<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Astaro Security Perspectives Blog</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/" />
    <link rel="self" type="application/atom+xml" href="http://securityblog.astaro.com/atom.xml" />
   <id>tag:,2010:/11</id>
    <link rel="service.post" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11" title="Astaro Security Perspectives Blog" />
    <updated>2010-08-24T12:17:03Z</updated>
    <subtitle>The Security Perspectives Blog discusses information and ideas regarding the network security industry, new threats as well as industry and corporate news. Our goal is to create a dialog about network security, so feel free to leave your comments.</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.36</generator>
 
<entry>
    <title>Interview with Data Integrity Services</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/08/interview_with_data_integrity.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1574" title="Interview with Data Integrity Services" />
    <id>tag:securityblog.astaro.com,2010://11.1574</id>
    
    <published>2010-08-24T12:12:12Z</published>
    <updated>2010-08-24T12:17:03Z</updated>
    
    <summary>Community Development Manager, Jack Daniel, met with Sam Heard of Data Integrity Services to discuss their partnership with Astaro. The resulting interview can be heard here: www.astaro.com/webinars/data-integrity-podcast.mp3...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Partnerships" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>Community Development Manager, Jack Daniel, met with Sam Heard of Data Integrity Services to discuss their partnership with Astaro. The resulting interview can be heard here: <a href="http://www.astaro.com/webinars/data-integrity-podcast.mp3 ">www.astaro.com/webinars/data-integrity-podcast.mp3</a></p>]]>
        
    </content>
</entry>
<entry>
    <title>The True Role of Support - not just fixing problems</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/08/the_true_role_of_support_not_j.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1573" title="The True Role of Support - not just fixing problems" />
    <id>tag:securityblog.astaro.com,2010://11.1573</id>
    
    <published>2010-08-19T14:14:19Z</published>
    <updated>2010-08-19T14:17:20Z</updated>
    
    <summary>By Alan Toews - Astaro Director of Support I imagine that minutes after the first computer program was created the first support team was born. Over the years the association between support departments and fixing and troubleshooting customer issues has become...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Astaro Services &amp; Support" />
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Alan Toews - Astaro Director of Support</em></p>

<p>I imagine that minutes after the first computer program was created the first support team was born. Over the years the association between support departments and fixing and troubleshooting customer issues has become so strong that many (even some in support) believe this is the only responsibility of the support team. As a result, support teams at many technology companies have scored poorly on customer satisfaction surveys. Why? Because they end up only interacting with customers when they are having a problem and are angry. Here are some ways support departments can </p>]]>
        <![CDATA[<p><strong>Focus on education first</strong><br />
I hate to say it, but a lot of times the issues our customers are having are not because our products didn't work correctly. It is because they were not properly trained on how to set up, configure or maintain the product. This is the support team's responsibility just as much as it is the sales team's or the customer's. Support teams that create ways for customers to educate themselves have a better chance of having customers that rate the support team favorably. </p>

<p>One way Astaro is doing this is by creating a knowledge base for customers and partners. This knowledge base will house articles about Astaro products written by Astaro's support team and partners. These articles will explain how to overcome common issues, ways to configure Astaro products and more. </p>

<p><strong>Communication is key</strong><br />
Of course part of education is communication. Support teams should communicate any issues the company's product is having, along with the solution quickly and accurately. Additionally, when product upgrades or enhancements are made, the vendor should create alert systems for the customers along with links to information about the new features. </p>

<p>Like most organizations, Astaro has had issues where we needed to communicate to our entire customer base at once. Unfortunately, there wasn't a system in place to do this quickly outside of email. As a result we began developing a unique alert system for our partners using SMS messages. The system is still in the works but we foresee it being a helpful communication tool.</p>

<p><strong>Empower your customers</strong><br />
Another way to improve support services is by empowering customers. Make your customers feel as if they have the power to solve their own issues without support, and can help solve the problems of others. Astaro has a user forum where customers, partners and Astaro employees can discuss issues they are having, talk about unique applications of the product or answer the questions of others. This forum is open to users regardless of their support level status and has a very active community. Even some of Astaro's executives respond to questions from time to time. </p>

<p>Why is this important? It makes your customers feel heard and respected. It also gives them an opportunity to share the knowledge they already have. And when Astaro's Vice President of Product Management responds to your query it lets you know the company is listening. </p>

<p>Keeping these concepts in mind will help organizations understand that if they use their support team for more than just speaking with customers in need of assistance the entire organization will be better off. Support should be a proactive department, just like any other department in your organization.  <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Building successful  (business) relationships</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/07/building_successful_business_r.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1568" title="Building successful  (business) relationships" />
    <id>tag:securityblog.astaro.com,2010://11.1568</id>
    
