CloudOgre

844-OGRE-NOW

FBI says VPNFilter fix Reset Router is still a Cyber Security Threat

by

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices.

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices.

The F.B.I. Public Service Announcementon May 25thasking citizens to reset their home and small office routers due to a cybersecurity threat called VPNFilter created by a group called Fancy Bear. Unfortunately, resetting your router or NAS device won’t be enough to eliminate the VPNFilter cyber threat. Yes, storage devices were impacted as well. You’ll need to follow the steps laid out below.

Step1:

Check out the list of devices effected by VPNFilter, as per Symantec. If you have one of these routers, you’ll want to reset your router immediately.

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Step 2:

Once you’ve identified the router you have and have reset it, you’ll want to update your firmware to the latest version. Going the extra mile to confirm that the update contained a fix for the VPNFilter is essential, as is, making sure the firmware was successfully updated. VPN is a Virtual Private Network or an encrypted tunnel that runs over the public internet to allow for secure communication between two devices.

Step 3:

Since the malware is persistent you’ll want to monitor your system to ensure phases 2 and 3 aren’t completed. To do that you’ll want to change passwords and monitor outgoing activities from any critical systems. That means your social media, VoIP system, banking or email. Essentially, anything that can be accessed via a web browser.

Step 4:

Buy a new router because sometimes if you buy cheap you buy twice. Here is a good example. Out of the millions of routers out there its estimated that 500k to one million routers have been affected. From an IT professional’s perspective, none of those are awesome routers and there are many other more secure options. The CloudOgre network hardware pageis a good resource to learn more.

Step 5:

If you’re running a growing business that relies on VPN capabilities for site to site connectivity, you may want to consider moving to layer 2 connectivity. Layer 2 connectivity like point to point connections, Ethernet private lines, mesh networks, etc. are typically less expensive from carriers because they don’t have to pay switching costs. Basically, site to site connectivity is cheaper for carriers to deploy so it’s less expensive as a monthly cost, more secure since it’s happening at the data link layer, and much easier to manage. Looking for additional detail on best practices for your wide area network?

Our question to ponder here is, as threats continue to develop on the internet so does reliance on its ubiquitous nature so how does this impact the end-user’s expectation? Furthermore, how does this impact the perception of SD-WAN and similar technologies that shape and secure traffic over the public internet? If you’re interested in keeping the conversation going just follow us on Facebook,LinkedIn, and Twitter.

 

 

 

Hurricane Season 2018 – The Role of the Data Center in Keeping Your Job – Failure to execute proper IT strategy & CIO has shortest C-Suite Executive Tenure

by

CloudOgre

Execute your plan for the 2018 Hurricane Season now

         Mother Nature is not a force to contend with. With hurricane season 2018 fast approaching, companies need to revisit their business continuity and disaster recovery strategies.  For those that may not know what that means, its basically making sure that the business continues to remain as operational as possible during the worst circumstances.

            Where is the brain of your organization? Some companies rely solely on the cloud for all off their applications whether email, website, phones, or CRM like Zoho and Salesforce. Others that want more control and additional security of their company’s resources and intellectual property want to keep those applications running on servers they own rather than in the cloud.

2018 US FarmersAlmanac Summer Weather Map

2018 US FarmersAlmanac Summer Weather Map – Hurricane

            I’ve seen too many organizations that house their data in their own facility in closets with fans, under water pipes, on lower levels susceptible to flood damage, and many other simply bad IT business practices. Not long ago I visited a CIO who bragged that he fought internally to secure space in their company’s new building in the basement… near a river prone to flooding. Needless to say our strategy did not align and we did not take them on as a client.

            Today, a hybrid strategy is a best practice combining the strengths of both the physical data center and the cloud to maximize an organization’s ability to stay open in the most dire circumstances. The right data center colocation space is important. During Superstorm Sandy many data centers in lower Manhattan were down hard with no access to additional fuel for their generators. Most of those that housed the essential switching for the public switched telephone network or PSTN and Internet stayed up and running with diesel being flown in via helicopter to power the rooftop generators while average citizens couldn’t even get gas for their car. I’d much rather my company be in that data center with the gas fueling generators on the roof than the one whose generators were under water.

