NetConnect Blog - Your Resource For IT Tips, Tricks and News

Reviewing the Impact of the SSLv3 POODLE Vulnerability

Posted by Joe Dunnigan on Oct 24, 2014 4:55:00 PM

PoodleFlaw_SQ-300x300Attack of the POODLE
Last week, a new high profile web vulnerability was disclosed, dubbed 'POODLE' (Padding Oracle On Downgraded Legacy Encryption). This vulnerability received much press, partly due to the fact that a number of other vulnerabilities have hit the news recently (Heartbleed and Shellshock in particular).

The POODLE vulnerability deals with attacks that downgrade the level of encryption and security in an https connection between a web browser and server, forcing the communication to use the old and less secure SSLv3 protocol over newer implementations like TLS 1.0-1.2.

SSLv3 has been around for nearly 15 years, and has outlived its usefulness. However, most systems have kept it enabled so that legacy systems can still function. At one time, this was the highest protocol that web browsers supported for secure communications, but TLS has been available for many years now. IE6 is the only browser with any notable market share that requires SSLv3 in order to establish secure connections. Any recent versions of IE, Chrome, Firefox, Safari, etc. will support TLS.

Sniffer-2-01So, what does this mean for us?
Upon reporting the vulnerability, it was recommended that systems be configured to not offer SSLv3 for secure connections. This includes web servers, application servers and appliances, and web browsers, among many other devices. If a user tries to connect to a secure service via SSLv3 and this support has been turned off, they will not be able to use the service any longer. The recommended approach is to ensure that recent versions of web browsers and other client software are as up to date as possible.

The greatest risk to allowing SSLv3 in communications is the possibility of a man-in-the-middle attack, where an attacker could listen in on the secure https communications and crack the encryption to expose sensitive information (passwords, banking information, etc.). By disabling SSLv3, this threat is successfully mitigated. 

In fact, disabling SSLv3 has been a topic of discussion prior to this discovery, as weaknesses in the protocol have been known for some time. However, the risk associated was not deemed worth the trouble of potentially shutting out users who were using older web browsers or application clients. With the POODLE vulnerability disclosed, it was determined that the risk to information disclosure is too great, and moving forward with disabling the protocol will be necessary. With IE6 usage falling below 0.1% in most of the world, the impact should be significantly lower than in previous years.

What should I do now?
As with all vulnerabilities, it is important to determine exposure and take action to remediate the issue as quickly as possible. By keeping software and systems up to date with security patches and new software versions, we can help to curb the possibility of serious attacks and information exposure.​

To find out if you are vulnerable, contact us at NetWork Center, Inc. for more information.

Topics: Network Security, Security, Protection, IT Consulting

Your Information, Their Cloud

Posted by Tyler Voegele on Sep 18, 2014 3:30:00 PM

CloudServerBy now, you've probably heard a lot about the cloud and how most of our private data is soon going to be stored there. Be forewarned, 'the cloud' will be used many times in the following article. If you aren't sure what 'the cloud' is yet exactly let me explain it to you simply. When we talk about 'the cloud' it really is just a collection of servers that store data somewhere that is not residing in your physical location. That's it. Nothing fancy floating up there in the sky, other than actual real clouds. The number of people entering information into the cloud increases each year by a fascinating amount. Everything we do might soon be stored in servers around the US or even other parts of the world. Some of our mobile devices already automatically sync our data to cloud services such as Apple's iCloud. Our PCs and documents are now also making the move to cloud services and why wouldn't they? It is an easy, no-hassle way to store our information safely and securely, or so we think.   

We trust our personal and work data completely with companies providing these cloud solutions, but just how secure are these companies keeping our personal information? You've most likely heard of numerous security breaches with multiple companies which almost seems like a common occurrence. Data privacy legislation proceeds in a tempo that is unable to keep up with the speed of our technological process. You'll find it hard to get any universal rules or laws that could be applicable to any cloud services legally binding companies to uphold standards to protect us. So, what must we accept if we are going to store our data in the cloud?   

password security1. Passwords can be hacked. This isn't something new that you've probably heard. Security professionals have long been shaking their proverbial finger at us for a long time. People who want to obtain our information will use a dictionary and brute force attacks to hack our passwords. You will have to think of a strong password that can easily beat these attacks but also keep you sane from having to remember a 25 character mess. (More on this below.)  

