Security Audit

What is it?

A detailed IT security audit that covers all your external threats.

What does this cover?

We will look for the most common website and infrastructure vulnerabilities. These include injection vulnerabilities, cross-site scripting, and unsupported or outdated services.

What is the benefit of this?

Discover and fix the same vulnerabilities a hacker would exploit to steal or manipulate your database, redirect people to malicious third-party content or fully deface your website.

How often will this take place?

A member of the technical team will schedule a test once a quarter. This will give you ongoing audits to cover any new threats.

What will I get from this?

A clear report that highlights what impact this could have on your business, alongside easy-to-manage fixes. A hassle-free service that requires no technical expertise.


 

t  +44 (0) 333 200 1636

e    info@netshield.net

w    http://www.netshield.net


Office 365: Is your data as protected as you think?

THERE’S NO DENYING THAT OFFICE 365 has certainly revolutionised the way users are able to work. The ability to work anytime, from anywhere has given employees control over their working day. Applications such as Exchange Online, SharePoint Online and OneDrive are all accessible in one place. As the platform can be billed monthly per user, O365 is also a bonus for companies who have fluctuations in their user counts on a regular basis.

All sounds pretty good, right? However, were you aware that the data held is not actually backed up by Microsoft? In the event of data loss or a breach, you can’t rely on the O365 platform to restore. If you weren’t aware of this, you should now be asking yourself:

What can I do to ensure the security and safety of my data?

 

Office 365 offers geo-redundancy, which can often be mistaken for a full backup. This only protects against Microsoft site and hardware failure, so users can continue working in either of these scenarios. You won’t be able to restore data that is lost, deleted or maliciously attacked.

Retention policies are limited, and when deleting a user you also delete their data held on their personal SharePoint and OneDrive, so you won’t be able to refer back for very long. Exchange Online has limited recovery functions and cannot handle serious attacks.

It is YOUR data, YOU control it and YOU need to have the correct backups in place to protect it and your business.

Veeam® Backup for Microsoft Office 365 eliminates the risk of losing data and gives you control over your backup policy. 

Benefits include:

  • Protecting your data from deletion and security threats
  • Access backup archives
  • Store data according to long-term retention policies that suit your compliance or regulatory needs
  • Multi-repository/multi-tenant architecture
  • Quick search and restore of individual files
  • Backup hybrid email and SharePoint deployments

You have a lot of flexibility and control over the backup policy: it can be set to weekly, daily or even as often as every five minutes! Copies can also be stored in a location of your choice: on-premise, public Cloud or a local data centre provider.

The product is licensed per user, so you only pay for the number of employees you actually have using the platform on a monthly basis.

 

If you would like more information or a quotation, please contact us today. 

Best Data Security Practices

PREVENTION IS ALWAYS BETTER THAN A CURE. Not only does this apply to hygiene to prevent illness, but also to data security. Preventing any breach, accidental data loss or cyber attack will always trump attempting to mop up the pieces afterwards.

Take a look at our quick take on what you can do to bring your security up to scratch.

 

1. Securing Data

Protecting data is more critical than ever. According to the Ponemon Institute’s 2017 Study, data breaches cost UK businesses an average of £2.48 million. This number doesn’t just include fines that could have been imposed, but also includes legal expenses, reputation damage, loss of customers and job losses.

Having a backup policy in place is one of the most important considerations that should be made. Should data be accidentally deleted, or maliciously encrypted, you have the full data backup to prevent loss. An additional security layer would involve having this data replicated to a separate offsite location which can be used in a disaster recovery scenario.

Ensure your infrastructure security is as robust as possible by installing and maintaining firewalls, anti-virus software and breach/event monitoring. Physical controls such as access procedures should also be considered, with ID needed for authentication and fob access.

Make use of network monitoring software so that network administrators are alerted to new network connections and to crashed or overloaded servers, and the continuity of data can be ensured.

 

2. Securing Mobile Devices 

79% of respondents to a RingCentral survey named their smartphone as the phone they used most to conduct business. Add this to the rise in remote working (an estimate in 2016 placed the number at 1.5 million home-workers) and it becomes all the more difficult to secure all remote devices as well as the systems and data they access. Of course the advantages outweigh the negatives, and it is possible to manage the risks:

  • Lock up devices when not in use and keep them in sight when in a public place to deter thieves.
  • Have a robust password policy in place to prevent unwanted access in the event of a theft, including the banning of auto-saving passwords. If possible, fingerprint verification should also be used.
  • Invest in two-step authentication to further strengthen credentials.
  • Advise against the use of public WiFi if at all possible. It’s pretty easy for hackers to compromise these unsecured networks, so ensure mobile devices are configured to connect via VPN. It’s also best practice to only allow employees to use public WiFi when accessing non-critical business work, or ban it altogether.
  • Implement a mobile device management platform, so patch and firmware updates can still be installed and monitoring still occur.
  • Encrypt data on smartphones and laptops, so if they are lost or stolen the data on the device will be scrambled and unreadable.

