Control Your Spam!


It is presumed that nearly 2/3rds of email traffic is spam even though spamming is technically considered illegal by the federal US Government; the Federal CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) Act of 2003 has been largely unenforceable. It’s not just an annoyance though: spam is increasingly responsible for transmitting malware that can harm your computer, convince users to accidentally share private information, or – worse yet – turn your machine into a mindless spamming zombie.

Spam filtering and the response small business has to spam is therefore largely in the hands of individual users. Here are a couple of good ideas for approaching spam.

1. Create an internal email Acceptable Use Policy (AUP).

Demonstrate that the company is serious about controlling spam by creating email acceptable use policies. Policies reflect management intent – if management doesn’t set policy, management never intended to implement a control. Therefore, small business should officially encourage employees to avoid using their work email address for any unofficial purpose.

2. Install Technical Controls that enact the AUP.

Administrators responsible for the networks of small business should enable Technical Controls that reinforce the AUP and support best practices. These controls should include regular updates to anti-spyware, anti-spam, and anti-virus protections on workstations and server computers, and a regular patching process for operating systems. They should also involve auditing and compliance verification.

3. Email aliases should not be simple names.

Names like “Jack@” or “Mark@” are easily guessed by spam automation systems. Administrators for small business should create more random aliases like “mark.hayes@” or “mhayes@” to make it more difficult to guess at potential email addresses.

4. A number of reasonable precautions should be taken on the client workstation:

a. Turn off automatic acceptance of meeting requests. Automatic acceptance allows the spammer to know that they hit a live, working email address.

b. Turn off read-receipts. When a read-receipt is generated, it also notifies the spammer that the email address is valid, and the spammer will target more mail to it.

c. Turn off HTML rendering in preview screens. When a client reaches out to a graphic to display in an email, the act of downloading the image notifies the spammer’s server that a human potentially read the message, thus allowing them to target more effectively.

5. A number of reasonable precautions should be taken by end-users:

a. Do not open spam. Delete it immediately from your inbox.

b. Buy nothing from spammers. Buying only once will subscribe you to additional lists.

c. Never reply to spam and never unsubscribe from a list; this will only get you on another list.

d. Never provide personal private information (PPI) in email for any reason. Not only is email insecure, but no respectful company will ask you for PPI in email.

e. Never click on a hyperlink delivered in an email from somebody you do not know or trust.

f. Do not forward chain emails or letters. This only copies the email address of everyone you forward them to on to spam lists. Never broadcast bulk emails with public email addresses in TO:’s or CC:’s because all you’re doing is providing the spammer with more email addresses to spam to. Bottom line: don’t spam others.

g. Never contribute to a charity via email. This would more likely be a phishing attack.

6. And finally, some best practices for everyone:

a. Be conscious of where you post your email address. Never post your email address in a public space like forums, community groups, websites, blogs, IM’s, or in picture or video descriptions. Your email should always be obscured through the use of scripts and other technologies that prevent them from being “scraped” off the Internet.

b. Read the Terms and Conditions of the sites you submit your email to. Read the Privacy Policy. Know where you are submitting your PPI to and what they intend to use it for. Don’t subscribe to news or mail lists that don’t publish a privacy policy.

c. Do set up a spam email address separate from your normal email address. Use the spam address for public content and keep your private email address a secret. Use Google and its automatic, free anti-spam utilities for your spam email address. It’s free and simple.

d. Watch out for the little check boxes at the end of subscription processes that encourage your being contacted by third parties. 
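The client-side precautions in item 4 can be checked against a message before it is ever rendered. The following is an added example, not part of the original post: it parses a raw message and reports meeting invitations (4a), read-receipt request headers (4b), and remote resources an HTML preview would fetch (4c). The sample message and its `.example` hostnames are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers that ask the recipient's client to confirm delivery or reading (4b).
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To",
                   "X-Confirm-Reading-To")


class RemoteFetchFinder(HTMLParser):
    """Collects URLs an HTML-rendering mail client would fetch on display (4c)."""

    def __init__(self):
        super().__init__()
        self.urls = []      # every http(s) resource loaded automatically
        self.beacons = []   # subset: images sized 0 or 1 pixel (tracking pixels)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "img" else a.get("background")
        if not url or urlparse(url.strip()).scheme not in ("http", "https"):
            return  # cid: and data: images are embedded, so nothing is fetched
        self.urls.append(url)
        if tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            self.beacons.append(url)


def audit_message(raw):
    """Return the signals in a raw message that would confirm a live address."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {"calendar_invite": False, "receipt_requests": [],
                "remote_fetches": [], "beacons": []}
    for name in RECEIPT_HEADERS:
        if msg[name]:
            findings["receipt_requests"].append((name, str(msg[name])))
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/calendar":      # meeting request (4a)
            findings["calendar_invite"] = True
        elif ctype == "text/html":
            finder = RemoteFetchFinder()
            finder.feed(part.get_content())
            findings["remote_fetches"].extend(finder.urls)
            findings["beacons"].extend(finder.beacons)
    return findings


# Constructed sample message; all addresses and hosts are placeholders.
SAMPLE = """\
From: "Offers" <promo@mailer.example>
To: mark.hayes@company.example
Subject: Your invoice
Disposition-Notification-To: bounce@mailer.example
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See the attached invoice.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>See the attached invoice.</p>
<img src="cid:logo">
<img src="https://track.mailer.example/o.gif?id=mark.hayes" width="1" height="1">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for key, value in audit_message(SAMPLE).items():
        print(f"{key}: {value}")
```

A message that returns any of these findings only confirms the address if the client acts on it, which is why the settings in 4a through 4c are turned off.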

Spam, in some degree, is an unavoidable part of modern computing. There is, though, absolutely a direct correlation between the volume of spam received and the behaviors of managers, technology administrators, and end-users alike. Management should consider spam as a form of Denial of Service attack that takes resources away from the vital processing of legitimate email and can harm brand and reputation; technology administrators need to be more proactive in installing and monitoring defense safeguards; end-users must take on more personal responsibility for not sharing email addresses with others. Together, all of these parties can work towards a better, more constructive business solution.

R

New Microlecture – Information Systems

I’ve posted a new microlecture to my online content: Information Systems. This microlecture attempts to briefly define Information Systems and explain how IT relates to strategic business planning.

R

Google Profiles Become Relevant!

Google Profiles Screenshot

Google Profiles allow a person to construct a lightweight introduction to their habits, style, and work history, and for well over a year now, the information captured in Google Profiles hasn’t been introduced into Google’s search engine results. You’re able to plug in your name, interests, blog or website, and some instant messaging information. Well, as of last week, though, that changed.

Profiles can now appear in a separate section at the bottom of the natural relevance response, demonstrating a link, subtext, and a thumbnail picture of the matching profiles. This is a little like LinkedIn except incorporated into Google’s user interface. Complete profiles, it seems, take precedence in appearing in this section of Google’s search results; incomplete profiles are excluded from the result.

If you’re looking for a quick and easy way to help build up your SEO, this is probably a reasonable and inexpensive direction.

R

PPI Risks on the Rise – Should the Feds Intervene?

Recently, the Identity Theft Resource Center (ITRC) reported that more than 35 million data records were breached in the United States in 2008, covering 656 breaches from well-known US firms and government agencies who lost documents and data that were neither encrypted nor password-protected. That’s a 47-percent increase from 2007; the ITRC Report underscores both the increasing risk and the difficulty in managing personal private information (PPI).

Further, earlier this year, IBM reported that many corporations aren’t taking reasonable precautions to protect their consumer visitors from becoming victims of malware attacks. Poorly-secured websites are increasingly a concern to IBM’s customers and second-tier providers. And compounding this, yesterday, researchers found a massive botnet of 1.9 million infected computers belonging to consumer and government entities in the Ukraine.

Truly, consumer PPI is at increasing levels of risk yet – as a society – we’ve been very slow to take the threat of data compromise in a digital economy seriously. The federal government has historically been slow to respond forcing states to take up their own legislation on PPI breach: approximately 31 states have data breach notification laws and those requirements vary by state, and there isn’t a comprehensive dialog on government-mandated security precautions to be placed over the private sector. HIPAA, for example, classifies protected health information and dictates required security precautions under threat of civil and criminal penalty – aside from education records, the PPI of the federally-employed, consumer financial records, and the PPI of children under the age of 13, there are no other mandated forms of electronic security protection over PPI. That “due care” obligation is left to the expertise and foresight of the business owner which is often, sadly, incomplete.

The risk is great. All it takes is a mom-and-pop store to swipe a credit card to an insecure PC or wireless network, and the consumer’s PPI is at risk for potentially years – so long as that hard drive is online. My question is: given the dependency we have on e-commerce, should the federal government create a required guideline (like HIPAA’s Security Ruling) that mandates base-level security precautions for all businesses and their use of consumer PPI? What do you think – a practical approach to an increasing problem or just another big-government, unfunded mandate? Go ahead and reply to the blog – I’d love to hear your comments.

In the meantime, while you’re pondering that, a bit of advice. If you have a network server in your office running Microsoft Windows, take a few minutes to download Microsoft’s Baseline Security Analyzer and run it against the machine. This is a handy utility that inspects your system for known vulnerabilities and recommends courses of action to secure the server. Further, the MBSA tool can also be run against Windows XP and Windows Vista to identify similar vulnerabilities. Also, if you own a PC that doesn’t have access to professional management, read my tips on troubleshooting PC performance for suspected malware. Both of these steps are practical ideas you can take now to limit your risk of PPI theft.

R

The Website Gets a Face Lift

The astute will notice that the website got a once-over. Isn’t it great?! Isn’t it cool?! I so love it!

I must offer many kudos to my web developer, Workshed, for their time and attention to the design – a perfectly painless experience even given my unique requirements.

Now primarily its modifications will allow me to host the content that I’ve always wanted to provide: blog, forums, documents, online seminars, classes, and videos… everything under one roof.  There’s still a lot more work to do but getting the site up today falls right into Q2 goals for me.

Coming soon: more content, better ideas, and a more collaborative approach to education and managing technology. Thanks, y’all, to everyone, for your time and attention, and please feel free to join me in the new Forums for an ongoing discussion….

R

Response to a Survey

What follows is my response to a survey presented by a student for his networking class. I thought it’d be useful to share.

Hello Michael -

Just to cap: I’ve been in the technology industry for 14 years and have served many roles ranging from Analyst and Network Engineer to VP Information Technology. I’ve earned my CISSP and MCSE. These days, I’m a private technology consultant serving small to mid-range businesses.

1. What are the events of your typical work day?

Well, specifically related to network engineering, I support and administer 24 servers and their client networks, and terminal servers that are hosted by my firm. Every morning, I receive status emails from these servers letting me know their backup statuses and event log summaries. If the servers are experiencing a failure, or a critical problem, I intervene by logging into the system remotely to correct the problem. After correcting a situation, I let my client know of my status. I do preventative maintenance every month after Microsoft releases its patches (usually after the 10th). I also handle spot issues regarding user account maintenance, end-user support to the desktop, or application management (like database issues, configuration requirements, new installs, etc.). As I’m big on preventative care, I spend a lot of my time preventing problems before they happen. Sometimes, I have to do site visits to correct problems, but these are rare circumstances.

2. How did this line of work interest you and how do you get started?

Technology was always something that appealed to me. Around 2003, I was tired of working for other people who weren’t innovating any longer with technology. The one segment of the market that is innovating with tech is the small to mid-range business; enterprise is just in cost-containment mode right now and will be into the foreseeable future.  I got started by developing a business strategy, accumulating some start-up capital, and just jumping into it.

3. What job experiences led you to this job path?

I managed IT departments for around eight years, mostly over the Internet boom years. Fun times! I guess that I would have to say that I came to managing networks because it’s a valuable service and there’s a niche that I could be successful in. My approach is a little different than most IT professionals, so I like being a wildcard in what I do (grin). I also like working for myself which came from working for others over my career.

4. Can you suggest a way a student could obtain this necessary experience?

What’s amazing about this day and age is that nearly all production applications can be downloaded for trial. In being able to use the products hands-on, and learning from that experience, that’s just an extraordinary opportunity that simply didn’t exist when I was starting out. Combine that with all of the knowledge immediately available on the Internet, and a self-directed person can do quite well learning from their informal trial and error experience. Formal education, of course, is critical, more so just to pre-qualify for positions and pass the prerequisite hurdles to be considered. Vendor certification is also useful if you wish to specialize your knowledge to a specific vendor/solution, then market yourself within that niche. Job experience, like anything, involves somebody taking a risk on you. That means that you have to bring something else to the table besides your technical knowledge – maybe it’s personality, your understanding of the business, your ability to interface with customers and other staff, perhaps your ambition… whatever it is, you have to look at the “chicken and egg” problem from the perspective of the employer: why should I take a risk on you? Usually the answer to that question goes beyond your formal and informal training and certs. This is one element that’s critical to understand in an age of abundance. There’s fewer and fewer positions available and many applicants competing for those positions, both foreign and domestic. What extra value – not just your expertise or product knowledge – do you bring that somebody else can’t, or, won’t? Understanding that element is what will make you stand out.

5. What things did you do before starting in this field and what was the most helpful to starting out?

I tried. And failed. Tried, and failed. Every time there was a new technology, I downloaded the updates and tried using them. Ultimately I had to niche myself in those technologies that I feel comfortable with – you realize quickly that you can’t be an expert in everything, and admitting that to yourself will be helpful, but specializing in a niche is useful. I guess I was never very fearful of tech. I tried using new solutions whenever they came available to me.

I did the certs and got the formal education. These things are somewhat required. They’ll also condition your thought processes around solving problems instead of emotionally responding to problems. That will also separate you from others in the field.

I also networked a lot. Made contacts and friends who could pitch me when I wasn’t around. Helped out people and shared information at no cost whenever I could. Especially today: sharing information is just as valuable as knowing it and getting paid for it. I’d tell anyone today that social media of all sorts is your friend – leverage the heck out of it!

6. What are various job opportunities within your business?

I do a lot of 1099 work with tech professionals in areas of microcomputer support and programming (ASP, .NET, VB/Access). I do not hire employees, and that’s just the nature of the gig these days – talent can be requested on-demand, and I don’t need nor pay for the overhead of having a full-time staff. I employ people who stage and maintain microcomputers, help me support them/migrate user data and settings, reinstall applications. In terms of development, we do everything from thick-client applications to web-based solutions and custom data transformations/interfaces.

7. What do you like most about your career?

Flexibility. Relevance. Although, times are changing right now. The need for in-house IT staff is diminishing, and cloud computing is on the horizon. Fewer and fewer opportunities for technology professionals will be around. Instead, what we do see growing is technology professions using computers as a media, or, for art (digital entertainment, movies, games). These fields are growing. IT as a support mechanism is becoming more of a utility, and within ten years, what remains will be outsourced abroad at much lower costs than what can be supported by domestic US labor, or, it’ll become centralized to a vendor. So, I like my career, it’s constantly evolving, but if I’m not careful, I can easily be made irrelevant in the next ten years. So the question I have to ask myself is what differentiates me, and what extra value do I bring to an engagement? And then I must constantly transform myself around that answer. Many people in IT, I suspect, will be unable to make the transition from hard-skills knowledge work to more idea/conceptual-based knowledge work.

8. Do you find your job exciting or boring, and why?

Hmm. Exciting! I work too many hours in the week but I’m never bored. I also own the solutions that I create. When I get an ‘attaboy’ from a client, it’s because of something that I did, and I receive it, and not some other “boss” who clearly didn’t understand the benefit of what I accomplished (grin). I guess owning my own risks and results makes it all worthwhile.

9. What kinds of changes are occurring in your occupation?

Well, I think I addressed some of this already, but generally speaking, IT as a profession is dramatically shifting to a more utilitarian/service model. Processor, memory, and I/O will soon be handed out for free as a cheap commodity, and you’ll need to be paying for subscription services – like cell phones. Problems with tech will be rendered few and far between, everything will be pretty much automated in terms of setups, and the complex problems will be centralized to professional management organizations (vendors) who manage the data centers for hundreds of companies. Right now, Google has an 18,000 foot facility in The Dalles; Microsoft, they’re building a similar sized facility in Wenatchee; Oracle and IBM are already hosting huge applications for companies. All of this defrays risk and initial startup barriers so that firms can capture immediate capability at the lowest price. Because of this, it won’t make sense soon to host your own server internally – the cloud can do it more effectively, securely, and efficiently. This will be a dramatic transition for my niche: small businesses will have no server onsite nor phone system onsite – all of that cost will be transitioned to service-based relationships. That means, well, no need for support, or even some of the applications that I develop. Or everything is offered for free. Watching where the market is going – particularly when it comes to Microsoft and its microcomputer o/s and app rivals – is really big for me right now.

10. What are the skills that are key to advancing in your career?

The ability to communicate (written and oral); the realization that IT isn’t the business, but a business can use IT strategically to its benefit; constant education and re-training – either self-directed or formal; networking and establishing interpersonal relationships with others; reading (books, blogs, white papers). Never stop learning; our generation will always be retraining and retooling until we retire (if we retire, I suppose)….

Best wishes, Michael – hope that helps.
R


Microsoft to Small Businesses: You Pay Now, or, You Pay Later

Well – some interesting news this week from Microsoft.

Microsoft will officially end support for Windows XP Home and Professional on April 14, 2009. They’ve pledged to continue providing security updates for XP through 2014 but future bugs will not be fixed unless the customer pays a premium.

Meanwhile, XP continues to be sold on netbooks and through OEM channels as a “downgrade” from Windows Vista; HP just received confirmation that it could continue to resell XP Professional on its workstations through April 2010.

This is an interesting paradox for the small business. On the one hand, consumers are likely to continue purchasing equipment from OEMs with XP on it through next year even though support for bugfixes officially ends this month.

And that’s not even the icing on the cake: compounding this news, Microsoft revealed yesterday that an upgrade path from Windows XP to Windows 7 will not be possible.

So here’s the message: even though consumers may prefer to purchase XP, businesses that run Windows XP will face increasing compatibility issues with new software and devices; further, XP users will need to reformat their drives, reinstall their applications, and restore their data to install the next version of Windows. Heck, ntbackup isn’t even available on Vista – natively, backups and restores won’t be possible.

Now, according to Wikipedia, Microsoft still controls 86.3% of the o/s market between XP and Vista (XP accounts for 63-percent of all o/s installations and Vista roughly 24-percent); Microsoft is apparently trying to get the 6/10 machines to jump into Vista: unless you migrate to Vista first, the small to midrange business faces higher Total Cost of Ownership (TCO)/migration expenses for moving to Windows 7 – which would seem to greatly diminish its ROI.

So, literally, consumers are being financially punished for staying on Windows XP and avoiding upgrading to Vista – you’re either going to pay Microsoft now, or, pay for the mistake later with higher migration costs. It makes you wonder what alternatives consumers might turn to when facing the added TCO/migration expenses of an XP transition to Windows 7? Apple? Linux? Who knows? All I can say is that Microsoft’s decisions in these areas seem extraordinarily uncompetitive; it makes those competitors look much more attractive.

R

What’s the Value of an Education Anyway?

The other day, I was lecturing onground and got into the discussion of classroom attendance. Within that discussion, a student communicated that – to him – classroom attendance was entirely arbitrary. “We’re paying for it,” he insisted. He insinuates, of course, that there’s a customer service component to his education and that – as his professor – I’m something of a service provider: a proverbial clerk behind a counter whose purpose it is to hand over his degree and ring up the register.

Fundamentally, I think there’s a clear distinction between education and service-oriented industries, beginning with the fact that the student isn’t a customer. The student is a student. They’re required to attend to lectures and labs, perform the homework, do the reading assignments, and participate with their teams. I totally reject the argument that student = consumer and can redefine the process because they’re paying for it. That’s crap.

Interestingly enough, I see this attitude in younger students more often than adult learners. Maybe it’s a sense of entitlement, maybe it’s an overblown sense of consumerism, maybe it’s just lazy, but here’s the deal: a purchase was made and the purchase was a process. More mature learners seem to get that point. Education is a process and the process goes like this.

You attend the class; you read the book; you take the notes; you apply in lab and do your best at the lab (instead of rushing through it); you do your research; you master and present the material; you use appropriate methods and academic techniques; you’re quizzed and accountable for what you’ve learned; you participate with others to ensure delivery of your assignments. And that’s the gig.

If you aren’t doing the process, you aren’t getting an education – circumventing the process short-circuits the value of the degree for everyone and damages the reputation of the institution. Aside from that, clearly the process teaches critical thinking; it teaches patience and perseverance; it teaches cooperation and collaboration with your peers; it teaches methods, standards, style; it teaches positive habits for learning and processing information that are invaluable throughout your entire life.

Heck, let’s face it: if you’re not into doing the process, it’s just a lot faster and cheaper just to get the 2-week degree from the University of Jamaica Online and I’d dare say that process would yield zero-value to your career or future earning potential.

What are you buying when you make an investment in education? You’re not buying the right to a piece of paper and you’re not entitled to it outright. You’re not buying my time as a professor, nor are you entitled to reshape my time and my curriculum to your benefit. Instead, you’re investing in the process that helps hone your thoughts, skills, critical thinking, and confidence, and when you apply for a job with a degree on the resume it’s a demonstration to the reader that you started, financed, and completed that process – demonstrating tenacity, sacrifice, willpower, and an ability to achieve. It’s also a reflection of the process found at a particular institution. That is the true value that arises from education, and there is absolutely no value in ignoring its expectations.

R

How Could Cloud Computing Help Your Company?

A New Way of Doing IT

Cloud Computing represents a new way of doing IT and – for many reasons – represents the future of small to mid-range business computing. The premise behind Cloud Computing is that there is better economy of scale through centralizing services to online providers; expenses and risk that would normally fall within the responsibility of your company can be transferred from your budget to theirs, and fixed through contractual pricing.

Combined with other popular industry initiatives like Open Source, Cloud Computing offers real opportunity for businesses to completely re-think the way that they manage IT services. Fundamentally, most small to mid-range businesses don’t have a dedicated IT staff and aren’t experts at managing information services – IT isn’t their core competency. Therefore, Cloud Computing offers an alternative approach to offering and maintaining IT services through self-service over the web.

Literally: imagine a world where information is everywhere, to employees and customers alike, ubiquitous to every device and software that you own, and your company doesn’t even own one server – and to boot, most of this capability is free and it’s available on day one.

Mickler & Associates, Inc. is uniquely positioned to help your company:
  • Identify how a Cloud Computing strategy might fit within your organization
  • Determine ROI Dashboard based off Cloud Computing initiatives
  • Transition Windows-based applications to hosted terminal services
  • Identify open source software alternatives to commercial software packages
  • Execute a Cloud Computing strategy with software and hardware expertise

Computing models and frameworks are radically changing. We believe that companies who take advantage of Cloud Computing now have an initial window of 4-8 years from 2009 of TCO (Total Cost of Ownership) and software licensing expense reductions that undercut similar in-house expenses made by their competitors. Let us show you the way.

R