5 Tips to Secure Digital Devices in High-Risk Situations

Traveling to a high-risk area can expose your electronic devices to hacking or data theft risks. Here are five recommended steps to secure your devices and protect your sensitive information.

  1. Back up your data before you travel – Make sure you have a copy of your important files and documents in a secure cloud service or an external hard drive. Don’t bring the backup to the risky area; leaving it behind preserves a copy of your critical data so you can restore it if your device is lost, stolen, or compromised.
  2. Encrypt your devices and use strong passwords – Encryption is a process that scrambles your data and makes it unreadable without a key or a password. You can encrypt your entire device or specific folders and files. Use a strong password that is hard to guess and different for each device and account. You can also use a password manager to store and generate passwords securely.
  3. Disable or remove unnecessary features and apps – Some features and apps on your devices can make you more vulnerable to hacking or data theft. For example, Bluetooth, Wi-Fi, GPS, and NFC can be used to track your location or access your data without your permission. Disable or remove these features and apps when you are not using them or when you are in a public place.
  4. Use a VPN and avoid public Wi-Fi networks – A VPN (virtual private network) is a service that creates a secure connection between your device and the internet. It encrypts your data and hides your IP address, making it harder for hackers or third parties to intercept or monitor your online activity. Avoid using public Wi-Fi networks, such as those in hotels, airports, or cafes, as they are often unsecured and can expose your data to hackers or malicious software.
  5. Be vigilant and cautious – The most important step to secure your devices is to be aware of the potential risks and take precautions to avoid them. Do not leave your devices unattended or lend them to strangers. Do not open suspicious emails or attachments or click on unknown links. Do not download or install software from untrusted sources. Do not enter sensitive information on websites that are not secure (look for the padlock icon and https in the address bar). If you notice any signs of hacking or data theft, such as unusual activity, pop-ups, or messages, disconnect from the internet and scan your device for malware.

Technical Interview Questions

Technical interviews are an attempt by a hiring team to ask the correct questions of a candidate to determine if they would be a good technical fit for the open position.

These questions can sometimes uncover missing segments of knowledge that might identify opportunities for the candidate, or even disqualify the candidate for the open position. That is good information to know before you initiate the hiring process, but it can also help identify specific talents or abilities in a candidate that are above and beyond the minimum knowledge expected.

One of the obvious pitfalls of the technical interview is if the questioning turns into more of a trivia contest than a verification of expected knowledge.

One way to determine if a candidate knows how to solve a problem is to give them a problem and ask them to solve that problem during the interview. Sometimes the problem can be a specific technical issue, or a theoretical problem that is just to see if they can determine a simple solution using just the facts presented.

I have asked a simple question to candidates in the past that doesn’t really apply to the job opening they are applying for, but does provide insight into how they identify the issue, think through the possible answers, and provide them an opportunity to present their ideas.

Why is a manhole cover round?

You may never have thought of this question before, but why is a manhole cover round? You want the candidate to consider the possibilities and try to provide possible reasons for this design choice. It has nothing to do with the position they have applied for, but it will give a hiring manager an idea of how this person will respond to a problem that seems to come out of left field.

Do they think through the question or just respond with “I don’t know” and quit? Have them speak about what they think about the question. Do they have an opinion about why they aren’t square, hexagon, or even oval in shape? Have they seen a manhole or know what they are used for in everyday life? Why do they think some manhole covers are not round?

Hopefully they can speak to possible reasons, which gives you the opportunity to ask how they would find a suitable response. If they just want to Google the answer, maybe ask them what else you might do to get a suitable answer if there isn’t a consensus on Google.

The possible correct answers are:

  • Manhole covers are round because it is the best shape to resist the compression of the surrounding soil.
  • Round manhole covers are easier to manufacture, move, and place than square or rectangular ones. The heavy covers can be easily rolled into position.
  • A round manhole cover sized to fit the opening cannot fall through the circular opening, unlike other shapes. No one wants a 100-pound manhole cover dropping onto their head.
  • The cover doesn’t have to be aligned in any specific angle to be placed back onto the exposed manhole. Other shapes would require precise alignment.

Years ago, there was a candidate that guessed the covers are round because the men accessing the opening are also round. While this is funny, I don’t think that was a design consideration.

I hate interviews that turn into trivia contests, so I’d much rather be asked a tough question that allows me to show my ability to use my brain to find solutions instead of just demonstrating my ability to memorize technical trivia that anyone could easily look up.

Sources:
(1) Why Are Manhole Covers Round? | Mental Floss. https://www.mentalfloss.com/article/60929/why-are-manhole-covers-round.
(2) Why are manhole covers round? | Live Science. https://www.livescience.com/32441-why-are-manhole-covers-round.html.
(3) Why Are Manhole Covers Round? – ScienceABC. https://www.scienceabc.com/eyeopeners/why-manhole-covers-circular-not-triangular-square-rectangular.html.
(4) The Surprisingly Technical Reason That Manhole Covers Are Round. https://www.envirodesignproducts.com/blogs/news/the-surprisingly-technical-reason-that-manhole-covers-are-round.

5 Common Types of Cyber Attacks

Cybersecurity is a crucial aspect of any organization that relies on digital systems and networks. Cyberattacks can cause significant damage to the reputation, operations, and finances of a business, as well as compromise the privacy and security of its customers and employees. Therefore, it is important to understand the different types of cybersecurity attacks, how they are used, and how they can be prevented.

In this blog post, we will discuss 5 common types of cybersecurity attacks that every organization should be aware of and prepared to remediate.

