The Shellshock Bug – Hype or Reality?

By David Hone, Security Specialist, Netutils

dave_h_colourViews expressed in this post are original thoughts posted by David Hone. These views are his own and in no way do they represent the views of the company.

So what exactly is Shellshock (CVE-2014-6271) aka the ‘Bash Bug’ and should you believe the hype?

You may not believe that your organisation will be affected by this security flaw because you don’t run Linux, Solaris or Unix systems, but you may want to reconsider.

Let’s cut through the hype and consider exactly what Bash is and what functions it provides in a computer.

Bash stands for Bourne-Again Shell. In essence the Bash function provides the interface between the user and the computer. Its core function is to interpret what you type and allows the computer system to action these commands.

Bash also provides the ability to script commands, scripting being used to automate a number of steps. For example you could command a Bash shell which creates a script to discover all your database files and then copy them to a database located somewhere else in the world.

The key part to understand is that as the Bash shell is text-based the commands could be initiated from a remote computer and doesn’t necessarily have to be connected to a local keyboard. This allows IT departments / individuals to action commands from anywhere in the world. While Bash is interpreting the physical commands inputted by a user the final point to highlight (and this is one that most people overlook or simply do not consider for any number of reasons) is that as individuals, consumers and businesses we are surrounded by computers of all types (commonly referred to as ‘the Internet of things’) that are often connected to the Internet undertaking activities and processes of which we often have little understanding or knowledge.

The Bash Bug vulnerability allows an attacker to remotely execute commands, attacking scripts which have been written in Bash.

For more see

How can you identify which of your devices are vulnerable to this type of attack, the impact, and what you should do to protect your business and private data?

If you have not done so already you should start by implementing a full audit of all devices connected to your network. This should include everything from the routers provided by your internet service provider to any device that your users attach to the network.  It is common practice for manufactures to build ‘the internet of things’ with open source software, so almost any device from the modern fridge, to the ISP’s router, or indeed the core routers and switches in your network are all likely to have a custom built Linux/Unix  operating system derived from a common open source technology which includes the Bash application and therefore all these devices are potentially vulnerable to this attack and are targets for attackers to hijack for any number of illegal activities. 

So how can Netutils help? We specialise in providing networking, security solutions and consultancy and pride ourselves on providing our customers with the highest quality of immediate actionable independent advice and solutions to solve current business security needs. If you have any concerns about the impact of the Bash Bug in your organisation we urge you to get in touch, we are very happy to discuss possible fixes for you and your organisation.

Phishing- Are you ready to be caught out?

By Anthony Mortimer, Account Manager, Netutils

AnthonyMortimerViews expressed in this post are original thoughts posted by Anthony Mortimer. These views are his own and in no way do they represent the views of the company.

In the age of commercialised hacking, organisations are experiencing greater frequency and sophistication of attacks than ever before, this is driven simply by the commercial value corporate data represents to criminals. According to Trend Micro 90% of all known successful data breaches in 2012/2013 were attributed to Phishing attacks.

At Netutils we see and talk to a broad range of organisations all with very different views to the risk these threats pose. For many smaller organisations the presence of a firewall and basic security is seen as sufficient; but here’s why these smaller businesses should be concerned.

For a start criminals are now regularly targeting suppliers or customers of big organisations as the staging point to attack the bigger network. More importantly we are seeing a trend for large businesses to dictate security policy to their suppliers for them to continue to trade with them or to win new contracts.

A significant growth area is in the use of targeted Phishing emails and more focussed spear phishing attacks tailored to specific individuals based on pharmed data. These types of attacks are becoming more difficult to mitigate against putting significant stresses on IT department’s budgets.

We have witnessed organisations handling these threats with 2 broad methodologies:

  • Deployment of technology to counteract attacks
  • End user training

It is generally accepted that by far the greatest risk to the security of your corporate data are your employees themselves who may unwittingly fall victim to phishing attacks. According to industry figures 60% of UK office workers receive a Phishing email at least once a day. In addition the greatest issue with regards to end user training is that for most organisations it is difficult to deliver such a course in a way that will make a real difference. Businesses will often run a single awareness session and hope that will mitigate the risk. Unfortunately Phishing attacks are dynamic, although they follow a similar pattern the content and mechanisms change, unless staff are made aware of these on a regular basis the training deployed may only have value for a few weeks after delivery until a new form of attack is devised.

