SUBSCRIBE
Get what you need to know about information technology solutions to grow your business.
subscribe now »
| » comment |  del.icio.us |
 digg this |
|
 rss feeds |
Fortigate 330A Tutorial
Connor Anderson looks at unified threat management products from Fortigate.
View video »
Connor Anderson looks at unified threat management products from Fortigate.
View video »
| RELATED | MOST POPULAR |
|
Deploying Microsoft Desktop Optimization Pack 2009
Learn four ways MDOP R2 can help you migrate your organization to Windows 7. Preserving Essential Records
If you found out tomorrow morning that you could not bring your company's network online for three days (no matter the reason), would your users still have access to key records they need to do their jobs? Could you access everything you might need to until the calamity had ended? Check out tips that can help you ensure business continuity. Cisco's UC 500
Cisco's UC 500 all-in-one appliance offers everything an IT department needs to deliver effective communications to workers. Data Theft Deterrent
Generally, it's not feasible to forbid employees from using mobile computing devices simply because of security risks. And often today, your employees need them to do their jobs. The HP 4410t Mobile Thin Client can help allay your information security concerns. Securing Mobile Data
With the proliferation and affordability of notebook computers, it's only a matter of time before one belonging to your business ends up in the wrong hands. Start planning now so that when you receive that phone call, you can rest assured your data is safe. ARCserve Backup File Server Suite 12.5
CA tuned the latest version of its backup software, making de-dupe a core component. Our reviewer checks out how well the newest features in the software's File Server Suite stack up for storage management. Security Blanket: Vista's Outbound Firewall
Want an extra layer of security for Windows? Then enabling Vista's outbound firewall just might do the trick. 7 Must-Have Technologies
IT practitioners agree that there are some products no IT shop can live without. Multithreat Protection
The SonicWall NSA E5500 UTM appliance can create a shield to help protect your business's network. A Delicate Balancing Act
High-availability storage success depends on the ability to juggle emergency management within a realistic budget. |
|
A Simple Error Can Create a Big Problem
Information technology, particularly the security field, is often a thankless job. When information security works, there are no system compromises or malware outbreaks, but management and users alike typically fail to realize the efforts information security personnel have invested to ensure that security. Those same managers and users are quick to point fingers and place blame when something does go wrong.
Information security already has a negative reputation in many organizations, and there are enough external threats without creating opportunities for security breaches. With that in mind, it is even more important than usual for information security professionals to be diligent and ensure they do not make mistakes that lead directly to security issues.
There are many common mistakes. A couple of years ago, the SANS Institute cataloged a list of the top 10 security mistakes made by IT professionals (www2.sans.org/resources/mistakes.php?portal=f94a311a055434720eafa6a3830ff5e7). The list includes errors such as connecting unpatched or insecure systems to the Internet, providing username and password credentials over the phone without authenticating the caller’s identity, and not running updated antivirus software.
My Worst Mistake
The list from SANS can serve as a terrific baseline for catastrophic mistakes, but there is one in particular that stands out as the biggest mistake I have ever made. It occurred while I was working at a dot.com Web site as a jack-of-all-trades network administrator.
My job description included anything and everything related to IT short of actually developing the Web site. I had to rack and stack the equipment in the network server room. I installed, configured and administered all the servers, including the domain controllers, DNS servers, Web servers, e-mail servers and a bleeding-edge IP telephony and fax server. My role spanned troubleshooting and supporting user desktops to evaluating and procuring equipment and everything in between.
One function that fell into “everything in between” was to ensure our data was backed up daily. The Web site generated thousands of transactions an hour, and the transaction data plus the accumulated customer information was the lifeblood of the organization.
We invested a great deal of time and money to ensure we had the best tape backup system we could afford. The unit was slick, capable of holding multiple data tapes and robotically switching them out as one filled up to continue backing up without human intervention. We spent weeks learning about the hardware and the software and working to optimize our data backups so that we could back up our data as quickly as possible with as little impact as possible to our users or to the Web site.
We invested hours devising a policy for data retention and a schedule for removing tapes for offsite storage and replacing older tapes to ensure the integrity of the tape, making sure we did not miss a thing. The problem was that we missed a very major thing — validating the data on the tape and verifying that we could actually restore the data if necessary.
When a disaster finally struck, we learned the hard way. After a database server crash, we attempted to restore our most recent backup tape only to find out that it did not contain some of the key data we needed. Because we had never tested our ability to restore data, we were unaware that the backup agent was unable to work with files that were open for use, and that most of the time we were actually not backing up much of our most important data. After going deep into the archives, we were finally able to find a backup tape that let us get up and running, but we lost weeks of customer and transaction data in the process.
Learning From My Mistake
In today’s information security environment, you can expand the concept beyond data backups to disaster recovery and business continuity as a whole. Your plan may look good on paper and your day-to-day execution may appear to follow your process, but you need to test it to be sure. Schedule periodic dry runs or tests to walk through potential disaster scenarios and ensure that your plan will work in the real world. Waiting until the catastrophe strikes is not a good time to learn that it won’t.
Tony Bradley, a Microsoft MVP (Most Valuable Professional) in Windows security, is a computer security consultant with BT INS in Houston and the author of Essential Computer Security.
[ Related Articles ]
Home | Contact Us | About Us | Subscribe | Meet the Editors | Privacy | Site Map | Terms and Conditions
Copyright ©2010 CDW Corporation | 300 N. Milwaukee Avenue, Vernon Hills, IL 60061