2. Data can be captured en route. Fortunately, most cloud services encrypt data while it's going to and from their site, making it impossible to read even if someone were to obtain the files while in transit. Still, if you are using a cloud service in the web, make sure that you have "https" instead of "http" in front of the URL in your browsers address bar. Secure HTTP or HTTPS ensures you that the site you are currently using should be sending guessed it, securely.  

3. Data breaches can happen. The data breach at Target, resulting in the loss of personal and credit card information of up to 110 million individuals, was a recent theft that took place during the normal processing and storage of data. People can sometimes get access to data, and what we store in the cloud is susceptible to whatever security practices companies currently have in place.  

4. Data loss can also happen. A data breach is the result of a malicious and probably intrusive action, and data loss may occur when disk drives die without the company having created a backup or having reliable redundancy. Small amounts of data were lost for some Amazon Web Service customers who suffered "a re-mirroring storm" due to human operator error in April 2011, showing that data loss could occur un-intentionally or intentionally in the event of a malicious attack.  

5. Denial of Services can stop you from obtaining your data. The assault by hundreds of thousands or millions of automated requests for service has to be detected and screened out before it ties up operations, but attackers have improvised increasingly sophisticated and distributed ways of conducting the assault, making it harder to detect which parts of the incoming traffic are the bad traffic versus legitimate users. This leaves you without access to your data and sometimes they shut down the service for an unknown amount of time to fix the problem.  

6. There could be malicious insiders. With the Edward Snowden case and NSA revelations in the headlines, malicious insiders might seem to be a common threat. If one exists inside a large cloud organization, the hazards are magnified. We must rely on the company to have practices in place to protect us, or have encrypted data to protect us from theft.    

We can break these problems down into 3 simple questions. Is my data securely stored? Is my data safe from outside intruders/attacks, and also protected from other tenants in the cloud service? Is my data protected from the cloud provider themselves or government officials trying to collect corporate server data? These are very important questions to ask our providers. The real question is, how can we protect ourselves from what almost seems like an inevitable breach in our personal data we store in the cloud?  

1. Read up about where you are storing your information. Every cloud provider has different guidelines and security about how they store your data. You wouldn't want your important or sensitive data stored in someone’s garage server would you?  They should even state whether or not they comply with government gathering data. Most big companies are cracking down on security measures and offer many ways to protect you such as two-factor authentication. I always recommend the extra step in enabling two-factor authentication. It may seem like a hassle, but if security is important to you then this step is a must.  

2. You need to get serious about passwords. Yes, yes, you've heard it one thousand-trillion-infinity times, but it's still a problem! The reason people lose sensitive and important data is almost always related in some way with weak passwords. Even worse, many people use the same password for multiple accounts making them even more vulnerable with cloud services. My favorite XKCD comic shows us how we've been creating our passwords all wrong. Creating a long password such as "correcthorsebatterystaple" is very easy to remember, but for a PC to guess it is very difficult. Obviously, simplicity is what we are going for, (Which is why most of us use the same "strong" password for many accounts.) so try to correlate your passwords with your service. You want to create a password in Google Drive cloud storage for your accounting documents? What about, "storagedocumentsaccountingworkgoogle." See? Easy as pie.

comic photo

3. Encrypt your data before sending it to the cloud. Encryption is, so far, the best way we can protect our data. Encrypting our data before we send it to our cloud storage is often the safest solution in many of the cases we made above. This way if someone was to obtain the data they would not be able to read the contents.  

4. Use an encrypted cloud service. This may not always be an option and there isn't many options as of late. The cloud provider in some way should provide local encryption and decryption of your files in addition to storing and backing them up. This means that the service takes care of both encrypting files on your computer and storing them safely in their cloud infrastructure. This way not only would intruders not have access to data, but also neither would the service providers or administrators.  

The bottom line is we need to think about where we are storing our data and how comfortable we are with storing it in sometimes less than reputable places. Whether we like it or not data is slowly migrating to cloud infrastructure in many businesses, but we also have a choice to choose what we do to protect ourselves and our data.   

Are you a candidate for cloud services? Are you currently using cloud services? How safe is your data? Contact NetWork Center, Inc. to talk to one of our engineers about your cloud services.

Contact Us Today!

Topics: NetWork Center Inc., Data Backup, Protection, Cloud computing, Security Technologies, IT Consulting

Network Health: Do You Know if Your Network is Healthy?

