Security Archives - Page 4 of 7

The 7 Steps Of A Cyber Attack Chain

October 3, 2022/in Cloud, data, IT Security, Security /by James Dell

If you have been following our Planet IT webinar series this year (if not, why not? Catch-up HERE), we have been talking through the various critical aspects of protecting a business in 2022 from the modern cyber threats.

In doing so we have referenced the 7 steps of the attack chain. This conceptual idea breaks down the activity of an adversary attacker into 7 clear steps, allowing us to directly reference the techniques, tools and approach used at each stage.

In this article I am going to take a deeper dive into these 7 steps and add some additional information that we don’t always have time to share on our webinars.

STEP 1 – Reconnaissance

During this first phase of an attack, our threat actor is looking for a virtual open door, a window left ajar or a poorly trained security guard. In technical terms this looks like a port scan, DNS look up, physical walk around your building. The threat actor is looking for a way in. In most cases they will find this looking for open ports on your wireless network that can be used to access an exposed system which they can use later in the attack chain. However, in this phase it may be as simple as finding on your DNS that you don’t have SPF, DKIM or DMARC configured and that our only email protection is provided by Microsoft or Google as part of your email hosting.

In a physical sense, if the attacker is looking for a way in, they could be outside your office building, completing a wireless scan looking for a network which uses a pre shared key or is open to the public which could easily be leveraged.

Once this stage is complete the threat actor has what they need to begin their attack and move onto the next stage.

STEP 2 – Delivery

With the information gained during step 1, the adversary now has all the information to hand to begin their attack. For an email-based attack which will leverage poor inbound security, they may simply deliver an email with a hidden attachment, a special font or a tracker which will give them all the additional information about your system including your endpoint protection, operating system and patch level.

For an attack coming in via an open port, this is when they will use tools to gain access at either code level or even remote desktop level to a system. Looking to gain clear access to a system with admin rights, the delivery step will often include the use of passwords ascertained from the dark web or from shares of other threat actors who have completed steps 1 and 2 before selling the information for gain.

For a wireless, attack a similar approach is taken to the open port however for this the attacker will have to come and either sit near your site in a range of your WiFi or place a device near your building that they can access remotely. The aim for this step for the attacker will be to gain access to the network and find a system which they can then deliver software onto in step 3.

This phase finishes where access to a system has been gained by any method and is ready to deploy their tooling or attack to a device.

STEP 3 – Installation

As all three steps begin to merge, the next action for the attacker is to get either the tools they are going to use to take control of the system in steps 4-7 or to have their ransomware, virus or associated malware delivered onto the target system or systems if they intend to have to spread to across the network automatically.

The key to remember is in step 3, no action to trigger an attack has taken place. This is the phase very much like the move before checkmate, the attacker is moving their pieces into place surrounding you ready to press forward.

This step is the last chance to intervene before serious damage is caused by that loss of business, reputation, or finical impacts.

STEP 4 – Actions On Objectives

This phase is where the attacker gets what they want, however, the end goal for different threat actors will be different. For most, it is to gain Intellectual property which can be used to blackmail a business into paying for its “safe” return. Others will exploit business customer data for sale on the dark web. This may include anything from usernames and passwords to bank details and national insurance numbers. The other side to any attack could be they simply want to hurt the business causing it to fail by removing IT as a function from the business.

During Step 4, this is exactly what a threat actor is doing, getting what they need, taking control and preparing to move into step 5.

STEP 5 – Weaponisation

Once we hit step 5, you have lost control of your system. The attacker is in control and they have leveraged their attack to gain whatever their goal was in step 4.

Now they are going to disrupt your business and drop the nasty surprises they have on you.

This is the phase that most unprotected or unskilled business notice an attack, after the adversary has already completed all of the actions and has begun to either encrypt systems, delete system data, delete backups, access or simply corrupt the system to make it unusable.

For most business, this is when a cyber response kicks into full swing with IT professionals scabbling to understand what has happened, where it has come from and how to stop it. If you find yourself in this position, I have some clear advice for you;

Disconnect all internet connections to all systems
Call your cyber insurance provider before you try to resolve the issue. They will have an approach they want you to follow and not doing so could leave you open to liability.
Take a breath. This is going to be a marathon, not a sprint and you need to make level-headed decisions. If you need it, call in external help; even if it’s just to provide a calming voice to those meetings where you will be making critical choices. An external party who are not invested in your business or employed directly by you will aid this process.

STEP 6 – Exploitation

At this point the attacker has gained what they wanted from you and may be in control of your IP, your data, or your finances. At this step the exploitation can take many forms and it could be;

A ransom note demanding payment for the release of your system or return of your data

A threat to release the information to the public showing your breach
Sharing this information on the dark web and allowing other threat actors to gain your business data
Selling your customer data on the dark web
Selling your IP to a rival or leaking it for free online

Only the attacker will know why they completed the previous steps but at this point, they will show their hands if they want either financial gain or if they want to damage your business or reputation. Once we have reached this stage you should be working with your Cyber insurance provider to take the necessary steps.

