Your Security is an Illusion

I receive a number of queries about security from administrators and users every month, and many of these questions have links to all sorts of security issues that have occurred recently—everything from National Security Agency (NSA) spying to the Target security breach (incidentally, a number of other businesses have been attacked in the same manner). The fact of the matter is that books such as Administering Windows Server 2008 Server Core, Microsoft Windows Command Line Administration Instant Reference, and Windows 8 for Dummies Quick Reference have been telling you all along that security is a matter of vigilance—that software will never do the job alone. Even so, readers keep sending requests for some sort of magic bullet that will allay all their fears and make the task of security automatic.

Maintaining a reasonably secure system is a matter of observing personal, data, and system-wide best practices. Many other authors have listed these best practices in the past, but here are some of the techniques that people fail to use most often:

 

  • Use complex passwords that are easy to remember so you don’t need to write them down—consider using a passphrase whenever possible.
  • Change your password reasonably often and don’t rely on the same set of passwords all the time.
  • Keep your passwords secret so that no one else can abuse them.
  • Encrypt your data.
  • Perform local data backups regularly.
  • Ensure your applications remain updated with the latest security fixes.
  • Update your system as needed to ensure it provides a full set of modern security features.
  • Install security applications that check the incoming and outgoing flow of data, and block anything that looks remotely dangerous.
  • Check your system regularly for any files, folders, software, or other items that look out of place.


This list doesn’t even include some of the common user foibles, such as opening e-mail from parties they don’t know. In addition, none of these techniques are automated. You have to perform the manually in order to get the benefits they provide. Yes, it’s true that some of the techniques are automated once you start them, but you still have to start them. For example, installing security software will automatically monitor the data flow on your system, but you still have to install the security software manually.

Even with all of these security measures in place, someone who is truly determined can break into your system. You should simply count on it happening at some point, even if you’re incredibly careful. When a security breach does occur, you need to have a contingency plan in place.

Any good contingency plan will include a method of evaluating the damage caused by the security breach. You need to know just what was compromised and what the fallout of the compromise will be. Even individuals experience fallout from security breaches, such as identity theft. Once the damage is evaluated, you need a method for fixing the problems it has caused. In some cases, you may actually have to format the drive and start from scratch, which is where that data backup is going to become critical.

There is no magic bullet when it comes to security. Over the years I’ve searched, in vain, for a magic bullet and it isn’t even possible to conceive of one. Therefore, it’s the user and administrator who are best prepared for the eventuality of spying and security breaches that are in the best position to handle it later. Let me know your thoughts on security at John@JohnMuellerBooks.com.

 

Saving Data to the Cloud

Cloud computing is here—no doubt about it. In fact, cloud computing offers the only viable way to perform certain tasks. Certainly, large organization can’t get by without using cloud computing to keep the disparate parts of their organization in communication. However, I’ve been unimpressed with saving data to the cloud for a number of reasons:

  • Someone could easily obtain access to confidential information.
  • The data is inaccessible if my Internet connection is down.
  • A cloud vendor can just as easily lose the data as I can.
  • The vendor doesn’t have a vested interest in protecting my data.
  • Just about anyone with the right connections could seize my data for just about any reason.


As a consequence, I’ve continued to back by system up to DVDs and store some of these DVDs off-site. It’s an imperfect solution and I’ve often considered using the cloud as a potential secondary backup. However, when I saw the news today about Megaupload and the fact that the data people have stored there is safe for possibly two more weeks, I started reconsidering any use of cloud backup.

Just look at what has happened. The federal government has seized data from the site and then shut it down, making the user’s data inaccessible to them. If someone who uses that service for backup is having a bad day with a downed system, it just got worse. Now their data has become inaccessible to them. There isn’t any means of recovering it until someone decides to make it accessible again.

If the data does become accessible again, the users have two weeks in which to download everything and find another place to store it. Losing the personal mementos is bad enough, but to lose confidential information on top of that (think accounting data) makes the loss terrifying indeed. There is also that federal possession of everyone’s data for use in court no less. Now everyone will potentially know everything that people have stored on Megauploadthe good, the bad, and the ugly.

Of course, everyone is talking about what this means, but personally, I go along with John Dvorak in thinking that this incident gives cloud storage the huge black that it rightfully deserves. These services promise much, but I can’t see how they can possibly deliver it all. Yes, there are advantages to using cloud backup, such as the benefits of off-site storage that is outside of your location so that if an extreme disaster strikes, you should theoretically have your data stored in a safe location. Of course, there is also the convenience factor, assuming that you have an Internet connection that’s fast enough to make such backup of an entire system practical.

Cloud computing is going to remain a part of the computing environment from now on, but I think cloud backup has a lot further to go before anyone should trust it as a primary means of data storage. What are your thoughts about cloud backup? Let me know at John@JohnMuellerBooks.com.