Posted by Kyle Riveland on Sep 3, 2014 3:30:00 PM

emergency symbolWe all know computers and servers can catch infections, and most of us are well prepared to combat them. But, do you have insight into the core hardware and software health of not only your servers, but your switches, firewalls, SANs, etc.? While a common email virus is much like a head cold, an unhealthy SAN would be a more severe affliction that typically requires a few days in a hospital. An unhealthy SAN (or any other device) is largely a completely avoidable situation through preventative maintenance.   

Most people check in with doctors to get help with preventative maintenance of their personal health, so what can you do to gain insight on your network health? Fortunately, there are many options to prevent infection. Among them are:  

  • Gain insight into the health of your servers through monitoring logs and spot checking hardware

  • Monitor logs on your networking equipment, keep software levels up to their latest version

  • Ensure important core system hardware, such as SANs, are up-to-date and have no error conditions

  • Replace aging hardware periodically, as older hardware may be holding back the potential of your network

maintenanceThat seems like a lot of work for someone to do regularly! Fear not, much like doctors have a battery of tests to find ailments, there are many devices and software solutions available to help diagnose early warnings of degrading network health.   

Applications such as PRTG, IBM’s Tivoli Network Manager, ManageEngine’s software suite, Cacti, and myriad others can help you gather network metrics and provide alerting for issues on devices like switches, firewalls, or anything else that has an IP address. Some of these applications can even give you a history of the device with just a few clicks. If the device has SNMP (Simple Network Management Protocol), you can usually gather a multitude of metrics from it.  

Logs upon logs upon more logs. How can one keep up? Even the task of regularly monitoring a single server is daunting. Applications from companies such as ManageEngine, GFI, IPSwitch (What’s Up Gold), and others can gather all the logs for you in one tidy central location. Most of these programs give reporting and alerting so you can immediately attend to issues that arise and prevent them from getting worse. Many of the blue screens that happen in a Windows OS have early indicators before it actually happens. This type of software can help prevent the dreaded ‘Blue Screen of Death’ and avoid costly downtime.   

For other more specific items in your network, vendor software also available and can be sometimes just as good as 3rd party programs. As long as the software has alerting, it should be good enough to give you the tools necessary to combat network health issues as they arise.

Now that you have an idea of what is available, what’s next? Even after you choose these solutions, it is important to configure the software correctly. These tools are not going to be very useful if they only cover parts of your network (or worse, misconfigured). These situations would give you a false sense of security which could be very dangerous.  

Please talk to any of our sales staff or techs, and we can give you additional information or answer any questions you may have.

Contact Us Today!

Topics: NetWork Center Inc., Security, Protection, IT Consulting, IT Solutions

IT Infrastructure: Expense or Business Investment

Posted by Jon Ryan on Aug 25, 2014 2:00:00 PM

1It’ll be here before you know it. You are told by your IT provider that your hardware needs to be replaced. “Again?  Didn’t we just replace that recently?” The mindset of the traditional business is to only purchase infrastructure based on their depreciation schedule. In some cases that schedule can be up to 5 years. Depreciation is often used by businesses for capital purchases to help deduct expensive infrastructure costs. But what is the driving factor to replacing or upgrading your infrastructure?

Days of the Old

Back in the day, businesses relied more on manual processes to operate as a business. File cabinets and paper copies were a large part of business process. People actually used “In-boxes” on their desks to process requests. Most of the company infrastructure was aimed at backbone services only. Businesses would purchase phone systems and financial processing servers for running the core business infrastructure. Network traffic was minimal and desktops were used until they no longer powered on. Businesses would re-use their old hardware until it was completely necessary to replace it. Thus viewing this as a necessary expense that only needs to be replaced once completely unusable.

Today’s IT Landscape

Fast forward quite a few years to today’s IT needs. The technology landscape has changed drastically. In today’s world, server and desktop computer processing is the center of your business. “In-boxes” have been replaced by email and workflow processes and that core server is being used for more than just backbone application processing. Computer technology has become the center of every business. To show how much we rely on technology, just think if your computer crashes or you lose your data. Or your servers are down for several days. What kind of impact does that have on you and your company?  One thing that many businesses don’t realize is that their business drives your technology needs. As businesses grow, more resources are needed to support the growth. Faster and more efficient processing of your day to day operations can lead to very substantial efficiencies. When new systems are put in place, it is not uncommon to adjust internal process to keep up with the faster technology.  That pile of orders sitting on your desk no longer takes a week to get into the system. Resulting in faster order processing and more output.