    <published>2010-07-27T19:01:51Z</published>
    <updated>2010-07-27T19:08:26Z</updated>
    
    <summary>By Regina Grieco There has never been a better time to be a professional woman. Most organizations strive to treat men and women employees equally and fairly. Yet, in the technology industry there is still a slight prejudice towards women,...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Partnerships" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Regina Grieco</em></p>

<p>There has never been a better time to be a professional woman. Most organizations strive to treat men and women employees equally and fairly. Yet, in the technology industry there is still a slight prejudice towards women, making it difficult to foster strong relationships with partners. During my career as a channel manager and director I've encountered partners who were reluctant to create a professional relationship with a woman simply because they assume women are not as adept with technology as men. While this assumption is unfair, it is a reality all women in technology must deal with and overcome. Here are some tips for creating strong professional relationships with your organization's partners - no matter what your gender. </p>]]>
        <![CDATA[<p><strong>Earn respect</strong><br />
No matter what your gender is, if your partner doesn't respect you, your relationship is doomed to fail. They won't return your calls promptly, they'll marginalize your advice and basically the partnership won't work. To earn your partners' respect, begin by behaving in a professional manner upon your first meeting. Demonstrate your knowledge of the market they operate in and your company's technology. This will show your partner that you know your stuff and that you have advice worth listening to. Be sure to dress professionally to project your professionalism by your appearance. And of course speak confidently, even if you are feeling self-conscious - remember the old adage, "fake it 'til you make it". Even when you feel you aren't being respected, behave as if you should be. </p>

<p><strong>Deliver on promises </strong><br />
When you are discussing margins, marketing ideas or any other topic, be sure to know what you can actually deliver for your partner. It will take just one failed promise to make your partner distrust your advice or worse, you in general. If you promise your partner additional margins if they sell a certain volume of your product, be sure they receive it when they deliver on their end of the bargain. Failure to do so will mean they will distrust your promises in the future and stop working hard for you. Let's put it this way, if a friend told you they would give you $10 for picking their child up from school and then never paid you, would you be as willing to pick up their child again? In the end it isn't about the $10, it is about being respected. If your partner feels you don't respect them, they won't respect you. </p>

<p><strong>Listen more than you talk </strong><br />
What do your partners need to succeed? What do they hope to get out of this partnership? What are the challenges they are facing? If you don't know, then you aren't asking enough questions and you aren't listening enough. Creating a successful relationship requires you to understand your partners, but you can't do that if you aren't listening to their needs. So ask questions, find out how you can help and once again deliver. </p>

<p><strong>Keep it professional</strong>... <br />
Your partner doesn't need to know about your wild weekend in Vegas or your fight with your mother. They come to you for technical, business or sales advice and will believe you are incapable of helping them if they see you as a party girl, immature or just plain crazy. The more they know about your personal life, the harder it is to get them to respect you as a professional. </p>

<p><strong>But be sure you get to know your partners </strong><br />
That being said, you have to have some level of familiarity with your partners. Relationships, even business relationships are about people. No partner wants to feel like they are working with a robot and no one can be all business all the time. So ask them about their family, talk to them about your weekend at the zoo with your niece and chit-chat about vacation plans or the weather. Short friendly conversations will foster a friendly relationship and a sense of trust. And if your partner likes you your relationship will be stronger. </p>

<p><strong>Know when to bring in the reinforcements </strong><br />
No matter how professional, how confident and how knowledgeable you are, some men will still have a hard time taking a woman in technology seriously or showing her respect. This problem only gets worse if you are young or appear young for your age. So don't be too proud to bring in a trusted colleague to help the conversation progress. At first it may seem like you are deferring to older male co-workers but if you trust your colleague then over time the respect your partner automatically grants him will slowly transfer to you and the relationship will become your own.  It may not seem fair, but by slowly gaining respect this way, you will potentially change the attitude of your partner towards young, professional women forever. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>New PodCast with Jack Daniel</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/07/new_podcast_with_jack_daniel.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1567" title="New PodCast with Jack Daniel" />
    <id>tag:securityblog.astaro.com,2010://11.1567</id>
    
    <published>2010-07-20T14:15:15Z</published>
    <updated>2010-07-20T14:18:09Z</updated>
    
    <summary>Jack Daniel spoke with the Southern Fried Security Podcast group regarding NAISG and BSides events. To hear the full PodCast interview with Jack Daniel, click here....</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="IT Security Industry News" />
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>Jack Daniel spoke with the Southern Fried Security Podcast group regarding NAISG and BSides events. </p>

<p>To hear the full PodCast interview with Jack Daniel, <a href="http://c2.libsyn.com/media/19751/SFS_Podcast_-_Episode_20.mp3?nvb=20100720134452&nva=20100721135452&sid=51e36bc8637ef7d12d05ce0bbeb4f2d5&t=0a98240f76e4ebeb353f8" target="_blank">click here</a>.</p>]]>
        
