The best data protection advice you’re not taking – Part 3.

Why your corporate data protection should start in the DMZ.

By David Hone, Security Specialist, Netutils

Views expressed in this post are original thoughts posted by David Hone. These views are his own and in no way do they represent the views of the company.

As I said in part one of this three-part blogging series, there’s a lot of data out there being created and shared, and amongst all that data are huge volumes of valuable personal and corporate information. By valuable I mean hackers want to nick it, sell it and exploit it.

Also, the potential cost to your company of a data breach should not be underestimated. The Ponemon Institute’s 2014 report shows that the risk and cost of data breaches continue to grow: the average cost of a corporate data breach is estimated at $3.5 million, 15% more than in 2013.

Part 3 of this blogging series looks at ways to protect company data in transit and at rest, and attempts to answer why your corporate data protection should start in the DMZ.

When asked how they currently share data with contractors and suppliers, most companies describe using email or, if the files are too large for email, placing them on an SFTP server, most often located in their DMZ. This diagram illustrates the process where a Company A employee shares a document with a Company B employee:

[Diagram: a Company A employee sharing a document with a Company B employee via the SFTP servers in the two companies’ DMZs]

A number of security controls can be applied to this method of transfer, such as using SFTP and locking down access based on the source IP, but the fact remains that documents can lie at rest in two DMZs, and more often than not there are no policies or procedures covering how long they reside there, whether they are ever deleted, or whether they are encrypted while held in the DMZ. Files lingering in the DMZ pose a security risk: the DMZ is often the first place attackers look in order to collect the additional information they need to launch the next phase of an attack. The DMZ is, by design, open to incoming service traffic, and any open service port is potentially a route in.

How to limit data leakage from the DMZ

Removing the risk of data leakage from the DMZ requires a new focus on how your organisation shares data with trusted suppliers and customers. There are, however, some issues to work through:

  1. Individuals or organisations outside your company or domain cannot normally share data with you directly, because your network does not trust them.
  2. There are many data sources within an organisation and many ways in which that data is moved and accessed by trusted suppliers and customers.
  3. Managing the availability of data to customers and suppliers. All too often data is placed on an SFTP server in the DMZ with no managed policies around it: nothing stipulates how it is accessed, how it is secured, who has access rights to it or how long it remains available, and once the data reaches the endpoint there is no control over how the document is distributed, copied or managed.
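As an added illustration of the missing retention policy in point 3 (example code written for this page, not Netutils’ or Safe-T’s), the script below inventories a DMZ SFTP landing directory and flags, or in enforce mode removes, anything that has lain there longer than the retention window. The directory layout, file names and clock value are constructed for the example.

```python
"""Retention audit for an SFTP drop zone in the DMZ (constructed example)."""
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def audit_drop_zone(root, max_age_days, now=None, enforce=False):
    """Return one (relative path, age in days, action) record per file.

    action is 'keep' inside the retention window, 'expired' outside it,
    or 'deleted' when enforce=True removed the stale file.
    """
    now = time.time() if now is None else now
    root = Path(root)
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        age_days = (now - path.stat().st_mtime) / DAY
        if age_days <= max_age_days:
            action = "keep"
        elif enforce:
            path.unlink()  # a stale document must not keep lying at rest in the DMZ
            action = "deleted"
        else:
            action = "expired"
        records.append((str(path.relative_to(root)), round(age_days, 1), action))
    return records


def demo():
    """Build a constructed drop zone: one stale upload, one fresh one."""
    now = 1_700_000_000  # fixed clock so the result is repeatable
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "supplierB").mkdir()
        stale = root / "supplierB" / "contract_2023.pdf"
        fresh = root / "invoice_today.csv"
        stale.write_bytes(b"constructed sample")
        fresh.write_bytes(b"constructed sample")
        os.utime(stale, (now - 45 * DAY, now - 45 * DAY))  # 45 days old
        os.utime(fresh, (now - 2 * DAY, now - 2 * DAY))    # 2 days old
        report = audit_drop_zone(root, max_age_days=30, now=now)  # report only
        audit_drop_zone(root, max_age_days=30, now=now, enforce=True)
        remaining = sorted(p.name for p in root.rglob("*") if p.is_file())
    return report, remaining


if __name__ == "__main__":
    for record in demo()[0]:
        print(record)
```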

One approach to this dilemma would be to remove the DMZ completely. That sounds radical, as it means that, for all its faults, you have removed your first line of defence against attacks on your internal network. If, however, you could remove the need for the SFTP server to sit in the DMZ, that would be a step forward, since it reduces the risk of data lingering there. This works reasonably well in combination with cloud-based file-sharing systems, but the main drawback is that the data has then already left your organisation and in many cases is not protected in transit or at rest in the cloud.

An alternative solution is illustrated below using ‘Secure Managed File Transfer’ from Safe-T, a secure email and data exchange solution. The diagram shows a typical set-up in which sensitive data needs to be shared with a third party, in this case an insurance broker. The data starts out held in the IBM document management system inside the corporate LAN; the challenge is to share it securely with the agent outside the trusted environment without releasing any information until the endpoint has been properly identified and verified.

[Diagram: Safe-T Secure Managed File Transfer delivering a document from the corporate LAN to an insurance broker]

The process starts with the IBM system signalling that a new document is available and needs to be securely delivered by the Safe-T server, which is also located in the secure LAN environment (shown in blue with a safe dial). The document is collected into the Safe-T server and secured using encryption, and policies are applied to it defining how long it should be stored, what kind of availability and access is required, and to whom it must be delivered. Safe-T then optionally signs the document, looks up the recipient’s credentials and sends out a verification notice and link using two-factor authentication. Once the recipient has correctly identified themselves, the document is securely delivered over an SSL-secured link, and once delivered, optional security features control how long the document can be viewed, distributed or even printed.

One of the key elements of this type of solution is that the document doesn’t leave the sender’s organisation until the recipient has correctly identified themselves. Additionally, the document is never held in the DMZ, and attackers cannot launch an attack from the DMZ into the LAN environment. Why? Because there are no inbound holes from the DMZ into the LAN: all incoming HTTPS requests are held in a queue on the “Subscriber” in the DMZ until the “Publisher” in the LAN pulls them back by making an outbound call from the LAN to the DMZ. One word of caution, though: this type of solution is still susceptible to layer 7 attacks, so it is important that all data held on the server is encrypted and that the encryption keys are not held on the same server.
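As an added example (my own code, not Safe-T’s product), the gate below models the release step described above: nothing is handed over until the link signature, expiry, single-use state and one-time code all check out. The signing key, document id and recipient address are constructed values.

```python
"""Verified-release gate (constructed example): a held document is returned only
for a validly signed, unexpired, single-use link token plus the one-time code."""
import hashlib
import hmac
import secrets
import time

LINK_TTL = 24 * 3600  # notification link is valid for one day

class ReleaseGate:
    def __init__(self, signing_key, now=time.time):
        self._key = signing_key  # keep this in a separate key store, not with the data
        self._now = now
        self._pending = {}  # token_id -> (doc_id, recipient, otp_hash, expiry)

    def _sign(self, token_id):
        return hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, doc_id, recipient):
        token_id = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"  # sent to the recipient over a second channel
        otp_hash = hashlib.sha256(otp.encode()).digest()
        self._pending[token_id] = (doc_id, recipient, otp_hash, self._now() + LINK_TTL)
        return f"{token_id}.{self._sign(token_id)}", otp

    def release(self, link_token, presented_otp, store):
        """Return (document, status); document is None unless every check passes."""
        token_id, _, sig = link_token.partition(".")
        if not hmac.compare_digest(sig, self._sign(token_id)):
            return None, "bad signature"
        entry = self._pending.get(token_id)
        if entry is None:
            return None, "unknown or already used token"
        doc_id, _recipient, otp_hash, expiry = entry
        if self._now() > expiry:
            del self._pending[token_id]
            return None, "link expired"
        if not hmac.compare_digest(hashlib.sha256(presented_otp.encode()).digest(), otp_hash):
            return None, "wrong one-time code"  # a real gate also caps attempts per token
        del self._pending[token_id]  # single use: a replayed link gets nothing
        return store[doc_id], "released"

def demo():
    clock = [1_700_000_000]  # controllable clock instead of time.time()
    gate = ReleaseGate(b"constructed-signing-key", now=lambda: clock[0])
    store = {"policy-7781": b"<ciphertext held inside the LAN>"}  # constructed
    link, otp = gate.issue("policy-7781", "broker@example.com")
    wrong = gate.release(link, "000000" if otp != "000000" else "999999", store)
    ok = gate.release(link, otp, store)
    replay = gate.release(link, otp, store)
    tampered = gate.release(link[:-1] + ("0" if link[-1] != "0" else "1"), otp, store)
    link2, otp2 = gate.issue("policy-7781", "broker@example.com")
    clock[0] += LINK_TTL + 1
    expired = gate.release(link2, otp2, store)
    return ok[0], [wrong[1], ok[1], replay[1], tampered[1], expired[1]]
```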

So to recap; here’s why your corporate data protection should start in the DMZ:

  • Imagine what one wrong send could do to your organisation.
  • The DMZ is a potential route in for a hacker
  • Safe-T Secure Managed File Transfer allows you to easily exchange secure emails and attachments

Want to know more? Please get in touch by emailing us on info@netutils.com

Missed parts 1 & 2? Visit them here:
http://netutilsblog.com/2014/11/17/the-best-data-protection-advice-youre-not-taking-part-1/
http://netutilsblog.com/2014/12/10/the-best-data-protection-advice-youre-not-taking-part-2/

About David.
As one of our Security Consultants at Netutils, David consults and advises on specialist IT Networking & Security requirements.


“Pan” (Palo Alto Networks Parody of “Her”) – Too Good Not to Share!

We love this video from our partners at Palo Alto Networks. A lot of love here for Palo Alto’s enterprise security :)

Our 2014 in review

The WordPress.com stats helper monkeys prepared a 2014 annual report for this blog.

Here’s an excerpt:

A New York City subway train holds 1,200 people. This blog was viewed about 4,400 times in 2014. If it were a NYC subway train, it would take about 4 trips to carry that many people.

Click here to see the complete report.

Video: The Exinda Technical Boot Camp

What’s Your Biggest Networking Challenge?
Are your applications spinning out of control? Is social media chewing up all your bandwidth? Is BYOD causing problems on your network? Do you have visibility of all the applications on your network?

Watch our video from our latest event with Exinda at The National Space Centre in Leicester where our technical specialists shared knowledge and expertise to help customers with their biggest networking challenges.

Got a question or need advice on how to tackle your networking challenges? Please get in touch at info@netutils.com or visit www.netutils.com/exinda.php for more on Exinda’s WAN Orchestration.

The best data protection advice you’re not taking – Part 2.

Don’t get caught out by Phishing attacks

By David Hone, Security Specialist, Netutils

Views expressed in this post are original thoughts posted by David Hone. These views are his own and in no way do they represent the views of the company.

So part 2 is really pretty simple: some tips on how to avoid becoming the latest headline-grabbing victim of a phishing attack. Phishing attacks can emanate from many different sources, such as email, the web and even phone calls. Typically, phishing perpetrators are after one thing: your personal and/or corporate data.

Phishing attacks are getting ever more sophisticated, from email and telephone scams to text scams and dodgy links on websites. However, it is generally accepted that by far the greatest risk to the security of your corporate data is your employees themselves, who may unwittingly and easily fall victim to phishing attacks.

According to industry figures, 60% of UK office workers receive a phishing email at least once a day.

This is where end-user training is key, but the training needs to make a real difference. Hackers and scammers are ever more inventive, so organisations cannot simply rely on a single awareness session for their staff in the hope that it will be enough to counteract the problem. Although phishing attacks follow a similar pattern, the delivery mechanisms often change, and staff need to be made aware of these changes on a regular basis, or any training deployed will only be effective until the next phishing attack is unleashed.

Check out PhishAware for an example of dynamic and proactive user security training. You could also take a peek at our phishing blog here for some more thoughts.

If you have any concerns about the impact of phishing on your business, please contact a solutions expert from our team on:

t: 020 8783 3800
e: info@netutils.com


The Best Data Protection Advice You’re Not Taking – Part 1

By David Hone, Security Specialist, Netutils

Views expressed in this post are original thoughts posted by David Hone. These views are his own and in no way do they represent the views of the company.

Some mind boggling stats for you.

There’s a lot of data out there being created and shared and in amongst all that data are huge volumes of valuable personal and corporate information. By valuable I mean hackers want to nick it, sell it and exploit it.

Let’s take a second to think about the widespread proliferation of our personal data. Consider this. In the past, the typical household bill cycle would start with a gas or electricity representative knocking at the door to read the meters; 2 weeks later a bill would arrive on the doorstep directly from the supplier, and typically it would be paid by cheque in the post direct to the supplier or in cash at the local post office. Both methods were secure in so far as a very limited amount of personal data was collected, processed or stored.

Roll forward to today’s Software as a Service (SaaS) dominated world and we have a very different picture. No longer are our meters read by official employees of the gas or electricity companies; most likely the person reading the meter is a subcontractor employed by a different company. This instantly means a certain amount of your data is already being shared, and these organisations are likely to have your account reference, house number, address and postcode. While this may appear a trivial amount of data, it’s probably enough for someone to match it up with the electoral roll to acquire your household name in order to request a copy of your electricity bill. Armed with a copy of your bill, they could easily apply for some instant shop credit in your name. Scary stuff.

But it doesn’t stop there. The gas or electricity company wants to save money by making you read your meters for them and pay your bills online, so it commissions a company to design, build and manage a site for this. You are then encouraged, or forced, to use the new service and, more importantly, required to identify yourself and sign up to the process. In doing so, your personal data has the potential to be exposed in a myriad of different ways:

  • Direct breaches of data by the employees of the companies involved in managing the online platform.
  • Without the right level of anti-virus, anti-malware and phishing-awareness protection, your personal data could be stolen at source when you sign up for the SaaS, without the gas or electricity company knowing or even caring!
  • Call centres and data centres reside offshore, in places which likely do not have the same personal data protection regulations in place or enforced as we have here in the UK.

So with the new age of SaaS we can clearly see that we, as individuals, can quickly lose control of our personal data, and the possibilities of that data being leaked, lost or duplicated and then used for financial gain start to become infinite. Multiply this by the number of SaaS platforms you are compelled to subscribe to and use, and you can quickly see that the potential for your personal data to be leaked, lost or abused is extremely high.

Worried yet? Then think how easy it is for your personal information to end up in the wrong hands. For example, simply typing the wrong email address could result in your email being sent to any number of unintended recipients across the world. If a cybercriminal set up a domain such as “HSCB”, the chances are they could easily capture a certain amount of traffic intended for HSBC, and such correspondence is likely to contain information cybercriminals would otherwise not know.

Here are 4 simple tips to help protect your personal data both at home and in the office:

  1. Two (or more) steps are better than one

Protecting your data with just a password? Stop! The danger is that a single password can easily be guessed. Most secure systems deploy two-factor authentication: a password that only you or your employees should know, plus a token element that typically changes with time. The other weak area of these systems is single sign-on and the use of the same email address across single sign-on systems. Single sign-on typically lets you use one account (for example your Facebook account) to log in to other services such as Amazon. The weak link is the interception of a live session for any of these services, which allows the hacker to change the account email address by spoofing the live session. Having changed the email address, the hacker simply requests a password reset, which is then sent to the new address the hacker provided; from that point onwards the hacker has complete control of all your accounts and personal data linked to the same single sign-on details. Don’t link social media sign-on details with confidential services like online banking. Also consider keeping services separate by using a number of different email addresses, each used in isolation for one service, for example myname-mytax@{yourdomain.com} or myname-goingout@{mydomain.com}; by doing this you limit the damage that can be caused should any one service be compromised. Finally (and many of us are guilty of this), never use the same password for all services. I know this is difficult, and remembering all the usernames and passwords can be a real challenge, so read on….

  2. One size should not fit all

It’s frustrating when you can’t remember your passwords; let’s face it, life is busy enough. However, there are a number of solutions out there that can help. Most of them take the pain out of inventing new passwords and then trying to remember them later. Typically these systems store all your passwords in one centrally managed place. There are some security issues with this you should be aware of, however. Say you’ve lost your device, and it contains all your passwords. You can protect against this by using the device’s own password access controls before the password application itself can be accessed. What you are buying here is time to react, plus the ability to generate longer, random passwords that should be harder to crack: difficult to remember but easy to manage and use. Check out http://lifehacker.com/tag/password-managers for ideas.

  3. Clean up after yourself

You know that website you used to make a one-off purchase? They made you sign up for an account, right? Delete it! You have no idea what these companies are doing with your data or how well they are protecting it. I refer to my point above on SaaS: with its proliferation we, as individuals, can quickly lose control of our personal data, and the possibilities of that data being leaked, lost or duplicated and then used for financial gain start to become infinite. Delete those dormant accounts.

  4. Run and hide (well, not literally; you’ll see what I mean below)

So why did Facebook recently purchase WhatsApp? Our data (what we do, where we go, what we purchase and when, what groups we belong to and our buying power) is all information with a commercial value. By signing up and agreeing to use certain services we are agreeing to allow these companies to own our data, and in some instances to access our photos and know our locations. Is this really information you want corporations to have about you? Consider this: you don’t have to fill in your real name and address when signing up for these services, or you could encrypt the data you sign up with. One solution that can hide your surfing habits is Tor, from the Tor Project. The browser bundle provides a clean browser (i.e. free of any tracking cookies and plugins) that connects by way of a VPN-connected network of global hosts; your traffic is routed through those hosts and exits at different places at different times, thereby obscuring and masking who you are, where you are and what you are visiting.

Keep an eye out for part 2 of our blogging series on the ‘best data protection advice you’re not taking’ which will provide you with hints and tips on educating your employees on the dangers of phishing attacks.