Diving into the world of web hosting can feel like navigating a complex network, a bit like the physical landscapes of wilderness paths and waterfalls I often hike. I’m searching for that stable, secure hosting company that not only keeps my online presence running smoothly and sets up a reliable foundation for sharing my experiences with you.
Speaking from my perspective, both stability and security are paramount. I don’t want to hear about compromised hosting, defaced web sites, exploited accounts, and downtime. In this case, when it comes to hosting with HostMantis, the deafening silence has been golden. No alarms, no breaches, no unexpected outages, just consistent uptime and reliable service. For someone involved in computer network operations and vigilantly aware of potential vulnerabilities, this “no news” scenario is the ultimate reassurance. It means HostMantis is doing its job, allowing me to focus on other priorities. In the case of a business owner, it is to get sales from my site; in the case of a newspaper, it is to share newsworthy articles with readers. In my case those priorities are wanting my website to work flawlessly so I can tend to the issues of sharing life and my experiences with valuable readers like you.
For the past four years, I’ve relied on HostMantis to provide hosting services. Their service has consistently exceeded, my expectations. In this review, I’ll share my experience, outlining why HostMantis has been a solid hosting provider and why it might be the stable, dependable, and effective solution you’ve been searching for. From my viewpoint.
A few notes on my baseline site hosting and configuration, including a background on URL and Domains vs Hosting.
My domains are registered somewhere else, I keep the domain registration separate from hosting. Here are a few reasons:
Pro: Avoid vendor lock-in, increased portability: Domain registration is a somewhat static task that is very well defined, and costs are generally constant. Hosting on the other hand is a bit more messy. There are plenty of bad hosting providers. Keeping my domains separate, with a separate billing account, reduces the opportunity for cross issues.
Pro: Security: Separating services can reduce the risk of losing both the domain and hosting if one provider has issues.
Pro: Email control: I maintain a separate Domain Name System (DNS) in order to route mail most definitively. If integrated correctly, mail can be routed directly to a public high availability mail service like Microsoft, Google, or even Yahoo instead of through a web host who then forwards the mail. This avoids any issues with hosting downtime.
Con: Additional costs. Separate renewal fees, and often the host provider will “give” a domain registration with the cost of hosting
Con: Complex management: Yes, it is true, this increases complexity (an enemy of security), but in my experience this is worth the lift.
2. HostMantis Account Configuration
HostMantis provides two factor authentication with any 2FA app. I’ve tried it with Microsoft Authenticator, Twilio Authy, and Google Authenticator. All three worked flawlessly.
Account security appears to be an area that HostMantis takes seriously.
I have not validated their “break glass” system; that is, if I’ve lost access to my account due to hijacking or lost authenticator token (for example, if your phone blows up), I’m unclear what the break glass back door is. I expect calling them would allow them to unlock my account. But, again it has not been tested.
For the package I own, login starts as a Reseller account into a general HostMantis page.
From there, enter the WHM (WebHost Manager) console. WHM is an industry standard from the makers of cPanel and is adopted by every hosting company I’ve used that use cPanel. WHM is where creation and management of individual web pages happens. Creating sites is straightforward.
Migrating Sites Into HostMantis
Migrating active sites into HostMantis proved flawless. I used Duplicator in my old hosting company, downloaded my zip files, and uploaded and ran the php installer. Everything was more than perfect.
SSL Certificates
HostMantis makes HTTPS is available on all sites through the free service Let’s Encrypt, a platform I’ve been using since its official launch in 2016. As a background, in the early days of Let’s Encrypt, securing sites with ssl/tls required cron jobs and other manually configured automation. HostMantis’ solution is integrated in a button.
I would strongly recommend avoiding any hosting providers that do not provide free SSL.
3. Performance and Reliability
PageSpeed Insights
PageSpeed has remained exceptional throughout my tenure with HostMantis. Seeing a 97 on a site makes there not much else to report!
Uptime has been excellent. I test uptime with a test of whether the opening page opens, tested every five minutes. Over the course of two years, according to Uptime Robot, my primary site has experienced four incidents of downtime totaling 8 hours.
Downtime incidents
However, I was not able to corroborate this data point. At each of the downtime reports, by the time I tried to manually test the sites, they were all active again. It may have been an issue with Uptime Robot, not saying it was, but I am not able to assign “real” downtime to HostMantis.
Response times
The UpTime Robot response times are not nearly as stellar as the PageSpeed Insights. I’ll have to defer here to others who may be able to “make this make sense”. If you happen to understand where the discrepancy between the two exists please get in touch with me.
4. Customer Support: Always There When You Need Them
Every one of the minimal tickets that I’ve created has been answered in timely fashion, definitely nothing but admiration for the team.
Pricing and Value
HostMantis does not come cheap, but the uptime and reliability value is baked into the cost.
5. Overall Experience: A Highly Recommended Hosting Company
Considering the excellent performance I’ve experienced from this company, based on my experience over the last few years, I would fully recommend HostMantis as a web hosting company.
Cyberattacks on medical devices are a growing threat to patient safety. Cybersecurity threats to healthcare have increased in both frequency and severity, and continue to be clinically impactful causing healthcare delays. The security of medical devices is essential to protect patient safety and the integrity of healthcare data.
Medical devices are FDA approved solutions that pose unique security challenges when deployed in enterprise networks. There are a number of reasons why medical devices are a cybersecurity and cyber risk challenge.
1.1 Unpatched and outdated systems
Ripe for exploitable vulnerabilities, many medical devices are hosted on outdated operating systems. Medical devices are normally managed by the vendor, not by the customer. As such, the customer is not always “in the know” for when updates occur. Certainly, contractual agreements may exist, but policy safeguards do not always represent the technical landscape. Often the medical device vendor will rightfully cite “FDA approval’ for controlling the system. If an untested patch is installed by a customer, the untested system may introduce medical control issues that affect patient safety.
1.2 Security not first
Being patient focused “first”, medical devices are not normally designed as “security first”. This may be a difficult situation to negotiate with the vendor. For example, a gamma knife scheduling system compromised by malware may be marginally operational, and not affect patient safety. But a gamma knife compromised by malware or ransomware during a medical procedure may introduce lethal situations to a patient.
As security specialists, it is our job to make sure all parties understand the risks to security compromise. Ultimately, it is our job to notify the business of these risks, and the business that decides how to move forward in these situations.
1.3 Highly network connected
Another risk is that medical devices are often connected to hospital networks and potentially directly to the Internet, which means that a cyberattack on one device could spread to other devices on the directly connected network. The fact that these devices may be vulnerable (as pointed out above), and connected to the Enterprise network makes them nominal bastion hosts to jump into the network, therefore a valuable target for attack.
1.4 Sensitive patient data
Additional risk areas are that medical devices often contain sensitive patient data, which makes them directly a valuable target for hackers without even needing to jump into the rest of the network.
2 The statistics
The increasing number of cyberattacks on healthcare organizations is a major concern. In 2022, there was a 74% increase in cyberattacks on healthcare organizations worldwide. This is due to a number of factors, including the increasing use of connected medical devices, the growing sophistication of cybercriminals, and the high value of healthcare data.
The potential risks of cyberattacks on medical devices are significant. They can lead to the theft of sensitive patient data, the disruption of patient care, and even the loss of life. It is therefore essential to take steps to protect their medical devices from cyberattacks.
3 Guidance & recommendations
The following guidelines should be considered when evaluating medical devices. This guidance document is focused on patient safety and introducing medical devices to enterprise networks. The recommendations provide guidelines to safely and securely introduce vendor managed medical devices into operational enterprise networks. There are three entities involved. The customer is the hospital or medical facility; the vendor is the distributor of the medical device; and the manufacturer is the manufacturer on record with the FDA.
3.1 Fully document data system interfaces
Medical devices are often integrated with electronic medical records and other intricate patient health systems. Confirm that the entirety of the medical device data system interface is fully documented with asset information, connected data repository (data source & data destination), ports, and protocols. This information is important when evaluating whether additional protection (such as isolation or network segmentation) is practical. [reference 1]
3.2 Perform threat modeling
All networked devices are susceptible to malicious compromise. In threat modeling medical devices, expect the device is compromised and consider what the threat actor can do with the device. Consider patient safety first, and consider methods and techniques to protect the enterprise from the compromised medical device. [reference 2]
Threat model development are twofold. First is how a threat actor can manipulate the machine itself, potentially affecting patient safety. Second is if the device is compromised, how can that device affect healthcare operations. Threat modeling discussions should include the vendor since the vendor is more likely to intimately understand the vulnerabilities in the device.
While developing the threat model, consider that the hospital is likely not able to thoroughly scan the device for compromise. For example, consider that the device may have explicit but undocumented wireless internet capability (many off-the-shelf computers have built in Internet capable SIM cards), or that a vendor employee may introduce an Internet connected device for maintenance and updates, or that a threat actor could introduce an Internet connected USB leave-behind. Since the hospital is likely not able to scan and control the medical device system, the hospital needs to protect itself from these types of threats.
When performing threat modeling, consider specific examples of what a threat actor could do with the compromised device. For example, a threat actor could:
Cause patient harm: Change the device’s settings or firmware. This could cause the device to malfunction, deliver incorrect treatment, and thereby harm the patient.
Perform data theft: Access and steal sensitive patient data. This could include medical records, insurance information, or financial data.
Leverage as a bastion host: Use the device as a launchpad for attacks on other devices in the networks. This could spread malware or ransomware to other devices in the hospital network.
3.3 Request for software changes & cyber security updates
Medical devices often include general purpose computers and industry available off the shelf (OTS) operating systems. These devices are the responsibility of the manufacturer, and controlled by the manufacturers FDA approval. Untested changes to the device could pose a risk to patient safety.
The device manufacturer bears the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device. [reference 3, 4]
The manufacturer is responsible for validating cyber security software changes to control vulnerabilities. Any requested cyber security changes are ultimately the responsibility and authority of the manufacturer’s engagement with FDA. [reference 5] Concerns related to device security and vulnerabilities need to be addressed by external measures and compensating controls such as network segmentation.
3.4 Implement compensating controls
Due to the “hands off” nature of medical devices, compensating controls should be utilized wherever practical. For example, network segmentation is a method to improve data and system protection. [reference 6] Network segmentation can be used to protect the medical device, and also to protect the enterprise network from compromised medical devices. Creating a network segment also forces the creation of fully documented medical device data system interface (e.g., data flow diagrams), thereby enhancing the security of the engagement.
3.5 Document maintenance responsibilities and maintenance schedules
It is customary that the manufacturer maintain the medical device and associated software. However, there may be situations where operational staff are involved with portions of maintenance. Fully document manufacturer’s requests for involvement.
3.6 Document cyber security readiness
Cyber incidences happen. It is important to ensure that staff are aware of the security risks posed by medical devices and how to protect the patient from those risks. For example, device specific awareness training will guide the medical staff on actions to take during an attack. In addition, indicators of compromise should be documented and staff properly trained for awareness.
A key to successfully resolving cyber incidences is a preplanned incident response playbook (e.g., a cyber security incident response plan, or CSIRP). Document the cyber security incident response opportunities and agreements between the hospital and the vendor, including the cyber security incident response contact teams.
The cyber security protection plan should include guidelines and procedures to
Identify: Threat landscapes are continually evolving, and it is critical to recognize threats as applied to specific devices. During the device lifecycle, many changes will occur, including changes on the device itself, software patches, and connected network changes. Contractually agree to a regular cadence of “re-documenting” the system to confirm cyber security readiness.
Protect: Periodically review the security controls in place, and confirm that the controls continue to effectively protect the device from newly discovered threat vectors and vulnerabilities.
Detect: Identifying signs of compromise. It is especially important that staff be made aware of indicators of compromise, and what to do if a machine is acting as though it is compromised. For example, fully document who the staff should contact when presented with what is believed to be suspicious activity.
Respond: Methods to isolate the compromised device to prevent additional attacks. Keep in mind that these are medical devices, and immediately isolating the medical device may negatively affect patient care. It is important to understand how to respond to a cyber attack while ultimately protecting patient care.
Recover: Restore operations, restoration of patient data.
It is critical that the CSIRP be tested on a regular basis, and after any significant system change. This testing exercise confirms that the CSIRP remains valid in the dynamic operational enterprise environment.
3.7 Simplicity is the key to security
The “least burdensome approach” to maintaining and protecting medical devices should be considered. [reference 7, 8] Consider the FDA solution a complex “vendor managed solution” where forcing last minute vendor changes are neither practical nor secure. Instead, recognize the device as unmanaged (unmanaged from the customer’s point of view), with unmanaged risks and unmanaged validation, and work to implement a framework of controls around the device that protects both itself, and protects the rest of the enterprise from the device.
3.8 Informal agreements are not obligations
Remember that Emails and discussions are not contractual obligations. Consider the value of the emails and discussions, and document any fundamentally important agreements in contractual obligations. Consider whether the agreements are absolutely critical to the engagement, and apply the principles of “practical security”.
4 Conclusion
Medical devices are capable of directly affecting patient care. These devices are also connected to other infrastructure components with an ability to affect patient records, retrieve and store sensitive patient information, and be used as jump boxes to the rest of a hospital network.
