Manx Technology Group (MTG) has launched “Umbrella”, a Cloud-based secure internet gateway that provides visibility and protection against internet threats. The secure internet gateway (SIG), powered by Cisco, secures internet access from the corporate network and for staff working remotely. The service is ideal for businesses of every size, capable of scaling from 1 to 10,000 users – and with the basic service, there is no need for expensive new hardware or software to be installed.
Industry 4.0 is the latest trend in manufacturing that encompasses automation, instrumentation and data. Many describe the concept of Industry 4.0 and the Smart Factory as the beginning of the fourth industrial revolution.
ServiceTech, a provider of IT, network and security solutions has joined the Manx Technology Group (MTG). Headquartered in the Isle of Man, MTG provides a comprehensive range of services and solutions in technology, consulting, software, security, data and business operations. Formed in 1997, ServiceTech has a strong track record in the provision of IT and technical solutions to organisations throughout the UK and Europe.
Chairman John Webster said:
ServiceTech joining MTG completes our strategy of providing customers and partners with a complete portfolio of the latest IT and software products and services. This has been particularly welcomed by clients in manufacturing, biotech, egaming and financial services, who are all facing the challenges posed by cyber-threats and competition from those using technology to improve their operations.
Joe Hughes, CEO of Manx Technology Group commented:
MTG is an internationally focused business with an ambitious strategy of growth through the delivery of innovative technical solutions, coupled with the highest levels of service and support. Our focus on innovation ensures that we are able to deliver real value and a sustainable, competitive edge to our clients.
Concepts such as software integration, cloud adoption, automation, data and cyber-security are in demand; ServiceTech will enhance the Group’s capabilities and service provision in these areas.
MTG’s clients are continually looking to enhance their business models and operations through the use of technology and data. This has become a universal trend across all organisations, with concepts such as Industry 4.0, cyber-security, automation, machine learning and IoT gaining traction in every sector.
One of the biggest sources of innovation in technology is from adjacent industries; a principle that underpins MTG’s Fusion concept. The Fusion concept draws on MTG’s extensive expertise in financial services, e-gaming, security, manufacturing and biotech to provide a unique technical and operational perspective. Fusion intends to accelerate the uptake of new technologies, concepts and ideas across industry.
In all cases, the type of client engagement that our teams are working on demands a diverse skill-set with considerable cross-sector experience. The addition of ServiceTech into the Group strengthens our Fusion proposition and allows us to provide a diverse range of solutions, from inception through to delivery.
The companies already share many customers and business partners, and MTG’s strategy is to enhance and expand these essential relationships over the coming months.
Darren Bell, Director of ServiceTech commented:
We are thrilled to be joining the Manx Technology Group (MTG). The synergy of Group members opens up many exciting opportunities. ServiceTech has consistently delivered customer-focused technical solutions for nearly 20 years and the reputation we have developed throughout this time is testament to our committed and talented team – whose expertise will contribute towards the success of the Group.
Power Routing is a powerful, simple to use feature of the ShoreTel IP Phone system that allows your users to customise their incoming call routing in a flexible manner. Users can opt to have certain callers divert to their mobile, change the routing by time of day or the routing can respond to their calendar status in Microsoft Outlook (i.e. during a meeting).
The first step to configure power routing is to identify the number (or type of number) to perform an action against:
- A specific number (e.g. +44 1624 639420)
- Any internal number (from other staff members, or offices)
- Any external number (outside callers)
- A private (withheld) number
You can then choose to take an action based on:
- Your availability (within your Outlook Calendar or manually set)
- The time of day or day of week
- If you are on the phone
Finally, you can take an action:
- Take a voicemail.
- Selectively call your mobile, or multiple numbers.
- Undertake a find-me operation.
- Call someone else.
What are the possibilities?
There are a number of practical applications of Power Routing:
- A “universal number” solution where contacts only need to know your office number, so you don’t need to hand over your mobile number.
- You can opt for calls from key clients or suppliers to always divert to your mobile, irrespective of your status.
- Family members or key contacts can always reach you.
- Third parties or suppliers who are not a priority can always be diverted to voicemail.
- Your calendar status in Outlook/Exchange always determines the call routing that takes place.
Power Routing is a popular feature with our ShoreTel customers. The self-service and intuitive interface offers a real benefit to our customers and their teams.
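As an added illustration (not ShoreTel’s code or configuration format), the following Python model evaluates an incoming call against an ordered list of Power Routing rules built from the three lists above: caller type, condition (availability, time of day, on the phone) and action. The extension format, the sample rules and the key client’s number are assumptions.

```python
# Added example: a small model of Power Routing decisions.
# Assumptions: internal extensions are 3-4 digits; specific numbers are
# compared with whitespace removed; the rule set below is constructed.
import re
from dataclasses import dataclass
from typing import Optional

INTERNAL_EXT = re.compile(r"^\d{3,4}$")   # assumed extension format
CALLER_TYPES = ("internal", "external", "private")

def normalise(number: str) -> str:
    return re.sub(r"\s+", "", number)

def classify_caller(number: Optional[str]) -> str:
    """Map a caller ID to the caller types the feature distinguishes."""
    if number is None or number.strip().lower() in ("", "withheld", "anonymous"):
        return "private"
    return "internal" if INTERNAL_EXT.match(normalise(number)) else "external"

@dataclass
class Rule:
    name: str
    action: str                         # "voicemail", "mobile", "find_me", "forward"
    caller: str = "any"                 # "any", a caller type, or a specific number
    availability: Optional[set] = None  # e.g. {"in_meeting"}; None means any status
    hours: Optional[tuple] = None       # (start_hour, end_hour), end exclusive
    weekdays: Optional[set] = None      # 0 = Monday ... 6 = Sunday
    when_on_phone: Optional[bool] = None

    def matches(self, number, availability, now, on_phone) -> bool:
        if self.caller != "any":
            if self.caller in CALLER_TYPES:
                if classify_caller(number) != self.caller:
                    return False
            elif number is None or normalise(number) != normalise(self.caller):
                return False
        if self.availability is not None and availability not in self.availability:
            return False
        if self.hours is not None and not (self.hours[0] <= now.hour < self.hours[1]):
            return False
        if self.weekdays is not None and now.weekday() not in self.weekdays:
            return False
        if self.when_on_phone is not None and on_phone != self.when_on_phone:
            return False
        return True

def route_call(rules, number, availability, now, on_phone=False, default="voicemail"):
    """First matching rule wins; the default action applies when nothing matches."""
    for rule in rules:
        if rule.matches(number, availability, now, on_phone):
            return rule.action, rule.name
    return default, "default"

# Constructed policy mirroring the practical applications listed above.
OFFICE_DAYS = {0, 1, 2, 3, 4}
RULES = [
    Rule("key client: always to mobile", "mobile", caller="+44 1624 639420"),
    Rule("withheld numbers: voicemail", "voicemail", caller="private"),
    Rule("in a meeting: voicemail", "voicemail", availability={"in_meeting"}),
    Rule("internal, office hours: find me", "find_me", caller="internal", hours=(9, 17), weekdays=OFFICE_DAYS),
    Rule("external, office hours: mobile", "mobile", caller="external", hours=(9, 17), weekdays=OFFICE_DAYS),
]
```

Rule order matters: the key-client rule sits first so that it wins irrespective of calendar status, exactly as the “always divert to your mobile” use case requires.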
A survey of over 2,000 security professionals has found only 42% of organisations have policies in place that restrict or monitor the use of unsanctioned cloud applications. This figure is despite the fact that 53% of respondents said unauthorised apps are their biggest cloud security threat. The survey, undertaken by BitGlass Inc, looked at the evolution of cloud security.
More and more companies are being impacted by Ransomware. Not a week goes by where cyber-attacks, malware and ransomware are not featuring in the news. Unfortunately, this trend does not appear to be slowing down. There are a number of steps an organisation can take to help you reduce the risk of infection and to help you defend against similar threats.
What is Ransomware?
Ransomware is an advanced piece of malware (malicious software) that, once it has infected a system, seeks to encrypt or otherwise render useless data files, office documents, images and other important files. For a business to regain access to (and use of!) these files, they are required to pay a ransom (typically in Bitcoin). The concept of ransomware is not new, and there have been incidents as far back as 1989, but the events in 1989 are a million miles away from what we see today. The Internet potentially makes every internet user a target, malware is far more sophisticated and difficult to detect; and organisations are far more digitally enabled and connected. You also need to remember that Ransomware is a lucrative business and the Internet knows no bounds – so there is an added incentive for Ransomware authors (rather than just kudos).
Many organisations have a desktop estate that could range from an SMB with a handful of desktops in a single site to an enterprise with several hundred (or thousand) workstations and laptops deployed across many sites. Take the example of an organisation with 500 Windows workstations. In our experience, many organisations will not have USB device control, and the ports are free for anyone to access (or use) without further thought given to Data Loss Prevention (DLP). The data loss vector here is fairly obvious. A user can copy data to (or from) a removable device, potentially stealing data, accidentally disclosing data or introducing malware to your IT environment.
There are several ways of addressing the risks that originate from a risk assessment: you can avoid the risk entirely (withdraw), reduce or mitigate the risk, transfer the risk (e.g. insurance) or accept the risk.
If you consider a datacentre operator who houses a large amount of IT equipment, fire is a risk, whether that is due to an electrical malfunction or a fault with customer equipment.
Shadow IT is a term often used to describe a situation where IT systems (applications, software, devices, cloud services and similar solutions) are used within an enterprise without the knowledge or approval of the business. This can present a security and operational risk to the business, given that it bypasses the organisation’s standards, processes and procedures. This could include the enterprise’s configuration, licensing setup, security controls, documentation and implementation standards. More serious scenarios could actually jeopardise an organisation’s ability to comply with certain industry regulations such as data protection, PCI or even SOX. Imagine a serious breach relating to software even the IT department wasn’t aware of!
Security incidents are not new. Data theft, DDoS attacks and website defacements have been commonplace for many years. The thing that stands out with the recent spate of attacks is the amount of time it can take an enterprise to realise they have been compromised. The attackers may have been inside for some time.
The recent UCLA breach is a prime example. They suspected something as early as October; the FBI identified the breach in May. Quite some time, but a reflection of how good the malware is at remaining undetected. I do not doubt UCLA had firewalls, antivirus and followed best practice; you have to assume they did.
Many commentators are quick to criticise the IT team, the lack of security investment or they blame human-error. There is no denying the fact that human error and poorly developed software are common causes, but not always.
Advanced Persistent Threats
Nowadays, there is a new class of threat, the Advanced Persistent Threat (APT).
APTs are forcing many enterprises and organisations to rethink their security strategy and revisit their approach to identifying and safeguarding against threats.
I am not going to explain what an APT is, definitions vary by vendor – but in short, it is a new type of advanced threat that can go unnoticed, bypassing existing security controls and often moving throughout an organisation’s internal systems. Some describe it as custom malware. Vendors are quick to develop APT-beating solutions, analysts have a new market segment to discuss and businesses have something new to worry about!
The purpose of this brief article is to outline some of the technologies available to help safeguard your business against APTs.
(I am assuming your systems are already patched, hardened and you have a robust perimeter security policy – that is common sense.)
1) Control lateral movement with an Internal Segmentation Firewall
In the network world, your LAN to Internet traffic can be described as North-to-South. The traffic flow between your users and servers is referred to as East-to-West. Traffic that moves East-to-West is also known as lateral movement.
Once you are infected by modern malware or an APT, it (or they!) will attempt to move laterally throughout your IT and network environment. Using network enumeration, privilege elevation and further exploitation, they will try to compromise other systems or home in on higher-value targets. This can be automated or controlled externally by an individual with malicious intent. The end-game could be ransomware or data theft.
A common approach to prevent this lateral movement is to break up your network into zones or segments.
Think of your network as a big circle. Your network is on the inside, and the perimeter of the circle is your firewall. Outside of that firewall is the internet. Once someone is inside, they are free to move around your business. It is very similar to castle walls.
Segmentation takes a different approach. Instead of a single circle or “wall”, your network still has that perimeter wall, but it is also made up of several internal zones. Think of a honeycomb structure within the circle, where each department is a zone.
Traffic passing between these zones is subject to a network security policy, traffic flows are limited and scanned for malicious content or anomalous behaviour. A breach in one zone can (hopefully) be contained to that zone.
Most firewall vendors such as Fortinet, Palo Alto and Cisco have sold solutions like this for some time. It is only recently that the terms such as internal segmentation firewall and internal network firewall have grown in popularity. SANS has a paper about internal firewalls dating back to 2001, so it’s certainly not new!
In the absence of a firewall, most modern switching platforms also support some form of IP access list or network policies that can be applied to zones (typically L3 VLANs or SVIs). These can be used to inhibit or control lateral movements. They don’t solve the problem but they can make things harder. That is the name of the game.
The network segmentation approach is relatively inexpensive, but unfortunately for high-end environments it may not scale.
For your typical enterprise or large organisation, 1GE, 10GE and 40GE solutions are available. If you are trying to secure 100Gbps of traffic between blade chassis or Hadoop clusters, then things can and will get out of hand.
Ultimately the cost will depend on your topology (e.g. the number of zones) and the volume of traffic.
Virtualisation presents another challenge. East-to-West traffic can physically move around your network (between devices). With VMware and the like, this lateral movement takes place within the virtual environment. Fortunately, many vendors (including VMware) have virtual product equivalents and, to some extent, these are easier (and cheaper) to implement than dedicated appliances. If you run VMware/Citrix, you cannot overlook the virtual network.
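To make the zone policy concrete, here is an added example (not any vendor’s product code) that audits observed east-west flows against a zone allow-list in the way an internal segmentation firewall would enforce it. The zone addressing, ports, isolation setting and flow records are constructed assumptions.

```python
# Added example: auditing flow records against an internal segmentation policy.
# Zones, the allow-list and the sample flows are constructed; in practice the
# records would come from switch flow export or the firewall's own logs.
import ipaddress

# One zone per department/role, as in the honeycomb picture above (constructed).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "finance":      ipaddress.ip_network("10.30.0.0/24"),
}

# Zones where host-to-host traffic inside the zone is also blocked
# (client isolation); workstation-to-workstation SMB is classic lateral movement.
ISOLATED_ZONES = {"workstations"}

# Allow-list of (source zone, destination zone, destination port).
# Any east-west flow not listed is denied and recorded.
POLICY = {
    ("workstations", "servers", 443),
    ("workstations", "servers", 445),
    ("finance", "servers", 443),
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"   # north-south traffic, handled by the perimeter firewall

def evaluate_flow(src, dst, port):
    """Return (verdict, reason) for one observed flow."""
    s, d = zone_of(src), zone_of(dst)
    if "external" in (s, d):
        return "perimeter", f"{s}->{d} is north-south, not a segmentation decision"
    if s == d:
        if s in ISOLATED_ZONES:
            return "deny", f"host-to-host traffic inside isolated zone {s}"
        return "allow", f"intra-zone {s} traffic is not inspected"
    if (s, d, port) in POLICY:
        return "allow", f"{s}->{d}:{port} permitted by policy"
    return "deny", f"{s}->{d}:{port} not in policy"

def audit(flow_log):
    """Parse 'src dst dport' lines and return denied flows for follow-up."""
    denied = []
    for line in flow_log.strip().splitlines():
        src, dst, port = line.split()
        verdict, reason = evaluate_flow(src, dst, int(port))
        if verdict == "deny":
            denied.append((src, dst, int(port), reason))
    return denied

# Constructed sample flow records: "src dst dport".
SAMPLE_FLOWS = """
10.10.4.21 10.20.1.5 443
10.10.4.21 10.10.7.33 445
10.10.4.21 10.30.0.12 3389
10.30.0.12 10.20.1.5 443
10.10.4.21 203.0.113.9 443
"""
```

The two denied records (workstation-to-workstation SMB and workstation-to-finance RDP) are precisely the flows a flat network would let through unchallenged.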
2) Identify threats with DNS Intelligence and behavioural analysis
Every time one of your internal systems or servers wishes to access the internet, the DNS protocol will be used somewhere to resolve the domain name of the website or mail server they are trying to reach. When malware (or a hacker) tries to phone home, they too may use DNS to connect to their command and control (C2) servers.
A growing number of DNS and security providers are offering a new kind of DNS service. Essentially you re-point your DNS traffic towards one of these providers and they screen it.
DNS and its functionality continue as before. The key difference is that they check each one of your DNS queries in an attempt to identify anomalous behaviour or attributes that may indicate ill intent. Using their intelligence networks, machine learning and the power of the crowd, they can make split-second judgements on the behaviour of your DNS traffic; this could be based on known-knowns, inference or patterns.
This is an easy service to implement and rarely requires any kit or significant change in your infrastructure. This service is more of a diagnosis tool than a fix. It can tell you something is going on, but it won’t necessarily prevent it. It is a starting point though!
DNS solutions are often priced upon the number of users or on the volume of DNS queries originating from your network. This is often a simple inroad for an organisation, even if the solution is used as a barometer to gauge if something is going on.
It is worth mentioning that many firewalls support IP reputation analysis which performs a similar function. If your network assets are connecting to dodgy networks (and IP addresses), it alerts you and blocks said traffic.
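As an added example (not any provider’s method), the following Python screens a DNS query log for two of the signals such a service looks for: queries to domains already known to be bad (a known-known) and a pattern (long, random-looking labels and many unique subdomains under one domain) that can indicate a domain-generation algorithm or DNS tunnelling. The blocklist, thresholds and log lines are constructed assumptions.

```python
# Added example: simple DNS query screening over a constructed resolver log.
# KNOWN_BAD, the thresholds and SAMPLE_LOG are assumptions; a commercial
# service draws on far richer intelligence than these two heuristics.
import math
from collections import defaultdict

KNOWN_BAD = {"bad-c2.example"}   # constructed "known-known" list
ENTROPY_THRESHOLD = 3.5          # assumed: random-looking label
MIN_LABEL_LEN = 16               # assumed: ignore short, ordinary hostnames
SUBDOMAIN_THRESHOLD = 3          # assumed: many unique names under one domain

def shannon_entropy(s):
    """Bits of entropy per character of a string."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())

def registered_domain(qname):
    """Naive 'last two labels' approximation (no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def screen(log):
    """Return per-query verdicts and (client, domain, count) fan-out alerts."""
    verdicts, seen = [], defaultdict(set)
    for line in log.strip().splitlines():
        ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        reg = registered_domain(qname)
        leftmost = qname.split(".")[0]
        if reg in KNOWN_BAD:
            verdicts.append((client, qname, "block", "known C2 domain"))
        elif len(leftmost) >= MIN_LABEL_LEN and shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
            verdicts.append((client, qname, "alert", "high-entropy label (possible DGA/tunnelling)"))
        else:
            verdicts.append((client, qname, "allow", ""))
        seen[(client, reg)].add(qname)
    fanout = [(c, d, len(q)) for (c, d), q in seen.items() if len(q) >= SUBDOMAIN_THRESHOLD]
    return verdicts, fanout

# Constructed resolver log: "time client qname".
SAMPLE_LOG = """
12:00:01 10.10.4.21 www.example.com.
12:00:02 10.10.4.21 bad-c2.example.
12:00:03 10.10.4.21 a1b2c3d4e5f6a7b8c9d0.tunnel.example.
12:00:04 10.10.4.21 f9e8d7c6b5a4f3e2d1c0.tunnel.example.
12:00:05 10.10.4.21 0a1b2c3d4e5f6a7b8c9d.tunnel.example.
12:00:06 10.10.7.33 mail.example.com.
"""
```

Content-delivery networks and cloud services also use long machine-generated hostnames, so the entropy signal is a prompt for investigation rather than a block on its own, which is the “barometer” role the article describes.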
3) Advanced Endpoint Threat Detection
Traditional antivirus has its limitations. It uses a database of known vulnerabilities and viruses. It attempts to identify known threats through signatures or basic behavioural observations, often using heuristics. Traditional AV has a place but in many respects it is being overtaken by more advanced solutions.
The concept of databases is like having a register of all the bank robbers in the world. Naturally, you wouldn’t want these in your bank, but at what point does a bank robber become a bank robber… After they’ve robbed a bank. Before they do, they are a civilian like any other. In a similar way, a virus is only a virus once someone says it is. Until then…
The latest generation of solutions that address the limitations of AV are known as Endpoint Threat Detection systems or Endpoint Behavioural Analysis platforms.
These solutions place an agent on each endpoint, while the intelligence is typically a central appliance, a software solution or located in the Cloud (keeping the vendor’s intellectual property safely tucked away).
The agent’s job is to observe behaviour, kernel system calls, privileged processes, network traffic and file access, all the while communicating its findings to a central brain. The brain has insight into your whole IT environment, so using its advanced intelligence, machine learning, pattern matching or crowd-intelligence, it can make a judgement call.
Many of these agents work in harmony with additional devices or controls, providing containment alongside detection. In the event that an attack or potential incident is detected, the solution can trigger events that force other solutions to take action, whether that be containment or alerting individuals.
To make this work effectively, you need an agent on each and every endpoint (workstation or server). This can be costly, but effective.
4) Sandboxing (Payload Analysis)
Sandboxing is a technology that effectively mimics your live environment. In an enterprise, traditionally if someone e-mails you an attachment, your mail filter would scan it for spam and viruses, perhaps the file-type (e.g. PDF) and if ok – pass it through.
Much like traditional AV, these solutions are unable to spot advanced threats.
Sandboxing takes a different approach. When someone e-mails you a file, the sandbox will open the attachment in a secure contained environment and observe its behaviour. Does it act maliciously? What does it do? What files does it access? It then makes a judgement call. This is also known as payload analysis. Rather than looking at the label on the packet, it opens the packet, pokes it, eats it, tests it and sees what happens.
The challenge with sandboxing is that malware is intelligent. Modern malware attempts to detect the presence of a sandbox, trying to evade detection.
Sandboxing solutions are clever too. They are aware of these evasion techniques so they employ their own anti-evasion techniques.
Crafted malware is intelligent too, it understands the evasion-detection techniques the sandboxes use so it tries to avoid the anti-evasion-detection techniques with more magic. You get the picture. It really is a constant battle.
Sandbox solutions are rated on the number of files or messages they can process per hour. There is typically a capex purchase with ongoing support and maintenance. Some sandboxing vendors are cloud solutions, so represent an ongoing opex.
With Cloud, you need to be careful from a regulatory compliance perspective (HIPAA, Data Protection, PCI-DSS), after all, you may be uploading your files to the sandbox provider who could be located in a country that falls foul of your obligations.
That was a quick run through some of the technologies available to help safeguard your organisation against APTs. It is by no means an exhaustive list, but it serves as a starting point in any discussion around network security.
Cyber-security is an increasingly board-level topic of discussion, and conversations about security should now happen at every level. If you are in IT, educate your board. If you are on the board, ask IT.
Now is a good time to consider the security controls your organisation employs to safeguard against these emerging threats.
If your IT budget is a challenge or if the business has other priorities, you may find your existing systems (albeit with some tweaks) are already capable of providing an additional level of security without a massive capex or the sudden onslaught of a security subscription.
— Technologist Joe Hughes is CEO of Manx Technology Group, a company that provides a range of IT, network and security services to organisations of every size. Key areas of interest to Joe are cyber-security, FinTech, healthcare technology and the growing use of data throughout every aspect of business.