In most cases paying a ransom won’t get you your data, systems or Intellectual Property back, however some insurance providers will take the risk on the payment.

STEP 7 – Command and Control

If the attacker is not finished with you then step 7 is where they can leverage your network, its devices and its users and systems from their own means.

Think of a Zombie army once you are infected you join the army and become part of the problem. Many attack chains will see your IT systems leveraged to accelerate the attackers next targets and allow them to spread to other systems. During WannaCry, this was one of the main issues. Interconnected systems where getting the Ransomware passed onto them after another. Linked or associated business fell victim and this is why the NHS was affected so badly by the WannaCry outbreak.

I hope that the above information helps you understand how the attack chain takes place and the number of steps involved by the attacker when gaining access. If you are reading this and thinking, “how do I protect against each step of the attack?”, then you are in the right terms and you will stand a better chance of protecting your systems.

If you want to talk to one of our experts about how we can help you to avoid being the next victim then please call 01235 433900 or email [email protected]. Alternatively, if you would like to speak to me directly you can reach out to me via DM or at [email protected].

Corridor Digital, A Story of skirting over cyber security

August 22, 2022/in Cloud, data, IT Security, Security /by James Dell

First of all I want to start by saying I love to watch CorridorCrew by the team over at Corridor Digital on YouTube. I appreciate the skill they have in their respective fields and the work they put into high quality content, I was therefore extremely interested when they uploaded this video (Channel was TERMINATED, we got Hacked (Not Clickbait)). As someone who lives in the Cyber Security space I wanted to know more, however this video only highlighted one thing to me the lack of emphasis in their video on the real issue, their own lack of cyber security.

To summarise the video the Corridor Crew’s YouTube account was compromised and a 3rd party took over their Near 6 Million subscriber page and removed all the videos on the page, replacing the name and starting a live stream of a Crypto mining scam. In the video it is highlighted that a member of the team had full admin rights to the business’s Google account , now to be clear in the video they are vague and say that this persons phone of MFA has also been compromised, but they never expand on this. Following another admin being able to force change passwords and kick all live sessions out and with some support from Google the team manage to restore access and return to function, using their other social media outlets to let fans and followers know what is happening.

What did they do wrong?

To me this video highlights a critical issue with business today which is the mentality of it what happen to us and when it does many business chalk it off to a one off event. As a specialist in the field, my concern would not only be what else does access to this account give them, but what other tools or techniques could they have put in place for a second or 3rd wave attack. While taking over a YouTubeChannel for a Crypto scam is far from they most serious of crimes.

A serious though needs to be put to what other data could they have taken or used from this account, could they have got into the business own site and in turn the customer data on it including credit card details. The list goes on but this event cannot be brushed away as well we are back online, the severity of the business failing to take cyber security seriously has to be looked at, they however are not alone.

I am not calling out Corridor Digital for any reason other than they posted this onto YouTube and highlighted the event and therefore are asking for commentary. I do feel it reflects heavily on the general approach to cyber security in business and therefore I yet again employer you to look at your business practices, look at the tools and protections you have in place and ask yourself “Is this enough” .

What tools should they have used?

If you haven’t already secure every online account you have with two factor authentication, and make sure than the second stage authentication is not a text message to your phone or an email back to your main account, you should be using tools with time sensitive codes, physical tokens or bio metrics. This is they minimum protection you should have, it therefore goes without saying that you should always have a secure pin on mobile phones and tablets and that they should also use biometrics for security where possible, companies like Apple and Google spend millions on technology to protect data so leverage them.

What can you do to avoid it happening to you?

In closing I ask you to review your cyber security now! Before it is too late.

If you want to talk to one of our experts about how we can help you can avoid being the next victim then please call 01235 433900 or you can email [email protected] or if you would like to speak to me directly you can reach out to me via DM or at [email protected].

Email Security Gateway – What is it and why should you have one in place?

June 27, 2022/in Cloud, data, IT Security, Security /by Maciej Owsiany

I recently wrote a blog post about how to spot a phishing attack (read it here), and also incorporated some of the content in a webinar we did with Precursor Security which showed how easy it is to was to compromise a Microsoft 365 account (watch it here). In both I mentioned that if you had a sufficient Email Security Gateway in place then it should help to catch and block phishing attempts. Here I will go into more detail about what an Email Security Gateway is, and what it can do for you.

What is it?

An Email Security Gateway is effectively a security barrier between your email solution and the outside world. It has visibility of all emails sent / received and interrogates them looking for malicious content.

How does it work?

When an Email Security Gateway is put in place, the MX records for your email domain are changed to the servers of your chosen provider. This then points all email traffic to your chosen solution which will then forward the email traffic to your email servers after interrogating them. Connectors are also configured within your email solution to allow mailflow to and from the Email Security Gateway.

How does it protect you?