Implementing and communicating a robust mobile device and remote working policy to all employees gives them guidelines to follow and also covers any HR implications.

 

3. Winning Against Malware 

Malware is the most common form of cyber crime impacting UK businesses, making up 18% of all cyber attacks. Always be sure to protect against any vulnerabilities.

Maintaining a patch management program across all network devices, browsers and software closes security vulnerabilities that have been discovered so they cannot be exploited. A good patch management program will also include remote devices and mobile phones.

Don’t fall victim to phishing. Emails may look like they are from banks, a member of management or CEOs, but always check the sender’s address to be sure. More details of how to protect against phishing can be found here.

USB drives are an easy way to introduce viruses onto IT networks. Restrict USB use, or if these are important for employees to use in their line of work, have them checked by your IT team before use to ensure they are not infected.

Of course, using firewalls, anti-virus and anti-malware software will provide a multi-layered approach to help keep you protected from all the nasty fallout a malware attack can bring.

 

4. Password Security & Encryption

Having a good password policy in place is the start of ensuring access is only granted to the correct employees. However, you cannot rely purely on credentials alone.

Two-factor authentication requires users to have an extra token or code to add to the end of their usual credentials. There are many different products available that cover various software and applications such as OWA.

Regularly changing all passwords (every 60 – 90 days for AD accounts, consider every 30 for critical systems or those containing personal data) is so simple to build into a password policy, but can often be overlooked!

Encryption can be used when data is in transit on removable media such as external hard drives, but also for emails. Encryption scrambles the data so only the recipient can see it, so if devices are stolen data cannot be accessed.

 

5. Employee Awareness 

Employees are a business’s best asset, and are also the key that makes or breaks infrastructure security. All employees should be aware of the risks their actions can have and what they can do during working practices to prevent security compromises.

All policies and procedures should be documented and regularly provided to all employees, especially to remote workers who may not be in the office much. It’s also a good idea to have these documents in a central location such as SharePoint so everyone can access the latest copies.

A structured training plan for all new starters and refresher courses for existing employees must occur to ensure all employees understand phishing attacks, scams and best practices when determining if an email is legitimate.

It is especially important that IT staff are given time and training to keep up to date with the latest security threats and hacker strategies so they can in turn implement controls to deter such risks.

 

Netshield can provide an overview of your security, including penetration testing and vulnerability assessments, and provide recommendations based on backups, software and best IT practices. Contact us today for more information.

Technology and Education: What’s the Impact?

Technology has made a huge impact in every sector over the last ten years; this is especially true for the education sector. 

Universities and colleges are offering online courses to make studying more accessible across the world, challenging the ‘traditional’ picture of education. But could there be more of an impact?

Remote Working

In the era of many businesses now using a wide range of remote desktop services to allow employees to work from home or remotely when needed, will schools soon be following suit?

During the poor weather at the start of 2018, which led to schools, colleges and universities being closed, some for weeks on end due to heating issues, could the impact on students’ learning have been lessened with virtual classes being available? This would minimise the amount of learning lost during adverse weather conditions and long-term illness. Virtual lessons would also help connect students and teachers in different locations, removing any geographical barriers.

However, remote learning does raise an issue: how do tutors and teachers ensure students are remaining productive when they’re not working in a classroom? There aren’t many surveys that have been conducted to this end, but according to a survey of teleworkers by TINYpulse, 91% of remote workers believe they “get more work done when working remotely”. This is of course a self-assessment performed by the workers and may not offer a true reflection of how productive they actually are! It does, however, offer an insight into how the freedom of remote working could actually improve the productivity of students.

Digital Portfolios

Gone are the days of scrambling around for the USB long forgotten about at the bottom of a school bag; the embarrassment of submitting work and realising it hadn’t been saved; sharing external storage devices during a group project. Digital portfolios are becoming more common, allowing students to share notes and collaborate during projects in one place, usually an online portal or application. Tutors are also able to mark work and submit it back straight away, removing the need for hundreds of pieces of paper being printed and handed back.

