Blog

March 31st, 2015

Raj_Goel_headshot (1)

The IT Support/MSP game has changed.  Clients are no longer satisfied with just getting their desktops managed and servers supported.

Almost every industry has customer privacy and security compliance regulations – and clients are looking at us, their IT providers and business confidantes, to help them become and remain compliant.

So what do you need to know about compliance?

First – determine what industry or vertical you will tackle, then dive into it.

In my experience, clients do not want a generalist firm that says we provide HIPAA/HITECH/PCI-DSS/Sarbanes-Oxley/GLBA/SEC Cybersecurity /  [insert acronym here] compliance. More and more, savvy buyers want MSPs that focus on their vertical.

If you’re tackling healthcare, you must deep-dive into HIPAA/HITECH, FTC Health Breach, State Records Retention, SEC Cybersecurity guidance and State Privacy Laws.  If medium-to-large retailers ($10M-$4B) are your targets, then a thorough understanding of PCI-DSS and State Privacy Breach Laws is required.  If banking and finance is your focus, then GLBA, SOX-404, State Privacy Breach, FINRA regulations, PATRIOT ACT and FFIEC compliance knowledge is a must.

Underpinning all these regulations, standards and statutes are 3 simple truths:

  1. Every regulation or standard requires good, tested, verifiable backups
  2. Use of strong passwords and tested security configurations is a must
  3. Encrypting data in-motion, and data-at-rest is a very, very, good idea.

As you start your journey towards becoming a compliance-oriented MSP, I can offer you a few resources for HIPAA/HITECH, PCI-DSS, SEC Cybersecurity and PRIVACY LAW compliance.

HIPAA/HITECH Compliance: Email me and request the

  • WHAT DO MSPS NEED TO KNOW ABOUT HIPAA/HITECH slides
  • HIPAA Compliance Checklist
  • Articles and newsletters regarding trends in HIPAA enforcement and compliance

PCI-DSS and STATE PRIVACY LAW Compliance

  • Overview of the state privacy breach laws
  • Trends in Financial Crimes
  • Lessons Learned from Superstorm Sandy

SEC Cybersecurity Compliance

  • Overview of SEC Requirements
  • Trends in Financial Crimes
  • Lessons Learned from Superstorm Sandy
  • Challenges endemic to the financial sector

As always, if you have questions regarding security, privacy or compliance, feel free to contact me at raj@brainlink.com.

Latest articles, blog posts, presentations and webinars are available at www.RajGoel.com

Come meet Raj in person and hear him present on “What MSPs Need to Know About Compliance” at the Datto Partner Conference.

Topic Articles, Events, News
March 11th, 2015

Right now the IT industry is what the shoe industry was in the 1500’s. Back then, if you went from village to village, each cobbler made a different sized shoe. You could not buy a shoe in a different town without getting a different shoe. This bespoke process can be a painful one, and there’s no need for that. At Brainlink we’ve standardized our practices so that we can deliver a more consistent product and a more consistent service to our clients. We want to be the Starbucks of IT, instead of the hit-or-miss local diner.

One way we’ve accomplished this is through our standardized ticketing process. Prior to using it, we did not have a consistent way of tracking what needed to be done for our clients. A tech might have promised to do something, for example, and we would have no idea. Now all of our clients know to email support@brainlink.com. They get a ticket, we follow up, and that has made a dramatic difference in our business.

Whether you own a restaurant, run an IT firm, host a radio show, etc., your business can be improved by delivering more consistent results. SOPs are the way that you, too, can track what works, document it, and make it available to everyone in your business.

