It’s time to rethink cybersecurity.

For many years, organizations have focused their security efforts on perimeter and endpoint protection. Firewalls, antivirus software, intrusion detection and anti-spyware tools are all effective to a point, but on their own they are failing to stop a large share of threats.

A recent ServiceNow survey of 300 chief information security officers found that 81% are highly concerned that breaches are going unaddressed and 78% are worried about their ability to detect breaches in the first place. IBM’s 2017 X-Force Threat Intelligence Index reported a 566% increase in the number of compromised records in 2016 compared to the previous year. FireEye reported that the average time it takes an organization to detect an intrusion is over 200 days.

Endpoint security measures will only become less effective as the number of endpoints proliferates. Smart phones introduced a whole new class of threats, and the internet of things (IoT) will add billions of endpoint devices to networks over the next few years, many of which have weak or no security.

That’s why cybersecurity, in the words of Cisco CEO Chuck Robbins, “needs to start in the network.” The approach that Cisco is championing recognizes the reality that breaches today are inevitable but that they needn’t be debilitating. The increasing popularity of security operations centers shows that IT organizations are shifting their attention to creating an integrated view of all the activity on their networks – including applications, databases, servers and endpoints – and adopting tools that can identify patterns that indicate a breach. For example, repeated failed access attempts from a single IP address, or unusually large outbound file transfers, may indicate an intrusion, and that activity can be stopped before much damage is done.
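The two indicators named above, repeated failed logins from one source and an unusually large outbound transfer, are simple enough to show as detection logic. The following is an added example written for this page, not code from Cisco or from any product it mentions. The log format (timestamp, event name, then key=value fields) and the log lines themselves are constructed for the example, and the thresholds are assumptions a real deployment would tune against its own baseline.

```python
"""Run two intrusion indicators over a constructed log: a burst of failed
logins from one source IP within a short window, and a single outbound
transfer larger than a threshold. Added example; log format and data are
constructed, not taken from any real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (TEST-NET and private addresses, no real hosts).
# Assumed format: "<ISO timestamp> <event> src=<ip> [user=<name>] [bytes=<n>]"
SAMPLE_LOG = """\
2016-10-21T11:00:01 auth_fail src=203.0.113.5 user=admin
2016-10-21T11:00:03 auth_fail src=203.0.113.5 user=root
2016-10-21T11:00:04 auth_fail src=203.0.113.5 user=admin
2016-10-21T11:00:06 auth_fail src=203.0.113.5 user=backup
2016-10-21T11:00:07 auth_fail src=203.0.113.5 user=admin
2016-10-21T11:00:09 auth_ok src=198.51.100.7 user=alice
2016-10-21T11:05:00 outbound src=10.0.0.12 bytes=52428800
2016-10-21T11:05:30 outbound src=10.0.0.12 bytes=4194304000
2016-10-21T11:30:00 auth_fail src=198.51.100.7 user=alice
"""

FAIL_THRESHOLD = 5                  # assumed: 5 failures ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within 60 seconds from one source
OUTBOUND_THRESHOLD = 1 << 30         # assumed: any single transfer >= 1 GiB


def parse_line(line):
    """Split one log line into (timestamp, event, {key: value})."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv


def detect(log_text):
    """Return alerts as (kind, source_ip, iso_timestamp) tuples in log order."""
    alerts = []
    recent_failures = defaultdict(deque)   # src ip -> timestamps still in window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        src = kv.get("src", "unknown")
        if event == "auth_fail":
            window = recent_failures[src]
            window.append(ts)
            # Drop failures older than the window before counting.
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("brute_force", src, ts.isoformat()))
                window.clear()   # start a fresh window so we do not re-alert on every line
        elif event == "outbound" and int(kv.get("bytes", 0)) >= OUTBOUND_THRESHOLD:
            alerts.append(("large_outbound", src, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample, the fifth failure from 203.0.113.5 at 11:00:07 raises one brute_force alert (the later isolated failure from 198.51.100.7 does not), and only the 4 GB transfer from 10.0.0.12 crosses the outbound threshold. In practice the outbound threshold would be a per-host baseline rather than a fixed number, and sources such as vulnerability scanners would need an allow list; otherwise the same logic is what a SIEM correlation rule expresses.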

Fortunately, technology is evolving to support the network-centric approach. Big data platforms like Hadoop have made it practical and affordable for organizations to store large amounts of data for analysis. Streaming platforms like Apache Kafka can capture event streams, and engines like Apache Spark can analyze them in near real time. Machine learning models trained on large data stores like Hadoop can continuously sort through network and server logs to find anomalies, improving as they see more data.

And the cloud presents new deployment options. That’s why security is rapidly migrating from dedicated hardware to cloud-based solutions using a software-as-a-service model. Grandview Research estimates that the managed security services market was worth more than $17.5 billion in 2015, and that it will grow to more than $40 billion in 2021. As organizations increasingly virtualize their networks, these services will become integrated into basic network services. For the customer, that means far fewer firmware upgrades, site visits to fix balky firewalls and anti-malware signature updates to manage; those tasks move to the provider.

It’s too early to say that the tide has turned favorably in the fight with cyber-criminals, but the signs are at least promising. It’s heartening to see Cisco making security such an important centerpiece of its strategy. Two recent acquisitions – Jasper and Lancope – give the company a prominent presence in cloud-based IoT security and in network traffic analytics for threat detection. The company has said that security will be integrated into every new product it produces going forward. Perhaps that’s why Robbins has called his company “the only $2 billion security business that is growing at double digits.”

Denial of service attacks – understanding and avoiding them

In October, a cyber attack on the DNS provider Dyn made many web services and sites inaccessible, including several news and media outlets (Fox News, HBO, CNN, Weather Channel, etc.) and major sites such as Netflix, PayPal, Yelp and Starbucks, just to name a few.

This attack is considered the largest denial of service attack seen to that point. In order to better understand what happened, we will first recall some basic notions of Internet communications. We will continue by talking about botnets and their evolution, before we look at the specifics of this recent attack. Finally, we will see how we can guard against such attacks.

Internet Communication Basics

Most Internet communications are of the client-server type. The Internet browser is often used as a “client” and sends requests to the server, asking it to display a Youtube video, for example.

Each server has its own IP address. When you browse to Google, for instance, the server that answers your request may differ depending on your geographical location. This is made possible by the Domain Name System (DNS).

DNS servers translate a name such as www.google.com into an IP address, and the answer they give can depend on who is asking. Every connection your browser makes starts with this lookup, which is why this notion is important for understanding the attack that targeted Dyn.
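To make the lookup concrete, here is what a client actually sends and receives, as an added example written for this page rather than code from the original post. It builds a DNS query for an A record in the RFC 1035 wire format and parses the reply, including the name compression pointers that real responses use. Because it runs offline, the reply is constructed by a stand-in for a resolver (make_response, an assumption of this example); the name www.example.com and the address 192.0.2.10 are reserved documentation values, not real hosts. The second case shows the SERVFAIL status a recursive resolver returns when it can no longer reach a domain’s authoritative servers, which is what clients saw during the Dyn outage.

```python
"""DNS A-record query builder and response parser (RFC 1035 wire format).
Added example; make_response is a constructed stand-in for a resolver so the
code runs offline."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """12-byte header (RD flag set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def read_name(msg, off):
    """Decode the name at msg[off:], following compression pointers (top two
    bits 11). Returns (name, offset just past the name as written at 'off')."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                         # only the first pointer ends the field
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return (txid, rcode, [(name, ttl, ipv4), ...]) for the A records in a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return txid, flags & 0x000F, answers              # rcode is the low 4 bits of flags


def make_response(query, addresses, ttl=300, rcode=0):
    """Constructed reply (stand-in for a resolver): echoes the question and
    answers with A records whose name is a pointer to offset 12, or returns
    the given rcode with no answers (rcode 2 = SERVFAIL)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        answers += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(parse_response(make_response(q, ["192.0.2.10"])))     # normal answer
    print(parse_response(make_response(q, [], rcode=2)))         # SERVFAIL: no address, no connection
```

The second output is the whole story of the Dyn attack from the client’s side: the site’s servers may be up, but with rcode 2 and an empty answer section the browser has nowhere to connect. To send build_query’s bytes to a real resolver you would wrap them in a UDP datagram to port 53; the parser above handles the reply unchanged.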

History of botnets

A “botnet” (combination of robot and network) is a network of computers infected by malware, which turns them into passive entities that remain listening for future instructions. The person controlling the botnet can then send commands to his army of infected computers, for example asking his robots to send spam or launch distributed denial of service attacks (DDoS). The distributed nature of this architecture makes DDoS attacks difficult to block, since the traffic arrives from thousands of sources rather than from one address that could simply be filtered.

With the miniaturization and ever-decreasing cost of computing devices, more and more objects become “connected”. This creates an ever-growing network of printers, IP cameras and all kinds of objects that are connected to the web. All these devices are ultimately small computers, and like all computers, they are vulnerable to attacks.

Moreover, since few people take the time to configure these connected objects, most of them keep their default passwords, making it even simpler for an attacker to compromise and infect them with malware.

We find ourselves in a situation where many objects connected to the Internet are infected by malware. And these devices, like IP cameras, are constantly on, unlike our computers. During the attack on Dyn, the botnet (Mirai, built largely from such devices) was reported to generate up to 1.2 terabits per second! That is roughly 150 gigabytes of data arriving every second.

Why did this attack hurt so badly?

Denial of service attacks have traditionally targeted servers or websites of companies that are chosen either for activism (or hacktivism) reasons, or for the purpose of extorting money.

The reasons for this attack are not yet known, but what differs from the attacks most of us are familiar with is the target. It was not the sites’ own servers that were targeted, but the authoritative DNS servers operated by Dyn on behalf of those sites.

The servers of Twitter, PayPal and Netflix, for example, were fully functional. But by preventing clients from resolving those sites’ names into the addresses of the servers to connect to, this attack made all these sites inaccessible.

How to defend against these attacks?

DDoS attacks often follow a well-established pattern. A first way to protect oneself therefore is to use systems that will detect the signatures of these attacks. One caveat: detection at your own edge only helps if the attack is small enough to fit through your Internet link. A volumetric attack of the size seen against Dyn has to be absorbed upstream, by your provider or a scrubbing service, before it reaches you.

Another way to prepare is to implement redundancy on servers. By using load balancers, you can intelligently route traffic to multiple servers, improving the system’s resilience to high traffic flows. Since this attack targeted DNS, the same principle applies to name servers: listing authoritative name servers from more than one provider in your domain’s NS records means that an outage at one provider does not take your name offline.

But that’s not all! We also need to guard against infections, to prevent one of our systems from becoming a botnet member. To do this, you must first protect computers with antivirus software.

However, many connected devices are too simple to run an antivirus. It is therefore essential to analyze the traffic entering and leaving your corporate network, both to detect known threats and to spot exploitation of previously unknown (zero-day) vulnerabilities. Outbound traffic matters as much as inbound: an infected device reveals itself by the command-and-control connections it makes and the attack traffic it sends.

It is possible to further minimize the risk of infection of your systems by correlating and monitoring event logs, for example through the continuous network and systems monitoring that ESI Technologies offers as a service.

Finally, remember to keep systems updated, in order to mitigate the risk that known vulnerabilities will be exploited, and use unique and complex passwords, replacing in particular the default credentials on connected devices. Password management software exists to make your life easier.

A specialized information security firm such as ESI Technologies will be able to assist you in analyzing your needs and selecting the most effective and efficient solutions to mitigate the risks of botnet attacks on your systems.

Tommy Koorevaar, Security Advisor – ESI Technologies

What’s the link between coaching youth hockey and managing end users?

In the summer, I enjoy doing volunteer work as a soccer coach for kids and teenagers. I do the same in the winter when hockey season begins. I find it challenging to bring different personalities to work as a group towards achieving common goals as a team. Being a coach doesn’t come without training however. And I remember one trainer commenting on being a coach as he said “if a given player isn’t doing what you asked him to, the first question you need to ask is: did I tell him? The second question is: did the player understand? The third: did I explain it well?” He ended up by saying “if your answer is yes to all three questions, then repeat as often as necessary”.

When I found myself with a client’s network manager talking about how sophisticated phishing campaigns have become, I remembered this wise comment from that coach trainer. This network administrator in particular admitted that even his seasoned team of network managers came close to being caught in one of these sophisticated phishing campaigns. It was a well-designed one using their GoDaddy account. It’s only when someone took the time to check the links that they noticed something fishy. The average user might very well have fallen victim to this. With regards to end users, ask yourself: “if a given user isn’t doing what you asked him to with regards to suspicious emails, the first question you need to ask is: did I tell him? The second question is: did the user understand the potential consequences? Thirdly: did I explain it in terms the average user understands?” I end up by saying “if your answer is yes to all three questions, then keep repeating, as users will forget over time and new users become part of your community”.

Charles Tremblay, Account Manager

Got your head in the cloud? Keep your feet on the ground!

A couple of weeks ago, ESI, in partnership with NetApp, hosted a very special event on cloud computing and the associated data privacy legal issues. The guest speaker for this event was none other than Ms. Sheila FitzPatrick, who is recognized by data protection authorities worldwide as one of the world’s leading experts on data protection legislation and the compliance process.
I had the chance to be briefed on this presentation by peers at ESI, to which some of our clients had been invited, and one thing really hit me in the same way it hit all the participants at this event:
The most important thing to remember with cloud services is that your company and you as a manager of that company will be held accountable for any data privacy issues of the cloud service provider you signed on with.

There you have it. You remain the owner and the person responsible for that data even though you no longer have control over it.


Given that there is no transfer of legal responsibility from you to the cloud provider with regards to data, a long checklist ensued that included questions such as: how does the cloud provider separate my data from other clients’ data? Where is it stored (under which jurisdiction)? How strong is the encryption? How does the data get moved to the cloud provider? Where are my backups located? How secure is the data transfer?… This is only a very small sample of that checklist.
A local presence by a cloud provider doesn’t mean your data is entirely local. Often your backups are sent offshore in another country governed by different laws and in some cases this goes against the legislation to which your company must comply.
In short, cloud technology is much less about technology than it is about legal compliance, SLAs and contract management. Of course, there is still a strong technology component to it. At ESI, together with partners such as NetApp, where Ms. Sheila FitzPatrick works, we can help companies navigate through this to set their cloud strategy in motion with a full understanding of what is at stake, since it all comes down to a question of risk management: what to move into a public cloud, and what to keep in a private one.

Charles Tremblay, ESI Account Manager

A brief review of the Telecom 2015 Event

Many ESI representatives in sales and technology attended the event of April 21 that was intended for the industry. We noticed that a new trend is becoming increasingly predominant among the subjects of the different speakers, namely cloud solutions. Indeed, several presentations focused on the subject; whether with IP telephony solutions, Microsoft Lync or unified communications, participants could attend some very good sessions. ESI was also among the presenters at the event, where we discussed the challenges of securing enterprise data with the increasing usage of mobile devices.

We also noticed that this year, contrary to previous editions, no presentation used the expression “BYOD”, which does not mean the subject was not discussed. Presenters are now instead referring to the concept using the term “mobility”.

Although topics were not identified with the “security” tag, almost all presentations dealt with IT security in the solutions or business cases presented. Security is a must, it is an integral part of all business solutions, and customers and presenters are all aware of it! Convergence, unified communications and hybrid networks were also some of the topics discussed during the 2015 edition of this Telecom Event.

Roger Courchesne, Director – Internetworking & Security Practice

Advisory from Nutanix – Metro Availability Data Protection

Nutanix Engineering has discovered a rare condition that can potentially cause data integrity issues for containers using the Nutanix Metro Availability Data Protection feature for all versions of NOS 4.1 prior to 4.1.2. This condition can occur in environments that have experienced aborted operations during failover instances between Metro Availability sites.

Note: This issue does not affect customers that are using the Nutanix Async DR Data-Protection feature.

If you are using Nutanix, it is important to perform the following check to determine if your cluster is using this feature. In the Prism web console, navigate to Home > Data Protection > Overview, where the “Data Protection Summary” box will display a protection domain count.

  • A value of 1 or greater for “Metro Availability” indicates that the feature is enabled and this field advisory is applicable to your cluster.
  • A value of 0 indicates that you are not using the Metro Availability feature and can safely ignore this Field Advisory.

There is no workaround to this condition. This issue is fixed in NOS 4.1.2. All customers that are using the Metro Availability Data Protection feature MUST upgrade to NOS 4.1.2 to prevent this issue. Nutanix intends to release NOS 4.1.2 on or before April 17th, 5PM PST. Nutanix will send an update to this field advisory if NOS 4.1.2 is delayed beyond this date.

Please contact your ESI representative if you wish to validate with one of our experts.

Data Loss Prevention – a business challenge

Confidential, intellectual and sensitive data are the core of businesses. Some organizations have to comply with regulations governing their data and must find solutions to better manage its usage. Data loss, whether intentional or accidental, can have disastrous impacts and is becoming more frequent with the massive use of email, public storage solutions like Dropbox or even a simple USB key.
Some statistics:
•    64% of business data is lost intentionally
•    50% of employees leave with corporate data
•    35% of data loss is due to negligence
•    29% of data loss is due to system glitches
•    Each lost record costs an average of $200

By implementing a document management policy that rests on protection practices inspired by established standards, and by introducing a proven DLP solution, organizations can block undesirable data transfers, alert users and the organization to the blocked attempts, and ensure data encryption when necessary.
You have obligations: you must protect the confidential data for which you are responsible. And… notify the authorities in case of loss!
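The “block or warn” decision a DLP solution makes on an outgoing message comes down to content inspection with enough validation to keep false positives down. The following is an added example written for this page, not code from any DLP product or from ESI. It scans a constructed email body for payment card numbers and Canadian social insurance numbers, validates each candidate with the Luhn check that both number formats use, masks what it found and applies an assumed policy (cards block the message, SINs only warn). The card number is a published test number and the SIN is the well-known example value; the patterns are simplified (16-digit cards in 4-4-4-4 groups, 15-digit Amex in 4-6-5 groups, SINs in 3-3-3 groups) and a real engine carries many more.

```python
"""Outbound content inspection of the kind a DLP gateway performs.
Added example: policy, patterns and the sample email are all constructed."""
import re

# Assumed policy: the action each kind of finding triggers, and their ranking.
POLICY = {"card": "block", "sin": "warn"}
SEVERITY = {"block": 2, "warn": 1, "allow": 0}

# Simplified patterns (digits may be grouped with spaces or dashes, or not at all).
CARD_RE = re.compile(
    r"\b(?:\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}"      # 16-digit cards, 4-4-4-4
    r"|3[47]\d{2}[ -]?\d{6}[ -]?\d{5})\b"            # 15-digit American Express, 4-6-5
)
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")  # Canadian SIN, 3-3-3


def luhn_ok(digits):
    """Luhn mod-10 check: every second digit from the right is doubled (minus 9
    if that exceeds 9) and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the alert itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _scan(kind, regex, text, findings):
    """Record Luhn-valid matches of one kind and blank them out of the text so a
    later, shorter pattern cannot report part of the same number again."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append((kind, mask(digits)))
            return "X" * len(m.group(0))
        return m.group(0)           # not a valid number: leave it for later scans
    return regex.sub(repl, text)


def inspect(text):
    """Return [(kind, masked_number), ...] for sensitive numbers found in text."""
    findings = []
    text = _scan("card", CARD_RE, text, findings)   # longest, most severe pattern first
    _scan("sin", SIN_RE, text, findings)
    return findings


def decide(text):
    """Apply POLICY to the findings: ('allow' | 'warn' | 'block', findings)."""
    findings = inspect(text)
    action = "allow"
    for kind, _ in findings:
        if SEVERITY[POLICY[kind]] > SEVERITY[action]:
            action = POLICY[kind]
    return action, findings


# Constructed message: one real-looking card (a published test number), one
# invoice number that looks like a card but fails Luhn, one valid example SIN,
# and a ticket number that looks like a SIN but fails Luhn.
SAMPLE_EMAIL = """\
Hi, please charge card 4111 1111 1111 1111 for invoice 1234567890123456.
The new hire's SIN is 046 454 286; support ticket 123 456 789 is still open.
"""

if __name__ == "__main__":
    print(decide(SAMPLE_EMAIL))
```

On the sample the result is ("block", [("card", "************1111"), ("sin", "*****4286")]): the invoice and ticket numbers fail the Luhn check and are ignored, which is the difference between a usable DLP rule and one that users learn to click through. The same inspect function would sit behind a mail gateway, a web proxy for uploads to services like Dropbox, or an endpoint agent watching removable media, the three channels the post lists.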

Roger Courchesne, Director – Internetworking & Security practice

Is ransomware a myth?


A couple of weeks ago I was enjoying a business breakfast with a client when things turned bad for him. It seems it was a bad omen to talk about the challenges he was facing with regards to I.T. security, since as we were talking, he received a text message from his staff informing him that they were hit with “CryptoLocker”. CryptoLocker encrypts a victim’s documents and demands a ransom for the decryption key, usually paid in Bitcoins. In its Internet Security Threat Report 2014, Symantec “…noticed a significant upsurge in the number of ransomware attacks during 2013. During January Symantec stopped over 100,000 infection attempts. By December that number had risen more than six-fold.”
Not only is it not a myth, it has become so widespread that according to the same report, “attackers have concluded that US$100 to $400 is the optimum ransom amount, and they will move to adjust their demand to avoid pricing themselves out of the market”, and so my client was asked for a $500 ransom. Luckily for him he chose not to pay and opted for backups and cleanups, as our friends from Sourcefire have let us know that once you pay, you are put on a list of people who are nice enough to pay the ransom, and therefore become subject to further attacks.
Even though ransomware does not make up a huge percentage of overall threats, it is not a myth, as my personal experience shows; and despite working for a company that has the expertise to help with the cleanup operations, it is not in such circumstances that I enjoy being introduced to new clients.

Charles Tremblay, ESI Account manager