Anti-Virus – Cisco AMP

February 16, 2016

Why traditional antivirus isn’t enough anymore—and how to think beyond it.

In 2013, Chinese hackers conducted a four-month cyberattack on the New York Times. Despite having an antivirus system on its network, the newspaper missed 44 out of the 45 pieces of custom malware installed by the attackers.

http://money.cnn.com/2013/01/31/technology/security/antivirus/

Here we are in 2016, and the incidents of security breaches are steadily on the rise for companies and organizations large and small. CNN Money estimates that nearly 1 million new malware are issued every day, and cybercriminals are becoming more sophisticated and cagier than ever. http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/

What was true three years ago is even truer today: While antivirus technology is still an important basic precaution, it’s just that—basic protection. It’s simply not sufficient to prevent hackers from infiltrating your network.

So what exactly are the limitations?

Traditional antivirus technology, which consists of a firewall, file scanner and removal tools, is designed for blacklisting—identifying bad files and known malware and stopping them. However, this technology is not designed to address the customized malware that accounts for most data breaches nowadays. Sophisticated hackers, like those that infiltrated the New York Times network, wrote new exploit code that no antivirus product had seen before.

Social media and cloud complicate security matters.

Even if antivirus software could detect and deter every virus, individuals and companies still would remain vulnerable to the growing number of attacks targeting social media accounts, cloud services and mobile devices. These attacks often involve cybercriminals hijacking a social media profile in order to send out spam advertisements or links to dangerous websites—and the actions are often carried out entirely on a web browser, not by viruses installed on a computer. With cloud computing, the data stored in the cloud resides outside the protection of a company’s antivirus software.

When an attack happens, you need to be ready.

If you’re concerned about the growing incidence of cybercrime and the security of your IT infrastructure, you should strongly consider advanced malware protection (AMP) like the solutions offered by Cisco.

Built on a wealth of real-time threat intelligence and dynamic malware analytics, Cisco AMP is designed to protect your IT infrastructure (Windows operating systems, Macs, Linux, mobile devices and virtual environments) at all times—before, during and after an attack.

  • Before an attack, Cisco AMP uses the best global threat intelligence to strengthen your defenses.
  • During an attack, AMP uses this threat intelligence and file analysis technology to block malware that’s trying to infiltrate your IT environment.
  • After an attack, AMP monitors all files and network activity to catch malware that may have evaded initial detection and provides the visibility and control to rapidly remediate it.

Cisco AMP is reactive and proactive.

It not only prevents security breaches from happening, but it also rapidly detects, contains and remediates threats if they evade front-line defenses—cost effectively and without interfering with the efficiency of your operation.

Thanks to ongoing intelligence 24/7, Cisco AMP gives you the benefit of 1.1 million incoming malware samples per day from 1.6 million global sensors. These samples are analyzed against more than 400 behavioral indicators to help the Cisco security team prioritize responses. So you have experts working behind the scenes to help ensure the security of your IT infrastructure.

Ready to take the next step?

If this sounds like the kind of cyber protection you’re looking for, let’s talk. As the old adage goes, an ounce of prevention is worth a pound of cure.


Next Dimension Security Advisory – Cryptolocker Malware Family

November 19, 2015

As an IT Managed Services Provider, Next Dimension is constantly keeping monitoring our client’s systems, and we’ve seen a resurgence of the Cryptolocker family of malware lately.

This family of malware silently encrypts your business’s digital data, rendering your files useless to you unless you pay up or can recover from Backup or DR Systems.

How does it work?

In a nutshell, a typical Cryptolocker attack follows five key steps:

Infection

Whether by malicious web content, or more generally through an email attachment, or even infected media such as a USB stick, the Cryptolocker software silently installs on a client computer.

Defensive Tools: Endpoint/Server Security, Web and Email Filter, User Education.

“Phone-Home”

The nefarious software silently checks in with a Command and Control center to receive current ‘instructions’ and register itself.

Defensive Tools: Stateful Network Inspection (“Next-Gen” Firewall or equivalent), Firewall Rules, Block known bad IP ranges.

Synchronization and Crypto Key Generation

Now that the rogue agent software is in your systems, it generates cryptographic keys – one stored on your system, the other with the command and control center.  Without both keys, decryption of your data is essentially impossible.

Defensive Tools: Endpoint/Server Security, Process Monitoring, File-level monitoring.

Encryption of your Data

When the keys are generated and exchanged, the malware quietly begins encrypting your files – almost any type of file is susceptible – without any outward sign of activity.  These files – Excel files, Word files, JPGs, your critical business data – become useless to you.

Defensive Tools: Endpoint/Server Security, Process Monitoring, File-level monitoring.