Types of Attacks

1. Malware
Malware is a term that encompasses various types of malicious software, such as viruses, worms, trojans, ransomware, spyware, adware, and more. Malware can infect a computer or device through phishing emails, malicious links, downloads, or removable media. Malware can perform various harmful actions, such as deleting or encrypting data, stealing information, spying on user activity, displaying unwanted ads, or hijacking system resources.

To prevent malware attacks, organizations should use antivirus software and firewalls, update their systems and applications regularly, avoid opening suspicious attachments or links, and educate their employees on how to recognize and avoid phishing emails.


IT Security Manager Responsibilities

What are the day-to-day responsibilities of an IT Security Manager?

An IT Security Manager is a technology professional who oversees the security of an organization’s information systems and networks. They are responsible for planning, implementing, and monitoring security policies and procedures to protect the organization from cyber threats and ensure compliance with relevant regulations and standards.

An IT Security Manager requires a combination of technical skills, such as knowledge of network security, encryption, firewalls, antivirus software, etc., and soft skills, such as communication, leadership, problem-solving, teamwork, etc. An IT Security Manager typically has a bachelor’s degree in computer science, information technology, cybersecurity or equivalent business experience. They may also have relevant certifications (CISSP, CISM, Security+, CASP+, CEH, etc.) to demonstrate specific skills and knowledge. An IT Security Manager may work for various types of organizations, such as government agencies, corporations, nonprofits, educational institutions, etc., depending on their industry and size.


Top 10 Cybersecurity Team Effectiveness Metrics

What are the top 10 metrics used to measure cybersecurity team effectiveness?

Cybersecurity is a vital aspect of any organization that relies on digital systems and networks. However, measuring the effectiveness of a cybersecurity team can be challenging, as there are many factors and variables involved. In this blog post, we will explore some of the most common and useful metrics that can help assess how well a cybersecurity team is performing and where they can improve.

1. Mean time to detect (MTTD) – This metric measures how quickly a cybersecurity team can identify a potential threat or incident. The lower the MTTD, the better, as it means that the team can respond faster and minimize the damage.
2. Mean time to respond (MTTR) – This metric measures how quickly a cybersecurity team can contain and resolve a threat or incident. The lower the MTTR, the better, as it means that the team can restore normal operations and reduce the impact.
3. Mean time to recover (MTTR) – This metric measures how quickly a cybersecurity team can restore the affected systems and data after a threat or incident. The lower the MTTR, the better, as it means that the team can resume business continuity and reduce the downtime.
4. Number of incidents – This metric measures how many threats or incidents a cybersecurity team has to deal with in a given period. The lower the number of incidents, the better, as it means that the team has a strong security posture and can prevent most attacks.
5. Severity of incidents – This metric measures how serious or damaging a threat or incident is for an organization. The lower the severity of incidents, the better, as it means that the team can mitigate most risks and protect the most critical assets.
6. Incident response rate – This metric measures how many threats or incidents a cybersecurity team can successfully handle in a given period. The higher the incident response rate, the better, as it means that the team has enough resources and capabilities to deal with all challenges.
7. Incident resolution rate – This metric measures how many threats or incidents a cybersecurity team can successfully resolve in a given period. The higher the incident resolution rate, the better, as it means that the team has effective processes and tools to eliminate all threats.
8. Cost of incidents – This metric measures how much money an organization loses due to threats or incidents in a given period. The lower the cost of incidents, the better, as it means that the team can minimize the financial losses and optimize the security budget.
9. Customer satisfaction – This metric measures how satisfied an organization’s customers are with its security performance and service quality. The higher the level of customer satisfaction, the better, as it means that the team can meet or exceed customer expectations and build trust and loyalty.
10. Employee satisfaction – This metric measures how satisfied an organization’s employees are with its security culture and environment. The higher the employee satisfaction, the better, as it means that the team can foster a positive and collaborative atmosphere and retain talent.

These are some of the most common and useful metrics that can help measure cybersecurity team effectiveness. However, they are not exhaustive or definitive, and each organization may have different goals and priorities when it comes to security. Therefore, it is important to customize and adapt these metrics according to each organization’s specific needs and context.

TIOBE Index for May 2023 – Which Programming Language is Most Popular?

Have you seen the latest TIOBE rankings report?

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third-party vendors. Popular search engines such as Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube and Baidu are used to calculate the ratings. Observe that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.

It has been stated before, programming language popularity is rather stable. If we look at the first 10 programming languages in the TIOBE index, then C# is the youngest of them all. C# started in 2000. That is 23 years ago! Almost every day a new programming language is born, but hardly any of them enter the top 100. At least not in their first 10 years. The only languages younger than 10 years in the current top 100 are: Swift (#14), Rust (#17), Crystal (#48), Solidity (#59), Pony (#71), Raku (#72), Zig (#88) and Hack (#92). None of them are less than 5 years old. In other words, it is almost impossible to hit the charts as a newbie. On the contrary, we see that golden oldies revive. Take for instance Fortran, which is back in the top 20 thanks to the growing demand for numerical computational power. So, if you have just invented a brand new language, please have some patience! — Paul Jansen CEO TIOBE Software

You can read the details of how and why languages are popular at the TIOBE website. If you are a developer, you will find this information interesting.


Starting Your Cybersecurity Career

Cybersecurity as part of an overall Information Systems environment has existed for many years, but recent cyber-attacks have forced companies of all sizes to focus on cybersecurity to enhance security, protect sensitive customer and employee data, and to prevent damage to their corporate brand. Maybe you are looking to jump into a cybersecurity career? I have some basic tips to help you make the leap to a rewarding career in cybersecurity.

