Monthly Archive for February, 2010

Why use a Strong Password?

You’ve probably heard the advice the Police offer to households to reduce the risk of burglary. Make sure windows and doors are closed and locked, use good quality strong locks on doors and windows, use a security alarm, preferably with different zones, and don’t leave tools lying around outside the home that will make an intruder’s job easier.

Good advice isn’t it? We all want to keep our homes and belongings safe and sound.

At a guess, if your home was broken into then you probably wouldn’t shrug your shoulders and say it was “one of those things”. Even if nothing of value was taken, you’d probably still feel disturbed that somebody had gained unauthorised access to your property and belongings.

So stop and consider for a moment – how would you feel if the same thing happened and somebody gained unauthorised access to your company computer systems?

***

We recently helped a client migrate their systems from a peer to peer network to a Windows Small Business Server 2008 (SBS 2008) network with central file storage, e-mail and strong security.

In the previous peer to peer network, the security was very minimal. Users had passwords, but they never changed… ever. Passwords were often the same as the user-names, or were very simple – cat, dog, that sort of thing. Files were shared amongst everyone in the system without any permission structure in place.

In effect, anyone who had access to the network had access to ALL the network, and that anyone could include anyone who could guess a logon user-name and password. So let’s be honest, ANYONE!

SBS 2008 takes security seriously, and after implementing the new network infrastructure we talked to the client about the new strong password policy they would have in place. The client had lots of questions, many objections to the new way of working (“But we’ve always done it this way”, “I don’t see the point”, “People won’t remember all that”) and generally a resistance to change. This is human nature – change is difficult, but people are adaptable.

So we explained to the client the pros of a Strong Password policy, and the huge disadvantages of sticking with a weak password system.

So what is the difference between a Strong Password Policy, and a Weak Password system?

A weak password provides attackers with very easy access to your computer system. Strong passwords are considerably harder to crack (or break) – and that’s even with the powerful password-cracking software that is available today. Password-cracking software continues to improve, and the computers used to crack passwords are growing more powerful than ever. Password-cracking software generally uses one of three different approaches: intelligent guessing, dictionary attacks, and brute-force automated attacks that try every possible combination of characters. Given enough time, the automated method can crack any password. However, strong passwords are much, much harder to crack than weak passwords. A secure computer system has strong passwords for all user accounts.

A weak password:

  • Is no password at all.
  • Contains your user name, real name, or company name.
  • Contains a complete dictionary word. For example, Password is a weak password.

A strong password:

  • Is at least seven characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete dictionary word.
  • Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 …) are not strong.
  • Contains characters from each of the following four groups – Upper-case letters, Lower-case letters, Numerals and Symbols (punctuation and other non-alphanumeric keyboard characters).

A computer system or network should have a mandatory password policy put in place. This policy will dictate that passwords must be strong, meeting the above criteria, and also be changed after a set period of time – say, 42 days.
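As an added illustration (not code from the original post or from SBS 2008), here is a small checker that applies the weak/strong rules listed above, treating keyboard symbols as the fourth character group, plus the 42-day maximum age from the policy. The sample word list, the three-letter minimum for name fragments and the "strip trailing digits" test for incremented passwords are assumptions of this example.

```python
import re
from datetime import date

# Constructed sample word list; a real check would load a full dictionary.
DICTIONARY = {"password", "cat", "dog", "welcome", "summer", "admin"}


def _stem(pw):
    # Strip a trailing number so Password1 / Password2 / Password3 compare equal (assumption).
    return re.sub(r"\d+$", "", pw).lower()


def is_strong(password, user_name="", real_name="", company_name="", previous=()):
    """Apply the post's weak/strong rules; return (ok, list_of_reasons)."""
    if not password:
        return False, ["no password at all"]
    reasons = []
    if len(password) < 7:
        reasons.append("shorter than seven characters")
    lowered = password.lower()
    for label, value in (("user name", user_name), ("real name", real_name),
                         ("company name", company_name)):
        # Any word of the name (3+ letters, assumption) appearing in the password fails it.
        if any(len(p) >= 3 and p.lower() in lowered for p in value.split()):
            reasons.append(f"contains {label}")
    # A complete dictionary word anywhere in the password (e.g. Password1) is weak.
    if any(w in DICTIONARY for w in re.findall(r"[a-z]+", lowered)):
        reasons.append("contains a complete dictionary word")
    groups = (any(c.isupper() for c in password), any(c.islower() for c in password),
              any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if not all(groups):
        reasons.append("lacks one of: upper-case, lower-case, numeral, symbol")
    if any(_stem(old) == _stem(password) for old in previous):
        reasons.append("only increments a previous password")
    return not reasons, reasons


def needs_change(last_changed, today=None, max_age_days=42):
    """Mandatory policy: a password older than max_age_days (42 in the post) must be changed."""
    today = today or date.today()
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    for pw in ("", "cat", "Password1", "Tr4ck!ngD3sk"):
        print(repr(pw), is_strong(pw, user_name="joe", real_name="Joe Bloggs",
                                  company_name="Acme Design"))
    print(needs_change(date(2010, 1, 1), date(2010, 2, 15)))
```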

If all of this sounds rather a chore, ask yourself the question – should I adopt a strong password policy now… or after an unauthorised user has gained access to my files? This isn’t scaremongering and it’s not a case of if, it’s a case of when. We regularly see random hacker attacks on *all* our client systems – even those with security in place. Generally these are random attacks probing for weaknesses. But think about this… to use the Household Security analogy again, which house do burglars target: those without signs of security, or those with windows and doors left open? The same is true of Computer Security – by adopting strong security policies, you don’t eliminate the risk of attack, but you do become a less attractive target.

Q – Couldn’t we all just use this same password? It makes it easy for us to log on.

A – You could all use the same password, as it would make it easy for everyone to log on, but that everyone might include the cleaner, the security guard, Mary in Finance, whose teenage son has popped into the office to wait for Mom to finish work, hackers trying to access the network from the Internet, an employee checking out his appraisal compared to his colleagues, a disgruntled staff member looking to destroy some data, or worse, your competitor who has gained access to your network. By having individual strong passwords for each user, you’re drastically reducing the risk of these scenarios, or similar, ever occurring.

Q – The boss and our HR department need access to everybody’s files and e-mails – can we use strong passwords but force everybody to write them down so colleagues can access them?

A – If a member of staff writes his password down on a post-it note in his desk drawer, or worse, attached to his monitor, then that password isn’t secure at all and the whole system becomes vulnerable. You could get every member of staff to write their password down on a piece of paper kept centrally, say with HR or the boss, but as passwords are best changed every 30-40 days, this will turn into a laborious exercise in administration very quickly. A better solution would be to dynamically give the boss or HR department access to the files or e-mails they need from their own logon and computer as and when needed, or, less preferably but if necessary, give them permanent access to all those resources from their own logon and computer.

Q – Can we ask the IT department to tell us what Joe or Dave’s password is?

A – The IT department don’t have access to users’ existing passwords; they can only reset these passwords to something new. This creates an audit trail of who changed a password and when.

Q – When Joe is on holiday or off-sick, Dan needs access to their files and e-mail – if Dan hasn’t got Joe’s password to log on to his computer, how can he cover his work?

A – Rather than sharing passwords and logging on to a computer as Joe, Dan can be given access to Joe’s e-mails and files from his own computer and logon. This could be temporary, so when Joe returns from his absence Dan no longer has access to his files or e-mails.

Q – We have folders that we’d like password protected, is this possible?

A – If you’re following the advice we’ve given previously, with every user having their own logon and password, then any file folder can have very granular security, allowing or denying a single user or group of users access to those files or sub-folders. For instance, you may have a Public Folder containing four folders – Staff Information, Design Drawings, Accounts and HR. Everybody in the company needs access to Staff Information. Everybody needs access to Design Drawings, but only the Design Staff should be able to modify or delete files within that folder. Only the Finance Department and the boss need access to the Accounts folders, and only the HR department need access to the HR folder. It’s very simple to set up granular permissions for this scenario, provided everybody has their own user-name and password.

***

If you’ve not got a Strong Password policy in place – then why not? Be honest with yourself – are you ignoring that advice from the Police and leaving the windows and doors to your home wide open? Or are you being realistic, realising that threats do exist and you can mitigate this risk by taking reasonable steps?

Thoughts and your own computer security advice welcome! If I can offer any advice or point you in the direction of an IT company who can help you with your own requirements, don’t hesitate to get in touch!


Free e-book – Advice for Positive Growth for 2010

Back in 2007, when I first became involved with the Small Business IT Community, there were a lot of wonderful, helpful people who influenced and inspired me, encouraging me to grow my business. Susanne Dansey was one of those people – front and centre at all the Community events, blogging, podcasting, always providing her time and advice – truly one of the driving forces behind the SMB Community in the UK and globally.

Then Susanne went and left us all, flying off to Australia and a set of exciting challenges away from the SMB Community. How could she!

Well I’m pleased to say that late last year, Susanne grew tired of that awful sunshine and those unblemished sandy beaches in Oz, and returned home to the UK. We’re glad to have her back!

Since then Susanne has been setting up her own business, Purple Cow Ideas Management, helping other companies grow their businesses.

Purple Cow have just released their first free e-book entitled “Advice for Positive Growth in 2010”. It’s free and you can read your copy here!

The book contains some great advice and thoughts from a number of very familiar names and some that might be new to you. I was honoured to be asked to contribute, and I hope my section proves to be of value to those who read it.

Congratulations to all the contributors to the book, and especially to Susanne (who you can find on Twitter) – welcome home and good luck with your new venture, somehow we *know* it’s going to prove successful! :-)

CompTIA UK Resellers Forum and TCA Conference – 25th February – Walkers Stadium, Leicester

I recently had the opportunity to sit down with William Linard and Matthew Poyadigi from CompTIA UK. You may be familiar with CompTIA for their IT Qualifications – the CompTIA A+, Server+ and so on. I was personally most familiar with CompTIA due to their strong presence in the US, working with groups such as HTG.

What I wasn’t familiar with was CompTIA’s presence within the UK and the work they do globally within the industry, and this was something William and Matthew opened my eyes to. Just about every major vendor (including Microsoft) is a member of CompTIA, and thus CompTIA listen to these vendors’ feedback, and through it help to shape the future of the Channel for their members.

After my meeting with Matthew and William, I was invited to attend the CompTIA UK Reseller Forum – an afternoon of CompTIA members sitting and discussing the IT industry we work within. The session was excellent, with some great companies and personalities involved, and felt very HTG-like in its nature – companies sharing Best Practices and ideas to help mutual acceleration of their growth as businesses. In fact, CompTIA were recently an invited guest at the last HTG 11 Quarterly meeting in London, and we can see many opportunities for members of the two groups to work together.

There was also discussion of plans that CompTIA is working towards in creating an official standard which the public and our own industry recognise as a benchmark for ensuring the end user is using competent ICT professionals.

In short, there was a lot of value to the group and I’d recommend it highly to those who perhaps aren’t willing or able to make the large commitment of time and resources that peer groups such as HTG require, but still want to engage and collaborate with their peers for mutual growth.

You can find out more about the UK Reseller Forum by contacting William Linard, or checking out their LinkedIn Forum. The next UK Resellers Forum is on the morning of Thursday 25th February, 2010, at the Walkers Stadium in Leicester, which, incidentally is also the date and location of the TCA Conference!

If you’re not familiar with the TCA – they are the Technologies Channels Association. Like CompTIA, the TCA have a goal of raising the bar of Professionalism within the IT industry. I met Adam Harris of the TCA at the aforementioned CompTIA UK Reseller Forum where he was a fellow attendee, and have since had a number of really interesting conversations with Adam on some of the challenges facing the IT industry.

Full details and Booking information for the Conference can be found here.

I’ll be attending both the CompTIA UK Reseller Forum and the TCA Conference, so if you’re attending either or both, let me know!

Microsoft Tag

What is Microsoft Tag? Instead of describing it, I’m going to suggest you follow these steps and find out for yourself.

1. Visit http://www.microsoft.com/tag/content/download/ and put your Country Code and Mobile Phone Number in to send yourself an SMS text message containing a download link.

2. When you receive the SMS message, click on the link contained within, and install the Microsoft Tag application to your Mobile phone.

3. Run the Microsoft Tag app and point your Mobile Phone’s camera lens at one of the pictures below.

Pretty cool huh? :-)