Data Center Hub

Internet Data Center and Hosting News and Views

Six steps for implementing an incident recovery plan

Filed under: Jesus Factor — Bill Laakkonen at 6:47 am on Thursday, May 31, 2007

I got a call from one of my customers last Friday; the customer told me that they were without power. There was no storm; in fact the weather was bright and sunny in Florida. It wasn’t even a particularly hot day so there wasn’t a tremendous heat or power load in their office either. Unfortunately however, the power transformer that feeds their building was over 40 years old and it had failed.

This customer happens to be one of my few customers who plan ahead for contingencies. They have a beautiful office on the Caloosahatchee in Fort Myers, Florida. In 1998 their office flooded; as a result of this event, the business owner had their building elevated roughly 8 feet above its previous height. It’s not likely now that it will flood again. In 2004 Fort Myers was affected by Hurricane Wilma, and the office was without power for several days. To mitigate this happening in the future, the customer installed a propane powered generation system complete with an automatic switch, to provide power in the event that mains power fails. Even though many businesses were down after Hurricane Wilma hit Florida in 2006, this customer did not skip a beat. Planning and implementing ahead of time does pay off. Inside their office all the equipment is housed in a rack mount case and utilizes HP/Compaq UPS Systems. While the customer has a server maintenance subscription for their servers and workstations as well as Network Equipment in the office, they have no such service maintenance on the generator system itself. The generator system was initially installed and configured to test itself each Tuesday. At some point in the last few months the testing was occurring yet it was failing each time. Apparently nobody noticed in the office and of course the generator has no way to inform anyone of its failure other than the total lack of power.

It’s important to be prepared; it’s also important to plan in advance how an event may be handled and include scenarios for unlikely situations. You see, in this case I received a call from the customer after the power went out, after the generator had failed, and after the UPS System exhausted its batteries. It is important to shut down complex systems in an orderly fashion rather than simply allowing the power to drain down. Shutting the server down in an orderly fashion allows the cache to be flushed properly and allows the system to be shut down in a known state. Failure to do so may result in data corruption and even hardware failure. Even though the UPS had the ability to shut down the server, it was not connected properly and in this particular situation the shutdown resulted in a hardware failure bringing down the customer’s entire domain requiring several hours of onsite repair. In the future the UPS should be able to shut down the server BEFORE the UPS fails (now that the pesky serial cable is reattached). As bad as it sounds there was no permanent damage, only the inconvenience and expensive weekend service calls. It brings to light the requirement to plan better and the need to have a document on hand which highlights the contacts who may be involved and a course of action corresponding with it.

An incident response plan is more general in nature and broader in scope than a Business Continuation Plan or Disaster Recovery Plan. The plan should cover things such as a network meltdown, lightning strikes, and things such as the broad steps to recover from a security breach.

So here are six steps to take in developing an incident response plan.

  1. Plan for events- security breaches, lack of power, data connection failures, toll free line failures. Try to identify as much as possible what could happen and plan around that possibility.
  2. Identify Responders and Roles. You should choose people for your incident responses before the events occur including backup people (even if they exist outside your employee pool). Look beyond the IT department and include HR and vendors as well.
  3. Create a backup communications plan- perhaps an off-site SharePoint based web site, conference bridge lines, and VOIP systems in case your staff need to work from alternate locations. Don’t forget to create a contact list that includes mobile and home numbers as well as alternate email addresses.
  4. Decide who is in charge of what in advance. Plan ahead to delegate authority for things such as emergency Purchase Orders or Press Releases.
  5. Plan for an alternate work site. Choose a location in advance so that if your regular work location is not available, you and your staff will have a place to work. Make sure you have connectivity, power, and adequate cooling or heating as needed. Consider partnering with a vendor of roughly equal size and setting up a reciprocal arrangement with them. For example you could make a reciprocal agreement with a supplier located 200 miles from your office so that in a time of disaster you can temporarily route calls through or relocate there until normalcy is restored at your regular office.
  6. Test your plan ahead of time; there is nothing worse than finding out you missed an important detail while the incident is occurring. Start your evaluation as a quick discussion of events and scenarios first and later work your way up to a simulation. You also should make sure your plan is kept safe (for example- encrypted) and accessible; keep copies in multiple physical locations where it is ready as needed.

There is always the temptation to ignore planning while everything is running smoothly but don’t do it- a flick of a switch can set you scrambling in ways that might cause you to lose sleep at night. Plan ahead and sleep soundly. Don’t forget as well that over time you will still need to revisit your plans and revise them as needed.
 

  

.bank domains, DNS, and Phishing

Filed under: Hosting, Security — Bill Laakkonen at 10:50 pm on Sunday, May 27, 2007

Mikko Hyppönen of F-secure has suggested that a new top level domain such as .bank or similar would help alleviate problems of phishing attacks against financial institutions.

Unfortunately the suggestion is a solution which does not cure the actual problem: DNS is insecure. This new top level domain has been the subject of much heated debate, and of course much criticism. I believe I have to count myself in on the criticisms side of the debate at the moment. After reviewing some of F-Secure’s rebuttals of the criticisms, here are some issues I have with the suggestion which F-Secure have not yet addressed. Some of the following are quoted from the F-Secure web log and followed with my own comments.

A new top-level domain will not solve the phishing problem once and for all, so it’s not even worth considering.

This is not a silver bullet. A new top-level-domain (TLD) would not be the end of the phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of phishing completely.

    While it is true that some domains are more trustworthy than others (for example, .info domains appear to have the highest level of phishing sites on them), creating a new top-level domain does not actually solve the problem of phishing; it merely creates yet another domain and as such it is dependent upon a weak DNS system. In fact DNS shows up in the list of top 20 Internet Security attack targets for 2006.

This initiative won’t move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.

    Of course the sponsoring organization could officially propose this to ICANN; however, ICANN is not a regulatory agency or governing body. Even though there is presently a .pro domain for doctors and other professionals, creating a .bank domain or another authenticated top level domain does not correct the problem of phishing any more than a new coat of paint will make a house hurricane resistant.

I do believe the suggestion for a new .bank domain is well intentioned and I don’t question the motives of that- however any new solution which doesn’t correct the actual problem it attempts to solve is not a move in the right direction in my opinion. I believe the move of requesting ICANN to expand its authority is one of the main reasons not to ask ICANN to create a .bank TLD. Given the present state of the domain registration business, there’s no way that a .bank top level domain could be sufficiently authenticated given that there will likely be registrars issuing the domain and not ICANN itself. It is not possible for a TLD such as .bank to be run in the same manner as the .gov domain. There’s not a governing body for domain registration yet. Perhaps the banks themselves can create a group and petition for the TLD but this involves investing money on speculation- something most banks are loath to do.

F-Secure linked to Evil, Inc. :-P

Filed under: Uncategorized — Bill Laakkonen at 7:19 pm on Sunday, May 27, 2007

Someone recently asked the staff at F-Secure® why there is an uncanny resemblance between their official logo and the logo used for Evil, Inc. in the Austin Powers movies. F-Secure officially denies any association with Evil, Inc. The resemblance is apparently coincidental.

F-Secure had the same situation with the original name for the company, which was Data Fellows, Inc. Once they opened an office in California however, they were mystified as to why they kept getting phone calls intended for Date-A-Fellow :-) Of course this was also coincidental. The staff at F-Secure have a sense of humor about it though. For what it’s worth, I liked their original name better than their present name.

The true cost to American taxpayers for low skilled immigrant workers

Filed under: Beefs — Bill Laakkonen at 10:39 am on Friday, May 25, 2007

It should seem obvious to most Americans that the cost of low skilled immigrant workers is greater than the benefits offered by having an inexpensive head of lettuce in the grocery store. Having cheap tomatoes for your Taco Bell burrito is also a falsehood. The fact is that having the cheap immigrant labor in the USA is exactly the same as corporate America BORROWING money from your children. As Americans we should simply not tolerate such bad behavior as hiring undocumented workers as it is against the law.

The folks over at heritage.org have written a paper regarding the true costs to American taxpayers of the benefits received by low skilled immigrant workers versus the taxes paid, the long term cost in the form of automatic citizenship for children born to illegal immigrant parents, and the policy of granting automatic citizenship to parents of Instant Americans. You may ask, what is an instant American? In my dictionary an instant American is any child born in the USA whose parents are illegal immigrants. It is a longstanding policy of the USA to automatically grant citizenship to any child born on American soil regardless of the parents’ citizenship. As a consequence of this policy many immigrants are encouraged to enter the United States illegally so they may create an instant American as a path to citizenship. Once they have created their own instant American, this child, at the age of 21, currently has the right to petition for automatic citizenship for his parents thus creating new liabilities to welfare and Social Security. According to the heritage.org report the true cost for each low skilled worker entering America is a net loss of roughly $20,000 each year. Here’s a chart. The figures increase exponentially once the child’s parents reach retirement age. Those cheap tomatoes will cost the average US taxpayer about $40,000 in the future. We need to stop this now.

Many people believe the United States is a democracy. We’re really a democratic Republic. What this means is in a democratic fashion we elect representatives who in theory know better what we need than we do as average citizens. The new immigration bill before Congress at the present time is one of those situations where the representatives believe they know better than we do as average Americans. What they are really doing is simply telling us what we would like to hear while catering to the needs of corporate America at the expense of the American citizenry.

America is a nation of laws; if a person does not follow the rule of law there are consequences in the form of punishment. For example if you attempt to navigate the interstate at speeds in excess of the posted speed limit, you can expect that the law will be enforced and you will be detained and issued a ticket for your violation. Unfortunately, at the Federal level, we seem to have a rather spotty record of enforcing laws in a consistent manner.

It should seem obvious that we have enough laws in place for immigration and that the issue is not actually immigration itself. The issue at hand is the obligation of the Federal government to protect our borders and enforce existing immigration laws. It should also seem obvious that if we cannot keep three million illegal immigrants from entering our country we certainly cannot keep terrorists from entering our country. So what should we do? As Americans we should insist that no new legislation be passed until the existing legislation is enforced in a consistent manner and enforcement of our borders is realized. It is a fundamental function of the Federal government to protect and enforce our borders as this is a job that individual states would not be able to do except within the bounds of their own borders. The failure of the U.S. government to protect our borders in an effective manner clearly indicates our lack of sovereignty. The United States appears to be the welfare agency of the majority of Central and South American countries. While America has always desired to have good relations with our southern neighbors it has reached a point of abuse. This abuse is a condition which the average elected representative does not see on a daily basis. It is certain there are no senators who, upon entering a Burger King and attempting to order a number two meal, have had the person at the register fail to recognize and understand what was said. It’s also certain that no senator has ever asked to speak to the manager of a Burger King restaurant and been told “everybody speaks Spanish, you better get used to it”. I can certainly order a number two meal in Spanish- however I do not live in a Spanish speaking nation. I do not believe that people who are here as guest workers or people who are here to become Americans should force their values and their language upon their host.
The very fact that many of the newest wave of immigrants to the United States are not assimilating is in fact changing the USA into the very third world nation which they seek to escape. The subjugation of English as language of the United States may seem to be merely an annoyance as many of us do speak more than one language- the reason for this illustration is not simply the matter of the annoyance itself, but rather to illustrate the indignant right and expectation of entitlement that our southern neighbors are currently expressing. At some point there may be more Mexicans in America than in Mexico- so perhaps America should consider a course of annexation for the Mexican nation as they fail to enforce their borders as well. One forgets in the course of this discussion that there are two sides to each border. Our neighbors to the north in Canada do not seem to have the same border enforcement issues that our neighbors to the south have.

What can Americans do?

  1. Contact your senator and express your opinion very loudly regarding enforcement of existing laws and protecting our sovereignty -a nation at war which cannot control its borders has lost any conflict whether the conflict exists directly at the borders or not.
  2. Wait for your elected representatives to do the right thing. For example, the annexation of Mexico solves the problem permanently and ultimately gives the USA a much smaller border to the south. We are already at war so expanding the scope to include those who are actively supporting an invasion of our nation does not seem unreasonable.
  3. Move to the European Union and forget about being American; skip that idea, due to immigration quotas you probably will not be allowed to move to most EU countries, although I hear Sweden is accepting many of the casualties of our war on terror. Forget about migrating to Canada too unless you have lots of education and money.

One thing is clear to me; Canadians and EU residents get more respect than Americans. I wonder why? Is it because they enforce their borders better than the USA or is it because they enforce their laws?

ISO 17799/27001 BS7799 IT Security policy resources

Filed under: Security — Bill Laakkonen at 9:29 am on Thursday, May 10, 2007

Who needs IT security policies and what types of organizations must comply?
Regardless of the size of your company, you should have an IT security policy in place. Even if you’ve not put one in writing yet, you have a policy already. In most small companies the policy is an island approach where every individual is left to his or her own devices and while this has worked well in the past, it must change in the future. In the past, with the exception of burning down your offices, damage from a single employee’s actions would usually be limited to their own files and sphere of influence. Today, the actions of one can affect your entire IT structure and wreak havoc and even destruction or disclosure of your data. Running your business without a policy in place is akin to setting sail in a boat with no rudder. The winds may carry you safely somewhere, or smash you into the rocks at any time. At a minimum the security policy should act as a guide for your business. If you have more than one employee, you should have a policy in place. For companies with up to 200 employees, the ISO 17799 standards allow management to have a better awareness of IT security and for larger organizations, the standards should allow the creation of a mature and compatible IT security culture within the company.

What organizations are required by US law to have IT security policies? The short answer is all public companies and virtually all companies in the health care business who handle electronic patient data.
The Sarbanes Oxley Act (SOx) section 404 requires public companies to document their IT and financial controls as well as issuing an annual statement of the effectiveness of the controls. Whether your company is large or small, if you make periodic filings under section 13 (a) or 15 (d) of the Exchange Act, you’ll need to comply with SOx.

HIPAA Subpart C Section 164.306 (c) requires covered entities to apply specific security standards regarding all protected health information.

How does one implement a policy and what standards are involved?

Of course, you can go to the ISO web site, purchase a copy of the ISO 17799:2005 standard in PDF, and write your own policies from scratch. Or you can start based on templates created by others.

One of the simplest ways to get started is by evaluating a sample policy based on ISO 17799. There are two easy ways to do this. One is to purchase a commercially available template system, and the other is by using Open Source documents as a starting point for your policies. The Lazarus Alliance started a wiki for this purpose about a year ago and while it’s a work in progress, reviewing the ISO 17799 documentation in the wiki should give you a good start towards ISO 17799. Bear in mind that the wiki is a work in progress and may not offer a policy as comprehensive as a commercially offered set of templates.

For commercial templates, there are quite a few revealed with a simple search on Google. The majority of those in the top results appear to be from the same creators with similar descriptions and pricing. The hype of this creator leads me to have a jaundiced eye towards the product (for example they claim Patriot Act compliance- unless you are an ISP, you need not worry about this act. Having said this please note I am not an attorney). I personally would demand a review period to evaluate the quality prior to committing money to the e-janco templates. Another sample template system is available for a free review in PDF format from RUSECURE. Having reviewed this template, I can opine on the quality and thoroughness of the policies in their templates. At half the price of the Janco templates and with a seven day money back guarantee it would be hard to go wrong with this template set.

You may also consider buying a software solution to generate your security policies. One such solution is produced by Callio though you will find many others on the market for a DIY approach.

Another option is to hire a consultant to do all the steps for you. In most cases, the consultant will likely start with a software toolkit or templates and customize them as needed for your business. This is by far the easiest way to get a policy in place but do remember to do your due-diligence on the consultant and inquire as to his background, qualifications, and real-world experience prior to hiring. A good consultant should also be able to provide a clear detailed proposal covering costs and milestones prior to beginning work. One last bit of advice: never pay the full consultant fee in advance. My experience from both sides of the table indicates structured payments based on milestones with a final payment upon full deliverables works best for all concerned.

Design for Section 508 compliance can save time and money.

Filed under: SEO — Bill Laakkonen at 10:35 am on Wednesday, May 9, 2007

The best reason to be Section 508 compliant (besides the Law) is increased visibility in search engines and better usability for your visitors. Another benefit is the ability to have your content viewed in a wider variety of User Agents (such as cell phone based web browsers).

It is almost ten years now since the US Congress amended the Rehabilitation Act requiring agencies to make their electronic and information technology accessible to people with disabilities.

Section 508 was enacted to ensure people with disabilities are not excluded from accessing information by requiring the elimination of technology barriers. The barriers most often encountered by the disabled on the Internet are excluding technologies such as Java, JavaScript, and the overused technology of Flash animation. First, let me say I am not an anti-Flash extremist. I have in fact used Flash technology in designs and find there are many compelling applications for it. YouTube is a fine example; as are interactive training applications. The NOAA web site illustrates the proper use of Java technology in a 508 compliant manner well. Unfortunately, most of the applications of Flash and Java technology are gratuitous and seem implemented by otherwise well meaning web designers, much to the detriment of both the web site and the disabled visitors (customers) of the site. The most significant sight impaired visitor your web site will ever have is a search engine robot. You should always design your site as if the robot were your prime audience FIRST and then add the eye-candy (read Flash) later.
Here are some reasons and places on your site not to use Flash:

* Navigation. You should never make your web site navigation accessible only via Flash. This is a sure way to eliminate the disabled visitors of your site from navigating it. It also eliminates spiders from crawling your site if the only links are embedded in Flash.
* Content. Embedding content is a sure way to control the presentation of your site and also a sure way to prevent most search engines from including your site in their results. If a person is sight impaired they may not be able to access your content no matter how pretty it may appear to the sighted.

Other design errors to avoid for Section 508 compliance include the use of Frames and lack of a text equivalent for every non-text element such as images or Flash animations. I suppose at this point the quickest way to demonstrate what not to do would be by an example and illustration of what the sight impaired person (or search engine robot) may “see”.

Here is an example of what not to do for a Section 508 design: City of Stuart, FL Web Site

Official City Of Stuart Web Site

Here is a nice screen shot of this web site rendered in a (sight impaired) text based browser. As you can see from the image, the sight impaired get a message of “go away” rather than the alternate content which should be there. Of course this should bring home the fact that frames are possibly the worst thing you can do for your web site.

Now let’s go a little further and follow what links we DO have. The first is labeled “banner”.
I won’t bore you with an image of the banner frame- the frame contains this text: [banner_rev2_web.jpg] -which should drive home the reasoning behind the ALT requirement for non-text elements. An alt tag should be there to label the image with something such as “The Official City of Stuart web site” or similar.

Following the main frame link we have this page rendered in the Lynx browser:

City of Stuart Main Page

You should see the first thing on the page is navbar.swf - a Shockwave/Flash file containing the navigation for the web site. Most search engines (and virtually all sight impaired visitors) will not be able to navigate the rest of the site other than the regular links on this frame page. The item on this page labeled EMBED is ironically a request to take a survey for feedback on this web site. The form posts to a simple FrontPage web bot save results component so the use of Flash here is gratuitous. A text link to the survey would work much better. In both cases where Flash is used here, GIF images with alt texts could have done the job with widespread support for virtually all user agents, even for the sight impaired.

The fact that the designer took the time for a survey on her site indicates her care for the improvement of her customer’s experience with their web site product. Unfortunately, this site needs much improvement and perhaps more so is typical of the implementation seen with many service oriented web sites. It is important to remember the site exists solely to serve the visitors and failing that service leads to increased load on your staff as well as other costs. A Section 508 compliant web site has many benefits and chief among them is the saving of your resources when visitors can locate and access information quickly without tying up your staff on the phones, with email, or Faxes.
You may be wondering how you can check your site for Section 508 compliance. A quick check can be done using Cynthia Says which has an automated Section 508 test. It should give you a quick checklist of issues to resolve with your web designer should the test indicate failure. Most web sites will not pass all the tests and you should use the results as a guideline rather than looking for strict compliance. You can also find more information on the Official Section 508 website.
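
A local version of that quick check, limited to the three errors walked through above: frames with no linked alternative, images with no alt attribute, and Flash embeds with no text equivalent. This is an added example, not the Cynthia Says test and not the city site's real markup; the sample pages are constructed from the description in this post, and every file name other than banner_rev2_web.jpg and navbar.swf is made up.

```python
import re
from html.parser import HTMLParser

HREF = re.compile(r"<a\b[^>]*\bhref\s*=", re.I)
TAGS = re.compile(r"<[^>]+>")


class TextBrowserView(HTMLParser):
    """What is left for a user agent with no frames, images or Flash plugin."""

    def __init__(self):
        super().__init__()
        self.frames = []          # frame names; Lynx lists these as bare links
        self.no_alt = []          # <img> elements with no alt attribute at all
        self.flash = {}           # .swf src -> True once a text fallback is seen
        self.noframes_links = 0   # links offered inside <noframes>
        self._inside = None       # "noframes" or "noembed" while in that element
        self._last_swf = None     # most recent Flash <embed>, awaiting <noembed>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("noframes", "noembed"):
            self._inside = tag
        elif tag in ("frame", "iframe"):
            self.frames.append(a.get("name") or a.get("src") or "?")
        elif tag == "img" and "alt" not in a:
            self.no_alt.append(a.get("src") or "?")
        elif tag == "embed" and a.get("src", "").lower().endswith(".swf"):
            self.flash[a["src"]] = False
            self._last_swf = a["src"]
        elif tag == "a" and a.get("href") and self._inside == "noframes":
            self.noframes_links += 1

    def handle_endtag(self, tag):
        if tag == self._inside:
            self._inside = None
        if tag == "noembed":
            self._last_swf = None

    def handle_data(self, data):
        # html.parser may deliver these bodies parsed or as raw text; handle both.
        if self._inside == "noframes":
            self.noframes_links += len(HREF.findall(data))
        elif self._inside == "noembed" and self._last_swf:
            if TAGS.sub("", data).strip():
                self.flash[self._last_swf] = True


def check_page(html):
    """Return sorted (rule, detail) findings for one HTML document."""
    view = TextBrowserView()
    view.feed(html)
    view.close()
    found = [("img-missing-alt", src) for src in view.no_alt]
    if view.frames and view.noframes_links == 0:
        found.append(("frames-without-linked-noframes", ", ".join(view.frames)))
    found += [("flash-without-text-equivalent", swf)
              for swf, ok in view.flash.items() if not ok]
    return sorted(found)


# Constructed samples modelled on the walkthrough above, not the site's markup.
FRAMESET_PAGE = """<html><head><title>Official City Of Stuart Web Site</title></head>
<frameset rows="90,*">
  <frame name="banner" src="banner.htm">
  <frame name="main" src="main.htm">
  <noframes><body><p>This page uses frames, but your browser doesn't support them.</p></body></noframes>
</frameset></html>"""
BANNER_PAGE = '<html><body><img src="banner_rev2_web.jpg"></body></html>'
MAIN_PAGE = """<html><body>
<embed src="navbar.swf" width="600" height="40">
<p><a href="departments.htm">Departments</a></p>
<embed src="survey.swf" width="200" height="60">
</body></html>"""
FIXED_MAIN_PAGE = """<html><body>
<embed src="navbar.swf" width="600" height="40">
<noembed><a href="departments.htm">Departments</a></noembed>
<p><a href="survey.htm">Take our web site survey</a></p>
<img src="banner_rev2_web.jpg" alt="The Official City of Stuart web site">
</body></html>"""

if __name__ == "__main__":
    for page in (FRAMESET_PAGE, BANNER_PAGE, MAIN_PAGE, FIXED_MAIN_PAGE):
        print(check_page(page))
```

An empty list only means none of these three errors was found; it is not a full Section 508 result.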