Today’s threat environment is forcing organizations to rethink their security tools. Traditional firewalls no longer provide adequate protection at the network perimeter. They are being replaced by next-generation firewalls, which use deep packet inspection, application-level policies and other features to detect and block modern security threats.
These advanced capabilities have made security more effective – and more complicated. That’s why many smaller organizations are looking for a simpler way to manage the security infrastructure.
Unified threat management (UTM) was introduced as a new approach to security management that integrates various security technologies. Typical UTM solutions include a firewall, gateway security, intrusion detection and prevention, anti-malware software, content filtering, and other security features. This functionality is integrated into one solution, making it easier to install, update and maintain than traditional security tools.
In addition, the integration of multiple security engines makes it possible to detect blended threats that employ a combination of attacks — such as a mix of viruses, worms, Trojans and denial-of-service attacks — crafted to circumvent a single line of defense. With UTM, the integrated security engines work together, enabling the system to inspect real-time traffic from multiple vantage points.
For example, a seemingly harmless e-mail that might pass through any antivirus system could contain an HTML-based attachment that ultimately points to a Trojan. Because a UTM solution can use a combination of antispam, antivirus and other security engines, it can detect such blended threats more readily.
Single-console management makes it easier for administrators to enforce detailed security policies throughout the organization, and eliminates the need to investigate multiple alerts generated by various systems for the same event. Automatic security updates protect against emerging and evolving threats without administrator intervention.
In addition to reducing management complexity, UTM solutions can be configured to meet regulatory compliance standards. The more complex the infrastructure, the more complex those configurations will be. However, configuring a single UTM appliance is simpler than separately configuring several security tools.
When selecting a UTM solution, there are a number of things to consider:
Note that the industry lacks consistent nomenclature with regard to UTM. Some vendors call UTM products “security appliances” while others refer to them as next-gen firewalls. ICG can provide you with objective advice on security solutions and help you implement the right tools to protect your business.
The Q2 2015 Cyber Threat Report from cybersecurity firm CYREN reveals that phishing attacks increased 38 percent overall during the second quarter. Phishing is a technique used by criminals to bait you into sharing sensitive corporate or personal information. Usernames and passwords, financial account information, Social Security numbers and basic contact information are the most common targets of phishing attacks. Consumers with PayPal, Apple and Gmail accounts are frequent victims of phishing.
Phishers mimic the logos and websites of legitimate organizations, and pose as friends, business partners, clients, bank officials or IT staff. They hook their targets by fooling people into clicking malicious links or opening attachments that automatically engage and activate viruses and malware. Then, these criminals can use these compromised accounts to spread the misery to others.
Common phishing scams include:
For its Q2 2015 report, CYREN looked beyond these types of attacks to examine phishing campaigns that seek intelligence or financial gain from businesses. The security analysts grouped these sophisticated attacks into two categories:
There are simple ways to protect yourself and your business:
Phishing attacks are reaching epidemic proportions. Make sure your security systems are working properly and your staff is using common sense and extra caution when checking email.
With all of the talk about new technology, new mobile devices and applications, and new models for designing and managing data centers, it can be easy to overlook very basic questions. What web browser are you using? What browser should you be using? Do you even know what a browser is?
Don’t laugh. Ask 10 people what a web browser is and you’ll probably get a handful of entertaining answers.
A web browser is software that connects to the Internet and enables you to access and view web pages and files. The first web browser, WorldWideWeb from Nexus, was released 25 years ago. Other early browsers include Mosaic, Netscape Navigator, and Microsoft’s Internet Explorer (IE), which recently celebrated its 20th birthday with a fairly substantial drop in market share.
According to Net Applications, 51.6 percent of Internet users worldwide used IE for desktop browsing in September 2015, down 7.5 percent from December 2014. Google Chrome has reached an all-time high in browser market share at 29.9 percent, while the 11.5 percent share for Mozilla’s Firefox represents its lowest number in nine years. Apple’s Safari checks in at 5.08 percent.
In the workplace, the IT manager will typically choose a web browser based upon certain criteria and install it on every company-issued device. They’ll consider the browser’s performance, or how quickly it can open a web page. Other factors to consider include compatibility with critical business applications, design and customization options, and employee preferences.
