Securing Hybrid IT the Right Way

The average company today is a hybrid collection of traditional on-premise and cloud-based IT solutions.  On-premise solutions may include identity and authorization servers, custom applications, packaged applications, and local data repositories. Cloud services fulfill a wide variety of business tasks such as document sharing, group collaboration, customer relationship management, payment processing, marketing, and communication.  This combination of on-premise and cloud services is called Hybrid IT.

On-premise applications require equipment purchases, software deployment, and user training, but cloud services can be purchased with a credit card and used almost immediately. As a result, the business need, risk, and other factors are often not assessed with the same rigor when cloud applications are adopted.

Getting up to speed

Hybrid IT can be difficult to manage when users, who may or may not be tech savvy, utilize cloud systems in whatever way they deem best for the situation. Many organizations now find themselves in a hybrid IT situation that was largely unplanned. Follow these steps to get up to speed.

  1. Identify the cloud solutions in place.
  2. Determine if it is feasible to continue using the solutions.
  3. Transfer administrative credentials to IT.
  4. Create an approved application list.
  5. Enforce restrictions through network and endpoint controls on which cloud services can be utilized for organizational data.
  6. Standardize security controls on systems including those in organizational private clouds.

Identify a security solutions provider that can deploy consistent security onto your on-premise equipment, private clouds, and other assets. For example, Bitdefender delivers solutions that have solved the technical challenges of Advanced Persistent Threats (APT) and zero-day exploits.  These same solutions meet the increasingly stringent compliance requirements and give datacenter owners the ability to know what they don’t know, and act on information from below the operating system.

Maintaining control

The most frequently cited risk in hybrid IT is the potential for a lack of organizational control over customer, employee, and business data. Without effective endpoint and network security controls, a single user may adopt a cloud platform using a personal email address, load organizational data into it, and then leave the organization. At that point, the user's successor tries to assume control over the system but finds that there is no way to do so.

Organizations need to strike a balance between agility and administration.  There needs to be a level of control over which cloud applications are used for business purposes, but the process for evaluating and approving applications needs to be able to keep pace with today’s fast-paced business. See the suggested steps below.

  1. Establish a procedure for requesting a cloud application.
  2. Create a semi-automated workflow from the procedure.
  3. Establish a cross-functional approval group that will respond to requests through the workflow.
  4. Educate employees on the process.

Risk mitigation

Hybrid solutions are often user or department initiated with little or no involvement of the IT department or those responsible for security within the organization.  Cloud applications may change the organizational risk profile, but the business as a whole is not often aware of this change in risk and therefore cannot evaluate whether actions are required to reduce the risk to an acceptable level. One good way for data center administrators to be as informed as possible about risks is to deploy solutions such as Hypervisor Introspection which can evaluate security independent of the virtual machine and analyze system memory at the hypervisor level.  This ensures consistent security management and awareness even when users or administrators deploy non-standard virtual machines.

From there, a combination of endpoint and network controls such as software restrictions on agents on user machines and traffic filtering on the network can be used to restrict access to unapproved cloud services and applications.  This way, users will be required to utilize the process to request applications.
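To make step 1 of the list above (identify the cloud solutions in place) and the endpoint and network enforcement described here concrete, the following Python is an added example, not code from the original post. It parses constructed proxy log lines, summarises which cloud hosts each user sends data to, flags hosts that are not on an assumed approved-application list, and exposes the allow/block decision a proxy or endpoint agent would apply. The log format, hostnames, user names, byte counts and the approved list are all constructed for illustration.

```python
"""Shadow-IT discovery and cloud-service allowlist check over proxy log lines.

Added example, not from the original post. The log format, hostnames and the
approved-application list below are constructed for illustration.
"""
from collections import defaultdict

# Constructed: the organisation's approved cloud services, keyed by the host they use.
APPROVED_SERVICES = {
    "crm.example-saas.com": "Approved CRM",
    "docs.example-share.com": "Approved document sharing",
}

# Constructed sample proxy log: timestamp, user, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2016-08-01T09:00:01 alice crm.example-saas.com 1200
2016-08-01T09:03:12 bob docs.example-share.com 8800
2016-08-01T09:05:40 carol files.unvetted-cloud.test 4100000
2016-08-01T09:06:02 carol files.unvetted-cloud.test 3900000
2016-08-01T09:10:15 dave chat.unvetted-cloud.test 2000
2016-08-01T09:11:00 alice crm.example-saas.com 900
"""


def parse_proxy_log(text):
    """Yield (timestamp, user, host, bytes_sent) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, sent = parts
        try:
            yield ts, user, host.lower(), int(sent)
        except ValueError:
            continue


def discover_cloud_usage(text, approved=APPROVED_SERVICES):
    """Summarise per-host usage: which users touched it, bytes uploaded, approval status.

    Returns a dict host -> {"approved": bool, "users": set, "bytes_sent": int}.
    """
    usage = defaultdict(lambda: {"approved": False, "users": set(), "bytes_sent": 0})
    for _ts, user, host, sent in parse_proxy_log(text):
        entry = usage[host]
        entry["approved"] = host in approved
        entry["users"].add(user)
        entry["bytes_sent"] += sent
    return dict(usage)


def unapproved_services(usage, upload_threshold=1_000_000):
    """List unapproved hosts, largest upload volume first.

    Hosts above the (assumed) upload threshold are flagged as likely to hold
    organisational data and so to need the approval workflow or a migration.
    """
    rows = []
    for host, entry in usage.items():
        if entry["approved"]:
            continue
        rows.append({
            "host": host,
            "users": sorted(entry["users"]),
            "bytes_sent": entry["bytes_sent"],
            "bulk_upload": entry["bytes_sent"] >= upload_threshold,
        })
    return sorted(rows, key=lambda r: r["bytes_sent"], reverse=True)


def egress_decision(host, approved=APPROVED_SERVICES):
    """Allowlist policy a proxy or endpoint agent would enforce: approved hosts only."""
    return "allow" if host.lower() in approved else "block"


if __name__ == "__main__":
    summary = discover_cloud_usage(SAMPLE_PROXY_LOG)
    for row in unapproved_services(summary):
        print(row)
```

The discovery report is what the cross-functional approval group would review; the `egress_decision` function is the enforcement side, which in practice lives in the proxy or endpoint agent configuration rather than in a script.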

Next, using the workflow developed earlier, users can take the information collected on the approved cloud applications and services and compile it into a report for risk management. The entire process of creating this document can be automated in the workflow. The cross-functional approval team should already have included someone from risk management, but this portion of the process involves a more in-depth review of the hybrid IT portfolio of applications against the organizational risk tolerance threshold. Risk management can then make recommendations to ensure that risk is kept to acceptable levels.

Reducing attack surface

In some cases, a cloud application is adopted by a user or department when another cloud application has already been adopted to satisfy the same need.  Redundant cloud services increase management costs as well as the attack surface because they create additional potential avenues for attackers to obtain access to organizational data or systems.

  1. Determine which cloud service offers the greatest fit for the organization.
  2. Train users of the redundant service on how to use the preferred one.
  3. Transfer data from one service to the other.
  4. Terminate the redundant service.

Hybrid IT offers organizations an excellent way to augment existing on-premise IT offerings with cutting-edge cloud services. However, it can also be a nightmare if not managed properly. Some companies are in a precarious security position. Yet the problem is not insurmountable. With some planning, automation, discipline and the right mix of endpoint and network security controls, organizations can deploy and manage hybrid IT so that attack surfaces, cloud costs, and management time and effort are minimized.

Cybercriminals turn to DIY kits and Ransomware as a Service (RaaS)

Ransomware creators are monetizing their software in creative new ways. Not only are they using ransomware to encrypt files and collect ransoms, but they’re also selling their ransomware to others as do-it-yourself (DIY) kits and licensing it as a service.

DIY Ransomware

Criminals can purchase popular ransomware such as Cryptolocker, Cerber, Locky and Stampado as DIY kits with prices ranging from $39 to $3,000. These DIY kits allow criminals to quickly customize and distribute their ransomware to start collecting money.

There is wide variation in the types of DIY kits offered. Some are based on versions of ransomware that are already outdated while others are stable systems that work effectively. Some include advanced features, like one that allows administrators to delete random files at specific intervals until the ransom is paid.

DIY ransomware often includes a configuration wizard that helps criminals customize the ransomware to their specifications. These future extortionists define a custom name for the ransomware, determine the currency they will accept and the amount of the ransom, and upload a custom ransomware message. For encryption ransomware, criminals purchasing the kit select the file types that will be encrypted. Locking ransomware allows the purchaser to select which functions of the system to freeze.

Ransomware as a Service (RaaS)

Other ransomware creators are outsourcing the distribution element of the ransomware while still collecting the ransom. Such systems offer distributors a percentage of the ransoms received. Ransomware such as Petya, Mischa, Tox, Ransom32 and Cryptolocker Service follow this model of Ransomware as a Service (RaaS). Ransomware creators allow criminals to sign up on servers that are typically hidden behind an anonymous network to protect the creator’s identity and the distributor’s funds. All future extortionists need is a bitcoin account to sign up and they can download the ransomware for distribution. RaaS allows for some customization as well. Criminals can set the ransom demand amount and custom tailor their ransom message.

As victims pay ransoms, the RaaS providers track which bitcoin account was tied to the ransomware version, take a percentage off the top and deposit the remainder into the extortionist’s account. Extortionists can log into the RaaS page to see infection statistics and their earnings.

This has created a gold rush with new entrants to the ransomware market customizing and distributing malware in the attempt to claim their stake of the prize. Unfortunately for the rest of us law abiding citizens, this means that we can expect ransomware attacks to continue to grow. It is important to stay vigilant in implementing security controls, keep systems up to date and train users on the latest distribution techniques and incident response procedures. Make sure that important files are backed up to a location separate from the primary data so that ransomware infections will not impact both production and backup data.

Will Hacktivists Turn to Ransomware?

The US presidential election is upon us and some political activists are out in the streets, and in convention halls. And some are busy hacking. I am referring to the hacktivists, those who illegally use technology to promote a social or political agenda. The main difference between hacktivists and other cybercriminals is that hacktivist crimes are typically associated with a protest or political motivation.

In the early days of hacktivism, hackers used computer worms to spread messages, such as the 1989 Worms Against Nuclear Killers (WANK) anti-nuclear message that sent system announcements on DEC VMS systems.

In recent years, hacktivists have used mostly website defacing, data disclosure, and Distributed Denial of Service (DDoS) attacks to spread their message. Hacktivists typically do not create the attack technology.  They simply augment it for their use. With versions of Cryptolocker, Cerber, Locky, and Stampado for sale at reasonable prices, hacktivists have all they need to launch their own attacks.

Hacktivist ransomware? Not yet.

The good news is that we have not seen hacktivist ransomware – yet. It is a concern because it will differ greatly from the ransomware we know today. Some hacktivists may not even make a demand.  Encrypting the data will cause the disruption in business they desire.

Now is the time to guard yourself from such attacks. Take an inventory of the data in your organization so you know where it is. Next, back up the data and ensure it can be recovered in time. Lastly, ensure that users know that your organization has a plan in place to respond to ransomware (your backup strategy) and educate them on the process for spotting and reporting ransomware. That last step, prevention, is key to your success.

Three steps to data protection

Many organizations have found out too late that valuable data was on a device that they did not track, and these oversights have resulted in data breaches, or data loss. Both consequences can be avoided when the organization understands what data they have and where it is located.

Craft a backup strategy that keeps the backup copies separate from the production copies so that ransomware will not infect both. The strategy should also allow for restores to be performed quickly enough so that business interruptions are kept to an acceptable minimum. In the industry, we call this the RTO or Recovery Time Objective. You also want to make sure the backups are performed frequently enough to avoid unnecessary data loss.

The final key to protecting your data from ransomware attacks of any kind is to communicate with employees. Ensure that they understand that the organization has a plan in place to deal with ransomware. In this way, employees will not feel that they need to take on the solution themselves by paying the ransom or, in the case of hacktivism, performing the requested action. Employees should also understand how to report ransomware so that the organization can respond to the incident quickly.

If hacktivism follows the route many believe it will, hacktivist ransomware will eventually enter the scene. Protect yourself from all ransomware by putting the right controls in place before the attack.

Newest Ransomware has Polished, Professional Look

Criminals are raising the bar in the fight for your money.  It’s natural to expect that competition would follow success—and ransomware is succeeding.  Your data is the target and your pocketbook is the end goal.  As the landscape becomes more saturated, criminals are seeking ways to get a better return on their infections by making it easier to pay up.

One way extortionists are making it easier to pay is by using alternate currencies.  The process for purchasing bitcoins, the mainstream ransom currency, can be difficult for those who have never purchased them before.  Victims cannot just go to their bank and exchange dollars for bitcoins. That’s why some ransomware such as FLocker and TrueCrypter allow for payment with iTunes or Amazon gift cards.

Other ransomware distributors provide very clear instructions and online support.  Today’s ransomware is developed in multiple languages by professional translators so that the instructions for paying the ransom are easy to understand.  Some even come with a guide that explains how to obtain the desired currency. These cyber crooks utilize call center technology and live chat to walk victims through the process of purchasing bitcoins, paying the ransom, and decrypting their files.

Ransomware authors utilize graphic design professionals to create ransomware that has the feel of a professional application.  Sophisticated visuals and easily readable text can make paying a ransom feel more like renewing software.  Each new piece of malicious software is crafted in this way to make it more likely for you to pay rather than protect.

In some cases, organizations and individuals do choose to pay up. A one-time cost may seem the simpler route, but now you’ve opened the door to more attacks; you’re considered a paying customer. The best way to avoid being re-targeted is not to have to pay ransomware distributors in the first place.

No one ever put out a fire by feeding it.  Rather, we must starve the flames to see them extinguished.  Equip your company with the processes, people, and technology to fight the fire.  Protect yourself with a solid backup plan that can help you avoid paying cybercrooks. And you can help make ransomware a thing of the past.

Geolocation technology helps ransomware deliver targeted message

It might surprise you to know that ransomware uses geolocation technology to customize payloads and target individuals. You probably already know that geolocation is the approximate place where an Internet-connected device resides. Geolocation obtains an approximate location of a connection by referencing a machine’s IP address against various databases. As a reminder, an IP address is the numeric address assigned to a device under the Internet Protocol, the protocol by which data is sent from one computer to another on the Internet.

Those databases are maintained by Internet Service Providers (ISP) and Traffic Detection Services (TDS), all of which utilize and maintain databases on the places where an IP address has been used. Geolocation data does not provide the actual address of an Internet-connected device, but it can get within 10 to 20 miles of a device’s location.

This geolocation information is used by extortionists to direct ransomware to specific regions where they believe they can get a big return. They might use geolocation to customize ransom messages for each target region, so you are fooled into thinking a fraudulent email or link actually leads to information you want or need regarding changes to your regional bank or utility provider.

Also, ransomware distributors can target regions or countries with a higher average level of income, such as the United States, Japan, and Europe, where users are more capable of paying more than $500 to get the keys to decrypt their data. Recently I wrote about how ransomware distributors are using graphic designers and online chat tools to make it simpler and more likely that victims will pay — and geolocation is just another way that ransomware is becoming more sophisticated.

Geolocation customization

Ransomware uses geolocation to customize the language and content of the ransom message it displays to a user. Cybercriminals know that it will be much easier to get paid if their victims do not need to translate their messages first, so they write ransom messages in the language used by the victim’s region. Some ransomware also checks the language settings on the computer in addition to using geolocation information so that it uses the correct language.

A variety of ransomware threats have included false claims from law enforcement agencies that users have conducted illegal activities such as downloading copyrighted movies, games, or music. Those that falsely claim to be from a law enforcement agency have the greatest chance for success when the law enforcement agency they claim to represent is one that has jurisdiction over their intended victim.  These ransoms lock the computer until fines are paid to the extortionists. Such schemes use geolocation to customize which law enforcement agency is used in the ransom message.

As you can see, geolocation is an essential part of ransomware. No matter where you live, though, the basic rules of data protection apply. Avoid phishing emails that lead you to bogus sites. Back up your data with a reliable provider. Take the time to check any reminders or invitations to click on links, or to upgrade applications or browsers, simply by hovering over the link to see the full URL. Oftentimes, you’ll find suspicious words in the URL you are being encouraged to use. Ransomware of any type feeds on fear and the urge to move fast to avoid danger. Instead, take the time to look for any hints of trouble.

Adding Ransomware to Security Radars

Ransomware is the quickest way to turn your valuable data into garbage.  Ransomware is a form of malicious software that blocks access to user data such as documents, spreadsheets, pictures, music, or videos, typically by encrypting those files.  At this point, the ransomware will display a demand for payment in order to send the victim the decryption keys to the data.

Businesses and consumers often do not know what they have until it is encrypted.  It is then that they realize their Christmas list, family photos, and personal financials are inaccessible.  It can be much worse for companies.  Imagine the impact when payroll data, product formulas, or inventory records are suddenly unavailable.  Now imagine a doctor who is unable to prescribe medicine or perform an operation because the prescription information or patient records they need are encrypted.  As you can see, the impact of ransomware can be severe.

Despite ransomware’s severe impact, its attack vectors are more mundane.  Ransomware is obtained through a variety of well-known routes including email, websites, online advertising, exploits on system vulnerabilities, and infected files on shared folders or cloud file sharing services.

Email

Emails, particularly phishing emails, frequently entice users to open attachments that contain ransomware or to click links leading to infected websites.  The techniques used here are the same ones used by scammers, hackers, and other malware distributors.  Protection techniques include screening attachments with antivirus tools and utilizing email gateway scanning and filtering tools.  It is also important to educate employees or family members on how to recognize suspicious emails.

Infected websites and online advertising

Ransomware is also distributed from infected websites and through online ads.  Extortionists seed websites with malicious code and then wait for unsuspecting Internet users to visit a compromised site and get infected with their ransomware.  The likelihood of infection from such sites can be greatly reduced by utilizing a web filter, scanning web sites for malware or by browsing the web in a virtual machine.

Extortionists also create ads on social media or in search engines that download the malware.  Ads might pretend to be a flash player update, help or chat ads, or fake antivirus.  These ads are collectively known as malvertising.  The best way to protect against ransomware distributed through malvertising is by using an ad blocker.  There are many extensions for common browsers or standalone applications that can perform this activity.

Shared folders or cloud file sharing

Ransomware can also be obtained when a computer is connected to a network share that has ransomware on it. Many ransomware variants are capable of spreading to shares that a computer is connected to, typically through mapped drives. Ransomware can also infect your machine if you are using a cloud file sharing service that synchronizes files between machines. If a personal computer is infected and has the cloud file sharing software on it, it can replicate the malware to other computers that are part of the sharing relationship, infecting them all in the process. Monitor file servers for mass file changes to detect ransomware behavior and scan files that are placed on network shares. Similarly, equip each computer that utilizes cloud file sharing applications with antivirus software and segment business cloud file stores from personal ones.
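The file-server monitoring suggested above, written out as an added Python example (not code from the original post): it replays constructed audit-log lines and raises an alert when one account writes, renames or deletes more files within a sliding time window than a threshold allows, reporting any new file extensions introduced by renames, since a burst of renames to a single new extension is typical of encrypting ransomware. The log format, share paths, user names, window length and threshold are all assumptions made for the example.

```python
"""Detect mass file changes on a file share from audit-log lines.

Added example, not from the original post. The audit-log format, the share
paths, the user names and the alert thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 20                   # assumed change events per user per window


def _build_sample_log():
    """Constructed audit lines: 'timestamp user OPERATION path [new_path]'.

    Three lines of ordinary activity, then one account renaming 25 documents to
    a new extension within 25 seconds, then ordinary activity again.
    """
    lines = [
        "2016-08-01T10:00:00 alice WRITE //fs1/finance/budget.xlsx",
        "2016-08-01T10:02:30 bob WRITE //fs1/finance/report.docx",
        "2016-08-01T10:04:10 alice DELETE //fs1/finance/old-draft.docx",
    ]
    start = datetime(2016, 8, 1, 10, 5, 0)
    for i in range(25):
        ts = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} carol RENAME //fs1/finance/doc{i}.docx //fs1/finance/doc{i}.docx.locked")
    lines.append("2016-08-01T10:09:00 bob WRITE //fs1/finance/report.docx")
    return "\n".join(lines)


SAMPLE_AUDIT_LOG = _build_sample_log()


def parse_audit_log(text):
    """Return (timestamp, user, operation, [paths]) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, parts[1], parts[2].upper(), parts[3:]))
    return sorted(events, key=lambda e: e[0])


def detect_mass_changes(events, window=WINDOW, threshold=THRESHOLD):
    """Alert once per user whose change events within `window` reach `threshold`.

    Only write/rename/delete operations count; reads are ignored. For renames,
    an extension that differs from the original is recorded as a new extension.
    """
    recent = defaultdict(deque)   # user -> timestamps of change events still in window
    new_exts = defaultdict(set)   # user -> extensions introduced by renames
    alerted = set()
    alerts = []
    for ts, user, op, paths in events:
        if op not in ("WRITE", "RENAME", "DELETE"):
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if op == "RENAME" and len(paths) >= 2:
            old_ext = os.path.splitext(paths[0])[1].lower()
            new_ext = os.path.splitext(paths[-1])[1].lower()
            if new_ext and new_ext != old_ext:
                new_exts[user].add(new_ext)
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "count": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
                "new_extensions": sorted(new_exts[user]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_changes(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

In production the same logic would consume the file server's own audit feed (for example Windows object-access auditing or a SIEM stream) and the alert would trigger an action such as disabling the account's share access, which is where the post's advice about backups and contingency plans takes over.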

System vulnerabilities

Vulnerabilities in operating systems, applications and browser plugins are well documented once they have been discovered.  Attackers create exploit kits to target these vulnerabilities and then other malicious actors utilize these exploit kits to deliver malware to your machine.  The most common exploits are those related to operating systems such as Windows, applications such as Adobe Acrobat, or browser plugins such as Java, Flash, or Silverlight.  The best way to protect against the exploitation of such vulnerabilities is to keep systems, applications, and plugins updated to the latest version.  Vendors frequently release new versions or patches to software that fix the vulnerabilities that have been discovered.  Applying these updates can prevent those vulnerabilities from being exploited.


There will always be exceptions in a security system.  No system will protect you one hundred percent of the time and that is why it is important to have contingency plans.  When ransomware gets past your defenses, and it will at some point, be sure you have up-to-date backups of critical files so that you can remove the malware and encrypted files and then restore clean versions of the files back to computers.  Backup solutions should be distinct from production systems.  For example, a hard drive connected to a computer or a network attached storage device are both accessible from an infected machine so they are likely to be infected too.  However, tape backups or online backup services are distinct from production storage and can be relied upon to restore clean copies of data if the restore points predate the infection date.
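Combining the RTO guidance from the "Three steps to data protection" post above with the rule stated here that a restore point must predate the infection and sit on media distinct from production storage, the following is an added Python example (not code from the original posts). It picks a usable restore point from a set of constructed backup records, ignores copies on attached media that an infected machine could reach, and reports the resulting data-loss window against an RPO. The media classes, restore durations, timestamps and policy values are all assumptions.

```python
"""Pick a clean, isolated restore point after a ransomware infection and check it
against RTO and RPO targets.

Added example, not from the original posts. Media classes, restore durations,
timestamps and the policy values are constructed assumptions.
"""
from datetime import datetime, timedelta

# Media distinct from production storage versus media reachable from an infected
# machine (the post's own examples: tape or online service versus attached drive or NAS).
ISOLATED_MEDIA = {"tape", "online"}
ATTACHED_MEDIA = {"usb_drive", "nas"}

# Constructed backup catalogue: when each backup was taken, where it lives, and
# how long a full restore from it takes in hours.
SAMPLE_BACKUPS = [
    {"taken": datetime(2016, 8, 1, 2, 0), "medium": "nas", "restore_hours": 1},
    {"taken": datetime(2016, 8, 1, 2, 0), "medium": "online", "restore_hours": 6},
    {"taken": datetime(2016, 7, 31, 2, 0), "medium": "tape", "restore_hours": 10},
    {"taken": datetime(2016, 7, 30, 2, 0), "medium": "online", "restore_hours": 6},
]
# Constructed: earliest time the ransomware is known to have been active.
INFECTION_TIME = datetime(2016, 8, 1, 14, 0)


def usable_restore_points(backups, infection_time, rto_hours):
    """Backups that predate the infection, live on isolated media, and restore within the RTO."""
    return [
        b for b in backups
        if b["taken"] < infection_time
        and b["medium"] in ISOLATED_MEDIA
        and b["restore_hours"] <= rto_hours
    ]


def select_restore_point(backups, infection_time, rto_hours):
    """Newest usable restore point, or None when no backup satisfies all three rules."""
    candidates = usable_restore_points(backups, infection_time, rto_hours)
    return max(candidates, key=lambda b: b["taken"]) if candidates else None


def recovery_plan(backups, infection_time, rto_hours, rpo_hours):
    """Summarise the chosen restore point and whether the data-loss window meets the RPO."""
    attached = sum(1 for b in backups if b["medium"] in ATTACHED_MEDIA)
    rp = select_restore_point(backups, infection_time, rto_hours)
    if rp is None:
        return {
            "restorable": False,
            "attached_copies_ignored": attached,
            "reason": "no isolated backup predates the infection and fits the RTO",
        }
    loss = infection_time - rp["taken"]
    return {
        "restorable": True,
        "attached_copies_ignored": attached,
        "medium": rp["medium"],
        "taken": rp["taken"].isoformat(),
        "restore_hours": rp["restore_hours"],
        "data_loss_hours": loss.total_seconds() / 3600,
        "meets_rpo": loss <= timedelta(hours=rpo_hours),
    }


if __name__ == "__main__":
    print(recovery_plan(SAMPLE_BACKUPS, INFECTION_TIME, rto_hours=8, rpo_hours=24))
```

Running the check with a tighter RTO shows the failure mode the post warns about: when only the attached NAS copy is fast enough to restore, the plan reports no usable restore point, which is the signal to add an isolated backup tier rather than to trust the copy an infected machine could already have encrypted.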

Preparing Your Storage Environment for Tomorrow’s Opportunities

Businesses today can’t exist without data. They feed on it, breathe it, and those that understand how to most effectively harness it, achieve competitive advantage. Not only will those companies see returns today but tomorrow as well since they will be well-poised to seize future data storage opportunities and better leverage their data to make decisions and glean insight.

As you know, companies and consumers alike are producing data at a rate never seen before and this continues to increase. Those companies looking to the future know that they will need to support a data set vastly larger than the one they support today and at faster speeds. However, this is only part of the future storage landscape.


Looking towards the future in any industry can be difficult because so many things will change, but change is expected and often cumulative, consisting of a series of many small changes that together shift the business and technology landscape forward. In this way, changes are somewhat predictable even if we do not know the exact specifics of how they will take place.

It is true that organizations will have much more data in the future, but this huge amount of data will be spread among a variety of different providers including cloud services, local storage, peripheral devices, and datacenters. Employees will interface with their data not only via computers, browsers and apps, but through wearable technology and possibly augmented and virtual reality. Users will not be the only ones creating the data of the future. As sensors continue to decrease in cost, the Internet of Things (IoT) will become more prolific and see many new use cases.

In fact, IDC expects the “digital universe” of global data to double in size every two years between now and 2020, when it will reach 44 zettabytes.[1]

These changes will produce new storage opportunities for organizations.


The main opportunities for storage and IT will be in protecting data’s competitive advantage and achieving new insights and capabilities from integrating systems, while supporting larger data volumes and faster access to data.

Self-protecting data

Data today provides significant value to organizations. Without it, many companies would not be able to exist. The value of data will only increase and as that data is used in more and more places, securing it in the absence of traditional organizational security controls will be of prime importance because the secure data will allow companies to maintain their competitive advantage. Companies will do this by allowing data to be self-protecting. Data will need to be able to move freely but still enforce organizational security policies.

New insights and capabilities from system integration

Creation and consumption of data by users and things will take place on many devices, peripherals and connected things, managed by their own systems. Such systems will most likely be a diverse collection of companies and technologies. Those companies that can effectively integrate the data from these sources will be able to gain new intelligence and it will set the stage for data management opportunities.

One data management opportunity for future storage systems will be to reduce rework. Data created on one device can be shared with other devices, so that users do not need to recreate the data. This will be especially important for teams working on the same project. Organizations will be able to take this a step further and integrate data from different teams together, so components from one project or initiative are automatically correlated with others. This will increase agility and key business metrics such as time to market, closed sales or customer response time. Furthermore, the insights and uses of different systems will allow for users to utilize the data they create in multiple ways, enhancing data utility and maximizing the data’s organizational value.

Those companies skilled in data management will also be better equipped to protect data against loss. Data creation and change events can be tracked across systems so that they are effectively synchronized and archived.

Larger data volumes, faster speed

Companies and storage partners will need to effectively architect a solution that meets current and planned capacity and performance needs without introducing bottlenecks down the road. Disk has been our bottleneck for so many years that we are conditioned to focus on it, sometimes to the exclusion of other factors.

As flash storage approaches new heights in speed at lower price points, utilizing more open standards, bottlenecks will crop up in other parts of the storage network such as switches, Host Bus Adapters (HBAs), and virtual fabrics. Future ready solutions need to take this into consideration and allow for increased bandwidth, expandability and flexibility in the storage network and various interconnects such as WAN or cloud services.

Case in point – Wunderlich Securities Inc. implemented a flash-storage solution, and chief information officer Aaron Goodwin reports “We’ve got a lot of headroom for growth, plus more peace of mind.”

Future Ready Strategy

How effectively companies can utilize their current and future data will depend upon the ability of companies and their storage solutions to tag and categorize data, evaluate and integrate data platforms, build system organizational intelligence and empower end users.

Define policies for tagging and categorizing data now

Most data today is like a patient in the ICU without ID. Doctors don’t know who the person is or their medical history, which limits treatment options. Tagged data, like the patient with ID, has a history and it can tell that history to the applications that work with it. Some patients refuse care, and some data will refuse to be accessed while other data may be accessed with some restrictions.

Establish methods for evaluating and integrating data platforms

Data that exists in silos can only benefit applications and users operating within those platforms. Future ready companies will need to allow for secure integration between these diverse platforms. However, they will need to ensure that data leaving is protected and that incoming data is screened. The organizational data silos of today are like fresh water cisterns. Those can be combined together into a much larger collection, but introduce saltwater and the entire repository is unusable. Similarly, garbage data in a system will result in poor decision making, and new data created based on this data will be similarly flawed. This is particularly important for companies employing machine learning and artificial intelligence based business intelligence systems.

Build organizational intelligence and awareness into systems

From a security perspective, future ready storage solutions act more like a parent at a playground rather than an executive secretary. Whereas the secretary keeps the executive sealed off from the world, the parent lets their child experience the playground under the parent’s watchful eye. Those that believed the secretary would protect the executive’s schedule were proved wrong again and again as attackers pushed their way past the secretary or worked around her. The parent, while not infallible, is ever-ready to intervene. He or she is intelligent enough to make decisions in a changing environment with many simultaneous interactions and they can take appropriate action such as negotiating with other parents or communicating and coordinating with more powerful entities such as law enforcement when the need arises. Data, like that child, will need to interact with many systems under an intelligent, flexible guardian.

Empower end users

Lastly, users of tomorrow’s systems will need to be aware of how their creation and use of data impacts the organization. It is not enough to have effective data integration and security controls if users incorrectly categorize data, disclose it to unauthorized persons, or feel so restricted that they do not utilize the systems. Users must be empowered so that the technology and data allows them to work more effectively. Such users will embrace the technology and bring the most value to the organization. They will also find their careers more enjoyable when they do not need to compete with the technology. Technology should be a tool, not a restriction, a pencil rather than handcuffs. Are your storage systems ready for the future? It is coming faster than you think so prepare yourself for tomorrow’s opportunities.