When considering methods to protect the medical device system from attack by a threat actor, and to protect the hospital network from being attacked by a rogue device, the most effective methods are
To coach medical staff on cyber security readiness,
To employ methods to encapsulate and control network traffic,
To regularly revisit the vulnerability landscape for the system, and
To understand how an offensive operator can use that medical system to their benefit, to the hospitals detriment, and to the patients peril.
Medical devices & systems are a critical part of patient care, and securing these systems is essential to protecting patients and providing healthcare services.
Reference material
1 Food and Drug Administration (FDA), “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices Guidance for Industry and Food and Drug Administration Staff”, September 28, 2022, https://www.fda.gov/media/88572/download
2 MITRE, “Playbook for threat modeling medical devices”, November 30, 2021, https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf
3 Food and Drug Administration (FDA), “Guidance document, Off-The-Shelf Software Use in Medical Devices, Guidance for Industry and Food and Drug Administration Staff”, September 27, 2019 (originally issued September 9, 1999), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use- medical-devices
4 Food and Drug Administration (FDA), “Global Approach to Software as a Medical Device”, https://www.fda.gov/medical-devices/software-medical-device-samd/global-approach-software-medical-device
5 Food and Drug Administration (FDA), “Guidance for Industry Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, https://www.fda.gov/media/72154/download
6 National Institutes of Health (NIH), “Information Technology and Medical Technology Personnel´s Perception Regarding Segmentation of Medical Devices: A Focus Group Study”, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151197/
7 Food and Drug Administration (FDA), “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, January 14, 2005, https://www.fda.gov/regulatory-information/search- fda-guidance-documents/cybersecurity-networked-medical-devices-containing-shelf-ots-software
8 Hoffer, Gregory, “Complexity is Still the Enemy of Security”, https://www.cyberdefensemagazine.com/complexity-is-still-the-enemy-of-security/
Are you an experienced Python programmer? Then this article is absolutely for you. On the other hand, if you are a new Python programmer, or new to programming? Then this article is DEFINITELY for you!
Colaboratory, or Colab, is a game-changer for anyone who wants to code with Python. It’s a free, cloud-hosted Jupyter notebook environment that lets you write and execute Python code right in your browser, without any setup required. Whether you’re a seasoned data scientist, a curious student, or just someone who wants to tinker with code, Colab has something to offer you.
What is Colab?
Colab is a virtual machine running in the cloud. It comes pre-installed with all the popular Python libraries, including NumPy, Pandas, TensorFlow, and PyTorch. You can access it from any device with a web browser, making it incredibly versatile and accessible.
What can you do with Colab?
The possibilities with Colab are endless. Here are just a few things you can do:
Data science and machine learning: Analyze data, build machine learning models, and train them on powerful GPUs
Deep learning: Experiment with deep learning frameworks like TensorFlow and PyTorch without having to install anything on your own computer
Scientific computing: Perform numerical computations and simulations
Education: Learn Python and data science in an interactive environment
Web development: Build and deploy web applications using Python frameworks like Flask and Django
Getting started with Colab
Getting started with Colab is easy. Just visit https://colab.research.google.com/ and click “New notebook.” You’ll be up and running in seconds, with a blank notebook ready for your Python code.
Benefits of using Colab
There are many benefits to using Colab, including:
Free to use: You don’t need to pay anything to use Colab
No setup required: Just open your browser and start coding
Accessible from anywhere: Use Colab from any device with a web browser
Powerful hardware: Colab runs on Google’s cloud infrastructure, giving you access to powerful GPUs and CPUs
Pre-installed libraries: No need to install any Python libraries yourself
Collaborative: Share your notebooks with others and work together on projects
Final thoughts
Colab is a valuable tool for anyone who wants to code with Python. It’s free, easy to use, and powerful.
Future parts of this post
…may include…
Tips and tricks for using Colab
Examples of cool things you can do with Colab
A comparison of Colab to other Jupyter notebook environments
Have you ever received a phone call where the caller’s first question is, “Can you hear me?”
A lot of talk on the internet since around 2017 with people saying they were encouraged to say “Yes!” only to later have their voice used to pay for services.
Disclaimer: I am not a lawyer, and I do not play one on television. I am however familiar with social engineering. I can tell you, in my professional opinion, of all the things that never happened, this never happened the most.
But… really? Is this for real? Or is it fear mongering, which is quite common on the internet? With a simple one word answer, can someone really steal my identity, or obligate me to a purchase?
Can I be obligated with a single word?
The answer is: Probably not. Realize, you likely have dozens of video clips with you and your friends on YouTube, or Instagram, or TikTok, or Facebook. And can a single word be used to identify you? So the perpetrators of this likely hoax are saying that a bad actor can order stuff on the internet, be on a call with whoever sales person for however long they need to be on, and then at the crux of the call they will change their voice completely and insert your voice with a single word response “Yes”?
Does that even sound reasonable? Of course it doesn’t sound reasonable. But it makes for good click bait, and fear mongering creates a lot of interest. The problem is, it also distracts you from real adversaries. Distractions are sometimes fun, but distractions are usually not very good use of your time.
Why the “Hello can you hear me” then? What are more reasonable thoughts on why these calls come in with that odd question?
Confirming you are a real person
The reason for the can you hear me is most likely a robocall where the calling company doesn’t want to waste the time of a real agent. Robo companies are operating on volume – the more the calls the better, because some percentage of people will actually buy what they are selling.
If an answering machine answers, there is no reason to waste the time of a real agent. When the “just say yes or no” happens, it is because the robocall recognized a voice, but thinks it has an answering machine.
Buying time for the operator
A second reason is that the robocaller just transferred the call to a real agent, who is trying to buy themselves time in the awkwardness of having the phone answered. You may have said “Hello” or something else, and they don’t know what you said, so in order to trick you into thinking they were having phone issues they ask you to basically repeat yourself with the cue “Hello? Hello? Can you hear me?”
Final thoughts
There are many reasons that a caller would ask whether the called party can hear them, including
A delay tactic, while being transferred to a live agent.
A simple way to start a conversation and to get the other person to respond.
Allows the scammer to test the audio quality of the call and to make sure that they are able to understand the other person.
A way to gauge the other person’s interest in the scam. If the other person responds positively to the “Can you hear me?” question, the scammer is more likely to continue with the scam.
A way to confuse or startle the other person, making them more likely to fall for the upcoming scam in confusion.
A basic tactic for sales, get the potential buyer to get used to saying “yes” in the conversation.
Now that said, these are my professional opinions. And remember, just because you are paranoid doesn’t mean they aren’t out to get you, so hanging up the phone is the right thing to do.
tl;dr? My video solution is Davinci Resolve, my go to non linear video editor.
Along with their static reading blog cousins, vlogs (Video Logs) have been all the rage for a few years now. I’m sure you have seen a few. In fact, if you have ever looked at any video on YouTube, you were likely looking at a vlog. Vlogs are often shot on phones or other minimal capture devices, then edited in a video editor.
HostMantis is a web hosting company that has been providing reliable and affordable hosting services since 2014. They offer a range of hosting solutions, including shared hosting, reseller hosting, VPS hosting, and dedicated servers.
One of the standout features of HostMantis is their excellent uptime guarantee. They promise 99.9% uptime, and many users report that their sites are up and running smoothly without any issues.
HostMantis also offers fast and responsive customer support. They have a support team available 24/7, and users can contact them via live chat, phone, or support ticket. Many users report that the support team is knowledgeable and helpful, and they always go the extra mile to solve any issues that arise.
Another great thing about HostMantis is their user-friendly control panel. The cPanel interface makes it easy to manage your website, set up email accounts, and install popular applications like WordPress.
HostMantis also provides a range of security features to keep your site safe from cyber threats. They offer free SSL certificates, daily backups, and malware scanning and removal.
Configuring a new host is meaningfully time consuming. Do the right thing today, and there should be smooth sailing tomorrow.
HostMantis proved extremely efficient at setup and installation. Website installation through ftp was flawless, and there was sufficient compute site services to perform the unpacking and installation of WordPress zip files.
I did not use the service, but HostMantis offers free website migration services for customers who want to transfer their website from another hosting provider. Their migration team handles the entire process, including transferring files, databases, and DNS settings, making it easy for website owners to switch to HostMantis without any hassle.
Uptime testing
Uptime guarantees are a contractual Service Level Agreement. In these agreements, the vendor will promise to compensate the buyer if uptimes are not adequately provided. The problem is, you as a consumer usually aren’t interested in uptime guarantees, you are interested in uptime for your customers.
Say you own a restaurant. You’ve contracted with a company to provide “99% uptime guarantee, or we will refund your entire month of service!” Well, that sounds good, if they experience less than 99% uptime, you will be refunded the $100/month service fee they charged you. But how is this going to affect your company? 99% uptime is 8 hours downtime per month. This means your restaurant could experience two four hour downtimes during the most busy days you have, and they’ve met their contractual obligation. How is that going to work out for you? What are your business continuity plans for the eight hours of downtime? Even worse, if they exceed the 8 hours, their only obligation is going to be the $100 fee they’ve charged you.
Testing process
We will be testing HostMantis uptime over the next two years, and report back to you on findings.
Testing the uptime guarantee of a web hosting service can be a tricky and time-consuming task, but it is an essential aspect to consider before choosing a hosting provider. The uptime guarantee is the percentage of time that a web hosting service promises to keep your website up and running without any interruptions. Most reputable web hosting providers offer an uptime guarantee of at least 99.9%.
To test the uptime guarantee, you need to monitor your website’s uptime continuously over a period of time using a reliable monitoring tool. These tools check your website’s availability at regular intervals and alert you if it goes down. Some popular monitoring tools include Pingdom, Uptime Robot, and StatusCake.
When monitoring your website’s uptime, you should set up alerts for downtime and track the uptime percentage over time. This will give you an idea of how often your website experiences downtime and whether it meets the uptime guarantee promised by your hosting provider.
It’s important to keep in mind that downtime can be caused by factors outside the hosting provider’s control, such as internet outages or server maintenance. However, if your website experiences downtime frequently or for extended periods, it may be a sign of poor server performance or inadequate resources, and you may need to consider switching to a more reliable hosting provider.
HostMantis uptime results
Testing after two years was unexpected and impressive. Two different uptime monitors were used through the two years of hosting through HostMantis.
The results were that HostMantis provided 100% uptime through the terms of service.
Security is critical to success
Web site security is critical to success. Whether you are running a multinational corporation, or a home based business, web security is going to be reviewed by your customers.
TLS/SSL (Secure Sockets Layer) is an essential technology for securing online communications and protecting sensitive information on the internet. SSL is a protocol that establishes a secure, encrypted connection between a website and a user’s browser. This encryption ensures that any data transmitted between the user’s browser and the website is protected from being intercepted by hackers or other malicious actors.
The importance of SSL cannot be overstated, especially in today’s digital age, where online security threats are becoming more prevalent and sophisticated. Without SSL, sensitive information such as login credentials, credit card numbers, and personal data are vulnerable to interception, which can lead to identity theft, fraud, and other security breaches.
In addition to protecting sensitive information, SSL also provides website visitors with assurance that the website they are visiting is legitimate and trustworthy. SSL certificates are issued by trusted Certificate Authorities (CAs), who verify the identity of the website owner and ensure that the SSL certificate is legitimate. This verification process gives website visitors confidence that the website they are visiting is not a phishing site or a fraudulent site impersonating a legitimate website.
Having an SSL certificate is also important for search engine optimization (SEO). In 2014, Google announced that SSL was a ranking factor in their search algorithm. This means that websites with SSL certificates are more likely to rank higher in search engine results pages (SERPs) than websites without SSL certificates.
HostMantis SSL included
HostMantis provides an excellent SSL (Secure Sockets Layer) certificate service that offers reliable and secure encryption for websites. SSL certificates are essential for protecting sensitive information such as login credentials, credit card numbers, and personal data from being intercepted by hackers or other malicious actors.
HostMantis offers free SSL certificates for all of their hosting plans, which is a significant benefit for website owners who want to secure their website without incurring additional costs. Their SSL certificates are issued by Let’s Encrypt, a well-known and respected certificate authority, which ensures that your website’s encryption is both secure and reliable.
HostMantis SSL certificates are easy to install and integrate with your website. They offer a range of SSL certificate types, including Domain Validated (DV), Extended Validation (EV), and Wildcard certificates, depending on your website’s needs.
Stress testing
Stress testing is an essential part of web development and website maintenance. It involves simulating heavy traffic and high user loads on a website to evaluate its performance under extreme conditions. The purpose of stress testing is to identify potential bottlenecks and weaknesses in the website’s infrastructure before it goes live.
To perform a stress test, a testing tool or software is used to simulate large volumes of traffic to a website. The tool sends multiple requests to the website, emulating the behavior of a large number of users accessing the website simultaneously. The requests are designed to simulate a range of user actions, such as loading pages, submitting forms, and downloading files.
During the stress test, website performance metrics such as response time, CPU usage, memory usage, and server load are monitored and measured. These metrics help identify any potential bottlenecks or performance issues that may arise under heavy user loads.