Traditionally, an Email Security Gateway would be hosted on-premises scan an email’s attachments for viruses and that would be that. These days an Email Security Gateway is based in the cloud and will protect you against much more. Here are just a few of the attack types that a competent solution will prevent:

Denial of Service (relevant to on-premises email servers)
Impersonation emails
Malicious links in emails
Zero-day threats
Email account takeover
Low reputation senders

Some numbers for you…

91% of cyberattacks start with an email
85% of organisations were hit by a phishing attack in 2020
1 in 7 organisations experienced an account takeover in 2020
$200,000 is the average ransom fee paid in 2020

“But I am using Microsoft 365 which has built in protection”

While technically this is true, the Microsoft Defender for Office 365 product requires a license uplift to get only some of the comparable features that a dedicated Email Security Gateway would provide. Being a dedicated solution, a 3^rd party product would sanitise email traffic before it even hits Microsoft 365 and provides protection against more threats than Microsoft. Additionally, in independent tests Microsoft 365 ATP tends to perform poorly against the competition (full test here):

An Email Security Gateway would also provide an Email Continuity solution should the Microsoft 365 email servers ever go down (which they have done in the past). See a brief diagram from Barracuda on how this would work:

Email servers working

Email Servers NOT working – Barracuda’s Email Continuity service takes over

What do we recommend?

Planet IT recommends a capable 3^rd party Email Security Gateway like Barracuda or Mimecast to protect your business against email threats, as both solutions provide all the tools and protection you need to keep your organisation safe.

If you would like to discuss further how Planet IT can help you secure your email environment and protect your users from scams like the above email, please get in touch via DM or email [email protected].

My name is Adam, and I am a security-focused Technical Architect. My job is to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to! Want to hear more of my thoughts on Cybersecurity and other technology news? Connect with me on LinkedIn

Cyber Essentials, What’s new 2022?

May 24, 2022/in Cloud, data, IT Security, Security /by Thomas Packer

Cyber Essentials is an effective, government-backed and industry-supported scheme to help organisations protect themselves against common online threats.

Cyber-attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Cyber Essentials looks to guide you to better understand these threats and help to keep that metaphorical front door firmly shut.

What are the differences between different Cyber Essentials Accreditations?

There are two levels of Certification: Cyber Essentials Basic and Cyber Essentials Plus, which I have expanded on in some more detail below to help you decide what’s right for you and your business.

Fundamentally the Cyber Essentials framework was designed to provide a security baseline for every business in every industry against the following 5 key areas:

Access control
Firewalls and routers
Malware protection
Secure configurations
Software updates

What’s new to Cyber Essentials for 2022?

Due to the COVID-19 global pandemic, businesses operational models have drastically changed and adapted over a relatively short amount of time.

To continue operating, most businesses were forced to adopt a fully digital model and allow remote or hybrid working. This transformation and rapid adoption of cloud services that has prompted these changes to the existing Cyber Essentials scheme to ensure organisations uphold the basic level of cyber resilience which reflect the current working environments and cyber security risks.

Some of the key updates to Cyber Essentials will specifically cover changes to cloud services and web applications, bring your own device (BYOD), and security updates including password management and multi-factor authentication (MFA). Other changes include, but are not limited to the below:

Some questions have been expanded upon with more details needed in your answer.
Cloud services are now in scope of your basic and Plus assessments.
The Cyber Essentials Plus test will include local admin rights checks and a MFA test for each workstation tested.

The Two Levels Certification

Cyber Essentials Basic is obtained by completing and independently verified Self-Assessment. This option gives you protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to basic attacks can mark you out as target for more in-depth unwanted attention from cyber criminals.

Certification gives you peace of mind that your defences will protect against most common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place

Cyber Essentials Plus is a little more involved and to achieve Cyber Essentials Plus, a business must also first complete the online Cyber Essentials assessment as part of the Cyber Essentials Plus certification or have received the basic Cyber Essentials certification a maximum of 90 days prior to applying for the Cyber Essentials Plus

Unlike the Self-Assessment method for the basic certification, a hands-on technical verification is required to be carried out. Similarly, however, a qualified assessor examines the same five controls, testing that they work through a technical audit.

Another benefit of a Cyber Essentials plus certification includes automatic cyber liability insurance for any UK organisation who certifies their whole organisation and have less than £20m annual turnover.

**So, is it Essential?**

The threat landscape to businesses is changing rapidly, with modern working practices always evolving. More and more businesses and IT professionals placing a higher level of emphasis on the security strategy, and this is where the new changes to Cyber Essentials, will help to strengthen businesses overall cyber security stance.

Not only is Cyber Essentials cost-effective and easy to implement but it will ensure businesses deter hackers from targeting their infrastructure once the necessary Cyber Essentials technical controls are in place.

You will also give your customers and partners the reassurance that you are working to secure your IT against cyber-attacks. In an ever-competitive landscape these certifications will also display the emphasis your business is placing on security and may even help attract new business with the knowledge of these cyber security measures in place.