Key benefits for our clients:

  • They no longer have a “favorite” tech – all techs are their favorites
  • They don’t have to worry about losing quality or service when we replace or move techs
  • They give me feedback faster when a tech drops the ball
  • They get ALL their SOPs in printed runbooks annually – they don’t have to worry about us holding them hostage

 

Key Benefits for Brainlink:

  • Lowered hiring & training costs
  • Consistency of Service
  • Scalability
  • Level1 techs can do 90% of Level3 work using SOPs

 

Learn More:

Sweet process Interview

Client Runbooks

MSPDOJO – Your Business CAN Run without You: SOPs are the Answer

MSPDOJO – How SOPs can Increase Profitability

March 11th, 2015

To someone unfamiliar with Standard Operating Procedures, having SOPs may not seem necessary or applicable. Increased profitability, on the other hand, is something sought by all business owners. Have you considered that SOPs offer you just that?

Before we used SOPs regularly at Brainlink, I had a tech employee that had a recurring problem with one of his clients. I suggested that he SOP the problem, but he was skeptical. Finally, I made a bet with him: I told him to write down his process when troubleshooting for this client, and if he never used that SOP again, I would give a hundred dollars. However, if he did use it again, he would own me an apology. The employee took my bet, and one week later he came back to me and apologized. The SOP he had written had saved him four hours of frustration; the same client had the same issue, but because he had written down the process and taken screenshots, he was able to resolve the problem in 15 minutes.

That was the beginning of much more efficient problem-solving in our business. No long ago we on-boarded a client with 10 servers and it took my lead engineer 24 man hours to do it. Before that we were spending 16 hours a server. We did more work in less time because we had planned things out, we have SOP’s, and we’d systemized our business.  We have seen our time to diagnose and solve issues drop by 30%, and that reduction is growing. Through SOPs, we have saved countless hours and dollars, while simultaneously making our clients happier.

Learn More:

Sweet process Interview

Client Runbooks

MSPDOJO – Your Business CAN Run without You: SOPs are the Answer

March 11th, 2015

As a small business owner, I’ve learned that running a business comes with three main struggles: not having enough clients, not having enough revenue, and being “held hostage” by my employees. For many years, I was unable to take a vacation, or even travel for business, without a constant worry that something would go wrong at the office. On the flip side, if one of my employees were absent – whether they were out sick or had quit – I was left scrambling to maintain continuity with that employee’s clients. This method resulted in a lot of stress and not much efficiency.

But that is not the case today. Last year I spent 62 business days out of the office, speaking at conferences around the world. My business not only ran, it grew without me. How did I accomplish this? By using Standard Operating Procedures (SOPs). My job is no longer worrying about how to get something done.  Once a process for completing a task is documented, somebody else can do it.

By having this standardized, systematized business, I am free from being held hostage by any single employee. Employees can fall sick, they can get married, they can have a sick parent, and that’s okay, life happens. By systematizing our business we’ve been able to move techs from client A to client B without interruption of service. I’m really proud to say that new hires now do more in 6 weeks than a tech used to do for us in 6 months. All of this has come about because we’ve made SOPs an integral part of our business environment.

Learn More:

Sweet process Interview

Client Runbooks

November 16th, 2014


Raj Goel, CISSP
Raj Goel 
Security & Compliance Consulting Practice
www.rajgoel.com
raj@rajgoel.com
917-685-7731

Raj’s LinkedIn profile

This article was originally published in INFOSECURITY PROFESSIONAL Magazine July/August 2014 issue.
To read full article, click here: INFOSECURITY PROFESSIONAL Magazine July/August 2014

Magazine article says parents destroying infant privacy at birth

 

Noted Internet security expert Raj Goel said well-meaning parents are ruining any privacy their children may have, starting at birth. He reports on this in the August-September edition of InfoSecurity Magazine in the article “Life Of A Child (2014).”

 

Mr. Goel is not referring to children at risk of dropping out of school, rather, children at risk of having someone steal their identity and create lifelong problems with that. He points out a set of very basic information is all that’s needed to impersonate someone online or over the phone:

 

  • Mother’s maiden name
  • Date of birth
  • City of birth
  • Name
  • Phone

 

“The problem is this is what people consider to be basic information when making a birth announcement. People look at this as sharing information,” he said. “New parents are justifiably proud about a new baby and they want to share the good news. Unfortunately, these well-meaning and well-intended parents are setting their children up for a lifetime of stolen identity problems.”