Once the stress test is complete, the data collected is analyzed to identify any areas of weakness or performance issues. These issues can then be addressed through optimization and performance tuning to ensure that the website can handle high traffic loads without experiencing downtime or slow performance.
Stress testing is particularly important for websites that experience high volumes of traffic or that are critical to business operations. By identifying and addressing performance issues before they occur, website owners can ensure that their website remains available and responsive even under extreme conditions.
HostMantis stress testing
HostMantis is an exceptional web hosting provider that delivers reliable and efficient web hosting services. Their commitment to performance and stability is evident in their ability to handle stress testing for up to 1000 users.
A recent stress test on a website hosted by HostMantis demonstrated exceptional performance under extreme traffic loads. Throughout the test, the website remained stable and responsive with minimal slowdowns or errors.
HostMantis’ proactive approach to performance optimization was noteworthy. They provided detailed performance metrics and optimization recommendations that helped fine-tune the website for optimal performance under heavy user loads.
Customer support
Customer support cannot be overstated. You don’t need them… until you need them. It is like the fire department. Do you think about the fire department when you are driving to work or having dinner with your family? Probably not. You only think about them… when you need them.
No different than customer support in web hosting. Customer support is a critical aspect of any web hosting provider, and HostMantis sets a high standard in this area. Their commitment to customer satisfaction is evident in their comprehensive and responsive customer support. The support team is available 24/7 via live chat, phone, or ticketing system and is highly knowledgeable and professional. Their technical expertise and willingness to go the extra mile to resolve customer issues promptly are impressive.
As a customer, it is reassuring to know that any issues or questions can be addressed promptly and efficiently. HostMantis’ customer support provides a seamless and stress-free hosting experience, ensuring that any concerns or problems are resolved quickly and effectively.
The importance of customer support cannot be overstated, and HostMantis delivered exceptional customer support that prioritizes customer satisfaction. Their commitment to providing a reliable and stress-free web hosting experience is evident in their comprehensive and responsive customer support.
Concluding remarks
So far, HostMantis has proven to be an effective and efficient web hosting company. Continued monitoring and testing over the next months and years will be reported. If you have any particular concerns or questions about HostMantis, feel free to send me a note. Otherwise, stay tuned to this channel for more information as it evolves!
Free internet fax options allow you to send and receive faxes over the internet without the need for a fax machine or a dedicated phone line. These services are often referred to as “online fax services” or “virtual fax services.”
There are several benefits to using free internet faxing, including:
Cost Savings: Free internet faxing eliminates the need for a physical fax machine and dedicated phone line, which can save you money on equipment, maintenance, and phone bills.
Convenience: With internet faxing, you can send and receive faxes from anywhere with an internet connection. This means you can send faxes from your computer, tablet, or smartphone, making it easier to manage your faxing needs on-the-go.
Efficiency: Internet faxing allows you to send and receive faxes quickly and easily, without the need to print out documents or wait for them to be delivered. This can save you time and help you stay productive.
Security: Many internet faxing services use encryption and other security measures to ensure that your faxes are transmitted securely. This can help protect your sensitive information and reduce the risk of identity theft or other types of fraud.
Environmental Benefits: By eliminating the need for a physical fax machine, internet faxing can help reduce paper waste and save trees. This can be a positive step towards a more sustainable future.
Overall, free internet faxing can be a convenient, cost-effective, and eco-friendly solution for businesses and individuals who need to send and receive faxes on a regular basis.
Here are a few free internet fax options. These intentionally exclude “free for a month after you give us your payment card information”, and other gimmicks.
FaxZero: FaxZero allows you to send up to five free faxes per day, with a maximum of three pages per fax. However, there are advertisements included on the cover page.
HelloFax: HelloFax offers a free plan that allows you to send up to five faxes per month. The service also includes a digital signature feature.
Commentary on image:
HelloFax didn’t identify this during signup, but while trying to send a fax, the system reported that faxes are limited to three pages, plus the cover sheet.
And there is a five page per month limit, not a five fax per month.
GotFreeFax: GotFreeFax allows you to send up to two faxes per day, with a maximum of three pages per fax. There are no advertisements included on the cover page.
“The future of malware” is a trigger for most of us in computer security. Most cyber professionals have an idea of what they think malware looks like in the next few years, but truly few of us write about it or document it in a formal way. In 2013, I presented on the “future of malware”. My predictions at the time were that initial attack vectors would pivot strongly away from IP based network attacks and towards (1) social engineering, (2) insider threats, and (3) overprivileged systems. At the time, application sandboxing was somewhat in an infancy (especially phone based applications), and phishing was gaining speed. Stuxnet was at the time a recent exploitation that was still being discussed in the industry.
Since then, Target was attacked through an over privileged thermostat — it was a control unit that was on the same layer of protected network as the rest of the enterprise and credit card machines. Then along came SolarWinds, where the attackers compromised service delivery of an application that was then distributed by the vendor to their clients.
Without much further ado, I’d like to present an interview with ChatGPT, and discovering what an artificial intelligence makes of the future of malware.
ChatGPT was asked to write a 1000 word essay on the future of malware. This is the result. I’ve added notes to each paragraph. ChatGPT content is italicized.
Malware, short for “malicious software,” is a term used to describe any software that is designed to harm or exploit computer systems. It has been a significant threat to individuals and organizations for many years, and it is likely that it will continue to pose a threat in the future.
This is an accurate description to the question “what is malware?”, and the status of malware in the industry. Kudos ChatGPT.
One trend that is likely to continue is the increasing use of malware as a tool for cybercrime, such as ransomware attacks that hold data hostage until a ransom is paid. These attacks can be especially damaging to businesses, as they can disrupt operations and lead to lost productivity and revenue. In recent years, there has been a rise in the use of ransomware as a tool for extortion, and it is likely that this trend will continue in the future.
Types of malware come in many forms. My own opinion of this is that the trend is likely to pivot to data exfiltration and blackmail based on content (compromising the Confidentiality of data while leaving the data itself largely intact and Available) rather than the current lock and hold for ransom (Availability disruption). My basis for this argument is that more companies are using endpoint protection, “thinner” clients, and vendor segmented SAAS solutions where Encryption of large scales of data will be difficult. That said, this is a professional opinion, and I wouldn’t say ChatGPT is “wrong”. Kudos ChatGPT.
Another trend that is likely to continue is the increasing sophistication of malware. As security measures and technologies evolve, malware will also continue to evolve to become more sophisticated and harder to detect and remove. This could include the use of machine learning algorithms to evade detection and the development of “zero-day” vulnerabilities, which are security vulnerabilities that are unknown to the vendor and can be exploited by attackers before a patch is available.
Well, on this one there are a lot of fancy words being used like “sophistication of malware”, “evolve”, and “zero day”, all of which many of us in cyber war have written about. I’m going to say this paragraph is more fluff than fodder No bonus points ChatGPT.
One potential future development in the field of malware is the use of artificial intelligence (AI) and machine learning algorithms by both attackers and defenders. On the one hand, AI and machine learning could be used by attackers to more effectively evade detection and launch more sophisticated attacks. On the other hand, AI and machine learning could also be used by defenders to more effectively identify and respond to malware attacks.
Agreed, and it is of benefit that artificial intelligence is being mentioned. To note, my thesis is in Artificial Intelligence, and I likely would not have mentioned AI in attack and exploitation. While this paragraph doesn’t present many details, it does bring up the subject. So… Kudos to ChatGPT for mentioning it.
Another potential future development is the increasing use of malware in the Internet of Things (IoT). As more and more devices are connected to the internet, they become potential targets for malware attacks. This could include attacks on smart home devices, industrial control systems, and other connected devices. Protecting against these types of attacks will require new approaches and technologies.
Agreed, yes, absolutely. The security perimeter becomes the node or system itself, instead of some artificial boundary between “enterprise” and “Internet”. Up until 2010 or so, breaking the perimeter usually meant bypassing the firewalls protecting the Internet border. That border is now already broken, because IOT (such as that thermostat at Target, or even SolarWinds if it is considered an appliance) is already in the building. Kudos ChatGPT.
To protect against future threats, it is important for individuals and organizations to implement strong security measures, such as keeping software and security systems up to date, using antivirus and firewall software, and being cautious when opening emails or downloading files from the internet. It is also important to regularly back up important data to prevent loss in the event of a successful malware attack.
Hmm. This paragraph on malware protection really seems to fall short. Anti-malware software only helps once signatures have been developed. Patching systems, using antivirus, check, agreed. However, earlier ChatGPT mentioned zero days, and of course zero days have no patch. I think ChatGPT should have tied these two concepts together. Good ideas ChatGPT, but there is something missing.
In addition, it will be important for individuals and organizations to stay informed about new threats and developments in the field of malware. This could include staying up to date on security patches and updates, participating in security awareness training, and staying informed about the latest trends and techniques used by attackers.
There is a quote from the cold war that I’m going to paraphrase for cyber warfare. “In order to beat an attack, you have to think like an attacker.” Defenders will never win until they become the attacker. My recommendation is to regularly rotate the Defender staff out to Attacker mode, let them learn the Attack and Exploitation game, then come back and Defend for awhile while the next group rotates out. A defender will never win until they think like the attacker, and even then, the defender cannot “win”, they can only thwart an attack that is underway. As soon as the Attacker recognizes the Defender has caught on, the Attacker then pivots to a new Attack vector. So… with regard to “staying informed”, I’d say that is implemented as, let the Defender put the Attack hat on from time to time. Kudos to ChatGPT.
In conclusion, the future of malware is likely to be marked by increased sophistication and the use of new technologies, such as AI and machine learning. Protecting against these threats will require strong security measures and a proactive approach to staying informed about new developments in the field. By taking these precautions, individuals and organizations can help protect themselves against the ever-evolving threat of malware.
Great conclusion. Kudos ChatGPT.
Let’s take a look at this!
Overall assessment
ChatGPT as of 2022 provides some clever ideas and insights, and puts together a reasonable basic essay. There doesn’t seem to be much depth, and ChatGPT doesn’t bridge ideas together. There are what I call “flower words and phrases”, such as “increased sophistication” and “new technologies” without explaining why. Diving into this, every year the technology world experiences “increased sophistication” and “new technologies” — so the words and phrases really don’t do much to increase the sophistication of the essay, or to help the reader understand why these statements are being made.
For basic layout, the Chat bot does a decent job at assembling a basic non sophisticated essay. For this example in discovering the future of malware, the bot did a basic 101 level essay on the topic, but not much more.
Chess automata
Concluding remarks
Chess computers have been theorized for a hundred years. The Cray Blitz in the 1980s was the first chess automaton to register as a chess master. Twenty years later in 2006, the world champion Vladimar Kramnik is defeated by Deep Fritz in a 4-2 match. No human has topped a chess computer since.
In the same way, ChatGPT is in its infancy. This is just the beginning. Today, ChatGPT is demonstrating basic and very good writing techniques.
That all said, this is the beginning of ChatGPT and automata writing engines. Give the bot a few months or a few years, and I’d expect the sophistication of the bot to be on a competitive level to human writers. My prediction is that ChatGPT and automata writing engines will be used for “basic framework”, then more advanced human writers will add to the basic text that is generated — very similar to what I myself did in the earlier section. Let ChatGPT and automata do what they are good at (not much different than having an entry level lawyer write the beginning of the contract), then have a more advanced human take over to edit and include details that may have been overlooked by the automata.
So tell me, what are your thoughts? Where is this technology likely to wind up in the next few years?
Dead links are absolutely “no good” for your SEO, and even worse they are no good for your visitors!
There are two kinds of dead links. Links to external sites need to be monitored since the external site might change their structure, or they might even go out of business. In either case, new related articles need to be discovered, or simply kill the dead link.
Links to your own site sometimes go dead because of site structure changes. For example, if you’ve moved WordPress to a “different” subdirectory while migrating to a new hosting company, site destinations may have changed.
This article outlines a few free link checker sites that will review a site for dead links.
Emergency situations call for emergency preparedness. The term “breakglass access” derives from the world of emergency alarms (such as fire alarms) that are protected by “break glass” stations, where once the alarm is activated it cannot be “turned off” without replacing a part of the station. Sometimes the fire alarm has a glass or plastic insert that has to be replaced after the alarm is activated. In any case, a responder is going to immediately recognize that the alarm has been pulled.
In computing, “break glass” is the procedure to access a system that bypasses normal security controls during critical emergency situations. Break glass procedures rely on pre-staged emergency user accounts that are documented, tested, and managed. For example, a “break glass” admin account may be created for situations when network based authentication/authorization services (such as Active Directory) have become unavailable. The break glass accounts should be made in a way that they rely on (1) the user and (2) the target system, with very little tertiary system involvement.
Of course, in all break glass situations, be aware that the break glass accounts can also be weaponized by threat actors. Since the break glass accounts bypass potential mitigation steps, a threat actor may be able to use them. For example, break glass accounts rarely enable conditional access policies such as MFA. Without a second factor to security, a threat actor has easier access to the systems that are being protected.
