TitanHQ News

Network Segmentation Best Practices to Improve Security

Whatever the size of your company, one of the most important security measures to deploy to block threat actors from gaining access to your servers, workstations, and data is a hardware firewall. A hardware firewall will help keep your digital assets secured, but how should your firewall be set up for optimal network security? If you follow network segmentation best practices and implement firewall security zones, you can improve security and keep your internal network isolated and protected from attacks by remote hackers.

Most companies have a well-defined network structure that incorporates a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are sets of servers and systems that have similar security requirements; each zone is a Layer 3 network subnet to which several hosts are connected.

The firewall provides protection by managing traffic to and from those hosts and security zones, whether at the IP, port, or application level.

Network Segmentation Best Practices

There is no single configuration that will be ideal for all companies and all networks, since each business will have its own requirements and required functionalities. However, there are some network segmentation best practices that should be implemented.

Possible Firewall Security Zone Segmentation


In the above depiction we have used firewall security zone segmentation to keep servers separated. In our example, we have used a single firewall, two DMZ (demilitarized zone) segments, and an internal zone. A DMZ is an isolated Layer 3 subnet.

The servers in these DMZ zones may have to be Internet facing in order to function. For instance, web servers and email servers need to be Internet facing. Because they face the Internet, these servers are the most susceptible to cyberattacks, so they should be separated from servers that do not require direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.

In the diagram above, the permitted direction of traffic is shown with the red arrows. As you can see, bidirectional traffic is allowed between the internal zone and DMZ2, which holds the application/database servers, but only one-way traffic is permitted between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been placed in a separate DMZ from the application and database servers for the highest possible protection.

Traffic from the Internet is permitted by the firewall to DMZ1, but the firewall should only permit traffic on specific ports (80, 443, 25, etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not allowed, at least not directly.

A web server may need to connect to a database server, and while it may seem like a good idea to have both of these virtual servers operating on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and located in different DMZs. The same applies to front-end web servers and web application servers, which should similarly be located in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be required, but it should only be permitted on specific ports. DMZ2 can connect to the internal zone only for certain special cases such as backups or authentication through Active Directory.

The internal zone is made up of workstations and internal servers: internal databases that do not have to be web facing, Active Directory servers, and internal applications. It is recommended that Internet access for users on the internal network be directed through an HTTP proxy server located in DMZ1. Remember that the internal zone is isolated from the Internet. Direct traffic from the Internet to the internal zone should not be allowed.

The above setup provides important security for your internal networks. In the event that a server in DMZ1 is compromised, your internal network should still be protected since traffic between the internal zone and DMZ1 is only allowed in one direction.
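The zone policy described above, expressed as a small stateful rule model so the one-way and port restrictions can be checked against sample flows. This is an added example, not TitanHQ's code; the subnets, the proxy port (3128), the DMZ1-to-DMZ2 ports and the Active Directory/backup ports are assumptions, since the page's diagram names zones but no addresses or ports.

```python
import ipaddress

# Constructed addressing for the three zones in the diagram; the page gives no IP ranges.
ZONES = {
    "dmz1": ipaddress.ip_network("192.0.2.0/24"),       # proxy, email and web servers
    "dmz2": ipaddress.ip_network("198.51.100.0/24"),    # application / database servers
    "internal": ipaddress.ip_network("10.10.0.0/16"),   # workstations, AD, internal servers
}

# Stateful allow list: (initiating zone, destination zone, allowed dst ports or None = any).
# Only the connection-opening direction needs a rule; replies ride the established session.
# Anything not listed is dropped. Port choices are assumptions made for this example.
ALLOW_RULES = [
    ("internet", "dmz1", {25, 80, 443}),          # Internet reaches DMZ1 only on mail/web ports
    ("internal", "dmz1", {3128, 25, 443}),        # internal -> proxy (3128 assumed), mail, web
    ("internal", "dmz2", None),                   # internal -> app/db servers
    ("dmz2", "internal", {88, 389, 636, 445}),    # AD authentication and backups only
    ("dmz1", "dmz2", {8080, 5432}),               # web front end -> app/db on fixed ports
]

def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the listed subnets is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Decide whether a new connection may be opened through the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic never crosses the firewall
    for rule_src, rule_dst, ports in ALLOW_RULES:
        if (rule_src, rule_dst) == (src, dst) and (ports is None or dport in ports):
            return True
    return False

def policy_violations(rules=ALLOW_RULES) -> list:
    """Lint a ruleset against the page's invariants; returns the offending rules."""
    bad = []
    for rule in rules:
        src, dst, ports = rule
        if src == "internet" and (dst != "dmz1" or ports is None):
            bad.append(rule)   # Internet may only reach DMZ1, and only on explicit ports
        if src == "dmz1" and dst == "internal":
            bad.append(rule)   # DMZ1 -> internal must stay one-way (internal initiates)
    return bad

# Constructed sample flows: (src, dst, port, what it represents)
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 443, "Internet user to web server"),
    ("203.0.113.5", "192.0.2.10", 22, "Internet to SSH on web server"),
    ("203.0.113.5", "198.51.100.10", 443, "Internet straight to app server"),
    ("10.10.1.20", "192.0.2.10", 3128, "workstation to HTTP proxy"),
    ("192.0.2.10", "10.10.1.20", 445, "compromised web server reaching inside"),
    ("198.51.100.10", "10.10.0.5", 389, "app server to Active Directory"),
]

if __name__ == "__main__":
    print("ruleset violations:", policy_violations())
    for src, dst, port, label in SAMPLE_FLOWS:
        verdict = "ALLOW" if is_allowed(src, dst, port) else "DROP"
        print(f"{verdict:5} {zone_of(src):8} -> {zone_of(dst):8} :{port:<4} {label}")
```

The fifth sample flow is the case L31 relies on: a compromised DMZ1 host cannot open a connection into the internal zone because no rule exists in that direction.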

By complying with network segmentation best practices and using the above firewall security zone segmentation you should be able to improve the security of your network. For greater security, we also recommend using a cloud-based web filtering solution such as WebTitan, which filters the Internet and stops end users from accessing websites known to host malware or those that break acceptable usage policies.

New Geo-blocking Email Security Feature Included in SpamTitan 7.11 Release


A new version of TitanHQ's SpamTitan has been launched that introduces geo-blocking email filtering in addition to many other updates and fixes aimed at enhancing usability.

This new version of the award-winning email security solution adds geo-blocking in response to the high level of demand from existing users. It is included with the solution at no additional cost to the subscription. The geo-blocking feature means that users of the solution can prevent, or permit, emails sent from specific geographical areas from being delivered to their inbox(es). This is done based on the country of the IP address of the mail server that the email is sent from. It adds a further level of security for companies, allowing them to cut off geographic threat vectors and stop malware, ransomware, and phishing emails from landing in inboxes.

A country can be selected and all emails from individuals and groups in that location will be blocked. Doing this can greatly improve your company’s cybersecurity efforts, as the majority of malicious emails originate from a small number of countries. These are, in most cases, countries that most small- to medium-sized businesses do not have any contact with. Because of this, blocking such a country will not have any impact on business, and it could save a lot of money that would otherwise have been lost in addressing a successful cyber attack.

This is simple to configure within the SpamTitan solution. It can be enabled within the SpamTitan Country IP Database. For companies that do not wish to block every group from a specific country or domain, there is a whitelist option which allows you to approve specific senders so that their email is still delivered to the correct inboxes.

Along with geo-blocking, there are a range of other security improvements that have been created to further strengthen the already excellent threat detection and blocking mechanisms within SpamTitan. These include an upgraded sandboxing tool that provides more protection against attacks featuring malware, ransomware, phishing, spear-phishing, Advanced Persistent Threats, and malicious URLs hidden within emails.

Recently reported bugs have been addressed and have resulted in better email rendering in Mail Viewer and the option of removing quarantine report token expiry and improving domain verification.

TitanHQ CEO Ronan Kavanagh said: “Geoblocking has been a much-requested feature and as always we listen to our customers and provide what they need to implement the very best email security they can. After experiencing 30% growth in 2021, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

SpamTitan can be provided as a 100% cloud-based solution or as an anti-spam gateway, which is run as a virtual appliance on existing company hardware. Existing users of SpamTitan Cloud will have their solution automatically updated on September 14, 2021. A full description of the latest updates in SpamTitan 7.11 is available here.

Users of SpamTitan Gateway will need to manually upgrade to the latest version via System Setup > System Updates.


Cybercriminals Stole $1.9m in Southern Oregon University Phishing Attack

A Southern Oregon University phishing attack has demonstrated exactly why so many hackers have opted for phishing to make money. The Southern Oregon University phishing attack involved just one phishing email. The attackers pretended to be a construction company – Andersen Construction – that was erecting a pavilion and student recreation center at the University.

The attackers spoofed the email address of the construction firm and asked for all future payments to be directed to a different bank account. The university then transferred the next payment of €1.9m to the new account in April 2019. The university realized the construction firm had not received the funds three days later. The FBI was made aware of the situation as soon as the fraud was discovered and attempts were made to recover the funds. The university reports that the hackers had not emptied all of the funds from their account, but a sizeable amount of the payment had been withdrawn and could not be recovered. Joe Mosley, a representative for SOU, said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”

In order for a scam like this to be successful, the hackers would need to be aware that the construction project was taking place and the name of the firm that had been awarded the contract. That information is not hard to find, and universities are easy to target as they often have ongoing construction projects.

These attacks are referred to as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email requesting changes to payment information, although these scams need not involve compromising an email account. Spoofing an email account can be just as effective.

Increase in BEC Attacks Prompts FBI Alert for Universities

In this instance, the payment was massive but it is far from an isolated incident. The FBI has issued warnings to universities to be wary of attacks such as this. BEC attacks may not be nearly as common as other forms of cybercrime, but they are the leading cause of losses to cybercrime as the payments made to the attackers are often considerable. Payments are often of the order of several hundred thousand dollars or in some cases millions.

The FBI said that access to a construction firm’s email account is not required. All that is required is for the scammer to buy a domain similar to the one used by the firm. Accounts department employees should carefully check the email address in any request to change banking information or payment methods, as it is common for the domains used to differ from the genuine domain by only one letter. For instance, an L may be used instead of an i, or a zero instead of the letter O.

The Southern Oregon University phishing attack shows just how simple it can be for cybercriminals to pull off a BEC attack. Protecting against BEC attacks requires employees to be vigilant and to use extreme caution when requests are made to alter bank accounts. Such a request should always be verified by some means other than email. A telephone call to the construction firm could easily have identified this scam before any transfer was completed.
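The two controls the post calls for, checking the sender domain for single-character lookalikes and forcing out-of-band verification of any payment-detail change, as an added defender-side example that is not part of the original article. The vendor domain, the homoglyph table and the sample messages are constructed placeholders; a real accounts department would maintain its own vendor list.

```python
# Confusable characters the page mentions (l for i, 0 for O) plus a few common ones; constructed table.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s"})

# Constructed placeholder for the approved-vendor list an accounts department would keep.
TRUSTED_VENDOR_DOMAINS = {"andersen-construction.example"}

# Phrases that mark a request to change where money is sent; constructed list.
PAYMENT_CHANGE_PHRASES = ("new bank account", "updated banking", "change of bank",
                          "remit future payments", "new account number")

def normalize(domain: str) -> str:
    """Fold confusable characters so 'c0nstructlon' and 'construction' compare equal."""
    return domain.lower().translate(HOMOGLYPHS)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted=TRUSTED_VENDOR_DOMAINS) -> str:
    """'trusted' if the domain is on the vendor list, 'lookalike' if it is one
    character or one confusable swap away from a trusted domain, else 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if normalize(domain) == normalize(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"

def triage(sender: str, body: str) -> dict:
    """Decide how accounts staff should handle a message before acting on it."""
    sender_class = classify_sender(sender)
    asks_payment_change = any(p in body.lower() for p in PAYMENT_CHANGE_PHRASES)
    # Every payment-detail change is verified by phone, whoever it appears to come from;
    # a lookalike sender is additionally reported as a suspected BEC attempt.
    return {
        "sender": sender_class,
        "payment_change": asks_payment_change,
        "verify_by_phone": asks_payment_change,
        "report_as_bec": asks_payment_change and sender_class == "lookalike",
    }

SAMPLE_MESSAGES = [  # constructed
    ("ap@andersen-constructlon.example", "Please remit future payments to our new bank account."),
    ("ap@andersen-construction.example", "Invoice 1042 attached for the pavilion works."),
    ("billing@andersen-construction.example", "Change of bank: new account number below."),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        print(sender, triage(sender, body))
```

The third sample shows why the phone check is unconditional: a genuine vendor domain can still be a hacked account, which the post notes is the usual BEC variant.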

Some Credit Unions Still Lacking Strong Email Security

It is well known that financial institutions are an ideal target for cybercriminals. Despite this, credit unions still lag behind when it comes to configuring adequate cybersecurity for their email systems. This shortcoming leaves these bodies wide open to hackers who aim to get access to banking systems and financial data.

With a strong email security system in place, internal employees and the financial institution’s customers are safeguarded from possible infiltration. It can prevent a phishing email from tricking an account holder into believing that they have received a genuine email from the credit union. A spoofed message will be designed so that only a closer look will reveal that it is not genuine. Skilled cybercriminals use email servers that do not raise any spam flags, so they are able to bypass basic security measures and land in a prospective victim’s inbox. Additionally, there is a chance that the account holders use an email provider with poor spam detection, which means that the malicious message will not be quarantined.

However, if the account holder has good email filters, the malicious message will be marked as spam. As this is not typically the case, cybercriminals know that their phishing messages will reach a good number of the intended recipients, potentially earning them thousands of dollars.

Credit unions require a minimum of Domain-based Message Authentication, Reporting & Conformance (DMARC) in order to tackle phishing messages. In order for this to be as successful as possible, both the recipient email system and the domain owner (the credit union) must configure DMARC.

There are two parts to a DMARC system: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). An SPF record lists the IP addresses that are permitted to send email for the domain. The SPF entry is published on the domain owner’s name server as a DNS record, and from there it works to prevent email spoofing. When an email message is sent from an unauthorized IP address, it receives a “failed” DMARC status and is not passed to the intended recipient. There is, however, an onus on the recipient’s email service to review the status and quarantine or delete the incoming message.

DKIM is a signature system that makes sure that cybercriminals have not altered a message. An encrypted signature is sent along with the headers of the message, using the recipient’s public key placed as a DNS entry at the host. The recipient’s mail server can then authenticate the received message to determine whether the signature matches, by encrypting the same message and comparing it to the resulting value. The resulting value should be the same if no content within the message has been changed.

It is often, incorrectly, believed that small businesses are not a valued target of phishers. However, credit unions are small financial institutions that can be perfect targets, as they are known for not having a strong cybersecurity suite in place. DMARC rules will address the threat posed to these bodies.

Phishing can be conducted at a low cost by hackers, so it is crucial for organizations to focus their efforts on fighting it. Using DMARC will safeguard internal staff members and the account holders who are being sent emails.
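How the two halves fit together at the receiving mail server, as an added example that is not part of the original article: the domain owner publishes SPF and DMARC records, and the recipient checks SPF and DKIM results against the From: domain and applies the published policy. The DNS records, domain names and addresses are constructed; the SPF evaluator handles only ip4 and all mechanisms, and the organizational-domain rule is simplified to the last two labels.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed DNS records for a hypothetical credit union domain; not real records.
DNS_TXT = {
    "example-cu.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example-cu.example": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example-cu.example",
}

def lookup_txt(name: str) -> Optional[str]:
    """Offline stand-in for a DNS TXT query."""
    return DNS_TXT.get(name.lower())

def parse_tags(record: str) -> dict:
    """Parse DMARC 'tag=value; tag=value' syntax into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_result(client_ip: str, mail_from_domain: str) -> str:
    """Simplified SPF check: handles only ip4: and the all mechanism."""
    record = lookup_txt(mail_from_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"               # sender domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech.endswith("all"):    # -all: fail, ~all: softfail, +all or all: pass
            return "fail" if mech[0] == "-" else "softfail" if mech[0] == "~" else "pass"
    return "neutral"

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real DMARC uses the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(a: str, b: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organizational domain."""
    return a.lower() == b.lower() if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_evaluate(header_from: str, mail_from: str, client_ip: str,
                   dkim: Optional[Tuple[str, str]]) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one inbound message.
    header_from: domain in the visible From: header (what the account holder sees)
    mail_from:   envelope sender domain that SPF is checked against
    dkim:        (result, signing domain) from DKIM verification, or None if unsigned
    """
    policy = parse_tags(lookup_txt(f"_dmarc.{header_from}") or "")
    if policy.get("v") != "DMARC1":
        return ("none", "deliver")  # domain owner published no policy, so nothing to enforce
    spf_ok = spf_result(client_ip, mail_from) == "pass" and aligned(mail_from, header_from, policy.get("aspf", "r"))
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], header_from, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "deliver"))

if __name__ == "__main__":
    # Spoofed alert: visible From is the credit union, but it left a server the union never authorized.
    print(dmarc_evaluate("example-cu.example", "attacker.example", "198.51.100.7", None))    # ('fail', 'reject')
    print(dmarc_evaluate("example-cu.example", "example-cu.example", "203.0.113.10", None))  # ('pass', 'deliver')
```

The third assertion in the test is the case the article warns about: a message that passes DKIM under the attacker's own domain still fails DMARC because the signing domain is not aligned with the From: domain the account holder sees.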


MSP Cybersecurity Selling Tips

Managed Service Providers (MSPs) are often used by smaller organizations that do not have their own IT department in order to meet their technology and cybersecurity requirements.

The challenge in this scenario is that MSPs need to be able to convey to small companies, which are trying to make their budgets stretch as far as possible, the importance of investing in the strongest possible cybersecurity measures.

It is crucial that small businesses are fully aware of the dangers that they are facing unless they introduce a strong cybersecurity suite. Any data breach could lead to regulatory fines and costly litigation. There are a number of different ways that MSPs can get this message across to their clients and we have detailed them below. 

Focus on Enhancing Cybersecurity

There is a good business opportunity for MSPs to increase their revenue by selling cybersecurity services to small companies that currently have no structure in place. The easiest way to do this is to show clients the risks that they are taking by not having strong cybersecurity measures implemented. As all companies have different needs, it is up to the MSP to identify where the company's cybersecurity needs lie and concentrate on those.

This is easier following an audit of the company’s current cybersecurity strategy, or lack thereof. Companies will appreciate a bespoke set of cybersecurity measures, matched to their specific needs, rather than being sold a package that includes a range of measures that they have no need for. Providing the company with the audit will also assist in the sales process, as these companies may not have the resources to complete this themselves.

With the audit, a step-by-step process for addressing each vulnerability can be included to allow the company to see how their worries will be alleviated. As configuring and investing in cybersecurity solutions is a massive step for small companies with a limited budget, it is crucial that the decision makers at potential clients are able to quantify the benefits that they gain from any possible investment.

Importance of Cybersecurity Support Being Provided by an MSP

In order for them to be effective, cybersecurity solutions have to be properly set up and managed. MSPs must do their utmost to ensure that clients also invest in cybersecurity so that the product they are selling is set up correctly. 

By conveying to the client the importance of this aspect, and the difference between IT support and cybersecurity support, clients will be more likely to invest in this service. After communicating with the client there should be no confusion between the two, and the need for the latter should be obvious to the purchaser. Doing this successfully will make the business relationship easier going forward, as there will be fewer issues and a stronger level of service provided.

TitanHQ

TitanHQ can be an excellent solution for MSP clients to avail of as it is competitively priced, strong and configured to tackle the most common attack vectors, along with a solution for backing up and archiving business critical data.

Contact TitanHQ now to find out more about TitanHQ email security, DNS filtering, and email archiving for MSPs, and the TitanShield Partner Program. MSPs that are members of the TitanShield Program will be given in-depth, powerful tools, marketing advice, and training support.


Should You Block File Sharing Websites in the Workplace to Stop Malware Infecting Your Network?

There are valid reasons why you should block file sharing websites in the workplace. These websites are mainly used to share pirated software, music, films, and TV shows. It would be improbable that the owner of the copyright would take action against an employer for failing to stop the illegal sharing of copyrighted material, but this is an unnecessary legal danger and there is currently a crackdown on illegal file sharing.

The main risk from using these websites comes in the form of malware. There is limited data on malware downloads from pirated software, although data from a study in 2013 highlights how common it is. In the study, conducted by IDC on 533 websites and peer-to-peer file sharing networks, downloading pirated software led to spyware and tracking cookies being downloaded to users’ computers 78% of the time. More concerning is the fact that Trojans were downloaded with pirated software 36% of the time.

A survey carried out on IT managers and CIOs at the time showed that malware was downloaded 15% of the time with the software. IDC found that overall there was a 33.3% chance of infecting a machine with malware by using pirated software.

Even browsing on torrent sites can be harmful. Malwarebytes has reported users of the popular torrent site The Pirate Bay were shown malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site that had the Magnitude exploit kit which was used to install Cerber ransomware onto users’ devices.

A study completed by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal reviews files against the databases of 68 different anti-virus services. The research team found that 50% of pirated files were infected with malware.

Dealing with malware from pirated software was found to take around 1.5 billion hours per year. For companies the cost can be considerable. IDC estimated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was calculated at around $350 billion.

New malware variants are often discovered in pirated software and fake software available through P2P file sharing websites. In 2021, NordLocker identified a previously unknown malware variant that was being distributed in pirated video games and software such as Adobe Photoshop. The malware was not detected for 2 years, during which time it had infected more than 3.2 million computers.

Businesses can monitor devices and check for unauthorized software downloads on individual devices; however, by the time a software installation has been identified, malware is likely to already have been downloaded. A recent report by Verizon indicates that on average, hackers are able to extract data within 28 minutes of obtaining access to a system.

One of the simplest ways to manage this risk is to block file sharing websites, including P2P and torrent sites. A web filter can easily be set up to block file sharing websites and stop them from being accessed. Many web filters can also be set up to block specific file types from being downloaded, including keygens and other executables.

If organizations block file sharing websites in the workplace, they will ensure that copyright-violating activities are stopped, the risk of malware downloads is effectively mitigated, and users are prevented from visiting websites hosting phishing kits.

Choosing not to block file sharing websites in the workplace could turn out to be expensive for a company. It is far better to block possibly dangerous websites and online activities than to have to cover the cost of removing malware infections and remediating data breaches.