            These days I tend to rely more on farmers than meteorologists for my weather. Patterns in nature can be examined via satellite but those with their hands in the dirt, in my opinion, are more credible. This Spring in Polk County NC has been tough with mudslides and heavy rain the cost the lives of our neighborsand even reportersthat came to see the devastation. It’s a small rural county of just over 20,000 covering almost 240 square miles, so it may not have made the news where you are but it was a reminder of the power of mother nature. We easily forget the past because of optimism in our everyday lives however that amnesia can be dangerous. These type of events in more densely populated areas like South Florida, New York City, or any other major city causes a major disruption to business, some of whom end up going out of business.

BY WEATHERBOY TEAM METEOROLOGIST – APRIL 5, 2018 The initial outlook for the 2018 is an active one with 14 named storms, 7 hurricanes, and 3 major hurricanes expected; an average season typically includes 12 named storms, 6.5 hurricanes, and 2 major hurricanes.

            Data Centers not only protect from natural disasters, they also add a layer of security to your company infrastructure. If your data center is in your closet with a fan on it than anyone who can get into your office can do your organization serious harm. That can be an internal employee or someone from outside the organization. Data Centers are equipped with biometric scanners and armed security guards. These centers hold very sensitive equipment and information for some of the most important organizations in the world.

            Those in the know are always looking to budget for data center space because they understand how important it is to the organization. IT executives sleep better at night when they’re collocating in a facility because they know they have everything on lock down! If a server needs to be reset they can call in remote hands to reset the server on camera by a qualified technician. If their office is flooded they can use the data center to hot desk for mission essential functions. Ever have to print payroll in a data center because your office was flooded? Trust me, its a great feeling to know you can still pay your employees especially since their families are dealing with the same disaster.

            Back to security, a physical security is a costly expense but very valuable when you’re talking about guarding the brains of your organization. It’ll certainly cost more than $1,000/month which is basically the cost of a full rack in a top tier data center with power (electric) and ping (internet access). FYI-There’s multiple security guards at these facilities. That combined with the cameras and biometrics makes it not only cost effective, but a wise decision. Your security needs are centralized and much easier to manage. Private lines or point to points are typically less expensive than internet access and though SD-WAN is all the rage, its still layer 3 or best effort over the internet, not a physical layer 2 connection which adds security to an organization’s infrastructure.

            As a business executive or IT professional, if you’ve never toured a data center facility I suggest you do so and have a conversation internally about your business security including protection from natural disasters and other force majeur. That in combination with the right hybrid cloud approach can keep your business functional no matter what.

Courtesy ZDNet By Natalie Gagliordi for Between the Lines

            High Availability for mission essentials functions are a top priority. If it’s not being discussed at your company push for it. The CIO’s average tenure is five years, the shortest of all C-Level executives. Target’s Beth Jacob resigned after their data breach but do we know if the conversation was had and budget not allocated. “CIOs already know that situations like this are a possibility, because virtually every aspect of the business these days is run on systems. When systems fail, even if the wrongdoing originates in business operations, the CIO is still a “best bet” lightening rod to attract the blame.”, says Mary Shacklett of TeachRepublic back in 2014.

            Doing what’s best for the organization is not always easy. Getting your agenda funded and other’s buying into the importance can be a tough road to travel given internal politics. Not fighting for the right resources could have you tuning up your resume sooner than should be the case.

Security Awareness Training

by

 

Security Awareness Training is the first step in preventing a data breach.

Imagine you walk into your doctor’s or dentist’s office and as you sign in you hear the person at the front desk reading a patient’s confidential information aloud for anyone in the general vicinity to hear. What do you do? Cyber Security is a philosophy and not just a practice. That practice stems from the company’s security philosophy and permeates all pieces of the organization. Security Awareness training is of the utmost importance to prevent the negative impacts of a breach.