It is also important to note that “break glass” access is not always a “break glass” account. Break glass access might be a method or procedure. For example,
Break glass in a data center might mean that there are methods to boot the affected system in a Safe Mode container that provides properly authenticated access
Break glass in a cloud environment might mean that there are procedures available to call the service provider and have a new account created.
B. Retain role based security – Emergency access to particular levels of “the stack”
Software is a many faceted beast, including infrastructure (networks & servers), platforms (operating systems), and software (reference AAS sisters). Emergency special access rights need to be configured for all three layers of the beast.
For example, let’s say you have a website built on WordPress deployed on a web hosting server. There are several break glass opportunities and scenarios. To outline a few, there are (1) the website, for example, where new articles are created; (2) the WordPress deployment, for example, where new users are created; and (3) the web hosting login, where a new WordPress might be created. There are of course many others.
But there is no reason to get carried away with break glass accounts. As a reasonable starting point, understand what each break glass account is capable of doing. Do you really need this many break glass accounts? Probably not if you control the entire stack.
If access to the website account is lost, the normal WordPress Admin account authorizations can be used to change the website account password.
If access to the WordPress Admin account is lost, a new account can be created by the normal web hosting login.
If access to the web host is lost, a reasonable break glass procedure might be to call the hosting provider and have the access credentials reset.
C. Use cases: When emergency access is required
To better understand how to protect systems with break glass access, let’s explore why emergency access may be required. To name a few, emergency access may be required in the following situations:
Cyber attack (insider or external) has deleted or removed access to all accounts. In this way, the system is unavailable by all methods other than break glass.
Accounts are federated, and the identity provider is not available. For example, if access to AD has been compromised by way of a cyber attack, or a network outage has prevented access to AD, the system is unavailable by all methods other than break glass.
Multi factor is enabled on all accounts, and the Multi factor grid is not accessible or has become compromised. For example, in a global phone outage (text based MFA), or if an MFA app provider has become compromised. In this situation, the system is unavailable by all methods other than break glass.
Remembering that break glass access can also be weaponized by a threat actor. It is best to restrict the number of methods to gain access, to reduce the vulnerability exposures.
D. Emergency access suggestions
Break glass access is typically either
by way of system access procedures, for example, console access;
by way of contacting a provider company that has access (for example, in a cloud hosted environment);
by way of an account.
In any of the scenarios, the process should be documented and well tested. You don’t want to try to “figure it out” during a real outage that is affecting your users and customers.
Here are suggestions for emergency access:
Top five criteria for all emergency access methods
Fail proof – it has to work 100% of the time
Sufficiently privileged – in order to recover from every situation
Perpetual – not subject to lockout under any circumstance. Cannot be deleted, expired, nor deactivated, so that if a malicious user gains access to the system, the malicious user cannot execute a Denial of Service to the Break Glass account.
Not used for any access other than absolute emergencies – these are not daily access accounts
Regularly tested – triggered by time (say every 90 days), upgrades, updates, new break glass users, terminated break glass users
Additional criteria for emergency access
Simple – since the accompanying emergent situations is already increasing stress levels
Audited – with no ability to destroy audit trails, so that a “break glass” event is evident to observers
Protected – access methods should be stored in a manner in which if the method is accessed, the access is easily identified. For example, if break glass account, store the credentials in an envelope in a locked firesafe where the envelope itself has to be destroyed in order to access the credentials. In this way, anyone who has access can identify if the account information has been accessed.
Monitored – so that if the method is used, every user becomes immediately aware. For example, every admin is immediately notified that the break glass process has been invoked. Keep in mind if an adversary has gained admin access and admin notification occurs, the adversary will then immediately be notified that Break Glass has occurred.
Minimum necessary privilege to recover – for example, the ability to create and manage Admin accounts, where then the admin account can be used for the rest of the recovery process.. Remember, Break Glass is to regain access. The person who logs into the Break Glass account is not likely the person who manages daily access to the system. In a large environment, the Break Glass action is going to be used to establish a “fix beachhead” that is then used to regain global access for multiple other users.
Protected against single person insider threats – for example, requiring more than one person to gain access
Not assigned to an individual – since emergency access is to recover from an emergency, and the individual may be a contributing reason for the emergency (an insider threat bad actor)
Procedures kept current for any new versions or deployments of infrastructure, platforms, or software
Does not require reset, so that if part way through recovery another situation is encountered, the same break glass method can be used
Intentional – to protect against “accidental break glass”
Special considerations for “break glass” accounts
Not multi factor – because multi factor may be a contributing reason for emergency access
Local account – not relying on any centralized authentication or authorization services
Username/Password stored in a container where access is easy to identify and requires “new glass” (such as an envelope) to reset, that is, cannot be easily reversed.
Explicitly excluded from automated cleanup and lockout – cannot be locked out, ever
Explicitly excluded from lockout due to failed passwords – since an adversary could simply DOS the account to lockout break glass access during an attack
Access passwords or password locations changed when staff changes
Bonus: Password separated into two or three parts stored separately, with potentially different people having access to different parts of the password. Remember, breaking a password into separate pieces reduces the cryptographic complexity of the password. For example, if a 12 character password is broken into two 6 character segments, the resulting security is only that of a six character password. If an adversary obtains half of the password, only the second half needs to be cracked.
Other notes on methods and accounts
Of course, “ideal” break glass methods typically require cooperation and configuration from the vendor. For example, with regard to break glass accounts, most vendors provide administration authorization that is universal administration, not limiting the account authorizations to “only account creation and management”. With this in mind, be conscientious in creating break glass methods that can be implemented on the systems that are being managed.
E. Concluding remarks
Dealing with adverse situations is the foundation of business continuity planning. The situation of losing access to a system or server is no different than any other adversity. Break glass access methods are part of the recipe of a comprehensive recovery plan.
I hope this article has been helpful! If you have any recommendations please drop me a line.
Abstract: Have you ever wondered about Link tracking and who clicked my link, fake link to see who clicks, link that tells you who clicked it, or just how to know if someone clicked on your link. However it is asked, the answer is the same! This article will help with your request.
There are times that you’ll want to know if someone has “clicked the link” that you’ve shared. Say, for example, you have interest that “a scammer” is up to no good, and you’d like to know where that scammer is. This article is going to show you some tools available for click tracking.
If you have a web site you’ll likely be using Google Analytics or one of the other “site visitor” trackers. That’s good stuff! But sometimes it isn’t a site visitor that you are looking to track. Of course, this goes hand in hand with the first rule of computer security: “Be aware“.
In comes: Link trackers!
As always, we are only interested in the free link trackers. Here are a few.
Bitly is one of the “original” logger/shortener sites. The free version is “generous”, with up to 1000 different tracked links per month, and a 30 day retention on click through. 2FA is available for those of you who are security conscious — which should be everyone who reads my posts! 🙂
2. Grabify IP Logger
works reasonably well. You provide a web url, and it creates a tracking url.
Grabify logger Create Link page
Grabify works great, and it provides detailed information on your clickers.
Grabify Link Information page
Pros and cons:
(pro) The results page is easy to understand.
(pro) As a bonus, if requested, Grabify will send you an email whenever anyone clicks one of your links.
(negative) Be aware, there are a LOT of advertisements on Grabify. One of the “benefits” to having a free service!
(con) Also be aware that as of the time of this writing, the base domains are all “non normal”. This may or may not be a consideration for you.
(con) there is a lot of delay before the link unwraps to the real URL. Your users may get tired of waiting.
3. IP Logger
IPLogger is another choice in IP Logging. The user interface is cluttered but functional.
4. Wow Link
Wow Link is another excellent choice in IP Logging. The dashboard is clean and modern.
Note though that Wow Link has a lifetime limit of 5000 links and 10,000 total visitors that can be monitored. For a casual user it will take awhile to get there, with a maximum of 25 links per month.
Wow Links limitations with “Free” plan
Final words
It was difficult to find the first few, but once I found a few (as in, replacing goo.gl), it opened up a river of options. My recommendations are to
find one with generous Free allotments, and
start using it.
Once you figure out if you really want to go to all the trouble, then consider doing more research to find a potentially “better” one. But nearly any of these will do.
Oh, and because there are a lot of scam sites out there, I’d recommend using a throw away email address.
Let’s be safe out there!
References
there are a lot of ways to ask about fake link to see who clicks, or link that tells you who clicked it, or even the simplest few words of who clicked my link, wikipedia does a decent job of describing the technique: https://en.wikipedia.org/wiki/Click_tracking
Searching for a photo of the Empire State Building from a plane? A whale breaching the surface of the ocean? It is often difficult to take your own “perfect” photo for your posts. And you can’t just “take” an image from someone else’s web site — or you’ll potentially face a DMCA takedown notice and demand letter.
So what do you do?
Well, for starters, always document where you find your images! And second, whenever reasonably possible (which is almost always!), find images that are identified as sharable, public domain, and no attribution required. Why no attribution? For sure, you should provide attribution! But when attribution is required, there are potentially difficult ways in which the documentation has to be referenced. I’m all for attribution, but don’t make it difficult.
Here’s a collection of web sites that provide free photos, videos, images, and other media. But be careful! Some of the sites also have “paid” offerings that are mixed with the free ones.
Be careful with Pixabay though. There are “sponsored links” and otherwise non allowed photos. Follow the download rules and you’ll be fine, but make sure the photos that you are downloading are actually the “free” photos promised.
Pixabay “sponsored link” photos — be careful about the downloads!
Pros and cons
+ Great free photos
– There are “sponsored links”. Make certain that you are downloading an official “free” image.
The photos are of excellent quality, beautiful images and are free for any purpose. You just should not appropriate the authorship of the photo. They have an open license, that is, they are for public use. That is, for personal, commercial use, modify and distribute without permission. Totally recommendable. Your email will not be required.
They have a universal license, that is, an open license to copy, distribute, modify, work commercially without having to ask for permission to do so. The logical thing is that you do not credit yourself because this would be wrong, I say very wrong. His gallery is small but what you will find there is of very good quality and very beautiful.
The photos are of excellent quality, beautiful images and are free for any purpose. You just should not appropriate the authorship of the photo. Recommended although its gallery is quite limited. To download an image you must accept the terms and conditions agreement which is extremely short and easy to understand.
This portal is very, very good. Photos of excellent quality, very beautiful. You download the photo without giving data or anything for the summer. It also has a lovely premium section. It is in a word great. I loved this portal. They do not have a CC0 license, so I recommend you read beforehand about what you can do and what you should not do with these images.
This portal is the best of all this group to which I have made my evaluation. It is spectacular. Yes, its free. Your data will not be required and the photos are of the highest quality. The gallery is great and you can also use it on your blogs or commercially, edit them, copy them. They will invite you to do an accreditation to the author but it is not mandatory at all. It is phenomenal. The gallery is immense and it is one of the most recognized portals of free images of high definition and excellent quality. Highly recommended.
Just avoid these
In my experience, these sites do not provide free artifacts. In my opinion, just avoid them. This is only my opinion.
(avoid) bigstockphoto . com
This is not a free photos portal, you must pay to get them without a watermark. You must leave your email and card details to access a 7-day free sample. The standard license has countless clauses. The photos are beautiful but expensive.
(avoid) freefoto . com
Some are free but I particularly think they don’t have a nice variety of photos. You must leave your email and accept an agreement so that you can download the photo. Many rules. In addition, it is mandatory that you prove authorship and place the link where the photo is on the portal or the home link of freefoto.com. Very complicated for the user.
(avoid) classroomclipart . com
You will not find free images on this portal. You can download them for free but will have the watermark. I wonder, what is it for?
Operational enterprise environments are tempermental. Touch one thing, break another. Replace a server, break the interfaces to that server. Increase the security posture of the organization by changing an operational firewall? Well, we don’t want to think about that!
Wait. Actually, we do want to think about increasing the organization’s security posture.
This article focuses on protecting enterprises with outbound firewall rules. We’ll also explore network based threat hunts, how netflow models can trigger Hunt alerts, and how the models provide valuable metrics for hunters.
Firewalls are security devices that protect enterprises from uncontrolled network flows, in much the same way as dams protect towns from uncontrolled water flows. Most enterprises recognize firewalls as “inbound protection devices”. But firewalls are much more than inbound protection devices. Configured correctly, firewalls protect against unauthorized inbound traffic AND unauthorized outbound traffic.
What does this mean? Consider an adversary (possibly an insider) that has landed on your network. This is already a bad situation — something has happened that allowed the adversary to wind up on the network.
This is where your outbound firewall configuration comes in. Without a firewall, the adversary is able to exfiltrate your sensitive data without you even knowing. That said, a properly configured firewall can make it more difficult for the adversary to exfiltrate data from your network. Even though the adversary is on the network, getting sensitive data out of the network can be made more difficult with the use of firewalls.
Define your network
Dealing with thousands of individual objects is a difficult task. When presented with thousands of individual objects, our minds work to categorize the objects.
Network objects are no different. Combining dozens of objects on a small network quickly become complex. Consider your home network. Probably pretty simple. You might have a half dozen cameras, an Internet ready doorbell, WiFi keypad locks, a couple of computers between you and the family, several phones, a WiFi thermostat or two, printers, WiFi smart watches, network enabled refrigerator, and several other devices. Even in this “pretty simple” environment, simple means dozens of devices.