If you would like to discuss with myself or any of the Technical Architecture team at Planet IT about how you can get ready for a Cyber Essentials certification you can reach us using the contact details below.

Contact me at –
LinkedIn Message: Thomas Packer

Call 01235 433900 or Email: [email protected]

What is Phishing?

May 16, 2022/in Cloud, data, IT Security, Security /by Maciej Owsiany

A phishing attack is sending emails that appear to be from trusted sources to gain personal information, deliver malicious payloads, or compromise account credentials. Phishing attacks are usually transmitted to many email addresses. The contents are not specific to the receiving user and are generally along the lines of “Your Netflix account has been locked, CLICK HERE to unlock” or similar.

What is spear-phishing?

Spear Phishing is a method of cyber-attack that tries to convince users to provide access or information by pretending to be someone important who is in some way relatable to the targeted user. CEOs are a common vector of attack, as is a potentially lucrative new client. These attempts influence the recipient to do something such as transfer money or buy Amazon / Google Play vouchers.

Example

I received this email on my account not too long ago and thought I would use it as an excellent example of a phishing attempt. At first glance, you can see why people would think it is genuine:

But let’s look a little closer. Notice the sender email is using the @msn.com domain, suggesting that this is a free Microsoft email account that has been set up for this purpose:

If we hover over the Confirm Your Email Address link, you will see it wants to take you somewhere that is NOT Microsoft:

If we click the link, we can see that the site we are forwarded to does not look professional at all:

As expected, a login box to steal your credentials:

Also, note that the tone of the email is assertive and trying to portray urgency. Even though it is the first you have heard of it, according to the email, you absolutely MUST click the link within 48 hours to make sure you keep your account. Many people don’t even log into their emails every 48 hours, so this is a ridiculous request.

Finally, the grammar is not good and certainly not what you would expect from an official email from Microsoft. Spelling and Grammar errors are good indicators of a malicious email. Sometimes they are even included on purpose as the assumption is if you miss them, then you will miss other signs and therefore be more gullible to fraud!

What advice can we give?

If in doubt, don’t click! Hover over links in emails if you are not sure they are from a trusted source. A phishing email may claim to be from a legitimate company. When you click on the link, it may look like the actual website, but double check by hovering over the link and checking the URL.

Never give out personal information online – as a rule, you should never share personal or financially sensitive information over the internet. If you are paying for an item or service, check that the website is secure and the address starts with “HTTPS”.

If the email contains spelling mistakes or has grammatical errors – this could indicate that it is a scam email; people write many phishing emails outside of the UK, so the standard of English is usually not good.

If the email asks you to do something urgent – claiming that your account will be closed unless you submit your details instils a sense of panic, double-check that it is from a natural source.

An unusual attachment – if you receive an unexpected email from a company that contains an attachment, it could include a malicious virus – don’t open it! These generally come in Word / PDF documents claiming to be an invoice or remittance advice but can be anything.

In Conclusion

Phishing attacks are one of the most common types of cyber-attacks today. It is so important to keep alert and question any suspicious-looking email that you receive. There are several 3rd party solutions that can help you mitigate this risk:

Email Security Gateway – this sits between your email provider and the outside world, filtering spam, phishing, fraud attempts and other malicious email categories.
Training & Testing – there are several trusted vendors that provide end-user training on how to spot a phishing email, as well as running test campaigns to keep everyone on their toes!
Multi-Factor Authentication – the main aim of a phishing email is to forward you to a fake website and have you enter your credentials, so they are stolen and the account used for malicious activity. If you have MFA enabled on your email accounts (Office 365, for example), even if a user falls for a phishing email and enters their credentials, they cannot be used without the MFA code from a separate device.

WEBINAR RECAP: Ransomware in the real world. Is your IT Department ready to be attacked?

April 4, 2022/in Cloud, Latest Tech, Microsoft, Remote Working, Security, Telephony, voip /by James Dell

Last week, we hosted a Webinar to ask businesses if their IT department is really ready for a ransomware attack.

Over 50% of businesses will be victim of Ransomware in 2022, and the average bill to rectify an attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more… will be over £1.3m!

Did you miss it? Or would you like to watch it again? Well, the good news is that we recorded it and you can check it out here:

Your Questions, Answered.

A sign of a good webinar is the quality of the questions asked at the end. We had too many questions to be able to answer them all in the time allowed so James and Kosta have answered anything we didn’t have time for during the session.

Remember, if you you would like to find out more about Sophos MTR, have any questions around cybersecurity or need advice for your IT team, please reach out to James directly, [email protected], or call one of the team 01235 433900

What about false positives within Powershell and ps1 files, repositories like PSGet, NuGet etc – these constantly get flagged in our org with Defender Endpoint!

We would suggest if these are trusted internal tools they should be excluded from Scanning based on their HASH values or path. If these are dynamic libraries then in Sophos central we would create a policy for staff allowed to use these system tools and restrict all other user access to these tools.