Due to IE’s somewhat checkered history caused by security issues and unnecessary add-ons, Microsoft is replacing it with Microsoft Edge in Windows 10. Edge is said to be faster, more secure and more modern-looking than IE. While Edge is certainly a more stripped-down browser with fewer features than IE, it does have newer features that have raised eyebrows.
Web Note is a new tool that lets you “write” on websites using a virtual pen or highlighter. You can then add a personal note, sign your name, and share it with a coworker. No other browser offers this functionality. Edge also enables you to create a Reading List so you can save web pages for later reading. The Reading List includes a headline and photo for each item and appears above bookmarks and favorites.
However, Edge has yet to support extensions that let you add services and features to a web browser. Extensions are supported by Chrome, Firefox and Safari. Even more shocking is that Edge’s page load times are a full second longer than its predecessor’s, although IE is faster than its top competitors. The slow speed is due in part to more advanced security features, and Microsoft claims that Edge will eventually be faster than IE could ever be.
Each browser has its pros and cons. Chrome is known for speed and security, and the options to browse privately and customize the dashboard. Firefox is known for the simplicity of its user interface and the ability to learn preferences and suggest relevant content. Opera, a relatively new browser, is known for its speed and bandwidth efficiency. Safari is known for delivering the best possible experience for Mac users. It’s too early to make a call on Microsoft Edge, which is only available on Windows 10 and is likely to see dramatic improvements in the next few months.
As elementary as web browsers may seem in the grand scheme of things, it’s important to choose a browser that is best suited for certain use cases within your organization. Let ICG help you determine what exactly you need from your browser and choose options that help your employees do their jobs better.
Many organizations first resisted the bring-your-own-device (BYOD) model in which employees use their personal laptops, smartphones, tablets and other devices in the workplace. IT managers were concerned about device and data security, supporting and managing a wide variety of devices and applications, and a general lack of IT control in a BYOD environment.
However, as employees have continued to push to use their own devices at work, many IT managers have relented and even embraced the BYOD model. Proponents say BYOD boosts productivity and employee satisfaction, enables greater flexibility, and reduces technology costs. In fact, Gartner predicts that nearly four in 10 organizations will stop issuing company devices and rely exclusively upon BYOD by 2016. By 2020, 85 percent of companies will have a BYOD policy of some kind.
While BYOD has garnered much of the attention, the choose-your-own-device (CYOD) model has experienced slow, stealth-like growth. Somewhat of a compromise between BYOD and the traditional model, CYOD requires employees to choose from a group of company-approved devices. The desire to corral BYOD, eliminate management and security complexity, and create a more standard corporate IT environment led IDC to predict in 2013 that CYOD would render BYOD obsolete.
That hasn’t happened. BYOD is doing just fine. Cloud services have become more widely used, and employees can access cloud resources from their own devices without going through the corporate network. Organizations are relying more upon temporary and contract workers, and it doesn’t make sense to supply each of these individuals with a company-owned device. In some cases, BYOD is used on a limited basis for certain departments. For example, a simple change in phone number could affect a salesperson’s relationships with industry contacts.
But CYOD is growing, too. As data breaches continue to occur at an alarming rate, organizations and employees are becoming more sensitive to the issue of cybersecurity. CYOD enables IT to simplify device management and control how devices are used. Devices are preconfigured and security software is preinstalled. Also, concerns about employee satisfaction are overblown at times, as employees will typically end up with a device that makes them happy when CYOD is properly implemented.
Many organizations turn to CYOD because of the legal complications of BYOD. How do you differentiate work time from personal time and compensate employees accordingly? Where do you draw the privacy line between personal data and company data? Does your BYOD policy hold water with various state, federal and industry regulations?
When deciding between BYOD, CYOD and a hybrid approach, start by analyzing how employees use their mobile devices. Find out what applications are most popular with your employees and how these tools help them perform their job functions. If you don’t have employee buy-in, your model won’t work.
Once you choose a model, make sure you develop a security strategy that will protect your data inside and outside of the workplace, and create an incident response plan to minimize the impact of a breach. All of these decisions involve more than IT, so include legal, human resources and finance from the planning phase through implementation.
ICG understands the pros and cons of CYOD and BYOD as they relate to the unique needs of small businesses and their employees. Let us help you devise a plan that prioritizes security and strikes the right balance between productivity, cost efficiency and employee satisfaction.
