Author Archives: Cian Allner
Author Archives: Cian Allner
If you’re not using two-factor authentication for cloud applications in your organization in the UK, you may be risking a fine.
See my 'No two-factor authentication is like asking to be hacked?' post for further insights on securing cloud apps, especially using Multi-factor authentication (MFA).
The ICO revised their ‘A Practical Guide to IT Security' document while aimed at small businesses the advice is really universal.
The ICO have provided this guidance with “10 practical ways to keep your IT systems safe and secure”.
A reminder of the ICO’s authority and reach with these matters:
Breaches of data protection legislation could lead to your business incurring a fine – up to £500,000 in serious cases. The reputation of your business could also be damaged if inadequate security contributes to high profile incidents of data loss or theft.
Most businesses are using cloud applications in some capacity or are considering doing so with services like Microsoft Office 365 or Salesforce being very popular. The ICO have a section on “Secure your data in the cloud” with guidance on how to protect these systems.
There are a wide range of online services, many incorporated within today’s smartphones and tablets that require users to transfer data to remote computing facilities – commonly known as the cloud.
Processing data in the cloud represents a risk because the personal data for which you are responsible will leave your network and be processed in those systems managed by your cloud provider. You therefore need to assess the security measures that the cloud provider has in place to ensure that they are appropriate.
While I think however simplified, most of us would agree with this assertion as well as what the ICO suggest businesses can do about this:
Make sure you know what data is being stored in the cloud as modern computing devices, especially those targeted at consumers, can have cloud backup or sync services switched on by default. Consider the use of two-factor authentication especially for remote access to your data in the cloud.
The last sentence is what sparked my interest, bear in mind this is advice for small businesses, which typically comprise of 50 staff or less.
The ICO are effectively recommending two-factor authentication even for these small entities. That being the case, surely bigger enterprises must seriously consider two-factor authentication for cloud applications as well.
Without getting into the finer points of the Data Protection Act organizations have to have an appropriate level of security for the type of personal information they hold. Principle 7 is all about security.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Two-factor authentication is an entirely proportionate security measure, that is well placed to protect access to cloud-based applications.
The ICO will rarely dictate all the security measures you have to have in place, that's your job! You as an organization and a data controller must put in the right measures to mitigate potential data breaches.
With daily news of fresh data beaches, isn't it time you secure your cloud applications and enable your staff the ability to truly work from anywhere securely?
See the ICO - A Practical Guide to IT Security document for more top tips on security.
Image credits: ICO ‘A Practical Guide to IT Security’ cover & '8 data protection principles' postcard
Here you will see how to control the Office 365 ProPlus Update Channels. These were called branches previously but are now known as channels. Let's go through how you can control these channels.
With this, you can manage how you receive feature updates in Office 365 ProPlus across your organization.
For additional information check out my "Office 2016 Deferred Channel Released for Business" post.
Note much of Microsoft's documentation and settings still refer to branches, which will change over time to match the rebranding.
Here are the five options to manage Office 365 ProPlus Update Channels.
Set the Click-to-Run configuration.xml file, which is used to manage a deployment. Use the 'Branch' option. To download or install for example, in this case with the deferred channel, use Branch=“Business” setting.
Here are the valid settings you can use:
xml branch setting
First Release for Deferred Channel
First Release for Current Channel
See my "How to download Deferred Channel Office 365 ProPlus" post to see this in much more detail.
Again edit the Click-to-Run configuration.xml file, use the 'Updates' element to specify which channel to use. Use the same settings available in Option 1, refer to the table above.
This changes the update branch for an already installed product like Office 365 ProPlus. You can switch an Office 365 ProPlus installation from one update branch to another this way.
<Updates Enabled="TRUE" Deadline="02/26/2016, 00:00" Branch="DeferredChannel" UpdatePath="\\Server\Share"/>
If you allow your Office 365 end users to download Office 365 ProPlus from the User Software Page, you now have more options.
In the 'User software' section of the admin portal, with the introduction of the deferred channel, there are now some enhanced admin controls.
Starting today, IT admins also have the ability to further customize the User Software page. Admins now have the option to select the Office version and update channel (for 2016 apps only) a user can see and download directly from the Office 365 User Software Page. The changes IT admins make on the Admin Center will go into effect on February 23, 2016, giving admins the opportunity to change the default update channel and decide which install links to expose to their users.
Here you can select the default channel, with the deferred channel selected but the current channel is also an option:
Note if you previously disallowed users to download Office, these new settings in the admin portal may have overridden that preference, which you may need to revisit.
With the Office 2016 Administrative Templates in Group Policy, you can set the Office 365 ProPlus channel. With this it's possible to override the channel from what was installed originally.
