Category Archives: Security

What’s Your Password?

Earlier this month, we posted a couple of articles on the state of cyber security. Of course, one of the biggest problems with cyber security is that too many people don’t take it seriously enough. Don’t believe me? Take a look at this:

In the words of cartoonist Walt Kelly (on Earth Day in 1971): “We have met the enemy and he is us.”

The State of Cyber Security

As we move into 2015, it’s appropriate to look back and think about what we’ve learned about the threat landscape. To that end, CheckPoint’s 2014 Security Report makes for some pretty interesting reading.

According to their research, in a typical large enterprise:

  • Every 1 minute a host accesses a malicious Web site
  • Every 3 minutes a bot is communicating with its command and control center
  • Every 9 minutes a high risk application is being used
  • Every 10 minutes a known malware is being downloaded
  • Every 27 minutes an unknown malware is being downloaded
  • Every 49 minutes sensitive data is sent outside the organization
  • Every 24 hours a host is infected with a bot.

If you’re an SMB rather than a large enterprise, it doesn’t mean you’re off the hook, it just means that you may have a bit more time before the law of averages catches up with you.

Why does this happen? It’s not because your users are stupid, and (in most cases) it isn’t because they’re malicious. It’s because they’re not IT security professionals, and they’re busy trying to do whatever it is that you hired them to do. When a window pops up with an “OK” button in it, many of them will reflexively click “OK” without realizing exactly what they just agreed to. (And it may have been permission to install malware on their system.) Busy people also often think nothing of opening a file attachment that arrives by email, not realizing that more than two-thirds of malware-infected files are either PDFs, archive files (e.g., ZIP, tar, RAR, CAB, etc.), or MS Office files (typically Word and Excel, sometimes PowerPoint as well). People who are enticed to visit a compromised Web site, and who are then prompted to install an updated video driver in order to view the Web site content, will often approve it without thinking that what they’re installing might not be a video driver at all.

It also happens because, in the continuing arms race between malware writers and security software vendors, the malware writers are getting better at evolving their malware to avoid detection by existing products – typically giving them a 2 to 3 day window of opportunity to exploit systems before the malware is detected, security definitions are updated, and security software is able to detect and block it. And with today’s do-it-yourself malware toolkits, you don’t have to be a sophisticated code jockey to generate a new malware variant. Modern security software typically includes algorithms that look for suspicious behavior in order to try to block unknown malware, but according to CheckPoint, less than 10% of antivirus engines were capable of detecting new malware variants when they were first caught in the wild.

So, in the words of the 1965 “Total” cereal commercial, “What’s a mother to do?”

First of all, you should have a written security policy, and make sure that all of your employees have a copy of it, and sign off on a statement that they have read it and understand it. That way you know that (at least once) they’ve had to give some thought to security and what they are expected to do (and not do). Also, if you ever have to take disciplinary action against an employee, you’ve protected yourself against the “Wait, I didn’t know I wasn’t supposed to…” argument. If you need assistance in crafting a security policy, contact us. It isn’t that difficult, and there are readily-available templates that can be easily modified to adapt to most organizations’ needs.

Second, use a defense-in-depth strategy. A small or mid-sized organization may not be able to afford the sophisticated network intrusion detection/prevention systems that large enterprises deploy, but a good firewall appliance (like the latest WatchGuard models) can provide a layer of virus filtering, outbound URL filtering, and intrusion prevention right at the network boundary. A third-party email filtering service such as the Mimecast service that we offer with all of our hosted Exchange plans can provide yet another layer of malware filtering using multiple anti-virus engines, as well as outbound content filtering to help prevent “data leakage” from your organization. And, of course, it is still important to have anti-virus software on your servers and workstations.

Third, ensure that you have a vulnerability management and patching process in place for applications (e.g., Office apps, Java, Adobe Flash, Acrobat, etc.) as well as server and workstation operating systems. If your business is very small, and you can’t afford to hire someone like us to manage this for you, make sure that systems and applications are set to update automatically. Yes, occasionally Microsoft has released a patch that has broken something. But your chances of getting bitten by something like that are smaller than your chances of falling victim to an exploit if your systems are several months out of date because you didn’t have time to test and apply all the patches as they were released.

Fourth, consider blocking high-risk applications. For example, WatchGuard’s Application Control functionality can give you granular control over social media applications, instant messaging applications, and file sharing applications (e.g., DropBox, P2P apps like BitTorrent, etc.). You can selectively allow, block, or restrict access based on a user’s department, job function, and time of day – and generate usage reports so you know what applications are being run on your network, and by whom.

Fifth, ask yourself whether your users really need local admin rights to their workstations. Remember that if users have the rights to install software on their own PCs, and they inadvertently approve the installation of something that turns out to be malware, the malware is going to be installed. There are some utilities out there that can help, like CryptoPrevent from the folks at Foolish IT, which, among other things, can prevent disguised executables (e.g., mymalware.pdf.exe) from running, and can prevent executables from running if they’re in folders where you wouldn’t normally expect executables to be. But once you’ve given users local admin rights, it’s no longer possible to guarantee that they won’t shoot themselves in the foot.
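As an added illustration of the two CryptoPrevent-style checks just mentioned (this is example detection logic written for this post, not CryptoPrevent’s own code, and the file paths are constructed samples), here is how a defender could flag disguised double-extension files and executables sitting in folders where executables don’t belong:

```python
"""Flag (1) disguised executables such as mymalware.pdf.exe and (2) executables
in user-writable folders where they are not normally expected.
Example code for this post, not CryptoPrevent's implementation."""
from pathlib import PureWindowsPath
from typing import Dict, List

# File types Windows will execute when double-clicked (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user expects to be harmless documents or media.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".png", ".zip"}
# Profile folders where an executable is suspicious (assumed list; tune per environment).
UNEXPECTED_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\appdata\\local\\", "\\windows\\temp\\", "\\$recycle.bin\\")


def is_disguised_executable(path: str) -> bool:
    """True for names like invoice.pdf.exe: an executable extension immediately
    preceded by a document-looking one. Windows hides known extensions by
    default, so such a file displays as 'invoice.pdf' to the user."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)


def is_executable_in_unexpected_folder(path: str) -> bool:
    """True when an executable lives under one of the UNEXPECTED_DIRS."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in EXECUTABLE_EXTS:
        return False
    parent = str(p.parent).lower() + "\\"
    return any(d in parent for d in UNEXPECTED_DIRS)


def classify(path: str) -> List[str]:
    """Return the list of rule names a path trips (empty list if clean)."""
    findings = []
    if is_disguised_executable(path):
        findings.append("disguised-executable")
    if is_executable_in_unexpected_folder(path):
        findings.append("executable-in-unexpected-folder")
    return findings


def scan(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its findings; clean paths are omitted."""
    return {p: classify(p) for p in paths if classify(p)}


# Constructed sample inventory (not real files).
SAMPLE_PATHS = [
    "C:\\Users\\jdoe\\Downloads\\mymalware.pdf.exe",        # disguised
    "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",    # unexpected folder
    "C:\\Users\\jdoe\\AppData\\Roaming\\invoice.docx.scr",  # both rules
    "C:\\Users\\jdoe\\Documents\\report.pdf",               # clean
    "C:\\Program Files\\Vendor\\app.exe",                   # clean: expected location
    "C:\\Users\\jdoe\\Documents\\backup.tar.gz",            # clean double extension
]
```

Running `scan(SAMPLE_PATHS)` flags the first three paths and leaves the rest alone; a path walk of user profiles would feed real inventories into the same functions.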

Finally, talk to your employees regularly about security, so they understand the risks posed by certain applications – and understand why certain things are blocked or prohibited. Remind them about the things to look for that might tip them off that an email message may not be legitimate. Remind them not to open file attachments that they were not expecting to receive. A lot of security breaches are caused by simple human error – and people need to be reminded more than once, simply because they get busy and forget.

Here’s to a safe and prosperous 2015!

Security Breaches – Assigning the Blame

One of the few newsletters I try to read on a regular basis is the one put out by the good folks at WServerNews.com. Their January 5 issue has an excellent article on security entitled “Blame the Software.” In part, it talks about the way blame for a security breach gets progressively shifted as an audit of the situation progresses:

In my view this kind of reaction [blaming the software] is almost always shown to be wrong once a full internal audit of the situation has been completed. Usually as the audit proceeds the assignment of blame gets progressively shifted as follows:

  1. Bam–you’re hacked!!!
  2. Blame the software!!
  3. We also need to confiscate the server that software is running on!
  4. It looks like the admin is really the one we should blame–he went rogue.
  5. Wait–who hired this guy in the first place? What kind of controls did we have over him and why weren’t they applied consistently?
  6. I think we all failed here, it’s clearly a failure of our corporate culture. We need to do a full review of our security policies and processes for applying them.
  7. Let’s move on, what’s done is done. We just need to make sure it never happens again.

Note the progression here from blaming tools (software and systems) to placing the blame on individuals (usually an administrator) to recognizing that inadequate business processes (security policies and controls) are the true culprit. Unfortunately, as the blame gets shifted around, its energy also dissipates, and while the end result is typically a tightening of security controls, the issue of how those controls got weakened in the first place is usually not addressed.

The article goes on to discuss how, frequently, exceptions get made to security policies for reasons of convenience in order to get a high-priority task completed, and how an IT administrator might respond to such requests in a manner that won’t result in termination of employment. That’s often not an easy conversation to have – but it’s an essential conversation to have if we really want to address the problem. I’d recommend reading the article in its entirety.

eDiscovery Part 4 – the eDiscovery Process

This is the fourth and final installment in our series of blog posts on eDiscovery, containing video excerpts from the presentation we made on September 26 at the O365 Nation Fall Conference in Redmond. This installment is a bit longer (14 minutes), but it deals with the question of how you search for and retrieve the content we’ve discussed in previous posts. To review:

  • Part 1 discussed the lifecycle of an Exchange email message, what the “Recoverable Items” folder is all about, and the role of the “Single Item Recovery” feature in Microsoft Exchange.
  • Part 2 discussed PST files – why you may not want people using them, how to prevent their use, and why the archiving function that is built into Exchange 2010 and 2013 is a better option.
  • Part 3 discussed discovery hold – the different kinds of discovery hold available in Exchange 2013, how they work, and how they differ from what was available in Exchange 2010.

In this installment, we address the discovery process itself, and specifically how to configure and use the eDiscovery Center that’s available in SharePoint 2013:

Finally, as you moved through the video series, you saw a number of URLs in the PowerPoint presentation that led to various Web resources that would provide more information on the topics discussed, and you may have wished that you could see them more clearly so you could write them down. Not to worry – here they are for your convenience:

eDiscovery Part 3 – Email Discovery Hold in Microsoft Exchange

This is the third in our series of blog posts on eDiscovery, containing video excerpts from the presentation we made on September 26 at the O365 Nation Fall Conference held in Redmond. Part 1 dealt with the lifecycle of an Exchange email message, what the “Recoverable Items” folder is all about, and the role of the “Single Item Recovery” feature in Microsoft Exchange. Part 2 discussed PST files – why you may not want people using them, how to prevent their use, and why the archiving function that is built into Exchange 2010 and 2013 is a better option.

In this segment, we dive into discovery hold, and talk about the different kinds of discovery hold available in Exchange 2013, how they work, and how they differ from what was available in Exchange 2010.