  1. Skills – A company only wants to hire the best employees, usually for the lowest wage possible. Your salary is usually based on your skills, experience, and the local market. If you haven’t got any relevant experience, and you can’t demonstrate relevant skills, you may never get a cybersecurity job and you’ll definitely be underpaid if you do get a job. The best way to demonstrate skills without experience is an industry recognized certification. While having a degree in cybersecurity will open some doors, an EC-Council Certified Ethical Hacker (CEH), CompTIA Security+, or many other certifications will help demonstrate you have the knowledge and skills to tackle the complexities of cybersecurity. Look at job postings to see what types of certifications are needed or common for the type of job you want to pursue. You can get a free certification called Certified in Cybersecurity from (ISC)², the same cybersecurity professional organization known for the popular CISSP certification. Just sign up as an (ISC)² Candidate. When you’re ready to sit for the exam, you can find your exam promo code on the Candidates benefits page. Please note that you may only use the exam promo code once. To register for your exam at a Pearson VUE test center, visit https://www.isc2.org/Register-for-Exam
  2. Experience – This can be the most difficult thing for a beginner to accomplish. How can you be expected to gain experience if you can’t get a job without experience? You can try internships, a part-time job, freelancing for a few friends or associates, volunteering at a local non-profit, or complete Capture-the-Flag (CTF) challenges. These are all great ways to gain hands-on experience in cybersecurity, maybe without giving up your normal job. These initial experiences will not only help you determine if this career is right for your personality and lifestyle, but it will also build your skills and experience to enhance your resume.
  3. Awareness – Most of what is happening in cybersecurity isn’t mainstream news. You need to follow some basic industry news sites (securityweek.com, thehackernews.com, bleepingcomputer.com, etc.) to learn about new attack methods, attend cybersecurity conferences to listen to experts and vendors, participate in free webinars to learn new skills, and join online or local communities to meet your future coworkers. These relationships and information are usually free (or low-cost) ways to stay informed about emerging threats, hacking tools, and industry best practices in the field. Being a well-informed cybersecurity professional adds value to your portfolio and can attract interest from an organization during an interview.
  4. Relationships – By networking and building professional relationships, you can create a strong professional network that can possibly offer you mentorships, job referrals, information about recent job postings, or just someone to talk to when you need a pep talk.
  5. Attitude – You’ll probably meet a few people who still think of security professionals as teenagers living in their parent’s basement trying to hack into the Pentagon or the local video game store. You’ll need to demonstrate your professionalism in actions and appearance. Cybersecurity professionals have access to critical and sensitive business information, so you’ll need to demonstrate you can handle that responsibility with the highest standards of conduct, ethical behavior, and professional demeanor. This includes while at a job interview, attending a conference, and while talking to colleagues or friends. Don’t give anyone a reason to second-guess the opportunity to recommend you for a job.
  6. Focus – Learn everything you can and stay focused on the prize. Don’t take half steps toward getting that dream job in cybersecurity. There are entry-level jobs out there, you just need to be persistent and patient to find the hiring manager willing to give you a chance. The more you know, the more you’ll find out how much you don’t know about cybersecurity. Accept your limitations and lean into finding an entry-level position. Stay curious and accept you have a ton to learn, but demonstrate a willingness and ability to learn.

These are the basic building blocks to finding a rewarding career in cybersecurity. Some people find it easy and get an entry-level job a few weeks into their job search, while others can spend months without any luck. It doesn’t mean you are doing something wrong. Stay positive and focused and you’ll eventually find success.

TIOBE Index for January 2023 – Which Language is Most Popular?

Have you seen the latest TIOBE rankings report?

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third-party vendors. Popular search engines such as Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube and Baidu are used to calculate the ratings. Observe that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.

Scripting language Lua is back in the top 20 of the TIOBE index. In its heyday in 2011, Lua briefly touched a top 10 position. Whether this is going to happen again is unknown. But it is clear that Lua is catching up in the game development market: easy to learn, fast to execute, and simple to interface with C. This makes Lua a perfect candidate for this job. One of the drivers behind the recent success of Lua is the very popular gaming platform Roblox, which uses Lua as its main programming language. –Paul Jansen CEO TIOBE Software

TIOBE also announced that C++ is the programming language of 2022. You can read the details of how and why at the TIOBE website, as well as see the runners up (C and Python). If you are a developer, you will find this information interesting.


What is an Enterprise Architect?

Wikipedia defines an Enterprise Architect (EA) as “a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a holistic approach at all times, for the successful development and execution of strategy. Enterprise architecture applies architecture principles and practices to guide organizations through the business, information, process, and technology changes necessary to execute their strategies. These practices utilize the various aspects of an enterprise to identify, motivate, and achieve these changes.”

On a daily basis, an EA’s activities can change quickly and dramatically. I won’t go into organizational models of enterprise architecture organizations, but we’ll explore the role and responsibilities of an EA. Understanding the role of an EA will help us understand the typical daily challenges.

Skills

Technology expertise is an obvious skill required for a true EA, but technology skills are not the only skills you will need. There are other essential skills:

  • Motivational – EAs must be able to motivate and inspire. A large part of the job is to influence or evangelize ideas.
  • Negotiation – There will be times at meetings when an EA must negotiate to get things accomplished.
  • Critical Thinking – Being able to think quickly and see the “big picture” is essential
  • Problem Solving – EAs must be able to evaluate and solve problems
  • Big Thinking – An EA must avoid tunnel vision and be able to look at a problem from multiple angles
  • Business savvy – To really understand how technology will affect the business
  • Process Orientation – Thinking in terms of process is essential for an EA
  • People Skills – An EA’s job requires interacting with people constantly

Challenges

There are impacts to multiple areas, each of which has its own unique set of challenges. The three major areas that should be considered are:

  • Production Processes – These processes support the promotion of software to production environments, change management, and support of solutions after they are in production.
  • Production Systems – Systems that are in the production environment are often not isolated; they are deployed and configured into environments that have dependencies and restrictions.
  • Production Teams – Teams that support and deploy these solutions have unique processes and procedures. There is both a process and an organizational perspective on this.

