Infinity Network Solutions

Outsourced IT: Do You Need Your Own Staff?

Wed, 05 Sep 2018 14:14:52 +0000

Running a business is a full-time job, and small-to-medium sized businesses (SMBs) in particular can often find their in-house IT resources stretched to capacity. As a result, it’s difficult to devote the necessary time and effort to deploying and managing the latest business technologies.

This is leading an increasing number of companies to outsource part or, in some cases most, of the day-to-day maintenance of their IT operations to third-party providers. Fueled by the growth of cloud computing, IT managed service providers (MSPs) can host and manage customers’ IT infrastructure more flexibly and more efficiently than ever.

But it’s not just SMBs that don’t have the time to manage their in-house IT operations, and so are opting to outsource–there are several reasons why companies are moving in this direction. Whether it’s to lower costs, improve security, scale their IT faster or get a greater return on their investments, an increasing number of organizations are turning to MSPs.

What Are IT Managed Services?

The MSP model is based on customers paying on a recurring basis for remote IT services, such as desktop and network management, applications management, remote help desk, and backup and disaster recovery. This means that as a customer, you only incur an operational expense based on your capacity and usage, as opposed to the large upfront capital investments associated with purchasing on-premises infrastructure.

It’s an option that has gained traction in recent years, with smaller companies especially attracted to the model’s fluidity. An April 2018 survey of 1,116 U.S. SMBs by analyst firm Techaisle shows that 46 percent of SMBs currently outsource their IT, and another 29 percent plan to do so.

“SMBs are dealing with an ever-expanding portfolio of increasingly complex applications and platform technologies. At the same time, these firms are struggling to rein in IT-related expenditures, including staff-related costs,” Techaisle’s chief analyst and CEO, Anurag Agrawal, tells Tom’s Hardware.

“This combination of increased reliance on technology as a key element of business success, burgeoning complexity and cost constraint has created a ‘perfect storm’ for use of managed services.”

Growing Your Business

Enlisting an MSP takes pressure off your IT department, and by outsourcing the critical day-to-day support and maintenance of your IT estate to an expert, more resources can go toward growing your business. In fact, 46 percent of the SMBs Techaisle questioned said working with an MSP helps them grow their business.

“Many of our SMB customers are trying their best to get out of the IT business,” David Huseonica, president and CEO of Georgia-based MSP Cloud AG, tells Tom’s Hardware. “With the option of cloud applications and outsourced IT, their attitude on buying, managing and maintaining their own servers has changed in that it is no longer viewed as necessary.”

Larger SMBs, also known as mid-market firms, also often use managed services as a means of augmenting their current staff: for example, delivering on niche specialties or covering standard tasks so that in-house resources can move on to new initiatives.

Addressing IT Complexity

A business’ reasoning for hiring an MSP can be as simple as lacking an in-house IT department. Many small companies with just a handful of employees rely on the most ‘technically savvy’ ones to take on the role of help desk when problems arise with devices, software or the network.

But as Estelle Johannes, director of member communities at IT industry association CompTIA, points out, as your company grows and your IT needs become more complex, this won’t cut it. You will either need to look to hire an IT person internally or hire an MSP to take on the management of your network on contract, as you would with any other utility, such as electricity or water.

“Depending on the extent of your IT needs, a full-time, in-house person makes sense if they are utilized consistently with the wages they are being paid. But if your IT needs ebb and flow or are mostly low-grade with few major initiatives, an MSP that offers pricing commensurate with technology usage or consumption might be the more cost-effective way to go,” Johannes told Tom’s Hardware.

The push to cloud services can also be a factor in deciding to bring managed services to your organization. Cloud AG’s Huseonica tells us that while some companies choose to outsource their IT due to the initial cost savings, that’s not the only driver. Many value the fact outsourcing frees them up to concentrate on other revenue-generating activities for the business. Additionally, the cloud enables them to scale their IT as per their demands.

Credit: Shutterstock | Mark Agnor

Offloading Day-to-Day IT Management

Another reason for adopting managed services is to offload routine IT tasks, such as system updates, user help desk and employee changes. These activities don’t necessarily require the highest skill level, but they are constant.

“You may find that your pet development projects seem to drag on and on because the IT department is always busy with keeping devices, networks and security running and up to date,” says Johannes, referencing the Gartner bimodal IT model.

According to Gartner, bimodal IT is the practice of managing two separate, coherent modes of IT delivery, one focused on stability and the other on agility.

“Rather than bring in more highly skilled and highly paid IT staff to take on Mode 1, you can offload the day-to-day tasks to the MSP, leaving in-house IT staff to take on Mode 2 and execute on the business-enabling and revenue-driving digital transformation projects stacking up in their queue,” Johannes explains.

Filling the Cybersecurity Skills Gap

IT security is another area where more businesses are turning to MSPs.

