Practical Technology

for practical people.

December 13, 2016
by sjvn01

Locking Down WordPress

<Files *.php>
deny from all
</Files>


November 28, 2016
by sjvn01

Locking Down Your Linux Server

No matter what your Linux, you need to protect it with an iptables-based firewall.

Yes! You’ve just set up your first Linux server and you’re ready to rock and roll! Right? Uh, no.

By default, your Linux box is not secure against attackers. Oh sure, it’s more secure than Windows XP, but that’s not saying much.

To really nail down your Linux system you need to follow the instructions in Linode’s Securing your Server guide.

To summarize, you must—first—turn off the services you don’t need. Of course to do that, you need to know what network services you’re running in the first place.


November 10, 2016
by sjvn01

Set up OpenVPN on Ubuntu 16.04—For Safety’s Sake!

Want to know a really scary IT statistic? Xirrus, a leading Wi-Fi company, recently polled more than 2,000 executives and IT professionals. They found that while 91 percent of respondents know public Wi-Fi is insecure… 89 percent go ahead and use it anyway.

Whoops!

One thing you can do to help clean up this security mess is to provide a virtual private network (VPN) so that your users’ traffic gets protected before hackers can get their digital mitts on it. There are many VPN servers, but OpenVPN is my VPN server of choice because it’s very popular, easy to use, and widely supported. When integrated with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.


October 20, 2016
by sjvn01

Clueless CIO cloud confusion continues

You have got to be kidding me. At the Gartner Symposium/ITxpo, the research company’s annual enterprise IT conference, Gartner vice president David Mitchell Smith said, “In many ways we’re nowhere nearer understanding what cloud is.” Oh, come on!

The year is 2016, but Smith continued, “There are still a lot of gray areas and blurriness in the cloud business.” He thinks 80% of vendors’ “private clouds” aren’t strictly speaking cloud, along with 30% of public cloud services.

Listen, if you’re a CIO and you don’t know what a cloud really is by now, then you should be fired.

Unlike what Gartner said, most of you do seem to get it. A recent Uptime Institute survey of 1,000 IT executives found that 50% of senior enterprise IT executives expect most IT workloads to be running on the cloud soon. Of the respondents, 23% expect the shift to happen next year, and 70% expect it to occur within the next four years.

What is going on, and what does confuse things if you’re not paying attention, is that many vendors just stick a cloud label on their old offering and expect you to buy their “new” service. This is called cloud-washing. Companies slap a new coat of cloud paint on any old program or service, add 10% to the price, and call themselves a cloud company. I’m looking at you, Oracle.

But Oracle isn’t alone. For example, Adobe Creative Cloud isn’t a cloud. It’s a software rental licensing business model. True, you can share files with its infrastructure-as-a-service (IaaS) storage, but you could always do that with network file sharing or third-party cloud services such as Dropbox.

If you think there’s a Photoshop in the cloud, you’re wrong. To use Creative Cloud, you download a fat client to use it. Despite the name, this is not a software-as-a-service (SaaS) play.

If you’re a system admin who’s nervous about losing his or her job, I can understand pointing out such examples as proof that cloud computing is just marketing hype. I expect better from CIOs.

I mean, the National Institute of Standards and Technology (NIST) defined cloud computing for us in 2011.

Doesn’t ring a bell? OK, here’s a refresher.

NIST tells us: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

NIST continued to say that a cloud must have five essential characteristics: On-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service.

Let’s look closer. With on-demand self-service, users can unilaterally provision or access computing resources as needed. Usually, but not always, you do this with a web browser. Users spinning up a service with ordinary provisioning shouldn’t require any technical support handholding. If a technician has to manually spin up a server for you, you’re not using cloud computing. If you need to call the vendor to get a server instance up, you’re not on the cloud.

By broad network access, NIST doesn’t just mean that cloud services must be available over the internet. It’s just that the cloud resources must be made available over the network for all devices, from PCs to smartphones, using open standard protocols such as TCP/IP, HTTP, HTML, XML, Java and SOAP. If it needs proprietary network standards or clients, you’re moving away from the standard open cloud to a proprietary solution.

With resource pooling, according to NIST, “The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.”

Ignore the jargon. It means the cloud could be next door, or it might be in the next country. With a hybrid cloud, which uses both private and public cloud resources, it may be both. IT should know the specifics of what’s where. For the ordinary Joes and Janes in accounting, the resources are just in the cloud. From their seats, the cloud is just at their fingertips, the same way the internet is.