In our previous post, we discussed that small-to-midsize businesses (SMBs) are turning to the cloud to take advantage of “anytime, anywhere” access to applications, data and infrastructure through mobile devices. These capabilities give employees the flexibility to work remotely while maintaining the highest levels of productivity, collaboration and customer service. As a result, small businesses are investing in mobile-friendly, cloud-ready infrastructure.
Once considered a nice-to-have luxury, mobility has become essential for day-to-day SMB operations. According to Manta’s SMB Wellness Index, four in five small business owners use their mobile phones for business purposes every day. One in four use mobile phones at least every hour, and 78 percent use them while sitting in front of a desktop computer. Some of the most common tasks include scheduling, customer communication, creating to-do lists and banking.
While mobility delivers obvious business benefits and makes employees happy, it also creates a number of risks. Are employees using applications or software that could drag down network performance, increase the risk of compliance violations, or open the door for cyber criminals? Is data being stored securely? Are company data and applications getting mixed up with personal data and applications? How do you keep them separate? What happens if a mobile device is lost or stolen? These and other questions need to be answered before diving headfirst into the mobility pool.
Mobile device management (MDM) software can help SMBs address these concerns by enabling IT to centrally deploy, manage, monitor and secure both company-owned and employee-owned devices. Security and compliance policies, antimalware, access controls, passwords, encryption, and applications are updated and managed remotely. Data can be remotely wiped from a lost or stolen device, and jailbroken devices can be automatically detected and flagged. MDM not only protects company data and applications, but also ensures optimal performance and functionality for employees.
MDM software can be licensed to a single device or to a single user who utilizes multiple devices. One license per device is ideal for small companies in which each employee uses a single mobile device. For companies with employees who use smartphones, tablets and laptops, a per-user license is typically the more cost-effective approach.
This is the model most SMBs use with Microsoft Windows Intune, which provides MDM capabilities for Office 365 products. In addition to Windows, Intune can be used to monitor, secure and optimize Outlook clients on Android and iOS devices. Intune is capable of defining and enforcing policies and access controls at the device level. If a device is lost or stolen, Intune uses selective wipe functionality to remotely delete company data and applications without touching personal data.
Of course, Intune is just one example of an MDM solution for SMBs. There are a number of other products available, as well as free software and apps built into the devices themselves. Some enterprise-class MDM platforms are now available in a cloud model, making them more affordable for small businesses.
Although MDM helps SMBs reduce many of the risks associated with mobility, it is rather complex to implement and manage. Let us help you deploy, configure and remotely manage your MDM software and keep your mobile environment secure.
One of the core drivers behind the emergence of cloud-based services for small-to-midsize businesses (SMBs) is flexibility. Having the flexibility to access applications, data and infrastructure anytime, from anywhere, leads to faster decision-making, improved customer service and responsiveness, greater productivity, more collaboration and more innovation.
In fact, a recent study found that 91 percent of organizations using the cloud have at least one employee working remotely. Nearly one in five companies say the majority of their workforce works remotely.
SMBs are increasingly turning to an Infrastructure-as-a-Service model in which applications, hardware, software, storage and other tools and services are hosted by a third-party service provider and accessed on virtually any Internet-connected device. These resources can be scaled on demand and shift the financial burden of IT procurement, management and maintenance to the provider.
Of course, another big reason for the popularity of the cloud is the popularity of smartphones and tablets. Mobility and the cloud are speeding forward side by side as employees demand the highest levels of performance and reliability when accessing the corporate network from their favorite mobile devices. To meet this demand, organizations are making investments in mobile-friendly infrastructure and ensuring that devices, applications and data are running in the cloud.
The cloud fills a very basic need for the mobile workforce – the ability to remotely access files and applications. Documents can be reviewed, edited, stored and sent from any device. Manager approvals no longer require a trip back to the office.
Unified communications and collaboration tools allow employees to use a variety of channels to seamlessly communicate with colleagues and customers. Videoconferencing no longer requires high-tech conference rooms and complex planning. All an employee needs is a smartphone or tablet and login information.
The key advantage of the cloud – anytime, anywhere access to network resources – also creates a downside. Organizations that rely upon the cloud to support mobility are also relying upon mobile employees to establish and manage their own Internet connectivity. This can lead to service degradation, which prevents users from taking full advantage of a flexible working arrangement. The cost of access to cloud resources, if not monitored and controlled, can quickly wipe out any financial gains of cloud computing. Finally, security can be compromised by users who visit questionable websites, download malicious software, utilize unsecure networks, or fall prey to phishing scams.