“Many companies can’t compete with today’s sophisticated cyber adversaries,” Susie Cummings, SVP of managed services at Chicago-based IT consulting firm, SWC Technology Partners, tells us. “To source and hire an in-house security team isn’t an option for many SMBs—it takes a lot of time, isn’t cheap and it’s nearly impossible to find the right combination of skills and expertise—this has led to an increase in outsourced security. As cyberattacks continue to rise, IT security management has become even more complex and expensive.”

Research by Kaseya, which makes software for MSPs, titled 2018 State of IT Operations for Midsize Enterprises, found that one in three SMBs has experienced a security breach in the last five years and more than one in 10 has experienced one within the last 12 months.

Cummings notes that by outsourcing IT, companies also gain an increased confidence in their ability to prevent or quickly detect and respond to cyber attacks at any time of day.

“Cybercriminals don’t work office hours on Monday to Friday, so having 24/7 / 365 support from security consultants who have expansive practical experience and access to advanced detection technologies helps close those security gaps to protect your customer data and keep your business moving forward.”

Cost Savings

Aside from the operational advantages of outsourcing IT, the other big attractions are the financial benefits. With monthly subscription pricing, businesses avoid large upfront costs for new software and servers and move the cost of IT from a capital expense to an operating expense. By offering a predictable monthly subscription plan, organizations know exactly how much they are spending on IT each month and can plan their budgets accordingly.

Plus, you can scale your IT up or down depending on your business’ requirements, offering greater control over your company’s IT environment and reducing needless spend on IT.

Credit: Shutterstock | Twinsterphoto

Is Outsourcing for Everyone?

While the benefits of outsourcing your IT are clear, it may not necessarily be practical to offload the management of all your IT to an outside company.

You may work in an organization that, due to geographic or connectivity reasons, needs to retain at least some of its IT infrastructure on premises: for example, if there is a latency problem moving data between locations. Alternatively, your company’s policy requirements may have established rules around the management of data, often for regulatory and/or data sovereignty reasons, that would make it necessary to keep confidential data or systems on premises.

For these reasons, it’s not practical for most firms to outsource 100 percent of their IT. Many will adopt a hybrid approach to outsourcing, choosing to maintain some systems in-house.

Nevertheless, as an IT consumption model, outsourcing continues to prove popular, particularly for small companies. “A substantial and rapidly-growing segment of U.S. SMBs are using some combination of managed services to support IT and business requirements,” says Agrawal, who adds that “the ranks of managed services users are poised to swell further within the next 12-24 months.”

by Christine Horton September 2, 2018 at 2:02 PM

https://www.tomshardware.co.uk/it-outsourcing-versus-staff,review-34530.html

The post Outsourced IT: Do You Need Your Own Staff? appeared first on Infinity Network Solutions.

]]>

Vulnerabilities in Fax Protocol Let Hackers Infiltrate Networks via Fax Machines

Tue, 14 Aug 2018 14:47:54 +0000

By Catalin Cimpanu

August 13, 2018

Two recently discovered vulnerabilities in the fax protocol can transform fax machines into entry points for hackers into corporate networks, two Check Point researchers revealed last week in a talk given at the DEF CON 26 security conference held in Las Vegas.

Named “Faxploit,” this attack targets the ITU T.30 fax protocol, according to a copy of the DEF CON presentationgiven by Eyal Itkin and Yaniv Balmas last week.

More specifically, Faxploit leverages two buffer overflows in the fax protocol components that handle DHT and COM markers —CVE-2018-5924 and CVE-2018-5925, respectively.

Fax machines used as entry points into corporate networks

Itkin and Balmas say that an attacker can send malformed fax images to a fax machine containing code that exploits these two vulnerabilities and then gain remote code execution rights over the targeted device, allowing the hacker to run his own code and take over the machine.

From here, they say that an attacker can download and deploy other hacking tools that scan the local network and compromise nearby devices.

The two researchers have recorded a demo of a Faxploit attack that compromises a fax machine and then uses this machine to download and deploy the EternalBlue exploit that infects nearby computers exposed via the SMB protocol.

Faxploit carried out via phone lines, not Internet connection

Itkin and Balmas say the Faxploit attack is dead simple, as a hacker only needs the victim’s fax number to target an organization.

Since most organizations print fax numbers on their websites, and Google has indexed over 300 million fax numbers, hackers can use Faxploit to target any organization around the world they want.

Furthermore, no direct Internet connection is needed to the actual fax machine as the attack code comes in via the phone line. This also makes preventing Faxploit almost impossible, as no security software scans incoming faxes.

The only way to prevent Faxploit attacks is to apply patches to individual fax machines and all-in-one office printers, which also come with an embedded fax machine.

HP released patches, other fax vendors vulnerable too

At the time of writing, only HP has addressed Faxploit. The company released patches last week for HP Officejet all-in-one printers, the fax machine that the Check Point researchers used for recording their demo video.