How much Sophos will be responsible in case of a Ransomware attack?

If your business only has the Sophos Endpoint products, firewalls or email products in the case of an attack Sophos will provide remote support but hold no responsibility as the configuration and management of the platform is the responsibility of the business. However if the MTR service is in use then the business does have a level of protection from Sophos and the remediation services are covered under your contract.

How do we get the board to take cybersecurity seriously? We’ve covered the basics in terms of controls, but anytime I try to increase budget to add additional controls – it gets pushed back.

The best option to get senior management / board to take ownership of cyber security and cyber insurance is to use the scare factor of examples like our cyber victim where all senior management, directors and the board where removed from their posts under gross negligence as part of the work that took place to recover the business. Many of these have struggled to get new roles following the merger of the business because of the legacy association with such a large scale failure.

What are the biggest cybersecurity threats right now?

The biggest threat remains ransomware and this continues to appear in different forms and flavours but ultimately the goal remains the same and that is to disrupt system usage.

Am I spending enough, appropriately on information security-related tools and controls? (Is there a network security or information security tool I should buy?)

There is no golden figure for how much to spend on protection but what you need to do is take a risk based assessment on what protection you have in place and make sure you are covering the full stack and have a solution in place for every risk in the system.

Not convinced that cyber insurance provides any real cover

Cyber Insurance is only going to work for you and your business if you have the right tools in place to protect the business in the first place as with car insurance they wont pay out if you are negligent , it is up to you and your business to make sure you have the correct protection in place.

Who would you recommend in terms of cyber security insurance providers?

We don’t directly recommend providers.

If you have someone in your team who is a disgruntled Employee and may be leaving the company and they leave a logic bomb on your network without you knowing it would Cyber Security Insurance cover this or would it then be void as its happened within your own team? What would be the legal response to this?

This is a very loaded question. In most cases, Cybersecurity Insurance will protect against this provided you have all other requirements in place. If however this disgruntled employee was part of your security team, that may raise questions around your employee vetting process and you may need to lean on your employee terms and conditions, specifically your computer misuse act should you need to follow up with legal proceedings.

Is the standard Sophos Endpoint not enough either?

We would recommend Sophos Intercept X as a minimum for protection in 2022.

Are there any courses that you would recommend for Cyber Security specialisation?

We would recommend you look at CISSP and then anything linked to business solutions you have in place.

Are the MTR team UK based?

Sophos MTR is a global follow the sun team. There is a UK team as part of this but to enable truly 24/7 support this is covered by a global team.

How do we get the board to take cybersecurity seriously? We’ve covered the basics in terms of controls, but anytime I try to increase budget to add additional controls – it gets pushed back.

For us, the major deficiency we see today is not with attacks via known end points or servers but the chances of unknown devices being attached to our networks. This is an area which I feel very few companies or vendors are addressing well and cost effectively so I’d love to know if this is an area you guys both Planet and Sophos are investigating/investing in?

There are a number of NAC product’s that have surfaced over the years to try and fill this gap. What we are seeing the the solution for most business now is to terminate all VLAN’s on the firewall and use the synchronised security aspects of the Sophos XGS firewall to remove unwanted network traffic in controlled sectors, with only trusted devices being able to route traffic.

Is webinar recorded?

Yes, you can watch it here: https://youtu.be/qLPPw4kndy4

Please don’t tell me it’s Window’s Defender!

February 3, 2022/in Cloud, data, Education, IT Security, Latest Tech, Microsoft, Security /by Maciej Owsiany

Cyber-attacks happen and are increasing in frequency. Certain sectors are naturally susceptible to these attacks; banking, government, healthcare, and energy sectors will always be targets due to the nature of what they do. But did you know that the Education sector is also very high up the list?

Around 20% of all educational institutions have been specifically targeted by cyber criminals, and a MASSIVE 83% of UK schools had experienced at least one cyber security incident. There are many other scary statistics that can be quoted, and you would think that with this information being readily available for review, schools and other institutions would take cyber security seriously; you would think wrong.

It’s just not good enough

Here at Planet IT, we have many dealings with the education sector, whether that be providing fully managed support, running security health checks or just the facilitating the procurement of specific classroom hardware, we have seen how vulnerable a lot of school environments are. We talk to schools daily and something that keeps coming up is the widespread use of Microsoft Windows Defender as the sole endpoint security solution. Something else that keeps being apparent on most calls we join is that the on-site IT team are too busy being reactive and fighting fires to spend the time being proactive and looking at the bigger picture.

Microsoft Windows Defender is a consumer-grade antivirus that is native to Windows 10 and comes preconfigured. There is an anti-ransomware element to it, but the testing we have done in the past shows that it is not capable of detecting most live ransomware threats:

So, what should you do?

