Blog

Security: Backup

So far, we’ve learned the importance of keeping our mouths shut, and the importance of passwords.

But what about when those things fail, despite everyone’s best efforts to the contrary?

You’d better have a backup.

Backups are paramount. If you don’t have one, you’ve already essentially volunteered for everything to fail and be entirely unrecoverable. But what does a good backup look like?

First, there is no situation in which one can have too many concurrent backups. This only becomes a question of resources and time. You can’t reasonably run five separate backup sets at once, or even one after the other, without significantly impacting the performance of a setup, just for example.

Actually you can, but the processes and resources required for this are a little out of reach for your average person. The backup processes for, say, Google, or Microsoft, are actually minute by minute, to second by second. Because they have to be. But they’re also multi-billion dollar companies. They can afford very liteally anything they want at any time.

We’re going to assume that we’re not all Microsoft or Google. We, then, want at the very least a daily backup. For e-commerce, hourly is required. And good news! Most hosting providers, at last as far as websites are concerned, provide you with this exact functionality as part of your hosting cost. Great!

But let me paint a scenario for you, as unlikely as I find it. For some reason, exactly why being unimportant, the backup at your hosting provider is unusable. Oh no! Now what?

Well, it’s a good thing we had two other backups, assuming we have a proper backup scheme.

A good backup includes at least three (3) backups. E-commerce gets a fourth “warm standby”, but we’ll talk about that much further down.

Your three backups should be as follows.

An on-site backup. The one provided by your hosting provider, or if you’re hosting yourself, machine images and folder backups.
An off-site backup. Either moved to a storage location not on your hosting provider’s site (Google drive, etc.), or in the case that you’re hosting yourself, a hard drive kept in another physical location.
A cloud backup through a provider of such things. If you’re using Google Drive as an “off-site” backup, consider something like Mozy or Carbonite.

You may not be hosting your own website, but you may be using on-site accounting software, or documentation. Always keep a backup of it, even if it’s a cloud hosted environment, such as keeping documentation in Google Drive. Keep this in mind when considering your backups.

The backup schemes can be thought of thusly:

In case I make a mistake.
In case there’s a fire.
In case everything goes wrong in every way possible.

So now you have a backup. But now are you sure it’s working?

More than once have I, personally, gone to restore a backup and found that, oh no! last night’s backup failed.

Good thing I had two other backups.

Every day, you should be checking your backups. Every day, you should open the software and see if the backup succeeded.

Once a month, at least, a backup should be tested. Either by downloading a file, or restoring in the morning to last night’s backup. A lot of backup software has a test run utility built in, to ensure a backup is working without having to actually restore from it.

So now you have three backups, and you know they’re good. What else?

If you don’t run an e-commerce site, or don’t have a reason to know what “high availability” means, you’re done. If you can handle 6 hours to 1 day of down time, there’s no reason to go any further. You’ve given yourself all the safety you need in a backup.

E-commerce and other services that require more, that is to say “high availability”, should have something a little more robust. Down time isn’t really an option for an online store, and losing more than an hour of info is hard to cope with.

So now we’re into the world of warm standbys. To understand what that means, in IT we refer to anything live as “hot”. The pot is on the burner, so to speak. A warm standby is kept up to date within the hour, usually by replicating the live site every hour on the hour, and as such is in a state to go live, or hot, at any time.

The setup works thusly. You have your live server, and on another host, an exact copy of that server. It’s kept up to date through some process every hour. If something should happen, you take your live site down, go to your warm standby, change any information that needs to be changed (such as passwords. Going live with the same passwords that were just cracked is a bad idea), and then point traffic to the warm standby.

You are then free to restore to the primary server from the warm standby, collect anything that was missed in the minutes between replication for entry later, and then swap back to your primary site.

This can take place in a matter of 30 minutes, and generally results in no percieved downtime for any users.

There is but one issue with this: Cost.

High availability setups in any environment cost money. Ideally you actually have two warm standbys, just in case. In the case of onsite hosting, it’s usually for updates and patches that require downtime. One stanby takes over while the other two update and patch, reboot, get back in order, an then they swap places again.

But that’s three hosting bills, or three identacle on-site servers. That’s expensive!

And then you also have to manage all of this? Do you actually have the time? Consider that strongly, because there is a point at which hiring someone to manage these things is the right answer. It’s usually at the point you either do not have the time to do it yourself, or do not have the time to understand it yourself. Everyone can come to terms with these concepts and execute the plans, but having the time available to do that is another question entirely.

A backup is an essential part of security. It provides a process for recovery even when best efforts go awry. Everyone should have a backup of anything they find important, and ideally they have three.

Stay safe online, and in the wide world.

~AJ

Security: Passwords

What does a good, secure password look like?

You won’t like the answer.

Because it’s this: 456965230ee038b6ebd0e9369062113c861f5423e1146137e0bee8b2d322cbfb

That is an excellent password. It’s long, it’s complex, and most of all, you can’t remember it.

“Hold on,” I hear you say, hypothetical reader. “Why shouldn’t I be able to remember my own password?”