“We strongly believe that similar vulnerabilities apply to other fax vendors too as this research concerns the fax communication protocols in general,” Check Point said today.

But while other vendors test their devices and release patches in the coming months, there is also a way to limit the impact of Faxploit attacks, if they ever happen.

Itkin and Balmas say the simplest defense to neutralize Faxploit attacks is network segmentation. By breaking large corporate networks into smaller ones or by isolating fax machines on their own subnetworks, companies can limit the type of data an attacker can gain access to via this attack.

https://www.bleepingcomputer.com/news/security/vulnerabilities-in-fax-protocol-let-hackers-infiltrate-networks-via-fax-machines/

The post Vulnerabilities in Fax Protocol Let Hackers Infiltrate Networks via Fax Machines appeared first on Infinity Network Solutions.

]]>

[Heads-Up] Warn Your Employees. This Is the Year That Sextortion Spear Phishing Is Skyrocketing..

Tue, 07 Aug 2018 14:01:32 +0000

[Heads-Up] Warn Your Employees. This Is the Year That Sextortion Spear Phishing Is Skyrocketing…

Intrepid cyber-investigative reporter Brian Krebs noticed that a story published on his blog July 12 about a new sextortion-based spear phishing scheme—which uses a real password used by each recipient—had become his most-read piece since his site launched in 2009.

He commented: “And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).

But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale.

And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness.”

Krebs is right, this is only the start and most of these passwords were old. Cyber criminals test scams like companies test marketing campaigns and if the response rate is high enough in the beta, they go full-scale.

The Problem: 50% of Casually Dating Men Watch Porn Weekly

The Institute for Family Studies recently confirmed what everyone more or less already knew, but since last year there are hard numbers. Men are more likely than women to view pornography, and this is particularly true of viewing porn regularly on a daily or weekly basis.

A whopping 50% of casually dating men watch porn weekly, and this percentage only drops to 40% when they are seriously dating, and 20% for engaged or married.

Unfortunately, looking at this from a “criminal marketing perspective” the total addressable extortion market is massive.

Cyber gangs will start using fresh hacks, with recent and real passwords, highly likely combined with other personal data that was sourced from the dark web and appended to the record using big data technology. This method is also going to be used by the tech support scam artists in a variety of ways.

It’s almost a matter of: “What took you so long?”, I have been warning you here for a while that this was imminent.

Phishing Continues to Be on the Rise in 2018

The Anti-Phishing Working Group (APWG) most recent report (link to PDF in blog) covers the phishing trends found in Q1 of 2018.
https://blog.knowbe4.com/phishing-continues-to-be-on-the-rise-in-2018

The highlights of the report included:

Over 11,000 phishing domains were created in Q1
The total number of phishing sites increased 46% over Q4 2017
The use of SSL certificates on phishing sites continues to increase to lull visitors into a false sense of security and site legitimacy.

All three of these trends add up to one thing – the bad guys are rapidly becoming more sophisticated. The higher the threat levels they can establish through targeted spear phishing attacks which leverage very private information, the more successful the campaign.

I suggest you send the following to your employees. You’re welcome to copy, paste, and/or edit. You might want to coordinate with HR on this one.

Sextortion is a serious internet crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.

Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.

Turn off [and/or cover] any web cameras when you are not using them.

If you receive an email that claims they have video of you viewing pornography, do not answer, delete the scam email and do not pay any amount in any form.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

Full blog post with links to articles. Please forward this one to your peers:
https://blog.knowbe4.com/heads-up-warn-your-employees.-this-is-the-year-that-sextortion-spear-phishing-is-skyrocketing?

The post [Heads-Up] Warn Your Employees. This Is the Year That Sextortion Spear Phishing Is Skyrocketing.. appeared first on Infinity Network Solutions.

]]>

Attacks Evolving – Phishing via XPS Files

Fri, 13 Jul 2018 20:28:13 +0000

Uptick in Phishing Attempts via XPS file extensions

We’ve seen it time after time, malicious actors routinely attempt to confuse recipients of messages with obscure or lesser-utilized file extensions.

Over the past month, some phishing attempts using xps files instead of the typical pdf or doc/docx formats have been captured by our filters. The xps file format is Microsoft’s alternative to pdf files. Windows machines with Vista or later operating systems natively support this extension with Windows xps file viewer. Actors have started taking advantage of this lesser-utilized format for their phishing campaigns.

Phishing Examples

Our SecureTide email filtering has captured a wide range of these phishing messages. So far, they appear to be attributed to threat actors currently conducting Business Email Compromise (BEC) attacks. Attacks originate from legitimate (compromised) senders with the similar techniques, tactics, and procedures. Below is an example which could easily dupe unsuspecting users.

Viewing the XPS File

Users should not open or view unsolicited attachments, even from a known sender without intense scrutiny and/or verification. Scammers do exploit the trust that known contacts share. Hopefully a user will never see one of these, however, this is what these attached files look like when opened in an isolated test environment.

