My Tech Field Day Experience

Recently, I was invited to a unique experience called Tech Field Day. I had a good time and it was a great learning experience. This is something I can recommend to others – I really hope that I get the opportunity to do it again.

What is Tech Field Day?

It is a one-of-a-kind service offered by Gestalt IT. They bring together a small group of people in the technology field, whom they call delegates. The delegates interact with different companies in a presentation-style event. It is both live-streamed and recorded for later viewing. The companies that come to the event are the ones paying, since they can use it as a marketing tool. However, the delegates are not paid by the companies, as that keeps them independent. I put out less than $100 total for my time, which was for food outside of the event (really during travel time) and parking at the airport – everything else was picked up by Gestalt IT.

What happened before?

I was offered the opportunity less than two months before the event. At that point, all I knew was that I was going and Gestalt IT would be paying for the “flight and hotel and a drink or two along the way.” Shortly afterwards, I got an email that gave me the overall description of the event. It included a link to an online form that asked questions about my professional life: my Twitter handle, web site, LinkedIn URL, and a professional/personal description. This was used to create web pages that they could use to advertise the delegates. Mine can be found at

A few days later, I received another email with a link to answer some questions. These questions covered both professional and personal information. The questions are the same for all the delegates and they use the answers to create web pages that offer further details. Mine can be found at This is where creativity helps. Answers should be a little complex; definitely more than a simple yes or no. I really liked the question on ice cream since it offers a quick viewpoint of the person.

Not too long after that, their travel agency reached out to me to set up my travel. The actual presentations were three days, but they wanted me to travel the day before and allowed me to travel back the day after. That makes 5 days that were mostly paid for by Gestalt IT. The hotel is the same for everyone because most of the presentations are there. There is no direct flight for me to San Jose, CA, so I booked a flight to San Francisco and they took care of getting me down to the event hotel. With travel arranged, I waited patiently, although anxiously, for my next communication. In the meantime, I could go to and see each delegate that was getting added.

About 3 weeks before the event was when I received the next email. It was addressed to a mailing list that included all of the delegates for my event. The email described that it was a closed mailing list and it should be used for us to communicate with each other for non-public communication like asking questions to the other delegates. Gestalt IT made it clear that any discussion about presenters or event content should be done in public as they would prefer the transparency. They made it clear that we should remain independent of the companies and that included negative comments when they are deserved. Also, the email included links to the delegate pages for the group – this allowed me to see what the other delegates wrote about themselves. Ok – so now it is getting real but still a few weeks to go.

The week before the event was the next email. It provided a list of the companies presenting, with links to their web sites, and a detailed agenda of when each presentation occurs and where. Remember I wrote that most of the presentations are at the hotel? Well, a couple may be at offsite locations. For instance, we were traveling to Palo Alto Networks on Wednesday and VMWare on Thursday. One thing I noticed was how busy the agenda felt – we were starting at 7AM each day and there did not seem to be any time to rest till after dinner. Another thing mentioned was the meals plus a comment that we needed to bring a gift (about $30-$50) for a swap during our first dinner. Personally, I went to Amazon and searched for “geek gifts” until I found one I liked. With gift in hand, I packed Tuesday morning and got on the plane to start my adventure.

What about during the event?

I was lucky enough to ride down from San Francisco with another delegate so we talked about different things, which made the ride go quicker. We checked into the hotel and got ready for dinner. Before dinner, each of us was given a welcome bag with different snacks and some drinks like water, soda, and Red Bulls. However, there was a hidden agenda with the bags. They told us that they were forced to use the hotel food service for any food and that it was not cheap. However, they could not stop delegates from bringing in food.

Dinner that night was really nice – I had a great steak with a fried egg on top. In addition to drinks, appetizers, and dessert, we got to know each other using the gift swap. There was even a round of stealing gifts before they were opened – each gift was wrapped differently, so it was interesting to see why some were stolen. After a couple of hours of getting to know each other, we went back to the hotel to get a good night’s rest.

My meal at Farmer’s Union

Wednesday was three presentations with one being off-site. There was a get-together that night that included some of the vendors (including ones yet to present) and some friends from the area. Thursday started with an offsite presentation and then another back at the hotel. Since we arrived back at the hotel with some time before the last presentation, I was able to be part of a podcast panel. This gets recorded while we discuss a topic – my topic was whether security is improved as companies move to the cloud. We were able to do two of these during the week, but they will not get posted until sometime after the event.

After that, we went to a fun dinner and then a team building experience. They told us that they have had different experiences in the past such as laser tag and bowling. They chose an escape room for us. I was on the team with the CEO, Stephen Foskett. He is a really nice guy but competitive – he named us the Winning Team before we even arrived. Unfortunately, we had the hardest room and did not finish in time; however, we all agreed that we had a fun time, even Stephen. It was a good way to recharge our brains for the last day.

The “Winners Team”

Friday was another two presentations in the morning. Once they were done, our responsibilities were over but Gestalt IT was not done with us. We had some time to discuss the presentations before getting whisked away to the Apple campus. After spending some time there, we came back to the hotel and had an informal dinner. We then said goodbyes and left on different planes to rejoin our normal lives.


For starters, go to to learn more. If you would like to be a delegate, find an event that you think you would be a good fit for and there should be a link to apply. Here are some other tips if you go:

  • Do some research before you go. The Tech Field Day site has videos for all the previous events. Review some to see how they go but realize that there are other things happening.
  • Check out the blogs and postings about the other attendees. It helps to see how their viewpoints can add to the conversations. People are different.
  • Realize that you may not be the smartest person in the room but that is not what they are looking for – they want people that can add value. If you have a question during a recording, there is a good probability that someone else is curious. Ask the question.
  • Sometimes a vendor shows up and acts like it is just another presentation. Do not be rude to the vendor!! It is better to ask questions to try to help them. If it gets too bad, someone from Gestalt IT will handle it.
  • There is a private Slack room set up for the event. Use it during the presentations to talk to other delegates. Do NOT actually talk to other delegates as it will get picked up by the microphones.
  • Tom Hollingsworth (@NetworkingNerd) will probably be your emcee and main point of contact. He is a CCIE and runs a lot of the event – kind of an important guy. However, during the filming he will act as a gopher so if you need anything just reach out using Slack. You want coffee? He will get you a coffee. You want tea? He will get you a tea. You want a mocha cappuccino frappe with a half twist of non-fat soy milk? He will get you a coffee. You just have to ask.

I recommend this experience highly. If you have any other questions about it, please feel free to reach out to me about my time doing Security Field Day. Also, check out #XFD2 on Twitter to see our tweets during the event.

***Disclaimer – Gestalt IT paid for my airfare, hotel, and most of my meals. Some of the vendors gave me some small gifts like t-shirts, pens, and a solar charger. I was not paid to write this post and it was based completely on my experiences during the event.


CiscoLive and Security Field Day

This past week was Cisco’s yearly conference that they do in the US: CiscoLive, also known as CLUS. This is a conference that I like to go to but have not been able to for the last two years. Last year was due to my previous employer and changes that occurred when a new C-level manager came in. This was one of the reasons that I left. If you want to hear more, find me and we can discuss but it is not something I want to write about here.

While I did not get to go, I did try to stay involved over social media and watch the conference from afar. It is not the same as being there, but at least I did not have to fill out an expense report. I guess my social media interaction was plenty because I was named best remote attendee for a second year in a row. It is a pretty cool honor to be named the best. Next year will be different as I have already discussed going with my new company. I am looking forward to seeing all my friends that I have not been able to see in person for 2 years.

While I had to miss CLUS, next week I get to go on a brand new adventure. I have been invited to Security Tech Field Day, or XFD2. This is an event hosted by Gestalt IT that brings together some tech companies, like VMWare and Palo Alto, with independent technical influencers (like me). The event I am going to is specific to security, which is my IT specialty. There are going to be some technical presentations from each of the vendors and they will be interactive. These will be recorded and anyone can watch. For further information, head over to to see more details. While you are there, you can look at past videos of the events. Also, tune in next week to see me in the security videos.


Management and why we need it

Management can be considered the hierarchy in a company. Everyone in a company has some form of manager. Even a CEO answers to someone. Ultimately, it is the people who purchase a company’s product that manage where that company is going, because they are the ones that deliver the sales. Without sales, the company is destined for failure.

Some people need more management than others, not that there is anything wrong with that. As we progress up the proverbial corporate ladder, there is an expectation that we need less hands-on management. For the few that make it to the C-level, management is more around reading the corporate tea leaves and steering the company accordingly.

But what does it mean to manage people correctly? A good manager will communicate with reports (in both directions) and understand how much management downward reports actually need. It is extremely important to give people some level of freedom, as micro-management rarely ever works. At the same time, people need direction, and understanding how much direction is one of the keys to managing appropriately.

Respecting people is incredibly important. When management does not respect staff then they tend to not want to work as much. If there is someone that does the bare minimum of work, then that is usually a person that does not feel respected. The ones that go above and beyond are the ones that feel worthiness in their roles. They feel that their actions help the company and will want to work harder to see the company succeed. Therefore, one sign of good management is when there are valued employees that work hard and are willing to do more than their regular job duties.

How does management get to a point in which employees want to work harder? Having one-on-one conversations is a great way to hear what employees have to say. These should be on-going meetings where the employees should feel empowered to discuss the good, bad, and ugly about their jobs. Management should listen and offer constructive criticism where appropriate – never berate an employee during these meetings. Another way is to show the value of the employees. Management will need to learn what motivates each person and it is not always financial. For instance, calling out the positive actions of employees (giving kudos) can cost no money. It is an illustration that their actions are seen and respected.

People want some level of structure and this is where management needs to step in. Listen to the employees and try to understand how much structure each one needs to be given. The more senior employees will want to understand the overall direction of the company so there can be a conversation around projects that can help the success of that direction. Management should meet with the senior employees regularly to discuss their work so that it aligns with the overall direction. A horrible feeling is to spend a lot of time on a project only to be told that it does not align with the overall direction – all that work is considered worthless.

Overall, it is work by employees that allow a company to move forward. Employees that feel valued will want to work harder. Management has a responsibility to show that employees’ work is valued. This will help a company to excel. I wrote this because of my own experiences with both good and bad management. I have left a few roles due specifically to some bad managers. If you have had any experiences that you want to share, please let me know.


Catalyst 9600 Inside Scoop

Not too long ago, Cisco invited me to San Jose to get an early review of some pretty cool new products. The main products they showcased were wireless related, including some new access points to coincide with a Wi-Fi 6 product launch. However, I was more interested in their new switch: the Catalyst 9606. One of my experiences was a roundtable discussion on the Catalyst 9600 with Shawn Wargo. Below is a picture I took with Shawn and the switch – the one on the left is a display model and is not for sale.

Shawn Wargo and the new Catalyst 9600

Cisco has a great modular switch with the Catalyst 6500 series, but it is now around 20 years old. I have been running this switch for a while and I can tell you it is a true workhorse. However, it is limited by internal bandwidth. With some companies using 10, 25, 40, and even 100Gb network connections, the 2Tb bandwidth limit on the 6500 becomes a bottleneck. Now, the 6500 is still orderable as there are some features (mainly for service providers) that are available on the 6500. However, as someone that works for an enterprise, I can tell you that these features are not what I am looking for.

So, what do companies do when they want a modular corporate switch that can handle those higher speed connections to the access switches? Cisco now has that answer in the new Catalyst 9600 series. This is not an upgraded 6500; it is truly a full redesign. For instance, in the 6500 each line card has processing capabilities to offload from the supervisor card. In contrast, the 9600 has three processors on the supervisor card. This means that the supervisor card is pushing the traffic, with the added bonus that the line cards are cheaper, relatively speaking. Additionally, the 9600 supervisor has an x86 processor, RAM, and an SD hard drive, so it can run a virtual machine. Theoretically, it could run a virtual Viptela SD-WAN router or support servers like an AD controller for a branch site.

The physical features of the 9600 really show the design process that went into the switch. Anyone that has installed a 6500 into a rack knows how hard the task is, partially due to the small, metal handles on each side that can dig into your hands while two (or more) people try to get it loaded into the rack. The 9600 has four beefy handles that retract into the top of the switch. The eject handles on the line cards are definitely better than the 6500 – I cannot count how many times I have pulled on the eject arms accidentally. The 9600 line cards have solid handles that have a button on the inside to initiate the ejection process. I really do not see how anyone could accidentally start the ejection process on these new line cards. Finally, the 9600 has a bunch of fans that are all located on a single fan module. This module can be installed in either direction – eject out the front or back of the chassis. You just have to move the fan backplane module to change the eject direction. If you have to replace this module, you have about 2 minutes before you start getting thermal degradation.

Above is the video of the roundtable that I mentioned previously. In this video, we discussed some of the features in the Catalyst 9600. Hopefully, it gives you some idea on why this new switch is a great one to look into. Also, you get to see me in action so let me know if I am ready for Hollywood.


MS Intune Security Migration

I have been to a few Microsoft events that highlight how to secure company data on mobile devices. For Android devices, Android for Work allows you to segment company data while allowing the phone OS to interact with the data. For iOS devices, you can access company data through applications like Outlook but can still configure those same applications to access personal data, if you wish. The best part is that when the company is done with the device (such as when an employee leaves and the device goes with them), the company can retire it, which removes company data while keeping personal data (pictures, notes, their Angry Birds app, etc.) intact. It all looks and sounds great during those demos at Microsoft.

The problem I found is that my deployment was not as easy as advertised. Microsoft has documentation, but I found it to be lacking. So, I am going to document my configuration to help someone else get it done quickly. There are some things to know before starting. People will need to use the Microsoft approved apps for accessing company data – you can find the list at For iOS, the built-in apps cannot be used as they copy data to the device – disabling the user account would mean only new data would not be accessible, and that is not good enough. Because of this, contact sync needs to be handled by Outlook, which is a one-way sync, so any contact updates have to be handled within Outlook. One thing to note is that this breaks the security rules as contacts are copied to the local phone store; however, this needs to be done if you want to see names instead of numbers when getting a call or text. I have worked directly with Microsoft on this and could not find a way around it. Also note that the iOS device needs to be on version 12 or later, but this should already be the case as there are other security reasons to be on the latest code.

There are two places this configuration was performed: Intune and Azure Conditional Access (CA). Let’s start with the CA policies as a few are needed.

Custom Configuration Policies
  • Create a new policy and give it a name – this one is for enforcing the modern authentication apps and Intune. I applied this to a specific group as not all of my users are allowed to enroll mobile devices.
    • Cloud Apps: choose Office 365 Exchange Online and Office 365 SharePoint Online – you should see notes on the bottom that this will include other apps once those are chosen.
    • Conditions: choose Android and iOS under device platforms and Modern Authentication Clients under Client Apps.
    • Access Controls: choose Grant Access and check both “Require device to be marked as compliant” and “Require approved client app.” Make sure to choose “Require all the selected controls.”
  • Create a new policy and give it a name – this one is for blocking any ActiveSync clients as these copy data to the device. Assign it to the same users. This needs to be a separate policy or it will not work as expected.
    • Cloud Apps: choose Office 365 Exchange Online.
    • Conditions: choose Android and iOS under device platforms and Exchange ActiveSync Clients under Client Apps.
    • Access Controls: Block Access
  • Create a new policy and give it a name – this one is for blocking any other applications. Assign it to the same users. Once again, this needs to be a separate policy or it will not work as expected.
    • Cloud Apps: choose Office 365 Exchange Online and Office 365 SharePoint Online.
    • Conditions: choose Android and iOS under device platforms and Other Clients under Client Apps.
    • Access Controls: Block Access.

These have to be three different rules because Azure conditional access policies do not work well when trying to be combined. From a logical standpoint, this does not make sense to me other than to say that you need to keep your policies simple. Of course, I have a concern that too many policies will eventually cause issues but that is a different topic.
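As an added example (not from the post), here are the same three policies written as Microsoft Graph conditionalAccessPolicy JSON, with a check that enforces the one-client-type-per-policy separation the post insists on and a simplified evaluator to see how a mobile sign-in fares. The group ID is a placeholder, the app IDs are the well-known Exchange Online and SharePoint Online IDs, and the evaluator is a model of the documented rules, not Microsoft's engine.

```python
"""Added example: the three Conditional Access policies from this post as
Microsoft Graph conditionalAccessPolicy objects, a separation check, and a
simplified evaluator.  The group ID is a placeholder and the evaluator is a
model of the documented semantics, not Microsoft's engine."""
import json

# Well-known first-party application IDs for the two cloud apps the post targets.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"    # Office 365 Exchange Online
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online

# Placeholder (assumption): object ID of the group allowed to enroll mobile devices.
MOBILE_USERS_GROUP = "00000000-0000-0000-0000-000000000000"
MOBILE_PLATFORMS = ["android", "iOS"]

BLOCK = {"operator": "OR", "builtInControls": ["block"]}
COMPLIANT_AND_APPROVED = {"operator": "AND",
                          "builtInControls": ["compliantDevice", "approvedApplication"]}


def policy(name, apps, client_app_types, grant):
    """Build one Graph-shaped conditionalAccessPolicy scoped to the mobile users group."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [MOBILE_USERS_GROUP]},
            "applications": {"includeApplications": list(apps)},
            "platforms": {"includePlatforms": MOBILE_PLATFORMS},
            "clientAppTypes": list(client_app_types),
        },
        "grantControls": grant,
    }


def build_policies():
    """The three separate policies the post creates, in the same order."""
    return [
        policy("Mobile - modern auth: compliant device + approved app",
               [EXCHANGE_ONLINE, SHAREPOINT_ONLINE], ["mobileAppsAndDesktopClients"],
               COMPLIANT_AND_APPROVED),
        policy("Mobile - block Exchange ActiveSync",
               [EXCHANGE_ONLINE], ["exchangeActiveSync"], BLOCK),
        policy("Mobile - block other clients",
               [EXCHANGE_ONLINE, SHAREPOINT_ONLINE], ["other"], BLOCK),
    ]


def check_separation(policies):
    """Flag a policy that mixes client app types, or a type claimed by two policies."""
    owner, problems = {}, []
    for p in policies:
        types = p["conditions"]["clientAppTypes"]
        if len(types) != 1:
            problems.append(f"{p['displayName']}: mixes client app types {types}")
        for t in types:
            if t in owner:
                problems.append(f"{t} is in both {owner[t]!r} and {p['displayName']!r}")
            owner[t] = p["displayName"]
    return problems


def evaluate(policies, app, platform, client_type, compliant_device, approved_app):
    """Simplified CA decision: every matching policy applies; any block wins, otherwise
    each grant policy's controls must be satisfied.  No match means nothing restricts."""
    satisfied = {"compliantDevice": compliant_device, "approvedApplication": approved_app}
    for p in policies:
        c = p["conditions"]
        if (app not in c["applications"]["includeApplications"]
                or platform not in c["platforms"]["includePlatforms"]
                or client_type not in c["clientAppTypes"]):
            continue
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls:
            return "block"
        results = [satisfied.get(ctrl, False) for ctrl in controls]
        ok = all(results) if p["grantControls"]["operator"] == "AND" else any(results)
        if not ok:
            return "block"
    return "grant"


if __name__ == "__main__":
    pols = build_policies()
    print(json.dumps(pols, indent=2))
    print("separation problems:", check_separation(pols))
    print("Outlook on compliant iPhone:",
          evaluate(pols, EXCHANGE_ONLINE, "iOS", "mobileAppsAndDesktopClients", True, True))
```

Note that a browser sign-in from a phone matches none of the three policies, so it is governed by whatever other policies the tenant already has.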

Let’s move on to the Intune configuration. I am going to assume that you already have the basic configuration completed and can register your mobile devices as that would take up too much space. The first configuration policy needed is for the device restrictions.

iOS Device Configuration Policies
  • Create a Device Restrictions policy for Android Enterprise. Give it a name and assign it to the same users as before.
    • Work Profile Settings: Block copy and paste between work and personal profiles. Under Data Sharing Between Work and Personal Profiles, choose Apps in work profile can handle sharing requests from personal profile.
    • Device Password: these settings should coincide with your company’s configuration. My preference is to use a minimum 6 character password and 10 failed attempts before wiping devices.
  • Create a Device Restrictions policy for iOS devices. Give it a name and assign it to the same users as before.
    • Password: these settings should match the Android Enterprise one you just created. However, there are some extra settings so take a look.
    • App Store, Doc Viewing, Gaming: set Viewing corporate documents in unmanaged apps to Block.
    • Cloud and Storage: set Managed Apps Sync to Cloud to Block.
  • Create a Custom policy for iOS. Give it a name and assign it to the same users as before.
    • You will need to create an Intune Custom Profile Settings XML file to upload to this policy. See below on how to do this.

Refer to on how to create the Profile Settings XML. Here is a picture of mine – notice the highlighted line where you should enter the company name.

Custom Configuration XML

Make sure you have your compliance policies setup. I am not including this configuration as it is part of the basic setup. There are still a couple of items left. First is the App Protection Policy that you can find under Client Apps.

  • Create a policy for Android and name it. Target all app types and assign to the same users as before.
    • Target Apps: Check all the apps your company uses. If you are unsure then check the app – better to be safe than sorry.
    • Properties
      • Data Protection: Block Backup Org Data to Android Backup Services. Choose Policy Managed Apps for Send Org Data to other apps. Choose All Apps for Receive Data from other apps (unless you want to block this). Block Save Copies of Org Data. Choose Policy managed apps with paste in for Restrict Cut, Copy and Paste between apps. Disable Screen capture and Google Assistant. Require Encrypt Org Data and Encrypt Org Data on Enrolled Devices. Enable App Sync with Native Contact App. Set any other settings that you like.
      • Conditional Launch: Block access to Jailbroken Devices. Set the minimum OS version to 8.0 (or later if preferred). Change your offline grace period if you like.
  • Create a policy for iOS and name it. Target all app types and assign to the same users as before.
    • Target Apps: Check all the apps your company uses. If you are unsure then check the app – better to be safe than sorry.
    • Properties
      • Data Protection: Block Backup Org Data to iTunes and iCloud Backup. Choose Policy Managed Apps with OS sharing for Send Org Data to other apps. Choose All Apps for Receive Data from other apps (unless you want to block this). Block Save Copies of Org Data. Choose Policy managed apps with paste in for Restrict Cut, Copy and Paste between apps. Require Encrypt Org Data. Enable Sync App with Native Contacts App. Set any other settings that you like.
      • Conditional Launch: Block access to Jailbroken Devices. Set the minimum OS version to 12.0 (or later if preferred). Change your offline grace period if you like.

The last thing you will need is an Application Configuration Policy. Assign this to the same users as before and target the Outlook application. Make the following settings under Configuration. Spelling is key for these entries, so feel free to copy from this table (Note: a couple of lines wrapped here but they should not in your configuration):

Name                          Value
IntuneMAMUPN                  {{UserPrincipalName}}
IntuneMAMAllowedAccountsOnly  Enabled

Now, go ahead and enroll devices. Use the Microsoft apps so your users can access company data while you feel a little more confident that the same data is better secured.


Daylight Saving Time (DST) in 2019

It has been a couple of weeks since we sprung forward in time. On March 10, 2019, we “lost” one hour of sleep because at 2:00am on that day we moved our clocks forward 1 hour – it suddenly became 3:00am. This was the start of Daylight Saving Time (DST) for 2019.

Why do we have Daylight Saving Time? I have heard different reasons for this. The one story that stands out the most is that it was an attempt to “shift” time so that there would be less need for gas during the first World War. By shifting time towards daylight, there would be less need for artificial light. This first happened in Germany but it followed quickly in other countries. The US started using DST only a couple of years after Germany. The second story I heard is that Ben Franklin suggested it as a way to get more daylight for farming but there is no real history of the use of DST prior to the first World War.

Less than a year after it was introduced here in the US, it was repealed. Some cities continued to use it but the official US policy was that it was no longer in use. During World War II, DST was re-introduced for the same reason as before – to shift time so there would be less need for artificial light. But there was no established rules around the use of DST. This changed later under the Uniform Time Act of 1966. It established a framework for DST with a uniform, synchronized schedule across the US. It set the last Sunday of April as the start of DST and the last Sunday of October as the end. More recently, the US passed the Energy Policy Act of 2005. This moved the start time up three weeks and the end time back one week.

While I was not around for most of the history of DST, I was working in IT during this last change to DST from the Energy Policy Act. While this Act seemed simple, it added a lot of work to implement on systems. Any new system tended to just need a patch installed to make that change. But the older systems had to have code created to make the change. For instance, at that time I still had some NT 4.0 servers – we were trying hard to get rid of them but most IT people understand that it takes time to do so. Of course, Microsoft was no longer supporting that operating system by then. When we asked Microsoft, they offered to write the code change for us for a very large fee – it started at $40k but went down to $10k. Personally, I found this to be outrageous so I created my own change. It worked but still had to be installed manually on all the NT 4.0 servers.

So, why did I write about this history? The week after the start of DST this year (especially on Monday), I heard a lot of opinions asking why we are still changing time. The recommendation from a lot of people was to just stay with the DST time year round. One thing I found in common with most of the people that had this opinion was that they did not like losing that hour of sleep. However, this is not a good reason to change time.

Personally, I say do not make any changes to DST and here are my reasons. For starters, the same people that were complaining about losing that hour of sleep have already recovered and probably have forgotten their opinion. Secondly, I remember the work I had to do last time DST was changed and I really do not want to go through it again. However, my biggest reason is the domino effect from switching to DST time year round. It would start in the US and have to work its way around the world as the US only governs time for itself. Plus, places like Arizona would either need to change or remain aligned with another time zone.

It would be easiest to just leave time alone and deal with the short time of losing that one hour. Agree with me? Let me know. Think I am absolutely wrong? Go ahead and tell me why.


Why I became a Cisco Champion

Cisco is a great company – they have many wonderful products and services plus the company seems to treat its employees like family. It also knows that customers are what keeps it in business because without paying customers you do not have a revenue stream. Plus, Cisco realizes that customers sometimes know a thing or two about products and technologies. This is one of the reasons that the Cisco Champion program is so awesome. It is a way for Cisco to recognize individuals that do not work for Cisco but still share a passion for technical products and technologies.

A lot of Cisco Champions have written about why they decided to join the program. My story may be a little different. I feel that it started in 2015 at CiscoLive in San Diego. This was the first year I went to CiscoLive by myself. Because I had been on Twitter for about a year at that time, I was already familiar with the CiscoLive social media team. This led me to the tweetup on Sunday. Almost immediately, I met quite a few interesting people that I ended up hanging out with that week. The following year, I followed the same course of action in Las Vegas. But that year one of the Cisco staff thought I was in the Cisco Champion program for a brief second – this was the first I had ever heard of the program, so I looked into it. Of course, when I read that it was for technical evangelists (and I knew some of the people in the program were a lot more technical than I) I immediately assumed that I was not Champion material. Trying to compare myself to some Champions that are Cisco Press authors is kind of daunting.

At CiscoLive in 2017, one person in particular (Kim Austin @ciscokima) “harassed” me all week about being in the program. She learned some things about me through my time at CiscoLive. She knew I had a good understanding of the technology and that I enjoyed learning new concepts. Plus, that was the year I was asked to speak at the New to CiscoLive session hosted by Cisco for first timers. So, after I got back from CiscoLive and I saw the posts about joining the program, I decided to give it a shot. What was the worst thing that could happen? I would get rejected but I would still go on with my life.

Well, I did get in and let me tell you that I am so glad that I did. Over this past year, I have gotten some pre-briefings on future products, interacted with some of Cisco’s technical and managerial staff, and met some really wonderful people from across the globe (at least virtually). Cisco hosts some private chat rooms (through Cisco Webex Teams, of course) where we discuss interesting topics and get some technical insight from other smart people. Of course, it is not always technical stuff we discuss. Among other topics, I have discussed and seen pictures of kids, pets, and food – who knew that some of these incredibly technical people had many other talents? Plus, the snark is strong with many of them.

So, if you are even somewhat knowledgeable about technology, take a look at the program. A good post about the program can be found at Take a look at eligibility requirements – it does not state that you are an “expert at technology” but rather describes that you are a technical evangelist. Really, it is about wanting to inform others about what you know technically – wanting to teach. I got into writing this blog to help others. Sometimes my topics come from having to do too much research. I can put my experiences down here for others to review. That is being a Champion – wanting to better others when it comes to technology.

I am proud to call myself a Cisco Champion.

Posted in Cisco Champion, CiscoLive | Tagged | Comments Off on Why I became a Cisco Champion

Phishing Campaign

October is Cybersecurity Awareness Month, which is a time to educate people on good security practices. Unfortunately, the users that really need the training are usually the ones that ignore the training opportunities. How do you get these people to actually take cybersecurity seriously? You trick them.

Ok – I know that sounds bad and I am not suggesting being a bad guy. What I did was launch a phishing campaign against the entire office part of my organization. That is roughly 5000 people globally. I really did not know what to expect when I started the campaign. I was hoping for better results but, regardless of the outcome, it was a really interesting project. At my level of involvement, I was privy to a lot of details that I cannot divulge even to other people in my organization. However, I can help you understand why this is a really good tool to help with the training effort.

Let’s discuss data privacy, which can be a dreaded topic for international companies. Workers in the US should not expect data privacy, which means some things are easier for security staff to do. However, there are laws and regulations in other countries that take data privacy seriously – just look up the EU data privacy laws (especially GDPR) to get an understanding of what I am referring to. This is why you need to get Legal and HR buy-in before moving forward with phishing your users. I think the important concept that helped my efforts was making sure I was not collecting any IDs and passwords AND (this one may be more important) that names would not get divulged under any circumstances. It is OK that IT Security knows these details because that is part of the job – how can you collect information without knowing the details? The important part is that IT Security will only be divulging statistical details – the percentages of users doing something. Statistics should be divulged to everyone including senior management, but names should not be divulged to anyone under any circumstance.

Another important thing to mention is to inform the users that gave up their credentials but, more importantly, do not make them feel dumb about it. Yes, they just did a really stupid thing, but let them know why it was stupid. The message should not be “hey, you are stupid” but rather “oops, you fell for a phishing email – good news, it was fake this time.” Also, add details around the campaign, such as why it is being performed. Let the users know that there is a good reason for this and that it is to help them be better with cybersecurity awareness. This is a good time to point out any tools that you have to help identify bad emails.

When performing these types of campaigns, you should not be looking to trick your users. The actual bad players are getting better, but they do make mistakes. The emails I used were (to me) obvious fakes. For starters, there were some tools already implemented to help the users. First, I had previously implemented a simple tag that is prepended to the subject line of every email arriving from outside the company, so external emails are marked as external. So, when the users receive an email from the “CEO” and the subject says it is external, they may do a better job of realizing it is not really the CEO. I made sure all of my phishing emails included this tag. Some of the phishing emails purported to come from one of the executives, so having that tag should have been an obvious sign (or at least I thought). Second is to use different but similar domains, since this does happen in the wild. Finally, I made sure there were some spelling and grammar mistakes in the email body – nothing too crazy but a few here and there. Another tool I had already deployed was branding our Office 365 login – the company logo and a photo from inside one of my locations were added. One of my phishing emails claimed to be from IT asking users to change their Office 365 password, but I used the same screen that Microsoft uses as a default. I thought that not seeing the company logo would be a good sign that it was fake.
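The tells listed above (executive display name on a tagged external message, a lookalike sender domain, a few misspellings, an unbranded login page) can be checked mechanically, which is also a handy way to sanity-check your own campaign emails before they go out. The following is an added example, not code from the original post or from any phishing tool; the company domain, the external tag text, the executive names and the small misspelling list are all assumptions standing in for whatever your environment uses.

```python
import re

COMPANY_DOMAIN = "example.com"            # assumed: the organization's own mail domain
EXTERNAL_TAG = "[EXTERNAL]"               # assumed: prefix the mail gateway adds to outside mail
EXECUTIVES = {"jane doe", "john roe"}     # assumed: executive display names, lower-cased
COMMON_TYPOS = {"recieve", "untill", "seperate", "adress"}  # assumed: tiny misspelling list


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """A domain that is not ours but is within two edits of ours, or merely contains our name."""
    domain, company = domain.lower(), company.lower()
    if domain == company:
        return False
    name = company.split(".")[0]            # "example" from "example.com"
    return levenshtein(domain, company) <= 2 or name in domain


def phishing_signals(from_name, from_addr, subject, body, login_branded=None):
    """Return the red flags a trained user should notice in one message.

    login_branded is None when the mail carries no login link, True/False otherwise.
    """
    flags = []
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    external = sender_domain != COMPANY_DOMAIN
    tagged = subject.startswith(EXTERNAL_TAG)
    if from_name.lower() in EXECUTIVES and (external or tagged):
        flags.append("executive display name on mail from outside the company")
    if external and not tagged:
        flags.append("external mail missing the gateway tag")   # bypassed the gateway?
    if is_lookalike(sender_domain):
        flags.append(f"lookalike sender domain {sender_domain}")
    words = set(re.findall(r"[a-z]+", body.lower()))
    if words & COMMON_TYPOS:
        flags.append("spelling mistakes in body")
    if login_branded is False:
        flags.append("login page has no company branding")
    return flags


if __name__ == "__main__":
    # Constructed sample: the "CEO" mail from the campaign, a normal internal mail, a vendor mail.
    print(phishing_signals("Jane Doe", "ceo@examp1e.com", "[EXTERNAL] Urgent wire request",
                           "Please recieve this and act untill noon.", login_branded=False))
    print(phishing_signals("Bob", "bob@example.com", "Lunch", "See you at noon."))
    print(phishing_signals("Vendor Sales", "sales@vendor.net", "Quote", "Attached is the quote."))
```

The edit-distance check catches the one-character swaps (examp1e.com), while the substring check catches the longer variants (example-secure.com) that an edit distance of two would miss; neither is a substitute for the gateway tag, which is why the two signals are reported separately.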

One thing to note is that the IT staff that deals with end users will get very anxious during the campaign. Their usual reaction to a major incident like a global phishing campaign is to notify users to be aware of it. This is where management needs to walk the tightrope by not allowing them to send out that notification. In addition, they need to be given some information about what is happening but not all of it as they should be part of the test. Besides, the more people that know about the campaign means the more risk that information will get out sooner.

The final part of my campaign was to inform all of the users about what happened. At this point, the people that gave over their credentials knew about the campaign and I am willing to bet that they shared that information with some others. However, there were people that still did not know. Most important is to share the information that you can. This is when the statistical findings should be shared so everyone can understand what happened. This should be done in a forum where the most people will hear it. I was able to get the word out during my company’s quarterly employee forum and was able to include some details around the correct way to report bad emails. There were some interesting responses as to what happened, but most were positive.

So what can I share about my campaign? Roughly 15% of the users gave their credentials willingly and roughly the same amount reported the attempts to IT Security the way they were told to. There were a few users (roughly 2%) that reported it but not in a way that helps – if these were real phishes, IT would be forced to follow up with these users for further information. Of course, that means over 60% of the users were unaccounted for. I can only assume that these people either deleted the email without notifying anyone or may have just not read the email yet. Either way, it is a big number of people that did not do anything to help the situation. Unfortunately, these are probably the same people that tend to ignore cybersecurity training.
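Producing those percentages without ever putting a name in front of management is mostly a matter of how the campaign data is handled: each person ends up in exactly one bucket (the worst thing they did wins, so someone who submitted credentials and then reported the mail still counts as a submission), and the report that leaves IT Security carries counts only. The following is an added example of that bookkeeping, not code from the original post; the target list, the events and the salt are constructed, and the four outcome names are my own labels for the categories the post describes.

```python
import hashlib
from collections import Counter

# Outcomes in order of severity; the worst thing a person did is what counts for them.
OUTCOMES = ("submitted_credentials", "reported_correctly", "reported_other_way", "no_action")


def pseudonym(user_id: str, salt: str) -> str:
    """Salted hash so the working data set carries no readable names (salt is per campaign)."""
    return hashlib.sha256(f"{salt}:{user_id.strip().lower()}".encode()).hexdigest()[:16]


def resolve_outcomes(targets, events, salt):
    """Map every targeted person (pseudonymized) to their single worst outcome."""
    population = {pseudonym(u, salt): "no_action" for u in targets}
    for user, action in events:
        if action not in OUTCOMES:
            raise ValueError(f"unknown action {action!r}")
        key = pseudonym(user, salt)
        if key not in population:
            continue        # someone outside the target list (forwarded mail); not counted
        if OUTCOMES.index(action) < OUTCOMES.index(population[key]):
            population[key] = action
    return population


def summarize(targets, events, salt):
    """The only thing that leaves IT Security: a count and a percentage per outcome."""
    outcomes = resolve_outcomes(targets, events, salt)
    counts = Counter(outcomes.values())
    total = len(outcomes)
    return {
        o: {"count": counts.get(o, 0), "percent": round(100 * counts.get(o, 0) / total, 1)}
        for o in OUTCOMES
    }


def leaks_identity(report, targets) -> bool:
    """Guard before publishing: does any target identifier appear anywhere in the report?"""
    text = repr(report).lower()
    return any(t.lower() in text for t in targets)


# Constructed sample data (no real people): ten targets, six recorded events.
TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
EVENTS = [
    ("alice", "reported_correctly"),     # reported it ...
    ("alice", "submitted_credentials"),  # ... but had already typed in the password
    ("bob", "reported_correctly"),
    ("carol", "reported_other_way"),     # replied to the helpdesk instead of using the button
    ("Dave", "submitted_credentials"),   # case differences must not split one person in two
    ("erin", "reported_correctly"),
    ("mallory", "submitted_credentials"),  # not a target: a forwarded copy, ignored
]
SALT = "rotate-this-per-campaign"       # assumed secret, kept inside IT Security

if __name__ == "__main__":
    report = summarize(TARGETS, EVENTS, SALT)
    assert not leaks_identity(report, TARGETS)
    for outcome, stats in report.items():
        print(f"{outcome:22s} {stats['count']:3d}  {stats['percent']:5.1f}%")
```

Keeping the salt inside the security team means the pseudonymized working set cannot be joined back to the directory by anyone who only sees an export of it, which is the property the Works Council conversation tends to hinge on.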

Even with those numbers, I think the campaign was a success. Why am I claiming this? Because there has been a genuine uptick in phishing reports since the campaign ended. Unfortunately, there has been an uptick in false reports, too. Roughly 35% of the email reports since the campaign are legitimate emails including some internal ones. I guess a future follow up training may include how to spot fake emails (and that some emails are SPAM, not phishing). Regardless, it is an improvement and I think my users are genuinely questioning emails more. I would recommend performing a phishing campaign to any company.

Posted in Phishing | Tagged , , | Comments Off on Phishing Campaign

Umbrella Migration

Not too long ago, we switched to a new Internet security solution. Our previous solution was a Cisco product called Cisco Web Security, or CWS. This was a cloud proxy solution and it worked well. But, being a proxy, it had its shortcomings, with a big one being that it would rewrite all the web pages – of course, that is the nature of using a proxy-based solution. Secure sites (HTTPS) were even worse, since CWS could not secure them unless it was allowed to perform man-in-the-middle style decryption and rewriting of the web page. This was only an OK way of securing these sites, as it did not always work well.

I am pretty sure that Cisco recognized these shortcomings since they purchased a company to replace CWS. They bought OpenDNS, which had a unique approach to Internet security. One of the key components of the Internet is the Domain Name System, or DNS. DNS is why you can use a name (like and not have to know the IP address. Rather than looking at the content of the site, OpenDNS would categorize the domain itself. When you request an approved site you would get the address for the site AND you would go directly to the site – no rewriting of the web page. However, when you went to a site that was either blocked by policy or identified as malicious, you would not get the site’s address. Rather, you would get the address of an OpenDNS server that explains why you cannot get to the bad site. This was a really good product and Cisco made it even better by augmenting it with other solutions, including some of the CWS features. They even changed the name to Cisco Umbrella since it covers more features (umbrella, get it?).

If you have ever had the chance to migrate a company’s Internet security solution then you know it is not a fun project and has really bad outcomes when things go wrong. When someone cannot get to the company’s ERP system, they just open an incident – no real complaining since they cannot work. Alternatively, if someone cannot get to their news site or watch videos on YouTube, they can get really cranky. If it is because you messed up the Internet migration, watch out for the pitchforks. Well, this was not the case for me with Umbrella.

There were two main phases to the migration: network and client. The network migration took all of 1 hour – actually it took a lot less, but I had to wait for my testers and that always starts with some initial banter. All we had to do was repoint our DNS servers to forward recursive lookups to the OpenDNS resolver addresses. Seriously, that was it. Once that was done, all DNS lookups for Internet sites went through Umbrella. The second phase was the clients. When people are remote (and not on VPN) they are secured through the use of a module on the AnyConnect client. We used our SCCM system to upgrade the client, remove the CWS module, and add the Umbrella module. Of course, this took longer than the network migration, but it was facilitated by SCCM so we could monitor the progress.

There are some other features in Umbrella to apply policy based on user IDs (from Active Directory), but we did not deploy these. The main reason for this was EU data privacy regulations. If we did not know the user IDs that accessed websites, then we would not know which users were going to which websites. As a security person, I was not fond of the loss of data, but the EU Works Councils did not care about my feelings. As the person responsible for getting us to Umbrella, this actually made the migration quicker. To get Active Directory integration working we would have had to deploy appliances within the network to point computers to (instead of our existing DNS servers) and add an AD connector. This migration could be done by altering DHCP, but that means someone has to hit every DHCP scope. For a global company, that is a good amount of manual labor.

What did I learn about Umbrella during this migration? For starters, Cisco is still working to improve the product, which includes more integrations such as with their Cloudlock service (CASB). I am planning to research these other product integrations when I get some more personal bandwidth. Additionally, using our DNS servers made the migration really easy. One thing I would mention is that you want each DNS server to forward to the OpenDNS servers – do not point all the internal DNS servers to one specific internal DNS server and have it go outside. There really is no need to do this, and forwarding from each server allows the Internet breakout to be wherever it needs to be (as long as the Internet provider allows you to use any DNS server). Finally, unlike CWS, Umbrella is able to secure more than web surfing, since DNS is used for more than just browsing. For instance, malware can utilize DNS to communicate back to a control system – unless Umbrella is there to respond with a different address. In conclusion, Umbrella is a product that works great. Your users will not thank you for switching to it, but they will not grab the pitchforks either.
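The last point is worth seeing in data: malware that talks to its control system over DNS looks different from browsing in the resolver logs, because it has to encode its traffic into ever-changing subdomains of one domain it controls. The following is an added example of the kind of heuristic a DNS-layer product or a SIEM rule applies, not code from the original post or from Umbrella; the log format (client address and queried name per line) and the log lines themselves are constructed, and taking the last two labels as the registered domain is a simplification that ignores multi-label suffixes such as co.uk.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<client-ip> <queried-name>" per line (assumed format, not Umbrella's).
SAMPLE_LOG = """\
10.1.1.5 www.example.com
10.1.1.5 mail.example.com
10.1.1.5 cdn1.example.com
10.1.1.5 cdn2.example.com
10.1.1.5 cdn3.example.com
10.1.1.5 cdn4.example.com
10.1.1.9 3a9f1c7e2b4d.t.bad-example.net
10.1.1.9 8e0b5a2f9c1d.t.bad-example.net
10.1.1.9 b7e3f9a0c2d1.t.bad-example.net
10.1.1.9 4f8a2e6c9b0d.t.bad-example.net
10.1.1.9 d1c5a9e3b7f2.t.bad-example.net
10.1.1.9 0a3c6e9f1b4d.t.bad-example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive: the last two labels (assumption; wrong for suffixes like co.uk)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(log_text: str, min_unique: int = 5, min_entropy: float = 3.0) -> dict:
    """Flag (client, domain) pairs that use many distinct, high-entropy subdomains."""
    per_pair = defaultdict(lambda: {"subdomains": set(), "entropies": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        qname = qname.lower().rstrip(".")
        domain = registered_domain(qname)
        first_label = qname.split(".")[0]
        stats = per_pair[f"{client} {domain}"]
        stats["subdomains"].add(qname)
        stats["entropies"].append(shannon_entropy(first_label))

    flagged = {}
    for key, stats in per_pair.items():
        unique = len(stats["subdomains"])
        mean_entropy = sum(stats["entropies"]) / len(stats["entropies"])
        if unique >= min_unique and mean_entropy >= min_entropy:
            flagged[key] = {"unique_subdomains": unique, "mean_entropy": round(mean_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for key, stats in analyze(SAMPLE_LOG).items():
        print(f"suspicious DNS use: {key} {stats}")
```

The legitimate client also hits six different subdomains of one domain, but their labels are words and short counters with low entropy, so it is not flagged; both conditions have to hold before anything is reported, which keeps content-delivery hostnames from drowning the alert.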

Posted in Cisco, Umbrella | Tagged , , , | Comments Off on Umbrella Migration

Are passwords enough?

The traditional method of securing data for many years has been through a user ID and password. Over the years, the recommendations around passwords have changed. Password length has always been important: adding a single character (changing from 6 to 7 characters, for instance) multiplies the number of possible passwords by the size of the character set, so brute force cracking time grows exponentially with length. Using more than the simple 26 letters of the alphabet enlarges that set, so it is best to mix upper and lower case letters, digits and special characters to make cracking take even longer.

It is now 2018 and brute force password cracking is not what any bad guy really wants to do anymore. While it is still a threat, is it as much of a concern as before? A lot of malicious parties have changed their methods. For instance, it is easier to send a specially crafted email that looks like it comes from someone you know and contains a link to a document. The receiving party clicks on the link and sees what looks like the Office 365 login page – the person enters his/her credentials to see the document, and now the attacker does not need to brute force anything.

So what can the IT Security team do if the end users are just going to give up credentials? For starters, make changes to login screens. By using branding, your users can see when they are at their Office 365 login. If there is no branding then the users should question the login. Users are both gullible and smart at the same time. Give them the tools to make better decisions. But is that enough?

The ID and password combination is no longer enough. Multi-factor authentication (MFA) adds another factor to the login process: after users enter their ID and password, they get a notification on their mobile phone to approve the login. MFA is not new and it has been getting better but, as the saying goes, nothing is fool-proof to a sufficiently talented fool. If users get an authentication request on their phone when they did not enter credentials, it could mean that someone else is attempting to log in as them. But remember when I said users can be gullible? Too many MFA requests can wear users down until they approve a request they did not initiate, which is exactly what an attacker who already holds the password is counting on.

User and entity behavior analytics (UEBA) is the next method to safeguard company assets. By analyzing what end users normally do, including how they usually log in, IT Security gets notified when something out of the ordinary occurs, and the number of events the team has to analyze goes down. When a user logs in from New York and ten minutes later attempts a login from Russia, there is a very good chance that someone else has the user’s password, as this is an impossible travel situation. It is not always an attack: a VPN connection can make it look like impossible travel, but IT Security should be able to recognize the VPN’s egress addresses and treat them differently.
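The impossible travel rule is simple enough to write down completely: take each user’s logins in time order, compute the distance between consecutive ones and the speed that would have been needed, and raise an alert when that speed is beyond anything an airliner manages, while skipping pairs where either side came through a known VPN egress address. The following is an added example of that rule, not code from the original post or from any UEBA product; the login events are constructed (documentation IP ranges, no real people), the geolocation of each address is assumed to have been done already, and the VPN egress set and speed threshold are placeholders.

```python
import math
from collections import defaultdict
from datetime import datetime

VPN_EGRESS = {"203.0.113.10"}     # assumed: corporate VPN egress addresses (TEST-NET-3 placeholder)
MAX_SPEED_KMH = 1000.0            # assumed threshold: faster than any commercial flight

# Constructed, already geolocated login events: (user, ISO time, source IP, latitude, longitude)
LOGINS = [
    ("alice", "2018-11-05T09:00:00", "198.51.100.7", 40.71, -74.01),   # New York
    ("alice", "2018-11-05T09:10:00", "192.0.2.44", 55.75, 37.62),      # Moscow, ten minutes later
    ("bob", "2018-11-05T09:00:00", "198.51.100.9", 40.71, -74.01),     # New York
    ("bob", "2018-11-05T09:10:00", "203.0.113.10", 51.51, -0.13),      # London, but via VPN egress
    ("carol", "2018-11-05T08:00:00", "198.51.100.21", 41.88, -87.63),  # Chicago
    ("carol", "2018-11-05T11:00:00", "198.51.100.22", 39.74, -104.99), # Denver, three hours later
]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on the Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, vpn_egress=VPN_EGRESS, max_speed=MAX_SPEED_KMH):
    """Return (user, km, hours, km/h) for consecutive logins that would need impossible speed."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[0]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])
        for prev, cur in zip(evs, evs[1:]):
            if prev[2] in vpn_egress or cur[2] in vpn_egress:
                continue    # VPN egress geolocates to the concentrator, not the person
            hours = (datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])).total_seconds() / 3600
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            if km == 0:
                continue    # same place; a zero interval here is just a double login
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed:
                alerts.append((user, round(km), round(hours, 2), round(speed)))
    return alerts


if __name__ == "__main__":
    for user, km, hours, speed in impossible_travel(LOGINS):
        print(f"impossible travel: {user} moved {km} km in {hours} h ({speed} km/h)")
```

In production the exclusion list would also cover cloud proxies and mobile carrier gateways, which geolocate just as badly as a VPN concentrator; the structure of the rule stays the same.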

UEBA is something that I am starting to look into for my company. As I research the different products, I will post some more on the topic. Till then, keep safe and remind users to stay diligent.

Posted in Passwords | Tagged , , | Comments Off on Are passwords enough?