From Reactive to Proactive

Many businesses today still run a reactive model, handling IT issues only after they have caused trouble.

Our managed services program gives you peace of mind: someone is always watching over your network. We monitor your workstations and servers 24/7 and automatically fix the issues we detect.

We proactively patch servers and workstations, defragment hard drives, restart failed services, and keep an eye on the environment for you. Major issues are escalated to a network engineer.

All of this happens behind the scenes so you can focus on your core business.

Not every IT issue can be fixed automatically; those that cannot are handled by an engineer.

A layered approach to security is essential

Business disruption is a revenue killer. By implementing layers of security, business owners can reduce costly security incidents and keep operations running smoothly. With disruptive cyberattacks on the rise, and the cost of cleaning up after them (ransomware especially) rising with them, every business benefits from multiple layers of defense.

A history of hacks

Why you need to take security seriously

Every month the headlines carry new stories of data breaches, detailing how yet another company or organization has lost customer records, suffered embarrassment, and sustained a financial loss because of a cybersecurity incident. The following section gives some examples, along with the weaknesses in corporate infrastructure that allowed them to happen. They are particularly instructive when building a security solution designed to protect clients.

Hackers Are Holding an LA Hospital's Computers Hostage

In February 2016 the most notable ransomware victim was Hollywood Presbyterian Medical Center in Los Angeles, whose computers were offline for over a week.

Hollywood Presbyterian regained access to its systems after paying the attackers $17,000 in bitcoin, far less than the figure of over $3 million initially reported by local television news. According to the Times, it paid before contacting the authorities.

http://www.wired.com/2016/02/hack-brief-hackers-are-holding-an-la-hospitals-computers-hostage/

Anthem

In early 2015, health insurance provider Anthem lost the personal information of around 80 million customers, including Social Security numbers, birth dates, street addresses, and phone numbers. The attackers set up a malicious domain that hosted malware, and lured Anthem employees to it with targeted phishing emails containing links to the site.

Attack vectors:
  • Phishing email
  • Drive-by download
  • Trojan

http://www.computerworld.com/article/2898419/data-breach/premera-anthem-data-breaches-linked-by-similar-hacking-tactics.html

Australian Broadcasting Corporation

The Australian Broadcasting Corporation was hit by a ransomware attack that took its 24-hour news channel off the air. Attackers emailed staff at the network attachments infected with malware, in messages that appeared to come from Australia Post. The emails told recipients that a package could not be delivered; when they opened the attachment to find out more, they were infected with ransomware.

Crypto-ransomware is an increasingly damaging threat to organizations. This class of malware encrypts the victim's files and offers to decrypt them only on payment, typically in bitcoin. While still relatively rare compared with other kinds of malware, it is growing quickly: according to Symantec's 2015 Internet Security Threat Report, crypto-ransomware was infecting around 1,000 computers a day at the end of 2014, and that number will have grown since.

Attack vectors:
  • Email with ransomware payload attached

http://www.csoonline.com/article/2692614/malware-cybercrime/ransomware-attack-knocks-tv-station-off-air.html

http://www.symantec.com/security_response/publications/threatreport.jsp

Drupal 7 web hack

In October 2014, attackers found and exploited a SQL injection bug in Drupal 7, a popular content management system. Specially crafted requests resulted in arbitrary SQL execution, compromising the hosted site. The bug could be used to take control of the server hosting a Drupal-powered site, download all the data stored there, and turn the site into a malware distribution point for its visitors. Compromised Drupal servers were also pressed into service as a botnet: visitors were served a malicious script that used their browsers to search for further vulnerable Drupal servers, spreading the infection to more websites.

All of this was avoidable, because the Drupal developers had already released a fix. The problem was that many site administrators had not applied the patch. Drupal's own follow-up advisory warned that automated attacks began within hours of the fix being announced, and that any site not patched in that window should be assumed compromised; the speed of patching matters as much as the fact of it.

Attack vectors:
  • Unpatched software
  • SQL injection attack
  • Automated exploitation
  • Drive-by download site

Making systems hard to hack

Critical systems need more layers of protection than general-purpose computing systems. There are also opportunities to establish protection at every phase of an attack: before, during, and after.

Before

Before an attack, the focus is on hardening the IT infrastructure and enforcing sound security policies. An appropriate set of tools should be deployed, and staff trained, to protect the business against likely threats. The critical task here is a robust backup, both local and cloud-based. Removing local administrative privileges and keeping systems patched and up to date are easy wins against the most common attacks.

During

Hardening a system will not stop criminals from trying their best to penetrate business systems and reach their data. MSPs must be able to detect an attack while it is happening, block it from damaging the targeted systems, and then defend against further intrusion by the same attacker. Egress firewall rules, which block and log workstations and servers making unexpected outbound connections, together with event logging, are key to detecting malicious activity. On top of this, antivirus, email filtering, and web protection are active controls that help defeat and contain attacks.

One way to catch a zero-day exploit is to build event log checks that look for suspicious activity inside the business network. A specific check could watch machines for the Adobe Reader or Flash Player process crashing with an application fault (in the Windows Application log this is the Application Error event, ID 1000, which names the faulting executable). If Reader crashes as a user opens a PDF, or the Flash plugin crashes as they click an online video, that can indicate a failed or partially successful exploit attempt at the software level, and possibly a zero-day. Crashes also happen for benign reasons, so treat such an event as a trigger for triage rather than proof: check what file or site was opened, whether the process spawned anything, and whether the machine made new outbound connections afterwards.

Other suspicious activity, such as antivirus alerts, unusual firewall log entries, or a rise in HTTP traffic from a single client, especially after business hours, adds further evidence that a machine is compromised. Antivirus failing or being disabled, slow performance, system lockups, and an inability to patch the machine are all subtle indicators that something is wrong with a workstation. By understanding what normal activity looks like for the business, an MSP can protect it better and offer a more premium security service.
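The two checks described above, written out as an added example (this is not code from the original page or from any MSP tooling it describes). The first scans Windows Application-log records for faults in the Adobe Reader and Flash Player processes; the second counts after-hours HTTP requests per client from a proxy log. Every record, host name, IP address, process name and the 19:00 to 07:00 window is constructed for the example, and the process names watched are an assumption about which executables the text means.

```python
"""Event-driven checks of the kind described above: (1) Adobe Reader /
Flash Player crashes in the Windows Application log, (2) per-client
after-hours HTTP activity from a proxy log. All data is constructed."""
import re
from collections import Counter
from datetime import datetime, time

# Constructed Application-log records. Event ID 1000 is Windows' "Application
# Error" event, which names the faulting executable; 1001 is the follow-up
# Windows Error Reporting record and is ignored here to avoid double counting.
APP_EVENTS = [
    {"time": "2016-03-01T10:12:03", "host": "WS-ACCT-07", "event_id": 1000,
     "faulting_app": "AcroRd32.exe", "exception": "0xc0000005"},
    {"time": "2016-03-01T10:40:11", "host": "WS-ACCT-07", "event_id": 1000,
     "faulting_app": "EXCEL.EXE", "exception": "0xc0000005"},
    {"time": "2016-03-01T11:02:45", "host": "WS-SALES-02", "event_id": 1000,
     "faulting_app": "FlashPlayerPlugin_20_0_0_306.exe", "exception": "0xc0000005"},
    {"time": "2016-03-01T11:02:50", "host": "WS-SALES-02", "event_id": 1001,
     "faulting_app": "FlashPlayerPlugin_20_0_0_306.exe", "exception": ""},
]

# Renderers that process untrusted content: a fault here while opening a
# document or video is the symptom the text describes. Names are assumed.
WATCHED_EXACT = {"acrord32.exe", "acrobat.exe"}
WATCHED_PREFIX = ("flashplayerplugin",)


def is_watched(app):
    name = app.lower()
    return name in WATCHED_EXACT or name.startswith(WATCHED_PREFIX)


def find_renderer_crashes(events):
    """(host, faulting_app, time) for each Application Error on a watched process."""
    return [(e["host"], e["faulting_app"], e["time"])
            for e in events
            if e["event_id"] == 1000 and is_watched(e["faulting_app"])]


# Constructed proxy log: "<ISO time> <client IP> <method> <destination> <status>".
PROXY_LOG = """\
2016-03-01T14:10:00 10.0.5.23 GET intranet.example.local 200
2016-03-01T22:01:10 10.0.5.23 POST 203.0.113.9 200
2016-03-01T22:01:12 10.0.5.23 POST 203.0.113.9 200
2016-03-01T22:01:15 10.0.5.23 POST 203.0.113.9 200
2016-03-01T22:01:20 10.0.5.23 POST 203.0.113.9 200
2016-03-01T23:30:00 10.0.5.41 GET updates.example.com 200
2016-03-02T06:45:00 10.0.5.41 GET updates.example.com 200
2016-03-02T09:00:00 10.0.5.41 GET news.example.com 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_after_hours(ts, start=time(19, 0), end=time(7, 0)):
    """True when ts falls in the overnight window [start, end) that crosses midnight."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").time()
    return t >= start or t < end


def after_hours_http_spikes(lines, threshold):
    """Clients with at least `threshold` after-hours requests, with their counts.
    Malformed lines are skipped rather than aborting the sweep."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client = m.group(1), m.group(2)
        if is_after_hours(ts):
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, app, when in find_renderer_crashes(APP_EVENTS):
        print(f"triage: {app} faulted on {host} at {when}")
    for client, n in after_hours_http_spikes(PROXY_LOG.splitlines(), threshold=3).items():
        print(f"triage: {client} made {n} after-hours HTTP requests")
```

In the constructed data the Excel crash is ignored as noise, the two renderer faults are reported, and only the client that posts repeatedly to an external address overnight crosses the threshold; the other client's two after-hours requests to an update host do not. The threshold here is a fixed number for illustration; in practice it should come from the client's own history, which is the "understanding normal activity" point made above.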

After

An MSP may see many attacks over the course of a single year. Knowing what to do once an attack is over, and how to learn from it, is an important part of the process. Once an attack has been repelled, the MSP must establish its scope, contain the damage so that no other systems are affected, and then remediate the damage already done. In most cases this means restoring data and/or re-imaging the system. Providing business resiliency is a no-fail task for an MSP.

Finally, preserve evidence from the affected systems and use what the attack taught you to further harden the business. Technology is not always the only answer: sometimes attacks are mitigated by removing the offending software (such as Adobe Flash) or by removing execute permission from downloaded files. Simply taking away users' ability to install software mitigates many common attacks.

Layered approach to security

Underpinning this entire security process is the concept of a layered approach to security. This is an approach that uses multiple lines of defense to repel potential attacks, and is based on the principle that no one single form of protection is enough to stop a determined cybercriminal.

One way to understand a layered approach to defense is to think of IT systems as a house. Inside your house are your valuables. You could quite easily install a simple bolt inside your door to keep people out while you are asleep. But that wouldn’t help you to lock your door when you went out, so you’d use a deadbolt on the door.

That still leaves the windows, which are easily breakable, and low to the ground. Installing iron bars would better protect those, but to be sure, you might install a burglar alarm, just in case someone still found a way. Finally, installing security lights at the back of the house would stop people lurking in the dark, further discouraging intruders. At this point, a burglar is likely to simply choose another house with fewer defenses.

Like burglars, many attackers are opportunistic and follow the path of least resistance. Applying multiple defenses discourages digital intruders, but finding the weak spots in an IT system is harder than spotting the likely points of entry into a house. This is where the layered approach comes in.

There are five elements to an effective layered defense strategy. They work together, forming a mesh of protection around your business systems.

Defining a layered security approach

Patch management

A popular technique among attackers is to target software that has not been updated to fix known vulnerabilities. Many attacks exploit unpatched software even when the flaws are well known and publicly documented. Software flaws are catalogued in the Common Vulnerabilities and Exposures (CVE) list operated by the MITRE Corporation. According to Verizon, 99.9% of the vulnerabilities exploited in 2014 had been assigned a CVE identifier more than a year before they were compromised.

http://www.verizonenterprise.com/DBIR/2015/

In fact, things were even worse than that. Verizon's report found that over 30 exploits responsible for data breaches in 2014 stemmed from CVEs first issued in 1999. That's right: companies are still losing data to attackers using security flaws reported before the ILOVEYOU worm was born. Such is the importance of patching that the Australian Signals Directorate lists it among its top four mitigations, which are mandatory for Australian government agencies.

Had the Drupal 7 operators mentioned earlier applied the patch promptly, their websites would not have been compromised and their visitors would not have been infected. The attackers, who had built an exploit for a known and already-fixed bug, relied on many operators failing to update.

Once a flaw has been disclosed in a piece of software (an operating system, database engine, application framework, or application), criminals can easily write scripts that scan the Internet for running instances of that software and attempt to compromise them. Exploit toolkits, many of them built for penetration testing and research, carry regularly updated catalogues of these flaws along with working exploit code, giving unscrupulous users ready-made cyber-weapons.

Patch management is low-hanging fruit for IT administrators, who can automate it to a degree with scripting tools, or with more sophisticated systems that inventory, download, test, and deploy patches from multiple vendors. An inventory of installed versions, compared against the version in which each known flaw was fixed, is the starting point for either approach.
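A small patch audit, as an added example rather than code from the original page or any product it describes: it compares an inventory of installed versions against the release in which each flaw was fixed, and does the comparison numerically rather than as strings, which is the mistake that makes "7.9" look newer than "7.32". Drupal 7.32 is the release that closed the October 2014 SQL injection bug discussed above; the Adobe Reader minimum, the host names, and the inventory itself are constructed for the example.

```python
"""Patch audit over a constructed inventory: compare each installed version
against the release in which the relevant flaw was fixed. Versions are
compared component by component as integers, because a plain string
comparison gets this wrong ("7.9" > "7.32" as strings)."""
import re

# Minimum fixed versions. Drupal 7.32 is the release that closed the October
# 2014 SQL injection bug; the Adobe Reader figure is illustrative only.
MINIMUM_FIXED = {
    "drupal": "7.32",
    "adobe reader": "11.0.10",
}

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("web-01", "drupal", "7.9"),
    ("web-02", "drupal", "7.32"),
    ("web-03", "drupal", "7.34"),
    ("ws-07", "adobe reader", "11.0.06"),
    ("ws-08", "adobe reader", "11.0.10"),
    ("ws-09", "notepad++", "6.7"),   # no minimum on file: reported separately
]


def parse_version(text):
    """'11.0.06' -> (11, 0, 6). Pre-release suffixes are not modelled."""
    parts = tuple(int(n) for n in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def is_below(installed, minimum):
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(minimum)


def audit(inventory, minimums):
    """Return (outdated, untracked): hosts that need a patch, and products with
    no known-fixed version on file. The second list is an inventory gap, not a
    clean bill of health, and should be reported rather than silently dropped."""
    outdated, untracked = [], []
    for host, product, installed in inventory:
        key = product.lower()
        if key not in minimums:
            untracked.append((host, product, installed))
        elif is_below(installed, minimums[key]):
            outdated.append((host, product, installed, minimums[key]))
    return outdated, untracked


if __name__ == "__main__":
    outdated, untracked = audit(INVENTORY, MINIMUM_FIXED)
    for host, product, installed, needed in outdated:
        print(f"PATCH {host}: {product} {installed} < {needed}")
    for host, product, installed in untracked:
        print(f"UNTRACKED {host}: {product} {installed} (no fixed version on file)")
```

Run as-is it flags web-01 and ws-07 and lists ws-09 as untracked. Feeding it real data means exporting the inventory from whatever agent or package manager the MSP already runs and maintaining the fixed-version table from vendor advisories; the comparison logic is the part that stays the same.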

Antivirus

Antivirus should be a key part of any business's security arsenal. While not sufficient on its own to stop attacks, antivirus provides a useful line of defense against the malicious software attackers use to gain a foothold in corporate systems. Best-practice guidance and compliance requirements alike demand malware defenses. Criminals frequently reuse known Trojans and malware against targets, so up-to-date antivirus, provided it has the latest definitions, can consistently detect and remove them.

Antivirus technology has evolved, and now includes heuristic and behavioural detection that can catch previously unseen malware. Cloud-based signature updates also let vendors protect businesses against new strains as soon as they are identified. With vendors seeing on average around 200,000 new malware samples each day, real-time updates are an important part of the antivirus landscape.

With so many attacks using malware as the entry point into networks, antivirus software is not optional; it is mandatory.

http://www.pandasecurity.com/mediacenter/press-releases/pandalabs-neutralized-75-million-new-malware-samples-2014-twice-many-2013/

Web protection

Antivirus isn't perfect. It may match a malware signature, or it may not; it may flag suspicious behaviour by an application, or the behaviour may go unnoticed. Since many malware strains are delivered through the browser, web protection is another important part of a layered defense.

Businesses can use this technology to see where employees are browsing, and where infected machines are connecting without the user's knowledge. Like antivirus, web protection services receive regular updates of domain names and IP addresses associated with malicious activity, and can block connections to them from the corporate network.

Web protection also adds value beyond blocking. It can serve as a detection mechanism, spotting browsing patterns that indicate an attack, and it can block legitimate but undesirable sites, such as sports and entertainment destinations, helping the business sustain employee productivity.

According to the Verizon Data Breach Investigations Report (DBIR), 54% of malware infections involve interaction with the web. Browsers handle far more untrusted content than email clients do, and users frequently load them with third-party plug-ins for extra functionality. That gives the browser a broader attack surface and makes it a particularly appealing target.

Mail protection

Email is one of the most important tools for any business, and it remains a primary delivery channel for attackers, who send links to malicious websites or malware-infected attachments directly to employees. Email is also a natural vehicle for social engineering: attackers raise their success rate by studying a company and including pertinent details in the message.

Beyond making business owners feel safer, providing email security to clients gives MSPs some significant advantages. Looking for patterns across large volumes of spam gives the provider valuable intelligence about the kinds of attacks directed at its customers; it may be able to see, for example, that particular employees are receiving unusual numbers of emails as part of a targeted campaign.

MSPs can also improve network performance, and potentially lower bandwidth costs, by offering a cloud-based email protection service, because the provider collates and cleanses the mail stream before passing it on to the company, keeping junk traffic off the customer's network. The customer's mail server should also be configured to accept inbound mail only from the MSP's filtering service; otherwise an attacker who finds the real mail server can deliver to it directly and bypass the filter entirely.

According to the Verizon Data Breach Investigations Report (DBIR), 77% of malware infections result from users receiving a malicious email with an attachment or web link. A robust cloud-based email protection service provides a solid additional layer of defense.

Backup

Effective backup is the final linchpin, and the critical service, in a layered strategy. Protecting a business from attack offers peace of mind, but no protection is absolute: even the best systems can be compromised. The threat of attack, alongside the risk of physical data loss, makes backup a critical part of any cybersecurity service.

MSPs should ensure they have a tried and tested backup service. Frequent, incremental cloud-based backups are easier to test and to guarantee for customers, and the absence of physical backup media reduces the risk of backup data being corrupted, lost, or stolen.

You can never be too diligent with backup. Given the outbreak of ransomware-style attacks, a business needs both a local backup and a cloud-based backup. A cloud backup not only meets compliance and best-practice requirements for daily offsite backup; it also sits beyond the reach of ransomware, provided the service keeps versioned copies and is not simply a drive mapped on the workstation, since ransomware encrypts every writable share it can see. That lets you restore files after something gets past your defenses.

Local backup provides faster restoration of large files or large numbers of files. Having both local and cloud copies takes the stress off incident response: knowing the backup is good gives an MSP a solid ability to get the customer back up and running.
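"Knowing the backup is good" is a check, not an assumption. Below is an added example of that check (not code from the original page or from any backup product): a SHA-256 manifest is taken from the source at backup time, and the backup copy is later verified against it so that silently corrupted, encrypted, or missing files are reported before a real restore depends on them. The files, directory names and the tampering are all constructed inside a temporary directory by the `demo()` function.

```python
"""Backup verification on constructed data: hash every file in the source,
keep the manifest with the backup, and later check the copy against it.
A backup that exists is not the same as one that restores."""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """{relative path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def verify_copy(manifest, root):
    """Compare the backup copy under root against the manifest taken at backup time."""
    actual = build_manifest(root)
    missing = sorted(p for p in manifest if p not in actual)
    changed = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    extra = sorted(p for p in actual if p not in manifest)
    ok = len(manifest) - len(missing) - len(changed)
    return {"ok": ok, "missing": missing, "changed": changed, "extra": extra}


def demo():
    """Constructed scenario: three files backed up, then one copy altered and one lost."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "src"), os.path.join(work, "backup")
    os.makedirs(os.path.join(src, "finance"))
    sample = {"a.txt": b"ledger", "finance/b.txt": b"payroll", "c.txt": b"contracts"}
    for rel, data in sample.items():
        with open(os.path.join(src, rel), "wb") as f:
            f.write(data)
    manifest = build_manifest(src)        # taken at backup time, stored with the backup
    shutil.copytree(src, dst)             # the "backup"
    # Simulate silent corruption (or a ransomware pass) on one file and loss of another.
    with open(os.path.join(dst, "finance", "b.txt"), "wb") as f:
        f.write(b"\x00garbage")
    os.remove(os.path.join(dst, "c.txt"))
    result = verify_copy(manifest, dst)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Two practical notes. The manifest has to live somewhere the workstation cannot overwrite, or the same ransomware that scrambles the files can scramble the record of what they should be. And this check proves the copy matches what was backed up, not that what was backed up was clean: if files were already encrypted when the backup ran, the manifest will match them perfectly, which is why the versioned copies mentioned above matter as well.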

The threat from cybercriminals is persistent, from simple brute-force attacks against VPN, RDP, Outlook Web Access, and any other exposed service, to sophisticated spear-phishing campaigns. A business should employ as many security services as it cost-effectively can to reduce the chance of a disruptive security incident.

In the marketplace today, the Security as a Service model is taking off, according to Gartner and other analyst firms. Security software sold as a subscription is a cost-effective way to reduce security incidents at your company. Make no mistake: security incidents are expensive and damage your reputation.