Dozens of devices potentially means at least dozens of Firewall rules. And every new device means reconfiguring the Firewall. This effort can become unwieldy quite quickly.
So how to proceed? First, recognize that this process is iterative. Each iteration is a brand new opportunity to refine the solution.
Grouping network objects based on “service”
Dealing with large numbers of diverse objects is difficult. It is much better to group objects into “similar” or at least “similar enough”. When it comes to networks, shiny objects are not all created equal. One easy grouping of devices might be based on the “nature of network access”. For example, the groups might include:
(a) INTERNET ACCESS devices that need outbound connected Internet access, but no Internet device needs to initiate access into these devices. These devices include computers, laptops, and phones.
(b) INTERNET BLOCKED devices that do not need Internet access. They never need to communicate to the Internet, and the Internet never needs to initiate traffic to them. These devices include individual cameras that connect to a local DVR, WiFi enabled thermostats that are controlled only by phones that are on the network, and printers. Remember to consider that the devices will not be able to update themselves either, since they will not have direct access to the Internet. Creating a workflow for updating the devices is important, and usually handled by manual updates or by having a local server they’ll attach to that will allow updates.
(c) DMZ DEVICES devices that need to be controlled or accessed by the Internet. These devices require firewall routes from the internet “into” your network. The devices might include a web server if you are locally hosting web sites. This class of device are typically deployed in DMZs (network demilitarized zones) and will not be covered in this short tutorial.
To summarize, a simple categorization or segmentation is (a) devices that can access the Internet, and (b) devices that do not access the Internet.
It is easy to argue that “This binary Yes/No, Open/Blocked network segmentation is insufficient!” And yes, that is an accurate statement. Build as many different groups of devices as you wish, and remember this is an iterative process. At some point you’ll need to get started.
Deploying firewalls in new enterprises
Greenfield
Configuring firewalls in new environments is a much simpler task than configuring firewalls in operational environments. In a new environment, the firewall can start life with outbound connections set to Block All. Each new device, each new service, can be assessed for traffic requirements. For example, you know your employees need to access web sites? Open outbound TCP 80 and 443 for the workstation endpoint IPs. You know a server engineer needs to sftp to a remote server? Open outbound TCP 22 for that server IP.
In the Groupings solution defined above, onboarding each new device requires that the device is categorized as either (a) Internet access necessary or (b) Internet access is blocked. It is quite valuable to have subcategories as well. For example, the workstation endpoints should not necessarily have 22 open. On the other hand, Server endpoints often do not have 80 & 443 open (you don’t want your Server engineer to browse potentially nefarious web sites and download malware).
One thing to remember is to create policies & processes for onboarding new devices. Each new device should be attached to a group that will allow the appropriate and reasonable amount of Internet traffic.
Deploying firewalls in operational environments
Operational environments require a bit more planning and diligence. The problem is that blocking all ports is going to break everything — suddenly, nothing will work.
Complexity is the enemy to security
The basis of this recommendation is: Make a plan! Whatever you are going to do, make sure you’ve developed a plan, and make sure the plan includes backout steps.
Here is an operational plan for changing firewall rules that will work in every environment.
1. Monitor and capture netflows
Goal: Identify each (a) device that is communicating to the Internet, and (b) the remaining devices that have no need to access the Internet.
Understanding basic network metrics is the best place to start in protecting an existing environment with firewalls. Users are not impacted during the monitor and capture phase since traffic shaping does not occur during the monitor phase.
The monitor phase should continue for at least a month, more reasonably at least a quarter. The reason for this extended timeframe is to capture as much “known traffic” as practical. For example, vendor software updates are normally scheduled at least quarterly. By monitoring for at least a quarter, the capture will include vendor software update flow. To note, Microsoft and other vendors initiate the infamous “Patch Tuesday“.
The monitor phase metrics results in two useful artifacts.
First, ports that are not used during the normalization phase can be considered for blocking (explained in the next phase).
Second, the netflows can be used during threat hunts. The way this is used during a hunt is that the hunters have a model for “normal” traffic, and thereby can also recognize “not normal” traffic.
Know that this step is not going to stop an existing bad actor that has already infiltrated your network. In fact, you aren’t even going to be made aware of a bad actor during this step.
Bird of prey
Threat hunting
Recognizing “not normal” traffic is a key to network threat hunting. During a threat hunt, the team is looking for anomalies, for traffic that doesn’t belong. If a “disallowed” netflow shows up in a capture, the netflow might be an indicator of compromise, a key sign of trouble that needs to be investigated by the threat hunt team.
To explore this a bit, network modeling is not “binary”. That is, it isn’t just the “disallow” list that is important to modeling netflows. Ports that wind up on the “allow” list should continue to be monitored for excess traffic. An artful threat hunt includes investigating abnormal traffic spikes. If a port model demonstrates a certain daily traffic volume, then suddenly experiences a traffic spike, the excess traffic should result in a Security Alert.
2. Explicitly allow “active” netflows; explicitly deny all others
The second phase of tuning the outbound firewall rules is to only allow the “known active” ports. This is performed by explicitly Allowing netflows that were observed during Phase 1 Monitoring, and explicitly Denying all other flows.
Active block in a previously open enterprise is likely to introduce issues. The team needs to have a plan and procedure ready to “unblock” required flows. This step of “Explicit block” should be delayed until the policies and procedures are available. Blocking netflows in large complex enterprises should be handled delicately since these environments may require flows opened that simply didn’t show up during the analyze phase.
For complex poorly documented operational environments, it may be more reasonable to “alert on unused ports” instead of “block unused ports” during the early parts of the transition. However at some point the phase of “explicit deny” must conclude with “block unused ports”.
Threat hunting
Advanced organizations might consider replacing simple “blocks” with redirects. For organizations that actively threat hunt, redirecting an unallowed/unused flow to a honeypot can quickly alert the crew to call Hunt On! Unused ports are easily identified in the Netflow capture since the unused ports simply will not show up in the list. For example, if Port 3389 (a port associated with Remote Desktop Connection) doesn’t show up during the monitor phase, and the team knows that there are no reasonable and acceptable outbound remote desktop connections, then an advanced team might consider redirect 3389 to a honeypot. If any devices wind up landing on that honeypot, the hunt team needs to search for the rogue device and user.
3. Refactor “active” netflows
Once the “known unused” ports have been handled successfully and the organization defaults to “Block” or “Redirect to Honeypot”, it is time to move on to refactoring the “active” netflows.
Refactoring reduces the firewall ruleset. If there are 150,000 endpoints in an environment, it is likely a good idea to distill those into different types of endpoints — for example, Workstations, Servers, Phones, and Cameras. The simplest refactoring will identify “all <specific types of> endpoints” allowed outbound traffic to “all destinations” over “listed ports”. For example, “<all Workstations> allowed outbound traffic to <all Internet destinations> over port 80 & 443”. However, this is just the beginning of this phase of tightening down the firewall.
In operational environments, refactoring operational ports is likely a multi-phased approach; one phase covering workstation endpoints; another phase covering servers; and several phases covering “other endpoints” like phones, cameras, and keypads/door entry systems. Eventually the firewall will have a collection of rules for many different types of endpoints.
Example: SMTP
For example, say that Ports 25, 465, and 587 show up in the “operational port” report. These ports are associated with SMTP (also known as Simple Mail Transport Protocol). While it is reasonable for a mail relay such as an Exchange server to communicate over these ports, it is less reasonable that a workstation/user endpoint relay their own mail. The ruleset should Allow the Exchange server and Deny all other systems.
Example: Web traffic
Another example exists for web traffic over 80 and 443. While it may be reasonable to open web traffic for all endpoints, an adversary can use those allowed flows to exfiltrate traffic. One might consider, is it reasonable for a Server to contact web sites over 80 & 443, or only Workstation endpoints configured for user traffic? Even moreso, is it appropriate for even the Workstation endpoints to communicate out directly, or is there a web proxy protecting the end users from visiting known malicious web sites?
Threat hunters are in a constant battle with threat actors. The more data available for the hunt, the more likely the hunt will succeed.
Threat hunters need data, and netflows are an invaluable form of data to a hunter. Continue monitoring netflows even after the firewalls have been normalized. The continuous monitoring provides data that is useful for computer network defenders and threat hunters. Identifying anomalies is a bases for alert generation, and identifying anomalous traffic volumes is an event that should trigger an alert.
Conclusion and after thoughts
Firewalls are “moderators to the real world”, they defend against inbound malicious traffic, and they defend against adversaries who are trying to exfiltrate traffic on outbound ports. Defending your precious sensitive data requires a fully operational bi-directional firewall.
Managing operational environments is a task in balancing many parts of a complex puzzle, from satisfying user demands, to enforcing security, to addressing Cxx level board room concerns. Managing underused firewalls in these operational environments can be an undoubtedly perilous concern, and managing firewalls is equally necessary to properly protect the environment.
As always, Prior planning prevents poor performance, and this adage holds true for deploying Firewall changes in operational environments. Make a plan, and stick to it. But what happens if the plan has too many edge cases? If the need arises to deviate from the Firewall Protection Plan, change the plan itself and restart instead of deviating from the plan.
LinkedIn is the worlds largest professional network, an incredibly diverse social platform both for job seekers and for companies wishing to fill open positions. In a way similar to how Facebook and Instagram connects people in a personal way, LinkedIn offers an opportunity for professionals to engage with one another and with the companies they represent.
Especially today, in the world of social distancing, optimizing your job search is incredibly important. Regardless of your discipline, social media is going to play a key role in finding new work.
We’ll look at a few basic steps involved with maximizing your exposure on LinkedIn.
Before embarking on your LinkedIn journey, it is good to understand how other people — read this, “how recruiters and hiring managers!” — find their candidates on LinkedIn. If you understand the search strategy, you’ll better understand how to leverage that opportunity in your favor.
LinkedIn is a Searchable database
Detective
LinkedIn is a search platform with half a billion resumes. Your goal is going to be to stand out in those searches.
Case study: Searching for an accountant
Let’s consider you are a hiring manager. Say that you are searching for someone with a certain skill set, for example someone with (1) experience in accounting. You wind up with 150 million candidates. Of course this is just too many people. So it is time to refine those requests.
To further refine the search, say the business is focused on (2) ultra-high-net-worth estate planning where many clients have (3) foreign interests and some clients wind up (4) wanting to research their heirs before establishing their trusts. Now our search includes “accounting”, “estate planning”, “international”, and “forensic”. Now we’ve refined our 150 million candidate profile into something a little more manageable.
Keeping up on refining our candidate pool, we know this is an advanced level position, and we are going to provide an aggressive relocation package. But because of antitrust issues, we can only hire domestic employees. We therefore limit the search only to our own country.
Case study: Flip the script!
Now flip the script. Say you are that forensic accountant with international estate planning experience. Make sure to include all of these key words in your profile. In this way you will be more likely to show up in recruiter searches!
2. Get created!
Creating your LinkedIn profile is easy, but there are quite a few options and many ways to do this imperfectly.
Create yourself!
Be careful about the personal information that you put on LinkedIn. Each piece of you can help create an opportunity for identity theft. Remember, this is a social media platform, and it is open to the internet. Consider whatever you put on LinkedIn is available to the world — and forever. For example, my recommendation is to not put your personal home address on LinkedIn anywhere. Once it is up there, it is up there forever. Wonderful people use the Internet. But remember, there are also not so good people. Even people you’d rather not have contact with will have contact with you. Just be careful out there.
Computer security starts with you
Let’s start with these areas on your LinkedIn profile.
Picture
They say a picture is worth a thousand words, so start your profile with a great picture. A headshot is perfect in most situations. If you have a particular industry where something other than a headshot is beneficial, consider your options. For example if you are a race car driver, you might want a race car in the image. If you are a model or in an industry where multiple photographs are important then have a separate web site with additional photos.
Headline
You have 120 characters to entice a reader to read more about you, make it count!
Summary
You have 2000 characters to tell your story. Be sure to explain who you are. Be vibrant, and be honest!
Experience
Include relevant experience, both paid and unpaid engagements.
Education
List your education. If you’ve completed high school, list that as an accomplishment. If you have an advanced degree, list that as well.
Awards
List awards. Make your profile stand out!
3. Get connected!
Get connected!
LinkedIn is all about being connected, and being an influencer. Wherever you can get connected to others, do so.
LinkedIn emails are only free for connected individuals. If you are directly connected, then you can email. If you are not directly connected, then you cannot email to that person.
LinkedIn Open Networker
LinkedIn Open Networkers, sometimes known as LION, are a special animal who seek to get to know people where their first connection is through an online social media platform. You may never meet them in person, but you can get to know them by their posts, and they will equally know you by your posts.
LinkedIn used to frown on LIONs. At the time, you were only supposed to connect with people you knew in person. Of course, this becomes quite difficult at times. LinkedIn has relaxed the rules on “open networking”. Take advantage of the opportunity!
Connect with groups
Find groups that represent what you do and where you see your career going.
