24 Apr 2014

How many licks does it take to get to your data

Is your network protected?

When I talk to many of our prospects, and even some of our existing clients, about security, most of them think they have protected their networks completely.

They have installed and even updated their desktop AV, they have a firewall at the network perimeter, and they even run their Windows updates. They feel safe because they are being 'pro-active' with patching and endpoint security, and their firewall is keeping all the bad things on the internet out. The truth is that they are not safe. Basic patching and endpoint protection behind a standard perimeter firewall no longer offer the protection required. Security holes exist in every software application; some of the latest threats exploit Adobe Flash and Java, software that exists on every corporate network and in many cases is required to do business. Not only is the focus of attacks moving away from the OS, but the number of zero-day attacks is increasing and they spread across the internet faster than ever.

Most of these exploits are used as footholds to inject other malicious software onto the machine, and in most cases the goal is to extract information. At the end of 2013 a wave of CryptoLocker attacks generated an estimated $27M for the attackers, who made those millions by holding personal and corporate data hostage and forcing people to pay to get it back. A single unpatched or infected machine on your network could turn all your corporate data into useless ones and zeroes, hopelessly encrypted and inaccessible unless you paid the ransom, which many people did. The success of these attackers has only emboldened others to come up with new ways to infect and disrupt corporate and personal machines.

How many licks does it take to get to the center?

Using a layered security model is a best practice. I like to use the Tootsie Pop as an analogy for this model because it immediately brings to mind the commercial: "how many licks does it take to get to the center of a Tootsie Pop?" This is how businesses have to think about security too: create multiple layers of security to protect corporate data and make an attacker work through each one. Layers can be added at the corporate firewall, at the endpoints (mobile devices and workstations), on the servers, and even in the physical network. The corporate firewall is one of the easiest and best places to add a layer, because it is the chokepoint for traffic entering and leaving the corporate network and so a natural spot to filter and block. Most firewalls today support add-on services that scan traffic for viruses, malware, spyware and known attacks. SonicWALL calls these services UTM (Unified Threat Management); they use packet scanning to identify threats at the gateway as traffic passes through the firewall. SonicWALL bundles them into its Comprehensive Gateway Security Suite (CGSS) as a yearly subscription.

How does an extra service like CGSS create a new protective layer?

Take the recent Heartbleed flaw: SonicWALL released a new signature the day it was announced that detected and blocked the malformed heartbeat requests an attacker sends to exploit it. This means that even while your server or application was still vulnerable, SonicWALL Intrusion Prevention Services could block the traffic and prevent the attack, buying time to patch (the server still needs the patch, since the signature only covers traffic that crosses the firewall). Another example is the Crypto viruses and their variants: before they can encrypt anything, they have to reach a server run by the attackers to fetch the key they encrypt the data with. Even if the virus slips past the desktop anti-virus and infects the machine, a packet scanning service like SonicWALL IPS can block that connection, so the virus never completes the process and is essentially neutralized. Using the network chokepoint to scan for and block attacks as they enter and leave the company adds a checkpoint that augments the basic protection a desktop anti-virus offers. These services are updated and maintained automatically by the manufacturer, so the intervention required is minimal.

Adding this service layer at the firewall is by no means the only spot where additional protective layers can be added, but it is probably the easiest and most cost-effective. I always recommend to our clients that they add these services; some agree and others don't, but the clients that do have the services active have seen the benefits.

So I ask you this question. How many licks does it take?

15 Apr 2014

Electronic security and passwords

With the boom in e-commerce over the last few years, the demands placed on the security of personal information have grown as well. In all honesty, the security of our personal information depends on the expertise of others.

A discouraging study by Dashlane, conducted in the United Kingdom and the United States, on the password security of e-commerce sites.

In a study of around a hundred popular e-commerce sites, Dashlane looked at 24 different criteria: whether the site rejects simple passwords, blocks login attempts after a certain number of incorrect logins, or displays the strength of the chosen password to give immediate feedback on how secure it is.


According to Dashlane, about 62% of the sites surveyed do not require users to choose a password containing both letters and digits, and 73% allow passwords of fewer than six characters, which makes identity thieves' work easier.

Feeding a list of generated or guessed passwords to the login form and trying them until one works (brute-force and dictionary attacks) is still the method attackers use most. E-commerce sites therefore have to limit failed login attempts. Dashlane found that several major sites, including Amazon and Dell, still accept login attempts after 10 failures. Best Buy, Macy's, Williams-Sonoma, HSN, LL Bean, Toys R Us, Overstock.com and Vistaprint rounded out the top 10 retailers that did not lock accounts after four incorrect passwords.

In addition, eight sites, including Toys R Us, J Crew and 1-800-Flowers, send passwords in clear text by email. A site that can email you your existing password is keeping it in a recoverable form (plaintext or reversible encryption) rather than as a salted hash, so a breach of its database exposes every password directly; at a minimum, the password travels through mail servers unprotected.


Easy-to-remember password or better protection of your identity?

We are often tempted to pick simple passwords so they are easier to remember. But sites that do not stop users from choosing commonly used passwords are doing them no favours. The majority (55%) of sites accept absurdly weak passwords such as "123456", "111111" and "password". About 70% of sites let users choose "abc123" as a password.

For account security, it is important to combine several elements. Mixing upper- and lower-case letters with special symbols and digits, and above all using a longer password, greatly increases the strength of a password. Several websites can generate highly secure, hard-to-guess passwords, such as Norton's or the Strong Password Generator.

What do the specialists say?

Computer security specialists recommend locking accounts after four incorrect login attempts (a temporary lockout or a growing delay between attempts, rather than a permanent lock, so that an attacker cannot lock legitimate users out of their own accounts), adopting minimum password rules, and offering suggestions to help users choose better passwords.
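To make those recommendations concrete, here is an added Python example written for this page (it is not code from Dashlane or from any of the retailers named above). It shows a registration and login routine that enforces a minimum length and character mix, rejects the common passwords the study lists, stores only a salted PBKDF2 hash rather than the password itself (the opposite of the clear-text handling described above), and temporarily locks an account after four failed attempts. The eight-character minimum, the fifteen-minute lockout, the iteration count and the tiny blocklist are assumptions chosen for the example, and the clock is injectable so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 8              # assumption: the study's cutoff was six; eight is a more defensible floor
MIN_CLASSES = 3             # assumption: at least three of lower / upper / digit / symbol
MAX_FAILURES = 4            # lock after four wrong passwords, as the specialists recommend
LOCKOUT_SECONDS = 15 * 60   # assumption: temporary lockout, not a permanent one
PBKDF2_ITERATIONS = 100_000  # assumption: tune upward on real hardware
SALT_BYTES = 16

# Constructed sample of a common-password blocklist; a real deployment loads a large list.
COMMON_PASSWORDS = {"123456", "111111", "password", "abc123", "qwerty", "letmein", "iloveyou"}


def check_policy(password):
    """Return the list of policy violations (an empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)
    if classes < MIN_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CLASSES)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || digest, never the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(stored, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Verified for unknown usernames so response time does not reveal which accounts exist.
_DUMMY_HASH = hash_password("not-a-real-password")


class AccountStore:
    """In-memory account store with per-account failure counting and temporary lockout."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock, so tests can advance time
        self.accounts = {}

    def register(self, username, password):
        problems = check_policy(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        self.accounts[username] = {"hash": hash_password(password),
                                   "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return "ok", "locked" or "invalid"; unknown users get "invalid", same as a wrong password."""
        account = self.accounts.get(username)
        if account is None:
            verify_password(_DUMMY_HASH, password)   # burn the same time as a real check
            return "invalid"
        if self.now() < account["locked_until"]:
            return "locked"
        if verify_password(account["hash"], password):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        if account["failures"] >= MAX_FAILURES:
            account["failures"] = 0
            account["locked_until"] = self.now() + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Correct-Horse-9")
    for attempt in ("wrong", "wrong", "wrong", "wrong", "Correct-Horse-9"):
        print(attempt, "->", store.login("alice", attempt))
```

The lockout is per account and expires on its own, which is what keeps a flood of bad guesses from turning into a denial of service against the account's owner; the unknown-user branch still runs a hash so that timing does not leak which usernames exist.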

That is all well and good, but what about the proliferation of complex passwords, and the passwords we use at the office to protect our corporate data?
Systems such as two-factor authentication and single sign-on tools with built-in encryption obviously exist, but they have to be known and used.

BANG can help you find a solution suited to your company's security needs. With the CONTINUIT®, SIMPLICIT® or PRODUCTIVIT solutions, our specialists can offer a solution that fits your budget and meets your needs.

Does this study make you want to learn more about IT security?

Have you experienced something similar?

Share your experiences with us in the comments section.

Follow us @IndustriesBANG on Twitter for the latest industry news.

Already a Bang client? Do you appreciate our services? You can recommend them to your friends and partners via LinkedIn.

Sources: https://www.dashlane.com/blog/, http://securitywatch.pcmag.com/apps-and-websites/320073-apple-com-tops-password-security-toys-r-us-amazon-walmart-among-the-wors
11 Apr 2014

The Achilles’ heel of OpenSSL

A hot topic these days is the Heartbleed bug, which could potentially be a gateway to leaking massive amounts of personal information. Since the beginning of the week, big players like Yahoo, the Canada Revenue Agency and Dell have been shutting down parts of their websites to let their teams apply the required security patches.

Two years ago a programming flaw was introduced into OpenSSL (it shipped with the 1.0.1 release), and since so many websites rely on OpenSSL for their TLS, it has exposed a much larger segment than usual.

The flaw is in OpenSSL's implementation of the TLS Heartbeat extension (RFC 6520), not in the SSL/TLS protocol itself. A heartbeat request carries a payload and a field declaring the payload's length; vulnerable versions copied the declared number of bytes back to the requester without checking it against the size actually received, so each request can return up to 64 KB of the server's process memory. That memory holds whatever the server was handling at the time: usernames, passwords, addresses, credit card numbers, session cookies, all of it normally protected by the encryption. Nothing has to be decrypted; the attacker reads it directly. More importantly, since the server's private key can be exposed,

Any protection given by the encryption and the signatures in the X.509 certificate can be bypassed

and an attacker holding the key can impersonate the server and decrypt captured traffic from any session that used RSA key exchange (sessions negotiated with ephemeral Diffie-Hellman, i.e. forward secrecy, cannot be decrypted from the key alone). Unfortunately, even with all the security patches applied, traffic the attacker recorded in the past stays exposed, which is why patching must be followed by revoking the certificate and reissuing it with a newly generated key.

According to heartbleed.com, given that OpenSSL is the most popular open source cryptographic library, a large majority of sites on the web have used it: social sites, company sites, e-commerce sites, hobby sites, software download sites, and even sites run by governments are running the vulnerable OpenSSL. Email servers (SMTP, POP and IMAP), chat servers (XMPP), VPN appliances (SSL-VPN), firewall and network appliances, and a wide variety of client-side software also rely on OpenSSL; a vulnerable client can be bled by a malicious server in exactly the same way.

Fortunately, it can be fixed: the OpenSSL team has already released a fixed version, and it is important to note that not all versions of OpenSSL are vulnerable. Versions 1.0.1 through 1.0.1f are affected; 1.0.1g and the 0.9.8 and 1.0.0 branches are not. Check whether your version is affected on heartbleed.com and with the openssl version command on the server (bearing in mind that some Linux distributions backport the fix without changing the version string, so compare the package version against your distribution's advisory), then patch or update your systems, restart every service that links the library, and reissue your certificates.

Some firewall vendors, like Dell SonicWALL, can protect vulnerable servers with built-in scanning signatures. Dell SonicWALL appliances with active Intrusion Prevention Services have protected devices and servers behind the firewall since April 8th, when Dell SonicWALL released a signature update for the service. The signature catches the malformed heartbeat request as it crosses the firewall; it does not fix the server and cannot see traffic that reaches the server by another path, so it buys time rather than replacing the patch.
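The check an intrusion-prevention signature applies to a heartbeat record is small enough to show. The following Python is an added example written for this page, not SonicWALL's signature and not OpenSSL's code. It builds TLS heartbeat records (one well-formed, one shaped like the probe that the SonicWALL signature mentioned in the "How many licks" post and in this post is meant to catch) and applies the bounds check that OpenSSL 1.0.1g added. It works on plaintext heartbeat records, which is how the common exploit sends them before the handshake completes; once a session is encrypted, a middlebox sees only the outer record header. The record layout follows RFC 6520, and the sample payloads are constructed.

```python
import struct

# TLS record content type for the Heartbeat extension (RFC 6520) and its message types.
TLS_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16           # RFC 6520: at least 16 bytes of padding follow the payload
TLS_RECORD_HEADER = 5      # content type (1) + version (2) + record length (2)
HB_HEADER = 3              # message type (1) + declared payload length (2)


def build_heartbeat(declared_len, payload, padding=b"\x00" * MIN_PADDING, version=(3, 1)):
    """Build one TLS heartbeat request record.

    A well-behaved client sets declared_len == len(payload). A Heartbleed probe
    sends a tiny (or empty) payload but declares a length up to 0xFFFF; a
    vulnerable server copies that many bytes from its own memory into the reply.
    """
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding
    header = struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body))
    return header + body


def inspect_record(record):
    """Apply the bounds check that OpenSSL 1.0.1 through 1.0.1f omitted.

    Returns a dict with "verdict" in {"ignore", "ok", "drop"}, a "reason", and
    "leak": the number of bytes a vulnerable server would return beyond the real
    payload (0 unless the record is over-declared). "drop" is what an IPS
    signature matches on.
    """
    result = {"verdict": "drop", "reason": "", "declared": None, "actual": None, "leak": 0}
    if len(record) < TLS_RECORD_HEADER:
        result["reason"] = "truncated TLS record header"
        return result
    content_type, _major, _minor, record_len = struct.unpack("!BBBH", record[:TLS_RECORD_HEADER])
    if content_type != TLS_HEARTBEAT:
        result.update(verdict="ignore", reason="content type %d is not heartbeat" % content_type)
        return result
    body = record[TLS_RECORD_HEADER:TLS_RECORD_HEADER + record_len]
    if len(body) != record_len:
        result["reason"] = "record body shorter than its header claims"
        return result
    # First check from 1.0.1g: the record must at least hold type, length and padding.
    if record_len < HB_HEADER + MIN_PADDING:
        result["reason"] = "heartbeat too short to hold the mandatory padding"
        return result
    hb_type, declared_len = struct.unpack("!BH", body[:HB_HEADER])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        result["reason"] = "unknown heartbeat message type %d" % hb_type
        return result
    actual_len = record_len - HB_HEADER - MIN_PADDING
    result.update(declared=declared_len, actual=actual_len)
    # Second check from 1.0.1g: 1 + 2 + payload + 16 must not exceed the record length,
    # otherwise the message is silently discarded (RFC 6520 section 4).
    if HB_HEADER + declared_len + MIN_PADDING > record_len:
        result["leak"] = declared_len - actual_len
        result["reason"] = ("declares %d payload bytes but carries %d; a vulnerable "
                            "server would leak %d bytes" % (declared_len, actual_len, result["leak"]))
        return result
    result.update(verdict="ok", reason="declared payload fits inside the record")
    return result


if __name__ == "__main__":
    benign = build_heartbeat(4, b"ping")                  # constructed: honest request
    probe = build_heartbeat(0xFFFF, b"")                  # constructed: classic 64 KB over-read
    for name, rec in (("benign", benign), ("probe", probe)):
        verdict = inspect_record(rec)
        print(name, verdict["verdict"], verdict["reason"])
```

A packet-scanning engine only has to do this arithmetic on the first few bytes of the record; the well-formed request passes, while anything whose declared payload does not fit inside the record it arrived in is dropped before the server's memory is ever touched.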

Also, check which popular sites have already patched the Heartbleed bug and change your credentials there. Wait until a site has patched and reissued its certificate before changing your password; a new password entered on a still-vulnerable site can be leaked just like the old one.

References:

The New York Times
Heartbleed (heartbleed.com)
CNET

09 Apr 2014

Microsoft Silver Hosting Competency

For Release, April 9th, 2014

BANG Achieves Microsoft Silver Hosting Competency

BANG earns distinction through demonstrated technology success and customer commitment.

Competency Press Release Announcement

LAVAL, Québec, Canada, March 15th, 2014: BANG today announced it has achieved the Silver Hosting Competency, demonstrating its ability to meet Microsoft customers' evolving needs in today's dynamic business environment. To earn a Microsoft silver competency, partners must demonstrate expertise through exams and certifications, and, to ensure the quality of services, Microsoft requires customer references of successful implementations to the customer's satisfaction.

BANG is a managed services provider offering a wide range of professional services from basic installation and setup of your equipment to the complete design of your internal and external IT infrastructure. Specializing in VMware and virtualization services, BANG offers customized cloud-based solutions for the small-medium business market.

“This Microsoft Silver Hosting competency showcases our expertise in today’s technology market and demonstrates our knowledge of Microsoft and its products,” said Robert Helie, president at BANG. “Our plan is to accelerate our customers’ success by serving as technology advisors for their business needs. We believe the BANG community is governed by our strong reputation. This is the primary asset of any business. We have gained our reputation by not only serving our customers but by bringing something else to our clients – solid corporate values.”

“By achieving a silver competency, organizations have proven their expertise in specific technology areas, placing them among the top 5 percent of Microsoft partners worldwide,” said Phil Sorgen, corporate vice president, Worldwide Partner Group at Microsoft Corp. “When customers look for an IT partner to meet their business challenges, choosing a company that has attained Microsoft competencies is a smart move. These are highly qualified professionals with access to Microsoft technical support and product teams.”

Microsoft Silver Hosting Competency

The Microsoft Partner Network helps partners strengthen their capabilities to showcase leadership in the marketplace on the latest technology, to better serve customers and to easily connect with one of the most active, diverse networks in the world.

For more information, press only:

Robert HELIE, Bang, (514) 949-2336, robert@bang.ca

Shane MONTY, Bang, (514) 949-2336, shane@bang.ca

© 2016 Industries Bang Inc. All rights reserved.