Mobile policy management (MPM) can overcome these issues by establishing and automatically enforcing policies that provide greater control over how the cloud is used. Networks used to connect to the Internet are prioritized and selection is controlled by policy. This can significantly reduce support costs and optimize data usage while simplifying the user process for accessing cloud resources. From a security standpoint, MPM protects corporate data and applications by preventing the use of rogue networks that are often labeled as “free Wi-Fi.” It also allows users to roam between networks without security or compliance issues.
ICG’s IT-as-a-Service (ITaaS) solution is focused on making businesses more flexible and agile. It includes virtualized server infrastructure, hosted email, automated and managed backup, Microsoft Office licensing, remote desktops, and a comprehensive suite of security tools. Let ICG show you how our cloud services can help you take full advantage of mobility and flexible working.
In our previous post, we discussed the pending deadline for switching to Europay, MasterCard and Visa (EMV) payment cards. Although switching to EMV cards is voluntary, merchants who process fraudulent purchases with non-EMV card readers after October 1, 2015, will be liable. The cards themselves will provide additional security at the point of sale (POS), but organizations will need to update their POS systems to minimize the risk of fraud.
In the midst of all of these changes, the 2015 Mid-year Point-of-Sale (POS) Security Health Assessment from Bit9 + Carbon Black revealed that more than half of organizations are using POS systems with unsupported Windows XP operating systems. 94 percent of organizations use antivirus software, but 26 percent believe antivirus is not enough. Also, one in four companies that increased their security budgets continued to invest in antivirus protection. While antivirus is an essential part of security, these statistics indicate an overreliance on tools that are incapable of detecting or stopping advanced threats.
Most Windows XP embedded operating systems, including some used on POS devices and ATMs, are still being supported until early next year, but that shouldn’t give merchants peace of mind. POS systems generally are weakly supported by IT. Most are using outdated platforms that are rarely if ever patched and maintained. Many use default configurations and passwords, making them easy targets for hackers. In addition to inadequate defenses, POS malware attacks continue to increase in number because POS systems provide a gateway to a number of systems within the corporate network.
New forms of malware have been designed specifically to attack popular POS systems, scrape credit card data, steal passwords, and upload data to remote servers. Some of these threats are capable of downloading updates on their own to add features and eliminate bugs. Although Windows XP users are easy targets, newer versions of Windows are also at risk, and hackers are always looking for new ways to infect POS systems.
Just as hackers understand the opportunity created by outdated POS systems, merchants need to understand the risks, be more proactive and follow security best practices. Around-the-clock network monitoring enables organizations to track network activity in real time, monitor remote access software and detect suspicious behavior. Two-factor user authentication, as well as updated firewalls and antivirus software, will help to prevent unauthorized access to the POS. Of course, all systems must be regularly patched and maintained in order to be effective.
Organizations that continue to use Windows XP on their POS systems are knowingly increasing the risk of a security breach. In the very near future, all XP support will be cut off. Those who don’t start planning now will be left scrambling for an effective replacement. This is bad for business and bad for your customers. Let ICG evaluate the state of your POS systems and implement the updates you need to keep criminals at bay and protect your data.
The time-honored tradition of swiping a credit or debit card is being replaced by the “chip and dip” as the U.S. prepares to shift from magnetic strip payment cards to Europay, MasterCard and Visa (EMV) cards. EMV cards with small computer chips are “dipped” into payment terminals and removed when the transaction is complete. The deadline to switch to EMV cards is October 1, 2015. Although the transition began years ago, there has been a greater sense of urgency to speed up the process due to the rash of high-profile security breaches.
EMV cards use transaction authentication technology to protect consumers against fraud. Traditional cards store data in magnetic strips. This data can be stolen, copied and used to make purchases or sold to the highest bidder. However, the computer chip in an EMV card creates a one-time, random code for each transaction. If someone stole the code and tried to make another purchase, the card would be denied. While most security mechanisms focus on preventing unauthorized access, EMV cards focus on making sure criminals have nothing of value to steal.