Well, you should start with an industry-leading endpoint / server security solution such as Sophos Intercept X Advanced which will detect ANY Ransomware attack using the CryptoGuard element (this detects any file encryption attempts and rolls them back using Windows Shadow Copy if any encryption has started by the time it is stopped). This combined with the award-winning Endpoint Protection / Server Protection means that your endpoints and servers would enjoy a very high level of cyber security protection.

With any good security solution should come a good EDR product. EDR stands for Endpoint Detection & Response. This provides additional reporting and threat mitigation tools for your environment.

But does this really happen?

A real-world example that I have seen first-hand – we have a large private school as a customer. They were hit by ransomware which took down some critical file servers AND compromised the backups. With Sophos Intercept X Advanced with XDR (Sophos’ EDR offering), we were able to see that not only did Windows Defender not stop the ransomware from running but didn’t even detect it as a threat.

Also, with the recent Log4j vulnerabilities, and further back the Hafnium vulnerability, XDR was a requirement to investigate customers’ environments to easily check if they were open to attack due to these vulnerabilities. With Hafnium, XDR could report what hosts were vulnerable but also if they had been compromised and the location of the remote consoles that had been deployed by the bad actors. We at Planet IT saw at least 2 instances of Microsoft Exchange servers that had been compromised, and our job was made easier with XDR.

What if my team just don’t have the time to manage XDR.

The downside of adding XDR to Sophos Intercept X Advanced is that you need the resources to respond and investigate detected threats. Sure, Sophos Intercept X Advanced will of course detect and block any threats it comes across, but any advanced solution like this requires the time to configure and monitor to ensure you get the value from the product.

This is where MTR comes in; MTR (or Managed Threat Response) is a managed SOC (Security Operations Centre) provided by Sophos themselves, and will give 24/7 threat detection and activity reporting among many other benefits that are essential for any security conscious educational institution. With the Sophos MTR service, you can focus your time on ensuring your local infrastructure is running well safe in the knowledge that your Sophos environment is being looked after competently.

Planet IT recommends Sophos Intercept X Advanced with XDR and MTR Standard as the minimum level of protection for any educational institution.

The tech that should shape your business in 2022

January 5, 2022/in Backup, Cloud, data, datacentre, General, IT Security, Latest Tech, Microsoft, Remote Working, Security, Software /by James Dell

All the way back in January 2021, I wrote an article about what technology trends would shape your business in 2021. Looking back on those predictions, I can say without a shadow of a doubt that for many of our customers these technologies certainly did just that. If the pandemic continues to rear its ugly head some of what I said last year will still echo very true this year. You can read that article HERE.

However, the show must go on. For 2022 I am looking forward to what the new normal has become and how the technology we leverage every day can and must adapt to fit this need. Alongside this, I am exploring the tools, advancements and innovations that will change the way your business operates.

I always want to take these opportunities at the start of the year, to introduce or to develop your understanding of the technology trends we as a leading IT provider are seeing coming over the horizon. Ultimately these are what your business should and will be looking into and adopting to keep your business is safe, secure and able to compete in today’s busy market.

Cloud Services

Here we go again… Another year, another year of the cloud. I may have said this last year, and for that matter the last 2 years before that. Cloud Services, be that in the form of IaaS (Infrastructure as a service), PaaS (Platform as a Service) or SaaS (Software as a service), will change your business in 2022 regardless of if you want to let it.

The reason I say this is because we are no longer in an IT landscape where as a consumer you can choose how to run many of the platforms or software your business uses. Your ERP or MIS, most of these platforms are or have completely moved to SaaS or PaaS offering in 2022.

Take Sage for example, the development of this product as nearly completely killed-off on premise or as a standalone. The focus is on the delivery of the cloud hosted version. That may be with Sage directly or one of their key partners.

The bad news for IT managers who are cloud adverse or cloud sceptical?

Now is time to change your mind and move with the industry or risk getting left behind with systems and solutions that will only age and cause you greater issues down the road.

Continuing on the vain on SaaS, Microsoft continue to also drive services across to Microsoft 365 in favour of the cloud hosted, forever updated version of their tools vs the previous on premise products, I’m looking at your Endpoint Manager (Intune). This product is going from strength to strength. However it is doing so off the back of SCCM and ultimately galvanising the features from this well-established platform but developing them on Microsoft’s Cloud service. This leaves the on premise version to simply hook into the cloud and co-exist rather than get any substantial upgrades itself.

With businesses that implemented cloud services in 2020 and 2021, they saw an decrease in running costs of up to 50% and an increase in uptime and productivity up to 99.99%. This makes the cloud space one that from a CFO point of view cannot be ignored and from the position of the wider business can only make day to day IT services better.

If you take anything from this about Cloud service, let it be this; They are here to stay. They are the key focus for all software vendors and it’s a case of be onboard or be left behind.