Rapid elasticity and expansion are vital. In a cloud, you don’t ask for five more servers; you go out and get them. Your computing resources are dynamically assigned, released and reassigned at your request. In the best clouds, users don’t even know they’re asking for more resources. They just get on with their job, and if their work requires more resources, the cloud simply provides them.

So, for example, if you suddenly need two dozen extra processors to handle an unexpected job, the cloud can deliver those compute resources to your application without any manual intervention. Then, when the job is done, those resources should automatically be returned to the cloud. No fuss, no muss.

Finally, just as with any ordinary utility, such as your electricity, on a cloud you must be able to monitor your cloud systems usage and be billed for it according to your use of the “service.” The only difference is that instead of kilowatt hours, you’re billed for storage, processing and bandwidth usage, and possibly for active user accounts.

If your cloud service doesn’t provide all of these features, what you’re using may not be a cloud.

That may not be a problem. It may still work perfectly well for you. There’s nothing inherently wonderful about a service just because it’s offered over a cloud. But you may want to take a close look at your services. After all, from a practical viewpoint, the big difference between cloud services and other models is that the cloud tends to be cheaper and far more expandable and flexible.

And surely you, as a CIO, already know all that. Right?

This story was first published in ComputerWorld. 

May 16, 2016
by sjvn01

5 Project Management Fundamentals Learned the Hard Way (So You Don’t Have To)

Having trouble getting your project done on time and under budget? You’re not alone. Experienced project managers share suggestions about getting the work done without losing your mind.

Frederick Brooks’ classic book, The Mythical Man-Month, tells the tale of how everything that could go wrong did go wrong with the development of the IBM System/360 computer family. He walked away from the experience with realizations about the core problems with traditional project management. More than 40 years later, we are still trying to solve them.

How many of these issues plague the projects you’ve been involved with? Brooks wrote: “More software projects have gone awry for lack of calendar time than for all other causes combined.” Then there’s the “unvoiced assumption which is quite untrue, i.e., that all will go well.” Or, “Our estimating techniques fallaciously confuse effort with progress;” and, last, but never least, “When schedule slippage is recognized, the natural (and traditional) response is to add manpower. Like dousing a fire with gasoline, this makes matters worse, much worse.”

While project hiccups and failures are always a danger, in the intervening years the business community has learned to avoid many of them. Fortunately, we have found ways to deal with these fundamental problems. One of them is sharing information about what works and what doesn’t – as these experienced project managers do here.

Know what you’re trying to accomplish.

First and foremost, you need to know what you’re actually trying to do with your project. “Consistently ask this one question: ‘Whom are we targeting with this project and what problems are we solving for them?’” says Spencer X. Smith, former VP of sales at a Fortune 100 company turned consultant. “This may sound obvious, but oftentimes—especially after a project has been underway for a while—we neglect whom we’re trying to serve.”

Once you know not just what you’re trying to do, but whom you’re doing it for, you’ll be a lot better off.

Avoid scope creep.

Kenneth Ashe, PMP and project manager at Prudential Financial, suggests that an important way to make projects finish on time and within budget is to avoid scope creep. “Scope creep is added changes that can occur once the project already started (an increase in project scope),” Ashe explains. “If you don’t consciously look for and prevent scope creep, it’s easy for projects to grow in size and blow through timelines and budgets.”

To avoid scope creep, says Ashe, “Create a well-defined scope at the start of a project that the project’s sponsor and/or customer formally approved (a signed document). Any additional items that are requested outside of the original scope would be considered a change to the project, and their impact to the entire project must be considered. You should assess how these changes will affect the timeline, costs, quality, and resources assigned to the project.”

That’s easy to say. It’s not so easy to do. Especially since few project managers define the project well in the first place, says Kevin Archbold, PMP and consulting manager of Key Consulting. “This is normally done using a project charter. I consider this like putting the first tile in place in a tile floor: Mess the first one up, and everything from here on will be a problem.”

Practice Agile.

Once you have a plan, and everyone’s on board with it, your focus should move to keeping the project on track. Use Agile techniques, urges Cord Silverstein, acting VP of marketing at Samanage, a Software-as-a-Service (SaaS) company. While Agile is often used in software development projects, it can also be used in other projects.