Linked Phishing Portals

If the user happens to click on the link in the attached xps file (pictured above), below is an example web phishing portal they might encounter. For this particular one, the first screen requests their email address. If they proceed with entering it, the next image shows the resulting page requesting their email credentials.

After entering email address:

Filter Evasion Techniques

Malicious actors are attempting to use filter evasion techniques. They break up the suspicious phishing text via canvas clip mappings inside deeply embedded fpage files. An image portion below displays how they used multiple canvas clip mappings to stitch together the words, “open with your professional email login credentials.”

Minimal Anti-Virus Signatures for XPS Files

Most anti-virus engines do not have many phishing rules setup for the xps extensions like they would for more commonly used ones. We can see this example received 0/60 hits when processed thru a popular anti-virus engine aggregator.

AppRiver Protection

There is no shortage of spam, malware, phishing, or nefarious websites AppRiver’s staff and systems continuously protect and defend against. Malicious actors work around the clock, therefore, we at AppRiver work even harder to stay one step ahead. Our team is here 24/7 365 days a year protecting and supporting clients and partners from security threats.

POSTED BY DAVID PICKETT IN DIGITAL DEGENERATE, PHISHING, SECURETIDE, SECURITY RISKS, TECH NEWS

https://blog.appriver.com/2018/05/bec-attacks-evolve-to-phishing-via-xps-files-appriver

The post Attacks Evolving – Phishing via XPS Files appeared first on Infinity Network Solutions.

]]>

SEND AND RECEIVE LARGE FILES SECURELY

Thu, 15 Mar 2018 22:03:12 +0000

A NEW PARTNERSHIP WITH LIQUIDFILES

Infinity Network Solutions has partnered with LiquidFiles. Our partnership allows us to provide a solution to send and receive large files securely, fast, that has ease of use, manageable, flexible and is brandable.

A perfect solution for any professional office that sends large, confidential files. Excellent, competitively priced alternative to paid programs such as Citrix, ShareFile and Dropbox.

Features and benefits of LiquidFiles:

Send and Receive Unlimited File Size — LiquidFiles does not have the very common 2 Gb file size limit common in competing solutions and cloud services. LiquidFiles is limited only by the disk size you assign to it, enabling you to send anything from DVDs to massive CAD drawings without having to worry about file size limitations.
Transfer Speeds— Running a system on your own network is always going to be faster than a cloud service. When sending multi-gigabyte files, the transfer time can easily be several hours less, being the difference of getting there before close of business today instead of first thing tomorrow morning, like an old-school courier delivery.
Security — When something is installed in your own network, in your security perimeter, in your control, with your security configuration. It will always match your security requirements with no questions raised of who might also get access to your secret and sensitive data. With Infinity Network Solution’s partnership with LiquidFiles you will feel safe that your data is secure.
Branding — You can make LiquidFiles look like a complete internal solution with your own logos, colour scheme and no LiquidFiles branding on anything that your users, customers or partner sees. Every user visible text string and all emails sent from the system is changeable to your liking. You will look like a pro.
Self-Managing — LiquidFiles is built to be as easy to use as it can possibly be, and as self-managing as possible. All files sent have an expiration date and will be automatically deleted at the time of expiration. You can assign roles based on LDAP/Active Directory Group belongings and almost all settings are configured on a per group basis and so on. All of this is to make ongoing maintenance a breeze with as little ongoing configuration as possible, leaving more time for you to focus on other things.

As a LiquidFiles partner, Infinity Network Solutions enjoy partner pricing and support from LiquidFiles to integrate the solution into our client’s environments to ensure happy joint customers and an overall integrated security capability.

The post SEND AND RECEIVE LARGE FILES SECURELY appeared first on Infinity Network Solutions.

]]>

Turns out the Equifax hack was even Worse than we Thought

Wed, 21 Feb 2018 19:21:00 +0000

The largest breach of 2017 may have been even more serious than initially thought: The cybercriminals behind the Equifax hack accessed user data not previously disclosed by the company, including tax identification numbers, email addresses, and driver’s license information, The Wall Street Journal reported.

The criminals behind the Equifax breach accessed user data not previously disclosed by the company, including tax identification numbers, email addresses, and driver’s license information (as described several months ago in a press rele ase ) .
The Equifax hack and its aftermath should serve as a wake-up call to enterprises about the importance of strong cybersecurity practices.

The Equifax breach, first disclosed in September 2017, impacted 145.5 million people, compromising their names, Social Security numbers, dates of birth, and addresses. The fallout should serve as a wake-up call for enterprises about the consequences of poor security practices, and encourage them to keep up with cyber best practices, TechRepublic contributing writer Matt Asay noted.

The additional data accessed was uncovered by Senate Banking Committee member Elizabeth Warren, after a five-month investigation detailed in a Friday letter to acting Equifax chief executive Paulino do Rego Barros.