A New World for Back-Up and DR

Building off of what I have said above about Cloud Services, the world of back-up and Disaster Recovery is also dramatically changing. This is twofold; you no longer have all your data sat locally on servers, storage and systems, which a local back up can collect and protect. Also, the fact that now, if your data is in a public cloud provider with a 99.99999% uptime guarantee, are you really going to move this data from them to a private datacentre or back to on-premise?

This change is making many businesses have to rip up their back up and DR strategies. For many IT Managers, Business Owners and Businesses, this is causing some hard conversations.

My take on the situation is simple.. Look at what you have now and where your business will be at the end of 2022. If your data is mostly moving to PaaS and SaaS solutions then you need to ensure that as data is moved that each of these providers or systems has a solid separate back up in place. Now for a platform like Microsoft Azure this does not need to be off platform but it needs to be in a different location. So with Azure we would look at Geo Redundancy or even multi-Geo Redundancy leveraging the technologies and services of Microsoft to back up your data to their other datacentres across the globe. If the system is 3rd party hosted like Sage, which I mentioned above, then you need a tool and a location which is away from this provider to store your data. For this I would always recommend looking at AWS, GCP or Microsoft Azure as the level of protection and guarantees you get from these providers is 10 fold that of a private or local storage solution.

If we look at wider IaaS and Infrastructure backup solutions and DR these also need to change. The first thing I will say on this is that tape back up’s are going the way of the dinosaur. (To be honest they should have gone a few years ago). While the logic of having a removable magnetic tape sounds like the right decision for all businesses. In the past few years we have seen that these devices don’t hold up in a DR situation and if they do, they are often too slow to react.

The best solution a business in 2022 can implement is to have an immutable back up in place. This is based on technology and tools that allow for near instant recovery. As we have seen time and time again businesses cannot support multi-hour or day outages in a disaster. Traditional back up technologies and techniques are beginning to leave business’s vulnerable to large periods of downtime in a true disaster situation.

If you are thinking about how your business should be protected in 2022, why not reach out to the team and we can talk you through in detail the cloud era back up approach to support your business.

The Human Firewall

I said it last year and I will say it every year until I go blue in the face! We need to invest as much time into training our staff to ensure they can be safe and secure when using the systems and solutions that as a business we expect them to use. That is why in 2022 The Human Firewall continues to be one of the key areas of development we believe all business should be investing heavily into.

By this we mean training your staff to know what is safe and is not safe in the digital world and how to prevent risks to the business.

Now with this there has never been a one size fits all approach. There is however a logical approach which will prevent your business being open to risks that exist on your doorstep. We can teach our staff in 2022 to stop, deal with and report these problems. By doing this, then we increase the ability of a business to be robust and secure and remove the guesswork from the technology we need to ensure a business is safe. This coupled with MFA massively reduces the risk of account credentials being compromised.

For me as we enter 2022, the Year of the Human Firewall (2021) continues and I am now campaigning for the decade of the Human Firewall! So please go and train your staff and protect your business!

Silicone…. Oh Silicone

For some reason I have left the doom and gloom to last, but it has to be said that what ultimately will shape many businesses in 2022 is the continuing silicone and chip shortages. We are now 2 years into this problem and it is not getting better. We have all felt it. Consumer devices like the PS5 and Xbox Series X which where like gold dust for another Christmas. Servers and Laptops which are still being delayed by months at a time. We will all continue to feel the pain while the chip making industry rushes to fix the supply and demand issue.

As a cautionary tale for 2022, if your organisation is looking at a large refresh or even a big project this year which is time critical, think and act early when it comes to device purchasing.

We have seen wireless access points being delayed by 365 days from certain vendors in 2021. If your new office space or move is critical then this could cause you serious issues. Alongside this you have to think that every business will be in the same boat in 2022 so don’t be the one who gets caught out by lead times. I would also say don’t hold your breath for a new car any time soon as it seems the motor industry, with its love hate relationship with technology providers, has finally realised it’s not good to be at the bottom of the queue!

To stay ahead of the trend…

In conclusion 2022, like 2021 and 2020 before it is going to be a very different year to the 10’s that proceeded it. Cyber criminals and the threat landscape changing everyday, new vulnerabilities and risks appearing on a daily basis, for systems which are integrated in all of our lives and with potentially dramatic effect. However as business owners, technical professionals or employees we need to switch our approach and ensure we are using these changes to make our business ready for this continually changing landscape as we move forward. Think forward, think ahead and don’t get caught out by 2022 as I believe it will be a huge year for IT change.

If you want to talk to one of our experts about how we can help you in 2022 then please call 01235 433900 or you can email [email protected] or if you would like to speak to me directly you can reach out to me via LinkedIn or at [email protected].

Log4J Zero-Day Flaw – Are you are risk? And How Do you Protect Yourself?

December 14, 2021/in Cloud, data, IT Security, Latest Tech, Security, Software /by James Dell

The Log4j vulnerability is effecting everything from development tools and games like Minecraft to cloud and security devices and even your car. Therefore the question is what do we look for?What is the latest information about keeping you and your business safe?