Production Processes

EAs should be mindful of production processes because they affect the cost, quality, and resiliency of software. EAs can have a positive impact on these processes by being involved in the following core production processes:

  • Configuration Management – EAs can optimize these efforts, both in the design of the architecture and in providing insight into the rest of the organization, possibly standardizing this process.
  • Change Management – EAs are typically not involved in this process, but they need to be mindful of the impacts to solutions since they could have many different relationships with other solutions and altering a solution could create downstream challenges.
  • Incident Management – EAs do not generally engage in this process either, but they need to be mindful of it because incident management data can be of great value. The data collected here can correlate with other data to help EAs gauge how much an architecture costs.

Production Systems

EAs perform a set of activities that involve existing production systems quite often. By doing so, they serve multiple roles, both in participation and leadership for the following activities:

  • FutureState Architecture – When EAs determine a direction for a set of business problems, a solutions road map and architecture envisioning occurs.
  • CurrentState Review – This process involves an EA engaging with a LOB owner or post-production maintenance teams.
  • Strategic Initiatives – EAs can shape strategic initiatives that result when other forces besides a formal planning process trigger evaluation of current solution architectures.

EAs encounter both technology and operational aspects when reviewing and re-architecting solutions. It’s important to keep in mind that these concerns are not just related to software, but can include a mix of hardware, communications, and software aspects. These aspects stem from a set of enterprise functions, which include:

  • Shared Services – EAs consider whether or not particular solutions should use shared services.
  • Solution Dependencies – Solutions often communicate with other solutions for additional functionality. Unless the current state architecture is fully mapped, there are a seemingly endless number of interdependencies throughout enterprises.
  • Environments – EAs often consider unified management and consolidation of platform environments.
  • Constraints – EAs take in limitations or constraints to architectures for various reasons. Some COTS-based solutions limit the API usage, for example, while other custom-developed solutions are built not to be extensible.

Production Teams

Various post-production maintenance teams are required to do most work on existing architectures, because design documents are created during the SDLC process that can quickly become outdated. Unless the architecture is fully documented through the post-production life cycle, EAs rely on these teams. Teams that are engaged usually consist of:

  • Maintenance Team
  • Operations Team
  • User Support Team

These teams offer perspective into multiple domains of consideration when making architecture decisions.

You can find more information on EAs here.

How to Spot a Bad Boss During an Interview

In a Harvard Business Review article by Sara Stibitz, she outlines how to spot a terrible boss during the interview process. The process is a fairly well-known list of items to watch for during an interview, but it doesn’t hurt to remind you of those items you should be aware of during this important process.

You should know what kind of person you respond well to, and make sure your new boss meets those requirements. You might not have a choice when looking for that new job, but if you do have a choice, you should also interview that new boss to make sure he or she is someone you can spend a lot of time with.

You should also trust your instincts to make sure if it feels wrong, abort the process and look elsewhere for an open position. The interview process is a lot like dating in that everyone is on their best behavior during the interview process. People dress up and at least act like they care about you and the company. If you can’t stand them or if they appear to have habits that seem annoying or unprofessional, it probably won’t get better after the job starts.

Ask a few well-crafted questions to determine how the day-to-day assignments are handled and whether the overall management style will fit with your work style and personality. If you like a little extra flexibility in how to complete tasks and the description from your prospective manager indicates they like to exert a lot of strict controls, you might not be a good fit for this position.

Always do your research before you appear for your scheduled interview. Check for specific comments about the company or department, and also see what you can find out about the prospective manager. Most people start with LinkedIn and Facebook, then go to sites like Glassdoor to get the details on complaints or former employee reviews. If you have doubts about someone or a company, it doesn’t hurt to start asking questions to anyone who might have some answers.

Principles to Remember

Do:

  • Pay attention to how the manager treats you throughout the interview process
  • Research the manager, and if possible, find former employees to ask for their perspective
  • Request to spend a half-day at the organization so you can interact with your potential colleagues and boss

Don’t:

  • Ignore your gut instincts about the manager as you go through the interview process.
  • Ask direct questions about leadership style — you’re unlikely to get an honest answer, and they might signal with their response that you don’t want the job. Feel out their style using simple questions to determine if they manage or lead their team.
  • Neglect to look up your potential boss’s social media profiles.

Common Database Design Mistakes

When creating a new database instance, people will often make mistakes. While I can’t list all the mistakes that people can or will make, I hope this brief list will help you know what mistakes are possible, and help guide you to not making as many mistakes. Sometimes we attack a design problem with the idea that we will just get the work done, but most times it is better to take the extra time to do it right.

I’m not perfect, and I have made these (and many other) mistakes in database design. I’m not trying to tell you what to do or even how to do it. I’m just trying to take my lessons learned and provide a simple list so that you might not make the same mistakes. I also want to point out that no list will ever be the only way to do anything. With database design questions, the best answer is usually “it depends”. When considering the many variables that make up your environment, you will need to make many decisions that help your database instance work best in your unique environment. You have to take into account the personnel you are working with, the limits of your hardware, company policies, etc.