It is not yet clear how many of the 145.5 million people are affected by the additional data accessed, the Journal noted.

“We are fully aware — and have been — of the data that was stolen,” Equifax spokesperson Meredith Griffanti told our sister site ZDNet. Griffanti said that the company had always been clear about the data “primarily included” in the breach, but that it has recently given the Senate Banking Committee information “that may have been accessed that we categorized and analyzed in the forensic investigation.”

“We sent direct mail notices to those consumers whose credit card numbers or dispute documents with [personal data] were impacted,” Griffanti told ZDNet.

Equifax’s response to the breach has been widely criticized: First, the company established a data breach checker that was essentially useless. Then, it tweeted a link to a fake phishing site in an attempt to direct affected customers to their support site.

The post Turns out the Equifax hack was even Worse than we Thought appeared first on Infinity Network Solutions.

]]>

Cisco Report: Bad Privacy, Cybersecurity Procedures Causing Companies To Lose Sales

Mon, 05 Feb 2018 21:32:34 +0000

A new report from Cisco showed that two-thirds of companies are currently losing sales because of their customers’ growing privacy concerns, which prolong the sales process. Similarly, bad cybersecurity practices are costing companies millions to hundreds of millions of dollars in repairing data breach damage, as well as lost revenue.

2018 – The Year Of Strong Data Protection?

Privacy is quickly becoming a bigger factor in companies’ sales, according to Cisco’s 2018 Privacy Benchmark Maturity. Privacy policies are longer just legalese meant to keep companies out of trouble, because if done wrong, many businesses risk losing sales from potential customers.

Over 65% of the companies questioned by Cisco have already admitted that data privacy concerns are delaying their sales process. Over 90% of the companies reported delays up to 20 weeks, while the average delay was 7.8 weeks.

A significant number reported delays between 50 to 100 weeks. This means the sales process can take at least 1-2 years longer simply because their customers don’t feel satisfied with the companies’ existing focus on privacy.

The delays don’t just mean that the customers will buy the products later than they would otherwise, because some of them end up either not buying the product at all or buying it from a competitor. Therefore, bad privacy policies can lead not just to lost sales but also to a loss of market share to competitors’ benefit.

The study shows that the longest sales delays happened in Latin America (an average delay of 15.4 weeks), Mexico (13 weeks), and Japan (12.1 weeks). The shortest delays were reported in China (2.8 weeks) and Russia (3.3 weeks).

In terms of industry, government and healthcare sales saw the biggest delays due to cybersecurity and privacy concerns.

Privacy-Immature Companies Most At Risk

The report also found that companies that didn’t take privacy too seriously were the most impacted by these delays. Cisco benchmarked the privacy-maturity of companies based on standards defined by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). These standards are defined as follows:

Ad hoc — Privacy procedures or processes are generally informal, incomplete, and inconsistently applied.
Repeatable — Privacy procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.
Defined — Privacy procedures and processes are fully documented and implemented, and cover all relevant aspects.
Managed — Reviews are conducted to assess the effectiveness of the privacy controls in place.
Optimized — Regular review and feedback are used to ensure continuous improvement towards optimization of privacy processes

Companies that had a “defined” privacy procedures, saw a 70% improvement in sale processes compared to the companies that had “ad hoc” or informal and incomplete privacy procedures.

Privacy-Mature Companies Are More Secure

Companies that are privacy-mature are not only seeing much shorter sales processes, but are also more protected against data breaches. Only 39% of the privacy-mature companies saw losses of over $500,000 compared to the 74% of the privacy-immature companies. According to Cisco, the lower damages that privacy-mature companies see may also have something to do with them gathering less data than the immature companies.

As hackers become more sophisticated in breaking into large organizations, it may be a good idea for companies to treat customer data as more of a liability than an asset, at least data that isn’t required for the functioning of the product or service. Then, if a data breach does happen, at least the damage will be minimized and the companies won’t have to suffer as large of a hit to their public image.

Maersk Chair: Companies Need To Stop Being Naive About Cybersecurity

Recently, the giant shipping company Maersk suffered a devastating cyber attack through the NotPetya malware. After the attack, the company had to essentially replace its whole infrastructure and reinstall 45,000 PCs and 4,000 servers. This task, which the chair Jim Hagemann Snabe said would have normally taken six months, was performed in a record 10 days. However, even though getting rid of NotPetya from its large infrastructure took a relatively small amount of time, this single attack still ended-up costing the company $250-$300 million, part of which was due to losing 20% of the sales in that period.

