Helpdesk : 24x7x365
Minerva House, Ballafletcher, Douglas, Isle of Man, IM44QJ
+44 1624 640400

Intrusion Prevention Systems (IPS) in the Enterprise

The IPS (Intrusion Prevention System) is a solution MTG regularly deploy for our clients at their network edge. The IPS has its place in any organisation that does business online, and our deployments include solutions in financial services, service provider, banking and healthcare environments. We frequently find that many businesses do not understand the role of an IPS, and those that do often believe an IPS is only used in highly secure environments or by businesses that are constantly under threat of attack (which, given opportunistic attackers, is every business on the internet).

Is antivirus software still relevant?

In a 2014 study by LastLine Labs, much of the newly released malware went undetected by nearly half of the leading antivirus vendors. This is a worrying fact, especially given how many businesses rely on antivirus as their only form of defense! The general recommendation is a defense-in-depth approach, and an IPS is a key component of that strategy.

What is an IPS?

In brief, an IPS is a system that tries to identify threats and attacks through a combination of pattern recognition, anomalous behavior and traffic signatures. MTG predominantly implement IPS solutions at the network edge, where the system scans all inbound and outbound network traffic, trying to spot potential attacks or behavior that typically precedes an attack (e.g. network enumeration).

Fortinet describe an IPS as:

a technology protects networks from both known and unknown threats, blocking attacks that might otherwise take advantage of network vulnerabilities and unpatched systems.

..

FortiGate® IPS technology leverages a database of thousands of unique attack signatures to stop attacks that might evade conventional firewall defenses, plus anomaly-based detection that enables the system to recognize threats for which no signature has yet

How does an IPS defend the enterprise?

You may ask: if your business has antivirus, what sort of malware or attacks can an IPS prevent? The key thing to emphasise here is that not every attack or exploit can be classified as a virus. Antivirus often kicks in only after the horse has bolted, which is too late.

Some examples of an IPS in action:

  • Someone on the internet has opened 1000s of connections to your mail server. If this were to continue, the mail server would be starved of resources and be unable to function. An IPS would detect this anomalous behavior and block the attacker.
  • A user has browsed to a website that is trying to instantiate the Adobe PDF viewer in a malicious fashion. The IPS blocks this.
  • An attacker is scanning your IP range. The IPS identifies this behavior as an enumeration attempt, assumes ill intent and blocks the attacker.
  • A malicious web request is sent to your website. This specially crafted request is designed to exploit your web server; it is identified and blocked.

Furthermore, leading IPS systems are linked to the Cloud. This link provides shared intelligence and a centralised threat resource. If an attack is experienced in the UK and the signature is well known, then this same signature can be distributed to other IPS systems.

Custom IPS

The Fortinet IPS has several thousand pre-built signatures that are constantly updated. If your business has its own web application or portal, then a custom signature can be written to help safeguard your system.

For example:

  • When someone logs into your financial services portal and gets their password wrong, the browser responds with “Error 2301 – Password incorrect”.
  • An IPS can log the number of these occurrences per IP address. If that number exceeds a threshold, it will block the IP on the firewall!
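
The threshold rule described above, sketched as an added example (not MTG's or Fortinet's code): a per-IP sliding-window counter over observed responses. The threshold of 5, the 60-second window, the class and function names and the sample events are assumptions constructed for illustration; only the “Error 2301” marker comes from the text.

```python
from collections import defaultdict, deque

MARKER = "Error 2301"   # response text from the example above
THRESHOLD = 5           # assumed: failures tolerated per source IP
WINDOW_SECONDS = 60     # assumed: sliding window length


class FailedLoginTracker:
    """Counts responses containing MARKER per client IP in a sliding window."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of matching responses
        self.blocked = {}               # ip -> time the block was raised

    def observe(self, ts, client_ip, response_body):
        """Feed one observed response; return True if the IP is blocked."""
        if client_ip in self.blocked:
            return True
        if MARKER not in response_body:
            return False
        q = self.hits[client_ip]
        q.append(ts)
        while q and ts - q[0] >= self.window:  # drop matches older than the window
            q.popleft()
        if len(q) > self.threshold:            # "exceeds a threshold" -> block
            self.blocked[client_ip] = ts
            del self.hits[client_ip]
            return True
        return False


def run(events, **kwargs):
    """Replay (timestamp, ip, body) events in time order; return blocked IPs."""
    tracker = FailedLoginTracker(**kwargs)
    for ts, ip, body in sorted(events):
        tracker.observe(ts, ip, body)
    return tracker.blocked


# Constructed sample traffic (documentation-range addresses, seconds as timestamps).
FAIL = "Error 2301 – Password incorrect"
SAMPLE_EVENTS = (
    # Password guessing: 6 failures in 10 seconds from one address.
    [(t, "203.0.113.50", FAIL) for t in range(0, 12, 2)]
    # Forgetful user: 6 failures, but two minutes apart.
    + [(t, "198.51.100.7", FAIL) for t in range(0, 720, 120)]
    # Successful login: no marker, never counted.
    + [(15, "198.51.100.9", "Welcome back")]
)

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

A lifetime counter with no window would eventually block the forgetful user as well; the window is what separates a burst of guesses from occasional mistakes.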

Key points

  • MTG typically deploy an IPS system as part of a firewall security solution.
  • An IPS will scan traffic in real-time.
  • This provides comprehensive security controls that complement the security provided by antivirus and firewall solutions.
  • An IPS protects against a whole range of attacks, not just viruses.
  • The IPS can be installed on LAN or DMZ segments, alongside existing firewall environments.

Your business must plan to protect against all threats; not just current threats, but all threats, known and unknown. Speak to MTG about how an IPS can enhance the security within your enterprise.

 

 

The future as predicted by Five Top Venture Capitalists.

Forbes covered the 17th annual Top 10 Tech Trends dinner in San Jose. The event saw leading technologists and venture capitalists come together to predict the future!

Some of the technological visions include:

  1. On-demand ambient computing. Shervin Pishevar of Sherpa Ventures. “What you’ll see is services that will be able to predict what you want before you even express it”
  2. Traditional banks will keep losing share to startups while bitcoin fades. Rebecca Lynn of Canvas Investment Fund. “banks are inefficient and not so great at serving customers, and it’s better done by fast, nimble startups.”
  3. The Virtual Me. Jenny Lee of GGV Capital. Wearables, hardware and sensors – the connected human.
  4. The Skynet economy. Steve Jurvetson of DFJ. Low altitude satellites, 16GB/s broadband and ubiquitous connectivity.
  5. The end of the auto nation. Bill Gurley of Benchmark. “We may have hit what’s called peak car. Kids aren’t showing up on their 16th birthday to get a driver’s license. The smartphone is more of a social status than a car is.”
  6. The Fifth mode of transportation. “Technologies such as the hyperloop and massive drones that can land and take off on water will transform the transportation of people and things, said Pishevar, who has invested in Hyperloop Technologies Inc.”
  7. The reemergence of women in tech.  “In the next 5 years, half of computer science students will become women, which will lead to more female founders and CEOs.”
  8. The economy of me. By 2020, commerce and services will fundamentally shift to being online and global. In the next five years, the number of people on the mobile internet will double, forming the “personal economy.” Brick and mortar will be obsolete.
  9. The rise of robocars. “For those of us who have a chance to be in one, you’ll never go back. I believe they are already safer than my parents.” Initially they will run at speeds of 25 mph or less in urban settings.
  10. The native mobile application platform will continue to dominate the mobile Web. Gurley said smartphones will be the remote control of our life. “The browser and search are kind of like a platform, and that platform is finally maturing.”

 

 

IP enabled drug pump vulnerable to hacking

The US Department of Homeland Security has issued a warning after an internet-connected drug infusion pump was found to be vulnerable to exploitation. The security researcher described the pump as “literally the least secure IP enabled device I’ve ever touched in my life.”

The warning received a rating of 10/10 for both severity and impact according to the vulnerability report.

The device in question (Hospira Lifecare PCA3), running software 412, allowed people to telnet to the device without authenticating, so any would-be attacker could gain root privileges. Furthermore, wireless encryption keys were stored in plain text.

What this means is that anyone with access to the device, and in close proximity to the wireless network, could subsequently access a “Life Critical Network”, where other medical devices could be connected! You can imagine the severity of such network access, and the impact this could have on the network infrastructure.

The vulnerability is well covered in the security press with websites such as scmagazine covering it in great detail.

One thing is apparent: it is fast becoming a challenge to keep up with biotech and advances in medical technology. Fortunately, there are various standards and industry best practices that advise on the best way to secure medical software, devices and networks.


 

ISO 80001 (“Application of risk management for IT-networks incorporating medical devices”) applies to medical device manufacturers and providers, governing the risk management of an IT network incorporating medical devices.

ISO 27799:2008 (“Health informatics, information security management in health using ISO 27002”) applies to health information, and encompasses computer networks and electronic devices.

ISO 14971:2007 (“Application of risk management to medical devices”) covers the devices themselves.

Outside of ISO standards, you have working groups such as the EU Data Protection working party issuing guidance notes. Opinion 08/2014 covers the IoT (Internet of Things).

You also have HIPAA (“Health Insurance Portability and Accountability Act”). NIST 800-66 covers “Implementing the HIPAA Security Rule”.


 

It is plain to see that with the sheer growth of internet-connected medical devices, wearables and implantables, the likelihood of vulnerabilities and attack vectors can increase proportionally. For device manufacturers, operators and health authorities, it is critical that a thorough risk assessment is undertaken and, wherever possible, a security policy and architecture put in place to ensure risks are managed.

Patient data is one of the most crucial types of data, and one that cannot easily be replaced. Reputationally, a medical data breach can be fatal for an operator and embarrassing for a health authority.

 


Data Breaches in Healthcare – Damaged Confidence

In a world striving for better patient outcomes, the increased use of health technology and the adoption of wearables and the IoT – data breaches do little to instill confidence in patients or healthcare professionals.

PHI (Protected Healthcare Data), as the name suggests, is “any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This can include any part of a patient’s medical record or payment history”. You can therefore understand the importance of safeguarding this data: unlike a credit card, it is very difficult to change your individual healthcare data in the event of a breach!

There is also a growing market for PHI and health data. You may ask why? Some estimate that a stolen health record can fetch $10, more than 10 x the price of a stolen credit card. A recent data breach in the US saw the data of 39,000 patients disclosed through an e-mail phishing attack.

Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC said:

“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit. Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”

There has been a surge in targeted phishing attacks against healthcare, with further phishing scams reportedly targeting some 80 million records.

As the use of IT, technology and IoT (Internet of Things) increases in healthcare, it is imperative that software vendors, device manufacturers, healthcare bodies and clinicians understand the risks, attack vectors and the security controls needed to safeguard patient data. The ecosystem of players in the healthcare IT sector is growing, and along with it their exposure to threats.

 

1 in 3 Businesses plan to run Windows 2003 after End Of Life (EOL)

In February 2015, Bit9 + Carbon Black surveyed over 500 enterprises to try and understand their plans for the upcoming Windows Server 2003 EOL deadline. The survey found many faced serious challenges trying to migrate key applications and that as many as 2.7 million servers would continue to run unsupported.

MTG have been working tirelessly with many businesses to migrate their systems to Windows 2012. This is often not a straightforward process; legacy applications, Microsoft Exchange, SQL Server and various other line-of-business applications are present on, or rely upon, the Windows 2003 servers. The EOL date is not a surprise, but it does place many businesses under immense pressure.

The summarised findings include:

  • Roughly 1 in 3 enterprises plan to run WS2K3 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected
  • More than half of enterprises did not know when Microsoft was ending support
  • 14 percent of enterprises do not yet have an upgrade plan for WS2K3

 

The findings are staggering, if not concerning. If your business is facing similar challenges or is worried about the looming EOL date – speak to MTG. We are working with numerous businesses in the Isle of Man and UK who are eager to migrate their core systems to a more recent, supported platform.

 


Defence in Depth

In 1994, a new computer virus was released once every hour. By 2006, this had increased to one a minute. Now, there are 350 000 new samples every day.¹

The team at MTG support and work within enterprise IT and network environments that encompass several thousand endpoints. Desktops and laptops running Windows make up the majority of this estate, with Windows Server powering the back office and business applications. There is a growing number of clients who are using Macs and Linux; in the case of Linux, this is typically in their server or hosted environments. In all cases, there is a level of security to safeguard business systems.

The most common layered defense in the enterprise consists of the following controls:

  • Network Edge – Firewall. Secures the network edge. A mix of UTM/NGFW and traditional firewalls.
  • Inbound E-mail Anti-Spam and Anti-Virus. Scans all inbound e-mail for viruses, malware and spam.
  • Enterprise E-mail – Exchange Anti-Virus. Scans all internal e-mails and mail stores for viruses.
  • Server – Anti-Virus client (scans memory, files, processes)
  • Desktop – Anti-Virus client (scans memory, files, processes, Outlook, Office, Macros)

To the layman, this seems quite a comprehensive list of controls; securing the enterprise at multiple levels and checking for threats at different entry points.

However – we regularly speak to companies who employ many of these controls and yet they are still impacted by viruses and malware. These companies will use well known brand software, maintain up to date virus definitions and strictly control web-access, so what gives? With the advent of CryptoLocker and similar ransom-ware, some have suggested CyberCrime is responsible for this boom in malware. As the earlier quote alluded to, Kaspersky believe there are over 350k new virus samples every day – it makes you wonder whether traditional anti-virus can keep up!

From my perspective, I would say there have been two marked changes in the enterprise IT threat landscape. The first is the mobile workforce and the rapidly increasing and often unnoticed adoption of BYOD (bring your own device) in the enterprise. The second is the staggering onset and progression of new malware, viruses and similar exploits, many of which often go unnoticed by your typical anti-virus software.

In the next series of articles we will walk through the sort of systems your business should employ to eliminate risks, how to gain additional insight and visibility, and other ways your business can safeguard their data and key business systems.

We will focus on the following:

  1. Unified Threat Management (UTM) and Next Generation Firewalls (NGFW).
  2. Intrusion Prevention Systems (IPS).
  3. Sandboxing.
  4. Inbound and Outbound e-mail anti-virus scanning, anti-spam filtering and mail archiving.
  5. Enterprise messaging anti-virus (e.g. Microsoft Exchange).
  6. Endpoint protection including anti-virus software, heuristics and best practices for desktop hardening.
  7. Risk and Policy Management which ensures continuous, enterprise-wide compliance and configuration checks against a defined baseline/best-practice.
  8. Change-Control (Manual and monitored).

MTG provide solutions to a variety of customers ranging from SMEs, enterprises and public sector organisations. We have a range of sector specific solutions focused on Financial Services (including FSA and FSC regulated companies), Healthcare and Biomed, and solutions for the hospitality industry. If your organisation would like to review their defence mechanisms or are facing a particular problem with security, please get in touch today.

¹ – Kaspersky Lab deputy director for global research and analysis Sergey Novikov

Android Security Report

Android is the most popular mobile device OS with over 52.8% market share (according to comScore).

Google have published their 2014 Android Security Report. The report outlines the improvements made to Android and its security architecture, and includes statistics on vulnerabilities in the Android OS.

Key points include

  • Less than 0.15% of devices that only download from Google Play had potentially harmful applications (PHA: malware + adware + riskware)
  • Less than 1% of all devices had PHA
  • There are more infected devices in Russia
  • Rooting tools are most common in China (~4%)
  • On average, 0.5% of devices use rooting tools
  • There is a marked growth in ransomware

Fortinet have a blog post which echoes these findings and overlays them against its own vulnerability analysis garnered through its Fortiguard network.

The report goes to show the importance of solutions such as BYOD (Bring your own device) and MDM (mobile device management). Despite an enterprise having robust perimeter security and firewalls, stringent Windows update policies and anti-virus, an organisation can be exposed through mobile devices.

MTG’s range of security solutions include MDM, Firewalls and BYOD services that can enhance and strengthen an enterprise mobile strategy.