 

Mr. Goel said this is not limited to online and social media. He said parents often turn in birth announcements to the original social media, newspapers. Identity thieves are known to scour newspapers for birth announcements and obituaries. They harvest this information and set up fraudulent accounts based on the name and information gathered.

 

“We are happy to join you in celebrating the birth of a child, but please, be careful about what information you choose to share,” Mr. Goel said.

 

Schools are also a major risk. He writes of a technology called InBloom. In short, it collate student data and then makes that data available for purchase by private companies.

 

“The technology, which as of last year was adopted in nine states, creates a centralized database where student records, from attendance to disciplinary to special needs, are stored,” he wrote. “Civil rights groups took immediate legal action to try and prevent the practice of disseminating student data—a practice that also had been taking place in Colorado, Delaware, Georgia, Illinois, Kentucky, North Carolina, Massachusetts, and Louisiana by the time the New York uproar began.”

 

Read more at http://www.brainlink.com/2014/08/14/life_of_a_child/

 

Raj Goel is a well-known IT Expert, Author, Keynote Conference Speaker, TV Guru,HIPAA, PCI, SEC Compliance expert and Cyber Civil Rights Advocate. He regularly gives presentations around the world at the leading global conferences. For more information about Mr. Goel and his work, please visit www.RajGoel.com

September 6th, 2014

As I read about the HOME DEPOT breach, follow the commentaries on the TARGET breach and other breaches, it’s clear to me that we need to have a more mature conversation about breaches.
We don’t blame the home owner when a burglary occurs.

We don’t blame patients for getting infected with AIDS, Ebola or becoming afflicted with Cancer, ALS, heart disease.

Even when the cause may be user behavior (smoking, excessive drinking, etc), we have sympathy for the patients.

So, why are we blaming companies, hospitals and other victims of cyber crimes?

 

Yes, Target, Home Depot, Blue Cross Blue Shield of Tennessee and others could have done better job of protecting their networks.  But you know what, no one’s perfect.

 

And I assert that the victims were NOT solely responsible for the failures.

 

IMHO software vendors shoulder at least 50% of the blame.

1) We are working with a client subject to PCI-DSS and their POS vendor requires DISABLING UAC and giving users ADMINISTRATOR privileges.

2) We’re working with construction firms, and a very well known package requires giving all users full administrative rights on the application install and database directories.

3) A leading manufacturer of label printers requires that users have LOCAL ADMINSTRATOR rights just to print labels.

(I have purposefully omitted names of vendors, because they are representative of the norm.  Ignoring the SANS20 Controlled Use Of Administrative Privileges seems to be a job-requirement for commercial developers).

I agree with Dan Geer and other luminaries:

A) We need a CDC or a NTSB for the internet.  We need a dispassionate, independent federal investigator that is authorized and empowered to investigate breaches, determine root causes and make recommendations to fix the infrastructure.  The NTSB has saved millions of lives by investigating each airplane crash, determining flaws or breakdowns in the process and improving manufacturing, maintenance and flight operations.

 

B) We need a LEMON LAW for software.  Software vendors need to be held liable for shipping shoddy, insecure products.

 

Finally, I think Microsoft should step up and hold ADOBE and ORACLE accountable for the flaws in Adobe Flash, Adobe Reader and Java.  Wouldn’t it be great if Satya Nadella had a Steve Jobs moment and he banned Flash & Java from Windows?

What are your thoughts?  Let me know.

 

Topic Articles, CISSP
April 28th, 2014

Seems like the NSA has competition (or is that a friendly rivalry)?

 

Russian law gives Russia’s security service, the FSB, the authority to use SORM “System for Operative Investigative Activities” to collect, analyze and store all data that transmitted or received on Russian networks, including calls, email, website visits and credit card transactions.

SORM has been in use since 1990 and collects both metadata and content.

SORM-1 collects mobile and landline telephone calls.

SORM-2 collects internet traffic.