When this happened to me recently I was shocked. I’m not sure if I was more shocked by the fact that confidential information was being thrown around with no regard for the potential impact or that the patients in the room seemed to not be concerned. My first thoughts were either this person at the desk was malicious or negligent. Had the company provided security awareness training? Their philosophy was clear within the verbiage of their patient paperwork allowing for “the release of health information to banks and financial institutions”

Again, security starts as a philosophy and although there are compliance regulations to govern PCI, HIPAA, SOX, PII, etc., a more general philosophy around protection of key data should be adopted to address breaches proactively. The example above is around personal information however analogous situations exist within the corporate environment. Intellectual property like customer data, CPNI in telecom, pricing, or even properly performed exit interviews can have a negative impact on an organization if not secured properly.SECURITY AWARENESS TRAINING

Security Awareness Training is the first line of defense. If your people don’t know that they need to keep the information secret, they won’t. Fines for data breaches are the least of your worries so you want to explain exactly why data needs to be held so tightly. According to the National Cyber Security Alliance as reported by Entrepreneur Media, 60% of small businesses go out of business six months after an attack. Brand equity and finances suffer, as well as, key people responsible may lose their job. Read more here about what happens when your small business is hacked.

Common sense approaches to security couple devices like door locks with training to remind employees to make sure they don’t allow unauthorized people into a locked facility after opening a door with their key card or ID. Required password changes should be implemented to keep systems safe but it can do more harm than good if employees aren’t trained on how dangerous it can be to leave these passwords on Post-It notes on their desk. Here is a list of the 6 threats to keep an eye out for in 2018 according to MIT Technology Review.

Cyber security concerns are also present within the government sector. When the Sheriff is paying the ransom to get their data back, we have a huge problem. This happens more often than most think. Organizations have to decide if and when they release information about a hack. Equifax didn’t release that data for about six months. Sometimes you can’t immediately release that information since it could cause additional harm. This is part of Security Awareness Training for higher level IT folks within an organization.

The increase in need for Cyber Security professionals, especially the CISO, is indicative that companies know they need to address these issues. Their inability to find the right talent to put in place shows that the philosophy of security doesn’t always make its way to the top. Most know the dangers of cyber security but don’t understand the nuance. A firewall is great but the weak link is people. If a thumb drive is put into your network by an unsuspecting employee, your firewall is useless.

Chief Information Security Officer jobs are on the rise!

There is a shortage of cyber security professionals. There are a predicted 3.5 million cyber security positions that will be open in 2021 according to Cisco. Cross training others within companies will have a big impact on securing data. Security Awareness Training is imperative, across all internal organizations, to make those professional’s jobs easier and keep data secure.

In sum, companies need to train their employees to use common sense approaches to securing confidential data. That person at the front desk obviously needs to be trained not to read confidential information aloud and why. They need to be taught that the patient’s finances could be compromised and the company can be fined. The three things that can be done are simple. Regularly scheduled training and reinforcement is necessary to keep employees aware of their role and the possible negative impacts they can prevent. Looking at security from a high-level as a philosophy is a crucial first step to addressing your company’s security concerns. Throwing money at it isn’t the answer. Finally, risks need to be properly assessed proactively to create a plan of action and limit potential harm to the organization.

For help with these and other issues, contact us here to schedule a discussion.

 

The 7 key elements of a BYOD Policy

by

 

BYOD Policy is a first step to safeguarding your data.

Your BYOD Policy can mitigate risk of loss of IP and other key data.

 

These days all businesses large and small need to have a BYOD Policy in place. A BYOD Policy alone won’t protect your communications, Intellectual Property, or your network but it should outline employee practices that lower the likelihood that a breech will occur.

It’s hard to keep the C-suite from using their iPad Pro for work, especially while traveling. It’s just easier! It’s just as difficult to get a new hire millennial to use a company issued iPhone… God forbid it’s not the latest version and brand new. They make a great point, a newer and fully updated device should be more secure than older devices.