At the World Economic Forum in Davos, Snabe said that this incident should be a significant “wake-up call” for every company out there, because it could be them next. He also talked about three important lessons that the company learned during this whole incident:

Cybersecurity needs to become their competitive advantage, and being mediocre like everyone else is no longer enough. This is a lesson he argued more companies should learn sooner rather than later.
Companies need to stop being naive about cybersecurity. Many companies will experience their own similar data breaches in the future if they don’t treat cybersecurity in a more proactive, rather than reactive way.
There is a need for a radical new and more secure infrastructure for the internet, as everything we do becomes more digitized, and thus more at risk of suffering cyber attacks.

This year may be the year when do get this wake-up call that cyber security and data privacy and protection is important not just for the customers who give their data away to the companies, but also for the companies themselves if they don’t want to lose sales of suffer major disruptions because of poor data protection procedures.

by Lucian Armasu January 26, 2018 at 10:10 AM – Source: Cisco

The post Cisco Report: Bad Privacy, Cybersecurity Procedures Causing Companies To Lose Sales appeared first on Infinity Network Solutions.

]]>

The device you’re using right now has a big security flaw — but you don’t have to panic

Sun, 07 Jan 2018 20:53:16 +0000

There’s almost certainly a critical security flaw or two in the device you’re using to read this story — but you don’t have to panic.

To varying degrees, the flaws affect processors found in virtually all computers and phones, and could allow an attacker to access data stored in a device’s memory that should typically remain private.

The researchers announced the discovery publicly this week — calling the two bugs Meltdown and Spectre — and warned the security of everything from passwords and encryption keys to documents and photos could be at risk.

‘One of the worst CPU bugs ever found’
But while the problem is serious, and an inherent part of how most modern computer processors are designed to function, there are already efforts to minimize the impact and help you get on with your life.

What do I need to do?

For most people, the same advice as usual applies: Make sure the applications and operating systems on your phones, laptops, and other devices are up to date.

If you’re using a Mac, iPhone, iPad, or Apple TV, Apple recently rolled out an update that attempts to mitigate the problem, with more fixes on the way, according to the company.

Google says the latest version of Android already contains the necessary fixes, while Microsoft pushed out an automatic update for Windows users Wednesday night.

Computers running Microsoft’s Windows operating system should automatically receive a software update designed to mitigate the Meltdown flaw disclosed by researchers this week.

PC users will also require a separate CPU update from whoever made their device (for example, Lenovo or HP). “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,” the chipmaker said in a press release.

You’ll also want to update apps like your web browser and anti-virus software when they become available. Developers are beginning to roll out fixes to make it more difficult for sensitive user data to be accessed.

What are these updates trying to fix?

The two flaws let attackers access parts of a computer’s memory that they shouldn’t normally have access to, by abusing the way that computer processors are designed to handle information more quickly.

One of the flaws, called Meltdown, allowed the researchers to access data stored in the kernel — the core of a computer’s operating system, which runs in a protected part of a computer’s memory, and effectively watches over everything your computer does.

By design, applications can’t access the kernel, a protection that’s built into the hardware of the CPU itself. But the researchers found a way around that, giving them access to the kernel and, from there, any data stored in a computer’s memory — which could include everything from passwords to photos. This attack has only been found to work on processors made by Intel.

“The bug basically melts security boundaries which are normally enforced by the hardware,” the researchers wrote.

HOLIDAY SHOPPING

One of the software flaws identified by researchers only affects processors made by Intel, while the other affects AMD and Intel chips as well. The processors are found in virtually all modern phones, computers, and servers.

The other flaw, called Spectre, allowed researchers to target data that applications store in a computer’s memory directly (typically, applications can’t access the memory used by other applications).

It’s related to Meltdown, but differs in a number of ways that the researchers detail in a pair of technical papers. This attack was found to work on Intel, AMD, and even ARM processors, which are commonly used in mobile devices such as smartphones and tablets.

How would someone attack?

The same way that most other types of attacks work: by gaining access to your computer.

As such, the usual advice for dealing with malicious software applies here too. Install updates when they become available, and always scrutinize the apps you install, the files you open, and the links you click.

But everything will be fine now, right?

Sort of. While Meltdown can be patched, Spectre will be much more difficult to defend against long-term because of the way that CPUs are designed — and that’s worrying, because it’s the vulnerability that affects a far wider range of chips.

The researchers say any Spectre-specific software patches for applications, operating systems or CPUs should be considered stopgaps while more research takes place.

“As it is not easy to fix, it will haunt us for quite some time,” the researchers wrote.

All of the big cloud providers — Amazon, Google and Microsoft — say their systems have been updated to help prevent Meltdown-style attacks, but customers are being advised to patch their own systems as well.

Who’s most at risk?
Home users aren’t at any more risk than usual when new bugs and flaws are discovered, as long as you install your updates.

For cloud computing providers on the other hand, this is a nightmare scenario.

In the cloud, multiple customers typically share the resources of a more powerful computer by running their applications and services in a so-called virtual machines. However, the researchers warn Meltdown can be used to access data from beyond the virtual machine — data from the host computer, or even inside other customers’ virtual machines.