Start by download the "Office 2016 Administrative Template files (ADMX/ADML)" and install these as usual.
Then in your Group Policy Object navigate to the setting:
The name of the Group Policy setting is Update Branch. You can find this policy setting under Computer ConfigurationAdministrative TemplatesMicrosoftOffice 2016 (Machine)Updates. The relevant choices when you enable the Group Policy setting are Current, Business, and Validation.
Remember 'Current' is the Current Channel, 'Business' is the Deferred Channel, while 'Validation' is First Release for Deferred Channel.
You can also use First release for select people. This then allows access to the First Release for Deferred Channel on the software download page. First release allows administrators to designate particular users to try out features in advance:
You can also provide users with First Release for Current Branch for Business by selecting them for the First Release program for Office 365. If you do this, those users can install First Release for Current Branch for Business directly from the Software page in the Office 365 portal.
There is an important note if Visio or Project for Office 365 is installed alongside Office 2016, that's a bit of a gotcha.
If you have Visio Pro for Office 365 or Project Pro for Office 365 installed on the same computer as Office 365 ProPlus, they all must use the same update branch. You can't have a mix of update branches on the same computer.
The effects of this are quite pronounced according to reports I have read. Say you're using the current channel with Office 2016, you later install Visio Click-to-Run. The Visio installation will change your Office channel to the Deferred Channel, so it matches with Visio.
Here is how you can download the new deferred channel of Office 365 ProPlus, which I talked about yesterday.
Download the Office 2016 Deployment Tool, the current version being 16.0.6612.6353.
Run the file you just downloaded, in my example 'officedeploymenttool_6612-6353.exe' or whatever the latest version is called.
Accept the prompts and chose where to extract the files. With this complete you will have a setup.exe and configuration.xml file in your chosen folder.
Leave configuration.xml as it is and create a new xml file in notepad called 'download_deferred.xml'
Here is the contents for 'download_deferred.xml', change the SourcePath to a folder on your PC
<Add SourcePath="C:\\ODT Latest\\Deferred" OfficeClientEdition="32" Branch="Business">
<Language ID="en-us" />
We are specifying the 'Business Branch" in the xml file, which is now known as the Deferred Channel. Here are the other valid settings.
xml branch setting
First Release for Deferred Channel
First Release for Current Channel
Now lets download the deferred channel of Office 365 ProPlus
setup /download download_deferred.xml
You should then see the Deferred folder appear almost immediately, as all the files are downloaded. This amounts to around 1.13 GB of data, which could take a while depending on your internet speed to download. It took a solid 20-25 minutes for me.
Today Microsoft announced the deferred channel for Office 2016. This helps Office 365 customers better manage the pace of change with Office 365 ProPlus updates.
It helps by making Office 365 ProPlus updates more predictable. You can plan ahead and test updates in advance. Read on to learn how this works.
The chart below shows what Office 365 ProPlus change management looked like originally with update branches. The idea being you could decouple new features from monthly security updates, giving you more choice in deployment.
New features are beneficial but they can sometimes be disruptive in the impact they have on staff. Also new features may break compatibility with third party software that integrates with Microsoft Office. Microsoft elaborates further on this type of situation:
For the Office 2016 software, you must choose how often you want users to get feature updates. Which frequency you choose depends on several factors, including how many line-of-business applications, add-ins, or macros that you need to test any time that there are feature updates to Office, Project, or Visio. For example, if you use specialized Excel workbooks in your business, you may want to get feature updates only every four months. This gives you time to test that your Excel workbooks work with the new features that Microsoft releases.
You want a way of deploying regular security updates, without changing anything else that could impair support.
The first point to note is no more branches. Branches were used to describe the frequency new features would be pushed out. Here are what it looks like now:
Microsoft announced this change as a refinement on what had been announced last year:
Since then, customers have expressed appreciation for the ability to have greater control over the frequency of feature changes and have more time for validation. Today, we are further refining that update model and—based on feedback—are renaming service “Branches” to “Channels.”
Here are the details with update branches being renamed to channels:
Monthly feature and security updates
Monthly security updates with feature changes every four months
First Release for Deferred Channel
Early access to the next Deferred Channel
First Release for Current Channel
Office Insider program
Microsoft hopes this change makes things clearer and I think it does to some extent:
While this naming change may seem small, we believe it will make a big difference in helping customers understand the purpose and cadence of the different delivery vehicles.
The initial release for the deferred channel is now available, it is version 16.0.6001.1061. It can be downloaded directly from the Office CDN, using the Office 2016 Deployment Tool (ODT). From Feb
The next First Release for Deferred Channel build has been released - check 'Office 365 users can now download Office 2016' post for key dates. This is "fully supported production quality build for testing". Microsoft is targeting to release this in June 2016 as a standard build in the Deferred Channel.
