IT Security Methods by Industry

After years (okay, decades,… okay, okay, centuries…..  damn it… alright! alright already, eons… are you happy now?  yes.  I’m THAT freaking old.  I still remember coal-fired computers and horse-drawn airplanes and shit.  My birthday cake is a slice of tree trunk of matching rings, but the table can’t hold the weight anymore.  sheesh!)

What was I saying?  …. (eyes wandering left and right…. … . . .          …  .         …. . .      .   .  )

oh yeah!  I’ve amassed a data set that accurately summarizes the predominant security practices or strategic “methods” leveraged by each major US industry. I warn you: this is highly scientific information.  It may require additional consumption of various questionable substances just to remain conscious while trying to read it all. Here goes.


Banking

Method: Place sufficient restrictions on the adoption of new technologies, so as to (A) mitigate unknown vulnerabilities and exploits, (B) ensure that those with knowledge of older, proven exploits have died from old age, and (C) keep certain aging consultants employed (because they’re married into your family).  And besides, what’s wrong with COBOL?

Insurance

Method:  Never leave important IT decisions up to any one person, ever.  In fact, the more people involved, the greater insurance that the decision will eventually be reliable, maybe.  Larger companies focus on perfecting multi-role hyper-proliferated subterfuge logic branching and coalescing processes.  In layman’s terms: they foster greater variety among responses to decision inquiries.  Many have invested heavily in processes which depend entirely on custom hand-stitched, stone-carved, natural leather encased software, usually written by someone who left or died long ago.

Defense Manufacturing

Method: Implement dozens of stop-gap procedures to ensure every motion of IT is slowed to the lowest possible, almost unmeasurable, velocity.  Think of a Japanese rock garden, only slower.  Where the sand is executive processes and the stones are IT staff, now simply add quick-set cement to the sand mix and sprinkle some water on it.  This ensures that even the bad stuff will take forever to make headway, and by that time, the entire system will have been eventually decommissioned.  Forget penetration attempts, even social engineering-based ones, because they’re often project-oriented, not departmental, so most people have no clue what the next cube is working on.  In fact, they probably don’t use the same network, computers or operating systems.

Legal

Method: Relegate “IT” to whomever answers the Craig’s List ad for an “IT Expert”.  Critical skills include: printer management, thumb drives, recovering lost files and emails, and using Excel databases” (that’s not a typo).  Must also have experience with Macs and Windows XP, particularly with kids games.

If they have any in-house “IT” capacity at all, it’s often enough shock to send a consultant into cardiac arrest.  Due to possible legal implications, it’s best to never change passwords for critical user accounts and never, I mean NEVER, delete anything.  Keep everything forever, or as long as you can afford somewhere to store it.

Travel

Method:  Agents need to be flexible and mobile.  Everything is done on laptops.  Everything remains on laptops.  No time for that silly, trendy, cloud stuff.  No backups, no cloud sync, but OMFG do NOT let anything happen to that precious data on those roaming laptops!  Thumb drives are forgotten like Matt Damon in Interstellar, waiting for someone to give them a hug, only to have their face shield cracked open and their chip tossed away.  Shit.  Did I give away the plot?

Advertising / Marketing

Method: Hire someone quick, and get back to the conference before the food runs out.

Transportation

Method: If it’s airlines, use railroad standards.  If railroads, use airline standards.  Either way, the older the technology the better.  It’s like a cast-iron frying pan, after years of seasoning, or a vintage wine.


Municipal

Method: Deny all requests for pay increases for five (5) years, reduce promotions from once every five (5) years to once every ten (10) years, discontinue any training programs, and for God’s sake: deny all requests for stupid things like newer software and hardware.  It worked in 1995, so it should still work!  Hire a consultant to blame internal staff for every deficiency, terminate and reassign to avoid audit trails, and blame the contractor afterwards.

Federal Agencies

Method: Same as municipal, but on a much larger scale.  Every four (4) years, change direction from in-sourcing to out-sourcing, and blame the opposite for any failures that remain.  If conservatives win, out-source to private contractors, where expertise and trust are premium values; after all, when has anyone ever heard of a private contractor doing something wrong in a government position?  Then blame liberals.  If liberals win, open up the job requisition flood gates and hire at will.  However, keep GS-rating pay scales at 1995 levels to avoid asking for tax increases.  This helps ensure only the highest-quality employees are onboarded from their previous positions as private contractors or foreign exchange students.  Then blame conservatives for any failures.  Think of it as seasonal employment.

Medical/Dental Practices

Method: Hire the first contracting IT firm that actually shows up.  If they wear those spiffy-looking polo shirts with a slick company logo, they might be too expensive.  Ask if your cousin’s friend graduated tech school yet.  You know, the one who puked all over your sofa when he brought her to crash in your apartment while you were out of town.  That one.  If she’s not available, what about that kid that asked you about spark plugs while you were trying to inflate your car tires that day.


Summary

See if you can guess which of these most closely matches the photo above.

Expert Tips for SCCM Log Analysis


1. Locate cmtrace.exe (or another suitable “active” log viewer)
2. Open cmtrace.exe and click “yes” to register it as default log viewer
3. Consume precisely 5 quarts of a strong, caffeinated liquid substance
4. Browse to location (folder) with log files and double-click desired log file
5. Rub eyelids approximately 12 times, make sure to yawn fully and loud
6. Stare at log details and look for any lines colored in red.
7. Ignore red lines which do not actually display an error, but are instead mentioning that they’re looking for an error
8. Ignore yellow lines which do not actually display a warning, but instead show mention of looking for warnings
9. Rub eyelids 12 more times.
10. Announce to whomever interrupts that you’re busy reviewing log files (the louder the better)
11. Open another log file (selected at random)
12. Stare intently at one line, without scrolling
13. Rub chin, squint, and nod slightly. You may also say “hmmmm”
14. Scroll and repeat step 12
15. Repeat steps 10 through 13, approximately 5 more times.
16. Open browser and begin searching for fragments of error messages along with “sccm error log…”
17. Inhale deeply, exhale loudly.
18. Consume more caffeinated liquids
19. Rub eyes some more
20. Lunch break.

5 Myths of Modern IT


These are just five (5) of the most common statements/assertions/quotes I’ve overheard over the years while working in IT.  Every time I hear them, I have to take a deep breath and suppress my inner angst (to put it mildly).  This post isn’t all that funny actually, but I ran out of coffee and it’s too late for bourbon on a weeknight.  So I attached my custom-fit tin-foil hat and henceforth pontificate…

“The goal of Automation is that it frees up employees to focus on other important tasks”

Conceptually, this is plausible.  But, and this is a big BUT (and I cannot lie, all you other brothers can’t, oh never mind…), it depends on the source.  ‘Who’ initiates the push towards automation is what determines the validity of this statement the most.  If the premium placed on automation is cultivated in the ranks, this statement can be, and often is, very real.  However, when it’s initiated from the “top” (usually business, rather than technical ranks) it’s almost always (okay, 99.999999999999999999999999999999999999999999999999999999999% of the time) aimed at reducing staff and employee costs.

I’ve seen various spins and flavors of this, depending upon business culture.  The “reduction” can range from departmental shifts, to demotions, contracting-out, layoffs, and outright terminations (depending upon applicable labor laws).  Indeed, as much as I love (and earn a handsome living on) business process automation, using IT resources, I never allow myself to forget the ultimate goal: to reduce human labor demand.  The more I spend time with non-IT management, the more I see evidence to prove this assertion every day.

With that said, if your particular automation incentives are derived internally, push onward and upward.  Don’t let me talk you out of that (why would I?)

“The value of the cloud is that it enables on-prem expansion with fewer constraints”

This is a contextual statement.  Meaning, taken out of context, it is indeed a valid statement.  However, when inserted into standard sales talk (also commonly and scientifically referred to as “talking shit”) it’s often sold as being the premium value in the over-arching model.  In reality, I have seen only two (2) cases, and only heard of two (2) others, out of dozens of cases, where an infinite hybrid model was the ultimate goal of a cloud implementation project.

The majority of enterprise cloud projects are aimed at reducing on-prem datacenters, often to the point of complete elimination.  There’s nothing inherently wrong with that; it makes good business sense.  But selling it under a false pretense is just wrong.  Indeed, of the last five (5) cloud migration projects I’ve been involved with, the customer stated something akin to “I want to get rid of our datacenters” or “I want all data centers gone“.  The latter quote came from a Fortune 100 company CIO, with a lot of datacenters and employees.

“Who needs sleep?”

Don’t fall victim to this utter bullshit.  If you believe you only need a “reboot” as often as your servers do, you’re putting your own life at a lower value than common hardware.  If you’re a “night owl”, that’s fine, but only as long as you adjust your wake-up time to suit.  Always ask yourself where this inclination to never sleep starts.  Is it coming from management?  From your peers?  From personal habit?  If it’s coming from management, move on to a better workplace.  If it’s coming from your peers, you need to expand your network.  If it’s coming from personal habit, fix it.

A few years ago, I fell into the habit of working myself almost (literally) to death.  Mostly from what I call “code immersion”.  That urge to “get one more line done” and then another, and it never ends.  I was averaging 2-3 hours of sleep over the course of a year.  It finally caught up to me in a very bad way.  I’ve since taken action to prevent that from happening again.  I’ve seen way too many people die from not taking care of themselves.  Way too many.  Don’t be another statistic.

“This is cutting edge”

I have another quote (and I’m still trying to identify the true source of it), that runs counter to that: “We live in ancient times“.

Everything we do in IT, and I mean EVERYTHING, will be gone from this Earth long before most of the furniture in your house.  Long before your house is gone.  Statistically speaking, this is a valid statement.  Information Technology is a process, not an end result.  It’s a process of optimizing information access and accuracy, which evolves over time.  The tools and technologies employed to that purpose also evolve.

“The customer is always right”

If they were, then why do they need you?  And more importantly, why are they paying you to help them?  That said, the customer holds the purse strings, and the promise of future work, so don’t ever charge out of the gate with a smug demeanor.  Every new customer engagement should start off deferential.  It should then evolve and progress based on circumstances and communication.   However, anyone who works in IT and insists that the customer is “always right” is misguided or just stupid AF.

Honorable mentions (phrases that annoy the $%^&* out of me)

  • “You can’t afford NOT to!”
  • Excessive use of buzzwords like “holistically”, “literally” and “ummm”
  • “It pays for itself!”
  • “It’s the next ______, only better!”
  • “Why? Because ours is a better solution”
  • “The Cloud is a fad”

Summary

Everything you read above could, quite possibly, be entirely rubbish.  After all, I’m a nobody.  I just call it as I see it.

Top 10 Reasons Your Job Might be Automated

10. Machines don’t give a shit about your favorite sports team, movie, TV or streaming series, cars, food, drinks, types of women or men, tasteless jokes, what you did last night or over the weekend, or what programming language you think is the best.
9. Machines don’t need restroom, smoke, vape, or lunch breaks
8. Machines don’t need to get their kid from the school nurse
7. Machines don’t ask for a raise or better benefits
6. Machines don’t need to rest
5. Machines work faster than you
4. Machines can do the work of more than one of you
3. Machines are better at analytical processes than you’ll ever be
2. Machines don’t hoard information about their job
1. Machines don’t sue their employer

Even funnier, is that most people are convinced that THEIR job could never be automated.  No matter what profession they’re in.  Let’s list off some of the folks who were convinced of this as well:

  • Telephone operators
  • Mail sorters
  • Grocery store clerks (in many places)
  • Surveillance aircraft pilots
  • Security guards
  • Punch card handlers
  • Carpet weavers
  • Stock market traders
  • Food and drink vendors
  • Waiters (in many places)
  • Newspaper deliverers
  • Gas station attendants (in most places)
  • Librarians (in most places)
  • Milk delivery (in most places)
  • Movie set demolition experts
  • Camera Film Developers
  • Data center rack engineers (I already hear that giant sucking sound Mr. Perot mentioned)

SCCM and Chocolatey


Trying to leverage goodness from various mixtures of Chocolatey with SCCM is definitely not new. Others have been playing around with it for quite some time. However, I wanted to pause from a month of mind-numbing work-related things to jot down some thoughts, realizations, pontifications, gyrations and abbreviations on this.

Much of this idiotic rambling that ensues hereinafter is based on the free version of Chocolatey.  There is also a “Business” version that offers many automation niceties which you might prefer.  There’s a lot more to this Chocolatey thing than I can possibly blabber out in one blog post (even for yappy little old me), such as the Agent Service features, packaging, and more.  Visit http://chocolatey.org for more.

1 – Is it “Better”?

No.  It’s just different.  But, regardless of whether it “fits” a particular need or environment, it’s often nice to know there’s another option available “just in case”.

2 – Who might this be of use to?

I can’t list every possible scenario, but if you line up the potential benefits, they point mostly to remote users who have no access to a public-facing (or VPN-exposed) distribution point.  It also largely negates the need for any distribution resource, even cloud based (Azure, AWS), since there’s no need for staging content unless you want to do so.

3 – How does SCCM fit?

At this point (build 1703) it’s best suited for use as a Package object, since there’s no real need for a detection method, or making install/uninstall deployment types.  A Program for installation, and another for uninstallation, are pretty much all that’s needed.

4 – How does an Install or Uninstall work via SCCM?

As an example, to install Git, you would make a Package, with no source content, and then create one Program as (for example only) “Install Git” using command “choco install git -y”, and another as “Uninstall Git” using “choco uninstall git -y”.  (Caveat: some packages incur dependencies, which may throw a prompt during an uninstall.  For those you can add -x before the -y, but refer to the Chocolatey documentation for more details.)

5 – How do you push updates to Chocolatey apps via SCCM?

You can use the above construct with a third Program named “Update Git” (for example) with command “choco upgrade git -y”.  Another option (and my preference) is to deploy a scheduled task that runs as the local System account, to run “choco upgrade all -y” at a preferred time or event (startup, login, etc.).  And, as you might have guessed by now (if you haven’t fallen asleep and face-planted into your cold pizza), someone has done this for you.
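The scheduled-task option described above, as an added example (this is not the post’s script, nor the one it links to). It registers a task that runs “choco upgrade all -y” as the local System account at startup and once a day. The task name, log path, daily time and the internal repository URL are my own assumptions; the one security-relevant choice is the explicit --source, because a task that runs as System and pulls from whatever source is configured executes as System whatever that source serves.

```powershell
# Added example: register the "choco upgrade all -y" task the post prefers.
# Assumes choco.exe is on the machine PATH (the Chocolatey installer adds
# %ProgramData%\chocolatey\bin) and that an internal package repository exists.

$TaskName = 'Chocolatey Upgrade All'                      # assumed name
$LogPath  = Join-Path $env:ProgramData 'chocolatey\logs\upgrade-all-task.log'
$Source   = 'http://internal-repo.example/chocolatey'     # placeholder URL

# The three SCCM Program command lines the post describes, for reference:
#   Install Git   : choco install   git -y
#   Uninstall Git : choco uninstall git -y
#   Update Git    : choco upgrade   git -y
# This task replaces the per-package "Update" Program with one upgrade of everything.

# Run through cmd.exe so stdout/stderr land in a log file the task scheduler
# would otherwise discard; --source pins upgrades to the trusted repository.
$Action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c choco upgrade all -y --source=`"$Source`" >> `"$LogPath`" 2>&1"

# Two triggers: at startup (the event the post mentions) and daily at 03:00.
$Triggers = @(
    (New-ScheduledTaskTrigger -AtStartup),
    (New-ScheduledTaskTrigger -Daily -At '03:00')
)

# Local System, highest run level: choco needs to write to %ProgramData% and
# Program Files, and packages may install services or drivers.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Catch up if the machine was off at 03:00, and kill a hung upgrade after 2 hours.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2)

# -Force replaces an existing task of the same name, so re-running is safe.
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Triggers `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Quick check that the task exists and is enabled.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Deploy this script itself as an SCCM Package/Program (no source content needed), and it will land on every client in the collection. If a package in the repository gets replaced with something else, every machine running this task installs it as System on the next run, so the repository’s write access deserves the same control as the SCCM content library.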

6 – Can you “bundle” apps with Chocolatey with or without SCCM?

Absolutely.  There’s a bazillion examples on the Internet, but here’s one I cobbled together for a quick lab demo a while back.  This one feeds a list of package names from a text file. You can also hard-code the list, or pull it from anywhere that PowerShell can reach it (and not just PowerShell, but any script that you can run on the intended Windows device).
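An added example of the text-file-driven bundle the paragraph describes (this is not the post’s lab script). The file path, the source name and the list format (one package id per line, “#” comments allowed) are my assumptions. It reads the list, installs each package, treats the exit codes Chocolatey documents as success (0, 1641, 3010) as success, and exits with a code SCCM can interpret, so a Program running it reports a reboot-required or failed result correctly.

```powershell
# Added example: install a list of Chocolatey packages from a text file.
# Assumes choco.exe is on PATH and a source was registered beforehand with
# 'choco source add -n=internal -s=<url>' (name is an assumption).
param(
    [string]$ListPath = (Join-Path $PSScriptRoot 'packages.txt'),
    [string]$Source   = 'internal'
)

# Exit codes Chocolatey documents as success (1641/3010 mean a reboot was
# initiated/is required). Anything else is a failed install.
$OkCodes = @(0, 1641, 3010)

function Get-PackageList {
    param([string]$Path)
    # Skip blank lines and '#' comments, trim whitespace, drop duplicates.
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Select-Object -Unique
}

function Install-ChocoPackage {
    param([string]$Id, [string]$Source)
    # A package id is letters, digits, '.', '-' and '_' only. Rejecting anything
    # else keeps a stray line in the list from turning into extra choco arguments.
    if ($Id -notmatch '^[A-Za-z0-9._-]+$') {
        return [pscustomobject]@{ Package = $Id; ExitCode = -1; Result = 'RejectedId' }
    }
    & choco install $Id -y --source="$Source"
    $code   = $LASTEXITCODE
    $result = if ($OkCodes -contains $code) { 'Installed' } else { 'Failed' }
    [pscustomobject]@{ Package = $Id; ExitCode = $code; Result = $result }
}

$results = foreach ($pkg in (Get-PackageList -Path $ListPath)) {
    Install-ChocoPackage -Id $pkg -Source $Source
}
$results | Format-Table -AutoSize

# Aggregate exit code for the calling SCCM Program: 1 if anything failed,
# 3010 if any package wants a reboot, 0 otherwise.
if ($results.Result -contains 'Failed' -or $results.Result -contains 'RejectedId') { exit 1 }
elseif ($results.ExitCode -contains 3010 -or $results.ExitCode -contains 1641) { exit 3010 }
else { exit 0 }
```

A constructed packages.txt for it would look like:
“# lab baseline”, then “git”, “7zip”, “notepadplusplus” on their own lines. The aggregate exit code matters more than it looks: with a plain loop that swallows errors, SCCM reports Success even when half the bundle never installed.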

7 – What about MDT?

Here’s a twist, you can deploy Chocolatey packages using MDT, or deploy MDT using Chocolatey.  How freaking cool is that?  If you sniff enough glue, you might even construct a Rube Goldberg system that deploys itself and opens a wormhole to another dimension.  By the time you find your way back, America will be a subsidiary of McDonald’s and we have real hoverboards.

8 – What about applying this to Windows Server builds?

You can.  I’d also recommend taking a look at BoxStarter and Terraform.  I built a few BoxStarter scripts using GitHub Gists for demos a while back.  Here’s one example for building an SCCM primary site server, but it’s in need of dusting off and a tune-up.  You can chop this up and do things all kinds of different (and probably better) ways than this.

The list of automation tools for building and configuring Windows computers is growing by the day.  By the time you read this sentence, there’s probably a few more.  Hold on, there’s another one.

PS – If you get really, really, reeeeeeally bored, and need something to either laugh at, ridicule or mock, you can poke around the rest of my Github mess.  I don’t care as long as you put the seat back down after flushing.

Interview: Mike Terrill

Introduction

Each “interview” I’ve done has been a wildly different experience. This one was impacted by logistics and direction changes.  By that, I mean both Mike and I were in the midst of major scheduling demands; Mike is also navigating a job change, which always makes it tough to insert extracurricular activities (like half-brained bloggers nagging people with questions).

Mike is one of my short-list, go-to people for information about things related to deploying and managing Windows devices via System Center technologies.  I’m not implying that’s all he’s good for, but that’s how I discovered his blog and Twitter feed. Mike is also one of several people I tried (and failed) to meet in person during Microsoft Ignite 2016 in Atlanta, due to crazy schedules, navigational challenges, and caffeine shortage.  I’m planning to be at Ignite 2017, so I’m going to be more diligent in meeting people (those that want to meet me in person, that is).

Name: Mike Terrill

Job Title: OS Engineer

1. Describe what you do for a living – to someone who has no idea what it means.

Architect systems to deploy and manage Windows devices electronically without touching them.

2. How did you get into this type of work?

I have always been interested in computers since the day when I got my first computer – C64. I was big into cars during high school and college, and I wanted to work on automotive computer systems when I graduated. I ended up getting into systems management instead.

3. What area or aspect of technology are you most excited about?

Self-driving cars and connected cars – people are idiot drivers and half of them should not be behind the wheel. It is exciting to see the progress in this area. The Systems and Industrial Engineering Department at the University of Arizona is one of the leaders in this space and has been ever since I was there in the 90s.

4. What gives you the most satisfaction today?

Family vacations, cart racing and Megadeth concerts.

5. Name the 3 most inspiring people in your life or career?

My parents and my wife. My parents taught me how to work hard to meet my goals. My wife has helped me make my career decisions, including my recent one (but she still thinks it is called SMS since I gave up talking to her about it a long time ago).

6. If I hadn’t gone into this field, I’d probably be…

an automotive engineer with an emphasis on engine (computer) management systems. I had a Mustang GT 5.0 growing up that I not only turbocharged, but I replaced the Ford computer system with a fully programmable aftermarket computer system that provided engine management.

7. Favorite place to travel?

Hawaii (second to that would be Mars with skatterbrainz of course).

[edit: oh, this poor guy]

8. What 3 books, movies or other works have influenced you most in life?

Millionaire Next Door, Smart Couples Finish Rich, and of course one of Kent Agerlund’s books. The first two teach basic common financial sense and these concepts should be taught in high school. Kent’s books teach Configuration Manager common sense.

9. There’s never enough …

time in the day (or money).

10. There’s way too much …

hatred (and big government).

11. What’s your favorite sound?

Dave Mustaine’s guitar.

12. What would you say to those who insist that technology has only made life worse?

I would say “What about all of the technology that is now making things possible for disabled people that previously were only a dream?” Technology has made life better, not worse. Sometimes people use technology for bad things (like the recent WannaCry ransomware), but that is a people problem, not a technology problem.

13. How do you feel about the importance of college degrees, and certifications as it pertains to IT careers?

Do those credentials mean as much, or more, than they used to? Yes and no. There is still a need for advanced education. Formal college degrees and certifications show one’s desire and persistence to complete a goal (and hopefully learn in the process). However, there are plenty of smart individuals out there that do not have formal education. As for IT, it is a mixed bag. Some people happened to fall into IT as a career and probably should be in a completely different field (skatterbrainz knows what I am talking about – just read his tweets from his projects).

[edit: omg – I promise I did not bribe anyone for that mention]

14. You’ve crashed on a remote island along with 4 other engineers, and 5 sales people. There’s only enough food for five people total to last a week. What do you do?

The 5 sales people will end up drowning since they believe they can walk on water. That will leave enough time for the engineers to come up with a plan and get off the island.

[edit: there is an alternate theory that the sales people will ultimately survive by way of verbally ‘synergistically envisioning’ the engineers to death]

15. If you could go back in time and change one piece of technology to end up better today, what would it be, and why?

Hmm…this is a tough one, but it would probably be with something that helps people or saves lives.

More about Mike

Mike’s twitter profile

Mike’s blog

Arizona Systems Management Users Group


SCCM Collection Queries by Server Role


Rather than spew forth a bunch of sample queries, I’ll just hand you a virtual fishing rod, a case of imaginary beer, and point you to the make-believe boat.  This little procedure came in handy today with a customer I was helping.  I hope it helps you as well…

  • Device Collections
    • Create Device Collection
      • Name: Servers – WDS Servers (example)
        • Limiting collection: (whatever has servers with clients)
        • Use incremental updates for this collection (check)
        • Add Rule > Query-Rule
          • Name: 1 (or whatever you want, I’m lazy)
          • Edit Query Statement:
            • Omit duplicate rows (check)
            • Criteria tab
              • “Select” button (click it)
              • Class = Server Feature
              • Attribute = Name (click OK)
                • Is Equal To (leave as-is)
              • Click the “Value” button
                • Select an appropriate Feature Name
                • Enjoy a cold one!
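The same collection the click path above produces, built with the ConfigurationManager PowerShell module instead, as an added example (not part of the original post). The site code, limiting collection name and the feature name are my assumptions; feature names are whatever hardware inventory reports in Win32_ServerFeature.Name, so check the Server Feature class is enabled in your client settings before expecting members. The WQL is what the console’s query designer emits for Class = Server Feature, Attribute = Name, Is Equal To, with “Omit duplicate rows” adding the distinct.

```powershell
# Added example: create "Servers - WDS Servers" with a Server Feature query rule.
# Assumes the ConfigurationManager module is installed (console host) and that
# the limiting collection already exists. Site code and names are placeholders.

$SiteCode    = 'PS1'                           # placeholder site code
$Limiting    = 'All Servers with Client'       # assumed existing collection
$FeatureName = 'Windows Deployment Services'   # as inventoried in Win32_ServerFeature.Name
$CollName    = 'Servers - WDS Servers'

# The feature name is spliced into a WQL string literal; a quote or backslash in
# it would break the query, so refuse such values rather than try to escape them.
if ($FeatureName -match '["\\]') { throw "Unsupported character in feature name: $FeatureName" }

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"

# WQL the console builds for: Server Feature / Name / Is Equal To <value>,
# with "Omit duplicate rows" checked (the distinct).
$Query = @"
select distinct SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_SERVER_FEATURE
    on SMS_G_System_SERVER_FEATURE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SERVER_FEATURE.Name = "$FeatureName"
"@

# RefreshType Continuous = the "Use incremental updates" checkbox.
if (-not (Get-CMDeviceCollection -Name $CollName)) {
    New-CMDeviceCollection -Name $CollName -LimitingCollectionName $Limiting `
        -RefreshType Continuous | Out-Null
}

# Rule name "1" in the post; a descriptive one costs nothing.
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollName `
    -RuleName "Has feature: $FeatureName" -QueryExpression $Query

# Verify: list the rules on the new collection.
Get-CMDeviceCollectionQueryMembershipRule -CollectionName $CollName |
    Select-Object RuleName, QueryExpression

Pop-Location
```

Change only $FeatureName and $CollName to produce one collection per role (DHCP, DNS, Hyper-V and so on). Since the membership comes from inventory, a server whose role was removed drops out on the next incremental evaluation, which makes these collections a reasonable target for role-specific configuration baselines and patch deployments.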