All of the big cloud providers — Amazon, Google and Microsoft — say their systems have been updated to prevent Meltdown-style attacks, but customers are being advised to patch their own systems as well.

Why do these issues even exist? The researchers sum it up pretty nicely in one of their papers: “The vulnerabilities in this paper, as well as many others, arise from a longstanding focus in the technology industry on maximizing performance” — but at the expense of security.

In fact, the flaws detailed by researchers this week are so fundamental to the design of modern processors that the only way to truly prevent any attacks is for Intel, AMD and ARM to redesign their chips. In fact, the Software Engineering Institute’s Computer Emergency Response Team (CERT) was especially blunt in its proposed solution: Get a new CPU.

Of course, that’s not going to be practical for most people and businesses, and so hardware and software companies are attempting to mitigate the two flaws’ effects with software updates the best they can.

By Matthew Braga, CBC News Posted: Jan 04, 2018 4:11 PM ET

The post The device you’re using right now has a big security flaw — but you don’t have to panic appeared first on Infinity Network Solutions.

]]>

The 3 Organizing Principles of Digital Transformation

Sat, 14 Oct 2017 01:13:41 +0000

Find out how investing in human capital, getting value from data and aligning APIs can help your business transform.

Why is it important for organizations to embrace digital transformation? Ask anyone who used to make their living running a video store, selling encyclopedias or driving a taxi.

Consumer demands haven’t changed much: People still watch movies at home, look up information on obscure topics and need rides around town. But the companies that identified early on how technology would change these industries (Netflix, Google and Uber, among others) are now dominating these sectors.

“The real challenge is how to help your organization align the answers between what business you’re currently in and who you want your customers to become,” says Michael Schrage, research fellow at the MIT Center for Digital Business. “That requires you to think about innovation as something beyond what will make your products or services faster and better. You also need to think about who you want your customers to become and how new technology transforms your customers, not just your business.”

With so many emerging technologies in the marketplace today — often touted as “disruptive” and “transformative” — it can be difficult for executives to discern which will have a tangible impact on the future of their organizations and which will prove to be overhyped.

Schrage offers three organizing principles to help guide organizational strategies around digital transformation: innovations to human capital investments, design of data-driven virtuous cycles and the alignment of application programming interface (API) capabilities.

1. Focus on Both Employees and Customers

“If you’re wondering how to collaborate to create more valuable innovation,” says Schrage, “you should begin by asking a new question: ‘How can innovation create more valuable people?’”

The “people” Schrage is talking about include both employees and customers. Of course, technology can dramatically increase productivity among users, allowing them to perform key aspects of their jobs more quickly while often simultaneously improving the quality of their work. But Schrage says enterprises should also try to use technology to create “better customers.”

“We want to use technology not just to help people do a better job at work, or have a better user experience,” Schrage says. “We want to enable them to do better jobs and have better user experiences in ways that make them more valuable to the business, and make the business more valuable to them.”

Schrage says examples of this approach can be found throughout history, including the first mass production of automobiles. Henry Ford didn’t just introduce affordable vehicles to America, Schrage argues; Ford also essentially taught the entire country how to drive.

“I believe the most important innovation [by Ford] was not the mass production of automobiles,” Schrage says. “It was the mass production of driving, the human capital of driving.”

For a more recent — and almost as ubiquitous — example, Schrage points to Google. “What makes Google work?” Schrage asks. “The page rank algorithm. Google doesn’t just search. It creates searchers. Google may be in the search business, but what Google has effectively done is cultivated and harvested the human capital of its users. Everybody essentially works for Google, and they like it.”

2. Squeeze Value Out of Your Data

As mobile applications, Internet of Things (IoT) technologies, wearable devices and other digital tools create exponentially more data, organizations risk becoming bogged down with data management processes that don’t create significant value.

“Don’t ask the old IT question, ‘How do we manage 100 times more data?’” Schrage says. “Instead, ask, ‘How do we get the value out of 100 times more data?’”

That value, Schrage says, is often the result of a “virtuous cycle” — the way organizations create data through customer interactions and other processes, use that data to inform and improve their operations, then collect new and better data from those improved processes, and on and on.

For example, Facebook collects and analyzes data from its hundreds of millions of users and then uses that data to fine-tune its user experience. Similarly, Uber collects data on its riders and then uses that data to attract and retain riders, which has led to its explosive growth. Amazon would be worth only a fraction of its current value if its business model were limited to selling items online and then shipping them to customers. Instead, the retailer tracks purchases and product searches, and then uses the resulting data to promote certain products, make recommendations and optimize pricing.

Don Barker, an enterprise collaboration consultant with CDW, notes that data can also help organizations optimize how they’re using their technology solutions. For example, he cites collaboration tools that enable users to meet remotely. “We use the analytic extension on the back end to measure, to ensure that people are using the tools correctly,” he says.