SORM-3 collects from all media including Wi-Fi and social networks and stores data for three years.

Russian law requires all internet service providers to install an FSB monitoring device called “Punkt Upravlenia” on their networks that allows the direct collection of traffic without the knowledge or cooperation of the service provider. The providers must pay for the device and the cost of installation.Collection requires a court order, but these are secret and not shown to the service provider. According to the data published by Russia’s Supreme Court, almost 540,000 intercepts of phone and internet traffic were authorized in 2012. While the FSB is the principle agency responsible for communications surveillance, seven other Russian security agencies can have access to SORM data on demand. SORM is routinely used against political opponents and human rights activists to monitor them and to collect information to use against them in “dirty tricks” campaigns. Russian courts have upheld the FSB’s authority to surveil political opponents even if they have committed no crime. Russia used SORM during the Olympics to monitor athletes, coaches, journalists, spectators, and the Olympic Committee, publicly explaining this was necessary to protect against terrorism. The system was an improved version of SORM that can combine video surveillance with communications intercepts.

via Schneier on Security: Info on Russian Bulk Surveillance.

Topic Articles, CISSP, News
March 14th, 2014

NEW YORK (PIX11) – But revelation that two Iranian passengers on the flight were able to board using stolen passports – has not eased concerns about what appear to be gaping holes in the international security net that we all rely on once we leave America’s sphere of influence.

As more information pours in regarding the two passengers in question investigators are now slowly turning away from any terror link.

Interpol currently maintains a database that contains millions of lost and stolen passports.

Only three countries – the United States, United Arab Emirates, and the U.K. run travelers’ information against that database.

Sal Lifrieri is a terror and security analyst who tells PIX11, “So if you’re flying through a country, and that’s what we see with this particular case, you can fly into this country, and have a very minimal passport check – and move on to the next country.”

So how can you protect your passport – especially if you’re traveling internationally?

Technology consultant Raj Goel says the answer involves treating biometric, high-tech passports like cash.

“Correct. It’s the same exact concept, except you use slightly thicker plastic. So that somebody walking by can’t just do a brush pass and do RFID cloning of my passport, driver’s license, credit cards – or whatever have you. It takes a few seconds,” said Goel.

Keep it close, and remember that a criminal doesn’t even have to physically snatch your passport if it’s made with something called RFID technology in order to steal the information embedded in it.

Read more: http://pix11.com/2014/03/11/how-to-protect-yourself-against-high-tech-passport-thieves/#ixzz2vvrEsqat

Topic Articles
February 5th, 2014

Article by Raj Goel

I read a moving article on CNN.com about modern day slavery in Mauritania (see http://www.cnn.com/interactive/2012/03/world/mauritania.slaverys.last.stronghold/index.html/ ).

Yes, slavery still exists and 10-20% of the Mauritanian population is currently enslaved. What really hit me hard is that unlike traditional slavery involving chains and physical restraints, modern slavery is primarily mental. The hereditary slaves are born as slaves; they live in villages that have ceremonial fences. Anyone can walk away or run away, and yet very few do. They are so enmeshed in the culture that the thought of walking away doesn’t occur to them.

To quote from the article:

Fences that surround these circular villages are often made of long twigs, stuck vertically into the ground so that they look like the horns of enormous bulls submerged in the sand.
Nothing ties these skeletal posts together. Nothing stops people from running.
But they rarely do.

And a similar form of mental servitude exists in (anti-) social media today. This month, the world celebrates the 10th anniversary of Facebook. What we’re really cerebrating is 10 years of ceaseless onslaught against freedom of speech, freedom of thought and freedom against self-incrimination – also known as the 1st, 4th and 5th amendments of the US constitution.

You could say that I am being hyperbolic in my characterization of Facebook as digital slavery, or that I’m taking poetic license and it’s not really fair to those who suffered, and still suffer, from the shackles of physical and financial servitude. Fair enough.

That said; let’s consider that in traditional slavery, the slave owner claimed ownership over the physical bodies and the output of physical labor from their slaves. Slaves grew cotton, sugarcane, raised cattle, etc and the masters took control of it.