    </content>
</entry>
<entry>
    <title>First Podcast - Interview with a partner</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/07/first_podcast_interview_with_a.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1564" title="First Podcast - Interview with a partner" />
    <id>tag:securityblog.astaro.com,2010://11.1564</id>
    
    <published>2010-07-06T15:30:38Z</published>
    <updated>2010-07-07T13:16:24Z</updated>
    
    <summary>Astaro&apos;s Community Development Manager, Jack Daniel, spoke with Frances Poeta, a long-time Astaro partner, at the recent New York Partner Road Show. Here is the recording of their conversation about Astaro&apos;s partner program and the security industry. www.astaro.com/podcasts/astaro-insider-frances-poeta-interview.mp3...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Partnerships" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>Astaro's Community Development Manager, Jack Daniel, spoke with Frances Poeta, a long-time Astaro partner, at the recent New York Partner Road Show. Here is the recording of their conversation about Astaro's partner program and the security industry. <br />
www.astaro.com/podcasts/astaro-insider-frances-poeta-interview.mp3 </p>]]>
        
    </content>
</entry>
<entry>
    <title>Astaro featured in MPLS Experts blog</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/06/astaro_featured_in_mpls_expert.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1563" title="Astaro featured in MPLS Experts blog" />
    <id>tag:securityblog.astaro.com,2010://11.1563</id>
    
    <published>2010-06-30T18:04:44Z</published>
    <updated>2010-06-30T18:06:41Z</updated>
    
    <summary>The MPLS-Experts Blog posted a great article about Astaro and Astaro RED today. Follow this link for the full article: http://www.mpls-experts.com/blog/...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Astaro Company News" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>The MPLS-Experts Blog posted a great article about Astaro and Astaro RED today. Follow this link for the full article: http://www.mpls-experts.com/blog/ </p>]]>
        
    </content>
</entry>
<entry>
    <title>Security BSides -Community and Communication</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/06/security_bsides_community_and.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1561" title="Security BSides -Community and Communication" />
    <id>tag:securityblog.astaro.com,2010://11.1561</id>
    
    <published>2010-06-10T08:00:00Z</published>
    <updated>2010-06-10T09:01:03Z</updated>
    
    <summary>By Jack Daniel It started as a little idea, but it has grown into the Next Big Thing. About a year ago a few people received notices that their proposals for presentations at BlackHat had been declined and they expressed...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Jack Daniel</em></p>

<p>It started as a little idea, but it has grown into the Next Big Thing. About a year ago a few people received notices that their proposals for presentations at <a href="http://www.blackhat.com/">BlackHat</a> had been declined and they expressed their disappointment on Twitter. After seeing some of the great talks that were turned down, someone suggested holding an alternate event that would give speakers an opportunity to give their talks and let people hear them. A great deal of scrambling and a few short weeks later, <a href="http://www.securitybsides.com/BSidesLasVegas01">Security BSides Las Vegas</a> happened during the week of BlackHat and <a href="http://defcon.org/">DefCon</a>, and it was amazing. </p>

<p>A core group of people, assisted by a large group of volunteers, speakers and sponsors put together a two-day event which offered great presentations on a wide mix of topics, a fun environment, and encouraged conversation and participation.</p>]]>
        <![CDATA[<p>Before Security BSides Las Vegas ended, plans had begun for <a href="http://www.securitybsides.com/BSidesSanFrancisco">Security BSides San Francisco</a>, to run parallel to the <a href="http://www.rsaconference.com/index.htm">RSA Security Conference</a>, and the BSides phenomenon took off from there.<br />
Security BSides conferences are about the community, they are run by and for the participants, and provide a venue for talks and presentations which might not "fit" in other venues.  BSides events are also free to attend, so they are a great way to get security education on a tight budget.  Each BSides event has its own feel and style, some run parallel to larger events, others are stand-alone, and most are run by members of the local security community.  As it says on the Security <a href="http://www.securitybsides.com/">BSides website</a>:</p>

<blockquote>"Each BSides is a community-driven event built for and by information security community members.  The goal is to expand the spectrum of conversation beyond the traditional confines of space and time.  It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening."</blockquote>