Because you are point of failure Number 1. How many passwords have you given out to people? Can you trust them? Can you really?

I don’t say that to sound scary. But it’s a practice in security circles that if a password is actual very, very important, that not even the person(s) who use it can call it up easily.

It gives you time to think, and to act on the thought, “Does this person actually require my password?” 99/100 times the answer is a very firm “No.” For example, your bank calls you. They tell you that there’s some potentially fraudulent charges made against your card. What does your bank actually need to verify that it’s you?

It’s not your card number. That’s in their database. They already know it. It’s not your name, same situation. It’s not your address, phone number, zip code, PIN number, SSN, none of it.

Typically, they will, instead, ask for the last 4 digits of something, a card, your SSN, etc. Even better is when they ask for just the numbers on your address. They know the rest. Someone asking for too much info is red flag number 1 that something is wrong with any situation.

People engaging in social engineering will usually move too quickly to give you much time to think. They’ve presented you an emergency and you need to act right now! But you don’t. What really happens if that call is legitimate and you hang up? You call your bank at its number and go through and get the charges declined. No love, time, or money really lost. A real bank employee, should a real person call you for this sort of thing, will absolutely understand if you respond with, “I will call my bank back directly, thank you.”

But say you’re not very good under pressure. You fold quickly. That’s fine. Your password is long and unmanageable , and you have to go look it up to even give it out. Now you have precious long minutes to consider if this is even a little bit real.

“Well, okay, good point, but,” I hear my lovely hypothetical reader say, “now I have this long string of numbers and letters just sitting in a note pad document, or, worse, on a note pad. That’s just as bad!”

Well, yes. So don’t do that.

Instead, use a password manager.

First, they generate hilariously long passwords like that for you, so you don’t have to play a miniature drum solo on your keyboard to generate a password. Second, they store the passwords in an encrypted database, so they’re not in an unsecured word doc, or on flammable, easily stolen, note paper.

There are hosted services, like OnePass, LastPass, or Dashlane to use. There are decentralized services, like Myki, and then there’s the favorite of IT Professionals everywhere, Keepass, for keeping a local database.

Hosted services are great! If you feel you can put your trust in another company to securely host your passwords. Which you can, by the way. That’s not scare tactic. If any one of them decided to lose their minds and start selling password data, it’d be found out quickly, and many, many bad legal things would happen to them. But if you have a personal hang-up with cloud hosting, I get it.

Myki is the only decentralized service I’m aware of. Each device the app is installed on keeps its own encrypted local copy of the database, which in turn can be restored or accessed from any of those devices. The only thing that touches Myki servers is an encrypted packed to pass the data between devices when a update to the database happens. They can never actually see any data you move between devices. But, again, you are using someone else’s device to push your data around, and some people have hang-ups with that. Understandable.

Keepass is your solution for total control of a single encrypted password database. You just keep a cloud backup of it every night, and don’t lose your password. Bam. Done. No issues.

“Okay, that’s nice. But,” I once again hear my hypothetical reader ask, “What about that one password you’re using to unlock the database. Shouldn’t that be really long? Should I be able to remember it?”

Yes. To both questions.

“Doesn’t that create a single point of failure?” You ask, pointedly, hypothetical reader.

Yes. However.

First, any given hosted service is going to be up to current best practices and standards for storing and preventing access to encrypted data. Second, if you are using a hosted service, Two-Factor Authentication is your friend. Please use it.

Third, a decentralized service attack requires that an attacker have administrative access to one of your devices. If they have that, you have larger issues than your passwords being stolen.

And, finally, an attack on a local database requires, that, again, an attacker has access to the hosting device. Which would create a much larger issues than just your password being stolen.

Oh, and using the remember password feature in browsers? Totally fine. Use it all you like. Just be careful about where you’re syncing that data. I’m looking at you, Google Chrome.

“Okay, so, how do I remember my obnoxiously long password for my password manager?” My hypothetical reader asks.

I’m just going to link to this XKCD comic that I feel explains it best.

But, to summarize in case XKCD is blocked at your work place (why?), pick any 4 given common words, smush them together into one string (WITH SPACES!). The example given is “correct horse battery staple”. Now come up with some cute mnemonic to remember this for yourself, which you almost already did, most likely, and now you have a strong, human readable, human memorable, password.

This should be the only password you have like this. The rest are machine generated and meant to take until the heat death of the universe to brute force via machine guessing.

Well, unless you have to log into the IRS website… which disallows the use of password managers and copy/paste functionality in its password field. For reasons. None of them well explained.

Listen, the IRS is still running the entire tax system off of a program written in COBOL that has caused an estimated billion dollars in technical debt to get out from under into something more modern. We’re going to guess their problems go far and beyond their strange password policies.

Sometimes it really is the service’s fault when you get hacked. But you can do your best to avoid it in the meantime.

Stay safe online, and in the wide world.

If you have questions, you can contact me at my Harmony Group email address: AJ@HarmonyGroupATL.com

~AJ

Security: Praxis

What’s that word? You might not have seen it before. Why is it in a blog post about security?

