancy is not as important.) With only a single connection to the Internet, there is a single point of failure. One misconfigured connection device, one hardware failure, one payment lost in the mail, one misguided backhoe, and the connectivity is lost. Every aspect of a network should be designed with redundancy in mind in order to avoid single points of failure.
3. Failing to Implement Internal Traffic Management
More than half of security breaches are caused by internal personnel. It is often incorrect to assume all users, programs, and processes within the organization’s network are safe and trustworthy. Every moderate to large network should implement traffic shaping, traffic throttling, and traffic control measures internally. By implementing these features, no one network service, application, protocol, or user can fully consume all of the network bandwidth to the exclusion of others. Thus, mission-critical communications will always have sufficient bandwidth reserved for them.
4. Not Using Network Event Auditing
Evidence of compromise is a valuable asset. However, it can only be obtained at the instant the compromise is performed. If the network is not already actively recording network events into a log file or audit trail, then security breaches will go unnoticed. It is better to record events to a log file that are not needed, than to not record events that are essential to detection, response, and potential prosecution. Without an ongoing permanent record of events (i.e., log files), you have no evidence of benign or malicious activity, and trends toward bottlenecks will go unnoticed as well.
5. Depending on Physical Security
Every environment must properly address logical/technical security, administrative security (i.e., policies and people), as well as physical security. Each of these three areas is somewhat self-contained in that the security measures of one do not ensure protection against threats from the other. In other words, logical protections defend against logical attacks, and physical security defends against physical attacks. It is a mistake to assume a strong physical security solution is compensation for poor or lax logical security. Malicious code and social engineering attacks are still possible even with an impenetrable physical fortress. Just as with logical security, there are a wide variety of physical security options. You need to implement those that are relevant to your specific needs. However, some common examples of physical security controls include security cameras, security guards, lighting, conventional and electronic locks, burglar alarms, mantraps, fencing, fire-resistant building materials, and fire detection and suppression systems.
6. Assuming the Electrical Service Is Reliable and Consistent
Electricity is the lifeblood of computer technology. Without power, computers and networks fail. And not just any power; pure, consistent, clean, regulated power is necessary for the long-term viability and stability of computer networks. Power grids can and do fail. The power company cannot guarantee uninterrupted service or prevent electrical noise. You must use surge protectors, power line conditioners, uninterruptible power supplies, and on-site power generators to ensure only consistent, conditioned power is fed to your electronics. The loss of power, even for short periods of time, means operational downtime and potentially lost or corrupted data.
7. Failing to Store Backups Offsite
Bad things happen. You must be prepared. Backups are the only form of insurance against data loss. Without backups, your data is at risk. Serious risk. Real risk. You need to follow the backup 3-2-1 rule:
- There must be 3 copies of data
- There must be 2 different forms of media
- There must be 1 copy stored offsite
Failing to store a backup offsite is also a failure of taking the real world seriously. Complete and total destruction by fire, flood, tornado, and other acts of nature is common. No home or office building is completely protected. Assume the worst, and then plan to survive it. No, not just survive, but thrive through it. Be better prepared than your neighbors or competition. Be the first to fully recover and be back in business.
8. Leaving Unused Ports Open
Leaving unused ports open and active is the same as leaving your back door unlocked while you go on vacation. Anyone can connect an unauthorized system to an open port. System hardening has two basic steps: remove what you don’t need, lock down what is left. If a physical port is not in use, disconnect it, turn it off, make it go dark. When you need the port in the future, then re-enable it. Don’t enable any connection path before it is secured or before it is needed for a business task.
9. Deploying Wireless Networks
Wireless networks are a challenge to secure and support. Often, the cost in effort as well as budget is not worth it when compared to using a physical cable. Before deploying a wireless network, ask a few questions.
- Will a power cord be needed anyway? If so, running a network cable as well will not be much additional effort.
- Is the wireless for customers or visitors? If so, it does not need any link into the private LAN; a public ISP link would suffice.
- Are any essential business tasks dependent on wireless? If not, you might not be implementing wireless for a real business reason.
I would generally recommend against installing wireless networks for most organizations. This is because interference and DoS are always possible, even with the best wireless security configured and the strongest wireless encryption enabled.
10. Not Planning for Mission-Critical Task Interruptions or Disasters
Murphy (as in Murphy’s Law) hates you. The universe tends towards entropy. The only thing that remains the same is change. Assuming your organization will continue to function into the future exactly the way it does now is a fantasy. Things will change; some for the good, many for the bad. Natural disasters, malicious code, fire, thieves, disgruntled employees, criminal hackers, and the rambunctious children of your employees can cause mission-critical task interruptions, downtime, and disasters. By failing to plan, you plan to fail. You must plan your response and recovery now, before a business interruption occurs. Disaster recovery planning focuses your recovery on the most mission-critical processes in priority over less essential functions.
11. Avoiding Hardware Replacements Based on MTTF/MTBF
The most common cause of unplanned downtime is hardware failure. Most devices are tested and rated based on how long they should operate under normal conditions before experiencing their first failure. This is a time rating of either mean time to failure (MTTF) or mean time before failure (MTBF). MTTF is for devices that are usually replaced upon failure. MTBF is for devices that can be repaired and returned to service. The MTBF thus serves as the measure for the time frame before the first failure and between all subsequent failures. Hardware should be scheduled for replacement/repair around 95% of its MTTF/MTBF. While some statistical outliers will fail earlier, and some might last for much longer without failure, statistically, the odds are in your favor when you plan to replace devices just before their average failure time is reached.
12. Allowing Outside Portable Media
Any communication pathway that supports legitimate transmission of data can also be used to transfer malicious code. One of the more notorious culprits of this is removable media. Whether CD, DVD, floppy, zip disk, smart card, flash drive, or USB hard drive, all of them present a real and current risk. Many forms of malicious code can spread through removable media one machine at a time. If a system is infected, potentially any storage device connected to that machine can become infected. Then, as that storage device is connected to other computers, the malicious code spreads. When anyone brings removable media in from anywhere, there is a significant risk of infecting the company network. Make it company policy that all media from outside sources must be screened and scanned on a dedicated malware scanning system before being used on any other office computer.
13. Allowing End Users to Install Software
Another common method of distribution of malicious code is the Trojan horse, which is a supposedly benign program that happens to contain a hidden malicious payload. When the host program is used, the malware is delivered. Trojan horses can be obtained from removable media brought in from outside sources, downloaded from the Internet, exchanged through peer-to-peer services, received as an e-mail attachment, and shared across network services. When regular users have sufficient permissions to install new software, they, in turn, also have permission to launch malicious code. One method to eliminate this risk (or at least significantly reduce it) is to prevent end users from being able to install software. One way to accomplish this is through the use of a white list. A white list is a file of the names and hash values of all executables that the organization has deemed safe and necessary for users to accomplish their work tasks. Only the applications on the white list will execute on the user’s system. All other programs, including any installation process or malware, will fail to execute, as they will not have permission to do so. White listing does restrict a user’s freedom, but on a work computer, security is often more important than granting users complete control over their workstations.
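As an added illustration (not code from the white paper), the following Python shows the essential check behind such a white list: the list pairs each approved executable name with its SHA-256 hash, the hash of the program actually being launched is recomputed, and anything unlisted or altered is refused. The names, sample program bytes and the tab-separated list format are constructed for the example.

```python
import hashlib
import hmac
from pathlib import Path
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hash the program image; the file name alone is never trusted."""
    return hashlib.sha256(data).hexdigest()


def build_whitelist(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Create name -> SHA-256 entries from the images the organization approved."""
    return {name: sha256_hex(data) for name, data in approved.items()}


def format_whitelist(entries: Dict[str, str]) -> str:
    """Write the list as 'name<TAB>sha256' lines, the file the white paper describes."""
    lines = ["# name\tsha256"]
    for name in sorted(entries):
        lines.append(f"{name}\t{entries[name]}")
    return "\n".join(lines) + "\n"


def parse_whitelist(text: str) -> Dict[str, str]:
    """Read the list back, rejecting malformed digests instead of silently allowing."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, digest = line.partition("\t")
        digest = digest.strip().lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name] = digest
    return entries


def check_executable(name: str, data: bytes, whitelist: Dict[str, str]) -> str:
    """Verdict for a launch: 'allowed', 'unknown' (not on the list) or
    'mismatch' (listed name but different bytes, e.g. a patched or trojaned copy)."""
    expected = whitelist.get(name)
    if expected is None:
        return "unknown"
    if hmac.compare_digest(sha256_hex(data), expected):
        return "allowed"
    return "mismatch"


def check_file(path: Path, whitelist: Dict[str, str]) -> str:
    """The same check against a file on disk."""
    return check_executable(path.name, path.read_bytes(), whitelist)


def demo() -> Dict[str, str]:
    # Constructed stand-ins for approved program images (real entries come from the
    # organization's vetted builds, and the list file itself must be write-protected).
    approved = {
        "calc.exe": b"MZ\x90\x00constructed calc image v1",
        "notepad.exe": b"MZ\x90\x00constructed notepad image v1",
    }
    whitelist = parse_whitelist(format_whitelist(build_whitelist(approved)))
    return {
        "genuine": check_executable("calc.exe", approved["calc.exe"], whitelist),
        "modified": check_executable("calc.exe", approved["calc.exe"] + b"\x00payload", whitelist),
        "installer": check_executable("setup.exe", b"MZ\x90\x00constructed installer", whitelist),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```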
Summary
I hope your organization is not making all of these mistakes in its infrastructure decisions. It is possible that your organization can improve its security in one or more of these areas. Take the time to assess your current security policy in each of these areas to see if there is room for refinement or improvement. Keep in mind that security is never a goal that can be finally accomplished. Instead, it is a long and difficult journey that requires vigilance and persistence in striving towards improved security over time.
James Michael Stewart, Global Knowledge Instructor, CISSP, ISSAP, SSCP, MCT, CEI, CEH, TICSA, CIW SA, Security+, MCSE+, Security Windows 2000, MCSA Windows Server 2003, MCDST, MCSE NT & W2K, MCP+I, Network+, iNet+
It’s easy to have a computer get loaded up with junk that slows it down. The worst part is, we invite this garbage into our lives by installing “helpful” utilities, toolbars, and other add-ons. I could easily write a list of 10 kinds of computer-stalling junk. Here are some of the things you’ll want to seek out and remove for best performance:
- Automatic update systems for various applications (but be careful: some apps, like Flash, Acrobat, QuickTime, and Web browsers are prime malware targets and you will want to keep these up-to-date)
- Things that run on startup
- Windows services you don’t really need
- Crapware from the PC maker
- Browser plug-ins (the Skype browser plug-in is an especially bad offender, I’ve found)
- P2P applications
- Web servers and database servers that were installed by since-removed applications, but left behind
Most ISPs love to brag about how much bandwidth they are giving you. But they don’t mind letting the rest of their infrastructure slowly get overwhelmed or deteriorate. Among the biggest offenders are the DNS servers our ISPs use. If you want to know why things seem to take forever to start loading, slow DNS servers are often the cause. Consider adding a fast DNS server as your primary DNS server in your TCP/IP settings. Google’s Public DNS server is a great option.
Defragging your hard drives is a great way to get some more performance. While modern Windows systems automatically defrag on a regular basis, I’ve found that the Windows defragging is fairly unaggressive. We’ve reviewed a lot of different defrag apps here at TechRepublic. I suggest that you check out your alternatives and find one that does a better job for you.
Time and time again, “system slowness” actually is caused by networking issues. Our computers do so much on the Internet that slowness there can affect just about everything you do on a regular basis. While there isn’t enough space to write an exhaustive troubleshooting list here, some of the things you should try (or investigate) are:
- Replacing the network cables, switches, routers, WiFi access points, etc.
- Calling the ISP and checking the distance from the CO (for DSL) or the local segment’s current load (for cable); the ISP may need to rewire or rework its connectivity. Satellite customers will want to double-check their dish installation and ensure that it is tightly locked down and pointed in the right direction.
- Malware scanning on all PCs to see if malware is burdening the network
- Inspecting the wiring of the phone lines (for DSL) or coax (cable customers) to look for loose connections, corrosion, or flaky wires
- Cable customers will want to find out how many splitters are between the line from the pole and their modem. If it is more than one (and preferably only a two-way splitter), they should rewire so that they have only a single two-way splitter between the pole and the modem to ensure the cleanest signal possible.
By Justin James
September 9, 2011, 2:17 PM PDT
For some users, such as marketing people, who need to import a lot of contacts from an Excel file, this can be painful. Desktop Manager provides the service, but sometimes it fails.
After some experiments, importing contacts into a BlackBerry from a CSV file can be done using Gmail Contacts as an intermediary.
Step 0 - Back up your data
This is the most important step. For any experiment, make sure to back up the data first. Don't go on to the other steps before you've completed this one.
Step 1 - Synchronize your BlackBerry contacts to your Gmail account
See this explanation, in the section: Use wireless address book synchronization.
Step 2 - Export your Gmail contacts to a CSV file
- Log in to your Google Contacts.
- Export your contacts to a CSV file, choosing the Gmail contact format.
The purpose of this step is to get the Gmail contact template.
Step 3 - Enter your contacts
- Arrange your contact data in the CSV format.
- Make sure not to include data that already exists, to avoid duplicate contacts.
- Make sure your header matches the Google format.
Step 4 - Import your contacts
- Go to your Google Contacts and import the file.
- Wait a couple of minutes for the BlackBerry to sync with your Google Contacts.
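As an added example (not part of the original post), the Python below carries out the checks in Steps 2 to 4: it takes the header from the Step 2 export as the template, rejects a new file whose header does not match, and skips rows whose e-mail address already exists in the export before writing out the rows to import. The three-column header, the e-mail column used as the duplicate key and the sample contacts are constructed assumptions; a real Google export has many more columns.

```python
import csv
import io
from typing import Dict, List, Tuple

Row = Dict[str, str]


def read_csv(text: str) -> Tuple[List[str], List[Row]]:
    """Parse CSV text into its header and a list of row dicts."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    return list(reader.fieldnames or []), rows


def header_problems(template: List[str], candidate: List[str]) -> List[str]:
    """Step 3: the new file's header must match the exported template exactly."""
    problems = []
    missing = [c for c in template if c not in candidate]
    extra = [c for c in candidate if c not in template]
    if missing:
        problems.append("missing columns: " + ", ".join(missing))
    if extra:
        problems.append("unknown columns: " + ", ".join(extra))
    return problems


def prepare_import(export_csv: str, new_csv: str,
                   key: str = "E-mail 1 - Value") -> Tuple[List[Row], List[str]]:
    """Return (rows safe to import, problems found).

    export_csv is the Step 2 export: it supplies both the template header and
    the contacts that already exist. Rows whose key column (assumed here to be
    the first e-mail address) is empty or already present are reported and skipped."""
    template, existing = read_csv(export_csv)
    header, new_rows = read_csv(new_csv)
    problems = header_problems(template, header)
    if problems:
        return [], problems
    seen = {r[key].strip().lower() for r in existing if r.get(key)}
    to_import: List[Row] = []
    for r in new_rows:
        k = (r.get(key) or "").strip().lower()
        if not k:
            problems.append(f"skipped row with empty {key}: {r.get('Name', '?')}")
        elif k in seen:
            problems.append(f"skipped duplicate of existing contact: {k}")
        else:
            seen.add(k)
            to_import.append(r)
    return to_import, problems


def write_csv(header: List[str], rows: List[Row]) -> str:
    """Serialise the cleaned rows under the template header, ready for Step 4."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample data: a three-column stand-in for the Google export header.
EXPORT_CSV = "Name,E-mail 1 - Value,Phone 1 - Value\nAlice Example,alice@example.com,+1 555 0100\n"
NEW_CSV = (
    "Name,E-mail 1 - Value,Phone 1 - Value\n"
    "Alice Example,ALICE@example.com,+1 555 0100\n"   # duplicate of an existing contact
    "Bob Example,bob@example.com,+1 555 0101\n"
    "Carol Example,,+1 555 0102\n"                    # no e-mail, cannot be deduplicated
)

if __name__ == "__main__":
    rows, problems = prepare_import(EXPORT_CSV, NEW_CSV)
    print(write_csv(read_csv(EXPORT_CSV)[0], rows))
    print("\n".join(problems))
```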
1: Tell us about your current position
Employers want to know about what you are currently doing a lot more than they want to know about prior positions. The reason for this is simple: The world of software development moves so fast that what you did two or more years ago is interesting for background but probably has little bearing on their current work. When asking this question, the interviewer is trying to relate what you currently do to the position the company is offering, and you will want to answer with that in mind. For example, if the position you are applying for involves a lot of database programming, emphasize where in your current job you have worked with databases.
2: Programming challenges
Many employers will present you with some sort of programming challenge. These range from being asked to sketch out a piece of pseudocode that implements some business logic, or being handed a piece of code and told to find the bugs, to being put down in front of a computer and asked to code away. What they are usually looking for is not just a certain level of competency — they also want to see how you go about solving the problem. You can offer to narrate your thought process as you solve the problem. If they take you up on it, that will help them to learn what they are looking for. Or perhaps when you are done, you could walk the interviewer through how you solved it.
3: Do you have any examples of your work?
Employers love to be able to look at real-world examples of your work. Unfortunately, this is rarely possible. The truth is, in most circumstances, your work is the property of your employer and you can’t be taking it outside of the building without permission. And it would be unusual to have a boss say, “Sure, go grab a couple of your best apps from source control to take on the job interview!” Instead of being unable to provide any samples, contribute to an open source project or work on an application at home that is sophisticated enough to let your skills shine. Then you will have something that you can show the interviewer and also be able to demonstrate an ability to work on your own and manage your own time, too. These side projects can often serve as a great talking point in the interview.
4: Brainteasers
Apart from asking you to demonstrate some programming abilities in the interview, some employers may give you a variety of brainteasers. Some people are really good programmers and stink at these, but the idea is to test your overall problem-solving skills. Luckily, you can prepare for these a little bit by picking up a few brainteaser books (usually only a dollar or two) at a book store or supermarket and doing a few every day. Most of these brainteasers follow a similar format, so by practicing, you will understand how to approach the most common types. There are also a few standard ones that come up on a regular basis, such as the one where you need to get a group of people across a river with a boat of limited capacity.
5: Do you have a security clearance?
Depending upon the job, a security clearance may be required. Employers prefer hiring people with one already because it simplifies things. It would be a big hassle to hire someone and then discover that they can’t get the needed clearance to do the job. If you have a clearance, make sure that it is up to date. It’s also a good item to list on a resume.
If you do not have a security clearance, ask before you come in for the interview about any security requirements for the job and research whether you are eligible for any security clearances needed. This way, when asked, you can answer with something like, “No, I do not have that clearance, but I have looked into it and I can obtain one if needed.”
6: Background check and criminal history information
Information about criminal history and other background check items typically will not come up in an interview with a hiring manager, but they will often come up in an interview with HR or a recruiter (especially the recruiters). They do not want details, for the most part, but they want to know whether it will be a waste of time interviewing you. Obviously, it is great to have a squeaky clean record, but there are plenty of good job candidates who don’t. You will need to be honest here, because things show up on the background check anyway. If what you say does not match the check, they will feel that you lied to them. At the same time, limit your sharing to the minimum. You can start with something like, “I have a misdemeanor conviction from three years ago” and take it from there.
7: What is your experience level with XYZ?
When interviewers ask about your experience level with a technology, they really want to get a feel for what you have been doing with it, not how long you have been doing it. For example, if they are asking about SQL, is it important to them that you have been writing statements no more complex than, “SELECT id, name, city FROM people WHERE state = ‘NY’” for 10 years? Not really. Performing complex data transformations, correlated subqueries, etc., for six months will be much more impressive. When talking about your experience level, emphasize the kinds of challenges you solved with those technologies and the unique aspects of the technologies you used to solve the problems.
8: What’s the hardest challenge you have had to overcome — and how did you approach it?
This is a stock interview question, but it has some special pitfalls for the programmer. One of the failures I’ve seen in interviews is that candidates do not properly set the context of their answer. I have faced some challenges that at that point in my career were difficult but that later on were trivial. If I brought them up in an interview without explaining my experience level when they arose, it would put me in a bad light. The interviewer would be thinking, “Why would someone with his experience struggle with this?” So when you answer, give a short (one sentence) scene setup. Also, put your focus on the problem-solving steps you took, not the technical details. No one really cares if the problem turned out to be that the variable was one character shorter than the data going into it; they want to know how you did the research to discover it.
9: Describe your programming habits
There are a number of variations on this question, some of which just ask about things such as:
- Source control
- Variable/file/class/whatever naming
- Application architecture decisions
Other times, we simply have bad habits; in those cases, it is better to recognize them and show that you are trying to change them. You could say something like, “I tend to not write as many unit tests as I should, but I have been working hard to ensure greater code coverage.” Of course, don’t lie about this. But employers like to find people with enough self-awareness to see and correct their flaws, and the honesty to be able to discuss them.
10: Tell us a little bit about yourself
Often, job candidates go way off the deep end on this question, talking about things they do not need to be discussing in a job interview, personal stories and relationships, and so on. Or worse, they bring up things that present them in an unflattering light. What the interviewer is really looking to learn is how your personality relates to the job of software development. For example, if you enjoy restoring antique furniture, you could point out that it requires a lot of patience, eye for detail, research, and so on. Of course, you will want to talk about your personality traits as well. Unusual experiences or education can be brought up here, too. What you definitely do not want to do is talk too long. Try to make it a back-and-forth conversation, but if it isn’t, limit your time to a few minutes and don’t trip all over yourself trying to cram in every last detail.
The hottest topic in some well-known IT magazines in early 2008 was Green IT. For example, InformationWeek ran the headline “Energy Crisis” in February 2008, and eWeek ran a story in March called “Watt a Shock” (John J. "Jack" Mc Gowan, 2008). The world is getting hotter day by day, and global warming has become a hot topic in many conversations.
Information Technology is counted among the contributors of carbon dioxide, a cause of global warming. Some research says that IT consumes more resources than the airline industry. Poor waste management, inefficient use of electricity, and inefficient use of servers all increase the harm done to the environment.
Some solutions have been developed, such as virtualization, alternative power generation, power management, newer hardware, materials recycling, and mobility efficiency. There would be an initial cost to implement some or all of these techniques. Some companies do not want to spend capital on such a project. Others think it is important but not necessary to do now, since there are still many urgent projects to be done. Most businesses aren’t about to spend more money than they have to for eco-friendly IT measures. They will do so only if the payback is there—if the green of dollar savings matches the green of environmental benefit (Gibson, 2008).
As with conducting business ethically, Green IT will give the company long-term and sustainable benefits. By spending the initial cost to create Green IT, the company will save in the long term on electricity, IT resources, and telephone bills. At the same time, the environment will be better taken care of. Companies at every level, whether small, medium, or enterprise, should consider starting Green IT to get a two-sided solution: cost reduction and environmental friendliness.
Green IT is a solution!
Information Technology has become a critical part of business operations. Corporations, medium-sized businesses, and many small companies use Information Technology as a critical part of doing business. Many businesses use Information Technology as their core competence; if it is down for even a few minutes, it will create many losses, including lost customers.
Environmental disruption can be seen in today's rising temperatures. Increasing global temperatures will cause sea levels to rise, and are expected to increase the intensity of extreme weather events and to change the amount and pattern of precipitation. Other effects of global warming include changes in agricultural yields, trade routes, glacier retreat, species extinctions, and increases in the ranges of disease vectors. Energy is consumed in huge amounts, and huge amounts of waste are created, to support human activity. For example, electricity has become a component needed for almost every activity conducted.
The “Green IT” issue arose because many experts are concerned about the environmental risk. If companies do not care about the electricity problem, the environment will worsen day by day. These experts provide some solutions to reduce its bad effects. Green IT promises an enormous two-sided solution for IT: a chance to save money and the environment.
Keywords: implementation of IT, impact of IT, green technology.