“It’s not just you deliver this, you deliver that,” says Schrage. “Things feed and play off of one another. I think, going forward, our challenges are going to be around what kind of virtuous cycles our technologies are creating, and how we go to our line-of-business counterparts and make the case that we in IT enable a higher return on investment.”

Technology vendors are starting to leverage this data to improve the solutions they deliver. For example, Cisco Systems integrated data analytics into its collaboration solutions to help organizations understand how these tools — and their users — work most productively.

“There’s an enormous amount of analytical data, very powerful data that you can bring to bear,” says Mark A. Nash, Cisco’s director of strategy and innovation for worldwide collaboration. “You can leverage the data to improve the way your users meet, interact with each other, and collaborate and communicate.”

3. Use APIs to Make Connections Between Your Business Systems

APIs are essential to the success of IoT technologies, enabling communication and interaction among different systems. For example, when a homeowner remotely adjusts the temperature of a room in his or her house using a mobile app, the app calls on the API controlling the air conditioning system. Or when an event attendee buys tickets online, an API verifies payment information.

Schrage says APIs are “gateways for turning silo-ized processes into interoperable platforms.” Because of this, he says, compatibility among APIs is crucial to most successful digital transformation strategies.

The more connections organizations can make between systems, the more useful these systems become. For example, Cisco has deployed APIs on its Spark collaboration platform that enable organizations to embed the solution into their own applications. Conversely, an organization’s apps can be embedded into Spark. Either approach allows organizations to create new capabilities that greatly enhance both Spark and native applications.

“You have the ability through the APIs to do anything you want with the solution, including the ability to integrate with anything else,” Nash says.

The more systems rely on these processes, the more important API alignment becomes. “Increasingly, one of the economic and financial variables you will be asked is, ‘How do we assess return on API?’” he says.

As the IoT market matures, the greatest value is likely to come from deployments that synthesize numerous systems and utilize data from each of them, multiplying the impact of the technology.

“APIs enable and facilitate interoperability,” Schrage says. “For larger organizations, most coding is stringing together APIs. That’s going to be true for Internet of Things and for a lot of the processes that businesses are managing these days and into the future.”

Biz Tech Magazine, Biz Tech Staff, www.biztechmagazine.com

The post The 3 Organizing Principles of Digital Transformation appeared first on Infinity Network Solutions.

]]>

Why Phishing Attacks Persist Despite Increased Awareness

Fri, 27 Nov 2015 15:26:13 +0000

Phishing attacks are not going away.

They remained a steady tactic used by cybercriminals throughout the first half of 2017, according to the Phishing Activity Trends Report recently released by the Anti-Phishing Working Group (APWG), an international coalition of industry, government, law enforcement and nongovernmental organizations.

In phishing attacks, scammers use fraudulent websites and false emails. Perpetrators attempt to steal personal data, most commonly passwords and credit card information.

The number of unique phishing email campaigns averaged around 98,000 per month in the first half of 2017, with a spike of 121,000 in March. The spike may have been tied to an upswing in the W-2 email phishing scam that the IRS warned about in February. The APWG report contained a number of interesting insights on phishing activity so far this year.

Those launching phishing attacks continued a years-long trend of focusing on only a few hundred companies at a time. This limited scope reflects the additional time and money needed to carry out a successful phishing attack.

Those organizations in the bullseye are attacked on a regular basis from every few weeks to every day, with a small group of firms being targeted more intermittently.

The Industries Targeted Most by Phishing

Among industries targeted by phishing cybercriminals, the payment industry was in the crosshairs 45 percent of the time, with the financial industry and Software as a Service/webmail industry filling out the top three at 16 percent and 15 percent, respectively.

This is a big upsurge in focus on the payment industry, which accounted for only 11 percent of phishing attacks in the fourth quarter of 2016, according to an earlier APWG report.

Attackers are increasingly using free hosting providers as one of the resources to build their campaigns, notes APWG contributor Crane Hassold, manager of threat intelligence for PhishLabs.

“These free hosts are not only easy and cheap to use, but they also allow threat actors to create subdomains spoofing a targeted brand, resulting in a more legitimate-looking phishing site,” Hassold says in the APWG report.

While the total numbers of free hosting-based attacks increased from 1,323 in January to 1,939 in June, the use of free hosting services continued to trend at about 10 percent of the total number of attacks each month.

APWG contributor Axur, a digital risk monitoring company located in Brazil, notes the heavy use of social media platforms such as Facebook, Instagram, LinkedIn and YouTube as phishing attack vectors in South America. Many of these attacks involve users being served up fake login pages that collect username and password information. These platforms accounted for about 39 percent of all phishing attacks among Latin American countries in the second quarter of 2017.

Alexander Slagg, Biz Tech, www.biztechmagazine.com

The post Why Phishing Attacks Persist Despite Increased Awareness appeared first on Infinity Network Solutions.

]]>