When you search for groups you’ll be able to see “how many” people are in each particular group. Connecting with low member groups isn’t going to hurt, but connecting with highly-active, high-member-count groups is definitely beneficial.
Are you part of the intelligence community? Join highly popular intelligence community groups. Are you looking for a marine career? Join highly popular marine groups. As you start looking for groups you’ll better understand which groups make sense and which just don’t.
Connect with individuals
Individual connections are the LinkedIn cornerstone. Connect with those you know, connect with those who respond back to your content, connect wherever is reasonable.
5. Get creative!
Paper
Finally, like all great endeavors on the Internet, LinkedIn circles around content. Create great content!
Post the content to your blog. Post the content to your page. Post the content to your groups.
6. Concluding remarks
LinkedIn is a special kind of social media platform. The platform is used by companies, by hiring managers, by specialists looking for gig opportunities, and by candidates looking for work. It isn’t a Facebook, and unless your job is specifically related to politics, religion, or animals; that type of content shouldn’t be there.
Here’s the key takeaways. 1. Create an account. 2. Get connected. 3. Post content. Most of all, have fun!
If you tell all your friends about that great five or six character domain name, and they tell their friend, and they tell their friends before you actually register it? Right. Someone else might just register it before you can.
But it is worse. It has been my experience that searching for a domain name on the internet, looking at various whois registries, asking if a domain is available to your favorite domain registrar, that someone somehow intercepts the information and poof, registers the domain before you do! Then they’ll gladly sell you the front run domain at their price. This practice is known as Domain Name Front Running, it is a real thing, and Network Solutions even admitted to the practice.
The places to go for domain search
So where is it safe to search? In my experience, I use two different engines, and avoid everything else.
Don’t work with red hot dealers! They may be front running you!
GoDaddy? In my opinion just say no
My experience, and this is just one of my experiences. At one point in my history of life, I used to use Go Daddy as my domain registrar. I was looking for a new domain name, so I of course went to Go Daddy to do the searching. I entered hundreds of different names, most of which were already taken. But there were a few great short domains that I came up with! I was excited! I decided to sleep on it. A couple of days later, the domains were registered by someone else, of course the domains were using private registration, and the domains were parked on Go Daddy “This domain is for sale” pages.
I of course cannot confirm that Go Daddy systemically takes potentially popular domains from the sea of domains for which their customers search, and it is completely possible that the domains were just cool names that someone else also thought about at the same time I thought about them. It is also possible that a disgruntled Go Daddy employee decided to search for the search terms their customers were using and decided to steal the domain — not really stealing, maybe more being opportunistic, but it sure felt like a stealing at the time.
Note that Go Daddy claims they are not involved with front running here, and here, and here, and I am not accusing anyone of front running, not even Go Daddy. I just know I had a bad experience with front running, and it is reasonably easy to avoid being front run.
The Coronavirus quarantining and social distancing has resulted in tight quarters. More of us have combined working and living in the same physical spaces now, working remotely or working in other unusual spaces. There is not the same “clean separation” between Work and Personal space where you leave your home and drive to your work. However, separating your “Work Identity” and “Personal Identity” remains very important, both for your protection and for the security of your company.
LinkedIn is a personal social media site. Use your personal email address for personal sites
When you create online accounts, consider whether the account is something that you wish to retain if you separate from your company, or whether the company needs to retain the account information. Also consider whether you want your company to monitor everything about the account.
For example, a B2B supplier would likely be a “Work Identity” account. For those accounts, use your Business email.
On the other hand, a LinkedIn account, Facebook account, or account at your child’s school are “Personal Identity”. For those accounts, use your Personal email.
Take away
Personal identity and Work identity need to remain separated, for both your personal security and the security of your company. Only use your Work email address when representing the company and when necessary for company business. Use your Personal email address for your personal online identity.
In today’s world of privacy, with regulations surrounding PHI/HIPAA, PCI, and SOX, you may be surprised to know that your company is required to keep records of your using their computers — everything you do on their computers. For example, your company likely monitors and records Internet access from any of their computers when you are shopping online, when you are browsing for training videos or research articles, when you are accessing personal Gmail or Yahoo accounts, and even when you are accessing your child’s school website or sending what you believed to be “personal” notes to family and friends.
Okay, so what? You are thinking, you aren’t doing anything “wrong”, so what, who cares, you are only using the computer during lunch or after the end of the day. You might think that, but you really should rethink that. Sure, those records are available to management, and you don’t care.
Stalker much?
But here’s the issue. Your records are also available to lawyers and the courts during discovery (going through a divorce?), your records are available to hackers who breach your company’s assets, and most nefariously your very personal records are also available to rogue coworkers who want to “know more about you”. Stalker much?
How can you keep private matters private? Here are a few “privacy safe” ideas!
Personal contact information
Use personal contact information for personal business. Do not use your employer’s email account. Use your personal email, your personal cell phone, and your personal physical mail address. When in doubt? Use your personal contact information.
Personal internet
When you need to access the internet or your emails, use your personal cell phone or wait until you can get to your home computer instead of using your employer’s computers.
Personal devices
Integrating your cell phone with your business? Be careful! Many times, your company has the ability to “observe” your personal data on your personal phone. Why? To catch what is called “data loss”, such as when an employee inadvertently downloads sensitive information to their phone. How to avoid this snafu? Just use a second phone. Simply, either (1) add a phone to your existing cell phone account, or (2) use an old phone and attach via WiFi hotspot to your primary phone. Best advice is to keep business and personal information separated.
Do you remember when domain names were free? Then you had a domain before I did! Yes, they were free before 1995.
Do you remember paying more than $100 for two years of domain name registration, and self hosting the sites on your own servers? Then you’ve been in the domain business as long as I have, since the late 1990s. And over the course of twenty years, you have likely wound up using many different hosting companies. If you recall, in the late 1990s and early 2000s, it was most common to host your own websites on your own servers on your own DSL line or some other self hosting configuration.
Nowadays I’m a big proponent of cloud services. Find yourself a good “As a service” vendor, and host there. And yes, sometimes it is finding a “good enough” hosting vendor.
My last vendor of many years went out of business, so I was left with a dozen personal sites that I run — and no host. Out went proposals, and came up on top of my list.
This article last updated after a year of hosting with InMotion.
1. In the beginning
Establishing an account with InMotion went very smoothly. Sales set everything up perfectly. The documentation provided is extensive, and support is available 24×7 via chat and phone.
However, there were technical issues with establishing the package. The first day, I was informed that there was a database platform problem that would not be resolved until the next day. Okay, these things happen. So I waited 24 hours and started again.
Then there were problems with AutoSSL. At the time of setup, InMotion was using Comodo. Truly, in the day of free SSL through LetsEncrypt, I was surprised to see Comodo. Accounts with InMotion are set up to auto renew SSL though, so it really doesn’t matter to the end user.
But the problems persisted. For four days.
While the help desk is available 24×7, it was difficult to get anyone to do anything other than change passwords and tell me to “wait 24 hours”. Finally, through the course of so many chat sessions it felt like I was social engineering myself into a solution, I wound up with someone who was actually able to fix the problem. According to the representative, there was a queuing problem on InMotion’s cPanel configuration that was affecting all users, including his own accounts. He explained that earlier in the week there was a cPanel update on their servers that appears to not have gone smoothly.
2. Since the beginning
Since that first week, InMotion services have been working smoothly but erratically. Uptimes have not been great. Seven day average for one WordPress domain was 90%, with 30 day uptime around 97%.
Example Uptimerobot monitor
To put “uptime” in perspective:
There are 168 hours in a week. Uptime at 90% is 16 hours DOWN in one week. That is two full 8 hour working days down in a five day work week, or of course it might have been three hours each night for five days when no one was accessing the site, but when dealing with uptime one should consider worst case scenarios.
There are 720 hours in 30 days. Uptime at 97% is 21 hours DOWN in 30 days. That is three full 8 hour working days down in a 20 day working month.
Here’s a stat clip:
A demonstrated instance of more than 14 hour downtime
To note, these are WordPress sites, and the test is against having a text artifact on the WordPress site completely load. In creating a monitor that loads a simple text file, the uptime response was much higher (not 100%), but testing a single file load doesn’t help identify “site uptime” when the site is hosted in WordPress. Think of it this way: If the first few bytes of your WordPress site load fine, but the WordPress engine itself cannot render your site because of server constraints, then your users and customers still cannot interact with your site.
3. Logging in
In my opinion, logging in and managing sites was made more difficult than necessary.
Login to management site
Logging into the main site (or Management Site) Login page works as one expects. Go to and click Login.
Login to cpanel site
To login to a cpanel, go to https://yoursite/cpanel
But of course this requires yoursite to already resolve in DNS.
4. Speed and responsiveness
Websites seem to have periodic issues with speed tests. Going to the inmotionhosting main web site is always very fast, but the hosted sites are not necessarily fast. Let’s take a look.
Duplicator backups
Resource constraints seem to be a common occurrence. For example, I use (and recommend) Duplicator for backups. However, the sites under test on inmotionhosting aren’t easily backed up with Duplicator.
Pagespeed insights
Google’s Pagespeed Insights (PSI) is an invaluable tool for identifying poorly performing sites. Why Pagespeed Insights? Because Google is going to judge you on the speeds they experience!
Here are a couple of clips of this page with PSI
Adding gzip compression in .htaccess did not materially change PSI.
A common error message obtained was a server response timeout in Lighthouse. Trying the test several times eventually bypassed the problem.
Email
I have not tested email capabilities. Since the uptime was not near 100%, I chose to not configure inbound email capabilities on the sties. Instead, the domain registrar (Google Domains) allows configuring the MX records to manage emails directly and independently of the web host. I also do not use inmotion for outbound emails. Instead I use a relay where I can add monitoring capabilities to my emails.
Remember, emails are important, and important emails are more important. You need as close to 100% email capability, regardless of whether your web site is alive. If your web host goes down, you want to continue to send and receive emails!
Security
I’ve experienced no security issues with inmotion hosting.
Two factor is limited to specific carrieres for SMS and to Google Authenticator. No other 2FA is available. This is a limitation, especially in the current security world, since there are many authenticator apps available. If you are using one particular authenticator app that happens to not be Google Authenticator, you are forced to use Google just for this one company.
5. Concluding thoughts
I used the InMotion Hosting service for about two years.
There were some technical issues in configuring the account, but everyone was professional — including the help desk fellow who kept trying to get me to call back to someone else. Okay, maybe that one was not quite as professional as the rest! 🙂 . Eventually the services were created (about a week), and I’ve been running on those servers since then.
Speed and resource constraints were common. Had to identify different methods to perform backups, for example.
Uptime was poor. The InMotion engineers contacted claimed 100% “server” uptime, while running WordPress resulted in poor uptime results. If you are using WordPress, be aware of this limitation.
” Florida gas pump thefts rise as credit-card skimmers get more savvy ” [Orlando Sentinel]
” Men from Florida charged with using stolen credit card numbers ” [WHNT]
Seems every day there are new reports of payment and credit card theft. Lest one consider these news reports as overhyped, read the statistics: In 2016 alone, fraud losses topped $16 Million. Nearly 50% of us in North America have been a victim of payment card fraud. Of those who have been defrauded nearly 2/3rds lost money in the process. That means, if you have not experienced payment card fraud, statistics say your neighbor has.
This paper will explore payment card theft techniques, then make a case on how to protect yourself from payment card theft, and finally provide a few interesting statistics and quotes related to payment cards.
In order to understand how to protect yourself from payment card theft, first consider a few ways card information is compromised.
Data breaches
Pixabay – Data breaches are never as beautiful as this humpback whale breaching
The most newsworthy payment card theft is data breaches, with retailers such as Target, Home Depot, Whole Foods, Delta, and Best Buy being recent targets where their customers were the victims.
Skimming/shimming
Skimming
A less impactful but equally common situation is payment card skimming/shimming. In this malevolent technique, the bad actor places a secondary reader over the existing point of sale terminal that captures individual (per transaction) payment card track information and uses that information to replicate the cards.
Online interception
A similar “skimming” technique happens with online merchants, where a bad actor intercepts credit card information in transit to the merchant.
Physical interception
Physical interception of the card itself is another technique. In this process, the bad actor steals the payment card information during the point of sale transaction, such as a cashier or restaurant worker making a copy of the card information before returning it to the owner.
2. How to avoid being a victim
Now that you know some of the basic methods of payment card theft, let’s consider how to avoid being a victim. Here are a few ideas:
Real time alerts
Pixabay – real time alerts
Add real time alerts on cards and bank accounts! While this will not prevent the “very first” transaction, you will quickly know someone is using your payment cards. If unexpected transactions come through, quickly call your credit card company.
Reconcile payment card bills
Check your transactions! Reconcile your transactions weekly or monthly, so you know the charges against your accounts.
