Strategy

The Importance of Using Secure DNS Servers

All good IT administrators know that maintaining a secure, productive and supportable computing environment means considering (and implementing) security at many levels. There is a whole load more to it than just installing a virus scanner on all your computers (though deploying a good antivirus and anti-malware solution is of course one element in this). Ideally you'll have Endpoint protection for AV and Malware on all desktops, laptops and servers (Onega tend to recommend and use Kaspersky, AVG and MalwareBytes depending on use case), but also a secure firewall (e.g. a good Watchguard XTM or similar unit) and external cloud based email filtering to reduce the risk of anything untoward getting into your network in the first place.

One thing we are also now recommending (aside from reminding people about limiting use of full admin rights to a PC - see http://www.onega.net/blog/2015/6/4/are-you-logged-in-with-admin-level-credentials-on-your-computer-right-now ) is to set your external DNS servers to be secure servers.

In QA format - here you are:

Q. What is the difference between Secure and Non-Secure DNS Servers?
A. In this context, a standard or non-secure DNS server does a good job of DNS resolution, turning your request for http://www.randomwebsite.com/ into the IP address (143.95.83.184 in IPV4 land as I type) that hosts the site, for your web browser to connect to or your email to be delivered to etc. The resolution process is simple, fast and robotic: the DNS server will cache entries for fast response, or look them up for you recursively from first principles and the Root DNS Servers. When the server has the result, it gives it to you. A secure DNS server adds an extra level of security to this process. It will look up websites and Internet addresses, but before giving you the result, it will check whether the IP address is of known good or known bad reputation (or check it with a virus scanner first). If the site is deemed clean then your computer is given the IP address in the blink of an eye. If the site is one that you'd probably be glad not to be visiting, then the DNS server will redirect you to a harmless web page which will let you know why you are there.

Q. Put simply, what is the benefit of secure DNS?
A. It helps reduce the risk of accidentally browsing to an undesirable website that might otherwise have tried to install malware or other junk on your computer. Thus you are very likely to save hard money through reduced downtime and lost productivity, and through less time (and cost) spent fixing an affected machine.

Q. Which Secure DNS Servers do we recommend?
A. The two main contenders at the moment for secure DNS are:

Comodo Secure DNS: 8.26.56.26 and 8.20.247.20
(See https://www.comodo.com/secure-dns/index.html )

OpenDNS: 208.67.222.222 and 208.67.220.220 (others are available on premium packages - these are free for public use)
(See https://www.opendns.com/ )

Q. How do we implement Secure DNS?
A. Make note of the DNS server addresses above, and either set these individually on a PC / laptop (if not in an office environment) or else set these servers as the DNS forwarding servers on a Linux / Windows / Mac Server DNS server in an office environment. DHCP should give out DNS servers that relate to these (or actually give the addresses out if you don't have an Active Directory environment).
... or just ask Onega of course and we can help configure these for you quickly.

Q. Is there a Cost?
A. If you are a business then it is of benefit to subscribe to one of the premium services which has a modest charge but this is of relatively trivial level and soon, anecdotally, pays for itself. The premium services also give you the confidence of an SLA as well as extra features. On the setup / installation / configuration of secure DNS in your environment, Onega would do this for you, either free if you are under a proactive maintenance agreement with us, or based on our standard PAYG time charges (it would normally take no more than an hour on the average client network servers and firewalls, unless you have a really big system).

Q. What about Google's DNS - is that Service Secure? (8.8.8.8 and 8.8.4.4)
A. No, not in the sense being discussed here. Google being Google, that is likely to change over time.
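A check for the setup described in the implementation answer above, added here as an example (it is not Onega's own code): it reads resolver addresses from resolv.conf-style `nameserver` lines or a BIND-style `forwarders { ... };` block and flags any address that is not one of the filtering resolvers this page lists. The sample configurations are constructed and the function names are hypothetical.

```python
"""Audit DNS resolver settings against the filtering resolvers listed on this page."""
import ipaddress
import re

# Filtering resolver addresses exactly as given in the Q&A above.
FILTERING_RESOLVERS = {
    "8.26.56.26": "Comodo Secure DNS",
    "8.20.247.20": "Comodo Secure DNS",
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
}

# Constructed sample: a laptop with one filtering resolver and a public fallback.
SAMPLE_RESOLV_CONF = """\
# set by hand on a laptop used outside the office
nameserver 208.67.222.222
nameserver 8.8.8.8   # 'just in case' fallback
"""

# Constructed sample: an office BIND server forwarding only to filtering resolvers.
SAMPLE_NAMED_CONF = """\
options {
    // upstream forwarders for the office DNS server
    forwarders { 8.26.56.26; 8.20.247.20; };
    forward only;
};
"""


def _addresses(tokens):
    """Keep only tokens that parse as IP addresses (drops keywords such as 'port')."""
    found = []
    for token in tokens:
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass
    return found


def resolvers_from_resolv_conf(text):
    """Return the addresses on 'nameserver' lines, ignoring comments."""
    tokens = []
    for line in text.splitlines():
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            tokens.append(fields[1])
    return _addresses(tokens)


def resolvers_from_bind(text):
    """Return the addresses inside BIND 'forwarders { a; b; };' blocks."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"(//|#).*", "", text)                # line comments
    tokens = []
    for block in re.findall(r"\bforwarders\s*\{([^}]*)\}", text):
        tokens.extend(block.replace(";", " ").split())
    return _addresses(tokens)


def audit(resolvers):
    """Classify a resolver list.

    filtered   - every configured resolver is on the page's list
    mixed      - some are, but an unlisted resolver can still answer queries
    unfiltered - none is on the list
    none       - no resolver address was found
    """
    listed = [r for r in resolvers if r in FILTERING_RESOLVERS]
    unlisted = [r for r in resolvers if r not in FILTERING_RESOLVERS]
    if not resolvers:
        verdict = "none"
    elif not unlisted:
        verdict = "filtered"
    elif listed:
        verdict = "mixed"
    else:
        verdict = "unfiltered"
    providers = sorted({FILTERING_RESOLVERS[r] for r in listed})
    return {"verdict": verdict, "unlisted": unlisted, "providers": providers}


if __name__ == "__main__":
    print("laptop:", audit(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)))
    print("office:", audit(resolvers_from_bind(SAMPLE_NAMED_CONF)))
```

A "mixed" verdict is the case to look for: any configured resolver may end up answering a lookup, so one unfiltered fallback is enough for queries to skip the reputation check.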

 

Are you logged in with admin level credentials on your computer right now?

If you are reading this then there is a fair chance that you're categorised as a 'power user' or a full administrator on your IT systems. There is also a fair chance that right now, you may be logged in with an account that has admin rights to your local machine.

If you ask someone: 'Do you need admin rights on your computer?'; the answer, 90% of the time, is: 'Yes, I could not work without this'. Psychologically, we all like to have the power of full admin control to our own computers all the time. If you are used to having full admin rights to a local machine then this is hard to give up, and giving this up can be akin to giving up smoking, gambling, etc. Admin rights are addictive!

There is a strong case for best practice (basically not disputed) for having permissions set on the basis of least required permissions. Part of this is making sure that you only use the login / admin / access rights that you need at the time. For normal day to day use, we should only be logging into a computer with 'user level' access.

The reasons for this are many and whilst you probably already know these, the key ones are worth reiterating:

1) Reduced Malware Surface and Risk - By using a user level permission account in day to day use, you minimise the impact of any malware that you may inadvertently come across while browsing the web etc. Whilst there may be some malware that can very cleverly bypass permissions on a computer, or exploit zero day flaws, assuming your computer is up to date, you reduce the attack surface (and hence the risk of contracting malware, viruses and APTs (Advanced Persistent Threats)) on your computer by about 95% by using user level rights most of the time.

2) Regulatory Compliance - Nearly every IT security and relevant industry regulation standard specifies that organisations should adopt the principle of 'Least Privilege'. This includes UK PCI DSS standards, ISO27001, Sarbanes Oxley, UK Financial Conduct Authority (FCA was FSA) etc. This covers not only compliance from the security standpoint, but also compliance with company IT policies - for example, with company software licensing and authorised software. If a user does not have admin rights then they can't install a bit of software which is not approved or licensed. Thus, administrators and company managers can be confident that there are not any hidden liabilities around and that change control is maintained. We've seen many occasions when a user might install a piece of software that either 1) has a hidden (and very undesirable) payload or 2) causes unexpected repercussions if, for example, it installs DLLs that then cause other software to run less reliably - which may not be easy to diagnose as the problems might not appear straight away and sometimes are only cured by a restore from image backup or at worst require a complete PC rebuild.

3) Evidence Proves the Point - Analysts such as Gartner have proven that statistically, if you remove admin rights from most users, then you reduce security breach incidences, but also save money and wasted time in IT support. Having least privilege makes for a more supportable, reliable, productive and hassle free environment, with lower support cost through a reduction in both direct support costs and lost productivity time if a user is unable to work for a while.

If you want a second, third or fourth opinion on this, Google 'IT security best practice for least permission' or look at other blog entries like http://blogs.gartner.com/neil_macdonald/2011/08/23/the-single-most-important-way-to-improve-endpoint-security/  - who make the point well also.

So how do we address this practically?

The first thing is to admit that we have a problem and accept that you may be an 'adminrightsoholic' personally or indeed even suffer from endemic CEPS - Corporate Elevated Permission Syndrome, to coin a phrase or two. You know you have admin rights, that others have full admin rights, and that you should give these up in everyday use - you could give them up but you choose not to. Maybe you should stand up right now and state to the office that 'I'm an adminrightsoholic and I'm admitting this as the first step to changing my ways. I know it is not going to be easy and I'm going to ask for your support as trusted colleagues in getting through this tough time for the benefit of myself and the company. Will you join with me in this righteous journey?'

The key is to take things one step at a time, and learn to live with user permissions one day at a time.

The first steps:

We can address this personally and across a company. In taking Gandhi's words to heart that you should 'be the change you want to happen' the first place to start is on your own desktop or laptop computer.

If you are an administrator in a company, or genuinely (in this word is a world of debate and access to regression) need access to admin functions on your computer, then the best thing will be to create (if you don't have one already) a separate local admin account on your computer, e.g. if you are BobP and this is your normal login, then you could perhaps create an account called 'bobpadmin' or suchlike. Both your new and normal accounts should have secure passwords (complex passwords which are not easy to guess, not Password123 etc.). Give the new admin account full local machine admin rights. Then log out of your normal account and log in with the admin account. Remove admin rights from your normal user account on the local machine, such that you are only a User (or a member of any other special groups you need). Then log out of the admin account and back in with your now only regular user level account. Congratulations; you just went cold turkey on desktop admin access on your Windows PC. Continue to work as normal and you can feel smug that you've given up your full admin permissions in day to day use. If and when you need to install software on your machine then you can, but run the installer as your admin account.

You'll find that actually everything works fine. In reality we don't install software very often so you'll only rarely need to enter the higher level account details for elevated permissions. If you're still considering all this, ask yourself when you (knowingly) last installed a piece of software on your computer.
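To check where a machine stands in the dual-account procedure above, the following added example (not Onega's own tooling) parses the text output of `net localgroup Administrators` and reports the next step, keeping the page's order of creating the admin account before removing rights from the normal one. The sample output is constructed for an English-language Windows install, the function names are hypothetical, and the account names follow the page's BobP example.

```python
"""Report the next step of the dual-account procedure from `net localgroup` output."""


def make_sample(*members):
    """Build constructed `net localgroup Administrators` output for the given members."""
    return (
        "Alias name     Administrators\n"
        "Comment        Administrators have complete and unrestricted access "
        "to the computer/domain\n"
        "\nMembers\n\n" + "-" * 79 + "\n"
        + "".join(member + "\n" for member in members)
        + "The command completed successfully.\n"
    )


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if set(line) == {"-"}:          # the rule of dashes starts the member list
            in_list = True
            continue
        if in_list:
            if not line or line.lower().startswith("the command completed"):
                break
            members.append(line)
    return members


def next_step(output, daily_account, admin_account):
    """Decide what remains to be done for one user on one machine.

    Names are compared case-insensitively on the part after any 'DOMAIN\\' prefix.
    Nested domain groups are not expanded, so rights granted through a group
    such as 'EXAMPLE\\Domain Admins' are not detected here.
    """
    members = {m.rsplit("\\", 1)[-1].lower() for m in parse_members(output)}
    daily_is_admin = daily_account.lower() in members
    admin_ready = admin_account.lower() in members

    if daily_is_admin and not admin_ready:
        # Removing rights now could leave no usable admin login on the machine.
        return "create-admin-account"
    if daily_is_admin and admin_ready:
        return "remove-daily-from-administrators"
    if admin_ready:
        return "done"
    return "no-elevation-account"


if __name__ == "__main__":
    stages = {
        "before": make_sample("Administrator", "bobp"),
        "midway": make_sample("Administrator", "bobp", "bobpadmin"),
        "after": make_sample("Administrator", "bobpadmin"),
    }
    for label, text in stages.items():
        print(label, "->", next_step(text, "bobp", "bobpadmin"))
```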

As I type this I can admit that 'I used to be an adminrightsoholic' and now I've turned a leaf. It was hard to do it but now I'm glad I have and like many things, this is something I should have done long ago. I can now be the most annoying type of reformed addict who can evangelise to the world about the benefits of giving up.

At the wider corporate level though, it is important that users and rights are documented and set on the principle of least permission. Some users may genuinely need admin rights, but it is best if the dual account method is used here to minimise use of elevated rights. This includes very senior network admins, who should likely also have both a user level and an admin account so that things are done the right way and in the right place. If you are an Onega client then you'll have access to our Policies and Procedures Wiki Site where you can see formal policies for some of these. See http://intwiki.onega.net and the relevant section on this. If you don't have access to this and are a current client then feel free to contact us by any means at http://www.onega.net/contact. If you're not a current client, we'd love to chew the fat and talk IT and about you becoming one :-)

Some advanced solutions exist to manage elevated permissions and remove various back door risks and human risks, including Avecto and ViewFinity. However, beginning with the simple steps above is a good start. If there is enough demand, we'd be happy to run support group sessions for recovering adminrightsoholics where you'll be amongst friends.

Wishing you happy and safe computing but bear in mind that, just like all the best fictional characters, IT superheroes should remember that whilst it is great to have superpowers, you should: only use them when you really need to, only use them for good and keep them hidden at all other times.

How many IP Addresses? Onega say hello to IPV6

Internet Standards are evolving all the time, but the fundamental addressing mechanism that allows one computer to talk to another on the Internet has been in place since 1981. Called IPV4, it allows for 4 billion network nodes on the Internet. That seems a lot and, back when initially only tens and then hundreds of computers were connected to the Internet, would have seemed a huge number, in the same way that Bill Gates was once quoted as saying that '640K was more memory than anyone would ever need'. Over time these have all been used up and allocated such that there are, in the great scheme of things, very few left. If you've come across addresses like 192.168.X.X on your network computers or 89.106.X.X for other machines etc. then these are the IPV4 addresses.

The next generation of Internet is being built on IPV6 and this will allow for a world where everything from your socks to your kettle is likely to have an IP address. It will not be long before it, by necessity, becomes mainstream and in use daily. Google, Facebook and other big websites are already IPV6 enabled and everyone else is gearing up. If you have a Windows 7, Windows 8 or Windows 10 PC or laptop and/or Windows Server 2008 or 2012 then you are most likely already using IPV6 without realising it (if you like to tinker and want to see this in action try disabling IPV6 on a Windows Server and see what happens - actually on second thoughts don't, as things stop working without IPV6 enabled internally on your network).

Onega's core service network is now supporting IPV6, and we have a new allocation of IP addresses from RIPE (the European coordinator of IP addresses) as Onega are a Local Internet Registry. For IPV4 we have an allocation of a /21 network which gives us 2,046 hosts / networks (and we have to be careful to conserve these). Our new IPV6 allocation is: 2a04:cf00::/29 - this does not look like much but actually represents a significant increase.

In numbers, this is 633,825,300,114,114,700,748,351,602,688 addresses.

In words this is: six hundred thirty-three octillion, eight hundred twenty-five septillion, three hundred sextillion, one hundred fourteen quintillion, one hundred fourteen quadrillion, seven hundred trillion, seven hundred forty-eight billion, three hundred fifty-one million, six hundred two thousand, six hundred eighty-eight.

Yes, that's a big number and we're still getting our heads around it!

Usefully, the RIPE website has a button to 'apply for more IPV6 address' but we suspect that this will not be called for very often. Maybe in 2050 there might be another iteration needed but right now it is hard to think of how all these addresses can be used up, even if you really do have a lot of socks.

More seriously though, here at Onega we are aware that change is coming and consider this on behalf of our clients. Any new equipment we buy is considered for IPV6 compatibility, and you should avoid anything that is not IPV6 compatible as this would thus be pre-obsolete.

IPV6 as a topic is something that is currently coming up to the boil, and when it gets there it will be a very big thing. We predict it will be a salesman's dream to replace anything that is not compatible with new models that are when the time comes. By thinking about this early you can ensure a smooth transition for your networks.

Interestingly, geopolitics or geotechnocratics comes into play here. Historically America had (and still has) the biggest allocation of IPV4 addresses whereas countries like China had a virtually nil (or very much smaller) allocation, befitting their IP addressing needs at the time (China in the early 1980s was not big on the Internet). Thus countries like China are actually way ahead of the USA now on IPV6 adoption, through the simple necessity of the pressure their IPV4 allocations caused. So we see vendors like Huawei (if you've never heard of them they are a hard competitor to Cisco and have over 100,000 members of staff making all sorts of computer and communications equipment and selling all over the world including to BT) competing hard with Cisco and ahead on IPV6 support, where some American companies feel like they are dragging their heels somewhat and still selling yesterday's solutions. That will change soon enough though.

This article has been written mainly for interest and a little education perhaps, and also to demonstrate that here at Onega a big part of our work is looking forward, anticipating needs of the future as much as those immediate ones of today so that we are ready to help architect transitions to the core topology that will see them through the next decades.

If you have any questions or comments on this or other issues, please don't hesitate to get in touch - we like talking tech and this is certainly something you want to 'have a strategy' on. http://www.onega.net/contact

Onega provide subsidised Internet connections with Connection Vouchers

Onega Ltd are fully registered as an accredited supplier for the UK Government's SuperConnected Cities Connection Voucher Scheme. This allows us to provide (for qualifying companies) free fibre and other fast business grade broadband service installations. The subsidy here covers up to £3,000 of install costs and is designed to help kick-start the next phase of the UK's digital economy.

Having enjoyed 100Mbps and gigabit Internet speeds here at Trinity Buoy Wharf for the last couple of years, we can attest to the benefits of very high speed broadband. The Internet just works and downloads, video calls etc. are all smooth and seamless which is how they are meant to be. If you are currently on ADSL, ADSL 2+ etc. then you'll benefit from a big improvement here.

If you are located in London or Docklands and want to experience how Gigabit Internet feels, then bring a laptop and visit us and we can plug you in :-) The SuperConnected cities project now includes areas in the UK from Newcastle-upon-Tyne to Chelmsford and Southend (and many other cities).

It is important to remember that the subsidy is only on the install costs and that you have to pay for ongoing costs, but you also reap the benefits at the same time.

Based on a postcode and phone number, we can check quickly which providers cover your area, and what the best deals are based on your requirements. Please do thus contact us for a quote with no obligation.

To further reduce the costs, if you have some neighbours who are also interested, you can split the costs and the benefits with them, so that you only pay for a portion of the ongoing costs but benefit from all the speed available. We've done this a number of times and can help to broker 'good neighbour' agreements on the lines. Sharing an Internet connection is still secure as you'll have your own firewall (something else we can help with if needs be).

See https://www.connectionvouchers.co.uk/cities/ for details of the cities that are covered. We can help you get quotes and fill in the paperwork (all electronic forms now) to apply for your voucher. Then call us on 020 7536 6350 to see how we can help or drop us a line via http://www.onega.net/contact .

Insource, OutSource, Co-Source or Tomato Sauce?

When it comes to managing IT in a small to medium (or even large for that matter) organisation; there can sometimes seem to be too many choices as to how to do things.

The tough job of the IT Director (or board level member or team) is to work out which is the best path for a given company. There are many conflicting options and vendor advice is often tainted by sales pitch and ulterior motive.

Before any decisions can be made, it makes sense to think about what decision is to be taken and why this is to be taken. Here some impartial outside advice can help. At Onega, we like to be highly ethical and recognise that if we are asked to help in these strategy decisions, there may be a conflict of interest given that we are a provider of IT services ourselves. To be blunt, we'd obviously stand to gain much more if a company was to choose to outsource all their IT to us than if they chose to manage it all in house. However, we also know that what is in the client's best interests is also in our own best interest in the long run and the most efficient mutual engagement will also be the one that endures the longest as it will be most advantageous all-round.

Onega are also willing to exclude ourselves from an Outsourcing tendering competition if it would mean a conflict of interest at the consultancy level. There is a lot of value in having an impartial partner on board to 'keep the other guys straight' and ensure you are getting what you pay for in service.

So do you insource, outsource or do things jointly? Here are some bits of advice we have and factors to consider in deciding what is right for your organisation:

  • How much resilience do you need in a service? - i.e. do you need a team to cover a role to allow for peaks in demand or would it not matter so much if a service was not provided for a particular period of time.  For example,  if only a single member of staff knows a particular process, then there may be problems if they go on holiday or are ill etc. A team may also be better able to spread the load when everything happens at once which it invariably does from time to time where a single person only has so much resource and capacity.
  • How much is absolute lowest cost an issue vs greatest value? As a rule, if you have enough work to keep a directly employed individual productively engaged the whole time, then this will be best done with direct employment. An outsourced provider and direct employer would (all things being equal) offer the staff member a competitive market salary, pension, taxes, benefits etc. However an outsourced provider also has to make some profit from the arrangement and contribute towards their operational overheads (rent, admin expenses etc.) where a larger organisation would also have to pay these but is already likely committed to paying the rent and HR etc. in any case. 
  • Do you need to formalise processes? In a small internal IT organisation, it can be a perennial problem to instill the discipline to implement full management reporting, job ticketing, ITIL processes (or subsets) etc. Internally this will always be hard, as when the phones are ringing (or email pinging in) the urgent matter of helping people with problems will always trump the not so glamorous work of documentation and formal process. Adding an element of external support can help to embed some formal process, as it becomes an inherent part of communications with and inside a client where the inside and partner organisations need to collaborate on matters. This can help get to optimal process adoption efficiency.

These are just a few factors. While the fashion is to outsource, it can be smart to do this selectively for projects and services that are outside the normal skill base of internal staff but to keep core resources in-house. There is also the motivation and allegiance of a member of staff to consider.  If an individual is working directly for an employer, then their allegiance will be to themselves, their family and then their employer; whereas an outsourced worker will have allegiance to themselves, their family, their direct employer and then their client, although as the outsourced services provider succeeds when the client is happy, this should be aligned. In some cases this might not be such a clear line.

Onega work in multiple forms of engagement with clients depending on what their needs are and what is right in the circumstances. If and where it is right though, we've had a number of successful and fruitful long term engagements with clients where our IT service desk staff augment the client's in-house resources. This can include providing overflow when it is very busy, an ear to sound ideas off (chances are that we'll already have done and learned lessons from a project you might be considering) and cover when someone is off. By having the skills and engagement from a couple of Onega team members at a client site, the costs for the client are minimal (typically a reasonable minimal number of committed engagement hours per month may be agreed and beyond this we are available flexibly for your service). This approach typically works for in-house IT staff as well as for company Finance, as this helps with keeping the balance of cost / benefit without the need for drastic offshoring which a company may come to regret.

If such an arrangement might work for you then please do feel free to give us a call and we'll be happy to meet and discuss.

Title image kindly from https://www.flickr.com/photos/calliope/439238208

A Visit to Bletchley Park

The National Museum of Computing, located at Bletchley Park, is an independent charity housing the largest collection of functional historic computers in Europe, including a rebuilt Colossus, the world’s first electronic computer and the WITCH, the world's oldest working digital computer. The Museum enables visitors to follow the development of computing from the ultra-secret pioneering efforts of the 1940s through the large systems and mainframes of the 1950s, 60s and 70s to the rise of personal computing in the 1980s and beyond.

Funders of the museum include Bletchley Park Capital Partners, CreateOnline, Ceravision, InsightSoftware.com, Google UK, PGP Corporation, IBM, NPL, HP Labs, BCS, the Drapers' Foundation, Black Marble, and the School of Computer Science at the University of Hertfordshire.

The museum is currently open to the public on Thursdays, Saturdays and Sundays from 1pm and on summer Bank Holidays. Guided tours are also available at 2.30pm on Tuesdays. There are often additional opening times for the public; see the website or the iPhone app for updates. Educational and corporate groups are very welcome and may visit on any day or evening by prior arrangement.

For more information, see www.tnmoc.org and follow @tnmoc on Twitter and The National Museum of Computing on Facebook and Google+. A TNMOC iPhone App is also now available from the iPhone App Store.

Be Strong, Stay Strong.

'Those that cannot remember the past are condemned to repeat it' - Paraphrased from George Santayana (1863 - 1952).

This is sometimes attributed to Winston Churchill, who had many wise words to say about many subjects. One of his related statements is at the bottom of this post for reinforcement of the point.

As with New Year's resolutions, everything starts off with good intentions; what happens after this makes the difference.

With IT, this is the same and experience has reminded me of this recently in no small way.

In life, do you prefer:
a) The gym (or your choice of exercise)?
b) The doctors (and not your choice of illness)?

Equally, do you like to:
a) Maintain and service your car to keep it in good order (or take it to the garage to do this for you)?
b) Wait until something breaks then fix it?

Hopefully the answer to both questions is A - put in the effort and enjoy the reward. This is not always possible, and that needs to be understood if the alternative of managed decay is selected. If you don't maintain yourself or your car (there are many other examples but hopefully these are easy to relate to), then you increase the risk of unexpected breakdown. Fixes are usually possible (in both example cases sometimes they are not, and the failure is terminal), but you suffer inconvenience at least, and delay, cost and suffering at worst.

An example of managed decay would be if you have a car that you enjoy but is not essential for travel, such as in a city where many options exist. You may not have the means to maintain the car in optimum order, or otherwise choose not to and accept that if the car fails as a result, you are inconvenienced but find the risk or cost-benefit acceptable (if you have a choice).

Now we must relate these general points to more specific IT issues which are in our professional remit and focus here at Onega and relating to client systems. 

Churchill's statement from the House of Commons records, on 2nd May 1935, related to the outcome of a conference between the UK, France and Italy on the subject of preserving Austria's independence, was:

“When the situation was manageable it was neglected and now that it is thoroughly out of hand we apply too late the remedies which then might have effected a cure. There is nothing new in the story. It is as old as the Sibylline books. It falls into that long, dismal catalogue of the fruitlessness of experience and the confirmed unteachability of mankind. Want of foresight, unwillingness to act when action would be simple and effective, lack of clear thinking, confusion of counsel until the emergency comes, until self-preservation strikes its jarring gong – these are the features which constitute the endless repetition of history.”