Tuesday, September 27, 2011

Five Tips to Reduce Risk from Modern Web Threats

By Chris McCormack, Product Marketing Manager, Sophos and Chester Wisniewski, Senior Security Advisor, Sophos
User education and awareness, preventive measures and a modern web security solution are all integral components of a comprehensive defense against today’s web threats.

This guide covers some essential preventive measures you should implement to reduce your risk and keep ahead of the threats as much as possible. In particular, it’s important to:
  • Keep your systems patched and up to date.
  • Standardize your web software.
  • Secure your browsers.
  • Enforce a strong password policy.
  • Use an effective web security solution.

1. Keep your systems patched and up to date.

Keeping systems fully up to date—including the operating system, web browsers, browser plugins, media players, PDF readers and other applications—can be a tedious, annoying and time-consuming ongoing task. Unfortunately, hackers are counting on most people to fall far short of what’s needed to keep their systems up to date. 

 Most web malware utilizes commercially available exploit packs that contain dozens of different vulnerability testers, redirectors and actual exploit code that attempt to test for and exploit any vulnerabilities they can find. These kits are designed specifically to prey on users who aren’t diligent about keeping their software and operating system patches up to date.
The most common targets for these web-based exploit packs are not just web browsers such as Internet Explorer, Firefox, Safari, Chrome and Opera, but also common cross-browser plugins such as PDF readers, Flash players, QuickTime and Java Runtime Environment, as well as operating systems themselves.
 The importance of applying system patches should be obvious. Although they are annoying and time consuming, they’re also critical to the security and efficient operation of your IT infrastructure. Therefore, it’s worth making an investment in system patches. One of the best ways to make patching easy is to keep auto-updating turned on for applications that support it and encourage users to apply all updates as soon as they are prompted to do so.

 2. Standardize your web software.

 If you’ve just read point number 1, you’re probably still thinking that keeping systems fully patched and up to date is an onerous task. What makes this worse is if you don’t know what software is running on your network or you have a variety of individuals using different browsers, plugins and media players.

As mentioned, modern web attacks often leverage commercial exploit kits that attempt to exploit dozens of different security vulnerabilities. The more varied your platforms and software are, the more opportunities you present to the hackers to exploit, and the more likely they are to find a vulnerability in an unpatched application.

Make your life easier and dramatically reduce your threat surface area by limiting users to—or better yet, standardizing on—a core set of minimal applications for interacting with the web. Enforce a policy that all users must access the internet with a common set of tools that meets the minimum requirements:
  • Browser: Stick with a single mainstream browser. Popular browsers invite more exploits but also have more resources behind them to address vulnerabilities and provide patches more often.
  • PDF reader: Again, stick with a single mainstream PDF reader. Keep it patched, ensure the auto-update feature is enabled, and ensure users are advised to install patches as soon as they become available.
  • Media player: Avoid unnecessary media player add-ons and codec packs. If possible, stick with what your operating system provides and keep your OS patched.
  • Plug-ins, add-ons and toolbars: Avoid unnecessary browser plugins and toolbars. They only increase the potential surface area for attack.

In addition, configure your browsers so that they do not install plugins, add-ons, ActiveX controls and toolbars without at least a prompt, using settings such as "Warn me when sites try to install add-ons." Simplify the task of minimizing security vulnerabilities and keeping your systems patched and up to date by reducing the variety of internet tools, applications and plugins used in your organization to the bare minimum, and standardizing and enforcing their use across your organization.

3. Secure your browsers.

You must familiarize yourself with the plethora of security, privacy and content settings that all browsers have in order to understand the trade-offs. Some security settings will merely increase the level of prompting—annoying users without adding any tangible security—while others can be important to limiting exploits and threats.

 Here are some common browser elements you can control through settings, and the trade-offs involved:
Cookies: Although cookies can be exploited in some malicious ways, they are an important component of internet usability. Therefore, turning them off altogether is not a viable option. However, controlling third-party cookie activity is important. Check that your browser is blocking third-party cookies if at all possible by using settings such as "Accept third-party cookies."

Autocomplete: Autocomplete or autofill is a feature in many browsers that stores information you recently typed, such as search terms, recently visited websites and your personal information (e.g., name, email, address, phone) in the interest of saving keystrokes. Although this data is obfuscated, some malware targets autocomplete data in order to steal passwords or other personally identifiable information. In addition, using autocomplete for login information can present a significant risk for lost or stolen laptops—allowing criminals to easily abuse account privileges. Ensure that you understand the trade-offs and risks involved and make the best decision for your particular organization with respect to usability versus security. Set up your browsers accordingly.

Add-ons: ActiveX controls, plugins, browser helper objects (BHOs) and toolbars are all examples of browser add-ons. As discussed in point number 2 above, it’s imperative to restrict add-ons to an absolute minimum in order to reduce your threat surface area for exploits. However, if your security vendor supplies add-ons for your browser, make sure you don’t disable them as they can be instrumental in bolstering the security of the browser—providing valuable pre-execution analysis of browser code. Make sure you understand how to view the active browser add-ons and force a prompt whenever a web page tries to install a new one.

Content filters: Although this is not a concern for users on a corporate network that implements a proper web security solution (see point number 5), users operating remotely, at home or at a Wi-Fi hotspot should ensure their browser content filters are enabled. Most popular browsers offer at least a basic phishing and/or malware site database that can help provide protection from the most ubiquitous threats (see Figure 3). Ensure that your users enable these filters on their browsers.

Popup blockers: Popups are not only annoying resource hogs, but they also can pose a security risk by either hosting embedded malware directly, or trying to lure users into clicking on something using a well known social engineering trick. For example, some popups can be ingeniously crafted to look like Windows dialog boxes, and the mere act of clicking the "X" to close the box can instigate a malware attack. Ensure that your selected browser has popup blocking enabled (see Figure 4) and make users aware of the dangers of interacting with any kind of popup.

4. Enforce a strong password policy.
 
The purpose of a password policy should be obvious: If you don’t want everyone to have access to something, you set up passwords to permit access only to authorized users. The purpose of an effective password policy is to keep passwords from being easily guessed or cracked by hackers. Despite this enormous vulnerability in every system, many organizations fail to take this threat seriously.

Here are some tips for creating an effective password:
  • Use long passwords. The more characters they contain, the more secure they are.
  • Include numbers, symbols, and upper- and lowercase characters.
  • Do not use common dictionary terms. The first thing hackers will do is literally try every word in the dictionary to crack an account.
  • Do not use personal information such as pet, romantic, family or other names, or birthdays.
  • Change passwords frequently.
  • Avoid passwords users can’t remember, or equip them with a centralized password management tool to make password management simple and secure (such as LastPass and 1Password). The worst kind of password is one written on a sticky note next to the computer.
  • Users should abide by simple and effective password policies both at work and at home. This will go a long way toward securing this major vulnerability in all systems.
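
The creation tips above can be enforced when a password is set. The following is an added example, not code from Sophos or from this blog; the minimum length of 12, the small sample wordlist and the function names are assumptions made for illustration.

```python
import re

# Assumed threshold: the article says "long" without giving a number.
MIN_LENGTH = 12

# Constructed sample wordlist; a real deployment would load a full dictionary.
SAMPLE_DICTIONARY = {"password", "dragon", "monkey", "welcome", "sunshine", "letmein"}

# Common character substitutions, undone before the dictionary and personal checks.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lowercase and undo simple substitutions so 'P@ssw0rd' matches 'password'."""
    return text.lower().translate(LEET)


def check_password(password, personal_terms=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Require numbers, symbols, and upper- and lowercase characters.
    classes = {
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    folded = normalize(password)
    # Reject dictionary terms even when disguised with substitutions.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in folded:
            problems.append(f"contains dictionary word '{word}'")
    # Reject names, birthdays and similar details supplied for this user.
    for term in personal_terms:
        if len(term) >= 3 and normalize(term) in folded:
            problems.append(f"contains personal information '{term}'")
    return problems
```

Both the candidate password and the personal terms are normalized the same way, so a birthday such as "1984" is still caught after the digit substitutions are undone.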

5. Use an effective web security solution.
 
A proper web security solution is a vital component of an overall strategy for safeguarding your organization from modern web threats. It will reduce your threat exposure by limiting users’ surfing activity to website categories relevant to their work, or at least help them avoid the dirty dozen categories (adult, gambling, etc.) that are a breeding ground for malware. It will also protect you from trusted sites that you visit daily that may become hijacked at any time to silently spread malware to unsuspecting visitors. Finally, it will also help protect your internet resources from abuse as a result of the exchange of illegal content or bandwidth-sapping streaming media.
The key components of a web security and control solution are:
  • Productivity and reputation filtering establishes acceptable user policy, limits threat exposure from notoriously malicious site categories and filters out sites with bad reputations regardless of category.
  • Proxy filtering prevents users from bypassing web filtering and putting themselves and the organization at serious risk.
  • Real-time malware filtering catches malware in real time, as it’s downloaded from hijacked trusted sites.
  • HTTPS filtering secures this increasingly important vector, to which most web filtering solutions are completely blind.
  • Content-based filtering reduces the threat surface area from file types associated with malware and helps control bandwidth consumption.
Review our Web Security and Control Buyers Guide for more insight into what constitutes an effective web security and control solution.



Are you concerned about the security of your data? Call TeamLogic IT at 650.204.3150 for a free consultation. We use only the best tools available and can monitor your systems 24x7. Whether it is virus protection, intrusion prevention, ensuring regulatory compliance, or helping your company to establish and document your security policies, our trained security experts can help you through whatever security concerns you have.

Taking the worry out of your technology.

Thursday, September 22, 2011

Managing the Email Demons



Article submitted by Jon Simms of TeamLogic IT of Mountain View

How much valuable time does your staff lose accessing their email, sorting through spam, finding misplaced messages, and dealing with unexpected outages? Electronic communications are the lifeline to most businesses today, and if you don’t have a comprehensive system that connects your customers and employees in a timely fashion, it can cost you dearly.

In today’s competitive climate, email has become the most reliable and cost-effective way to move documents and other communications. However, the networks that deliver email are so efficient that it’s also easy to deliver malware (commonly known as viruses) and spam using the same system. Safeguards need to be in place to ensure business email remains effective, reliable and secure.

In addition to ensuring optimal productivity and protection from spam and malware, companies must also comply with federal and state statutes that require businesses to be able to produce email and related files in the case of legal action. Failure to do so can have substantial ramifications in terms of time and money lost.

The most effective businesses recognize the importance of developing proper email procedures and implementing the latest technologies to improve efficiency and security. When these companies combine the enforcement of company computer policies with continued employee education, they are better prepared to deal with potential threats and other issues that could affect their bottom line.

The Real Cost of Spam

Unsolicited bulk email messages make up a significant percentage of the electronic communication. I say “too much” spam because, to some degree, every system is vulnerable to spam. Creative spammers understand the verbiage these filters look for and continually look for new ways to beat the system. This is why you and your solution provider have to remain diligent with the maintenance and updates to your security controls.


Time Spent on Spam Mail

The primary cost associated with spam is lost productivity. According to the most recent National Technology Readiness Survey, dealing with spam messages costs companies approximately $21.6 billion per year! Businesses that implement the latest proactive procedures to thwart these malicious attacks typically gain a competitive advantage over their peers.

Secondarily, archiving these worthless messages can increase data storage costs and put a strain on the efficiency of computers and servers. Prompt removal can result in cost savings and help to ensure greater efficiency of your systems.

Reduce Viruses and Security Threats

Viruses are often delivered via email, exposing a company to huge security concerns. The financial losses from a breach of intellectual property or confidential information can be devastating, ranging from lost revenue to the cost of litigation, or potential fines for noncompliance with state and federal statutes. Even if liability is not a major concern, losing client information or company secrets can significantly damage a company’s reputation or their customer relationships.

Antivirus software and antispyware are essential to prevent the invasion of your business networks. Isolating email messages that contain potential threats is a key first step, with employees playing a significant role. Each must be personally responsible for reviewing and disposing of suspicious messages and attachments, and alerting the technology support team when they have questions or concerns about an email they receive. Due diligence is the best threat-prevention method.

Reducing Your Business’ Litigation Risk

When called into court by a customer or former employee, finding related (and required) electronic messages and attachments can be a nightmare —unless the proper archiving and retrieval tools are in place. You need to be able to archive and retrieve certain information quickly and simply.

In addition to the requirements of the Federal Rules of Civil Procedure, some state and industry regulations dictate that businesses have the ability to locate and produce certain email messages and related files. Those not complying with these rules face significant court penalties or even the forfeiture of a lawsuit. The eventual cost of not having the proper archiving solution in place could be expensive, considering business lawsuits typically approach millions of dollars.

Implementing an easily searchable archival storage system could save your business a substantial amount of labor hours and reduce the aggravation of trying to find all the files required to defend a lawsuit. Growing organizations typically produce a large number of emails and other data, so sorting through it manually can be a monumental task. If your archive has search functionality, the process will be much less painful and costly.



Email is a mission critical application for almost all businesses today. If the productivity of your company suffers from unwanted SPAM or virus infections due to malicious emails, TeamLogic IT can help. We use state of the art SPAM and virus filtering to protect your company and keep your communication channels open. For more information, contact us at 650-204-3150 or email MountainViewCA@TeamLogicIT.com.

Tuesday, September 13, 2011

The Time is NOW for Virtualization

By Blake Britton – VP, Axxys Technologies

As we continue to look forward at the IT landscape, virtualization is a rapidly growing trend in our business. Here are a few reasons we are encouraging some of our clients to move to a virtual server environment for their infrastructures:

Maximize Resources

Can you imagine hiring someone with the intent of using 10% - 20% of their potential? This is what seems to happen when a client purchases a new server for their business. Server hardware is incredibly powerful with Quad Core processors and the low cost of memory these days; however, it is challenging to utilize the resources to their full potential because of operating system and software limitations. By implementing virtual software such as VMware ESXi (FREE) you are able to create multiple servers each with their allotted piece of the processor and memory "pie". This will allow you to create multiple environments where hardware resources are fully utilized per server for each role. I know you think this may be creating too many servers but this is simply needed in a lot of environments so applications and processes can be run at their full potential.

Faster Server Provisioning

When you build a virtual server environment you have the ability to build your servers to be flexible. Flexibility allows you to access and run a virtual server at any time to take over operations of a downed server should the need arise. For example, if your file/print server goes down and you have it backed up, under the right circumstances, you can migrate from the backup or rebuild your file/print server to a virtual server using the tools provided from VMware. This eliminates the need to wait on new hardware and provides you the ability to immediately work on the solution for the downed server.

Reduce Your Server and Carbon Footprints

By using virtualization technology you can still have the right number of servers needed to operate your business efficiently. If you are moving to a datacenter environment, having fewer servers means you need less "real estate" to house those servers. It also provides you with the ability to lower your power and cooling requirements since you are running less physical equipment. This allows all businesses to think and act "green" without compromising business productivity, while saving money on location housing and electricity.

There are many other reasons to begin building your virtualization strategy, but the keyword here is STRATEGY. You are moving to a new model when thinking of technology so it is important to plan this migration out so your business can achieve the greatest value possible. Consult with us on your strategy.


As your business becomes more server intensive, virtualization is the best way to defray the costs because it allows you to maximize your hardware utilization and improve your efficiency of deployment. Call TeamLogic IT at 650-204-3150 and ask us how to get started. We are industry leaders in virtualization and high availability.

Wednesday, September 7, 2011

5 Steps to Create and Execute a Technology Plan

by Courtney Kaufman
Marketing Manager of Accent Computer Solutions, Inc.


As an owner or business executive have you ever contemplated your business objectives and come to realize that your technology is in the way of your plans?

Have you had a great idea about improving business operations or productivity and found out that you just don’t have the right computer systems, or that it will cost a ton of money to upgrade? Would you like to know what the new trends are and how they could benefit you?

Technology planning helps answer the above questions and many more that you may not think to ask. The primary goal of a technology plan is to support your business plan objectives and to keep productivity and compliance issues front and center. Here are the five steps in creating and executing a Technology Plan.

HAVE A VISION

This is where your mindset needs to be on the vision for your company as a whole.

First, picture the business as you want it to be, paying no mind to technology – just the business. Out of this exercise will come ideas of how your business should perform as a whole.

Do you see what you want your staff to be able to do, what roadblocks or bottlenecks you want to be eliminated, what job function you would like to see automated, etc.?

Thinking about it this way takes the actual technology (hardware, software, etc.) out of the picture and gives you an infinite number of possibilities to get where you want to go. This will give you a better idea of what you need to do.

EVALUATE WHAT YOU HAVE


Now get together with your IT provider or your CTO (Chief Technology Officer) and draw out exactly what systems you have. This should be a visual representation of your systems and processes. The document should provide comprehensive details regarding the systems, versions, Internet Service Providers, security, and risk related to hardware and software age, as well as compliance with regulations.

MAP YOUR ROUTE

There may be many ways to get to your planned destination. Technology changes rapidly, but that gives you options you may not have had even just last year. Considerations for which path you should take need to include your budget, your risk tolerance, legal compliance, anticipated company growth or contraction, and necessity for change.

This is where your CTO or IT provider will present you with all of the technology options for how your business can get from your current position to your vision.

BUILD THE PLAN

Building your plan is a simple matter of understanding the goal and putting budgets and dates together to execute the plan. A solid technical architect is required to design and compile the appropriate solutions that meet your expectations. The design process should include a hybrid of all technical options available.

START THE JOURNEY

The actual execution of a technology plan can be challenging to say the least, but it should not be so frustrating that you wish you had not started the process. A good technical team will be able to make the transition relatively painless.


How is your business running? Be honest. Are there things you wish you could be doing that you can't today because of limitations in your computer and networking systems? At TeamLogic IT, we work with you to understand your goals, suggest options for achieving these goals and help you implement your business objectives in a phased approach. Call us today at 650-204-3150 for a free consultation and an evaluation of your current system.

Taking the worry out of your technology