Use credit cards
Use credit cards if possible! Avoid using debit cards for retail and online transactions. Be sure to understand your liabilities in either case. With most credit cards, the consumer is not liable for fraudulent activity if the issuer is notified quickly. With debit cards, fraudulent activity loss is normally capped at no more than $50 if the issuer is notified quickly. However, if a thief controls a debit card attached to your checking account, your funds could be (at least temporarily) depleted. The problem is that while the bank is likely to replenish the losses, if you need that money to clear checks before being restored, you may wind up overdrawn or having checked returned with non-sufficient funds (known as NSF). The bank may reimburse their own overdrawn fees, but the merchants you have paid may not be as forgiving.
Be alert!
Most of all be alert! Look for skimmers at point of sale transactions, and look for HTTPS leading the web address with online transactions. In general, look for signs of trouble. Use higher traffic machines if possible, since more people will have had the opportunity of identifying “not so right” situations. If you have nagging questions about a physical machine or an online merchant, “just say no” and find a different merchant. Remember, security starts with you.
3. Did you know?
Only 10% of the words currency is physical money. The rest exists on computers!
Electronic payment company ACI Worldwide estimates that 46% of Americans have had their card information compromised at some point in the past 5 years.
The U.S. adopted EMV in 2015, a technology that makes counterfeiting cards more difficult. While EMV helps with reducing in-store fraud, it does not help online fraud. In addition, with the difficulty in counterfeiting cards, fraudsters now target new accounts (as opposed to existing accounts). By the end of 2015, there was a 113% increase in new account fraud, which accounted for 20% of all fraud losses.
In 65% of fraud cases, credit card fraud results in a direct or indirect financial loss for the victim.
Florida tops the list of Federal Trade Commission fraud reports, with over 300,000 fraud complaints filed in 2015 alone.
Credit card fraud losses topped $24.71 billion in 2016 according to The Nilson Report, a 12% increase over the previous year.
There is a new identity theft victim every two seconds according to a report from Javelin Strategy, and many of the incidents involve credit cards.
Almost half of the world’s credit card fraud (47%) happens here in the United States according to a report from Barclays.
Ready to show off a new domain? Want to use a “personalized” domain for a new customer, but don’t wish to buy the domain until the customer actually engages you with a contract? Sometimes having a free domain is of benefit.
I’ve updated this article quite a bit from how it looked at the start. Before? I recommended free second level domains like those found with *.tk (such as “marksatterfield.tk). Today? My attitude is much different. My experiences with *.tk helped to solidify my new recommendation: Just Say No!
The problem with free domain registrars is that you are likely not the owner of the domain. If the company goes out of business, your url likely disappears with the company.
What are your options? One option is to buy a domain for each of your tests. This can get quite expensive.
Other options? One other option is that you buy a single second level domain (for example, marksatterfield.com), and then host subdomains such as “salestemplate.marksatterfield.com” and “wootemplate.marksatterfield.com”. In this way, you wind up owning the primary domain, and controlling the subdomains as well. Need a temporary one for the new pizza store around the corner? Show it off on “joespizza.marksatterfield.com”.
Not recommended: Freenom
Freenom is the registrar for a number of free sites, including those associated with the TLD .tk, registering through dot(.)tk.
Snip of a portion of dot tk’s welcome page used for educational purposes
I thought dot(.)tk was a great resource in the past. However, it seemed as though my domains would be randomly deleted. When trying to re-register I’d receive what appears to be the now infamous
At this moment we are unable to register any domains or other services in this account. Please contact support for more information. Error code 0x08823.
Through searching for options, I found any number of people who have also had problems with Freenom. According to many reviews, it seems that Freenom grabs back their domains (you don’t own them after all) when the site starts receiving a certain number of hits per month. Going back to Freenom, you have the option of buying the site back … or, well, hitting the road. Kind of felt a bit like front running .
You can google search for other comments on Freenom. Please note that these are based on my experiences. Your experiences may differ.
Not recommended: Site builders free URL
Any number of “free website builders” are available. But almost every one of them lock you into a proprietary web experience.
In my experience, I recommend building your site with WordPress or other transferable site builder. Being “stuck” in a proprietary system is no fun.
Conclusion
My recommendation is to buy a “testing” domain like “mytestcompany.com”, and placing all of our test companies as subdomains to that, like “joespizza.mytestcompany.com”. You’ll pay less than $20/year for the domain mytestcompany, and you’ll be left owning that domain.
Computer security incidents happen. Why? Because computer defense is reactive. Regardless of the expansive and proactive nature of any particular defensive team, the Computer Network Defense (CND) job must include Computer Security Incident Response.
A properly running CND team includes a Red Team subgroup of Attack and Exploitation experts. The Red Team actively looks for vulnerabilities in your network. However, that subgroup is dwarfed by the number of active attackers in the world.
So what should a CND team do? The team should prepare for incident handling and response. As it turns out, when it comes to incident handling and response, prior planning provides utmost performance.
In the beginning was ARPA. And the Internet was with ARPA. And the Internet was ARPA.
History of the Internet
The Advanced Research Projects Agency (ARPA, later known as DARPA) network was established in 1969. ARPANET was developed with guaranteed delivery, high availability, multi connection, and multi path in mind. ARPANET was the precursor of what we now know as the Internet.
Internet expansion to universities
In the early and mid 1980s, NSF (the National Science Foundation) established a network of supercomputers at colleges and universities around the United States. NSFNET brought DARPANET to a more general and wide reaching audience, expanding the usefulness of the connected network to sharing tens of thousands of very high cost computer assets.
Robert Morris worm
In 1988, a young Cornell student named Robert Morris created an application intended to search the interconnected network for all computer assets, and report back what it could find out about each of the end nodes. The intent was to gauge the size of the “internet” by replicating the application to each of a particular computer’s peers using a sequence of weak passwords and services available universally known at the time. The application then called back to a central server to identify “node alive” status.
Pixabay nasty computer worm!
Unfortunately, Morris poorly crafted his application. Instead of replicating on peers forward, the application replicated on every peer of every site repeatedly. That is, if two peers were available to a particular node, each of those nodes would be infected by the originating source. What happened instead was that the targets infected their peers, and also reinfected the source node. Eventually every interconnected node reinfected to full saturation and was no longer able to respond resulting in a Denial of Service.
Even worse, when a network engineer or systems administrator rebooted the machine to regain access, the nearby computers would quickly reinfect the machine. Recovery was not a simple task, and the Internet came to a screaming halt.
Morris made international history by this simple coding mistake. The infectious application became known as the Morris Worm.
Computer Emergency Response Team
At the time, DARPA and the Defense Department were positioning the Internet to provide a guaranteed delivery, always available information network. The Morris Worm realize the vulnerability of the Internet, and DARPA’s response was to create the Computer Emergency Response Team (now known as CERT[tm]) hosted under the Software Engineering Institute (SEI) at Carnegie Mellon University. The charter for CERT was to be a coordination center for computer network operations defenders in the United States and around the world.
2. NIST incident handling guide
NIST’s Computer Security Incident Handling Guide (NIST Special Publication 800-61r2) is an excellent source of how to organize and design a Computer Security Incident Response Capability. Realize, it will take some time to digest the entire document. You’ll have to forget some ideas you’ve likely held on to, and learn new techniques that have been proven in the art of incident response.
But why would you want to rewicker your incident handling policies, plans, and procedures? This is a costly endeavor, no? Well, yes, it is. But it is going to help your organization prepare for incident response, will help in the process of incident response and recovery, and may even help in preventing an incident in the first place.
If your management is resistant to reviewing the policies, plans, and procedures in place, you might want to help them reconsider their position. If you happen to work in an industry or at a company who is responsible to external validation, or maintaining information that requires response to incidents (read this: just about everyone, including those who handle SOX, PHI, PII, PCI, and nearly any other data), you might want to make sure your policies, plans, and procedures follow NIST or some other industry accepted guidance platform, even if not strictly required. When you are breached (and it is a when, not an if), your adherence to NIST or other standard is likely to go a very long way in reducing your fines.
3. Reviewing the NIST guide
The NIST Computer Security Incident Handling Guide SP800-61r2 is a comprehensive industry accepted incident handling guide. The following sections take abstracted quotes from the NIST guide.
Executive summary
Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incidentrelated data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
Establishing an incident response capability should include the following actions:
Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security (DHS).
Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications
Organizations should document their guidelines for interactions with other organizations regarding incidents
Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors
External/Removable Media: An attack executed from removable media (e.g., flash drive, CD) or a peripheral device.
Attrition: An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
Web: An attack executed from a website or web-based application.
Email: An attack executed via an email message or attachment.
Improper Usage: Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories.
Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
Other: An attack that does not fit into any of the other categories.
Organizations should emphasize the importance of incident detection and analysis throughout the organization
Organizations should create written guidelines for prioritizing incidents
Organizations should use the lessons learned process to gain value from incidents
Chapter 1: Introduction
This document has been created for computer security incident response teams (CSIRTs), system and network administrators, security staff, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and others who are responsible for preparing for, or responding to, security incidents.
1.1 Authority
1.2 Purpose and Scope
1.3 Audience
1.4 Document Structure
Chapter 2: Organizing a Computer Security Incident Response Capability
Organizing an effective computer security incident response capability (CSIRC) involves several major decisions and actions. One of the first considerations should be to create an organization-specific definition of the term “incident” so that the scope of the term is clear. The organization should decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams. Incident response plan, policy, and procedure creation is an important part of establishing a team, so that incident response is performed effectively, efficiently, and consistently, and so that the team is empowered to do what needs to be done. The plan, policies, and procedures should reflect the team’s interactions with other teams within the organization as well as with outside parties, such as law enforcement, the media, and other incident response organizations. This section provides not only guidelines that should be helpful to organizations that are establishing incident response capabilities, but also advice on maintaining and enhancing existing capabilities.
2.1 Events and Incidents
2.2 Need for Incident Response
2.3 Incident Response Policy, Plan, and Procedure Creation
2.4 Incident Response Team Structure
2.5 Incident Response Team Services
2.6 Recommendations
Chapter 3: Handling an Incident
The incident response process has several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after controls are implemented. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident. After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents. This section describes the major phases of the incident response process—preparation, detection and analysis, containment, eradication and recovery, and post-incident activity—in detail. Figure 3-1 illustrates the incident response life cycle.
3.1 Preparation
3.2 Detection and Analysis
3.3 Containment, Eradication, and Recovery
3.4 Post-Incident Activity
3.5 Incident Handling Checklist
Chapter 4: Coordination and Information Sharing
The nature of contemporary threats and attacks makes it more important than ever for organizations to work together during incident response. Organizations should ensure that they effectively coordinate portions of their incident response activities with appropriate partners. The most important aspect of incident response coordination is information sharing, where different organizations share threat, attack, and vulnerability information with each other so that each organization’s knowledge benefits the other. Incident information sharing is frequently mutually beneficial because the same threats and attacks often affect multiple organizations simultaneously.
As mentioned in Section 2, coordinating and sharing information with partner organizations can strengthen the organization’s ability to effectively respond to IT incidents. For example, if an organization identifies some behavior on its network that seems suspicious and sends information about the event to a set of trusted partners, someone else in that network may have already seen similar behavior and be able to respond with additional details about the suspicious activity, including signatures, other indicators to look for, or suggested remediation actions. Collaboration with the trusted partner can enable an organization to respond to the incident more quickly and efficiently than an organization operating in isolation.
This increase in efficiency for standard incident response techniques is not the only incentive for crossorganization coordination and information sharing. Another incentive for information sharing is the ability to respond to incidents using techniques that may not be available to a single organization, especially if that organization is small to medium size. For example, a small organization that identifies a particularly complex instance of malware on its network may not have the in-house resources to fully analyze the malware and determine its effect on the system. In this case, the organization may be able to leverage a trusted information sharing network to effectively outsource the analysis of this malware to third party resources that have the adequate technical capabilities to perform the malware analysis.
This section of the document highlights coordination and information sharing. Section 4.1 presents an overview of incident response coordination and focuses on the need for cross-organization coordination to supplement organization incident response processes. Section 4.2 discusses techniques for information sharing across organizations, and Section 4.3 examines how to restrict what information is shared or not shared with other organizations.
4.1 Coordination
4.2 Information Sharing Techniques
4.3 Granular Information Sharing
4.4 Recommendations
Appendix A: Incident Handling Scenarios
Incident handling scenarios provide an inexpensive and effective way to build incident response skills and identify potential issues with incident response processes. The incident response team or team members are presented with a scenario and a list of related questions. The team then discusses each question and determines the most likely answer. The goal is to determine what the team would really do and to compare that with policies, procedures, and generally recommended practices to identify discrepancies or deficiencies. For example, the answer to one question may indicate that the response would be delayed because the team lacks a piece of software or because another team does not provide off-hours support.
The questions listed below are applicable to almost any scenario. Each question is followed by a reference to the related section(s) of the document. After the questions are scenarios, each of which is followed by additional incident-specific questions. Organizations are strongly encouraged to adapt these questions and scenarios for use in their own incident response exercises.