Firstly, what is Log4J?

Log4J is a flaw in a Java library.

For those reading this who are less technically included, Java is baked into many pre-made applications and used across a number of services. Therefore this vulnerability is prevalent across a number of attack vectors. Because of this it is currently the most talked about and high risk security vulnerability on the market at the moment with everyone scrabbling to patch out the risk.

The library is developed by the open-source Apache Software Foundation and is a key Java-logging framework. As detected in the vulnerability logged as CVE-2021-44228, a remote code execution flaw in Log4J, was already being exploited in the wild. Any system which has the same vulnerability is at serve risk. Warnings have been issued by the UK’s National Cyber Security Centre (NCSC).

What is at risk?

Basically any device which is exposed to the internet is at risk if it is running Apache Log4J versions 2.0 to 2.14.1. Now, the list of applications that have this would fill pages and pages – everything for Minecraft servers to Tesla’s car OS, with companies like Apple and Amazon also being pulled into the mix. Because of the way that Apache package software this vulnerability as per the NCSC notes, can also be found in anything running Apache Struts2, Solr, Druid, Flink, and Swift frameworks. With AWS having detected and working to patch the vulnerability currently, pushing mitigation protections via its CloudFront service.

Vendors with popular products known to be still vulnerable include Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware. And this list will continue to grow as product try to patch out the issue and make it known they have the vulnerability.

What can I do right now?

Because there is currently no direct patch for this, the best option is possible is to Airgap any system that is using or known to have Apache components or frameworks as part of its services from the internet. If you can’t do this then get a Web Application Firewall in place in front of any public facing system as it is very likely that these players will be able to provide WAF rule sets quicker than Apache can get a new version of Log4j tested and out into the wild.

As soon as a patch is available, get your Apache systems patched and up to date and ensure that you check all of your systems, as many IT administration tools install parts of the Apache framework for running web front ends or even systems of management and control for your devices.

The best action you can take as an IT system owner is to review anything you have that is publicly facing or publicly accessible. You need to take action now as this attack does allow the system to have complete control taken over by the attacker and it is not yet known how other defence tools are responding to this infiltration as the Java libraries are normally a trusted location and as such can leave a business open to attack.

If you are concerned about the security of your business then I implore you to call Planet IT today. One of our security specialists will be able to join you on a call and discuss the mitigation actions you can take and advise you of the best way to ensure your business is protected.

If you would like to discuss with myself or any of the cyber security team at Planet IT about how you can better protect you business, should that be with new technology, strategies or even better back ups you can reach us using the contact details below;

Contact me at – LinkedIn Message James Dell or Email : [email protected]

Call 01235 433900 or Email : [email protected]

Why Endpoint Protection is still a key line of defence

December 6, 2021/in Cloud, IT Security, Security, Software /by James Dell

You won’t believe this. I tell a lot of business owners and IT Managers that they need to ensure they have a robust, well architected and industry leading anti-virus and anti-ransomware product at the core of any cyber security programme. I am shocked by how many businesses rebuff with “we have never had a virus, so why do we need these products”. Unfortunately this level of naivety is exactly what threat actors are betting on. They are leveraging your lack of belief or understanding in the value of protection to slip onto your system undetected and carry out whatever heinous activity they wish.

“We don’t need protection!”

First of all I must address the elephant in the room; “We have never had a virus“.

The simple question would be, how do you know? Gone is the age of pop-ups and loud annoying virus sent more to disrupt. Modern attacks focus to data extractions, data corruption/encryption or device harnessing. For all of these, bar corruption/encryption, the aim is to remain undetected. For the most part if you are trying to pull data from a device or harness the computer as a salve for your attack network then you don’t want the device owner knowing you are there. Therefore, the argument that you have never had a virus falls over. You should be saying “We have no idea if we have had or have a virus or suffered a cyber-attack as we don’t have the tools to detect such attacks” .

“I barely use that laptop”

Secondly, I need to address the obvious. Any device is at risk regardless of how little you use it, how infrequently it is turned on and how expensive it was when you bought it. This principal also applies to servers, virtual, physical and on cloud platforms. If it is running an operating system based on Windows, Linux, Unix or MacOS there will be an attack out there that is designed for that system. This even applies to appliances provided for dedicated applications like, phone voicemail systems, door access control and system controllers. Because of this, you need to ensure that your servers also have the protection in place and if they cannot have the protection directly installed that you have a product that can protect at network and hypervisor level against incoming attacks.

Therefore it is critical that your business protects itself with the minimum protection being put in place in the form of endpoint security. This said, while you can pick up these products for a few pounds from certain vendors, we would always recommend looking at a industry leading vendor. Choose one who specifically work within your business space and have the full suite of tools that can be used. This will help ensure that you reduce the risk your business faces from cyber threats.

If you would like to discuss with myself or any of the cyber security team at Planet IT about how you can better protect your business, should that be with new technology, strategies or even better backups you can reach us using the contact details below;