The use of digital portfolios helps keep all submissions stored securely, often making use of Cloud services, which have the additional benefits of scalable storage and backups for extra security and continuity.

From an environmental view, digitising assignment submissions would of course minimise the amount of paper being used, and also drive down the cost of printing, inks and toners.

Taking Control of Learning

Students in college and university often have to juggle their coursework, lectures and lessons with work schedules. Virtual classes provide the freedom for students to learn at their own pace in bite-sized chunks, and work around their often busy work rotas.

Making the choice between a late shift at work vs being on time the next morning for a lecture would be eradicated with the student able to access a lesson if it had been pre-recorded and distributed virtually.

E-books are also becoming more commonplace, with teachers able to prepare students before a class with the lesson content or distribute afterwards to give everyone a chance to recap.

Digital vs Traditional

As with everything, there are of course negatives to such advances being made within the education sector.

Does digitising as much as possible take away traditional writing skills, leaving students who are so used to typing unexposed to the usual pen-and-paper concept? The introduction of E-books also raises the question of what can be done with the sheer amount of paper-based books left sitting unused in libraries and classrooms.

The Verdict?

Of course there’s a long way to go before every school, college and university can offer remote desktop services to all students. The work (and cost!) of implementing such solutions can look scary on paper. However, staggered rollouts or making just certain departments accessible through this medium could help to combat this.

The question of controlling students’ access during the ‘school day’ can also be harder to answer if allowing them to work on their own time unsupervised through mobile devices. This is where good management of anti-virus and patching is important, with a good, stable and secure back-end infrastructure still needed.

 

With technology changing the face of all sectors in some way, education is no different. The next ten to twenty years could make it almost unrecognisable.

 

 

Why Run Regular Vulnerability Assessments?

Why run regular security tests?

As we probably all know, information security is a broad subject, and for many of us understanding the different layers within this spectrum can at times be difficult. In this blog we will look at the risk and what you as a business could do about it!

Over the years, when advising various organisations on the importance of regular vulnerability scanning, conversations have typically suggested that most adopt some form of security measure, such as conducting a yearly manual penetration test, having a web application firewall (WAF) in place or conducting ASV PCI scanning, if not a combination of the three, just to highlight a few.

What is the actual risk to your business?

The Verizon report suggests that more than 75% of attacks are actually from external sources rather than your internal disenfranchised employees. “While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house. And let’s face it, no matter how big your house may be there are more folks outside it than there are inside it.” – Verizon Data Breach Investigations Report

Verizon Data Breach Investigations Report: 40% of breaches from web app attacks; 5,334 total incidents (through web apps), 908 with confirmed data disclosure.

If you look at the stats, they all point to the fact that external attack, and web applications specifically, is a highly likely route for a hacker to exploit.

Three common misconceptions

1) Performing a manual penetration test is important for most organisations, although for various reasons this is not always easily accessible on a regular basis. An in-depth penetration test will certainly give you a thorough snapshot of your current vulnerabilities at that moment in time and allow you to make remediations before a hacker can exploit any vulnerability that was discovered. However, between penetration tests, how can you confirm that you do not have a major vulnerability within one of your websites?

2) Many organisations feel they are protected by their firewall or other forms of external ‘wrapper like’ defence. The fact is that no matter what defences you have in place you will not be un-hackable (the Dark Web Specialist Darkbeam believes that more than 98% of businesses have already been hacked; they just aren’t aware of it yet). The landscape is also changing every day, making it impossible to be ahead of the game, so to say that having a firewall will protect you unfortunately just isn’t the case. Blue chip companies will spend millions on firewalls but still have data breaches.

3) Conducting your ASV PCI scanning is a crucial part of your compliance; however, it is important to highlight the difference between PCI scanning and vulnerability scanning. If you were to swap your compliance hat for your security hat for just a moment, it is fair to point out that passing your ASV PCI scan may give you a false sense of security. Your PCI scan limits vulnerability discovery to the vulnerabilities within PCI standards, which may leave exploitable vulnerabilities that fall outside the PCI remit undiscovered.

I am sure for many the above points will sound familiar. However, a key question to ask yourself is: should you incorporate regular vulnerability scanning into this equation? Is it worth the extra costs? The areas highlighted can certainly raise potential security gaps, but the simple answer is that without regular checks you do not have consistent visibility of your vulnerability landscape and are potentially one step behind a hacker. If you would like more information on how Netshield can assist you, please email info@netshield.net or call 0333 200 1636.