The second method of combating these threats is via the deployment of technology, this poses real issues to businesses and it can be argued many traditional signature based solutions offer little real protection. This is essentially because they rely on a known database of attack signatures to spot and block an attack. However with the rise in commercial hacking activities self-service malware portals can provide the enterprising hacker with a unique piece of malware for as little as $100 that can sit undetected on corporate machines, up until it is discovered and the signature published.

At Netutils we believe that effective mitigation requires a layered approach to handling these issues. At the heart of our solution set are 2 key elements: ongoing security training via our interactive training platform (PhishAware) and cutting edge signature less technology.

If you have any concerns about the impact of Phishing in your business then do please contact a solutions expert from our team on:

t: 020 8783 3800




Exinda: The Business Case for WAN Orchestration

Do you need improved visibility & control of your WAN traffic to maximise user experience & network performance? Watch our short video blog on the key features of Exinda’s WAN Orchestration. The webinar referenced in this video will be available on this blog shortly.

Busting The Top Four Myths About Hacking

Vanessa Cardwell:

This blog from our partners at SMS Passcode on ‘Busting The Top Four Myths About Hacking’ is well worth a read. Knowing what’s myth and what’s fact is essential to avoid running unnecessary risks to your business. Myths can lead to false assumptions and thinking that your business is not at risk of being breached by hackers.

Originally posted on The SMS PASSCODE Blog - technology leader in multi-factor authentication:

By Torben Andersen, CCO, SMS PASSCODE

Knowing what’s myth and what’s fact is essential to avoid running unnecessary risks to your business. Myths can lead to false assumptions and thinking that your business is not at risk of being breached by hackers. So let’s take a closer look at some of the most common myths out there.

1# Myth – Hackers only target the big brandsMyth one - hackers only target the big brands

When big brands like Target, eBay, Adobe, and Sony are hacked, it’s big news for business and mainstream publications. Don’t be fooled: big companies aren’t the only ones being targeted. In fact, research shows that 31 percent of all hacking attacks were aimed at businesses with fewer than 250 employees.

2# Myth – You have nothing valuable for hackers to steal

Fair enough. Not everyone is fortunate enough to be storing breakthrough research with the potential to revolutionize your industrythe world if only you can keep…

View original 385 more words

Bye-Bye BYOD … hello Secure Guest Access

By Toby Makepeace, Technical Director, Netutils

Views expressed in this post are original thoughts posted by Toby Makepeace. These views are his own and in no way do they represent the views of the company.

Ok, so we all know the term BYOD has been in the news for a good while now. And I’m still challenging my customers and contacts interested in deploying a BYOD strategy by asking them why? Why are you interested in a BYOD strategy for your organisation?

Personally, I think the concept of a secure network access control (NAC) policy is essential for any network, but when it is solely being linked to BYOD I have to ask the question ‘why?’

In my view the reasons behind a BYOD policy within organisations is normally driven by one of 3 things:

  • The staff are asking for it
  • The senior management team want to use their iPads (happens a lot, believe me!)
  • The organisation sees a business benefit to allowing users to access their own devices at work

If it is the latter, great and I’ll address that further on in this blog.

If the reasons for BYOD are driven by either of the first 2, my suggestion is that you consider (instead of a full-on BYOD strategy) simply deploying a guest network with internet access and ensure all the relevant monitoring and filtering is in place.

In addition make sure you use something to control the traffic usage, and don’t ever just put up an open network for staff to use; you do not want to actively monitor staff, but you do want to deter people from just using a company connection to the internet for personal use. You also need to ensure the company has relevant protection in place to comply with the legal obligations no business should ignore (such as data retention and the Digital Economy Act) to reduce the responsibilities of your IT team in terms of managing and reporting on the data used and accessed by guests using your network.