<p>There have now been BSides events in Las Vegas, Mountain View (CA), Austin and Boston.  There are several BSides events happening this summer and fall:<br />
•	June 18		<a href="http://www.securitybsides.com/BSidesDenver">BSidesDenver</a> "Mile High Security"<br />
•	July 28-29		<a href="http://www.securitybsides.com/BSidesLasVegas">BSidesLasVegas </a>- coinciding with Black Hat / Defcon<br />
o	This will be a huge event, the venue is amazing: http://www.2810vegasestate.com/<br />
o	The speaker lineup will include both "headliners", and new speakers, covering a wide variety of topics- many that you will not hear anywhere else.<br />
•	September 17		<a href="http://www.securitybsides.com/BSidesKC">BSidesKC</a> (coinciding with an InfraGard supported Cyber-RAID CyberWarefare event)<br />
•	September 24-25	Brussels, Belgium, coinciding with <a href="http://www.brucon.org/">BruCon</a><br />
•	October 8 		<a href="http://www.securitybsides.com/BSidesAtlanta">BSidesAtlanta</a><br />
•	TBD			BsidesChicago<br />
•	November 6		<a href="http://www.securitybsides.com/BSidesDFW">BSidesDFW</a> "Don't mess with Security"<br />
•	November 12-13	<a href="http://www.securitybsides.com/BSidesOttawa">BSidesOttawa</a></p>

<p>BSides events are not just a place for experienced speakers; due to the friendly and helpful nature of the community, BSides are great places for new or less-experienced speakers to deliver their message in a comfortable environment. The events also strive to provide comfortable spaces for side conversations, or to continue a discussion after a presentation. If you are going to be near any of the upcoming events, please register, attend, and participate.<br />
Why am I writing about BSides events on the Astaro Security Perspectives blog? Well, there are a couple of reasons. The first is that education and open discussion are a critical part of securing networks and improving technology in general. How can we solve issues if we don't talk about them? BSides events foster this kind of open and honest communication that mainstream conferences just aren't able to accommodate. Astaro is a supporter of this type of open communications as well as the BSides conferences and I thought members of our community would be interested in this type of event. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Astaro RED is here!</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/05/astaro_red_is_here.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1556" title="Astaro RED is here!" />
    <id>tag:securityblog.astaro.com,2010://11.1556</id>
    
    <published>2010-05-26T15:24:37Z</published>
    <updated>2010-05-26T18:03:39Z</updated>
    
    <summary>Astaro RED (Remote Ethernet Device) is now available. Astaro RED combines VPN functionality and complete IT security for branch offices by automatically connecting with a central Astaro Security Gateway. The devices can cut the cost of securing and administering a...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Astaro Company News" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>Astaro RED (Remote Ethernet Device) is now available. Astaro RED combines VPN functionality and complete IT security for branch offices by automatically connecting with a central Astaro Security Gateway. The devices can cut the cost of securing and administering a branch office's security by up to 80% by eliminating the need for IT staff and additional security products at the remote office.</p>

<p>More information can be found here: http://www.astaro.com/news-events/press-releases/astaro-red-simplifying-branch-office-security <br />
</p>]]>
        
    </content>
</entry>
<entry>
    <title>I don&apos;t need to filter web traffic, I trust my employees.</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/05/i_dont_need_to_filter_web_traf.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1555" title="I don't need to filter web traffic, I trust my employees." />
    <id>tag:securityblog.astaro.com,2010://11.1555</id>
    
    <published>2010-05-26T15:18:11Z</published>
    <updated>2010-05-26T15:35:06Z</updated>
    
    <summary>By Jack Daniel I occasionally hear this argument against the use of web content filtering and it is great to hear, but things aren&apos;t that simple. Part of the reason managers and employers can trust their employees is that they...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Jack Daniel</em></p>

<p>I occasionally hear this argument against the use of web content filtering and it is great to hear, but things aren't that simple. Part of the reason managers and employers can trust their employees is that they have built a good working environment, where employees work together and get their jobs done with minimal supervision. As good as this scenario sounds, there are other trust relationships which must be considered:</p>]]>
        <![CDATA[<p>•  Your employees trust you to provide a safe work environment, free from hostile or objectionable materials.  This can be difficult when even the most innocent Internet searches can return obscene or otherwise offensive content.</p>

<p>•   Your customers, business partners, and employees trust you to protect their confidential data.  The proliferation of web-hosted malicious software has turned web browsing into a dangerous activity, putting your systems at risk of infection or compromise, which in turn puts the information stored on and accessed by those systems at risk.</p>

<p>•   An ever-increasing number of laws and regulations require you to protect your employees, to protect sensitive data, and to report any data breaches.  This magnifies the importance of protecting your employees and your data.</p>

<p>Web content filtering does not need to be overly restrictive to be effective. And there is no need to threaten the trust an organization has fostered with its employees in order to protect your organization, your employees and your clients from malicious content. A strong web content filtering solution will allow you to filter content based on your organization's acceptable use policy so that you can continue allowing your employees free access to the Internet with the exception of inappropriate and dangerous sites. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Email archiving, the cloud and disaster recovery</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/05/email_archiving_the_cloud_and.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1553" title="Email archiving, the cloud and disaster recovery" />
    <id>tag:securityblog.astaro.com,2010://11.1553</id>
    