Here are 7 elements that you’ll need to consider when putting together your BYOD policy:

  1. The employee exit – Whether an employee leaves on their own or are asked to leave, you’ll want back whatever info they have about clients and intellectual property. There are ways to simply wipe data with O365 and more comprehensive tools that you can reach out to us to discuss. Either way, you’re going to want to develop a plan starting with the worst in mind (a rogue employee looking to take your data, ideas, and log-ins) and create a plan to protect yourself.
  2. Acceptable devices – Devices aren’t equally effective or secure. Defining a set of parameters for your BYOD policy that speaks towards devices is important. Mobile Device Management platforms like IBM’s MaaS 360 is more flexible on Android devices but more secure on Apple devices. Additionally, you’ll want to define what browser to use e.g. Safari, Internet Explorer, Firefox, or Chrome. Taking advantage of cloud technologies like VDI can create a homogenous platform across your organization. Click here to learn best practices for incorporating cloud services into your BYOD environment. You’ll also want to consider reimbursement policies for employees using their own devices for work.
  3. Firewalls and Antivirus – Employee laptops that have old anti-virus software that hasn’t been upgraded will put your network at risk. Similarly, if you don’t set up your firewall properly you can put your employee’s devices in jeopardy. Network based firewalls are an awesome compliment to traditional premise based firewalls. Assigning quantitative values to potential data breaches will help you define both your BYOD policy and security strategy. How much will it cost you if you can’t log into your network or if an employee steals your customer list? Both employee and employer responsibilities should be defined clearly.
  4. Websites and Applications – Now that you’ve outlined what devices will be interacting with your data over your network, you’ll want to define what applications and websites are cool and which are NSFW. Some apps request information that you may not want your employees sharing, like contacts. The last thing you want is that rogue employee adding a key customer contact to their inappropriate SnapChat or Instagram. With security concerns on the rise from the plethora of recent hacking incidents including banks whose websites have been spoofed, you’ll want to be clear with employees, as well as, with your firewall settings. Should employees save information to their device or do you have a central storage system set up? Click here for more on data storage in a BYOD environment. Ideally, you’ll want to segregate personal and private data as much as possible.
  5. Assigning Permission – Every employee doesn’t need access to all of your information. Defining what team or individual is responsible for and has access to certain data will allow you to manage and mitigate risk. A system of checks and balances should be created so that information isn’t silo’d in one area, and inaccessible to key decision makers. For example, only the network admin should know your firewall password but, in case that person is let go or “gets hit by a bus” (God forbid but it is something to consider), there must be someone else that has that information and can change passwords immediately if necessary. If you’re a sole-proprietor, you’ll want to keep those passwords handy and set up alerts if changes are made.

    Rogue employee taking advantage of lax BYOD Policy

    Are you worried about theft of IP over a BYOD environment you can’t control?

  6. Human Resources – Now that you’ve secured your network and data with tangible steps in your BYOD Policy you’ll need to look at things from less of an IT perspective and more of an HR perspective. How invasive is your monitoring allowed to be? How do you determine if Intellectual Property created by an employee on their device should be company property? How do you handle hourly employees that have second jobs in a similar field where work may overlap? Most device management platforms allow for monitoring tools and storage that can easily keep work-related and personal items distinct.
  7. Legal – Where does the liability lie? We all love our lawyers (Maybe a hint of sarcasm) and here’s where they’ll need to be involved in the process. Earlier I mentioned that there are two pieces to the puzzle. The employer can put an employee at just as much risk as the employer. Think of the incident when an organization’s data isn’t secured allowing hackers to steal employee social security numbers, birth dates, and other key personal information. A BYOD Policy is not effective unless its written down and agreed to, via signature, by both parties. I’d even go as far to say NDAs and non-competes should be incorporated into your company’s BYOD Policy.

