
How to Successfully Secure Your Mobile Workforce

Maintaining Security for a Mobile World Part 2:

Securing a mobile workforce is now a top priority for every business, because mobile device threats can lead to data loss, security breaches and regulatory compliance violations. You can take a number of steps to keep your data assets secure and reduce the risks posed by mobility while meeting the legal, privacy and security requirements that come with mobile devices. Robust policy creation, communication about the consequences of poor mobile security practices, risk assessment, enterprise mobility technology and continuous monitoring together address the security challenges of supporting diverse mobile devices. In this article we explain how your business can manage its data in today’s mobile environment and apply rigorous security standards to minimize risk without sacrificing agility and productivity.

Help Employees Secure Mobile Data

There should be proper documentation, security protocols and best practices in place so that your employees keep mobile data protected at all times. Every company should have a complete policy covering the use of mobile devices for work, and it should be updated and shared with staff regularly. Employees need to be educated about the need for strong passwords and multilevel access control. Every employee smartphone or tablet should be protected with a PIN or passcode. Do not allow apps to save passwords, store sensitive information or use automatic logins. Wherever possible add a further layer to app access, such as two-factor authentication; where that is not available, compensate with stronger protection of the documents themselves. Any device that connects to or holds company data must use full-disk encryption; on modern iOS and Android devices the encryption key is unlocked by the passcode, so a weak passcode weakens the encryption. Configure all mobile devices to lock automatically after a few minutes of inactivity. Users should install apps only from an authorized app store, and updates should be installed as soon as they are available because they often contain security patches.

Protect the Mobile Enterprise

Every employee-owned device introduced to the organization widens the attack surface around confidential information, so direct steps have to be taken to secure the mobile enterprise. Choosing the right tools for the job is of utmost importance, and here are some of the major technologies available for implementing BYOD (bring your own device) securely.

  • Enterprise Mobile Device Management (MDM) Systems

Mobile Device Management (MDM) lets you take control of company data in a BYOD environment. It makes it possible to push updates and configuration remotely, to enforce policies such as passcode and encryption requirements, and to wipe a device that has been lost or stolen (a selective wipe can remove only the corporate data on an employee-owned device). MDM software automates policy enforcement for mobile devices whether they are inside or outside the corporate firewall, and it also supports remote data backup so data can be recovered when a device is lost or stolen.

  • Endpoint Mobile Security Solutions

Malware that spreads on mobile devices is a real threat to your sensitive company data. Employees can be taught not to download suspicious software, apps or documents or to click on malicious links, but it is still critical to deploy mobile security suites (antivirus, anti-spyware and anti-malware) across all mobile devices. Intrusion detection and prevention, vulnerability scanning, application blocking and data loss prevention products are also available for fleets of mobile devices. Enable automatic updates so that the security software and its signatures stay current on every device and defend against the latest threats.

  • Network Access Control

NAC tools can inspect a mobile device as it connects to the network, check that it has the latest security patches and quarantine it for remediation before it is allowed onto the network. Organizations also need to track outdated devices that may still hold or have access to company data. NAC is important in onboarding and offboarding devices from wired and wireless corporate networks. Before a device is donated, sold or discarded it should be wiped and removed from the MDM and NAC inventories.

  • Endpoint Virtualization

Endpoint virtualization separates personal and work computing on the same device by placing each in its own virtual machine (or, on phones and tablets, a managed work profile or container), and a single console can deploy and manage these solutions across the fleet.

  • Enterprise-level Mobile Content Management (MCM)

MCM and collaboration solutions help IT staff secure and manage mobile access to an organization’s files and data. An on-premises file synchronization solution can let users share and access company information on the road while keeping the administrative control and security needed to protect data assets. File transfer mechanisms should follow defined security protocols so that data moving into and out of the organization is encrypted in transit and logged. Mobile- and web-based transfer tools give IT departments oversight of data without slowing down the people who need it.

  • Remote Security Services

Many organizations hire remote security or managed security services to support the mobile workforce and secure mobile data access. Remote monitoring services can watch mobile data traffic passing through the cloud for suspicious activity or indicators that a handheld device has been compromised or stolen, so that intruders can be shut out before they do real harm.

  • Cloud Technology

The distribution of data across many mobile devices, and the perceived lack of control over it, can be addressed directly with cloud technology. Cloud computing lets an enterprise store disparate data in a centralized service while keeping tight security control. Users can use any mobile device to access and process data held by cloud services, so the data itself need not live on the device. A cloud security gateway (cloud access security broker) can enforce corporate policy on cloud applications and the data they hold. Check out scalable or private cloud hosting plans from Lunarpages.

Mind Your Future

Supporting a mobile workforce can be a real challenge, especially with malware, attacks on cloud services and phishing on the rise, but the flexibility and productivity benefits of a mobile workforce far outweigh the security risks when those risks are managed. Follow these best practices to keep your mobile workforce free, flexible and secure. Mobile engagement is necessary for the future success of organizations, as is taking steps to protect and manage data for users across heterogeneous devices.


5 Major Security Threats of a Mobile Workforce

Maintaining Security for a Mobile World Part 1:

Today’s tech-savvy generation lives a highly connected life, which exposes it to security threats, and has brought new ways of working, with mobile devices and email now an integral part of everyday work. Mobile computing and the ability to reach email and business documents anytime, anywhere is now essential for every business. This 24/7 BYOD (Bring Your Own Device) trend is not going to reverse, because it increases employee productivity and gives businesses a competitive edge. According to a report published by IDC, the U.S. mobile workforce will surpass 105 million by 2020, about 72.3% of the U.S. workforce. Citrix research likewise found that companies urgently need to plan for the growing mobile workforce: the average employee uses three or more mobile devices for work and nearly 61% of employees spend some time working outside the office. With employees, vendors and partners sharing files and collaborating across many mobile devices, ensuring the security and confidentiality of company data has become a serious challenge.

This diversity of working styles, together with the proliferation of mobile devices and cloud services, makes secure backup, quick recovery, data sharing and effective breach response harder. Security analysts have predicted that by 2018 nearly 25% of corporate data will bypass perimeter security entirely and move directly from mobile devices to the cloud. The reputational damage from a data breach can be massive, especially if the public sees it as preventable; companies find it hard to repair their reputation, recover sales or attract new customers. In this article we help you identify the areas of security risk associated with diverse mobile devices.

Security Risks Of Mobility

According to Gartner, the focus of endpoint breaches will shift to tablets and smartphones by 2017, and the ratio of attacks on mobile devices to attacks on desktops is already 3 to 1. The major security threats and attack vectors for mobile devices fall into five broad areas.

  1. Physical access

The portability and size of mobile devices make them ideal to carry around, and just as easy to steal or leave behind in airports, cafes or taxis. Theft or loss of smartphones is the biggest security risk for any business. Physical possession of a device lets a criminal bypass the cleverest network intrusion-detection system, and if the device has no passcode, or a weak one, the data on it is effectively unprotected even when it is nominally encrypted, because the encryption key is unlocked by the passcode. Forensic data-retrieval tools can recover data from devices that were not encrypted even after files have been deleted or a factory reset has been performed, which is why encryption must be enabled before a device is ever lost. Password protection limits the damage and cost of a lost phone, so all staff should have a strong passcode on their mobile device, plus separate authentication for important applications. Companies should also use remote management software to wipe files or permanently disable a phone in case of loss or theft.

  2. Malware

Mobile malware Trojans are designed to harvest passwords and steal sensitive data and financial information, exfiltrating it over the mobile network or any connected Wi-Fi network. They spread through malicious links in SMS messages and through applications, from which they can reach other devices. Mobile malware is generally socially engineered: the user is tricked into clicking a malicious link delivered by email, on social networking sites or in rogue applications. Malicious mobile ads (‘malvertising’) and drive-by downloads are increasingly used to spread infections. There has also been a rise in browser-based attacks, in mobile devices being conscripted into distributed denial-of-service attacks, and in memory-corruption exploits such as buffer overflows being used to take control of a device and reach its data.

  3. Infected Apps

Employees often download and use apps to help with business tasks, but many of those apps do not meet even minimum security requirements. Developers tend to focus on functionality rather than application security, so cybercriminals find insecure apps an easy vector for breaching mobile devices and reaching enterprise assets. Gartner has predicted that through 2017 nearly 75% of mobile security breaches will be the result of mobile application misconfigurations rather than technically sophisticated attacks.

  4. Interception On Unsecured Networks

Smartphones are susceptible to Wi-Fi hacking and man-in-the-middle (MITM) attacks. Attackers can easily set up rogue Wi-Fi networks with familiar-looking names to lure people into connecting, and then intercept, redirect and, where a connection is not protected by TLS or the app does not validate certificates properly, read the traffic. Weaknesses in Wi-Fi hotspot services are regularly used to hijack users’ sessions for online services, including web-based email. Employees logging in to enterprise systems from these networks may hand attackers access to corporate systems and databases. Staff should treat public Wi-Fi with caution and use a VPN for any corporate access over it; enterprises can also provide unlimited cellular data plans so that staff never need to use open access points.

  5. Insider Security Threats

Company data is also at risk from employees and other malicious insiders. They can use mobile devices to misuse or misappropriate data by copying sensitive corporate information to the device’s flash memory card, by emailing data to external accounts, or by otherwise evading data loss prevention (DLP) controls. Anyone with criminal intent can also use personal cloud services through mobile applications to move enterprise data out, producing leaks the enterprise may be entirely unaware of.

Meeting the Mobility Challenge

Managing this increased risk from different security threat vectors, while empowering employees and respecting their privacy can be a daunting challenge. In the next blog article, we will share with you simple measures your organization can take to successfully secure your mobile workforce, protect your enterprise network and corporate data.


Protect Your Systems Against the Real Threat of Ransomware

The threat of ransomware is real. Businesses and enterprises across many industries face daily challenges from external threats such as computer viruses and emerging malware and spyware, any of which can wreak havoc on their IT systems.

No One Is Safe

Are you aware of the multi-million-dollar extortion malware vexing everyone from hospitals and banks to police departments and even Congress?

It is ransomware, a class of malware developed to lock the system, encrypt sensitive data on its drives, or prevent the computer from booting at all. The attackers have one goal in mind: to extract money from their victims. Victims are locked out of their files and other sensitive business data, which cannot be recovered without the decryption key. The ransom usually has to be paid through payment methods such as Bitcoin or Ukash vouchers that are hard to trace back to the culprits. Moreover, a ransomware infection can amount to a full-scale data breach, with the regulatory fines and loss of consumer trust that follow.

Evolution of Ransomware

Yesterday’s annoying viruses have evolved into destructive malware designed to extort money from its victims.

Though ransomware first circulated on a widespread scale in Russia between 2005 and 2006, it has made regular headlines since 2013 with the arrival of CryptoLocker and its many variants and successors such as CryptoWall and TorrentLocker. This type of ransomware encrypts files on the infected machine and identifies the victim’s country from its IP address so that the extortion message explaining how to buy the decryption key can be delivered in the local language.
With technological advances and the rise of ‘Ransomware as a Service’, attackers have progressed from targeting home users to much more sophisticated attacks on SMBs and enterprise networks. They have built robust command-and-control infrastructures using domain generation algorithms (DGAs) and assets spread across top-level domains, generic top-level domains and country-code top-level domains. According to a recent report by Intel Security, the ransomware industry has grown by over 3,000% since 2012, with new threats discovered every year.

Some of the newer ransomware families holding businesses to ransom over their data, such as Petya, Dogspectus, Ransom.Win32.Xpan and Princess Locker, are effective across multiple infection vectors and have selective-encryption and target-awareness capabilities.

Before learning how to protect your business from these dangers, you must first understand how ransomware gets onto computers and the modes of infection. Then become familiar with the steps your company must take to prevent, detect and respond to ransomware attacks.

How Can Ransomware Get on My Computer?

Ransomware attackers use a number of techniques to infect users, from spear-phishing campaigns and email lures to exploit kits such as Angler.
Users can accidentally infect their own computers with ransomware through one of many seemingly innocuous actions, such as opening an infected email attachment, clicking a malicious link or malvertisement, or simply visiting a compromised site.

Attackers find it much easier to gain entry through existing browser or OS vulnerabilities, caused by irregular updates, or through weaknesses left behind by previous malware infections.
Malware can also spread through infected removable drives, including USB sticks and portable hard drives, and through application downloads bundled with infected software such as browser toolbars, instant messenger apps, third-party .exe files or software key generators.

Defensive Strategies to Protect Against Ransomware

No company should be without a strategy to prevent, detect and respond to ransomware attacks, because they can make your data inaccessible and bring your business to a jarring halt. There is no magic bullet that keeps an organization’s data safe from ransomware, but there are steps every business should take to drastically reduce its chances of infection.

  • Educate end users about ransomware: The first line of defense against ransomware is user awareness and education. You can block a considerable amount of malware by training employees through security awareness programs. Employees can be taught to recognize the dangers of opening attachments from unknown senders or clicking on suspicious links.
  • Learn about social engineering: Understanding how resourceful attackers use social engineering and clickbait to spread infections helps end users avoid those pitfalls. Periodic training sessions with interactive discussion help employees stay alert to the threats they may encounter online.
  • Authenticate incoming mail and enable filtering on your mail servers: All inbound email should be scanned for known threats and suspicious attachments blocked. Most mail servers can flag incoming mail that fails checks such as reverse DNS lookup and SPF, DKIM and DMARC validation, and so filter potentially dangerous messages. Mail servers can also be configured to reject any executable attachment (EXE, COM, SCR and the like), including executables hidden inside archives or behind double extensions such as invoice.pdf.exe. These preventative measures go a long way towards stopping ransomware delivered by email.
  • Protect your systems with mitigation strategies: SMBs can protect against ransomware with controls such as application whitelisting, proper patch management for applications and operating systems (OSes), and minimized administrative privileges. Knowledgeable administrators can use whitelisting to allow only approved, legitimate applications to run on a machine, which prevents any other executable, malware included, from being installed or run.
  • Desktop security: With such high stakes, businesses should not skimp on deploying a proper commercial desktop security suite, and they should layer that with managed endpoint protection.
  • Patch management: Because no security product is infallible, companies should adopt aggressive patch management for all software so that attackers have fewer vulnerabilities to exploit and endpoint protection has less to catch. As noted above, malware developers exploit vulnerabilities in the OS, applications and web browsers, so it is important to close security holes once they are discovered by regularly patching software and installing critical updates as soon as they become available.
  • Limit system permissions: Ransomware usually runs its execution chain from a temporary folder, so restricting program execution from temp folders (for example with Software Restriction Policies or AppLocker path rules on Windows) stops many infections before they spread. Network administrators should also limit users’ permissions so that software cannot be installed without an administrator’s password. The spread of an infection can also be limited by segmenting networks and by restricting share and access rights to critical data, keeping it on separate, redundant servers that ordinary users cannot write to.
  • Be prepared with a comprehensive data backup strategy: It is vital to establish a robust backup regime in preparation for a ransomware attack. Comprehensive, regularly tested backups of all critical business data can ensure business continuity after a successful attack by restoring workstation and server applications and data to their pre-infection state. Keep at least one copy offline or otherwise out of reach of the infected machines, since ransomware routinely encrypts any backup it can write to.
  • Get to the Cloud: Ransomware works by disrupting your business. Moving to the cloud can support business continuity, because cloud providers bundle multiple security controls such as malware scanning, stronger authentication and data loss prevention into the service, and offer add-ons such as traffic scanning and site reputation checks. Be aware, though, that a file-synchronization client will happily upload encrypted files over your good copies, so choose a service with file versioning or point-in-time recovery; with that in place, an infected local machine is a nuisance rather than a catastrophe.
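The attachment rules in the mail-filtering point above can be automated at the gateway. The following Python script is an example added to this article; it is not code from the original post or from any product named here. It parses a message, inspects every attachment by extension, by file header (Windows executables begin with "MZ") and inside zip archives, and reports why each one should be rejected. The message it scans is constructed inside the script, and the blocked-extension list and the example.com addresses are assumptions for the demonstration.

```python
import email
import email.policy
import io
import os
import re
import zipfile
from email.message import EmailMessage

# Extensions that should never arrive as an attachment (list constructed for this example).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
                      ".jse", ".wsf", ".hta", ".ps1", ".msi"}
# Macro-enabled Office formats are a common ransomware dropper; flag them for review.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# "invoice.pdf.exe": a harmless-looking name followed by a second, real extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{2,4}$")


def check_attachment(name, data):
    """Return the reasons an attachment is suspicious (empty list means nothing was found)."""
    reasons = []
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office document")
    if DOUBLE_EXT.search(lower):
        reasons.append("double extension")
    # Check the content, not just the name: Windows PE executables start with "MZ".
    if data[:2] == b"MZ":
        reasons.append("Windows PE header")
    # Look inside zip archives, the usual wrapper for smuggling executables past filters.
    if ext == ".zip" or data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        reasons.append(f"encrypted archive member {info.filename} (cannot be scanned)")
                    if os.path.splitext(info.filename.lower())[1] in BLOCKED_EXTENSIONS:
                        reasons.append(f"archive contains executable {info.filename}")
        except zipfile.BadZipFile:
            reasons.append("malformed zip archive")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message; return {attachment name: reasons} for anything suspicious."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reasons = check_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed test message: a disguised executable, a zip-wrapped one and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("setup.scr", b"MZ\x90\x00")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4\n%harmless\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"REJECT {name}: {'; '.join(reasons)}")
```

Run as a script it prints one REJECT line for the disguised executable and one for the zip, and nothing for the PDF. Checking the header as well as the name matters because a renamed executable slips past an extension-only rule; the encrypted-archive check exists because an attachment the gateway cannot open should be treated as untrusted rather than waved through.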

As you can see, ransomware is a very real threat. If you do not want your business to fall victim to it, follow the best practices outlined here to prepare for, and protect against, well-prepared adversaries.

Protect Your Server Environment From Potential Threats

Web security and downtime are critical issues for any business that operates online. Web servers are frequent targets for attackers because of the sensitive data they host. Attackers can exploit a neglected user account or an overlooked open port to slip past your server defenses, and common administrator mistakes such as badly configured virtual directories or a forgotten share can also lead to unauthorized access. The major threats to a web server include denial of service, unauthorized access, profiling (reconnaissance), arbitrary code execution, elevation of privileges, and viruses, worms and Trojans. So how can your business defend against these threats while continuing to function normally? What must you do to ensure the security of your website, web applications, network and web server? After all, a securely and correctly configured web server provides a protected foundation for hosting your web applications.

Checklist For Securing Your Web Server
You may be doing most of the system administration tasks needed to keep the server running while unknowingly skipping some essential best practices. The real challenge of securing a web server is applying the right configuration settings in keeping with your security goals. Below are guidelines that are a good starting point for making your server configuration more secure without getting in the way of day-to-day operations.

1. Stay On Top Of Updates

Outdated systems and applications are one of the most persistent threats in a server environment. Many breaches come through security holes in old versions of web applications such as forums and blogs. Maintain a routine upgrade schedule for all tools and applications your business uses, on both the server side and the client side, and pay close attention to security advisories so that every known flaw is patched. In the rare case where no patch is available for a known vulnerability, disable the affected service until one is released.

2. Perform Regular Audits

Examine the network services running on your server and review alerts from your intrusion detection system to confirm that everything is as expected: the server configuration in place, the active services, the security protocols and the applications running on the server. Audit and monitor website access logs, operating system logs and database server logs for abnormal entries or strange activity to detect a successful attack, or an attempt at one. Logs should ideally be shipped to a separate, write-protected location so that an attacker who compromises the web server cannot tamper with them.
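A first pass over access logs can be scripted. The Python below is an example added to this article, not code from the original post or from any scanner or IDS product: it parses Apache-style combined log lines, URL-decodes each request path, matches it against a few attack signatures (SQL injection, path traversal, cross-site scripting) and flags any client that racks up many 403/404 responses, the usual footprint of a vulnerability scanner. The log lines are constructed for the example using RFC 5737 documentation addresses, and the signature list and the error threshold are assumptions to be tuned for a real site.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined"-style access log line (referrer and user agent are optional here).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures of common web attacks, matched against the URL-decoded request path.
ATTACK_PATTERNS = {
    "sql injection": re.compile(r"(union\s+select|or\s+1\s*=\s*1|information_schema|sleep\()", re.I),
    "path traversal": re.compile(r"(\.\./|/etc/passwd|boot\.ini)", re.I),
    "cross-site scripting": re.compile(r"(<script|javascript:|onerror\s*=)", re.I),
}


def audit_log(lines, error_threshold=5):
    """Flag attack signatures per request and IPs with many 403/404s (typical of scanners)."""
    attacks = []
    errors = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these too, they can hide injection
        ip, status = m["ip"], int(m["status"])
        path = unquote(m["path"])  # decode %xx so that encoded payloads are not missed
        for label, pattern in ATTACK_PATTERNS.items():
            if pattern.search(path):
                attacks.append((ip, label, path))
        if status in (403, 404):
            errors[ip] += 1
    scanners = {ip: n for ip, n in errors.items() if n >= error_threshold}
    return {"attacks": attacks, "scanners": scanners}


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 512
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /../../etc/passwd HTTP/1.1" 404 209
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.23 - - [10/Oct/2023:13:56:04 +0000] "GET /admin/ HTTP/1.1" 404 209
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /.env HTTP/1.1" 404 209
198.51.100.23 - - [10/Oct/2023:13:56:06 +0000] "GET /backup.zip HTTP/1.1" 404 209
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
192.0.2.44 - - [10/Oct/2023:13:58:00 +0000] "GET /about.html HTTP/1.1" 200 4400
"""

if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG.splitlines())
    for ip, label, path in report["attacks"]:
        print(f"ATTACK  {ip:15} {label}: {path}")
    for ip, n in report["scanners"].items():
        print(f"SCANNER {ip:15} {n} error responses")
```

Note the 500 response that follows the injection attempt: a signature hit paired with a server error is worth treating as a possible success rather than a mere probe. The decoding step is what makes the XSS line match; the raw `%3Cscript%3E` would not.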

3. Proper Firewall Configuration And Intrusion Detection

All business networks need comprehensive protection in the form of firewalls, authentication and intrusion monitoring. Restricting traffic to and from your server with a firewall is an effective way of limiting the access others have to it, and a firewall together with properly applied security protocols is a primary requirement for a secure server environment. Since most workplaces have remote workers or employees working from home, a VPN makes it possible to give them secure access to corporate resources and business data while keeping their devices under management.

4. Eliminate Unnecessary Services

Default operating system configurations are not secure, because many pre-installed modules and network services come enabled, such as remote registry, Internet Information Services, print services and more. The more unnecessary services you run, the more ports you leave open to abuse from outside. Use the startup configuration to stop all unnecessary services from starting at boot. This shrinks your attack surface and also improves server performance by freeing hardware resources.

5. Disable Unused User Accounts

User accounts are often created during software installation on the operating system. Any unused default accounts should be reviewed and their permissions changed as required. To find out whether an account is still in use, look for files owned by that user and check their last-modified dates, and check the account’s last login, before removing it from the system. If you do not want to delete an account, disable shell access for it. Every administrator with access to the web server should have his or her own account with the correct privileges, so that actions can be attributed to a person.

6. Protect Databases

Failure to protect your database (for example Microsoft SQL Server, MySQL or Oracle) can lead to the loss of private, sensitive information such as usernames and email addresses, and it lets an attacker add entries that plant spam or malware links on your site. Bind the database to the internal interface only, give the web application a low-privilege database account, and consider how the database is accessed for routine maintenance as well.

7. Restrict Remote Access

Where absolutely necessary, remote access to web servers can be allowed, but it must be secured properly with tunneling and encryption protocols such as SSH or a VPN. To keep the web server secure, restrict remote access to a small set of source IP addresses and to specific accounts only, and prefer key-based authentication over passwords.
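For SSH the restrictions above map onto a handful of sshd_config directives, and it is easy to check a configuration file for them. The script below is an example added to this article, not from the original post or from OpenSSH itself: it reads the global section of an sshd_config, applies the "first occurrence wins" rule that sshd uses, falls back to the OpenSSH 7+ defaults for anything not set, and lists what is wrong. The weak and hardened configurations it checks are constructed for the example, and the account names and the 203.0.113.0/24 and 198.51.100.10 source addresses are placeholders.

```python
import re

# Global-section directives we insist on, and the value each must have.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}
# OpenSSH defaults (7.0 and later) used when a directive is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "maxauthtries": "6"}


def parse_sshd_config(text):
    """Return {directive: [values in file order]} for the global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break   # everything after the first Match block is conditional; not audited here
        settings.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """List the ways a configuration falls short of key-only, allow-listed access."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = cfg.get(key, [DEFAULTS[key]])[0].lower()   # sshd uses the first occurrence
        if actual != wanted:
            origin = "set to" if key in cfg else "defaults to"
            findings.append(f"{key} {origin} '{actual}', should be '{wanted}'")
    if not cfg.get("allowusers") and not cfg.get("allowgroups"):
        findings.append("no AllowUsers/AllowGroups: every account on the host may log in")
    for entry in " ".join(cfg.get("allowusers", [])).split():
        # user@host ties an account to a source address; a bare name allows any source
        if "@" not in entry:
            findings.append(f"AllowUsers {entry}: not restricted to a source address "
                            "(use user@host or a firewall rule)")
    tries = int(cfg.get("maxauthtries", [DEFAULTS["maxauthtries"]])[0])
    if tries > 3:
        findings.append(f"maxauthtries is {tries}, lower it to slow down password guessing")
    return findings


# Constructed: a near-default configuration that permits remote root with a password.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: keys only, named accounts only, and only from the office range and a jump host.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy@203.0.113.* admin@198.51.100.10
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or 'no findings'}")
```

The AllowUsers line is the belt; a firewall rule limiting port 22 to the same addresses is the braces, and the audit flags any user entry that relies on the firewall alone. Run `sshd -t` after editing the real file before restarting the service, since a syntax error there locks you out.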

8. Setup Permissions And Privileges

Anyone with malicious intent can compromise your web server through poor file and network service permissions, for example by getting the server to execute a harmful file. The rule of thumb is to always assign the least privileges a network service needs to run, web server software included. Likewise allocate the absolute minimum privileges to the anonymous web user for access to the website, web application files and back-end data; in particular, directories the web server can write to (uploads, caches) should never also hold files it can execute.
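A permissions review of a web root is mechanical enough to script. The Python below is an example added to this article, not code from the original post or from any hosting control panel: it walks a directory tree and reports world-writable entries (excluding sticky-bit directories such as /tmp), setuid or setgid files, and files that are both writable by group or others and executable, then applies the minimum chmod to fix each finding and re-scans. The web root it inspects, with its deliberately bad modes, is built in a temporary directory by the script itself; the file names and the classification of what counts as "risky" are assumptions for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def find_risky_paths(root):
    """Walk a web root and report permissions that hand an attacker more than they need."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue   # symlink modes are meaningless; audit the target separately
            rel = os.path.relpath(full, root)
            # World-writable: any local user, or a compromised service, can plant files here.
            # Sticky-bit directories (like /tmp) are a deliberate, safe exception.
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                findings.append((rel, "world-writable"))
            # setuid/setgid files run with someone else's privileges; none belong in a web root.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
            # Writable by others *and* executable: an upload that can be turned straight into code.
            writable_by_others = mode & (stat.S_IWGRP | stat.S_IWOTH)
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if stat.S_ISREG(mode) and writable_by_others and executable:
                findings.append((rel, "writable and executable"))
    return findings


def harden(root, findings):
    """Apply the smallest chmod that clears each finding; returns the number of paths changed."""
    fixed = 0
    for rel, issue in findings:
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        if issue == "world-writable":
            mode &= ~stat.S_IWOTH
        elif issue == "setuid/setgid":
            mode &= ~(stat.S_ISUID | stat.S_ISGID)
        elif issue == "writable and executable":
            mode &= ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)   # data files are not programs
        os.chmod(full, mode)
        fixed += 1
    return fixed


def build_sample_webroot():
    """Constructed web root with the classic mistakes; returns its path (caller removes it)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": 0o644,          # fine
        "config.php": 0o666,         # world-writable: anyone local can change DB credentials
        "uploads/": 0o777,           # world-writable upload directory
        "uploads/shell.php": 0o775,  # group-writable and executable: an upload that became code
        "bin/helper": 0o4755,        # setuid binary sitting inside the web root
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(full, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write("<?php ?>\n")
        os.chmod(full, mode)
    return root


def demo():
    """Scan the sample tree, harden it, scan again; returns (findings before, findings after)."""
    root = build_sample_webroot()
    try:
        before = sorted(find_risky_paths(root))
        harden(root, before)
        after = find_risky_paths(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, issue in before:
        print(f"{issue:24} {rel}")
    print(f"after hardening: {len(after)} findings")
```

The same logic, pointed at a real document root, is a reasonable nightly job; the fixes it applies are conservative (it never adds permissions and never touches ownership), so anything it changes that later breaks the site was relying on a permission it should not have had.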

9. Use Security Scanners

Attackers constantly scan your server for open ports and other vulnerabilities to exploit, and so should you. Use security scanners to monitor automatically and run advanced checks for open ports, network services, configuration problems and other vulnerabilities in your web server and web applications. Web application scanners check password strength on authentication pages and test for cross-site scripting, SQL injection and more, and can audit shopping carts, forms, dynamic Web 2.0 content and other web applications for vulnerabilities.
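The simplest scanner, and the one worth understanding before trusting a commercial product's report, is a TCP connect scan with banner grabbing. The Python below is an example added to this article, not code from the original post or from any scanning product: it probes a range of ports in parallel, records which ones accept a connection, and captures whatever greeting the service sends first (SSH, SMTP and FTP announce themselves; HTTP waits to be spoken to). So that it runs offline, it also starts a constructed stand-in service on a free loopback port that answers with an SSH-style banner; the banner text and the port range scanned are assumptions for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Try a TCP connect; on success grab whatever banner the service volunteers."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:
            return port, None          # closed (refused) or filtered (timed out)
        try:
            banner = s.recv(128)       # services that speak first identify themselves here
        except (socket.timeout, OSError):
            banner = b""               # open, but silent until a client sends something
        return port, banner


def scan_ports(host, ports, timeout=1.0, workers=64):
    """Return {open_port: banner_bytes} for the given host and iterable of ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: banner for port, banner in results if banner is not None}


def start_demo_listener(banner=b"SSH-2.0-OpenSSH_demo\r\n"):
    """Constructed stand-in for a real service: listens on a free loopback port, sends a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                 # listener socket closed: shut the thread down
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_demo_listener()
    found = scan_ports("127.0.0.1", range(port - 5, port + 6))
    for p, b in sorted(found.items()):
        print(f"open {p}: {b.decode(errors='replace').strip() or '(no banner)'}")
    srv.close()
```

Compare the output of a scan like this, run from outside the firewall, against the list of services you believe you are exposing; anything unexpected in the first list is either a forgotten service or a misconfigured firewall rule. Only scan hosts you own or have written permission to test.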

Establish A Secure Server
The real challenge of managing web servers is ensuring that they function optimally and smoothly. The measures discussed in this article help you avoid technical complexities within the hosting environment, and maintaining due diligence on server security lets you keep operating normally. Know that it is an ongoing process and not something you do once. For business owners who want to focus on growing their business without worrying about managing their site, Lunarpages offers Managed Hosting Services with extra security features, administration and technical support.

5 Things Businesses Can Do Today to Protect Against Hackers

Every business and individual should be vigilant about online security. Businesses are especially exposed because they store an ever-increasing volume of user data on their servers, and small to medium businesses are as likely as large enterprises to suffer data breaches. While bigger organizations have the financial muscle, resources and skill to recover from a cyber attack, small businesses often lack the security personnel and expertise needed to protect sensitive data in the first place, or to recover from a breach should they be targeted. Sadly, regardless of size, every business that is breached suffers a loss of consumer trust. The good news is that there are simple measures any business owner can take to protect data from being compromised and to thwart attacks.

1. Apply Encryption Software
Today, encrypting your own confidential information and your customers’ sensitive data files is an important step in protecting against theft or hacking, and compliance with various federal and state laws requires businesses to encrypt confidential customer data. Modern encryption software uses well-studied algorithms so that data at rest or in transit is unintelligible without the key. Many encryption applications are available for businesses. Ideally they should use AES (the Advanced Encryption Standard) with 256-bit keys, offer on-the-fly encryption so that encrypted files can be worked with like ordinary files, support backing up encrypted containers to the cloud, protect the passphrase used to open vault or container files against keyloggers, and have an interface that makes encrypting confidential files intuitive. Online businesses should serve their sites over HTTPS, and if they use FTP they should switch to SFTP. Webmail login pages must be served over TLS (still often called SSL) so that usernames and passwords cannot be read by anyone intercepting the connection, and email itself should be sent over TLS-protected connections, especially when it contains sensitive information; note that TLS protects mail only between servers, so confidentiality of the message itself needs end-to-end encryption.

2. Use A Password Manager
Research shows that 80% of stolen or compromised user credentials are the result of weak passwords, and over 55% of people use one password for all logins. Cybercrooks use phishing, malware and social engineering to capture usernames and passwords. Small to medium-sized businesses need comprehensive protection using a password manager, such as the enterprise version of LastPass, to generate, store and fill unique credentials for every account from an encrypted vault. The vault is protected by a single strong master password or passphrase, which is the one secret users must memorize, and it should be backed by two-factor authentication. Password managers also let you set minimum password standards across company accounts to meet policy requirements, restrict access to specific devices or groups, and sync in real time across devices.

3. Ensure Proper Backup
There has been a 30% increase in denial of service attacks in the past year. These attacks consume bandwidth and tend to last longer. With hackers designing breaches to destroy or modify files on the server, and with the rise of ransomware, you can protect your business information by creating backups immediately. If the computer where data is stored gets lost, stolen or hacked, you will need to fall back on the backup copies to keep the business running. Under data privacy laws, your customers have the right to request access to the personal information stored about them; if the original data is compromised in a breach and you have no backup copy, you will not be able to comply with this legal requirement. For improved productivity, better security and legal compliance, it is critical for businesses to keep backup copies of their own and their customers’ confidential files.

4. Protect Your Network
Businesses have to pay special attention when securing their network. This means taking small but significant steps such as installing antivirus software, applying OS and application updates regularly, and controlling user access to a given system or data on a ‘need to know’ basis. Employees and users are often a weak link, as they inadvertently provide an easy access route to your website servers. By lowering the number of people who have access to your data, you reduce the risk of a hacker using them to steal it. Some things you can do today to help protect your network include employing strong passwords, changing them frequently, having logins expire after a brief period of inactivity, and thoroughly scanning all devices plugged into the network for malware. Additionally, security audits or vulnerability scans can help prevent online threats and malicious cyber attacks by monitoring the integrity of your network solutions and examining ports, firewall policies, processes and software updates. Vulnerability scans minimize the risk of downtime, prevent unauthorized access, and address urgent risks to safeguard your brand image.

5. Check Security Measures for Third-Party Providers
The Ponemon Institute lists third-party providers, such as web hosts, payment processors, and call centers, as security risks to businesses—especially with regard to data protection. There should be rigorous checks in place for all third-party vendors to ensure they have adequate and up-to-date security measures and practices. It is absolutely vital for businesses to vet all new providers, including software providers, for compliance with security best practices such as the Payment Card Industry Data Security Standard (PCI DSS) and the cloud-security certification SSAE 16. Even cloud software vendors should be asked about their certifications and security management measures before working with them. Partnering with reputable vendors and using the right tools safeguards businesses and reduces the risk of security threats. Don’t overlook this.

Protect Your Business, Your Brand and Your Customers
Today the risk of data breach is a greater challenge than ever for large, medium, and small businesses alike. For the reputation of your business and the safety of your customers, it’s important to take the necessary steps to improve your business’s data privacy and follow comprehensive security practices for critical applications & data.

Bursting Some Popular Cloud Myths

The word “Cloud” still causes a lot of confusion, and many people are left wondering what it actually is. When opting for cloud hosting, businesses rent virtual server space rather than renting or purchasing physical servers. Rented virtual server space is often paid for by the hour, depending on the capacity required at any particular time. These virtualized dedicated cloud servers have gained popularity globally because of their enormous shared computing power. Even core products from Microsoft and Adobe, such as Office 365 and Creative Cloud, use data that’s stored on remote servers. There are, however, many myths about cloud hosting that worry customers when they consider a cloud-hosting provider. Let’s burst some myths to get to the truth about cloud server hosting.

Myths and Truths About Cloud Server Hosting

Myth #1: Cloud Hosting is Not Secure
Fact: Cloud hosting providers are continuously improving their best practices and compliance levels for securing critical data and applications. Nonetheless, it comes down to choosing a leading cloud hosting company with good credentials and service level agreements. The company you choose should also offer the highest levels of security, with fully managed firewall protection. Cloud hosting environments ensure 100% uptime with an SOC 2/SSAE 16 data center, a high-availability server architecture with multiple servers, 256-bit encryption, automatic off-site backups, firewalls, routers, uninterruptible power supply, load balancers, switches, mirrored disks, RAID implementation, and 24/7 on-site monitoring. Additionally, software updates, including security patches, are applied to all customers simultaneously in the multitenant system. Most hosts treat cloud security very seriously and implement the latest technology and resources to protect the cloud environment, because if the cloud were proven unsafe, cloud companies would lose millions in sales. Security in the cloud, even in large cloud environments, has so far been stellar. There have been very few security breaches in the public cloud compared to on-premises data center environments.

Myth #2: Cloud Services Are Complicated
Fact: Cloud hosting may seem confusing with its many variations of public cloud, private cloud, hybrid cloud and even community cloud, but cloud servers are no more complex than dedicated servers or VPS. Cloud hosting actually simplifies the job of an IT manager or CTO because of its easy setup, instant provisioning through an online control panel, utilization on-demand and customization. The online control panel in cloud storage handles all the tough work; making cloud storage as easy as dragging a file to an icon.

Myth #3:  Cloud Hosting Is Expensive
Fact: Cloud hosting helps businesses save considerable financial resources and offers flexibility and adaptability for both the short and long term. It is a much cheaper alternative to shared or dedicated servers, though cost comparison may prove to be tricky. With cloud hosting you only have to pay for data storage resources you use, so it works out much cheaper than other hosting services. The cost for what you use on the cloud depends on a few factors.  These include the number of users, data size, customized backups, applications used and exchange services.  Cloud computing replaces the need for installing local servers, network equipment, power conditioning, software and antivirus software, backup solutions, dedicated server rooms, along with reducing the cost of IT staff, user support and maintenance.

Myth #4: Cloud Performance Is Not Reliable
Fact: In the early days of cloud computing, there may have been some performance issues. However, these problems have been attended to by the leading cloud service providers, who offer unique and work-specific solutions for high-powered, high-speed storage with guaranteed IOPS, along with other improvements. Cloud providers have made their systems resilient to avoid outages. No system is perfect and the cloud can fail too, but the fact is that those failures are few and far between compared to other alternatives. The cloud environment can be engineered to adapt to strenuous workloads and high-availability requirements that avoid any performance or failure issues.

Myth #5: There Is Only One Cloud
Fact: There are hosting providers offering cloud services from the small business to the enterprise level and there is actually more than one type of cloud—a Public Cloud, a Private Cloud and a Hybrid Cloud. A Public Cloud shares network infrastructure which is accessible from an off-site Internet source. While it is easier to share files on a Public Cloud, a Private Cloud has advanced security features and guaranteed high quality maintenance on software and infrastructure. The third type of cloud is a Hybrid Cloud, which combines aspects of a Private and a Public Cloud. For example, businesses can keep their data and applications for QuickBooks or financial software hosting on a Private Cloud and less sensitive documents can be stored on a Public Cloud.

The Bottom Line
When considering cloud hosting, it all comes down to finding a hosting provider with a proven track record. Try looking up comparison charts to find hosts with the most resources, an appropriate array of hosting products and excellent customer support to win your business. Cloud services have moved from being a second thought to being top of mind for businesses of all sizes. Amazon and Salesforce are just a couple of companies that are shining examples of the utility of SaaS platforms in the cloud revolution. But cloud computing is not just for large enterprises; it offers greater IT efficiency and capabilities for all businesses from small to medium-sized. Smart businesses should be ready to switch to the cloud in the future to leverage cloud technology, or risk being left behind by competitors who are already taking advantage of the value and benefits of cloud computing.

Cisco’s Managed Threat Defense: A New Era for Data Security Analytics?

IT security is no laughing matter, and organizations of all sizes and in all industries can’t afford to ignore it.

As CNN reports, Target CEO Gregg Steinhafel tendered his resignation after “extensive discussions” with the board of directors. Why? Because Steinhafel was in charge when company networks were hacked in December 2013, leading to the theft of 40 million credit card numbers. Unhappy consumers prompted a 46 percent drop in Target’s profit, and the retailer is now spending $100 million to upgrade its point-of-sale (POS) technology. But as a recent Sydney Morning Herald article points out, even if new POS terminals had been installed before the breach, Steinhafel couldn’t have prevented it from happening.

Network giant Cisco thinks it has the answer to this cycle of security failure and executive blame: Managed Threat Defense. Is this the dawn of a new era for security analytics?

Changing the Locks on IT Security

In an ideal world, network security breaches wouldn’t happen. Defenses would outpace attacks, and security vendors could say with absolute certainty that attacks were impossible. Unfortunately, the opposite is true. As noted in Cisco’s Annual Security Report, 100 percent of companies admitted that some traffic coming from their networks headed straight for malware-laden websites.

Cisco’s Managed Threat Defense solution gives security analysts a “single pane of glass” to help identify suspicious activity, according to the company’s Data Sheet. In addition, the solution offers real-time predictive analytics powered by Hadoop 2.0, which can detect anomalous network patterns, zero in on “unknown” attacks and track emerging incidents.

Cisco’s offering is a combination of on-premises hardware and software — all incoming and outgoing data is monitored 24/7 by Cisco’s security operation centers, which can respond instantly in the event of a threat.

Seeing the Future of Data Protection

The Global Security Analytics Market 2014–2018 report from Research and Markets predicts a compound annual growth rate of 10.61 percent for security analytics through 2018. And while it sounds like smoke and mirrors, predictive analytics offers tangible benefits as the enterprise market shifts from reliance on local resources to as-a-service alternatives.

Creative malware developers and virus authors are taking full advantage of security gaps to write code that alters its structure with each execution. In response, security vendors have shifted away from walling off networks, because it’s all too easy to sneak through the gate; the new goal is to predict what a program will do before it has a chance to execute.

A recent IT-Director article talks about the need for security intelligence before, during and after an incident. The idea actually comes from Cisco’s Sourcefire and dovetails perfectly with the manifesto of Managed Threat Defense: end-to-end protection.

Current solutions focus on what happens before attacks by using blacklists of email addresses, applications and websites. After is also well populated by companies that can assess the extent of damage and help enterprises get back on their feet. During is when most solutions can’t perform. Managed Threat Defense aims to close this gap by monitoring user environments in real time for behaviors that may be the precursors of an attack. Instead of looking for a specific code or host, the solution uses streaming telemetry to evaluate network traffic on a moment-by-moment basis, in effect predicting the future.

A Three-Sided Defense or a Single Shield?

Not all companies agree with Cisco’s model — IBM, for example, believes end-point protection is still the first line of defense against malware and other cyberthreats. But it’s hard to argue with the idea that attacks are better handled on three fronts rather than one: Defend where possible, detect when able and destroy as necessary.

Data Security and BYOD: The IT Odd Couple?

For enterprise IT professionals, there’s no avoiding the bring-your-own-device (BYOD) trend. According to a Staples Advantage survey, 93 percent of employees say the kind of telecommuting programs made possible by BYOD are beneficial, while 53 percent of business decision-makers say allowing employees to access corporate networks with personal devices increases productivity.

But as IT admins have discovered, easy access increases the risk of a data security breach. Is this an all-or-nothing proposition?

The Great Divide Between IT and Staff

Employees expect access. A recent article from HealthITSecurity notes that physicians often carry tech devices, such as tablets or smartphones, and expect immediate access to hospital networks. IT departments are told to “make things work” but struggle to manage certificates and access keys across a broad range of devices.

This can lead to a lockdown mentality on the part of IT: Users must either agree to install security-monitoring apps or restrict themselves to devices approved by IT admins. The problem? According to Harmon.ie, 41 percent of users circumvent these security measures, leaving corporate networks compromised and IT professionals in the dark.

Employees Don’t Feel Responsible for Security

When it comes to security, many employees take a “not my problem” attitude, according to Centrify survey results discussed in a recent FierceCIO article.

Fifteen percent of survey respondents said their responsibility for protecting corporate information on their personal devices was “none to minimal”; 10 percent were still using devices without passwords or PINs. And although 45 percent of respondents said they understood the need for data diligence in BYOD, 43 percent admitted to accessing corporate services over insecure public networks. In other words, even employees with the best intentions put company data at risk.

Tech Republic, meanwhile, offers some specific examples. After granting “select executives” access to company networks using their iPads and smartphones, a European firm found 10 times as many employees using the network without permission. A health and wellness company, meanwhile, discovered employees using public email services to send sensitive consumer data, such as credit card numbers and banking details.

Never the Twain Shall Meet?

Is it possible for BYOD and data security to coexist in the enterprise environment, or are IT professionals doomed to play catch-up and patch any holes left by well-meaning or overzealous employees?

One option is biometric mobile security, which includes the use of fingerprint, voice or iris identification, typically in combination with a password, to create a form of two-factor authentication.

News24 discusses this emerging technology and its possible benefits: For users, biometric options “feel” more secure and can seem less invasive than security apps. In addition, the use of a biometric service means authentication data is stored outside the mobile device; even in the event of a loss or theft, the phone or tablet itself can’t be mined for bio-identification data.

Forbes, meanwhile, offers companies more timely advice: Create backup plans. Start by making the data, not the user or the device, the priority. This means developing identity-management and remote-wiping protocols so admins always know who’s using a device and can cut off data access as needed.

It’s also important to engage employees and — given the power of social media — marketing departments. Education about device best practices, such as not using common passwords or relying on social media networks to transmit company data, is crucial. Ask employees what they expect from network access and get their input on mobile security; the democratization of technological power means IT staff must discuss rather than demand.

Data security and BYOD will never see eye to eye, but it is possible to maximize both access and authority with the right mix of technological forethought, backup planning and employee engagement.

Fixing Heartbleed in All the Right Places

The OpenSSL vulnerability responsible for April’s Heartbleed bug has been patched — version 1.0.1g fixes the problem permanently. But for IT professionals, patching OpenSSL is just the beginning: Heartbleed hides in the most unlikely places.

First Steps to Stop the Bleeding

Clearing out Heartbleed starts with patching every version of OpenSSL a company uses. The problem is that this encryption technology is used by a host of internal and third-party web-facing processes. According to Forbes, enterprises need to make sure every website they operate has been properly patched; it’s worth checking with your web host to ensure that they’ve patched things on their end as well.

What’s more, you need to make sure any partner sites are similarly clean. If not, information securely entered internally can become compromised when it leaves corporate networks and ends up in the memory buffer of a Heartbleed-vulnerable website.

Refresh Your Keys and Certificates

Although patching OpenSSL means there won’t be any new information leaks, it doesn’t prevent malicious actors from causing trouble with data they’ve already obtained. As ReadWrite points out, it’s critical to generate new public–private encryption keys for every system on the network and to revoke old SSL certificates and generate new ones to verify the identity of other servers.

This prevents “certificate spoofing,” in which hackers use stolen SSL or private encryption-key data to set up dummy sites that appear legitimate but are in fact copycat versions intended to steal user information. Google recommends that its Compute Engine customers generate new keys, and certificate authorities like Symantec and GoDaddy are offering updated certificates for free.
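An added example of the rotation step described above, written for this page rather than taken from ReadWrite, Google or any certificate authority: using only Go’s standard library, generate a brand-new key pair (never reusing the old one), build a certificate signing request for it, and confirm before submission that the request really carries the new key. The host names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// newKeyAndCSR generates a fresh P-256 private key and a certificate signing request
// for the given names, both PEM-encoded. The old key is simply never touched.
func newKeyAndCSR(commonName string, dnsNames []string) (keyPEM, csrPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	return keyPEM, csrPEM, nil
}

// parseCSR decodes a PEM request and checks its self-signature (proof that whoever
// made the request holds the private key matching the embedded public key).
func parseCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	blk, _ := pem.Decode(csrPEM)
	if blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

// csrMatchesKey reports whether the request's public key belongs to keyPEM. Run it
// against the NEW key before submitting, so a stale request for the old key is caught.
func csrMatchesKey(csrPEM, keyPEM []byte) (bool, error) {
	csr, err := parseCSR(csrPEM)
	if err != nil {
		return false, err
	}
	blk, _ := pem.Decode(keyPEM)
	if blk == nil || blk.Type != "PRIVATE KEY" {
		return false, errors.New("not a PEM private key")
	}
	keyAny, err := x509.ParsePKCS8PrivateKey(blk.Bytes)
	if err != nil {
		return false, err
	}
	priv, ok := keyAny.(*ecdsa.PrivateKey)
	if !ok {
		return false, errors.New("unexpected private key type")
	}
	return priv.PublicKey.Equal(csr.PublicKey), nil
}

func main() {
	// Placeholder names for the demonstration.
	keyPEM, csrPEM, err := newKeyAndCSR("www.example.com", []string{"www.example.com", "example.com"})
	if err != nil {
		panic(err)
	}
	ok, err := csrMatchesKey(csrPEM, keyPEM)
	fmt.Printf("request matches new key: %v (err=%v)\n%s", ok, err, csrPEM)
}
```

The private key must be generated on the host that will use it and never leave it; the CSR is the only artefact that goes to the certificate authority, and revocation of the old certificate is a separate step at the CA.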

CSO Online, meanwhile, reports that many security companies are also offering Heartbleed scanner tools for free, helping IT professionals track down this bug in hard-to-reach places. Newer versions are designed to scan Intranet websites, VPNs, FTP servers, databases, email servers, printers and smartphones. It’s worthwhile using more than one tool, however, since some released just after the bug was discovered were shown to report inaccurate results.
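As an added example (not a tool from the article, from CSO Online or from any vendor it mentions), here is a Go triage script of the kind used to work through an inventory: it reads the OpenSSL version banner collected from each host and reports which ones still run an affected build, and separately which ones it could not classify so they are checked by hand rather than silently skipped. The host names and banners are constructed sample data; the affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release, fixed in 1.0.1g and 1.0.2-beta2) is the published one.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// versionRe pulls "major.minor.patch[letter][-betaN]" out of a banner such as
// "OpenSSL 1.0.1e 11 Feb 2013" or "Server: nginx/1.4.7 (OpenSSL/1.0.1f)". Anchoring on
// the word OpenSSL avoids picking up the web server's own version number.
var versionRe = regexp.MustCompile(`(?i)openssl[ /]?v?(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?`)

// heartbleedVulnerable reports whether the OpenSSL version named in banner is in the
// affected range. The 0.9.8 and 1.0.0 branches never contained the heartbeat bug.
func heartbleedVulnerable(banner string) (bool, error) {
	m := versionRe.FindStringSubmatch(banner)
	if m == nil {
		return false, fmt.Errorf("no OpenSSL version string in %q", banner)
	}
	branch := m[1] + "." + m[2] + "." + m[3]
	switch branch {
	case "1.0.1":
		// Plain "1.0.1" (empty letter) and "a".."f" sort below "g"; "g" and later are fixed.
		return m[4] < "g", nil
	case "1.0.2":
		return m[5] == "-beta1", nil
	}
	return false, nil
}

// triage splits an inventory (host -> banner) into hosts that need patching and hosts
// whose banner could not be parsed, each sorted by name for stable reporting.
func triage(inventory map[string]string) (vulnerable, unknown []string) {
	for host, banner := range inventory {
		v, err := heartbleedVulnerable(banner)
		switch {
		case err != nil:
			unknown = append(unknown, host)
		case v:
			vulnerable = append(vulnerable, host)
		}
	}
	sort.Strings(vulnerable)
	sort.Strings(unknown)
	return vulnerable, unknown
}

// Constructed sample inventory: hypothetical hosts and the banners they reported.
var sampleInventory = map[string]string{
	"www.example.com":     "OpenSSL 1.0.1e 11 Feb 2013",
	"vpn.example.com":     "OpenSSL 1.0.1g 7 Apr 2014",
	"mail.example.com":    "Server: nginx/1.4.7 (OpenSSL/1.0.1f)",
	"legacy.example.com":  "OpenSSL 0.9.8y 5 Feb 2013",
	"ftp.example.com":     "OpenSSL 1.0.2-beta1 24 Feb 2014",
	"printer.example.com": "no banner returned",
}

func main() {
	vulnerable, unknown := triage(sampleInventory)
	fmt.Println("patch now:    ", vulnerable)
	fmt.Println("check by hand:", unknown)
}
```

A banner only tells you what the library claims; distributions that backported the fix without bumping the version letter, and appliances that embed their own OpenSSL, are why the article recommends running more than one scanner and treating "unknown" as work to do, not as clean.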

Heartbleed’s Impact on Mobile

In addition to websites and servers, it’s also possible for mobile devices to carry the Heartbleed bug. According to a recent Business Insider article, millions of Android users are potentially affected; any user running Jelly Bean 4.1.1 is a candidate for Heartbleed.

Google doesn’t release data for specific sub-version adoption, but over 34 percent of users worldwide are still running Jelly Bean 4.1, and security experts warn that “millions” of devices rely on 4.1.1.

This may seem like a distant threat for IT professionals, since this version of Jelly Bean rolled out in 2012. But for any organization that does business with individual subcontractors or has offices overseas, the mobile vulnerability represents a very real problem. The good news? This is the perfect opportunity to draft solid companywide mobile-use standards; there should be no problem getting C-suite approval to protect networks from leftover Heartbleeds.

A New SSL?

According to Theo de Raadt, founder of OpenBSD, OpenSSL isn’t worth fixing. As a result, his team has forked the code to create LibreSSL, which should deal with what de Raadt calls OpenSSL’s “discarded leftovers.” In an email to Ars Technica, he said that his group “removed half of the OpenSSL source tree in a week.” Even with such extensive pruning, the fork still compiles with no problems. Currently, LibreSSL is designed to run only as part of OpenBSD, although the group is taking donations and hopes to release a standalone version in the future.

Heartbleed has been bandaged; it hasn’t been eradicated. IT professionals need to patch every website, make sure mobile devices are secure and consider the possibility that OpenSSL may have outlived its usefulness.

Websense Threat Report 2014: Biggest Cyberattack Threats Exposed

According to network giant Cisco, 100 percent of enterprises unknowingly host malware. But as a recent Websense Security Labs report revealed, threats like exploit kits and redirect attacks are also on the rise. Here’s what companies need to know.

Crimes of Opportunity

A CSO Online article from April 7 discusses the Websense Security Labs 2014 threat report, which states that cybercriminals’ attack methodologies are becoming more sophisticated.

Charles Renert, vice president of security research at Websense, noted that “while the determined, persistent attackers continue to have success in advanced, strategic attacks using zero-day exploits and advanced malware, there has also been a boom in cyber criminal activity on a massive scale.”

Perhaps the best examples of this burgeoning criminal economy come from exploit kits. Designed to take advantage of vulnerabilities in web browsers, the kits can compromise legitimate websites and send users to fake landing pages hosted by malicious servers. The end result? Malware infections.

The most popular kit used in recent years was called “Blackhole,” created by a hacker known as Paunch. Paunch was arrested in October 2013; without his expertise, Blackhole attacks became less frequent, thanks to an odd facet of the malware market: Just like their counterparts in web security, malware creators must provide a level of customer service to anyone who purchases their exploit kits. Bereft of Paunch’s “customer care,” his kit fell into disuse.

Other kits, including Neutrino and Magnitude, have stepped up to take Blackhole’s place.

Neutrino uses two Java vulnerabilities to perform a drive-by download attack and infect computers. For example, CVE-2013-0431 allowed Java applets created by Neutrino to bypass the Java 7 update 11 using a malicious serialized file.

Meanwhile, Magnitude (once known as Popads) relies in part on CVE-2013-2463 and the Click2Play bypass.

The market for both kits remains strong: After Paunch’s arrest, the cost to rent a Neutrino-enabled personal server in Eastern Europe jumped to over $10,000 a month. More recently, Neutrino’s creator indicated he was willing to sell his code for $34,000.

Crimes of Direction

Redirection was another major threat over the last year, according to Websense. On average, compromised websites sent users through four redirects before landing on a malicious page, but the security company found that some exploits used up to 20 redirects to confuse browsers and obfuscate their trails.

A recent IT Business.ca article points out that redirects may become even more popular with the release of new generic top-level domains (gTLDs). It works like this: Many IT professionals choose to assign names — “conference.room1.network” for example — to networked computers rather than IP addresses.

Before the release of new gTLDs, accidental requests for this address outside a local network went nowhere. But now it’s possible for attackers to register *.network addresses and redirect traffic to malicious websites. According to OpenDNS, thousands of “misfired” queries have already been sent by home routers.
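As an added example (constructed for this page, not from IT Business.ca, OpenDNS or the article), the Go program below scans resolver query-log lines for exactly this kind of misfire: query names that end in a newly delegated gTLD but are not under the organization’s own domain, which is what a leaking internal name looks like from the resolver’s side. The organization domain, the gTLD list and the log lines are all sample values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample values: the organisation's real domain, and a few newly delegated
// gTLDs that coincide with suffixes people use for internal host names.
const orgDomain = "example.com"

var newGTLDs = map[string]bool{"network": true, "office": true, "cloud": true, "link": true}

// queryRe matches the "client ADDR#PORT: query: NAME IN TYPE" part of a BIND-style log line.
var queryRe = regexp.MustCompile(`client ([\d.:]+)#\d+: query: (\S+) IN (\S+)`)

type LeakedQuery struct {
	Client, Name, Type string
}

// findCollisionQueries flags queries whose name ends in a newly delegated gTLD and is not
// under the organisation's own domain. Such a name used to fail at the resolver; now it
// resolves to whoever registered the matching public domain.
func findCollisionQueries(lines []string) []LeakedQuery {
	var found []LeakedQuery
	for _, line := range lines {
		m := queryRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a query line
		}
		name := strings.ToLower(strings.TrimSuffix(m[2], "."))
		if name == orgDomain || strings.HasSuffix(name, "."+orgDomain) {
			continue // legitimately ours, wherever it resolves
		}
		labels := strings.Split(name, ".")
		tld := labels[len(labels)-1]
		if len(labels) >= 2 && newGTLDs[tld] {
			found = append(found, LeakedQuery{Client: m[1], Name: name, Type: m[3]})
		}
	}
	return found
}

// Constructed sample log lines (hypothetical clients and names).
var sampleLog = []string{
	"27-Feb-2014 10:26:01.101 client 10.1.2.3#51234: query: conference.room1.network IN A + (10.0.0.53)",
	"27-Feb-2014 10:26:01.204 client 10.1.2.4#41000: query: www.example.com IN A + (10.0.0.53)",
	"27-Feb-2014 10:26:01.377 client 10.1.2.5#53322: query: printer.office IN A + (10.0.0.53)",
	"27-Feb-2014 10:26:02.015 client 10.1.2.3#51235: query: fileserver.corp.example.com IN AAAA + (10.0.0.53)",
	"27-Feb-2014 10:26:02.418 client 10.1.2.6#40001: query: cdn.example.net IN A + (10.0.0.53)",
	"27-Feb-2014 10:26:03.002 client 10.1.2.7#40002: query: intranet.cloud IN A + (10.0.0.53)",
	"27-Feb-2014 10:26:03.500 resolver: zone transfer of example.com completed",
}

func main() {
	for _, q := range findCollisionQueries(sampleLog) {
		fmt.Printf("%s asked for %s (%s): internal name on a now-public gTLD\n", q.Client, q.Name, q.Type)
	}
}
```

The fix on the resolver side is to answer these suffixes locally (or move internal names under a domain you actually own), so the queries never leave the network; the scan tells you which clients and which names need that change.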

Possible Protection?

Bottom line? The Websense report puts it best: “85 percent of malicious links used in web or email attacks were located on compromised legitimate websites.”

For enterprises, protection against this kind of misuse starts with a reputable web host — one that offers next-gen security plug-ins in addition to basic threat detection. Companies are also well served by investments in real-time, behaviorally based threat-detection programs.

Security company Kaspersky recently released a real-time threat map that shows the number and type of infections occurring worldwide; businesses must be ready to respond in kind.

Exploit kits and redirect attacks are more popular than ever — companies need to know how to spot these threats and, more importantly, be prepared to take action.

The Next Online Crime: DDoS Extortion

Imagine you work at a company that does all of its business on the phone. Now imagine you receive a letter that says, “Pay us a bunch of money or we will overload your phone system so that you can’t get any calls.”

Since your company has a policy not to negotiate with “cyber terrorists,” you decide not to pay the extortion money. As a result, your phone bank is bombarded with robocalls that tie up your phone lines and prevent you from doing business.

The equivalent of this extortion process is happening online, with hackers using Distributed Denial of Service (DDoS) attacks as a means of bringing online companies to their knees.

Two high profile companies recently hit by DDoS extortion are Basecamp and Meetup.com. Both companies refused to negotiate with the extortionists and, as a consequence, were crippled by DDoS attacks that prevented customers from accessing the companies’ services for several hours.

The need to prevent or slow down DDoS attacks is particularly important to Software-as-a-Service (SaaS) companies like Basecamp or Meetup.com. These SaaS companies don’t have physical products, so service failures mean a loss of revenue for the companies, not to mention very unhappy customers.

What Is a DDoS Attack?

There is a distinction between a Denial of Service (DoS), which typically comes from a single computer, person or bot, and a Distributed Denial of Service (DDoS), which comes from several computers, people or bots.

There are many different ways that DDoS attacks happen. The most common is when the remote attackers overload a web server or infrastructure with a series of requests. To go back to the example at the beginning of this article, think of the phone line being so overloaded with inbound phone calls that legitimate customers get nothing but busy signals.

Denying various critical resources is a primary characteristic of a DDoS attack. They can manifest in various ways, including the following:

  • Consuming bandwidth, memory, processor resources or hard-drive space
  • Disrupting routing or other configuration information
  • Overloading physical network resources
  • Resetting TCP sessions

Some common methods include the following:

  • Internet Control Message Protocol (ICMP) floods, otherwise known as the “ping of death” or a “ping flood”
  • SYN flood, in which fake connection requests create half-open connections, causing the server to wait for the remaining part of the request
  • Teardrop attacks, in which oversized and fragmented requests can crash operating systems
  • Peer-to-peer attacks, in which peer-to-peer sharing hubs are redirected against a particular website

The scary thing is, the sophistication of DDoS attacks is increasing, making it more difficult to mitigate, thwart and overcome new attacks.

What Happened to Basecamp and Meetup.com?

At the beginning of this year, Basecamp and Meetup.com, as well as some other web properties, received an email threatening a DDoS attack if the hackers did not receive a $300 payment. According to the meetup.com blog, the email stated:

Date: Thu, Feb 27, 2014 at 10:26 AM
Subject: DDoS attack, warning

A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.

A DDoS attack started around the same time, bringing down Meetup.com. The site helps local groups organize via a variety of online services, such as online meeting invites and event planning.

Meetup.com’s services were offline for a period of 24 hours while employees worked to recover from the attack. As recovery was under way, Meetup.com was hit with another attack a few days later; a third attack occurred shortly thereafter.

As stated in a blog post, Scott Heiferman, co-founder and CEO of Meetup.com, decided not to pay the “ransom,” because his company does not negotiate with criminals. And although the dollar amount was low, the attack itself was fairly sophisticated.

Heiferman believed that paying the ransom would set a standard for future extortion of other companies in the space, and he thought Meetup.com could recover from future attacks of this nature. The service outage was carefully updated and documented on the Meetup.com blog.

Basecamp experienced a similar DDoS extortion. Basecamp is a project-management tool that is delivered as an online service. As explained by David Heinemeier Hansson, Basecamp founder and CTO, the site was flooded by bogus requests, preventing legitimate traffic from getting through. The company received an email, just as Meetup.com had, asking for payment to stop the attack.

Hansson says that the attack was up to 20 GBps, which saturated the Basecamp network. As is typical with recovery from these types of attacks, network issues remained after the attack was thwarted, which involved manually blocking the IP addresses of the attack’s sources.

How Can You Prevent DDoS Attacks?

As mentioned, DDoS attacks are evolving and becoming more sophisticated. While there is no 100 percent foolproof way to prevent your site or business from being victimized, there are several actions you can take to lessen the possibility of being fully shut down by an attack.

Some things to consider:

  • Set up firewalls to block or drop incoming traffic from attackers.
  • Use “stateful firewalls” that validate traffic requests instead of letting everything through.
  • Use attack detection and mitigation services.
  • Use properly configured switches and routers for rate limiting, which can slow down attacks to the network.
  • Talk to your hosting provider about the DDoS prevention and mitigation services they offer.

If your company does receive a DDoS extortion email, be prepared for a subsequent attack. It’s important not to negotiate with the extortionist, because it sets a precedent for other hackers or cybercriminals.

Remember, under most circumstances, your company can recover from a DDoS attack. It can take quite a bit of work, so it may be helpful to have a technical partner to guide you through an incident.

Unfortunately, these types of issues are a part of doing business on the Internet, so be sure to plan for the unexpected.