    <published>2010-05-18T15:21:25Z</published>
    <updated>2010-05-18T15:24:25Z</updated>
    
    <summary>By Bill Prout Cloud based email archiving solutions can offer many benefits, including scalable storage options, lower costs and secure data. In addition to these obvious benefits of hosted solutions, hosted archiving solutions can also have a positive impact on...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Bill Prout</em></p>

<p>Cloud based email archiving solutions can offer many benefits, including scalable storage options, lower costs and secure data. In addition to these obvious benefits of hosted solutions, hosted archiving solutions can also have a positive impact on an organization's disaster recovery planning. </p>]]>
        <![CDATA[<p>Section 802 of the <a href="http://www.soxlaw.com/">Sarbanes-Oxley</a> act requires organizations such as financial institutions, government organizations, hospitals and many other types of organizations to archive all records relevant to audits and reviews, including emails, for a period of <a href="http://kbase.gfi.com/showarticle.asp?id=KBID002205">at least seven years</a>. In fact, not complying with this regulation can result in up to 10 years in prison. As a result, most organizations have found ways to comply with this regulation even when the information turns out to be embarrassing, as it recently was for <a href="http://www.information-management.com/news/compliance-10017775-1.html">Goldman Sachs</a>. Unfortunately, even organizations that intend to comply with Sarbanes-Oxley regulations are sometimes unable to do so. Employees not accustomed to archiving their email messages may fail to do so, and natural disasters can create a situation where archived emails are no longer accessible. </p>

<p>To combat the forgetfulness of employees, organizations elect to deploy solutions that provide automatic archiving, but what can these organizations do to combat a natural disaster? Natural disasters are often referred to as "acts of God" as there is literally nothing any human can do to prevent the disaster. However, there are ways organizations can minimize the impact an event such as a hurricane, tornado, flood, etc. can have on the organization. In the case of complying with email archiving regulations, the answer is hosted or cloud-based archiving services. </p>

<p>Hosted services archive emails "in the cloud" so that the information is accessible even if the datacenter in the office is destroyed. Archiving email in the cloud will not only allow the organization to remain compliant with Sarbanes-Oxley regulations, it will also help the organization begin operating normally sooner. Recovering lost data, including important emails, can take time but it is critical to the operation of an organization. When email archiving solutions do not automatically archive emails, messages that employees did not have a chance to archive would then be lost forever. This is why solutions that offer cloud storage and automatic archiving are the best options for organizations. Nothing, in terms of information and messages, will be lost no matter how dramatic the physical damage to the office is. </p>

<p>Email archiving isn't an option so organizations must find ways to comply. By using the same technology intended to facilitate compliance to solve disaster recovery planning, organizations can turn regulatory compliance challenges into an opportunity for increased efficiency. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Keep Students Focused </title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/05/keep_students_focused.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1552" title="Keep Students Focused " />
    <id>tag:securityblog.astaro.com,2010://11.1552</id>
    
    <published>2010-05-18T13:02:58Z</published>
    <updated>2010-05-12T13:06:08Z</updated>
    
    <summary>How technology can help students avoid distractions Keeping students focused in the classroom has always been a challenge. Students would find ways to occupy their mind when they did not wish to pay attention in class. In the past these...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>How technology can help students avoid distractions</em></p>

<p>Keeping students focused in the classroom has always been a challenge. Students would find ways to occupy their mind when they did not wish to pay attention in class. In the past these distractions were unexciting (e.g. doodling or daydreaming) and did not last long. However, the prevalence of classroom computers and other devices which offer Internet access has made it even harder for educators to attract and keep their students' attention. Trips to computer labs to conduct research, type papers or for other educational purposes often dissolve into game time or involve non-school related web-surfing. The popularity of social networking sites like MySpace and Facebook only adds to students' temptations, making it harder for them to remain focused on their lesson or assignment when they have free access to these sites. </p>]]>
        <![CDATA[<p>It is partially the responsibility of educators to monitor student Internet usage during school hours and on school computers. Implementing guidelines for Internet usage can be effective in curbing access to distracting or inappropriate sites while at school, but these policies are difficult to enforce because students are able to hide their actions well. Oftentimes administrators are unaware of what sites are being accessed until after the fact; by then it is too late to determine who accessed the site and when, and the damage is already done. </p>

<p>So now that the challenge of keeping students focused during school hours has become even more difficult, what can educators do to ensure their students aren't updating their Facebook page during class time or chatting with friends via an instant messaging service during a lecture? Perhaps not surprisingly, the answer to helping students avoid the distractions technology creates is ... technology. Many educational institutions have some sort of firewall or security gateway to protect their network from malicious content. However, few realize that these products can also help enforce Internet usage guidelines and eliminate the potential for students to be distracted.</p>