2IT as a Business Investment

As opposed to traditional views of company technology being an expense, something that is only done out of minimal necessity, businesses need to start realizing and thinking of their technology as a Business Investment. In order to really see your technology as an investment, you have to ask yourself, what does my technology drive? You’ll be surprised to find out that it drives EVERYTHING! From scheduling, to payroll, to orders, to accounting, to communication, to profit, your infrastructure is there processing it all. As you do with hiring and investing in good staff, you also need to invest in your IT Infrastructure. It is not uncommon for us to see servers and infrastructure that is 5 - 7 years old. Many times only replaced because of discontinued OS support. But the more important issue with using antiquated technology is that with all of advances and the fast changing IT world, there are much more efficient technologies to take advantage of. Possibly even propelling your business to an all new level.

At NetWork Center, Inc. we can help review your current technology age and usage and recommend any changes that might be needed. With over 28 years of in the technology industry, we have the engineers and consultants that can help you determine your IT business investment opportunities. 

Contact Us Today!

Topics: Technology Solutions, NetWork Center Inc., IT Consulting, IT Solutions, technology consulting

One Size Fits All, Sasquatch, and Consulting

Posted by Ric Todd on Jul 23, 2014 5:00:00 PM

Flash Consulting 2 resized 600Like Sasquatch, One Size Fits All (henceforth referred to 1SFA) in IT is a myth. Sure there are people who still cling to the belief despite copious evidence to the contrary. Some will even end up throwing all kinds of well-intentioned money and time to prove otherwise. Often it’s just easier to fill a need with the easiest answer, but in the end, without asking what the underlying problem or question is, it’s really never truly solved. More importantly, was there an opportunity to move the entire effort forward? Was there an opportunity to pivot? 

What am I really talking about? 

I wish I had dollar for every time someone asked me, "What should we do?" Really, what the question being asked when boiled down is..."How do I spend the least amount of money and brain power to get this problem solved so I can move on with what I need to focus on?" These are perfectly legitimate questions. Regardless the problem, it’s pretty safe to say the business wasn't started to solve the problem at hand. To be clear, I couldn't agree more. That's why people pay me to answer the questions. They want to move on and think about what they are supposed to be thinking about….Enter Consulting. 

So what do I mean?

I am often asked to be involved in preliminary conversations with new customers in order to strategize the best course of action for their IT needs. Whether they are a 5 person or 5000 person organization, this conversation is extremely helpful in bringing together the right forces for the effort. If we begin with the goal in mind, we always end up at the right destination. This is the real benefit of consulting, otherwise known as "asking pertinent questions and using experience and critical thinking to give recommendations and guide efforts towards a desired result."  

But holdup, isn't consulting expensive? 

It depends on whether you take the long or short view. Sure, sometimes writing a check for a document that has a bunch of words and some neat looking graphics is hard. But when you take a look at what the impact of those words and graphics can be, it’s a whole different ballgame. Further, I am constantly involved in engagements with differing levels of influence, whether approving budgets and expenditures, or literally turning knobs, it’s not always just words. It's a whole lot more. 

pic technology consulting resized 600Spit it out already...

I have a tough time when people ask me what I do, because the easiest thing to say is...computers. Most people can wrap their heads around that. The fact of the matter is, I work in solutions. Infrastructure and computers cost money and historically have rarely directly contributed to a Profit &Loss report. Solutions on the other hand, can have a profound direct impact. Whether it’s a discussion surrounding mail services or an entire cloud migration, all of these decisions should be synchronized with the organizations overarching strategy, not brought to the table after the fact. 

In other words, I deal in solutions. There is no 1SFA solution. It doesn't exist because there are no two business that are identical and no two problems that are the same. Sure, we use many of the same tools to solve them, but I make sure I understand what we are really after, even if sometimes the asker doesn't necessarily know. 

Here's a 10 cent tip....

Anyone who is proposing a product or item without asking what your business does and how its players operate before proposing isn't really concerned with your success, they are more concerned with selling something. 

So that's what I mean...

sasquatch resized 600Yep, it’s a novel concept in any field, but I want to talk to you about what you do, what your employees do, and how you make your money or perform your services, and what drives you. Not only is it the right thing to do, but I also find your story interesting. There is also a good chance that there is a more impactful way to execute that technology plan you may or may not have. After all, one answer would never work to answer every question asked of me. And sorry folks, Sasquatch doesn't exist. Bummer. I know. 

Give us a buzz if you're ready to have that conversation.

Contact Us Today!

Topics: IT Consulting, IT Solutions, technology consulting

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all