One hallmark of Agile is project status transparency. For example, Silverstein believes that “Everything should be public: The work that needs to be done, our sprint plan, who is assigned to what, what people are working on. Transparency removes many time sucks including unnecessary meetings.”

Schedule for real-world delays.

Help your projects work well by setting an appropriate schedule for the scope of work. But keep in mind, says Larry Putnam, Jr., Co-CEO for Quantitative Software Management, “Nothing goes perfectly. Make sure you include a risk buffer for unexpected adjustments throughout project implementation to ensure you stay on time and on budget.”

Oh, is that all? A radical way to address scheduling concerns, according to Bridget Duffy, EVP of business management at the design and technology firm DUFFY, is to “kill the calendar.” Duffy deplores “that artificially concocted calendar that tells the team what time they are allotted, and doesn’t account for creativity, human interaction, or the chasing of excellence. In fact, it is the calendar itself that keeps design and development projects off track.”

“Estimating time is a crapshoot at best,” Duffy explains. “The reason is simple: Top notch designers and software developers rarely create the same thing twice. A designer may come up with the ideal design solution in half a day. Or it may take 20 times that. Or more. Or less.”

Duffy adds, “Most teams talk about being agile, but in fact stick to a ‘waterfall’ calendar that waits for one task to be complete before starting the next. Waiting is not working.”

That sounds great, but you still need to deliver your project. The answer is in teamwork, Duffy says. Create “a smart, agile team of designers and developers which is, by nature, a small, well-oiled machine.”

Scheduling is essential, says Duffy, but it is a living, breathing, moving thing. “It is not a static calendar. It is a tool to give a little structure to the people doing the work. It does not, and it never will, replace the need to really know your team, to communicate with them to avoid frustrating them with annoying reminders. The closer your teams of inside and outside members can be unified, the better your chances of being on time. And better yet, on budget.”

Focus on internal communication.

To make a team like this you need great communication. Dana LaRieal Morales, PMP and leader of The Happiness Bucket, an organization meant to help people move through life changes, believes you must “Determine how the project team is going to relay information to one another, so no matter who was or wasn’t in a meeting, everyone on the team can go to one point of reference to get caught up.” Use an Excel spreadsheet, wiki, intranet site, etc.: whatever works. “Whatever it is, I would suggest it be something that multiple people can access at the same time. Steer away from email/document-based updates whenever possible, because these often remain unread,” says Morales.

Frequent communication doesn’t mean lots of time spent in a conference room. “Meetings are the enemy,” says Duffy. “Clearly-defined roles make the difference. This, of course, requires knowing the people on the team. This is where generic staffing or outsourcing falls short. You can’t communicate with a revolving door.”

Morales also believes that you must keep your customers in the loop. She says, “Whenever appropriate and possible, create moments where you can show a completed part of your project. This could be the sandbox environment (the system with dummy data) or even a screenshot of the intended environment.” Doing so lets clients or users provide feedback on the project’s direction, and identify areas of concern.

“You can either resolve the concerns in the project itself or manage expectations,” Morales adds. These “moments” help eliminate project tension caused by mistrust or by individuals feeling like they aren’t heard. “By adding these tips it allows for on-demand participation without derailing the project or the team meetings.”

And isn’t reducing tension going to go a long way towards making any project go better, both for the people on the project team and for its stakeholders? I think so.

Will these bits of advice solve all your troubles? Heck no! But it’s amazing how much a little effort in the beginning can prevent big problems from appearing in the end.

5 Project Management Fundamentals Learned the Hard Way (So You Don’t Have To) was originally published in CertWise.

April 12, 2016
by sjvn01

The best ways to manage data center airflow

Ask anyone outside the enterprise IT department to identify the greatest data center cost, and they’re apt to say servers. That’s true in some businesses; hardware costs are not trivial. But the truth may be that large organizations are wasting money unnecessarily by literally blowing a lot of hot air because of inefficient data center airflow.

If you’re running your data center inefficiently, as many companies do, the cooling budget can be twice the cost of buying and running the hardware. That’s a lot of cash wasted on heating, ventilation, and air conditioning (HVAC).

A May 2015 IDC data center survey found that up to 24 percent of a data center budget can go to cooling. With a mean data center budget of $1.2 million for IDC’s enterprise clientele, that means that cooling alone costs $300,000 a year.

In a word: Ouch!