Database design and implementation is the cornerstone of any database related project and should be treated with the importance it deserves. If you do your job really well, people will tend to minimize how important your job is in getting their projects completed. Like a police department that does a good job catching and locking up criminals, people start wondering why they need so many policemen when the crime rate goes down. People might start asking why they need your help in getting good database design, but it will only take a few failed projects for them to come back to you for your professional help.


TIOBE Index for March 2022 – Which Language is Most Popular?

Have you seen the latest TIOBE rankings report?

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third-party vendors. Popular search engines such as Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube and Baidu are used to calculate the ratings. Observe that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.

Scripting language Lua is back in the top 20 of the TIOBE index. In its heyday in 2011, Lua briefly touched a top 10 position. Whether this is going to happen again is unknown. But it is clear that Lua is catching up in the game development market: easy to learn, fast to execute, and simple to interface with C. This makes Lua a perfect candidate for this job. One of the drivers behind the recent success of Lua is the very popular gaming platform Roblox, which uses Lua as its main programming language. –Paul Jansen CEO TIOBE Software

You’ll also notice Python has moved to the top, and Java has lost some popularity and is down to 3rd.


Don’t be Stupid

Are you a man in IT who thinks a woman can’t do your job? Do you think that what you do (writing software code, creating database objects, or managing a project) is just too hard for a woman? Yes, there are still people who believe this and they are also stupid and sexist. This interesting article explains why this outdated thinking is stupid, and where this type of thinking still exists today.

This is “Amazing” Grace Hopper. She took leave from Vassar to join the Navy, where she invented or helped invent the entirety of all modern computer science, including nearly every wimpy-ass tool your wimpy ass laughingly refers to as “coding.” Compared to her, you’re nothing but a little kid playing with Tinker toys. Tinker toys she invented, by the way.

You want to see hardcore programming? I’ll show you hardcore programming:



This is what real hardcore coders do. No compilers, no syntax checkers, just a teletype machine and a bunch of fucking switches that change the computer’s memory and registers directly.

And you know what? For her, that was luxury. She and all the other early computer programmers–almost all of whom were women, by the way–started out programming by plugging patch cords into plugboards, because that’s how they rolled.

Women have a long and important history with technology, and your time would be better spent on improving technology instead of wasting time thinking men are better than women.

TIOBE Index for January 2022 – Which Language is Most Popular?

Python started at position #3 of the TIOBE index at the beginning of 2021 and left both Java and C behind to become the number one of the TIOBE index. But Python’s popularity didn’t stop there. It is currently more than 1 percent ahead of the rest. Java’s all-time record of 26.49% ratings in 2001 is still far away, but Python has it all to become the de facto standard programming language for many domains. There are no signs that Python’s triumphal march will stop soon. – Paul Jansen CEO TIOBE Software


How to Be More Productive

Wake Up With More Energy

Many people feel tired in the morning not because they didn’t sleep enough but because they have low blood sugar. Stabilize your blood sugar and get more/better sleep. Right away, a lot of people will go from feeling groggy to feeling alert when they wake up.

Double Your Reading Speed in Five Minutes

Write down a sentence, any sentence that has eight to 12 words and fills a single line on a page or screen. If you read it by starting your fixation on the first word of the line and ending on the last word, you’re wasting about 50 percent of your peripheral vision on margins. Instead, simply make your starting point two or three words in from the left side and your ending point two or three words in from the right side; you will double your reading speed. You can try this by underlining that portion of the sentence as a guide. You still see the edges of the text, but you’ve eliminated the margins.

How to Take Good Notes

It is important that you can review what you’ve been told as quickly as possible, particularly in a technical position where things can get very complicated.  You might be tempted to memorize a list of requests or even recall a technical discussion from memory, but I’m going to tell you right now that you will not always be successful.

I have been in the IT field for many years, and I’ve seen too many people rely on memory to recall technical details and they are just never 100% accurate. You need to write down everything, and even that will not be 100% successful, but your success rate will be higher than using just your memory. It is also helpful in disputes about what was actually said during a meeting. You say they asked you to do “x”, and they say that they told you to do “y”. If you pull out your written notes and they say “x”, you will probably win that argument.

Steps to Note Taking

  1. Buy a notebook – No matter how you want to store your notes, you need a notebook. Even if you plan to electronically store your notes for easy searches and printing, you want to start with a paper notebook. This will give you a platform for quick notes, drawing diagrams, etc. Never cross your personal notes and business notes. One notebook for work, and if it isn’t related to work it doesn’t go into that notebook. This can be a simple composition notebook, spiral notebook, cheap ruled pad of paper, etc.
  2. Blog your notes – Once you have completed the work day, or even the next morning, copy your notes to a private blog site. You want this private blog to be blocked from public access, but this blog will allow you to easily search through your notes and find keywords. This is also the perfect time to clean up your notes and add details you might not have thought important during the actual meeting. You want to do this while the events are still relatively fresh in your mind.
  3. Structure – As the meeting starts, you need to be prepared for the meeting by having turned to a blank page in your notebook. Write the subject of the meeting at the top of the page, along with the date and time of the meeting. Note who is attending the meeting, including people connected remotely. Take notes about questions asked, answers provided, and action items assigned to each person. Take notes like you might be asked to recreate the meeting by a police investigator a year from now. You want to take enough notes that you can speak intelligently about what was discussed, who was asked to do which tasks after the meeting, the names of everyone attending, and any unresolved items from the discussion. Never assume you will remember all these items 1 week later, much less a year from now.
  4. Listening – By listening to everyone else in the meeting, you should be able to pick up on important items for that person. If it seems important to them, maybe because they are stressing the item, you should probably write it down for your notes. Even if nothing important is discussed, your notes should say that.
  5. Write Neatly – You will probably need to read these notes again really soon, especially if you later move them into an electronic format, so make sure you write in a way that you can read the notes at a later time. When possible, write in complete sentences and use bullets and numbers to note important items. Don’t be afraid to underline important notes, using stars to point out assigned tasks or questions that you need to answer later. Use diagrams or sketches to illustrate important concepts or to copy whiteboard discussion notes.