 

Today, everyone is vulnerable. The lists of recent attacks are crazy! Dude, HBO Got hacked and they stole the Game of Thrones episode with the Dragons fighting White Walkers! #GOT – The list of hacks also includes the various departments of government, Equifax, Target, Instagram, Red Cross Blood Service, and the list goes on. Check out a cool visual list of the largest data breaches and hacks here. As this is happening, users expect things to work seamlessly, securely, and flexibly to include their devices on your network. How will your BYOD policy be written to make your business less vulnerable to loss of secure data to hackers and employees gone bad?

So now that you know how to put together a BYOD Policy, the questions is, how will you enforce it? Will you be proactive and use the correct tools to keep your company and employees safe from cyberattacks and security breaches? Without the right tools in place you’re really leaving this up to trust and the recourse that law allows. If you need help evaluating what measures you can take using the latest technology, please contact us here.

 

 

Apple Keynote September 2017 and its impact on Cybersecurity

by

https://youtu.be/mW6hFttt_KE

On September 12th Tim Cook took to the stage to deliver the Apple Keynote at the Steve Jobs theater announcing the release of the iPhone 8, 8 Plus, iPhone X, Apple TV, and Apple Watch. Check it out. From a consumer’s perspective, they look really cool with their giant screen and augmented reality capabilities. From a business perspective, nothing was done to address concerns around cybersecurity.

With the recent hack of Equifax and the failure of the company to manage the hack, cybersecurity should be on the forefront of everyone’s mind. We live in an age when the new battleground is digital, when we are worried about our election being hacked by a foreign government. There was a lot of hubbub around Hillary using a private email server but many cybersecurity professionals are saying that was the safest thing to do since the server she was supposed to be using was known to be hacked… I mean cmon there’s a target on that.

Apple itself was recently involved in a security scandal which shed light on its vulnerabilities. No surprise this wasn’t discussed at the Apple Keynote. When the government asked them to open up the phone of the crazy in San Bernadino, Apple refused and the government got in the device anyway. That raised The People’s Eyebrow (channeling my inner Rock).

iPhone is supposed to be wiped after certain number of attempts.

Backdoor into your iPhone?

Back in March, Wikileaks reported that the NSA is using popular devices to spy on people using a backdoor. Same stuff Snowden reported long ago. We’ve heard the concerns with Amazon’s Alexa which you can read about here. These backdoors create huge concerns for the CISO, especially in a BYOD environment. The cool factor will create a vulnerability that can be managed using Mobile Device Management. Check out our post on Enterprise Mobility management here.

The core of CloudOgre’s business is in connectivity and that goes all the way up to the device. It’s easier to secure transmissions over fiber because you own the end device and can manipulate them. The same isn’t true, at least at the consumer level, for Apple phones. Apple is a closed environment which requires an application layered on top of the OS to manage security. For example, IBM MaaS360 or AirWatch.

As a professional in the enterprise technology space, it’s interesting to see how the cool factor has taken precedence over security. Blackberry is struggling to stay alive because their focus was on security. Apple’s focus seems to be around the user making the phone bigger, cooler, easier to use. Without any new mind blowing tech, the wow factor was still the focus of the Apple Keynote.

Even without Steve Jobs’ presence, the Apple Keynote was dynamic. Yes there was a point when the facial recognition didn’t work but that was a good thing since it was actually a protection issue caused by too many folks handling the device. Apple stock dipped which was odd but I’m sure there will be many pre-orders of the iPhone 8, iPhone 8 Plus, iPhone X even with a thousand-dollar price tag (aka a rack, stack, g, or a grand), and the Apple Watch which has cellular built in for greater detail in telemetry and biological inputs like the heart rate monitor… Keyword ‘monitor’.

To conclude, the marketing was great. Looks like they’re trying to create a middle ground by introducing the iPhone X with a higher price tag driving consumer behavior toward the 8s. There are concerns that the OLEP screens may cause a supply issue. My concern, as usual, is around security. Yes you may need to sleep with your girlfriend wearing a mask. Seriously though, when you’re in the chair of a CISO… it’s not so funny. Security first!

Want to talk more about this in your business environment? Contact us here.

 

Want an ogre in your inbox?

1615 S Congress Ave, Suite #103
Delray Beach FL 33445
↑ Top of Page