IAAS, CLOUD, AND MANAGED SERVICES BLOG
If you are considering hosting any data covered by the Sarbanes-Oxley (SOX) Act either in the US or Canada, know what you are getting into. Outsourced SOX hosting has specific implications for your Managed Services Provider (MSP) and if they are not compliant, you're both at risk.
HIPAA is a big deal in the US for most businesses involved in health and medical related sectors. And if these companies are compliant - and want to outsource HIPAA hosting or store data north of the border - they need to work with a Canadian provider that offers HIPAA compliant managed services.
A few years ago, the enterprise was abuzz with concerns about the security implications of the use of mobile devices by employees. Many IT folks wanted to restrict the use of mobile devices over which they had little control. While the media embraced BYOD as the next big thing, those tasked with maintaining the security of corporate data were less enthusiastic.
Some of our customers have been impacted by the recent round of "Forex" site injections. The typical symptom is injected code that redirects visitors to a "forex" landing page. The content can either be injected into existing pages, or the injecting bots can delete the existing content entirely and replace it with code that accomplishes the same thing. The majority of the reported infections exploited vulnerabilities in out-of-date Joomla and WordPress core, plugins, modules and templates. Infections leverage publicly known vulnerabilities in servers running WordPress, WHMCS, and Joomla, as well as other customized dynamic PHP/ASP/SQL web applications. Database injection via these exploits is also possible, and can act as a back door to re-inject websites after they have been cleaned once. I wanted to take a few minutes to discuss what Cartika is doing to help our customers, and what customers should be doing to deal with this situation if they have been impacted by it.
Earlier this year, some of the world’s leading experts on artificial intelligence met in Puerto Rico for a private conference. The purpose? To determine whether or not intelligent machines would be good for human society or bad. Not surprisingly, IBM’s Watson Supercomputer was a central topic of discussion. First developed in 2005 by IBM Research, Watson enjoyed its first real moment in the spotlight when it defeated Jeopardy winners Brad Rutter and Ken Jennings. From there, it experienced a meteoric rise to fame, finding its footing in a host of different fields - healthcare among them.
In the never-ending battle against spam, the resulting ecosystem has generated some really interesting dynamics. Oftentimes, organizations working in synergy to try to address and resolve spamming issues, and most importantly, keep legitimate email flowing to users, get caught in tug-of-war battles. Often this is nothing more than newer players coming into a space they know little about and attempting to make their mark by flexing some muscle – when all that is actually required is a little common sense and an ability to work with each other. This is what is happening right now with SpamRats.
Last month, Anthem Incorporated - one of the world’s leading health insurance companies - made a very grim announcement to shareholders and clients. It was, a representative explained, the target of a “very sophisticated external cyberattack,” which allowed hackers to gain unauthorized access to its IT systems. The personal information of eighty million clients - data ranging from birthdays and names to medical IDs, social security numbers, street addresses, email addresses, and employment history - was compromised.
Even the smallest of modern companies use networks that are both heterogeneous and dispersed. Business networks are composed of multiple services spread over many servers in diverse locations. I'm a writer, so you'd think I could make do without much of a network, but when I add up all the services I use to run my small business, I find that I rely on an extensive network of personal computers, mobile devices, backup servers, file servers, cloud storage servers, virtual private servers, SaaS applications, web hosting servers, and email services; hosted in the cloud, in my home, and on traditional hosting; and distributed all over Europe and the US.
There’s a dream of the cloud in which data flows freely around the globe, available anywhere, stored wherever is convenient, and detached from the normal concerns of information management. Technologically, companies don’t have to care about where their data is stored: it’s in the cloud and the cloud encourages users to be agnostic about which server, which data center, and even which country their data is housed in. But, legally and politically, the location of data matters a lot.
If there’s one thing that’s obvious to anyone who’s spent even a little bit of time online, it’s that security is one of the biggest hot-button issues on the modern web. As we store more and more information online, cyber-attacks are becoming increasingly lucrative - and the stakes involved in securing our data are rising ever higher. Not surprisingly, that means cyber-criminals are getting smarter and craftier. Whereas before a business might have had to deal with the odd DDoS or man-in-the-middle attack, now there’s a constant risk that someone might jump in to exploit even the smallest security hole. It’s a culture of not-completely-unjustified paranoia - particularly since it seems as though many organizations aren’t pulling their weight as far as protecting their data is concerned.
There’s probably no one with access to the Internet who isn’t aware that the security of Apple’s iCloud platform was called into question recently. I’m not going to discuss the appalling theft of private data that ensued, but I do want to look at a related issue: rate limiting. While we’re not entirely sure of the cause of the leak of celebrities’ private photos—the likely strategy was simple social engineering, research of publicly available information, and the exploitation of poor password choices—we do know that around the same time a vulnerability was discovered in iCloud that made life much easier for any potential hackers.
DDoS attacks have been hitting the headlines with increasing frequency over the last few months. They’re a favored strategy of “hacktivists”, extortionists, and online criminals hoping to create a distraction. In principle, DDoS attacks are quite simple. At the most basic level, a collective of compromised Internet-connected machines directs a flood of data at the target with the aim of degrading its performance, either by saturating its connection to the Internet or by using up its resources. The result is a site or service that is no longer usable by visitors. If you’re a Feedly user, you’ll have experienced the results of a DDoS attack recently. Attackers flooded the RSS feed reader’s servers with data, in effect knocking it out of service for several days with the intention of extracting a payment from the company — a sort of modern protection racket.
Site security is a complex issue. The online economy is huge, and hackers stand to reap considerable benefits from attacks against sites that store sensitive data or give them access to large numbers of visitors. Hackers are a motivated and intelligent group of people, albeit a group with a consistent lack of concern for their fellow Internet users. In spite of the potential complexity of securing a site, attacks tend to fall into a number of clearly defined categories, and the mitigation of a significant majority of attacks can be achieved by following a small set of best practices. That’s not to say that by implementing the strategies we’re going to discuss here a site will be rendered impervious – that’s all but impossible – but most hackers focus on low-hanging fruit, and by ensuring that a site is difficult to exploit, webmasters will discourage all but the most persistent online criminals.
DNS amplification attacks are one of the most pernicious vulnerabilities in the Internet’s infrastructure and a favored tool of online criminals with an axe to grind or a need to create a distraction. They’re also a useful example of how infrastructure that grows organically over many years can cause problems because of features created in a different time. Even more striking is the fact that if companies and others running DNS servers put their mind to it, DNS amplification attacks could be rendered impossible.
They say money makes the world go round, and that’s certainly true of the world wide web. In spite of its early and idealistic origins as a platform for unhindered communication, the Internet has grown to its current size and influence because of its commercial potential. eCommerce is one of the strongest drivers of that growth, and eCommerce would be impossible without a secure and trusted way to transfer money between customers and vendors. The Payment Card Industry Data Security Standard is the de facto standard to which responsible hosting companies who deal with credit card data adhere. The PCI-DSS lays out a set of best practices that help guarantee that when customers send credit card data across the Internet, it will be treated with the respect and level of security necessary to deserve their trust.