The State of Cyber Security

As we move into 2015, it’s appropriate to look back and think about what we’ve learned about the threat landscape. To that end, Check Point’s 2014 Security Report makes for some pretty interesting reading.

According to their research, in a typical large enterprise:

  • Every 1 minute a host accesses a malicious Web site
  • Every 3 minutes a bot is communicating with its command and control center
  • Every 9 minutes a high risk application is being used
  • Every 10 minutes a known malware is being downloaded
  • Every 27 minutes an unknown malware is being downloaded
  • Every 49 minutes sensitive data is sent outside the organization
  • Every 24 hours a host is infected with a bot.

If you’re an SMB rather than a large enterprise, it doesn’t mean you’re off the hook, it just means that you may have a bit more time before the law of averages catches up with you.

Why does this happen? It’s not because your users are stupid, and (in most cases) it isn’t because they’re malicious. It’s because they’re not IT security professionals, and they’re busy trying to do whatever it is that you hired them to do. When a window pops up with an “OK” button in it, many of them will reflexively click “OK” without realizing exactly what they just agreed to. (And it may have been permission to install malware on their system.) Busy people also often think nothing of opening a file attachment that arrives by email, not realizing that more than two-thirds of malware-infected files are either PDFs, archive files (e.g., ZIP, tar, RAR, CAB, etc.), or MS Office files (typically Word and Excel, sometimes PowerPoint as well). People who are enticed to visit a compromised Web site, and who are then prompted to install an updated video driver in order to view the Web site content, will often approve it without considering that what they’re installing might not be a video driver at all.

It also happens because, in the continuing arms race between malware writers and security software vendors, the malware writers are getting better at evolving their malware to avoid detection by existing products – typically giving them a 2 to 3 day window of opportunity to exploit systems before the malware is detected, security definitions are updated, and security software is able to detect and block it. And with today’s do-it-yourself malware toolkits, you don’t have to be a sophisticated code jockey to generate a new malware variant. Modern security software typically includes algorithms that look for suspicious behavior in order to try to block unknown malware, but according to CheckPoint, less than 10% of antivirus engines were capable of detecting new malware variants when they were first caught in the wild.

So, in the words of the 1965 “Total” cereal commercial, “What’s a mother to do?”

First of all, you should have a written security policy, and make sure that all of your employees have a copy of it, and sign off on a statement that they have read it and understand it. That way you know that (at least once) they’ve had to give some thought to security and what they are expected to do (and not do). Also, if you ever have to take disciplinary action against an employee, you’ve protected yourself against the “Wait, I didn’t know I wasn’t supposed to…” argument. If you need assistance in crafting a security policy, contact us. It isn’t that difficult, and there are readily-available templates that can be easily modified to adapt to most organizations’ needs.

Second, use a defense-in-depth strategy. A small or mid-sized organization may not be able to afford the sophisticated network intrusion detection/prevention systems that large enterprises deploy, but a good firewall appliance (like the latest WatchGuard models) can provide a layer of virus filtering, outbound URL filtering, and intrusion prevention right at the network boundary. A third-party email filtering service such as the Mimecast service that we offer with all of our hosted Exchange plans can provide yet another layer of malware filtering using multiple anti-virus engines, as well as outbound content filtering to help prevent “data leakage” from your organization. And, of course, it is still important to have anti-virus software on your servers and workstations.

Third, ensure that you have a vulnerability management and patching process in place for applications (e.g., Office apps, Java, Adobe Flash, Acrobat, etc.) as well as server and workstation operating systems. If your business is very small, and you can’t afford to hire someone like us to manage this for you, make sure that systems and applications are set to update automatically. Yes, occasionally Microsoft has released a patch that has broken something. But your chances of getting bitten by something like that are smaller than your chances of falling victim to an exploit if your systems are several months out of date because you didn’t have time to test and apply all the patches as they were released.

Fourth, consider blocking high-risk applications. For example, WatchGuard’s Application Control functionality can give you granular control over social media applications, instant messaging applications, and file sharing applications (e.g., DropBox, P2P apps like BitTorrent, etc.). You can selectively allow, block, or restrict access based on a user’s department, job function, and time of day – and generate usage reports so you know what applications are being run on your network, and by whom.

Fifth, ask yourself whether your users really need local admin rights on their workstations. Remember that if users have the rights to install software on their own PCs, and they inadvertently approve the installation of something that turns out to be malware, the malware is going to be installed. There are some utilities out there that can help, like CryptoPrevent from the folks at Foolish IT, which, among other things, can prevent disguised executables (e.g., mymalware.pdf.exe) from running, and can prevent executables from running if they’re in folders where you wouldn’t normally expect executables to be. But once you’ve given users local admin rights, it’s no longer possible to guarantee that they won’t shoot themselves in the foot.
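To make the two patterns concrete, here is a small audit script (an added example, not CryptoPrevent’s code) that flags file paths matching them: an executable wearing a document extension, such as mymalware.pdf.exe, and an executable sitting in a user-writable folder where installed programs don’t normally live. The sample paths are constructed; it only inspects path strings and touches no files.

```python
"""Audit Windows file paths for disguised executables and executables in
unexpected folders. Added example with constructed sample paths; it is not
CryptoPrevent's code and does not enforce anything, it only reports."""
from pathlib import PureWindowsPath

# Extensions Windows runs directly when the file is opened.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions users expect to be harmless documents or media.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".png", ".zip"}
# Top-level folders where installed programs normally reside.
EXPECTED_ROOTS = {"program files", "program files (x86)", "windows"}
# User-writable folders where dropped malware typically lands.
SUSPECT_DIRS = {"temp", "tmp", "appdata", "downloads", "desktop", "$recycle.bin"}


def audit_path(path_str):
    """Return a list of reasons the path is suspicious; an empty list means none."""
    path = PureWindowsPath(path_str)
    parts = [p.lower() for p in path.parts]
    # strip() also catches "invoice.pdf        .exe", where padding pushes .exe out of view
    suffixes = [s.strip().lower() for s in path.suffixes]
    reasons = []
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return reasons                      # not something Windows will execute directly
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        reasons.append("double extension: looks like %s but runs as %s"
                       % (suffixes[-2], suffixes[-1]))
    if len(parts) > 1 and parts[1] not in EXPECTED_ROOTS:
        hits = SUSPECT_DIRS.intersection(parts[:-1])   # folders only, not the file name
        if hits:
            reasons.append("executable in user-writable folder: %s" % sorted(hits)[0])
    return reasons


def audit_all(paths):
    """Map each path to its findings, keeping only the paths that have any."""
    return {p: audit_path(p) for p in paths if audit_path(p)}


SAMPLE_PATHS = [  # constructed for this example
    r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
    r"C:\Users\bob\Documents\Q4 report.docx",
    r"C:\Users\bob\AppData\Local\Temp\mymalware.pdf.exe",
    r"C:\Users\bob\Downloads\invoice.pdf                 .exe",
    r"C:\Users\bob\AppData\Roaming\updater.exe",
]

if __name__ == "__main__":
    for path, reasons in audit_all(SAMPLE_PATHS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```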

Finally, talk to your employees regularly about security, so they understand the risks posed by certain applications – and understand why certain things are blocked or prohibited. Remind them about the things to look for that might tip them off that an email message may not be legitimate. Remind them not to open file attachments that they were not expecting to receive. A lot of security breaches are caused by simple human error – and people need to be reminded more than once, simply because they get busy and forget.

Here’s to a safe and prosperous 2015!

Security Breaches – Assigning the Blame

One of the few newsletters I try to read on a regular basis is the one put out by the good folks at WServerNews.com. Their January 5 issue has an excellent article on security entitled “Blame the Software.” In part, it talks about the way blame for a security breach gets progressively shifted as an audit of the situation progresses:
In my view this kind of reaction [blaming the software] is almost always shown to be wrong once a full internal audit of the situation has been completed. Usually as the audit proceeds the assignment of blame gets progressively shifted as follows:

  1. Bam–you’re hacked!!!
  2. Blame the software!!
  3. We also need to confiscate the server that software is running on!
  4. It looks like the admin is really the one we should blame–he went rogue.
  5. Wait–who hired this guy in the first place? What kind of controls did we have over him and why weren’t they applied consistently?
  6. I think we all failed here, it’s clearly a failure of our corporate culture. We need to do a full review of our security policies and processes for applying them.
  7. Let’s move on, what’s done is done. We just need to make sure it never happens again.

Note the progression here from blaming tools (software and systems) to placing the blame on individuals (usually an administrator) to recognizing that inadequate business processes (security policies and controls) are the true culprit. Unfortunately, as the blame gets shifted around, its energy also dissipates, and while the end result is typically a tightening of security controls, the issue of how those controls got weakened in the first place is usually not addressed.

The article goes on to discuss how, frequently, exceptions get made to security policies for reasons of convenience in order to get a high-priority task completed, and how an IT administrator might respond to such requests in a manner that won’t result in termination of employment. That’s often not an easy conversation to have – but it’s an essential conversation to have if we really want to address the problem. I’d recommend reading the article in its entirety.

CEO Scott Gorcester and CSO Karl Burns Quoted in CNN.com Article

Scott Gorcester and Karl Burns were quoted in an article on CNN.com today. The article talked about the economic upswing currently happening in Seattle, Washington and the impact that cloud technology has had. Read the article here.

eDiscovery Part 4 – the eDiscovery Process

This is the fourth and final installment in our series of blog posts on eDiscovery, containing video excerpts from the presentation we made on September 26 at the O365 Nation Fall Conference in Redmond. This installment is a bit longer (14 minutes), but it deals with the question of how you search for and retrieve the content we’ve discussed in previous posts. To review:

  • Part 1 discussed the lifecycle of an Exchange email message, what the “Recoverable Items” folder is all about, and the role of the “Single Item Recovery” feature in Microsoft Exchange.
  • Part 2 discussed PST files – why you may not want people using them, how to prevent their use, and why the archiving function that is built into Exchange 2010 and 2013 is a better option.
  • Part 3 discussed discovery hold – the different kinds of discovery hold available in Exchange 2013, how they work, and how they differ from what was available in Exchange 2010.

In this installment, we address the discovery process itself, and specifically how to configure and use the eDiscovery Center that’s available in SharePoint 2013:
Finally, as you moved through the video series, you saw a number of URLs in the PowerPoint presentation that led to various Web resources that would provide more information on the topics discussed, and you may have wished that you could see them more clearly so you could write them down. Not to worry – here they are for your convenience:

Where Did My Document Go?

It is axiomatic that many of us (perhaps most of us) don’t worry about backing up our PCs until we have a hard drive crash and lose valuable information. This is typically more of a problem with personal PCs than it is with business systems, because businesses usually go to great lengths to make sure that critical data is being backed up. (You are doing that, right? RIGHT? Of course you are. And, of course, you also have a plan for getting a copy of your most critical business data out of your office to a secure off-site location for disaster recovery purposes. Enough said about that.)

So, with business systems, the biggest challenge is making sure that users are saving files to the right place, so the backup routines can back up the file. If users are saving things to their “My Documents” folder, and you’re not redirecting “My Documents” to a network folder on a server, you’ve got a big potential problem brewing. Ditto if people are saving things to their Windows Desktop, which is possibly the worst place to save things that you care about keeping.

But there’s an even more fundamental thing to remember, and to communicate to our users: The best, most comprehensive backup strategy in the world won’t save you if you forget to save your work in the first place! Even in our Hosted Private Cloud environment, where we go to great lengths to back up your data and replicate it between geo-redundant data centers, there’s not much we can do if you don’t save it.

Just as many of us have learned a painful lesson about backing up our data by having lost it, many of us have also had that sinking feeling of accidentally closing a document without saving it, or having the PC shut down due to a power interruption, and realizing that we just lost hours of work.

Microsoft has built an Autorecovery option into the Office apps in an attempt to save us from ourselves. Within, say, Word, go to “File / Options / Save,” and you should see this:

Word Autorecover Settings

That’s where you set how often your working document will be automatically saved, as well as the location. But be aware that Autorecovery works really well…until it doesn’t. A Google search on the string “Word autorecovery didn’t save” returned roughly 21,000 results. That doesn’t mean you shouldn’t leverage Autorecovery – you certainly should. But take a look at the Word “Help” entry on Autorecovery:

Word Autorecover Help

Notice the text that I’ve circled in red? It says “IMPORTANT The Save button is still your best friend. To be sure you don’t lose your latest work, click Save (or press Ctrl+S) often.” Bottom line: Autorecovery may save your backside at some point…or it may not. And corporate backup routines certainly won’t rescue you if you don’t save your work. So save early and often.

And if you’re a mobile user who frequently works while disconnected from the corporate network, it’s a good idea to save your files in multiple locations. Both Microsoft (OneDrive) and Google (Google Drive) will give you 15 GB of free online storage. And if it’s too much trouble to remember to manually save (or copy) your files to more than one location, there are a variety of ways – including ManageOps’s “follow-me data” service – to set up a folder on your PC or laptop that automatically synchronizes with a folder in the cloud whenever you’re connected to the Internet. You just have to remember to save things to that folder.

You just have to remember to save things, period. Did we mention saving your work early and often? Yeah. Save early and often. It’s the best habit you can develop to protect yourself against data loss.

eDiscovery Part 3 – Email Discovery Hold in Microsoft Exchange

This is the third in our series of blog posts on eDiscovery, containing video excerpts from the presentation we made on September 26 at the O365 Nation Fall Conference held in Redmond. Part 1 dealt with the lifecycle of an Exchange email message, what the “Recoverable Items” folder is all about, and the role of the “Single Item Recovery” feature in Microsoft Exchange. Part 2 discussed PST files – why you may not want people using them, how to prevent their use, and why the archiving function that is built into Exchange 2010 and 2013 is a better option.

In this segment, we dive into discovery hold, and talk about the different kinds of discovery hold available in Exchange 2013, how they work, and how they differ from what was available in Exchange 2010.

Wait – Support for WHAT is ending WHEN?

You may have already heard rumblings about support for Windows 7 and Windows Server 2008 (and 2008 R2) ending in January. It’s true that mainstream support for those products ends January 15, 2015, but extended support will continue for another five years – so there is no need to panic. Here’s a helpful Microsoft graphic that clarifies the difference in the support phases:

Microsoft support phases

So the most critical thing we need – security updates – we will continue to get, and if you really get into a jam, pay-per-incident support will still be available.

What this really means, particularly for the desktop side of things, is that it’s time to start seriously thinking about what comes next. No one but the purveyors of malware will benefit if we have another struggle like we did with Windows XP (“You can upgrade my Windows XP system when you pry it from my cold, dead hands!”). Yes, it was a great O.S., arguably the best that Microsoft had produced at the time, and maybe, just maybe, even better than Vista – although I’m not entirely ready to concede that. (I liked Vista – I was just annoyed by the lack of device drivers when it was released.) But Windows 7 was clearly a superior Operating System, and the resistance to change finally reached the point where it was just silly. Heck, as recently as last month, Windows XP still had a 17% market share, according to Net Applications, and that’s just crazy from a security perspective.

I’m cautiously optimistic that Windows 10 (what the heck happened to Windows 9, by the way?) will be Microsoft’s next great desktop O.S. I ran Windows 8 for quite a while, and I’m now running Windows 8.1, but I’m also running Start8 from Stardock Software, which gives me back some of the features whose absence in Windows 8.x I found most annoying. It sounds like Windows 10 may, out of the box, do the things that Windows 8.x only did with the addition of third party utilities. That may not be good news for the makers of those third party utilities, but it’s an indication that Microsoft understands that they missed the mark and plans to address those issues. So, if I was a desktop admin for a sizable company, I’d be all over the early releases of Windows 10 and already starting to plan how I’m going to transition to it, if it’s as good as it appears it may be.

On the server side, there’s no reason not to deploy Windows 2012 R2 on any new servers you’re installing these days. It’s a fine O.S., it’s stable, it’s secure. You may as well start getting your feet wet, if you haven’t already.

Bottom line: plan, don’t panic. Start planning now. Don’t repeat the Windows XP saga.

Are the Advantages of BYOD Worth the Security Risks?

Check Point Software recently released their Third Annual Mobile Security Survey, highlighting the impact of mobile devices on IT security. They surveyed more than 700 IT and security professionals in the U.S., Canada, Germany, the U.K., Australia, and New Zealand, and the respondents were spread fairly evenly across the spectrum of business sizes, with the largest segment (29%) coming from businesses with between 100 and 1,000 employees.

Here are some of their key findings (quoted from the site linked above):

  • The Greatest Threat Resides Within Your Organization – 87 percent of surveyed professionals believed that the greatest security threat to mobile devices was careless employees. Nearly two-thirds of the respondents believed that recent high-profile breaches of customer data were likely due to employee carelessness.
  • Proliferating Use of Personal Mobile Devices on the Corporate Network – Despite careless employees being the weakest link into businesses, 91% of IT professionals saw an increase in the number of personal mobile devices connecting to their networks over the past two years. In 2014, 56% of those surveyed managed business data on employee-owned devices, up from 37% in 2013.
  • Mobile Security Incidents Expected to Rise – 2015 is shaping up to be a risky year, according to those surveyed. Of the security professionals surveyed this year, 82% expect the number of security incidents to grow in 2015. Additionally, nearly all of the respondents (98%) expressed their concern about the impact of a mobile security incident, with the greatest concern being the potential for lost and stolen information.
  • Cost of Mobile Security Incidents Continues to Rise – 2014 saw an increase in remediation costs for mobile security incidents. Of the IT executives surveyed, 42% noted that mobile security incidents cost their organizations more than $250,000.

Consider some additional trend data:

  • Computerworld predicts that BYOD smartphones will continue to grow at roughly a 30% CAGR through 2017 – from only 88 million two years ago to 328 million in 2017.
  • Rapid7 quotes a Cisco prediction that by 2016 there will be 1.62 billion mobile devices (of all kinds) in the workplace. They also state that more than 80% of the mobile devices in the workplace today are employee-owned.
  • Over a year ago (back in May, 2013), Gartner predicted, based on a global survey of CIOs, that, by 2017, more than half of companies will require their employees to supply their own mobile devices.

So let’s recap: 98% of the Check Point respondents were concerned about the impact of mobile security incidents on their businesses, 42% said that such incidents had already cost their businesses more than a quarter of a million dollars, and 82% expect the number of security incidents to grow in 2015. Yet nearly all have seen an increase in the number of personal mobile devices connecting to their networks over the past two years, and, by all indications, the BYOD trend will continue and, if anything, accelerate. Which brings up two obvious questions: (1) If BYOD is such a security risk, why are businesses overwhelmingly moving in that direction? And (2) What can a business do to leverage the benefits of BYOD while still limiting the exposure to security risks? Let’s look at these two questions…

Why BYOD?

  • It reduces the business’ capital outlay for mobile devices. Even in cases where businesses give their employees a cash allowance to purchase the mobile device of their choice, the company generally saves money in the long run by not being responsible for the maintenance and repair of an employee-owned device.
  • Employees are more productive when working on their preferred device. Someone who has been using an iPhone for years isn’t going to be happy about being handed a company-owned BlackBerry device. A Mac user isn’t going to want to deal with a company-owned Windows laptop – and vice versa. Younger workers in particular, who have grown up with technology, want to use what they’re accustomed to using, and will be more productive if allowed to do that.
  • Employees who use mobile devices for both work and personal matters tend to put in more hours per year – some surveys suggest as many as 240 more hours per year – than those who do not.
  • Given the above, businesses that do not implement BYOD may find themselves at a competitive disadvantage.

How to Do BYOD Safely

First of all, more and more organizations are implementing some form of mobile device management (MDM). According to the Check Point survey, 56% of organizations were managing the business data that exists on personal devices, up from 37% in 2013. There are numerous MDM products on the market, but I would suggest that managing the mobile device itself is only part of the problem. A complete solution would also include mobile application management (MAM) – some mechanism to deploy secure applications to a mobile device…applications that would be “sandboxed” away from an employee’s personal applications, such that the data accessed by those applications would be isolated from the personal applications, and information could not be copied and pasted from a secure application into a personal application. It would also be nice if the organization could selectively wipe the secure applications and associated data from a mobile device while leaving the employee’s personal data and applications untouched. Citrix XenMobile Enterprise is such a solution, and the following 16 minute video does a great job of demonstrating the XenMobile Enterprise user experience:

And, of course, if your users need access to full-blown Windows applications, not just mobile apps, they can securely access those applications via Citrix XenApp or XenDesktop, as we’ve been doing for years.

Bottom line: BYOD is here to stay. Businesses are increasingly turning to BYOD because of its advantages, even though they recognize that it brings with it significant security risks. It is, however, possible to gain the advantages of BYOD without compromising the security of your company data, and ManageOps, by virtue of our longstanding partnership with Citrix, can help.

ManageOps Cloud NOT Vulnerable to POODLE Attack


In this context, “POODLE” stands for “Padding Oracle On Downgraded Legacy Encryption,” and refers to a specific way to attack SSL-encrypted communications. SSL v3.0 is an older version of the protocol that has a known design vulnerability. Although SSL v3.0 has largely been replaced by TLS, which does not have the same vulnerability, many servers and other systems that accept SSL connections remain backward-compatible, and will fall back to SSL v3.0 if a TLS connection fails.

To exploit this vulnerability, the attacker must be able to control portions of the client side of the SSL connection, and must have visibility of the resulting encrypted text. The most common way to gain this access is via a “Man-in-the-Middle” attack in which the attacker inserts himself into the connection between the two parties, and relays messages between them while making them believe they are talking directly to each other over a private connection. While it is not trivial to gain this level of access, it is possible, particularly in access scenarios such as public WiFi.

If the attacker is able to gain “Man-in-the-Middle” access, it is possible to create a condition under which the connection will fall back to SSL v3.0, unless that fall-back option has been disabled. The attacker can then proceed to exploit the vulnerability.

All SSL connections into the ManageOps hosting infrastructure are terminated by Citrix NetScaler VPX virtual appliances. Citrix has documented the configuration settings required to disable NetScaler fall-back to SSL v3.0, and our engineering team has verified that these settings are applied on all of the NetScalers in our infrastructure.
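The following is an added example (not NetScaler code and not ManageOps’s configuration) that models the fall-back described above: it parses a ClientHello record, applies a server policy that refuses SSL v3.0, and simulates a client retrying downward while an on-path attacker breaks each TLS handshake. It also goes one step beyond the post by honouring TLS_FALLBACK_SCSV (RFC 7507), the signalling cipher suite a client sends to announce that it is falling back; the handshake bytes are constructed inline.

```python
"""Model the SSL 3.0 fall-back and the server-side fix (refuse SSL 3.0).
Added example with constructed ClientHello records; not NetScaler code."""
import struct

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSION_NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
# RFC 7507 signalling suite (not covered in the post): a client includes it in a
# retried, lower-version handshake to tell the server it is falling back.
TLS_FALLBACK_SCSV = 0x5600
AES128_SHA = 0x002F  # an ordinary cipher suite for the constructed hellos


def build_client_hello(version, suites, random_bytes=b"\x11" * 32):
    """Construct a minimal ClientHello record (no extensions); test input only."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes(version) + random_bytes + b"\x00"           # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # cipher suites, null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the client_version and cipher suites from a raw ClientHello record."""
    ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a Handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_version = (hello[0], hello[1])
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + hello[pos]                          # skip the session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"record_version": (rec_major, rec_minor),
            "client_version": client_version, "cipher_suites": suites}


def server_decision(hello, sslv3_enabled, server_max=TLS12):
    """Return 'accept <version>' or the alert a hardened server sends instead."""
    ver = hello["client_version"]
    if ver < TLS10 and not sslv3_enabled:
        return "alert protocol_version"            # SSL 3.0 off: the fall-back has nowhere to land
    if ver < server_max and TLS_FALLBACK_SCSV in hello["cipher_suites"]:
        return "alert inappropriate_fallback"      # client says it was downgraded; refuse
    return "accept " + VERSION_NAMES[min(ver, server_max)]


def downgrade_dance(sslv3_enabled, blocked, send_scsv=False):
    """Model a fall-back-capable client retrying downward while an on-path
    attacker silently breaks every handshake whose version is in `blocked`."""
    for ver in (TLS12, TLS11, TLS10, SSL3):
        if ver in blocked:
            continue                               # handshake never completes; client retries lower
        suites = [AES128_SHA] + ([TLS_FALLBACK_SCSV] if send_scsv and ver != TLS12 else [])
        hello = parse_client_hello(build_client_hello(ver, suites))
        return server_decision(hello, sslv3_enabled)
    return "connection failed"


if __name__ == "__main__":
    attacker_blocks_tls = {TLS12, TLS11, TLS10}
    print("fall-back allowed :", downgrade_dance(True, attacker_blocks_tls))
    print("SSL 3.0 disabled  :", downgrade_dance(False, attacker_blocks_tls))
    print("no interference   :", downgrade_dance(False, set()))
```

With SSL v3.0 enabled the forced fall-back ends on SSL 3.0; with it disabled the same interference produces a protocol_version alert and the connection fails closed.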

October 2014 ManageOps Partners

ManageOps signed a new partner to its Cloud Hosting Partner Program in October 2014. A big welcome to:

Apollo Blue of Chicago, IL.

A collaboration with ManageOps ensures that, for customers, the technology running a business becomes almost invisible to its users. By becoming a partner, you can keep your current in-house or managed services customers who want to move into a cloud-based system without having to build your own environment. To learn about our partner program please visit www.ManageOps.com/partners.