Once you get into the habit of taking useful notes, you will develop a system that works best for you and the way your brain works. As your responsibilities grow and you are expected to manage more complex and expensive projects you will want to have already developed the skills to keep track of those projects without getting lost in the details. Start early and develop a system now that allows you to record all the important information, and it won’t be so difficult later. People will quickly lose confidence in your abilities if you forget assigned tasks from your meetings, can’t remember what was discussed from week to week, or can’t remember who made important decisions from 5 meetings ago.

 

 

Biggest Security Concerns Facing Your Business

You should be concerned about the security risks facing your company. Most business leaders seem to approach the risk of a breach by acknowledging that they will eventually be breached, then trying everything they can to reduce the risk and deciding how they will deal with the PR issues when it happens. Your business needs to acknowledge the need for an information security program, so you can significantly reduce the risk of a successful attack. You should also begin deciding how you will respond to an attack.

You need to understand what your business stands to lose in the event of a successful attack. Depending on the scale of the breach and the size of your business, the impact could be catastrophic. What is at risk from a successful attack?

  • Data Compromise – Loss of customer or vendor data crucial to your business operations.
  • Loss of intellectual property – You might have unique business data or knowledge that makes your business unique in your market segment, and that edge would be lost if the data is published on the internet.
  • Government or Regulator Fines – Breaches could lead to massive fines from business regulators and the government.
  • Lawsuits – Lawsuits from clients or business partners could lead to an unrecoverable financial situation.
  • Brand Identity – If people can’t trust your business to protect their data, they may move their business to your competitor.

If a hacker gains unrestricted access to your entire business infrastructure, you could experience some or all of these issues and it could take months (or years) to fully recover. It is also possible that the financial impact will be so severe that your business will never recover from a breach. As the risks to business security grow more sophisticated, the need for your business to be at the forefront of security initiatives is even more important.

Eight Years Later

It has been over eight full years since I started this technology blog. I originally created this blog as an easy to search reference for SQL Server information, really for my own personal use. This started as a place to store example scripts, techniques, and information about SQL Server. It has now grown to include information about many of the subjects I deal with in my professional life. These subjects include programming, cybersecurity, certification, and project management.

Here are some basic facts to entertain you on this historic occasion:

  • This site has been in place for eight years, and I have posted over 1500 individual posts.
  • I was posting at least one post for each calendar day for the first three years, but now I try to post each Monday morning.
  • The site now gets about 1500 visitors per week (more than 200 visitors per day), with about 250 page views per weekday. There doesn’t seem to be as much interest on the weekend.
  • When this blog started on December 8, 2013, I was getting an average of 4 visitors per day.
  • The top 5 countries that have visited this site are the USA, India, United Kingdom, Canada, and Germany.
  • Someone from over 150 countries has visited this site in the last 12 months, with over 75,000 individual page visits.

I hope you continue to visit this site and you should encourage your friends to visit as well. I really appreciate your support. Thanks.

6 Ways Employees Bypass Security Policies

As an Information Technology professional, one of the things you will find yourself doing is creating and enforcing security policies. You will need to support good technology security by creating policies that outline the things a good employee must do to support good corporate security. All the other employees are hired for what they are good at doing, and that usually means finding ways to get the job done, regardless of your security requirements. That means good employees may be your biggest security threat.

You can hopefully understand the reason for this effort to ignore the tedious security requirements published by various technology professionals. The average person has to now memorize numerous user accounts, understand document transfer policies, deal with applications with missing or buggy functions, and work with web site filtering that may block access to important data. They must deal with all your security controls and rules while trying to get their job done, and they know there is a “better” way. So, what are some of the most common workarounds used by your company employees?

  1. Offline Bypass – Many security features are only enabled while the device is online. In one case, users were blocked from attaching USB devices to their computer or laptop. The software was only able to alert the security team if the device was connected to the corporate network. The users simply disconnected the device from the network when they wanted to connect their USB hard drive or cellphone to copy files from their local PC to the external device. Make sure your controls work as expected.
  2. Bypass Session Time-out – Most systems and applications have automatic session time-out features, based on a defined idle period. Vendors will also employ utilities to make connections seem used, even if the vendor isn’t using the connection, so they don’t have to restart VPN connections.
  3. Simple Passwords – The average person today has scores of personal and professional accounts. Changing 30 or 40 passwords every ninety days (what is commonly recommended) results in creating and recalling more than 100 passwords each year. It’s understandable that people use easy-to-remember passwords, but simple passwords neutralize much of the security benefit of password-based authentication. Studies have shown people are horrible at selecting secure passwords. And beware of the clever users that bypass the password-reset problem altogether by calling the help desk claiming to have forgotten their password. Administrators will often reset problem users’ passwords by bypassing the regular password reset requirements. Some people may use various bypass methods to keep the same password for several years.
  4. Post-It Notes – One survey found that many people record their passwords somewhere, sometimes in a spreadsheet or text files, but usually on a simple post-it note. This means someone with access to the device probably has access to the post-it with the user’s login information written down for them to use without delay.
  5. Internet Document Storage – You have strict security settings on network shares and documents stored on your network. You may think you have met corporate requirements on who gets access to specific data and information, but you probably don’t have any idea of the volume of data transferred outside the corporate network. Users will find ways to get the data to their coworkers, and that probably means storing the files on the internet. The mobile workforce demands anytime-anywhere access to their documents and data. Many mobile workers aim to streamline their productivity by circumventing your security protocols: emailing sensitive documents to themselves, storing files in a personal Dropbox account or other public cloud, and even taking photos/screenshots with a smartphone and texting those images to friends or vendors.
  6. Disabling Security – One of the most popular security workarounds is simply turning off security features that hinder your productivity. With the growth of BYOD environments, where employees have greater control over the enabled security features, it is common to find even the most basic security features disabled.