<p>One such function that can help reduce distractions is content filtering. These tools allow educational institutions to block access to websites that are distracting to the educational process. This means when a teacher brings students to a computer lab for a lesson they can be confident the students aren't spending the time on Facebook, checking their personal email or chatting with friends online. Higher end security products don't require educators or school network administrators to block each distracting site individually. Instead they can block types of sites such as "social networking sites", "instant messaging programs" or even "game sites", keeping students focused on the lesson or assignment. </p>

<p>Content filtering tools have the added bonus of protecting students and the school's network from inappropriate or malicious content - even when the visiting of these sites is accidental. Almost anyone who has done an Internet search has experienced clicking on inappropriate materials inadvertently and then being shocked when the content was displayed. In this case, even a student who is aware and respectful of the school's Internet usage policy wouldn't be protected from this unsuitable content as they did not intentionally access the website. The potential for accidentally accessing inappropriate sites is magnified the younger a student conducting a search is - as is the potential for parental complaints or even lawsuits. Blocking sites that students should not have access to or that have known malicious content prevents students from even accidentally viewing content they should not see. </p>

<p>It is often the case that students are more Internet savvy than most of their teachers. They have grown up with technology and they can figure out most programs almost intuitively. Because of this, some students are aware of programs that circumvent content filtering tools. Again, the more sophisticated tools are aware of these programs and block them as well. </p>

<p>But what if students, with their deep understanding of technology, are able to somehow access a distracting website when they should be paying attention to their teachers? Content filtering technologies that are implemented as part of an information security solution also provide reporting tools so that administrators are made aware of attempts to access these sites. This allows administrators to immediately enforce their Internet usage policy and reiterate the policy to students who attempt to distract themselves from their lessons.</p>

<p>Sometimes, the types of sites that can create distractions for students can provide educators with valuable teaching tools. A great example of this is YouTube. YouTube is home to videos about dogs on skateboards and music videos, content that can be very distracting to students. However, it is also home to some educational content. In a history class, for example, a teacher can access clips from documentaries or videos created during a particular time period. These materials can be very engaging for students, elevating their classroom experience. However, students should not have access to YouTube as it is not only distracting when not used appropriately, but it also has content which should not be accessed in schools or by young students in general. </p>

<p>To help work around this issue, some content filtering technologies offer educational institutions the ability to set up user groups and filter content according to each group's needs. So, for example, computers in a computer lab will not have access to YouTube, while teachers' personal classroom computers will. This makes it possible to take advantage of the educational opportunities the Internet presents while continuing to protect students from inappropriate content and keeping them focused on their lessons. </p>

<p>The Internet can be a valuable educational tool, but it can also be a great distraction for students. While content filtering technologies cannot guarantee students will not daydream in class or become distracted in other ways, they can help educators ensure their students aren't focused on web surfing when they should be focused on a lesson, lecture or specific assignment. They also protect students from accidentally accessing websites that are inappropriate for student viewing. Security solutions can do more than just protect your network from viruses; they can keep your students focused. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Challenges of PCI and remote offices</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/05/challenges_of_pci_and_remote_o.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1551" title="Challenges of PCI and remote offices" />
    <id>tag:securityblog.astaro.com,2010://11.1551</id>
    
    <published>2010-05-11T13:18:05Z</published>
    <updated>2010-05-11T13:20:28Z</updated>
    
    <summary>By Jack Daniel While complying with PCI standards does not necessarily mean an organization&apos;s network is adequately secured, compliance is still a challenge all companies that accept credit card information must meet. Understanding and then creating policies that ensure compliance...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Jack Daniel</em></p>

<p>While complying with <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml">PCI standards</a> does not necessarily mean an organization's network is adequately secured, compliance is still a challenge all companies that accept credit card information must meet.  Understanding and then creating policies that ensure compliance can be difficult enough for an organization, but when you add the challenge of complying with these standards at all remote locations a new level of complexity arises. </p>]]>
        <![CDATA[<p>The very nature of PCI regulations means it will affect organizations with multiple locations, like franchises, retail and wholesale stores, banks, credit unions, as well as restaurants and other consumer facing businesses, because they are the organizations most likely to touch credit card data. It is not enough for these organizations to create security policies and compliance procedures for their main offices or flagship store. These businesses must also circulate these policies, guidelines and efforts among all their branches and then update each branch's policies when a change is made. This can be very time consuming, especially when it comes to PCI compliance. </p>