Notification / Extortion

After a programmed period of time, or amount of data encrypted, the malware will deliver a pop-up prompt notifying you of the infection and demanding payment (always digital, usually via BitCoin) as ‘ransom’ to decrypt your files.  There is no known alternative to decrypt the files once they’ve been scrambled, short of restoring from backup.

Defensive Tools: Backup / Restore / DR Strategy, Payment.

Next Dimension has helped many clients in their recovery from a Cryptolocker attack, and we’re also experts on laying down the multiple layers of defense that can help to keep Cryptolocker and other infections at bay.  With the right preparation, getting back up and running can be a minor inconvenience resolved by a restore from backup and some infection cleanup, rather than a costly business interruption.  The key is early preparation.

Common Infection Vectors

For all the damage it causes, Cryptolocker follows some fairly typical routes to make its way into your systems.  The most common attack path is via email attachment, often with double extensions (i.e. Filename.PDF.EXE) which may fool some users.

Risk Reduction / Remediation Strategies
Following are some guidelines on ways we can assist you to lock down your network and systems.

User Education

The primary course of action to protect against Cryptolocker and other threats is also the most effective one.  The best bang-for-your-buck return of any security effort comes from educating your users about suspicious email messages, avoiding attachments where not 100% sure of origin, and involving helpdesk / IT resources early and often.  Such communication needs to happen regularly, to keep users aware of typical threats that are circulating.

That communication should work both ways – your users need to know who to contact when they have IT questions.  So often, we measure IT Support efficiency by minimizing support tickets, but isn’t it worth it to spend 5 minutes with an end user to avoid a potential costly, prolonged business interruption?

Block attachments in email

While it may not be practical for all businesses, an email attachment can’t attack your business if it doesn’t arrive in a user’s mailbox.  With most modern email platforms, it’s easy to configure the mail servers to drop attachments entirely.  Consider an alternate method of file delivery, if necessary: cloud-synced file repositories, web-based file exchange systems, etc.

Backups

On a long enough time frame, every business suffers a catastrophe.  What will you do to recover?  A regularly reviewed, tested and redundant backup is the insurance policy to provide your business the continuity it needs to weather the storm.  Have a plan in place for file-level restores as well as organizational reconstruction (“bare-metal” recovery).   Recovery Point Objectives (RPOs) for your backups must be sufficiently long for your backups to extend back far enough to restore unencrypted files – your system may continue happily backing up encrypted data with you none the wiser.

We’ve assisted many businesses with Cryptolocker recovery, and a proper backup is the only alternative to ransom payments to get your files back.  The right backup strategy should be application-aware, block-level, with an off-site copy of the data

Web filter, Email Filter

Whether it be a physical appliance in your environment, a virtual appliance on your hypervisor, or a cloud-based service, you have a wealth of options to scan Web and Email traffic in real time.  The best solutions will continually update on known bad IP addresses, attachment types, virus definitions, etc.

Double Filtering

While any filtering is better than none, no system will catch 100% of security threats – particularly in this time of “0-day” threats, where security vendors and criminal actors are caught in a back and forth race trying to defeat each other’s newest tech.  For this reason, it can make sense to deploy multiple inline filters, to maximize your chances of catching any particular malware.

Multiple file servers (Restrictive File Security)

Containerizing (or ‘silo-ing’) your business data and strictly controlling who has access to it can help to mitigate the spread of Cryptolocker or similar malware.   Consider reviewing your users, groups, and security policies and potentially even segregating data between file servers.

Archiving

It may make sense (for completed projects, or past years’ data) to take data offline.  If you’re keeping gigabytes of old projects or financials around just to have them, consider moving them to offline storage or cloud storage – they’ll still be accessible, but safe from issues that may threaten your primary storage.

Hot Standby

In any disaster, you want your business to be fully functioning again as soon as possible.  Next Dimension can show you how to take your Backup strategy to the next level, leveraging Hot Standby servers that are ready to swap in for compromised servers.  Reduce your RTO (Recovery Time Objective) significantly by immediately restoring data to a swapped-in Hot Standby server, rather than a complete rebuild.

Remember the 4 Qs

Quick – An security event can go from 0-60 very quickly.  Your IT staff (or better, automated systems) need to be vigilant and ready to respond quickly.  Have response processes laid out before they’re needed – you want to know how to use the fire hose *before* the building’s on fire, as they say.

Quiet – Cryptolocker (and many other malware actors) can fly under the radar until it’s too late.  Set up automated processes to review event logs, file system changes, unexpected processes, or other key indicators of a compromise.  Keep your staff educated – and not just the IT staff.