I have just upgraded to Docker 1.10, which is what this site runs under and it seems to have gone well.
Watch this video overview on the new features in version 1.10:
The commands were simple to upgrade the engine to version 1.10 from my Ubuntu box
sudo apt-get update
sudo apt-get upgrade docker-engine
Then after a slight pause my containers were live again and I confirmed the upgrade worked
Then to upgrade compose from version 1.5.2 to 1.6.0
curl -L https://github.com/docker/compose/releases/download/1.6.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
Then to check the upgrade succeeded
I hope to explore some of the new features in the coming weeks but it's well worth upgrading today. I'll see if there any gotchas but as far as the upgrade has gone, it been plain sailing so far.
In other news
Even smaller images are welcome, though not exactly the biggest priority
"Alpine Linux is a security-oriented, lightweight Linux distribution based on musl libc and busy box." The latest version of Alpine Linux v3.3 weighs in at a whopping 5MB. Not bad for a full blown Linux OS considering 5MB is same size as the Windows Start button.
With all the images that are downloaded from Docker Hub this well make a difference though
Just downloading the Ubuntu official image from Docker Hub is 188MB and it has been downloaded over 40 Million times which equates to over 7,520 TB of data transfer between Docker Hub and users around the world just for this single image. Multiply this by all the official images and the amount of transfer data is mind boggling.
The rest of the article has more details on this change.
Greenshot is a superb free open source screenshot capture and editing program for Windows PCs. Every IT Pro should have this program installed. Greenshot is like the Snipping Tool built into Windows but on steroids, with almost every imaginable feature.Continue reading
I am a firm believer
If the company you worked for wouldn’t properly protect their cloud-based apps, what would you do?
See my more recent post as well - 'Use Two-Factor Authentication for cloud applications or risk fines and data breaches' for more commentary.Continue reading
Learn what you can do to tackle ransomware and protect your business from this threat. A recent story about an open source ransomware kit illustrates the reach of malware. Here I cover the 'Magic' crime kit and tips on how you can protect your business from this menance.
Ransomware is everywhere, not only hurting consumers but businesses are getting hit hard as well. In the UK according to a recent report, ransomware is responsible for 42% of UK security breaches in 2015. This isn't that surprising, businesses aren’t immune to these threats.
The level of sophistication with ransomware varies with CryptoWall, TeslaCrypt, some of the big hitters in the ‘business’. Then you have more homemade solutions, reusing code or kits, from wherever they can be obtained.
Utku Sen, a Turkish security researcher, released an open source ransomware kit, EDA2, on GitHub. He was hoping it would be “suitable for education and attack simulation for companies” and used for good.
However this wasn’t just a few lines of code, EDA2 came with actual code including instructions on how to customize it. Also included was an admin panel to set up a command and control server (C&C). This is where all the encryption keys were sent, making it a complete crime kit.
What was meant as an educational tool became known as ‘Magic’ ransomware. This was used by criminals, infecting PCs and holding data for ransom. Ultimately Utku Sen
The plot thickened when Utku Sen himself was blackmailed, if he withdrew his other ransomware education project, hidden-tear also on Github, the ransomware operator would provide the Magic encryption keys, so victims could get their data back for free
“After further discussions, the blackmail attempt turned into full-on negotiations, but Utku Sen and the ransomware operator have come to an agreement. Utku will take down the Hidden Tear repository in three days while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days.”
So a happy ending of sorts but one that illustrates the toxicity of this threat and how pernicious these attacks are.
If as a business you haven’t been attacked, well done. More than likely though, most business will get hit sooner or later. As an IT Pro, there are certain steps you can take to help mitigate ransomware, which I have outlined below:
Ransomware is a menace and evolving rapidly, you can reduce the likelihood of the damage they can inflict on a business by following some of the steps I have outlined above.
Thanks for visiting my site, a big hello if you know me already and if you don't, I hope you stick around for a while. I thought I'd tell you a few things about me and my interests. This will give you some ideas on what you can expect from my site.
I am IT Professional , working for upwards of 15-20 years (gulp!) with computing. I work for a charity, with around 1300 staff and over a hundred offices around England and Scotland.
Now is a good time to say, anything I express on this site is my own opinion and isn't affiliated with my employer or anyone else for that mater.
My current professional interests, which I'll start to post about include, in no particular order:
I am writing from the perspective of an IT Pro for other IT Pros and decision makers, people making a difference with IT delivery. I'll draw upon my experience rather just writing up by the numbers articles. Hopefully, I don't come across too preachy!
This site is experimental, it's running on Docker in a series of containers, which is
Hope you like my site, look out for new articles over the coming weeks. I have already posted my first article about ransomware, which you could check out in the meantime.