Although October 1 is less than two months away, a report from Javelin Strategy and Research estimates that up to three-quarters of merchants won’t make the deadline. When the study was conducted, most small merchants hadn’t even heard of EMV. That is expected to change as consumer awareness increases and credit card companies begin to apply pressure on merchants to make the switch. However, most merchants will not be ready by October 1, and the consequences could prove costly.
Beginning in October, if someone tries to make a fraudulent purchase with an EMV card, and that purchase goes through because the merchant doesn’t have an EMV card reader that’s capable of denying the card, the merchant will be liable. Technically, switching to EMV cards isn’t mandatory, but the liability shift is being used as a strong incentive. Also, the absence of EMV card readers could be viewed as a red flag to consumers who are well aware of widespread payment card security issues.
Merchants need to prepare by replacing traditional magnetic strip readers with EMV readers. Prices for EMV readers typically range from $30-$300, depending on the level of functionality you want. Your point-of-sale system may need to be upgraded, and employees will need to be trained to follow a new process for accepting card payments.
Despite the fraud protection delivered by EMV cards, merchants still need to focus on staying compliant with Payment Card Industry (PCI) standards. EMV won’t protect a network infrastructure that uses unsupported Windows XP operating systems and outdated antimalware, fails to isolate cardholder data from the rest of the network, and allows unauthorized users to remotely access these systems. Employees who fail to follow best practices also put their employers and customers at risk. While EMV adds an important layer of authentication at the point of sale, PCI compliance on the actual point-of-sale devices and across the back end of the network is essential to protecting cardholder data throughout the transaction process.
Experts are predicting that attackers will ratchet up their efforts prior to the October deadline and look to exploit other vulnerabilities during the transition to EMV. For example, EMV cards offer no additional protection for online transactions. Let ICG help you manage this change, keep your network secure and PCI compliant, and minimize the risk of fraud.
In a previous post, we discussed the growing danger and complexity of security threats and why outsourcing security has become a business necessity, especially for resource-strapped and budget-conscious small-to-midsize businesses (SMBs). However, outsourcing security doesn’t absolve the organization or its employees of all security-related responsibilities.
Just how bad has it gotten? According to Check Point’s 2015 Security Report, the average number of malware attacks increased from 2.2 per hour in 2013 to 106 per hour in 2014. Insider threats are on the rise as the emergence of bring-your-own-device (BYOD) policies and risky shadow IT applications provide more ways for current and former employees to access the network. Mobility is a major challenge as 42 percent of companies were victims of mobile-related breaches that cost more than $250,000 on average to address.
Of course, the weakest link in the security chain continues to be human beings. The use of email phishing scams and social engineering – a method in which hackers interact with employees to break through security and carry out cyberattacks – is expanding. As sophisticated as today’s cybercriminals are, they just want access to data, and the easiest way to gain access is through employees, not advanced security software. According to the BakerHostetler Data Security Incident Response Report 2015, the top cause of IT security incidents was employee negligence.
The increased targeting of employees underscores the need for security awareness training. Uneducated, untrained employees make the hacker’s job easy. Too many people take a “share everything,” social media mentality to the workplace, connect with people they don’t know, fail to log out of their accounts, and give their passwords to others without considering the consequences.
Formal training and documented policies, and enforcement of these policies, are essential to not only improving network security, but also ensuring regulatory compliance. All too often, security and compliance are assumed to be the responsibility of a select few. However, individual employees who violate compliance regulations due to carelessness or ignorance can bring heavy penalties on their employers while potentially compromising the private information of their customers.
A security awareness program should include both general best practices and the specific responsibilities of individual employees. In addition to increasing understanding of phishing and other hacking methods, organizations should establish procedures for reporting a suspected breach to minimize its impact. Security should be covered in training for new employees and in ongoing refresher training for all employees. In fact, security awareness programs are now required by the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and other regulatory standards.
The biggest problem with most security awareness programs is the absence of clear goals. What behaviors need to change? What is each employee’s role? What is the penalty for violating the company policy, and how will this improve security? Many programs also tend to focus on certain topics even though they haven’t assessed the risk related to those topics. Organizations need to better understand the true problem, and how employees typically encounter these problems, in order to maximize the effectiveness of their security awareness programs.
Security is an all-hands-on-deck, round-the-clock process, even when security is outsourced. Every employee needs to be vigilant, and every organization needs to provide its employees with the necessary training to prevent a breach.