Monthly Archives: December 2015


HOW CAN I MAKE SURE MY SIP TRUNKS ARE SECURE?

SIP trunk security encompasses a number of different issues. To address them, most security vendors prefer a layered approach to provide an effective way of isolating and protecting the telephony system and the communications path to the SIP service provider.

Here are some tips to help identify which areas of SIP security need to be changed or redesigned to help avoid unpleasant surprises.

  • Ensure complex passwords for your SIP trunk: SIP trunk providers require authentication in order to allow incoming and outgoing calls from the SIP trunk. Make sure complex passwords are used for the authentication process to your SIP provider.
  • Limit access to the telephony system: Only specific people from specific locations should have access to the telephony system. Always ensure your telephony systems are isolated in a separate VLAN and the correct VLAN security policies are in effect.
  • Accept SIP traffic only from your SIP provider: Block traffic from all external sources except your SIP provider. This will help limit access to your telephony system and minimize chances of unauthorized access.



Keep Your Hacker Hands Out of My Phone System

If you are an OfficeSuite Phone customer and read the New York Times article “Phone Hackers Dial and Redial to Steal Billions” you might be in a panic, worried how to protect your business from such a scam.

But don’t worry, Broadview has your back.

Protect your business from hackers and fraud.

Fraud prevention starts by protecting your business phone system.

The scam or hack mentioned in the article involves people calling into a phone system’s voicemail service to make outbound calls. While this feature is convenient for some, it poses a huge risk as most passwords are easy to guess (more on that below).

So hackers call into the phone system, automatically try different passwords until they get through and then make calls to premium toll phone numbers (900) or other phone numbers to rack up charges.

Broadview decided years ago to cut this off by simply eliminating the not often used “call out” feature, thus thwarting the hackers.

We also recommend that OfficeSuite Phone customers update their “Permission profiles” by turning off any calling permissions that employees do not need or should not have, especially when the office is closed.

There was another problem years ago of overnight cleaning crews racking up international calls while working without much oversight. Companies were surprised to see lots of unusual international calls on their bill and were again worried about hackers.

With the OfficeSuite Phone service you can turn off any type of call, except emergency, during “closed” hours. Plus you can define “closed” hours differently for different people or groups with our Business Hours function. This is especially useful if you have multiple shifts during the day.
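Here is an added Python example, not Broadview's code and not how OfficeSuite implements these features, that models the two controls described above: a permission profile per user or group, and per-group "closed" hours outside which only the permitted call classes go out, while emergency calls always go through. The call classes, number-classification rules and sample profiles are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
# Call classes a permission profile can switch on or off (names assumed here).
EMERGENCY, LOCAL, LONG_DISTANCE, INTERNATIONAL, PREMIUM = (
    "emergency", "local", "long_distance", "international", "premium")

def classify(number: str) -> str:
    """Map a dialled number to a call class (simplified North American plan)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits == "911":
        return EMERGENCY
    if digits.startswith("011") or (number.startswith("+") and not digits.startswith("1")):
        return INTERNATIONAL
    if digits.startswith(("1900", "900")):
        return PREMIUM          # 900-style premium toll numbers the post warns about
    if len(digits) == 11 and digits.startswith("1"):
        return LONG_DISTANCE
    return LOCAL

@dataclass(frozen=True)
class BusinessHours:
    """Open window for one user or group; may cross midnight for night shifts."""
    open_at: time
    close_at: time
    days: frozenset = frozenset(range(5))  # Monday..Friday by default

    def is_open(self, when: datetime) -> bool:
        t, day = when.time(), when.weekday()
        if self.open_at <= self.close_at:
            return day in self.days and self.open_at <= t < self.close_at
        # Window crosses midnight (e.g. 22:00-06:00): the early-morning part belongs to the shift that started the previous day.
        if t >= self.open_at:
            return day in self.days
        return t < self.close_at and (day - 1) % 7 in self.days

@dataclass(frozen=True)
class PermissionProfile:
    hours: BusinessHours
    open_allowed: frozenset                   # classes permitted while open
    closed_allowed: frozenset = frozenset()   # default: emergency only

def call_allowed(profile: PermissionProfile, number: str, when: datetime) -> tuple:
    """Decide whether an outbound call may proceed; emergency is never blocked."""
    cls = classify(number)
    if cls == EMERGENCY:
        return True, "emergency: always permitted"
    period = "open" if profile.hours.is_open(when) else "closed"
    allowed = profile.open_allowed if period == "open" else profile.closed_allowed
    verdict = cls in allowed
    return verdict, f"{cls} {'permitted' if verdict else 'blocked'} during {period} hours"

# Constructed profiles: day staff may dial abroad only while the office is open; the overnight cleaning crew gets local calls only, on its own shift.
DAY_STAFF = PermissionProfile(
    hours=BusinessHours(time(8, 0), time(18, 0)),
    open_allowed=frozenset({LOCAL, LONG_DISTANCE, INTERNATIONAL}),
    closed_allowed=frozenset({LOCAL}))
NIGHT_CREW = PermissionProfile(
    hours=BusinessHours(time(22, 0), time(6, 0)),
    open_allowed=frozenset({LOCAL}))

if __name__ == "__main__":
    for who, prof in (("day staff", DAY_STAFF), ("night crew", NIGHT_CREW)):
        for num in ("911", "+44 20 7946 0000", "1-900-555-0100", "555-0100"):
            print(who, num, call_allowed(prof, num, datetime(2015, 12, 15, 23, 30)))
```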

Finally, it is always recommended to change passwords at least once a year. We offer passwords up to 10 digits, which are significantly harder for hackers to crack than four digits. We also recommend not using easy-to-remember passwords like 1111 or 1234.



Bring your Own Device

Whether it’s vacation season or not, the demand for mobility in business in general has been growing steadily, fueling the adoption of the Bring Your Own Device (BYOD) movement. If your business is ready to embrace the rewards of BYOD (think happier, more productive employees), it’s time to get serious about mitigating the risks that come along with allowing personal devices to access your company network.

Let’s explore BYOD’s evolution; take a look at the risks and rewards of embracing BYOD; and then take a deeper dive into how to balance it all so that you and your employees can enjoy the best of both worlds. If you want to see our interactive webinar where we discuss BYOD, visit our community post here.

BYOD 1.0

BYOD 1.0 is roughly defined as occurring from 2009 to 2012, but you could argue that it all started back in 2007 when more and more business professionals began switching from their BlackBerry® devices to the newly-introduced iPhones®. When BlackBerry ruled the business mobility scene, security was much easier for the Information Technology (IT) department. IT purchased, distributed and managed the devices for employees. At this stage, IT only had to concern itself with protecting two things:

1) The device itself and any data stored on it. (Known as Mobile Device Management, or MDM.)

2) The connection between the device and the corporate network. (Known as Virtual Private Network, or VPN.)

While this may seem easy as compared to today’s BYOD challenges, it actually caused frustration for both IT and employees, and here’s why. With BYOD 1.0, it was all or nothing, meaning IT had to protect the entire device and any data and activity on it. There was no way to home in on the company data and leave an employee’s personal data and activity alone.

Employee Complaints

Most people don’t want to have a phone for work and a phone for all the other times. It’s too much of a hassle! So what naturally happened was company-issued BlackBerries and other devices were used for both work and play. (As someone who had a BlackBerry back in the day, I’ll admit to this!) But that meant the company could invade your privacy whenever it wanted. And, if you left the company, the IT department would ‘wipe’ your device, so along with all your company data and applications went your personal data (photos, etc.) and apps. It’d all be gone.

IT Complaints

IT did not want to see any evil or hear any evil. In fact, IT did not want to be bothered with an employee’s personal data and apps! To them, this only introduced a new challenge: how to protect the device from potentially harmful web browsing by the employee.

In short, BYOD 1.0 left both employees and IT wanting. Enter BYOD 2.0.

BYOD 2.0

From about 2013 on, we’ve been living in the 2.0 version of BYOD. The biggest difference between BYOD 1.0 and BYOD 2.0 is the ability to provide security to only the company’s data, apps and network access and leave the employee’s personal data, web browsing and apps alone. This has been accomplished by changing the focus from device protection to application protection. Remember Mobile Device Management, or MDM, from 1.0? That has now been replaced by Mobile Application Management, or MAM. With BYOD 2.0, both groups are happy. Employees are no longer concerned with their company infringing on their privacy. IT is also happy because they can now focus on making sure the business’ data, applications and network are all locked down and secure.

Weighing the Risks and the Rewards

If you want your staff to be happier and more productive, BYOD is definitely the way to go. Studies have shown:

  • Employees whose companies embrace BYOD work up to 20 additional hours per week, unpaid [1].
  • 92 percent of these newly-mobile workers “enjoy their job flexibility” so much so that they are “content” with working the additional hours.
  • On top of that, 42 percent of business professionals would like “even greater flexibility for their working practices.”
  • Companies realize cost-savings in two ways: reducing or eliminating the capital expense of purchasing mobile devices and reducing or eliminating the monthly service costs.
  • When companies embrace BYOD, the IT department is re-branded as innovative and forward-thinking, which many times carries over to the entire organization’s brand.

Those are all positives, but here are the downsides:

  • 76 percent of business professionals believe that BYOD introduces serious risks [2].
  • Only 39 percent are prepared to mitigate the risks.
  • 59 percent of organizations had increased malware infections over the past 12 months because of unsecured laptops, smartphones, and tablets.

Overcoming ‘Different’ Challenges

Back in BYOD 1.0, there was typically one kind of device, from one vendor, serviced by one carrier. But that’s when IT bought, owned and managed everything. Now that employees are bringing different brands of smartphones, tablets and laptops, which they purchased from different places, and running them on different carriers’ networks, the complexity has multiplied. While it may seem overwhelming, it doesn’t have to be. All you have to do is create what’s called dynamic policy enforcement, which gives you flexible security over company data and applications.

Different Strokes for Different Folks

As with everything else in life, it all depends on who you are. Based on how complex your data storage and data center services are, you’ll require different types of mobile device security. Here’s a quick cheat sheet:

  • Have a traditional data center set-up? Control access with a VPN gateway.
  • Use an Infrastructure as a Service (IaaS) public cloud offering (such as Amazon EC2)? Control access with a VPN gateway and secure applications by hosting them on virtual servers.
  • Use a Software as a Service (SaaS) offering? Skip the VPN but still enforce identification and authorization to access corporate data.

It’s no longer enough to secure the device itself. If employees are using their own devices to access your network, you need a solution that extends beyond data and apps on devices into wherever you store your company’s data, whether that be in cloud-based services such as IaaS or SaaS, or in your own data center. Look for a mobile device service provider who combines mobile and access management into one service. And look for a provider who can offer all the security you need, including authentication and authorization, data-at-rest security, and data-in-transit security, among others.

The Key Lessons

  • Determine your company’s BYOD goals before worrying about the risks.
  • Don’t let your employees become secret hackers.
  • If your IT team has no idea what harboring rootkits, keyloggers, data-at-rest and data-in-transit security are, hire an expert.

Your employees want to use their smartphones and other personal devices for two things: 1) they want to store and use your company data outside of work, and 2) they want to conduct business, which often requires accessing your company network and services (think email!). As you’ve seen, the rewards are great, but the risks can be, too, if you don’t know how to properly secure your company’s proprietary information and safeguard against employees accidentally introducing harmful malware into your network. Knowledge is power, so they say, and it certainly rings true with BYOD. The more you know, the more you can balance the risks and rewards and reap all the benefits without worrying about the unwanted repercussions.


Sources:

1. 2012 Mobile Workforce Report from enterprise WiFi access firm iPass

2. Ponemon Institute/Websense survey



What can you learn from the VTech breach

The breach of VTech by an unknown cyber-criminal continues to escalate. After initial reports of a breach exposing personally identifiable data of its customers (despite VTech’s statement otherwise), the hacker released a limited set of personal messages and photos from VTech customers to prove a near-complete compromise.

It’s been a bad week for VTech. Make no mistake, VTech is the victim of a crime. However, the more immediate issue is the potential fallout for their customers and their children. And it’s here that VTech’s initial response has made things worse, not better. Thankfully, they’ve adjusted course in the last 24 hrs and are being more open with information.

Let’s learn from this. Here’s what you can do as a defender to make sure your organization is better prepared to handle a breach.

Communicate Openly

The time to figure out your post-breach communications plan is now. When you’re dealing with the fallout from a breach, you want to be able to implement a step-by-step plan that is appropriate for the situation.

Here’s a basic outline of what you’re going to need:

  • An open and honest email to customers that contains:
    • specifics of the data that was stolen
    • contact information to speak to someone fully informed of the situation and ready to respond immediately to their concerns (e.g., customer care)
    • an apology
    • a timeline for future communications
  • A press release that contains:
    • specifics of the data that was stolen
    • the steps you’ve taken to inform your customers
    • a media contact for comment and additional information
  • An open and honest communication to stakeholders that contains:
    • specifics of the data that was stolen
    • what is known so far about the mechanics of the breach
    • the steps you’ve already taken in response
    • the steps you plan to take
    • who is the lead for communications
  • A public URL that you can use to gather information (like an FAQ)
    • this should be constantly updated as the situation evolves
    • use this as the default resource to send everyone to
    • don’t hide this away on a corporate site. Make sure it’s visible where your customers visit

These items should be written ahead of time in a customizable template. Remember this is in addition to the internal response that you’ll require.

When you realize that you’ve been hacked, here are the steps you need to take to effectively communicate:

  • acknowledge that there has been a breach and that you’re actively investigating it
  • identify and inform affected customers
  • publish the public URL for general awareness
  • inform and brief stakeholders
  • issue a press release with critical information and a point of contact

All of these should be written in a tone that is clear and apologetic. Don’t needlessly muddy the waters (e.g., VTech’s re-definition of personally identifiable information), try to deflect blame, or raise the point that you’re a victim too. You can provide an explanation and get into the specifics of how this happened afterwards.

The immediate goal is to reduce the impact of the breach.

This means ensuring that your customers have the necessary information as quickly as possible. If they need to take action of some sort (cancel credit cards, change account credentials, etc.), you want them to be made aware so they can reduce the chances of something bad happening.

Act Decisively

Once you start to respond to an incident, the process has 5 key steps:

  1. detect
  2. analyze
  3. contain
  4. eradicate
  5. recover

These steps are bookended by “prepare” and “improve/learn” and together these steps form the foundation of a solid incident response (IR) process.

Most often, the biggest challenges are faced in the “contain” step. This is often when the IR team is faced with tough decisions that directly impact the business.

VTech issued the following update on their FAQ on 01-Dec-2015:

“As a precautionary measure, we have suspended Learning Lodge, the Kid Connect network and the following websites temporarily whilst we conduct a thorough security assessment.”

This is not something that any organization ever wants to have to write. But it’s 100% the right call despite the potential impact to the bottom line.

When is the right time to make this type of call? There’s no firm rule. It’s a judgement call based on the information you have at the time.

What you can do to make this easier is to work out possible scenarios ahead of time. This is an extremely difficult exercise to work through as it assumes your other work in defending the organization has failed. But it’s critical to work through these scenarios in theory and in practice (called a game day) in order to write a playbook for IR.

Part of this exercise is to determine who in the organization has the required authority to make the decision to shut down services. Hopefully you never have to make that call. But if you reach that point, you need to know who to call.

All of the processes you have in place with your security practice work towards never having to make a call to shut down services. If you’re hacked and you have to make that call, you’re far better off working from the playbook you wrote ahead of time instead of calling an audible.

Know Your Exposure

The most important thing you can do now to reduce the impact of being hacked is to review the data you are collecting and storing. By creating an inventory of the type of data you have, it is much easier to evaluate the risk you’re facing.

With the list in hand, you want to run through a very simple exercise. Put each data point on its own sticky note. Use the stickies to combine various data points to create different points of view.

The goal of this play on usability card sorting is to find which data points pose more risk to your business when they are linked to other data points.

If we take the VTech example, their app store requires a billing address, the social app links parents and children, and the messaging server temporarily stores photos and private messages. Individually each of these data points poses a risk. Combined, that risk escalates dramatically.

Mapping out all possible connections between all of the data points you collect & store lets you better identify risks and set the appropriate mitigations.

Those mitigations could entail:

  • not storing the data at all
  • isolating the data in separate backend systems
  • ensuring that your monitoring practice is looking for warning signs of data aggregation

Until you map out the entire landscape of data you store & collect, you won’t know what level of risk you’re facing. Without that knowledge, how can you formulate an effective defence?

Prepare For The Worst

No one wants to be hacked. It’s a security team’s worst nightmare. You can reduce the impact of a breach by taking steps now.

  • Set out a communications plan. Create a few templates for key communications so you can fill in the details during the incident in order to reduce your response time
  • Practice and planning are key. Work through possible response scenarios ahead of time. Practice them. Make sure you know who has the authority to suspend services if you need to take dramatic steps to contain a breach
  • Know what data you are collecting and where you store it. Understand how those data points can be combined and how those combinations affect the risk (and value) of the data. Add additional protections as appropriate

When you’re focusing on keeping the lights on or, worse, getting them back on, the last thing you want to do is shoot from the hip. Writing out a clear playbook for all aspects of incident response is the key to a successful response.


National Computer Security Day: Is Your Business Protected?

We all use computers for something in our lives, but for businesses that rely on them, National Computer Security Day is a great reminder to review the security measures you have in place. We’ve discussed in several posts how important it is for your business to keep your security measures up-to-date, but in honor of the holiday, we are going to focus on the different areas of security that might be at risk and how to best keep them safe.

Email
Your email systems can be at risk for a number of reasons. If the server fails, you might not be able to access important information, and if any emails contain sensitive information, that information could be obtained by hackers. There is also the age-old scam where people send viruses through email. Having a good email security system in place will make sure that emails containing questionable content will be blocked and quarantined. It will also ensure that your emails are backed up for easy access in case of emergency. You and your employees, with the right protection, are able to enjoy inboxes that are spam-free, contain no unsafe content and are properly backed up.

Firewall
What are your security objectives? How much of a block do you want between your computer network and the outside world? Having a well-managed firewall lets you call the shots and ensures that your network is constantly being monitored. You can reference web-based reports at any time to identify any erratic behavior and address any issues.

VPN
If you have employees or clients who access your network remotely, you need your VPN to be secure. VPN security means that you can have people work from home without worrying, and that any data sent through the network will be encrypted so that it cannot be intercepted and obtained, avoiding any cyber-attacks.

Internet Policy
What types of websites would you like to allow your employees to access from the at-work network? Having a security system that enables internet-use management allows you to put filters on accessible URLs to avoid any legal issues or potential issues for your employees who might access dangerous sites. Some managers also employ internet policy management systems in order to boost workplace productivity.

Data Storage
Storing your business’s critical data in a place that is easily accessible, secure, and backed-up is imperative. Having a good managed security service means that your data will be backed-up on a regular basis, which reduces the amount of time it would take for your business to recover from a potential security threat, as well as the amount of time you’d be exposed to any risk. This is hugely important to have in place to ensure that your sensitive data is monitored and secure 24/7.

What steps is your business taking to avoid security threats? Are you using a managed security service? National Computer Security Day is the perfect time to make sure all of your security management efforts are up-to-date and that you have the right protection in place for your business. We offer a variety of managed security services and are always here to help you get started.