In the modern era, our wealth isn’t generated from our sinews. We don’t break our backs toiling in the fields. Our wealth is intellectual in nature, digital in its form and that is being acquired for free by the lords of the internet.

  • Facebook claims perpetual ownership on your posts, likes, dislikes, photos.
  • Twitter claims perpetual ownership of your tweets, thoughts and stupidities.
  • Instagram, Flickr, etc claim perpetual license on your images.

As Attorney Craig Delsack notes

You grant the social media sites a license to use your photograph anyway they see fit for free AND you grant them the right to let others use you picture as well! This means that not only can Twitter, Twitpic and Facebook make money from the photograph or video (otherwise, a copyright violation), but these sites are making commercial gain by licensing these images, which contains the likeness of the person in the photo or video (otherwise, a violation of their “rights of publicity”).

Amazon controls what you get to read, and has deleted books from kindles remotely. Fittingly enough, the 1st book Amazon stole back from a paying customer was 1984.

Apple claims similar rights on your iPhones, iPads, iTunes and has given itself the right to remotely block or uninstall books, movies, songs, etc.

So what exactly are you buying when you “buy” eBooks from Amazon or Apple? What are you “buying” when you buy songs from Apple, Amazon, and Google? You’re “buying” the temporary right to read that book, watch that movie or listen to that song until the overlords decide that you’ve somehow violated their rights by travelling to a foreign country, visited wrong parts of the internet, etc. And any of these are grounds for them to delete content without reimbursement.

And how does Facebook fit into all of this?

In the 1970s and 1980s, we protested against the Communists and held up East German Stasi as particularly pernicious. At the height of its power, an estimated 10% of the East German population spied on their neighbors.

Today, approximately 128 Million Americans use Facebook.
Every like, dislike, comment is private property of Facebook to be bought and sold like a commodity. Your thoughts, pictures, family photos and privacy are a good sold on the open market.

And what does Facebook provide to its real customers – the corporations and governments?

From https://twitter.com/TheBakeryLDN/status/427531934294880256/photo/1

And that’s just a start…there’s much more that Facebook retains, and makes available to foreign governments.

I hear you. I hear your complaints. Without Facebook, how will you have a social life? How will you go out on dates? Or keep track of family get togethers? Without Facebook, how will you share the family photos?

Scholars find many similarities between modern Mauritanian slavery and that in the United States before the Civil War of the 1800s. But one fundamental difference is this: Slaves in this African nation usually are not held by physical restraints.

Just like the Mauritanian slaves who are held on farms, not by physical shackles, but cultural and mental ones that keep them enslaved. Even though all they have to do is walk away.

No violence, no guns, just put one foot in front of the other.

Will you raise your kids as digital slaves? Or will you walk away…one mouse click at a time?

References:
4th Amendment issues – http://www.businessinsider.com/police-make-fake-facebook-profiles-to-arrest-people-2013-10
1st Amendment Issues – http://www.huffingtonpost.com/tag/facebook-arrest
5th Amendment Issues – http://www.digitaltrends.com/social-media/the-new-inside-source-for-police-forces-social-networks/
1st, 4th, 5th Amendment issues – http://www.nbcnews.com/technology/careful-what-you-tweet-police-schools-tap-social-media-track-4B11215908
http://news.cnet.com/8301-1023_3-57471570-93/facebook-scans-chats-and-posts-for-criminal-activity/
http://arstechnica.com/information-technology/2013/11/staking-out-twitter-and-facebook-new-service-lets-police-poke-perps/
Copyright and IP Ownership – http://www.nyccounsel.com/business-blogs-websites/who-owns-photos-and-videos-posted-on-facebook-or-twitter/
Amazon erases 1984 from Kindle – http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html

Further Reading:
http://www.brainlink.com/2012/10/free-video-protect-your-kids-from-facebook-social-media-threats/
http://www.brainlink.com/2013/10/teach-your-kids-about-the-dangers-of-snapchat/
http://www.brainlink.com/2012/10/prevent-your-kids-from-becoming-accidental-porn-stars/
http://www.brainlink.com/de-volkskrant/
http://www.rajgoel.com/tag/panopticon/

Topic Articles
September 21st, 2013

Below is an excerpt from the Keynote presentation I delivered at GBATA 2013 in Helsinki, Finland. It is based upon my“A Global Overview of Trends in Personal, Corporate and Government Surveillance” presentation.  This article also appeared in the Homeland Security Newswire.