As an IT professional you need to help the hard-working and well-intentioned employee get their job done without putting the network at risk. Your security policies should avoid restrictions without any explanation, leaving the end user with productivity loss and no apparent improvement to their lives. Your organization should implement security training for all employees, showing your team specifically how security protocols protect against data leakage, data breaches, and other threats while highlighting how workarounds put data (and their jobs) at risk. This will help the typical employee keep security top-of-mind, along with regular communications and meetings with staff.

10 Ways to make the Wrong Impression on Your First Day

Congratulations, you finally landed a new job in technology, such as database administrator, cybersecurity analyst, etc. It can be easy to make the wrong impression on your first day. Now all you have to do is survive your first day at work, without doing just about everything the wrong way. If this is your first real job, or your first new job in a long time, you might need a few pointers to prevent your first day from being a disaster.

By avoiding these 10 annoying behaviors, you can start your new job without sticking out or making enemies.

1. Know It All – You might be the smartest person you know, but you probably don’t know everything about your new company on the first day. There might be plenty of things you will see and hear that sound like they are doing it wrong, but they have been doing it that way before you got there. The key is to absorb the information and take plenty of notes. Once you have been there for a while, you can start making recommendations on process improvements. Telling people that they are doing something wrong on your first day is not the best way to make friends or impress your co-workers.

2. Fatigue – Make sure you are fully rested and on time for your first day. First impressions are important, so it is better to be early than late. You want to be fully rested and ready to spend the entire day working hard and learning everything you can about how your company does what it does. Don’t expect a long lunch and don’t even think about leaving early.

3. Dress Code – One of the things you want to get straight before you arrive on your first day is what you are expected to wear. As you attend your interviews or if you make visits to the office, note what everyone else is wearing. If you are given conflicting messages or aren’t sure what to wear, overdress. It is better to be known as the guy who showed up on their first day in a suit when everyone else is wearing jeans, than the guy who showed up in shorts and a tee shirt when everyone else is wearing a suit. You can be prepared to change your clothes if you need to dress down a little as the day goes on. You can always remove a jacket and tie, pull on a sweater, or even change shoes, if required. People judge books by their covers and you by your first-day attire.

4. TMI – Too Much Information (TMI) is a nail in the coffin of a first-day employee. People are going to want to get to know you a little so they will ask you questions about your personal life or previous employers. Keep the stories short and without very much depth. People don’t want to hear all about your romantic relationships and previous bosses. Once you get to know your co-workers a little better, you will also get to know more about who you can trust or who is the office gossip.

5. Romance – I don’t care how interesting or attractive a co-worker is, you must keep your distance on the first day. Be polite and warm, but avoid any appearance of flirting or romantic attraction to anyone and everyone. While office romances are a bad idea in general, you definitely don’t want to be doing anything that looks like an office romance on your first day. You want the first-day reputation as that smart new person, not the jerk who kept flirting with Pat in accounting.

6. Complaints – There will be issues the first day. You might be given assignments that seem too simple for your level of training or experience. You might have trouble getting your lunch break or finding the bathrooms. Keep everything negative to yourself. Don’t be seen as someone who complains about anything. Anything. You are the person that solves problems and never complains about anything. You will gain the immediate respect of your coworkers and supervisors. Later, after they get to know you a little, you can start complaining and standing your ground.

7. Social Invitations – Your co-workers may ask you to go to lunch with them or ask if you want to stop by the local bar for a drink after work. If you say no you might be branded the person who doesn’t want to spend time with your co-workers. Do you think you are too good to spend time with them? Try to accept a reasonable invitation (safety first), but also control yourself. Even if you are buying your own lunch, keep the order to a reasonable quantity. If your boss or co-worker is paying, order something simple and inexpensive. Even if everyone else is drinking alcohol, you need to stick to soft drinks or water. You want to be seen as that great new employee, not that new drunk.

8. Comparisons – You might be willing to make comparisons to how you used to do things at your last job or what you were told in a college class. Unless you are asked, you keep that information to yourself. Things are done a certain way at your new job, and you just keep your mouth shut. You might have some great ideas on ways to do things better, faster, or easier but you just need to make good notes and keep your mouth shut. No one wants to hear the new guy tell them all the things they are doing the wrong way. All your ideas can come out after a day or two of gainful employment.

9. Excitement – You are going to be a little confused and lost your first day, but don’t forget this job is what you wanted. This should be a happy day, full of wonder and excitement. Don’t be afraid to let people know you are glad you took the job offer, how you are happy to be there, and how you are excited to begin this next step in your career. This will remind them that you are willing to learn anything they want to show you, you are capable of being a valuable member of the team, and that you have a contagious level of excitement. Your co-workers may have forgotten why working for this great company is so great, and you are there to remind them how lucky they are for working there.

10. Thank You – Training a new employee takes a lot of time and effort. These people are taking time out of their normal assignments to train you on the mundane tasks that make up their daily activities. Even if you already know how to do the task or you only spent two minutes talking to them, always make sure they understand you appreciate their time and always say “Thank You”.