<p>Adding the headache of keeping all of an organization's branch offices compliant to the already confusing and complicated task of creating PCI compliance rules for an organization makes PCI compliance almost unbearable. It is unrealistic to expect an organization such as a bank or retail store to have dedicated IT staff, let alone a security expert, at each location. The costs associated with doing so are too high and, despite its complexity, there aren't enough tasks to justify having an IT employee at every retail store. Additionally, PCI standards require organizations to regularly "test security systems and processes" as well as "track and monitor all access to network resources and cardholder data". With store fronts and office locations spread across countries and continents, regularly testing systems may take a backseat due to budget constraints. </p>

<p>Despite this, all branches must be PCI compliant or they risk a myriad of penalties, the worst of which is losing their ability to accept credit cards as a form of payment - effectively making it impossible to run a business. With ignoring the standards no longer an option, there are two remaining options these organizations have for dealing with PCI standards. </p>

<p>The first is to roll out individual security products at each location. This requires sending IT staff to each location to set up and configure the devices. Then each time a new security policy is created, the IT expert must travel to all the sites and reconfigure each device. Of course the business could elect to hire an IT professional at each site for the sole purpose of managing the site's security, but again, in many cases this is not an economical solution. </p>

<p>The second option would be to manage all security through a centralized point (i.e. headquarters) using a single security device and connection points at each office. The challenge there is connecting all branches to the central office - no small task when some offices may be oceans away. Even a distance of a few miles would make connecting the branch office to the headquarters difficult without the right technology. The right technology will connect and secure the remote locations and allow the IT staff at the headquarters or central office to control PCI related policies as well as all other security policies. This tool would have to be simple to set up so that any employee at a retail store or credit union branch could install the device themselves, eliminating the need for IT staff travel. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Astaro RED is a Best of Interop Finalist</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/04/astaro_red_is_a_best_of_intero.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1545" title="Astaro RED is a Best of Interop Finalist" />
    <id>tag:securityblog.astaro.com,2010://11.1545</id>
    
    <published>2010-04-22T20:26:23Z</published>
    <updated>2010-05-12T13:01:47Z</updated>
    
    <summary>Astaro RED was selected as a Best of Interop finalist for the security award category, recognizing Astaro&apos;s significant technological advancements in this specific category area. The Best of Interop winners will be announced on Wednesday, April 28 during Interop Las...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Astaro Company News" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>Astaro RED was selected as a Best of Interop finalist for the security award category, recognizing Astaro's significant technological advancements in this specific category area. The Best of Interop winners will be announced on Wednesday, April 28 during Interop Las Vegas, happening April 25-29 at the Mandalay Bay Convention Center. For more information visit: http://www.bestofinterop.com.<br />
</p>]]>
        
    </content>
</entry>
<entry>
    <title>What time is it?</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/04/what_time_is_it.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1544" title="What time is it?" />
    <id>tag:securityblog.astaro.com,2010://11.1544</id>
    
    <published>2010-04-05T08:30:19Z</published>
    <updated>2010-04-05T14:01:02Z</updated>
    
    <summary>By Jack Daniel &quot;What time is it?&quot; seems like a simple question. We take for granted that a glance at our watch, computer, phone, auto dashboard or a myriad of other places will give us a &quot;close enough&quot; answer. What...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Jack Daniel</em></p>

<p>"What time is it?" seems like a simple question.  We take for granted that a glance at our watch, computer, phone, auto dashboard or a myriad of other places will give us a "close enough" answer.  What if we REALLY need to know what time it is, with a high degree of accuracy?  Most mobile phones get a signal from the carrier which is pretty good, and sometimes we can rely on our computers, but only "sometimes".</p>]]>
        <![CDATA[<p>When it comes to our computer systems, many people get away with default configurations in Windows and just set the time on various bits of network gear- and it works acceptably most of the time.  Active Directory authentication works as long as the clients and servers are within a few minutes of each other, and many administrators are content with that- at least until something goes wrong and they start trying to compare logs between different systems to correlate events.  Even if you are fortunate enough to have a SEIM (Security Event Information Management system) gathering all of the information for you, the time on the individual devices needs to be consistently accurate.  </p>

<p>For those situations when "close enough" isn't, and "sometimes" isn't acceptable, we need a better system of timekeeping.  Thankfully we have a variety of tools based on NTP, the <a href="http://www.ntp.org/">Network Time Protocol</a>, to help us manage timekeeping and synchronization on our systems.  The NTP folks also maintain a list of NTP servers you can use; details are at http://www.pool.ntp.org/en/.  For most users, getting updates from one of the NTP pools is the best configuration.  Simply select the closest regional pool from the list at http://www.pool.ntp.org/zone/@  (for the US, it would be us.pool.ntp.org); this will resolve to an up to date list of servers in your area.</p>

<p>Simply enabling automatic time updates isn't enough, however; some thought needs to go into the hierarchy of the network.</p>