A.1 Scenario Questions
A.2 Scenarios
Appendix B: Incident-Related Data Elements
Organizations should identify a standard set of incident-related data elements to be collected for each incident. This effort will not only facilitate more effective and consistent incident handling, but also assist the organization in meeting applicable incident reporting requirements. The organization should designate a set of basic elements (e.g., incident reporter’s name, phone number, and location) to be collected when the incident is reported and an additional set of elements to be collected by the incident handlers during their response. The two sets of elements would be the basis for the incident reporting database, previously discussed in Section 3.2.5. The lists below provide suggestions of what information to collect for incidents and are not intended to be comprehensive. Each organization should create its own list of elements based on several factors, including its incident response team model and structure and its definition of the term “incident.”
B.1 Basic Data Elements
B.2 Incident Handler Data Elements
Appendix G: Crisis Handling Steps
This is a list of the major steps that should be performed when a technical professional believes that a serious incident has occurred and the organization does not have an incident response capability available. This serves as a basic reference of what to do for someone who is faced with a crisis and does not have time to read through this entire document.
1. Document everything. This effort includes every action that is performed, every piece of evidence, and every conversation with users, system owners, and others regarding the incident.
2. Find a coworker who can provide assistance. Handling the incident will be much easier if two or more people work together. For example, one person can perform actions while the other documents them.
3. Analyze the evidence to confirm that an incident has occurred. Perform additional research as necessary (e.g., Internet search engines, software documentation) to better understand the evidence. Reach out to other technical professionals within the organization for additional help.
4. Notify the appropriate people within the organization. This should include the chief information officer (CIO), the head of information security, and the local security manager. Use discretion when discussing details of an incident with others; tell only the people who need to know and use communication mechanisms that are reasonably secure. (If the attacker has compromised email services, do not send emails about the incident.)
5. Notify US-CERT and/or other external organizations for assistance in dealing with the incident.
6. Stop the incident if it is still in progress. The most common way to do this is to disconnect affected systems from the network. In some cases, firewall and router configurations may need to be modified to stop network traffic that is part of an incident, such as a denial of service (DoS) attack.
7. Preserve evidence from the incident. Make backups (preferably disk image backups, not file system backups) of affected systems. Make copies of log files that contain evidence related to the incident.
8. Wipe out all effects of the incident. This effort includes malware infections, inappropriate materials (e.g., pirated software), Trojan horse files, and any other changes made to systems by incidents. If a system has been fully compromised, rebuild it from scratch or restore it from a known good backup.
9. Identify and mitigate all vulnerabilities that were exploited. The incident may have occurred by taking advantage of vulnerabilities in operating systems or applications. It is critical to identify such vulnerabilities and eliminate or otherwise mitigate them so that the incident does not recur.
10. Confirm that operations have been restored to normal. Make sure that data, applications, and other services affected by the incident have been returned to normal operations.
11. Create a final report. This report should detail the incident handling process. It also should provide an executive summary of what happened and how a formal incident response capability would have helped to handle the situation, mitigate the risk, and limit the damage more quickly
No matter where you live, you’ve probably heard about the many breaches of data that have occurred over the last few years. It is even worse than what you read: identity theft is on the rise. Just to name a few (and no, I’m not singling out any particular companies):
Let me ask an honest question. Would you rather be doing business with “bobrx153@hotmail.com” or “bob@randolf.com” ? Which one looks more professional? Which one looks more trustworthy?
The term Artificial Intelligence (or AI) was coined in the mid 1950s. AI technology was heavily funded by the Department of Defense for many years. Unfortunately, the practitioners at the time were overly optimistic and failed to overcome some of the difficulties that they faced. By the mid 1970s, funding was largely cut in favor of more promising projects.
This article explores basic business planning ideas that you should keep in mind as you are starting or continuing your business. It is intended to provoke deeper thoughts for you and your executive team. From business continuity, to free coffee and free WiFi, we’ll look into ideas that are important to businesses… and to customers.
Cloud service providers are in the news every day. Whether it be that Disney or the NFL is “moving to the cloud”, or that a vendor is forcing Cloud adoption with their offerings, Cloud is newsworthy. And for providers, whether it be Microsoft’s Office365, Amazon Web Services (AWS), or a vertical market solution, Cloud Computing is here to stay.
But the first step to adoption is getting rid of the “fear factor” associated with change. And we all understand, cloud computing is a gigantic change. Cloud is changing the boardroom cost and revenue profiles, it is changing the management staffing profiles, and it is changing the individual contributor’s job profile. Just like every industrial change, Cloud requires a changed mindset. And this article is intended to help reduce those fears!
Think cloud!
This article focuses on understanding how “as a service” can help your business. First, we’ll define the continuum of primary “as a service” technologies. Next, we’ll explore some of the many cloud computing advantages and disadvantages – for there are many! Finally, we’ll apply Cloud Computing architecture and describe how real, live businesses use “the cloud”.
Content Filtering companies have gained quite a bit of traction in the Computer Network Defense (CND) industry. The goal of content filtering is to attempt to stem the carnage that malicious sites can wreak on unsuspecting individuals and companies by blocking access to malware and other forms of ransomware.
The filtering engines work by way of proxying requests between the end user and the destination site. They are performing a “man in the middle” attack between the user and the destination by a number of different ways such as DNS cache poisoning (Cisco’s Umbrella), and content interception (Symantec’s Bluecoat). Filtering engines use a combination of human control and machine learning to differentiate safe sites from malicious sites. Even more than static understanding of sites, filtering engines can identify when a safe site is hijacked and will block traffic when that known safe site is compromised.
Identifying safe sites is not precise nor exact — the task is all a best effort. The beginning of the best effort is listing your site in the filtering engines. If you don’t have your site listed as “safe” by the content filter company, you will likely be blocked!
“You don’t know me, but I know your password. Let me get right to the point. I have access to your computer. I recorded you through your camera. You can pay me in bitcoin and I will disappear. If you don’t pay me I will send the video to everyone on your distribution list.”
Popular online scam
Have you ever received a threatening email by an unknown assailant who claims they have access to your accounts and have collected damaging information about you? Well sure, the email might be just a scare email with no real “meat” to it, or… it could be a bit more insidious. How can you know for sure whether this hacker really has control of your computer, or really recorded a video of you?
So you’ve looked at your local phone bill and it was… oh my, I’m paying that much for a simple landline phone number? This doesn’t seem right! How can I be paying $40 a month for a landline phone (base price around $15/month, plus “options” price like call waiting around $20/month, plus taxes around 22%, plus plus plus)?
Business Continuity Planning (BCP) is the pre-planning effort put in to make sure your business continues to operate even during adverse situations. BCP is the work put in before those imperfect days, in order to smoothly transition between “normal” operations and “backup” operations.
A backhoe digs through the internet cables, the electricity goes out, a computer stops working, the delivery truck is involved in an accident. In all of these situations, what is the backup plan?
A car accident can wreck your business (photo courtesy Pixabay)(more…)
Risk management is an essential skill for any business professional. Whether it be having a second screwdriver available on the job in case one is lost or broken, or it be having Errors and Omissions or liability insurance, we are constantly evaluating risks and the costs associated with managing those risks.
In this paper we are going to focus on understanding risk management. If you better understand that you have options when it comes to risks, you may be more comfortable with the risk brainstorming cycle.
Risks are often complex. In an effort to disassemble or distill the risks, we’ll break them apart into two different underlying components. Each of the components of a risk are normally managed separately. In this case, we’ll be working with the likeliness of a risk actually happening, and the impact of that risk against our organization. Risks can then be more easily visualized on a basic X-Y graph.
a. Likeliness or probability
Controlling the risk is actually two exercises in one. The first is to control the likeliness of a risk, that is, reduce the likeliness that the risk will occur. For example, say our software shop has been hired to create a feature rich point of sale system. We may mitigate the risk of not meeting the customer’s feature list by increasing the schedule or by adding additional engineers to the staff. An option to reduce the likeliness of not meeting the customer’s expectation is to use a spiral, agile, or incremental release schedule in lieu of a waterfall development lifecycle so the customer is able to see early on what they will be receiving in the end. 5 The US DoD categorizes the four options as Avoid, Control, Accept, or Transfer (ACAT).
b. Impact or severity
The second is to control the impact of the risk, that is, reduce the negative impact to your business. Say you are concerned about fire: You can install fire suppression equipment to reduce the impact of the fire. Or consider lighting strikes: You can install lightning rods to reduce the impact on the building and it’s contents from the damaging effects of lightning strikes. You can install redundant or high availability computer equipment to reduce the impact of technology failure that would otherwise negatively affect your business (systems remain operational through a failure).
2. Risk treatment
When it comes to risks, remember to mind the gap! (Photo courtesy Pixabay)
Risks in themselves are not “bad”. In fact, risks can create opportunities – some businesses actually cater to helping people manage their risks, like portable air conditioning services are there to help people in crisis, where their primary air conditioning system has failed.
But risks can be bad, especially if they are not managed correctly. How can we reduce the likelihood or the impact of a risk? There are basically four ways to manage risk,5and a few more we’ll discuss. Makes this pretty simple, no? We’ll look at each of these options in the order that you should be looking at them.
The United States Department of Defense Defense Acquisition University enumerates the risk treatment opportunities ACAT, a mnemonic for Avoid, Control, Accept, or Transfer.
A: Avoid, eliminate, or withdraw from the source of the risk
Avoiding risks is sometimes an option (photo courtesy Pixabay)
First, you can avoid the risk altogether, that is, eliminate them completely. Now that sounds great, right? Avoidance is extreme mitigation! But risk avoidance is likely not practical in most situations. Let’s look at a few situations.
Let’s say you are a software shop. You’d like to add a new function to your software that includes automatic electronic data transfer to a bank. You realize this is a risky function, since it will have regulatory impact. In this case, you can avoid the risk by not implementing the feature. There is a drawback, though, and that is that you may lose sales because the feature is not present. Is this reasonable? Maybe.
Take another example, say you own a hair salon. You realize there is a risk that someone may get cut with a pair of scissors, and in fact the insurance company has identified the hazard and offered a significant discount if you do not use scissors in your practice. Great, to avoid that risk, get rid of all the scissors! But is this reasonable? By avoiding the risk, you are also avoiding any hair cut engagements that require scissors. Sure, you can still do clipper cuts and razor shaves, but you cannot layer hair with scissors. Does this sound reasonable? It may be fine if you are on a military base and only cut men’s hair in a strict military style. It may not be so fine if you also cut hair for the wives of the servicemen.
C: Control, reduce, optimize, or mitigate
Control risks if you can! (Photo courtesy Pixabay)
Second, you can reduce or “control” the risk. Risks are composed of two dimensions. In the case of controlling the risk, you’ll be working to optimize either the likeliness or the impact of the risk.
A part of mitigation is monitoring. Say for example you are a roofing contractor and have a firm fixed price (FFP) contract to replace a roof. Since this is FFP, you are responsible if material costs increase – but there is also an opportunity to make more money if you purchase the goods at a better price. You may decide to monitor the selling price until the kickoff. If the price goes up to some pain threshold and you believe further price increases are coming, you may purchase the goods early. If on the other hand, prices continue to erode, you may wish to continue to monitor until you absolutely need the material.
A: Accept, or retain
Accept the risk (courtesy Pixabay)
If all other options are too costly, too disruptive, or otherwise unacceptable, you can retain, or “accept” the risk. This is kind of like “self insurance”. Accepting a risk is completely viable where the cost of other mitigation options is too costly. Take for example insurance policies that normally do not cover acts of war. If your business is destroyed by an act of war, you are by default self insured, and you have accepted the risk.
Say you are part of a Business Warehouse Cooperative. You realize there is a risk that a hurricane could hit. It is impossible to avoid this risk, since you happen to live on the Gulf Coast. You can mitigate the risk by installing hurricane windows and shutters, and you have off site backups and online cloud computing resources to protect your data. But there is still residual risk, you could lose your building, and you could lose your customers. You look into hurricane insurance and Business Interruption Insurance, and you believe the likeliness of occurrence is less than the cost of insurance. In this case, you self insure, and after all the mitigation, you retain the residual risks associated with a hurricane strike.
T: Transfer to another party
Transferring risks requires an agreement (photo courtesy Pixabay)
Third, you can share, or “transfer” the risk. Transfer of risk is actually quite common. Most of us have car insurance. Car insurance is transferring the financial risk of an accident to a third party.
There are also other forms of insurance. Say you are hiring a small computer and Information Technology shop to do a highly important deployment. You may wish to purchase “key man” insurance to transfer some of the risks associated with hiring this shop, just in case the key man dies during the deployment. Another common form of insurance to transfer or share risks is E&O or Errors and Omissions insurance. This form of professional indemnity insurance or professional liability insurance helps to protect you in defending against negligence claims.
E: Another option: Exploit!
Risks can be opportunities! (Photo courtesy Pixabay)
Exploiting a risk is an interesting idea. If you are a Home Health Agency, and you see a significant risk with HIPAA, you may create a new business focused on helping Home Health Agencies with HIPAA compliance.
3. Conclusions
Risks are a part of everyday life. Every day, we are faced with risks, and managing those risks. Risk management is an essential skill required to effectively running a business.
In this short paper we’ve looked at concrete methods to manage risks. Risk management playbooks are important, and prior planning prevents all sorts of problems. However, remember that risks are ever evolving, and managing risks requires some amount of flexibility in the practitioner.
“This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.”
