Ch@n%e M@na%em&nt

Posted by Jim Goodwin | Posted on Tuesday, March 23, 2010

are not dirty words!!

Change Management is one of those phrases that immediately gets a negative reaction.  For many IT professionals change management brings to mind a life-stealing process that turns the simplest little modifications into major pilgrimages that require authorization from every person in the organization, several external entities, and a couple of supreme beings as well. And certainly there are some organizations that have perverted the concepts of change management into some sort of change-denial process in a misguided attempt to achieve stability.

First, let's set the record straight: change management is not about preventing changes. The goal of change management is really to promote an environment of controlled (read: documented) changes that have undergone review where necessary to ensure that one fix doesn’t break five more things. It is critical that change management allows needed changes while enforcing accountability, repeatability, and report-ability. The stability and recoverability of our systems require us to know which changes are and are not being made, and system stability and availability are our primary concern as system/network administrators.

So how do we design change management processes for our organizations that meet these goals:

  • Be Accountable
  • Do it the Same Everywhere
  • Write that Down

The first goal of change management is increasing accountability, and this is easily accomplished by simply putting a procedure in place that requires that all changes (no matter how small) be authorized by someone in a position of authority. Somebody has to step up and take the heat or praise for OK’ing the change. Now the key to not letting change management run amok is to keep the scope of the change matched to the scope of required authority. In other words, downloading definition updates for the antivirus on a server does not require the authority of the CEO, CFO, COO, or really any member of the executive management team. The server admin or network manager should be able to make that call. And by the same token, you should not let the server admin authorize an OS upgrade without a change of that scope going through a significant review to discover and mitigate any potential issues prior to the implementation of the change. Scoping the changes is really key to ensuring that small changes are not held up needlessly. Many organizations have very formalized Change Review Boards or something like them that must meet and review all changes, and those formalized processes can work quite well as long as we remember scope and have procedures in place to address when the full board has to review a change and when only certain relevant subsets of the board are required.

Our second goal is to ensure that changes (like client configuration or security) are repeatable. Many of the smaller changes that we make regularly are designed to correct application issues, OS hangs, browser security, and the like, and it is vital that once we diagnose, implement, and test a solution we be able to deploy that exact identical change to many other systems. There are lots of tools to help us repeat those changes in an automated fashion, but what we are really concerned most with is not the speed of dissemination but ensuring that every system gets the same changes. The slippery slope here is that without automation tools like scripts, the steps of the change may not be replicated identically on each system, and that becomes even more likely as the length of the change process increases. That is what makes our third goal so important to ensuring that our changes are standardized and deployed identically.

The third goal of our change management process is to ensure that all changes are documented. Documentation provides the audit record to follow up on accountability and repeatability, and may even be a compliance requirement depending on our organizational needs. Two of the most important reasons for documentation are recovery operations and emergency changes. If we need to recover all or part of our infrastructure, it is vital that we have up-to-date information about the state of our systems, and that state information may not always be stored in the form of a backup. Maybe I’m just paranoid but I like to have full written documentation as well as electronic backups when I need to do a recovery so that even if there is a problem with my backup, I can still rebuild the environment. And it would be entirely unrealistic to expect that every change that ever happens will go through the change management or change review process. Certainly we should always plan to adhere to the change management policy, but also plan for those circumstances that will arise where changes need to be made outside of the standardized process. These events should be few and far between, but it is vital that we have an exceptions process to ensure that when an exceptional circumstance does occur, someone is held accountable for having made that decision and the change that was made is recorded in the event that we need to roll it back. Lastly, we need to have all of that information recorded so that problems that might not arise for several days as a result of that change can be tracked back to the change and reversed as necessary.

So you can see that the change management process for your organization will be designed around your culture, size, and business requirements and be entirely unique to your organization.  That being said, while your change management policy will be unique it should be composed of selections of standard components such as change documentation procedures, change review process, exceptions procedures, and change management forms/requests.  Standard elements selected and arranged based on your individual needs.

So change management doesn’t have to be a change-killing process; if properly designed and implemented, it serves as a process to monitor and record change. Alright now…

Go Out and Make Some Changes.

Security as a Process

Posted by Jim Goodwin | Posted on Friday, March 19, 2010

Microsoft TechNet has a great article on the 10 Immutable Laws of Security, and of all the truisms presented there the most important of all of them is briefly mentioned in the 10th Law.

“security is journey, not a destination”

Secure is not some Utopian locale that you can arrive at by implementing security policies and following best practices.  Secure is an unachievable ideal that we must strive for but know that we can never realize. So that leads us to the idea that security is a process, and that process is really Risk Management. The Institute for Security and Open Methodologies (ISECOM) in the OSSTMM 3 defines security as "a form of protection where a separation is created between the assets and the threat. This includes but is not limited to the elimination of either the asset or the threat." and risk management is essentially the process of evaluating and then mitigating the threats to assets.

Now every security professional knows that information security is really an exercise in risk management, but there is a world of difference between knowing and practicing, as evidenced by the daily news of security breaches around the globe. So why is there this disconnect between knowledge and implementation? I believe that many well-meaning non-security IT professionals just plain struggle with putting risk management concepts into actions and procedures. Policies are written by the security professionals, but the procedures to carry forward and enforce those policies are often written and managed by system administrators, network administrators, network managers and the like. So in a blog about making the day-to-day experience of an administrator a little easier, why would I write an entry on security? It’s simple really: while security issues may not pop up every day, their arrival, however infrequent, is sure to make your day much longer and more stressful.

So let's look at the risk management process and how it applies to our day-to-day operations.

Risk Management

First we have to figure out what assets we have and what it would cost us to lose them. Some things like servers, switches, desks, etc. are pretty easy to enumerate and assign dollar values, but we also have to calculate the value of our data stores and other ethereal resources such as reputation and brand value. There are several ways to establish a valuation chart for our assets, but 2 of the most popular are dollar values and relative valuation. Relative valuation involves assigning values from 1 to 100 or 1000 for assets, with the highest valued assets being assigned the highest numbers. I personally favor a hybrid system utilizing both relative and absolute dollar value by first ranking assets by relative value and then filling in dollar values for known assets and finally assigning dollar values for the less obvious items based on their relative rank. We will use these values a little bit later.

Second we have to identify what threats or risks exist to our assets, such as losses due to malware infestation, equipment failures, accidents, catastrophes, and even malicious attacks. This is easily the most involved part of the process, as we have to document every potential loss no matter how small or large. I suggest breaking common threats such as viral infestation into several scoped entries such as Major, Minor, and Inconsequential infestations, as the potential for loss varies based on the scope of the incident.

The third part of our process is to determine what vulnerabilities might exist in our systems and policies that increase our risk of loss. Vulnerabilities come in many disguises including mis-configuration, default settings, missing patches, poor policies, and many others. We must also identify exposures to risk such as allowing access to confidential data. Now obviously we have to be able to use our data, but its very availability is a risk to that data. I am not suggesting that we not make data available, but merely that we document the risk; later we will determine which risks we can mitigate and which ones we just have to live with and, even more importantly, how we can potentially reduce the surface area of those exposures that we do have to accept. A great example would be to make the data accessible but control carefully who it should be accessible to and under what circumstances.

Prioritizing threats is our fourth step and where we finally start putting all the pieces together.  In order to recognize which threats represent the greatest risks to our businesses we have to plug all this information that we have gathered into a simple formula:

Single Loss Expectancy (SLE) * Annual Rate of Occurrence (ARO) = Annual Loss Expectancy (ALE)

Single Loss Expectancy represents the potential dollar loss for an incident. Now most incidents do not result in total loss but rather a partial loss of value or revenue, and you do need to think not just about direct losses but also indirect losses such as lost revenue during a recovery, additional labor cost for said recovery, unrealized revenue, and other associated costs. You can get some excellent averaged statistics from several sources such as those listed below:

The Internet Crime Complaint Center

The SANS Institute

IBM X-Force Security Research

These same sources will also give you information regarding the Annual Rate of Occurrence of these types of incidents. Note that some of these items will have an ARO of less than one per year and so will be represented by decimal values less than one.

Finally, by multiplying the SLE and ARO you will arrive at the expected Annual Loss, and armed with that information you will be able to prioritize threats and determine the effectiveness of your mitigation efforts.

You are now ready to develop and implement mitigation strategies to reduce your risk of loss. By evaluating the potential for loss versus the cost to reduce or eliminate that potential, you can make informed decisions about how best to allocate your limited IT Security resources to the most effective applications. And by repeating this kind of analysis each year you can develop trend data that will show the true effectiveness of your mitigation strategies.
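The four steps above carried through in Python, as an added example that is not from the original post. Every asset, threat, rate and cost is constructed sample data, and the linear interpolation used to turn relative ranks into dollar values and the `exposure` fraction are assumptions of this example.

```python
from dataclasses import dataclass, replace

# Constructed sample data: name -> (relative rank 1-100, known dollar value or None)
ASSETS = {
    "customer database": (100, 500_000.0),
    "brand reputation": (80, None),
    "file server": (60, 20_000.0),
    "internal wiki": (40, None),
    "workstations": (20, 8_000.0),
}


def fill_dollar_values(assets):
    """Hybrid valuation: keep known dollar values and derive the rest from rank.

    Assumption of this example: an unknown value is interpolated linearly
    between the two nearest ranked assets whose dollar value is known.
    """
    known = sorted((rank, usd) for rank, usd in assets.values() if usd is not None)
    if len({rank for rank, _ in known}) < 2:
        raise ValueError("need known dollar values at two different ranks")
    values = {}
    for name, (rank, usd) in assets.items():
        if usd is None:
            for lo, hi in zip(known, known[1:]):
                if rank <= hi[0]:
                    break  # lo/hi bracket the rank (or are the outermost pair)
            slope = (hi[1] - lo[1]) / (hi[0] - lo[0]) if hi[0] != lo[0] else 0.0
            usd = max(0.0, lo[1] + (rank - lo[0]) * slope)
        values[name] = round(usd, 2)
    return values


@dataclass(frozen=True)
class Threat:
    name: str        # scoped entry, e.g. "Malware (Major)"
    asset: str       # asset the incident hits
    exposure: float  # fraction of the asset's value lost per incident
    indirect: float  # recovery labor, lost revenue and similar, per incident
    aro: float       # incidents per year; below 1 for rarer events

    def sle(self, values):
        """Single Loss Expectancy: direct partial loss plus indirect loss."""
        return round(values[self.asset] * self.exposure + self.indirect, 2)

    def ale(self, values):
        """Annual Loss Expectancy = SLE * ARO."""
        return round(self.sle(values) * self.aro, 2)


THREATS = [  # constructed figures, one entry per threat scope
    Threat("Malware (Major)", "customer database", 0.30, 50_000.0, 0.1),
    Threat("Malware (Minor)", "file server", 0.05, 2_000.0, 4.0),
    Threat("Malware (Inconsequential)", "workstations", 0.0, 150.0, 30.0),
    Threat("Disk failure", "file server", 0.25, 3_000.0, 0.5),
    Threat("Confidential data exposure", "brand reputation", 0.10, 10_000.0, 0.2),
]


def prioritize(threats, values):
    """Highest Annual Loss Expectancy first."""
    return sorted(threats, key=lambda t: t.ale(values), reverse=True)


def net_benefit(threat, values, annual_cost, mitigated_aro):
    """Loss avoided per year by a control, minus the control's yearly cost."""
    after = replace(threat, aro=mitigated_aro)
    return round(threat.ale(values) - after.ale(values) - annual_cost, 2)


if __name__ == "__main__":
    values = fill_dollar_values(ASSETS)
    for t in prioritize(THREATS, values):
        print(f"{t.name:28} SLE {t.sle(values):>10,.0f}  "
              f"ARO {t.aro:>5}  ALE {t.ale(values):>9,.0f}")
    major, minor = THREATS[0], THREATS[1]
    # A $3,000/yr control cutting minor infections from 4 to 1 per year pays off...
    print(net_benefit(minor, values, 3_000.0, 1.0))
    # ...while $15,000/yr to halve the major-incident rate costs more than it saves.
    print(net_benefit(major, values, 15_000.0, 0.05))
```

A negative `net_benefit` marks a control that costs more per year than the loss it is expected to prevent, which is the comparison the paragraph above asks for.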

Proper application of these strategies will show an ROI for your Security Dollars and go a long way in showing that IT can be a profit center for your organization instead of a cost center.  It will also cut down the number of daily fires that you have to deal with and reduce the instance of those major catastrophes that occur in every organization.

So go manage some risks.

 

What’s going on…

Posted by Jim Goodwin | Posted on Thursday, February 04, 2010

In the world of network management, you’ve got to have information. You have to know how your servers are performing, how traffic is flowing, and keep on top of the ever changing state of application and services availability. Knowing what’s happening will let you discover potential issues before they become trouble tickets and allow you to plan capacity, utilization, and availability appropriately. To that end there exists a horde of cross-network management and monitoring tools from Tivoli, Open View, Microsoft System Center, and many other smaller vendors. Being a huge fan of FOSS (Free and Open Source Software) and always on the lookout for simple but effective tools to help make life in the trenches a little easier, I recently happened upon a little known tool called pt360. “pt360” is the freeware version of Packet Trap Perspective from Quest Software. Quest makes some really great enterprise software and their free tool is just about as good and well worth the trouble.

pt360 has most of the tools that you would need to discover and monitor your network as well as a great dashboard feature that I like a lot but rather than describe everything in a 4 page diatribe I think some pictures will do the trick.

 

pt360 tools

 

pt360 dash

Now obviously Quest isn’t going to give away the house but the basic toolset that they do give you is great for smaller organizations that just don’t have the need, IT expertise, or budget for the best tools.  Setup takes just a few minutes and the app is very responsive.  It doesn’t have all the rich integration features of Packet Trap Perspective or similar tools but it also doesn't take 2 days to install, dedicated servers, 3 days to configure, and licensing from hell.  So you be the judge as to whether this little freeware app can work for you. 

Download pt360 here


Big Changes

Posted by Jim Goodwin | Posted on Thursday, January 07, 2010

Big changes indeed. New name, address, look, and focus for the blog. New post coming soon too. Look for a few posts on some great tools to make life in the trenches a little easier and a security guide too. I hope you like the changes and visit often. Let me know what you think.

Until next time....Good Day, Good News and Goodnight!


Happy Birthday!!

Posted by Jim Goodwin | Posted on Thursday, October 22, 2009

Happy Birthday. Today is the official launch of Windows 7, its day of birth so to speak. I personally have been using Windows 7 since the beta product was made available and then used the release candidate and have been on the official RTM release for about 2 months now and have never been happier with any previous release from Microsoft. My Dell Inspiron 1501 with a Dual Core 64 bit processor and 2 GB of RAM ran Vista Business Edition pretty well. I actually liked Vista and never had some of the problems that others have documented. But the change to Windows 7 was like getting a whole new computer. My laptop gets about 40% more battery life thanks to the improved power management and runs faster than ever. It boots up faster, it transfers files much faster, and in general it just feels zippier all the way around.

The new user interface is so slick and has new features that really make working on Windows 7 so much more efficient and enjoyable that I can't imagine ever going back. The OS is rock solid stable. I have not had one crash or lockup due to Windows 7 even since the beta. I have had a few issues with kernel locks in Internet Explorer 8, but most of those were resolved in the release candidate. It's not perfect but it is pretty close, closer than any Microsoft Operating System has ever been.

But don't take my word for it. I'm including some links to some of the many demos available all over the Internet. Go check it out for yourself.

http://www.microsoft.com/windows/windows-7/videos-tours.aspx

My favorite new features include Aero Snap, Aero Shake, Libraries, Jump Lists, and Federated Search. Check out the excellent video on Federated Search and search connectors below and then go get some here.



Until next time....Good Day, Good News and Goodnight!


More Windows 7 News

Posted by Jim Goodwin | Posted on Friday, April 17, 2009

The beta test for the new Windows 7 certification will be out soon. The first test released will be 70-680 MCTS: Windows 7, Configuring. The beta information is available here.

On another front…..I was installing and configuring a new Windows Server 2008 Hyper-V server earlier this week and it occurred to me just how used to some of the interface tweaks in Windows 7 I had become. I found myself trying to (Windows Key + Right Arrow) and (Windows Key + Down Arrow) among several other combinations of Aero Snap. I really have come to rely on features like Aero Snap, Aero Shake, and Aero Peek. They may seem like just nifty little bits when you read about them, but trust me they really do improve productivity. If you want to find out more about these and other cool Windows 7 features then visit the Windows Supersite. Paul Thurrott has the best Windows 7 info on the web and don’t forget the Springboard Series Windows 7 page too.

Until next time....Good Day, Good News and Goodnight!


Windows 7 - A surprising result

Posted by Jim Goodwin | Posted on Monday, March 30, 2009

Last week I took the plunge and installed Windows 7 Beta and I must say that I have been very pleasantly surprised. The clean install took 34 minutes from disk insertion to desktop and most of that time was spent on the full format of 80 GB of space. Windows found a functional driver for all but one device and I was fully installed with apps, driver updates, Windows updates, and utilities in about 2.5 hours. That's a pretty fast install.

But what about the results? Installing is one thing, running it day after day is another altogether. Battery life increased by about 40%, downloads and file copies are about 60% faster, boot up shaved about 10-12 seconds, and wireless reception strength improved. And the UI is very intuitive and not only easier to use for newbies but sure to improve productivity for Windows veterans as well. A few days of running and I am ready for the final release and will definitely upgrade ASAP. And I was quite happy with Vista SP1 running on my system and had no troubles with it but the better performance and much improved UI have convinced me.

But don't take my word for it. Download it and try it out for yourself.

Until next time....Good Day, Good News and Goodnight!

Career Express Bus Coming to Indy!!

Posted by Jim Goodwin | Posted on Monday, March 23, 2009


The Microsoft Career Express Bus is coming to Indianapolis and 11 other cities and 6 lucky souls in selected locations will win a free ride to L.A. for TechED 2009. Click on the Banner above for more details and don't forget to follow along on Twitter.

Until next time....Good Day, Good News and Goodnight!

Developing Effective Study Plans Part 2

Posted by Jim Goodwin | Posted on Thursday, March 19, 2009

What affects knowledge retention?

Your ability to retain and apply all of your knowledge to succeed at certification tests, and at your job is affected greatly by how you learn that material and how well you apply the four cornerstones of knowledge retention. The four cornerstones of knowledge retention are:

Sensory Learning
Mental Acuity
Preparation
Repetition

Sensory Learning

Let’s start with sensory learning. The more senses that you can get involved in learning something, the better you will retain the information. Just reading it or hearing a lecture about it will certainly allow you to remember some of the information but putting both together can roughly double your retention. Below is a chart showing how sensory involvement improves your retention.

Lecture 5%
Reading 10%
Audio/Visual 20%
Demonstration 30%
Discussion 50%
Hands-on Practice 75%
Application 90%

*The numbers used in this chart are not derived scientifically but are anecdotal based upon my many years of experience.

We, as humans, tend to remember the first and last things that we hear and that means that simply hearing a lecture can only allow you to retain a fraction of the information. When we add in reading the material to our learning process, we basically double our retention. Now mix in a healthy dose of audio and visual aids such as charts, graphs, animations, and sound effects and we have nearly quadrupled our retention. Next, I want you to show me and I can up my retention to roughly six times just hearing it.

Up to now, we have just been using our senses of hearing and sight. It’s time to get a little more engaged. Let’s discuss what we just heard, read about, and were shown. Actively participating in the discussion of how this information applies to your job or future job gets your mind to start processing the data and figuring out how to use it and bumps up your retention to almost ten times where we started. We’re not done yet. Now it’s time to practice what you’ve just been shown and get another sense involved. So now we are hearing, reading, seeing, speaking, and touching about this information and our retention is nearing 75%. All that’s left to make us masters of the subject is to really apply it to solving problems and completing tasks.

Since there is such a big jump in retention from Demonstration to Hands-on, there is a dangerous thought that makes us just want to start there, after all I am a Hands-on Learner. Unfortunately there are no shortcuts here, just as there aren’t any in life. The effects are cumulative and build upon each other. And if you want to see the kinds of numbers expressed in the chart, you have to apply the other three cornerstones as well.

Mental Acuity

Mental acuity or sharpness helps us to learn by focusing our faculties on the task or tasks at hand. Mental Acuity is not a matter of how smart or well educated you are; it is instead an application of all of your intellectual intelligence, emotional intelligence, and determination to a stated goal. It is being as sharp and focused as you can at each learning opportunity, whether during lecture, reading, demonstrations, or labs. If you apply all of your focus at each of these critical times, then you can begin to see really impressive gains in your retention. So remove those distractions or move yourself away from them and really give it all you’ve got.

Preparation

What we do before we hunker down to learn is even more important to our success than what we do to learn new skills. Preparation means getting oneself ready. Ready to learn but ready to learn what? We need to know what we need to know and how much of that do we know. Preparing for class, tests, life is all the same. You have to answer these questions:

What do I really need to know?
How much do I know?
How am I going to bridge that GAP?

Start by getting the details about the class, the test, the task and then conduct an honest assessment of your skills and level of mastery. Once you have identified the gap, then you can start planning how to fill in the holes and that starts with a detailed study plan. We will talk more about creating study plans a little bit later. But for now, just know that a well thought out study plan is your roadmap to success.

Repetition

Repetition is pretty self-explanatory. No one had to tell you what they meant on the shampoo bottle when it says “Lather, Rinse, Repeat as Needed”, so I won’t bore you with the details. Suffice it to say that repetition significantly benefits retention.

Until next time....Good Day, Good News and Goodnight!

Multi-part series on Developing Effective Study Plans

Posted by Jim Goodwin | Posted on Tuesday, March 17, 2009

This is the first in a series of long posts from my recent project on Developing Effective Study Plans. In this first part we will discuss different learning styles and how knowing a little about how you learn can help you learn better. Of course all content is copyrighted and unauthorized use is strictly prohibited by law. And as always, I welcome your comments.

What kind of Learner am I?

Every individual learns most effectively in a slightly different way. Some learners prefer to read books, while others say “just show me” and many learners prefer to just dive in and get their hands dirty. There is no one right way to learn anything and most of us learn different types of skills in different ways as well as combining several learning methods together. The trick, then, to effective learning is to figure out how you learn best, and then create a plan that plays to your strengths. So let’s examine the four different kinds of learners and keep in mind that though you may favor one learning method over another, we are all really combinations of all four.

The Academic Learner

Some people seem to be able to just read a book or two and instantly grasp whatever concepts and skills were covered. And they seem to just as easily turn around and then apply those same skills without having had much, if any actual experience or practice.
Those are the hallmarks of the Academic learner. Nearly all of us are Academic Learners when it comes to certain topics. Some subjects just seem much easier to learn academically. But other skills seem much more difficult to us when trying to learn them in this way. Think about some of the subjects that you may have mastered just by reading and studying books or attending classes or lectures. Some topics seem to lend themselves more easily to this learning method than others, but ultimately it really is very personal. You will find some things very easy for you to learn in this way and others will escape you almost completely. And yet someone else might be wired just a little differently.

The Intuitive Learner

Our second kind of learner is the Intuitive Learner and this person just seems to have it all come entirely too easily. Whether they read a book, attend a class, watch a demonstration, or get the training in any other way, they just seem to get it. Almost as if they already knew it.
Natural ability, that’s what it is often called. And that’s not too far off. All of us have a natural predisposition to certain subjects, and those things just come to us very easily. So easily, in fact, that often we cannot even explain why. Part of our predispositions has to do with our own interests and motivations. So take a minute to think about what types of skills have just come to you intuitively.

The Experiential Learner

The third kind of learner is the Experiential Learner, also sometimes referred to as Tactile, Kinesthetic, or just plain “Hands-on” learners. Many people identify with this type of learning and rightfully so, as nearly all of us learn some skills best by just “diving-in” and doing it. And many dexterity-based skills and physical activities heavily favor this kind of learning.
Experiential Learners prefer to just do it and want to jump right in and begin working as they learn. But just as some skills favor experiential learning, others would be very difficult to learn in this way (e.g. Physics, Math, etc.). Think about what kinds of skills you have learned experientially.

The Visual Learner

The last type of learner that we will discuss is the Visual Learner. Missouri is known as the “Show Me” state and visual learners subscribe to that same mantra. The visual learner wants to be shown how and then let alone to carry out the task. As with all of our previous learning styles, there are some skills that favor the visual method and some that do not. We tend to believe what we see and that makes visual learning very powerful. The visual learner in addition to preferring to be shown also likes to organize information visually using charts, graphics, and eye-catching colorizing schemes. Think about some skills that you have learned by being shown.

But what has all that got to do with me?

As we discussed the four different types of learners, hopefully you were able to think of some skills that you have learned in each way, and have begun to realize that you can and have learned in almost every way and that most of what you have learned was not through just one style or another, but really a combination of several if not all of them. Just imagine trying to become a world-class competitor in any sport by just reading a book about it, or how about learning accounting by just jumping in and doing it. The vast majority of us really aren’t one type of learner or another, but a composition of several types. We all favor certain styles and much of that has to do with our prior successes and our level of interest. But you can and have learned different skills through most if not all of the styles, and the most effective of all of the styles is a combination of all of them.

The more technical a skill, typically the more background knowledge that is required and computer networking, programming, and administration bear this out. To learn this type of skill you need to use several of the learner types. To get the necessary background and theoretical knowledge, you learn academically. To tie all of the concepts together with their actual implementations, you learn visually. And lastly to turn all of that knowledge into something more than just trivia, you need to learn experientially to apply your knowledge to solving problems and carrying out tasks.

Until next time....Good Day, Good News and Goodnight!