<p>In simple networks, enabling NTP services on a perimeter device such as a router or firewall is probably adequate: the device can retrieve updates from Internet servers, and client systems can be configured to retrieve NTP updates from the gateway device.  For a little extra redundancy, you can add Internet NTP servers as secondary time sources on your clients, but if you only have a single path to the Internet and it is down, that will not help.</p>

<p>For larger or more complex networks, you will need a distributed NTP infrastructure with some redundancy and fault tolerance built in.  If you have multiple Internet access points, configuring routers, firewalls, or other gateway devices on each connection as both NTP clients and servers is a good first step to provide redundancy.  Internal servers and network devices can then also be configured as both NTP clients and servers, retrieving updates from a list of gateway NTP servers, and answering NTP queries from client systems inside the network.  At the client end of your NTP network, configure client systems to query at least two of the closest internal servers or network devices.  With this configuration, all of your systems should be synchronized and able to maintain synchronization through isolated network outages.</p>

<p>In some situations even more may be required, such as dedicated NTP time sources, peering of local NTP servers, or multi-layer hierarchies, but the above should give most networks stable and reliable timekeeping.  NTP is a stable and low network impact protocol, so once set up there should be very little maintenance required.<br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Social media = email (At least when it comes to network security)</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/03/social_media_email_at_least_wh.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1542" title="Social media = email (At least when it comes to network security)" />
    <id>tag:securityblog.astaro.com,2010://11.1542</id>
    
    <published>2010-03-30T12:26:10Z</published>
    <updated>2010-03-30T13:01:03Z</updated>
    
    <summary>By Jack Daniel Social media sites such as Facebook, Linkedin and others have become parts of our everyday lives. People announce their engagements on Facebook and network without ever leaving the house. They play games and even discuss political arguments...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Jack Daniel</em></p>

<p>Social media sites such as Facebook, Linkedin and others have become parts of our everyday lives. People announce their engagements on Facebook and network without ever leaving the house. They play games and even discuss political arguments right on the 'wall' of their personal profile pages. </p>]]>
        <![CDATA[<p>According to a study done by The Nielsen Company back in December 2009, consumers around the world spend an average of five hours and 35 minutes during the month on social media sites.  This translates into billions of hours logged onto sites like Twitter. With so many people spending so much time on social media sites these sites have become the most dangerous part of the Internet. Or at least that is what many security bloggers or reporters would have you believe. </p>

<p>We read stories about <a href="http://www.networkworld.com/news/2010/031810-facebook-users-targeted-in-massive.html">Facebook users being targeted with spam</a> and <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1445762,00.html?track=sy160&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29">Social Media as a tool for Phishers</a> and that most breaches now originate from social media. We are also told that we need new methods for combating this problem. But I ask, why?</p>

<p>While social media has made it possible to easily connect with and follow the daily actions of your best friend from kindergarten, it has also made us complacent. We assume that because a link was posted by a "friend" that the link must be safe. We assume everyone on Twitter has good intentions and that the information we post online won't be used against us. Of course, none of this is true, but this does not mean we need new technologies or new tactics for keeping our computers and networks safe from malicious content on social networks. What we need to do is treat social media like email - albeit very public email. </p>

<p>Almost everyone with an email address knows not to click on the link sent by a Nigerian prince. They know not to open files that are sent from people they don't know and they know they should not use 123456 as their email password. People, of course, still do, but at least most people are aware they should not. Yet somehow, when they log onto Facebook all this common sense disappears. The person who wouldn't dream of opening an attachment in an email from an unknown source is suddenly downloading games off of Facebook.  </p>

<p>Bill Brenner of CSO wrote some great tips to "<a href="http://www.computerworld.com/s/article/9171478/Tweeps_and_Facebook_Friends_Let_s_Smarten_Up?taxonomyId=17&pageNumber=1">Smarten Up</a>" about social network sites. While the tips about not posting when you are going on vacation are unique to social networking, they are also unrelated to network security and focus on personal security. However, there are some great tips for avoiding a security breach as well so it is worth posting here. </p>

<p>When it comes to network security the best way to stay safe is to treat social media sites like they are your email accounts. It is estimated that somewhere between 80%-90% of all email messages are actually spam and we all know many spam messages can be dangerous. I would argue that many of the postings on social media sites are also spam. How else would you classify a complete itinerary of someone's day, or the lyrics to the song which best describes how sad a person is about a recent breakup? While this isn't dangerous it still falls in the bucket of spam. So when you see a message on a social media site about making $500 a week working from home assume it is spam - even if your "friend" posted it. </p>

<p>The threats and tactics aren't new - it is just the medium that is different.  So continue to use the same common sense you use when opening emails, and the same content filtering you use to block sites with known malicious content, and you'll be fine on social media sites - as long as you don't post the times and dates of your next vacation. </p>

]]>
    </content>
</entry>

</feed> 