You’ll probably find that the primary applications your staff wish to access will be (surprise, surprise) Facebook and Twitter and to be honest in most cases my advice would be to allow that. Happy staff work better. What you don’t want to find is a load of BitTorrent data being downloaded, or uploaded over the network, so hence the need for a solid guest access solution. So in this case you are not deploying BYOD you are just being nice to staff by helping them reduce their mobile data costs! And, let’s face it, most of them will be accessing these applications during the day with or without a guest network.

So back to full blown BYOD, I suggest you ask yourself and your organisation the following questions.

  • Which applications do you need to support?
  • What types of devices are you happy to support?
  • Which employees are you happy granting access to?

Once you’ve answered these questions, I suggest you follow this simple process:

  1. Start with the resources
  2. Involve your staff
  3. Deploy a layered approach

Consider which resources you want staff to be able to access. Are you going to do things via Terminal server/Citrix sessions? Or are you going to allow users to actually use their devices to connect? Take each application and think of simple rules, for examples Outlook Web Access / Email are you happy with these being accessible on a personal device? Will the staff be more productive if they are? Ok, then consider do you require full Mobile Device Management or just a simple ActiveSync policy? (This will always come down to the volume of the data in peoples email).

Next, involve your staff. Let them know you are rolling out BYOD, but you are going to do it slowly and ask them to submit their suggestions as to what applications they seek to use and why. This way you can set priorities and assess the level of control you are going to need to be in place. You might find the Remote Access policy you have in place just needs to be tweaked, and a new wireless network that is very similar to the guest network gets created, that has a link through to certain resources like Lync/Citrix and other applications.

Deploy a layered approach. Allow staff to login to the BYOD network using their Active Directory credentials, this way they will be logged onto a secure network but separate from the corporate network. Then to get access to a resource like your CRM for example, you might consider using 2 factor authentication via an SSL portal, which is only available in the office, so you know who is accessing the network, the fact they are present in the building, and they know their 2 factor password.

I hope these tips give you food for thought and help you in your BYOD strategy planning. If you have any question then do feel free drop them to me via Twitter @tmakepeace. Thanks for reading and good luck!

Exinda Video : Troubleshooting Network Problems

When users complain that their apps aren’t performing properly, you need to take action to solve the problem quickly.

ExindaBlogWatch this demo from our partners at Exinda and find out how to:

  • Diagnose and solve the most common network problems
  • Pinpoint which applications and users are causing network performance issues
  • Apply policies that control traffic at a user and application level
  • Monitor apps, users, and conversations on the network in real time

Learn how to troubleshoot #network problems faster with @exinda join our webinar 11am 10th September.

Setting the stage for 20 years …. The challenge is finding the star performers

By Michele Lewington, MD at Netutils

All the world’s a stage,
And all the men and women merely players;
They have their exits and their entrances,
And one man in his time plays many parts…

20yearsPictureDuring 20+ years in the industry I can recall a time when my company felt more like a stage with a revolving door than a business. You’d bring in new employees – nurture, mentor and train them and no sooner they’d become a useful member of society, they’d be headed through the revolving door and looking for a starring role on a West End stage. It’s the way of the world and over the years you get better at finding ways to mitigate the fall-out.

On the flip side, I can’t help but be touched by the loyalty and commitment of others. It’s not always easy to win trust, to secure that much needed longevity and to walk the road of fair but firm. When you manage to do so and get it right, you can find yourself surrounded by the most remarkable, talented people.

I am gratified to have several such team members today; they have the capacity to make me forget about those that came and went via the revolving door and I am staggered to be celebrating 20 years in September with one of the first of our employees who acts as a constant reminder of how important it is to get the balance right.

Can she be accused of lacking ambition? Absolutely… mostly by uninformed individuals who know little about the dance of responsibility that we have performed and perfected over the years. Does she feel as if she has been held back or had her potential stifled? I don’t believe so, but just to be sure, I asked her to write a blog. It’s her first (and quite possibly her last) but read Claire’s story here and judge for yourself.