These behaviors are just recommendations for your first few days. These behaviors are not sound advice for normal corporate life, but are just applicable for your first day or two. Once you get to know everyone and understand what they expect from you, you can open up a little and be a little more casual.

IT Security Job Hunting Overview

While I have met many people interested in joining the fight for cybersecurity in an organization, I haven’t met many people new to the field who have really thought about what that means or how they will fit into an organization. Like many things in life, we have an idea about what we want to do but we don’t always have a plan for how to make it happen, and understanding an organization’s structure could help you get the position you truly desire.

First, not all companies have the same organizational structure. Some companies have an almost flat structure, usually based on the desire to avoid bureaucracy or maybe in an effort to keep the headcount smaller and resemble more of a family. Some organizations are much larger and much more formal, and they will have a much better-defined reporting structure. Knowing where you want to be in that structure will help you make sure you are targeting the correct career position.

I’ll give you a simple example. You want to be a Security Operations Center (SOC) analyst. You like the idea of seeing security events as they happen, you want to help analyze the events and work to determine if the events are indicators of an attempted intrusion into the network, and you want to help figure out ways to prevent or remediate the attack. You can’t always target a “SOC Analyst” role at a company, because they might not call it by that name.

TIOBE Index for November 2021

Since the start of the TIOBE index, more than 20 years ago, PHP has been a permanent top 10 player. Recently, we saw PHP struggling to stay in that top 10. PHP was once the master of web programming, but now it is facing a lot of competition in this field. This is not to say that PHP is dead. There are still a lot of small and medium enterprises relying on PHP. So I expect PHP to decline further but at a very slow pace. Two of PHP’s competitors, Ruby and Groovy, both gain 3 positions this month. Ruby from #16 to #13 and Groovy from #15 to #12. Other interesting moves this month are Lua (from #32 to #26), Dart (from #40 to #31), and Kotlin (from #38 to #33). – Paul Jansen CEO TIOBE Software


Lessons Learned by CISM Exam

I decided to take the ISACA Certified Information Security Manager exam earlier this year. I joined ISACA and signed up for the exam. They offered some complimentary group study at my local chapter, and they even sell an exam guide book (“CISM Review Manual” currently priced at $105) to help you study.

What I thought going into this exercise is I have been doing this job for more than 10 years, and I should know everything on the exam without much studying. Once I started studying, I determined there were a few areas where I had an answer, but my answer didn’t always match the answer required to pass the test.

I started studying the material from ISACA to make sure I knew their answers, and after a few months I was ready to take the exam. My real concern is I didn’t want to be over-confident and sit for the exam before I was sure I could easily pass the exam based on the material in the book.

I sat for the exam and I passed! There were a few questions on the exam that I was unable to come up with a good answer for the questions asked, primarily because I just couldn’t connect the question to any one of the answers provided. I eventually decided to pick something for those 8-10 questions and finish the exam. I guess I may never know what the correct answers for those questions might be, and I don’t remember seeing those questions in the CISM manual.

Lessons

  1. You are never as smart as you think you are – That is really the value of certification exams. Having a certification doesn’t mean you are smart; it just means you have studied enough to correctly answer the questions on the exam. It forces you to study material you may not have looked into before, spend time reading that material and committing it to memory, and have enough memory to correctly recall those nuggets of information several months later. I’m not too proud to admit I learned some new ideas and concepts, and I enjoy learning new things.
  2. Experience doesn’t equal expertise – Just because you have been doing something for a long time doesn’t mean you know everything there is to know about a subject. I see it all the time with technical positions where people do the same task the same way for several years and they assume they are experts, and they are unaware that their methods have been replaced with new and better practices many years ago. They have been doing it wrong for years and didn’t know any better, mostly because they have stopped learning. Don’t be that person.
  3. Align Information Security Governance with Business Objectives – I was taught to think of security requirements as something that a business must do to secure their systems, but actually it is just a business concept to help make the business more money. If a security control costs more than the worth perceived by the business, it shouldn’t be implemented. Think of all the businesses that refused to secure their networks and got ransomware. They may have perceived the increased security cost as more than it was worth to the business, or cybersecurity professionals did a poor job of explaining the risk. They probably changed their minds after the breach, but hindsight is 20/20.
  4. Measure Success – How do you know if the network, endpoints, and applications are safer after the change than before you make a security change? You have to measure the before and after security, and determine what measurements make sense to your business so you can continuously measure security. It can be different for each business, but one metric might be how long it takes between the time a vulnerability is detected and when it is remediated. Obviously, the shorter time is better, but you have to measure these relevant values and report to management if the measurements are getting better over time.
  5. Leverage Skill – Knowledge is power, and that can be translated into money. Don’t undervalue your worth and if your company doesn’t acknowledge your worth, find a new job. A CISM certification can help you get that next job at a company that values your knowledge and expertise.

I guess some of these lessons I didn’t have to take a test to learn, but we all learn in our own way.

You can find out more about certifications, including the ISACA CISM, here.

 

Understanding SQL Server Databases

To manage a database server, you need to understand the types of databases available and the location of those databases. There are two types of databases available in SQL Server:

  1. System Databases
  2. User Databases

System Databases

The system databases are default databases that are created when SQL Server is installed. These databases are used for various operational and management activities for SQL Server, and you have no control over the contents of those databases when they are originally created.

Types of System Databases

There are four system databases in SQL Server:

  • master
  • msdb
  • model
  • tempdb

There is also a fairly recent addition to the group called the resource database. It is very similar to the standard system databases but you need to know that it is hidden from your traditional view through the SQL Server Management Studio (SSMS) GUI and you have read-only access to the data it contains.