Those who ask you to choose SECURITY OR PRIVACY and those who VOTE on SECURITY OR PRIVACY are making false choices. That’s like asking AIR OR WATER — which do you choose? You need BOTH to live.

Maslow placed SAFETY (of which security is a subset) as 2nd only to food, water, sex and sleep. As humans we CRAVE safety.

As individuals and societies, BEFORE we answer the question “SECURITY OR PRIVACY”, we first have to ask “SECURITY FROM WHOM and WHAT?” and “PRIVACY FROM WHOM AND FOR WHO”?

Until 1215, every Prince, King, Emperor and Conqueror thought he had divine right and was either a god or a manifestation of god. The MAGNA CARTA, for the 1st time in recorded human history, tripped Kings and Emperors of their divine right. WHY? Because the nobility had enough of the incompetencies and cruelties of the ruling monarch. In 1628, Sir Edward Coke established in English Common Law that “A man’s home is his castle” In 1791, The US Bill of Rights gave us the 4th amendment “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Each of these articles gave us, the citizens, the commoners, rights that were hardfought by a small-band of revolutionaries.

Franklin, Jefferson, Washington, Madison, Adams and countless others bled so that the masses could watch “Keeping up with the Kardashians” today.

Today, every techno-geek with classified access, every sysadmin, every spymaster and bureaucrat in the information acquisition, analysis and marketing machine presumes that he/she is god.

The internet has become a tool of the despots – and EVERY country and EVERY corporation is becoming THE STASI.

During the cold war, the US & the west demonized the USSR and the communists for denying their subjects/citizens property rights; freedom of speech; freedom of thought; freedom of religion.

Today, US, UK, AU, NZ, CHINA, Russia, India, everyone nation spies on it’s citizens. They all do it in the name of SECURITY and protecting the citizenry from terrorists. I don’t recall the US constitution or ANY other government’s charter that required it to guarantee it’s citizens 100% safety or 100% security. Defense of the common good – yes. Decent infrastructure – yes.

Freedom from crime and terrorism is possible…but only if you live in a jail cell.

Privacy of thought is a basic HUMAN right.

We prized ourselves in the west for fighting for the dissidents such as Solzhenitsyn & Sakharov. We even gave some of them Nobel peace prizes and visas to the West. Today, the US government (and others around the world) jail more dissidents, whistleblowers and freedom fighters than ever before. And corporations such as Amazon, Apple, Google, Adobe, SONY, Disney, etc. deny us basic property rights by “licensing” software and media to us.

Today, every elected politician, president, senator, prime minister and king, sees honest dissent as subversive.

Before you answer the question “SECURITY OR PRIVACY”, ask yourself the question – from whom; for who and for how long.

When Vladimir Putin praises PRISM and the NSA, then I think we have a problem. When Steve Wozniak points out the similarities between our lack of rights in cloud and the communists, I think we have a problem.

In every generation, a new King John; a new Khruschev and a new Solzhenitsyn is born. It’s OUR job as citizens to DEFEND the rights given to us by our respective constitutions and DEMAND that they be conferred on our WEAKEST citizens, not just the strongest or the wealthiest.

Feel free to have a reasonable (or unreasonable, as long as good beer or bourbon are involved) debate with me at ASIS59 in Chicago or wherever you catch me next – Hague, Helsinki, Washington DC, Chicago, Curacao, New Zealand – I will be bringing my opinions and research to a conference near you :-D

Topic Articles, CISSP