Quarantine – Respond immediately to the issue – protect remaining unencrypted data, start planning backup/restore processes, and determine the extent of the compromise – how many client computers, how many network shares, etc.   Mapped network drives (i.e. “H:” for \\COMPANY\Data) are a favourite target for the Crypto family.

Quash – Root out the malware processes, clean infected client computers, stand up new servers where necessary, and restore data from backup.  Perhaps more importantly, learn and improve security processes to keep yourself safe in the future.


Disaster Recovery and Business Continuity

June 1, 2015

Did you know that 46% of businesses who experience a fire, flood or other type of major disaster will never re-open? That’s quite a sobering thought: the odds of your business recovering from a major event like this are essentially 1 in 2. The real tragedy here is that most of the companies who didn’t make it through a crisis could have survived with the right planning and preparation.

We have good backups. Isn’t that sufficient?

By far the most common disaster scenario is equipment failure, so having good backups of your critical applications and data is certainly an important first step. Unfortunately, backups alone won’t help much if the equipment that runs your applications is destroyed or inaccessible. How long will it take to provision replacement equipment, and what happens to your business in the meantime? Furthermore, if backups are stored in the same area as your production systems, as opposed to a safe off-site location, there’s a significant risk of losing these, too.

People, Process and Infrastructure

Most businesses carry insurance to cover losses related to building and equipment damage, but many fail to plan for the operational challenges of getting things back up and running after the dust has settled. A solid disaster recovery and business continuity plan needs to re-align your people, processes and infrastructure quickly after an incident. The specific steps required to make this happen will vary considerably and depend on many different factors, including the kind of business you’re in and the types of risks you are likely to face. Ask yourself the following questions:

  • How will we continue to deliver goods and/or services to our customers?
  • How will we replace damaged inventory or production equipment?
  • How will we get financial and other supporting systems back up and running?
  • How will we make payroll in a timely fashion?
  • What steps will be required to re-establish communications (phones, email)?
  • What are the people and infrastructure dependencies for critical business processes?
  • How will we cope with the possibility that some of our staff may be unable or unwilling to perform their duties?

When is a plan not a plan?

In order for any disaster recovery and business continuity plan to be effective, it needs to be battle ready. This means ensuring that your team is aware of the plan itself, and where to find it in an emergency. It also means reviewing the plan on a regular basis (annually, at a minimum) and readjusting various components to reflect any changes in your people, processes or infrastructure.

The Right Plan

A disaster recovery and business continuity plan can be very simple, or extremely complex. Right-sizing a plan for your organization requires a thorough analysis of the risks, and the potential costs associated with their manifestation. Some risks might be safe to ignore altogether. Others may be too costly to mitigate entirely, requiring some middle ground. With the right planning and preparation, you can ensure that your business doesn’t become another statistic.

This article was originally submitted to the Windsor Essex Chamber of Commerce Newsletter by Adam Davis who is the President and CEO of Next Dimension, a Windsor Ontario based IT Services Organization with offices in Windsor, London, and Waterloo.


Bring Your Own Device

December 31, 2014

BYOD or “Bring Your Own Device” refers to the trend where organizations allow their employees to use personal mobile devices at work and allow those devices to connect to corporate networks and resources.

There are Advantages and Disadvantages to it, and most organizations even without an official BYOD policy are already seeing both, even if they are not aware of it.

The advantages of BYOD is that your user community gets to use the device they are most comfortable with, which generally means they are going to use the device more often which generally leads to more productive workers often doing more work after hours..  It can also mean some cost savings for organizations who don’t have to purchase the devices any longer, but often these costs are outweighed by other costs.

The disadvantages of BYOD is that organizations now have to manage these devices, and monitor what users have access to, and be able to eliminate that access should that device become lost or an employee leaves the organization..  This is where most organizations struggle, they don’t have the monitoring tools in place to monitor how these devices are being used when they are on the corporate network, nor do they have the ability to protect these devices when they are outside the corporate network from being compromised.  These devices often still have access to sensitive corporate information or contain that same information.

Recommendations – Every organization should have a corporate policy on BYOD, including an Acceptable Use Policy so that employee’s understand what they are allowed to do when connected to the corporate network.  Every organization should also be looking at tools to assist your IT Department in managing these devices, giving them the ability to remotely lock these devices, remotely wipe these devices, or in some cases alert the organization when corporate information is sent outside of the corporate network.

It’s also something that younger employees are looking for when they are looking at new employer’s, it’s amazing how this has a pretty big impact on their decision, some people just can’t live without their Apple IOS device, or me personally by Blackberry.

Next Dimension is a leading IT Services Company with offices in Windsor, London and Waterloo, Adam Davis who submitted this article originally for the Chamber of Commerce Newsletter in 2014 is the President, and currently a member of the Chamber’s Board of Directors.


Is it time to check your IT Alignment?