Let’s start with just pasting in the definition from googling “Praxis Definition”.

prax·is/ˈpraksəs/

nounFORMAL

practice, as distinguished from theory.

“the gap between theory and praxis, text and world”

accepted practice or custom.

“patterns of Christian praxis in church and society”

This post, as a summary, will be about making a total life change to be about being secure. It’s a change in perception and action that requires time and effort but can (usually) be for the better.

As an example of security culture, imagine you are a political activist. It doesn’t matter what you’re an activist for, in this case. You have acquaintances and friends who are also activists, one would hope.

One day, you start a conversation with one of them. Midway through the conversation, they say, “Well, at the last protest I….” This is your time to hold up a hand and say, “Stop. I don’t want to know.”

Not because you genuinely don’t want to know. It’s probably a good story. But for your own safety and security, you shouldn’t know. Because if you know, you then have to, should that action be illegal, either A) lie to the police if or when you’re asked about it, or B) exercise your 5th amendment rights (supposing you’re in the USA). Neither of these are good options.

For IT professionals, we’re often trusted with information we, frankly, should never have known in the first place. Our time to hold up a hand and say, ” Stop. I don’t want to know.” is when anyone starts to recite a password to any system we do not directly have administrative rights to, or any system we do not absolutely require access to.

I have actually had people start to tell me their bank passwords. No thank you.

Should something happen, and it has, the first stop on anyone’s mental check list of “Who Done It?!” is going to be people they’ve given the password. And trusted individuals are given a pass, ex: Spouses. If I’m on the list, and not a trusted individual (and we’re never going to assume this), I will be receiving a call from the police.

I do not want a call from the police.

Even if I’ve done nothing wrong. Especially if I’ve done nothing wrong.

There’s a different topic in that, but it’s not for this blog on this website.

On the opposite side of this praxis (that is, opposite to ensuring you only know what you need to know), there is ensuring that others only know what they need to know, and do not know what they don’t need to know.

There are basic things, like: Don’t keep a physical record of your passwords, don’t say them out loud while typing, etc.

But further than that, there’s keeping logs.

System administrators already know this well. Logs are your friend. They prove who did what and where and when they did it. Anything you use that keeps logs, pay attention to them.

My bank, for example, sends me an email any time I login from any application or device, complete with that device’s ID and approximate location. I love this. But I’ve heard people complain about the constant emails associated with logging like this.

Until they get one when they haven’t logged in. Logs are your friend.

And, the final step in total praxis of security, is this: Shut your mouth(s).

That sounds really simple, but it’s that “(s)” part that’s important. You have more than one mouth. Or do you not also have a Facebook, YouTube, Twitter, LinkedIn, Instagram, Snapchat, Google Account, NewestSocialMediaPlatformHere, etc.?

I’ll give you a big hint about these services. The farm is free for the cows.

Did you know you can go into your Google account page and not only see a complete log of any voice command you’ve ever given your device, BUT LISTEN TO A COMPELTE RECORDING OF IT?

This applies to Amazon Alexa, too. Does this implicate Amazon or Google in some nefarious plot? Not really. Practically speaking, there’s no way for anyone (human) to listen to all of those voices, and there is, at best, an algorithm that listens for when someone cusses at their Alexa or Google home because it didn’t hear a command right, and tries to learn from that for better voice recognition.

But this does highlight something. As a culture, we’ve decided to just give away private information. We decided that’s an okay thing to do and haven’t considered the ramifications of it.

Twitter, for example, has a very powerful search API. If you don’t remember that terrible thing you said in September of 2010, but someone else sort of does, and wants to find it, and use it, well, it’s as easy as bringing up the helpful knowledge base article on the API, and then away they go!

Also, turn off location on your posts. C’mon, that’s just creepy, and it’s been discussed as an avenue for people wanting to break into your house to abuse.

Should you stop using social media? No. It’s actually an incredibly powerful and useful tool for interconnecting with everyone around you.

Should you be more aware of what you’re saying, or more importantly, giving away? Absolutely.

There’s even more to say on this topic, but that’s not necessarily for this blog, or this website. This post is more about the idea of engaging yourself in security culture and exercising good praxis of the ideas it presents.

This is a process. No one changes their habits overnight. But if you take your personal security seriously, you may find that you, at the very least, feel safer, though if I stopped you from being the sort of person who puts their phone number on Facebook publicly, I’ll count that a victory.

Stay safe online, and in the wide world.

~AJ

Let’s Talk About Security

So Harmony has a blog now. And guess who got pegged to write about security topics?

The self proclaimed security enthusiast. That’s who.

This post is more of an introduction to the topic. We’re going to discuss the what, why, and how of security stuff, and how important and frankly out there some of the things can be.

It’s a hugely evolving landscape, too. Just recently, Microsoft stopped recommending that you force a password change every x months. Wrap your head around that!

It’s that and a whole lot of other stuff that we’ll be talking about in my section of the blog.

I also do a lot of web development, and specifically in WordPress. And will be speaking about security and its application to WordPress in June 2019. You can find the Kennesaw WordPress meetup group here.

Stay safe online, and the wide world.

~AJ