Geo-IP filtering has been around for quite some time.  TCS has been configuring it for at least a decade on our next-generation firewalls.  This article will define what Geo-IP filtering is and why it is critical for any CyberSecurity model.  Before we get too carried away, it’s imperative that we emphasize that Geo-IP filtering is one of MANY layers that should comprise a CyberSecurity posture. Nevertheless, it is a vital layer.  What is Geo-IP filtering?

Geo-IP Filtering Defined

In writing an article of this nature, it would be foolish to assume everyone understands what Geo-IP filtering is.  Every device that connects to the Internet is assigned an IP address, and the IANA (Internet Assigned Numbers Authority) allots different numbered IP addresses to different countries.  Since each country's address blocks are registered under its own numbering, it is possible to determine whether Internet requests are coming from the US or Canada, the British Isles, or even Zimbabwe.

For SMBs, local governments, and municipalities, there really is no need to allow your network to communicate with the entire world.  If you’re not running or managing a global enterprise, odds are that allowing communication with every country in the world is more of a liability than a necessity.  Even global enterprises can benefit by whitelisting the specific international IP addresses necessary for their business, but that is very complex – something that enterprises generally have the resources to handle internally.  Exceptions aside, the bottom line is that a local plumbing company, doctor’s office, or financial institution probably has little need to communicate with Vietnam, North Korea (Democratic People’s Republic of Korea), or South Sudan.  Why South Sudan?  According to Kaspersky’s World Threat Map, it registers as number two (#2) on the world map of attack sources, accounting for 8.49% of all attacks worldwide.  Who would have thought that?

Why Geo-IP Filtering Is So Critical

It might be obvious to some why filtering out countries known for their bad actors would be a good thing, but some might remain unconvinced.  One lead question I often use with potential clients is, “Do you want your business to be able to communicate with enemies of the US?”  Most business owners, unless they have some alliance to trade in other countries, answer “No way!”  That settles it for them.  But what are some of the nuances of how Geo-IP protection can benefit an SMB?

  1. Many Crypto-Ransomware attacks depend on being able to communicate with outside countries in order to complete the ransomware hijack.

Here is a very helpful infographic from Sophos showing the five stages of a crypto-ransomware attack: 



Note:  Full article including the graphic can be located here.

Notice Step 2 of their graphic:  Contacting Headquarters.  Often, these ransomware headquarters are off-shore, because they are trying to avoid legal accountability, or they are state-funded attacks to create disruption.

If the ransomware needs to contact a server in one of the blocked countries in order to complete the process, you have blocked an integral part of the process.  That doesn’t mean you are safe just yet, BUT your files aren’t encrypted yet either.

  2. Email scams with hyperlinks often originate in Eastern Europe and countries in Africa.  When you receive an email stating there is a problem with your Amazon purchase, or you have a UPS package that is undeliverable, those emails will often include a link to click on in order to resolve the issue.  Those links often point to web servers in other countries.  Filtering communications with those countries helps protect your users, should one click on the link.  This isn’t a substitute for end user security awareness training, but it does add another layer of protection against user error.
  3. The final way that Geo-IP filtering can prove helpful is the all-too-common mistyped web address, or typo-squatting as it is commonly called in the industry.  While protections have been put in place to guard against these mishaps, they still occur.  The most well-known historical example is misspelling Google.com as Goggle.com.  This led to Google purchasing the rights to Goggle to ensure it didn’t get misused.  If the misspelling attempts to connect a user to a server in a restricted country, the end user is blocked from accessing the site, which cues them to investigate the spelling instead of opening up your organization to malicious attacks.
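To make the policy concrete, here is an added example (not code from the article or from any firewall vendor) that simulates outbound Geo-IP filtering in Python: a constructed prefix-to-country table, a block list of countries, and a small allowlist of mission-critical exceptions, applied to the scenarios described above (a ransomware callback, a phishing landing page, an allowlisted overseas site).  Every prefix, address and country assignment in it is constructed for the demo.

```python
import ipaddress

# Constructed country-to-prefix table. A real firewall pulls this mapping from
# its vendor's Geo-IP feed; every prefix and country here is invented for the demo.
GEO_TABLE = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "CA",
    "192.0.2.0/24": "KP",
    "192.0.2.128/25": "SS",   # more specific than the /24: longest prefix wins
    "100.64.0.0/10": "VN",
}

# Policy: countries this business has no reason to talk to, plus constructed
# mission-critical exceptions that stay reachable regardless of country.
BLOCKED_COUNTRIES = {"KP", "SS", "VN"}
ALLOWLIST = {"100.64.7.10"}   # e.g. an overseas supplier portal (constructed)

# Longest prefix first so the first hit is the most specific match.
_NETS = sorted(((ipaddress.ip_network(p), c) for p, c in GEO_TABLE.items()),
               key=lambda nc: nc[0].prefixlen, reverse=True)

def country_of(ip: str) -> str:
    """Map an address to a country code by longest-prefix match ('??' if unmapped)."""
    addr = ipaddress.ip_address(ip)
    for net, country in _NETS:
        if addr in net:
            return country
    return "??"

def evaluate(dst_ip: str) -> tuple[str, str, str]:
    """Geo-IP policy for an outbound destination: (action, country, reason).
    Allowlisted exceptions are checked before the country block list."""
    cc = country_of(dst_ip)
    if dst_ip in ALLOWLIST:
        return ("allow", cc, "allowlisted exception")
    if cc in BLOCKED_COUNTRIES:
        return ("block", cc, f"destination country {cc} is blocked")
    return ("allow", cc, "country not in block list")

# Constructed outbound connection attempts mirroring the article's scenarios.
SAMPLE_EVENTS = [
    ("198.51.100.25", "normal SaaS traffic"),
    ("192.0.2.9", "ransomware 'contacting headquarters'"),
    ("192.0.2.200", "phishing e-mail link landing page"),
    ("100.64.7.10", "allowlisted overseas supplier"),
    ("10.0.0.5", "internal address, not in the table"),
]

def run_samples() -> list[tuple[str, str]]:
    """Return (action, note) per sample so the outcome can be checked."""
    return [(evaluate(ip)[0], note) for ip, note in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ip, note in SAMPLE_EVENTS:
        action, cc, reason = evaluate(ip)
        print(f"{action:5} {ip:15} {cc}  {reason}  <- {note}")
```

Note that an address the table cannot map falls through to "allow": on a real firewall, decide explicitly whether unmapped destinations should be allowed or denied rather than relying on that default.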

Conclusion 

No single security layer is the end-all security measure for businesses and organizations, but Geo-IP filtering can help mitigate against malicious attacks on your network from other countries.  Management of Geo-IP filtering can be tricky and tedious at times, but the juice is most certainly worth the squeeze.  There’s no reason to allow communications with other countries beyond those mission-critical sites necessary for your business to function properly.

Defense in Depth Redux

Today, we are continuing our conversation on Defense in Depth.  We have firewalls with features like Geo-IP blocking, Intrusion Prevention, and content filtering.  Web browsers and DNS servers join in to warn about or block access to compromised web sites.  Endpoint security now goes beyond traditional signature-based anti-virus, adding artificial intelligence and application behavior analysis to protect against unknown threats.  Spam filtering and anti-phishing security protect our email inboxes from the nasties.  Hard drive encryption protects data at rest, and security protocols encrypt data in transit.  Computer hardware helps protect operating systems from rootkits that hijack the lower-level “ring zero” (trusted) access to memory, CPU, storage, and other system resources.  Two-factor authentication and biometric access are quickly replacing traditional passwords.  In all of this “geek speak”, we left out a key ingredient – the end user.

End users are often referred to by IT support in the pejorative as the weak link in security, i.e., PEBKAC (Problem Exists Between Keyboard and Chair) or ID-10-T error (read: IDIOT).  If you have ever watched an episode of The IT Crowd, then you have likely observed the true nature of many tech-heads.  This arrogant attitude is often delivered with snarky and condescending questions like: “IS IT PLUGGED IN?!”, “IS IT TURNED ON?!”, “DID YOU REBOOT IT FIRST?!”  And whenever I’m on the receiving end of this treatment, I want to respond, “If I’m calling you then it’s not in your scripted manual, so please escalate to someone who can really help!”

But why this love-hate or sometimes hate-hate relationship between end-users and technical support?  It shouldn’t be that way.  Users need technology and the IT Department doesn’t exist for its own sake.  This dynamic needs to change from what is often “us versus them”, to “we”.  Working with, rather than against, the user is an opportunity to enhance security…and that’s a win-win!  To borrow a line, “All in all it’s just another brick in the wall.”  The user is a critical component of information security, perhaps the most critical.

The True Enemy

When we recognize we are all on the same team, we are ready to do battle against the true enemy – the sinister hacker.  We should not be surprised that the end goal for hackers is often financial reward.  Our business systems, with their files and data, are a treasure-trove of valuable information – proprietary business intellectual property, credit card numbers, social security numbers and other Personally Identifiable Information (PII).  Healthcare has what is called Protected Health Information (PHI).  Selling this information for use in identity theft and insurance fraud is a big reward.  Don’t forget bank account information and stored user credentials to all sorts of internal and external systems.  And even if our data isn’t valuable to the attacker, they know our data is valuable to the operations of our business.  Hackers encrypt the stored data, holding it hostage in exchange for a ransom.

Remember the Colonial Pipeline shutdown?  Their CEO authorized a $4.4 million payment to the hackers.  Just imagine making that tough decision! Somehow parting with millions in Bitcoin was the best decision in the moment. Monday morning quarterbacking makes me wonder about their business continuity plan, but that’s a topic for another time. Much of this activity is coming from foreign governments – their employees clock in every day and launch attacks against businesses, large and small.  Many hackers get paid commissions on how much money they can extort.  We are all targets!

How to Harden the User

How do we go about solving the problem?  Here are some proposed first steps on our journey to hardening our end users:

  • Recognize the need to start a security awareness and education program
  • Incorporate regulatory compliance standards if required
  • Start somewhere, make improvements each time, and measure results

To that end, let’s start somewhere…

The upcoming TCS Education Webinar for Q3 2021 – “Hardening the User” will provide practical advice on how to be aware of and avoid the following user security issues:

  • Not believing we are a target (optimism bias)
  • Identity theft and other data privacy issues
  • Bad password habits
  • Using public wi-fi
  • Social engineering, including phishing and SMShing
  • Unsecure browsing

Stay tuned for more when we release the upcoming video companion and training guide to this article.  You will be able to share this out as a Security 101 class for your users.

Before we start to answer this question, let’s first consider answering when an “IT Guy” (or Gal) IS enough.  Some organizations are adequately served by what the industry calls “Break/Fix” service.  Simply put, when something goes down, you have a resource on speed dial who can come out and get things up and running again.  Many companies use this model successfully or, at least, some variation like perhaps buying a block of hours – this is the same as break/fix except you are buying time in advance and often at a discount.  Perhaps some of your work is still on paper and your processes are mostly manual.  And on the surface, this arrangement is workable (even if not ideal) for businesses who have very simple technology needs.

When Break/Fix Breaks…

At some point, as a business becomes more operationally mature, it begins to leverage technology as a competitive advantage, and the underlying technology that drives more efficient workflows becomes more complex.  You are now running servers with key line-of-business applications that require a database.  Your workflows are more efficient, your company can scale its efforts, and processes have become automated, reducing human error.  As a result, organizations begin to value their technology operations as strategic and mission-critical to company success.  As the operational maturity level (OML) continues to increase, an inflection point is reached where the break/fix model no longer works and is a hindrance to efficiency and security.  Your needs have outgrown the old model.

Think about it this way – the incentive for the break/fix IT guy is misaligned with your organization.  They are rewarded (paid) when your technology is down, not when it stays up and running.  This creates a dynamic where addressing root cause issues of technology failures and building more robust (but also more complex) systems is not in the best interest of the person doing the work.  Why should they invest energy to prevent failures rather than band-aid symptoms or develop workarounds to keep things just stable enough to not get fired?

Yeah, but…

Some IT folks have the integrity to do things in the best interest of their clients despite this not being in their own financial interests.  Unfortunately, I have seen too many of the former and very few of the latter, so the odds are high your “IT Guy” could be taking advantage of you.  Perhaps this isn’t even a conscious decision, but simply the cause and effect of being rewarded to maintain the status quo.  The other reason is they simply lack the knowledge and experience to manage things in a better way.

Taking a deeper look at the problem…

Let’s examine the usual case:  You hire someone who is inexpensive and eager to grow their skillset.  Their only experience is building a PC or two and setting up the family’s home network.  They know just enough to be dangerous, but they have more knowledge of IT than you do.  You decide to give them a try.  Your company’s network has now become their personal IT playground.  He/she will happily persuade you to try new things in your environment.  Let’s consider when this “new thing” is the backup system for your important documents and company QuickBooks files.  He tells you the system can be implemented with minimal cost because the software is “free” (perhaps Open-Source Linux or something) and you happen to have an old PC that can be repurposed to host the system.  What could go wrong?!

Well, let’s list a few potential issues:

  • Due to inexperience, the tech didn’t ask or know where all the critical data resides and failed to include the QuickBooks files in the backups.  The QuickBooks PC dies and there are no backups.
  • The single drive in the backup server starts failing, but the condition is not known because nothing is monitoring the performance of the hardware.  Your primary application server crashes and there are no good backups (due to the failing hard drive) because your tech never tested restoring the data.
  • A flood in the IT closet destroys both the server and the backup system resulting in total data loss – and there is no off-site copy.
  • One of your employees clicks an email link, unleashing a ransomware attack on your network and because their account had admin privileges on the network, the server and backup files are also encrypted, resulting in total data loss.
  • Your main server crashes and it takes a week for your tech to source new hardware, rebuild the server from scratch, and then restore your data from the backup.  Everything worked as designed, but your tech didn’t consider how long your company could be down while everything was being rebuilt.  Your business just lost a week of productivity.

Truth or Consequences?

We wish we could say these horror stories are complete fabrications, but you would be surprised (or maybe not) at the many ticking time bombs we have come across. To be sure, we won’t name names here, but trust us when we say, “We have seen it all!” The fortunate ones are those who made the switch to more professional IT management before things went south. It would not be a bad idea to quiz “your guy” about what measures are in place to ensure these things don’t happen. You’ll likely get one of two reactions – a smile (with a laundry-list of precautions being taken) or sweat (with a ton of excuses)! You be the judge. And this pop-quiz of sorts doesn’t require being technical…it is easy to read whether someone is confident and knows what they are saying or trying to talk you in circles to avoid answering the question. Reminds me of final exam essay questions where you don’t know the answer, but hope you can write enough to eventually touch on the correct response.

In any of these scenarios, your company will have paid a hefty price for the inexperience of your IT guy.  Important lessons were learned by both parties.  Your business has just become aware of the need to be more operationally mature, and your IT guy knows what not to do next time.  Layer on top of the operational issues, the constantly evolving need for better security, and the problems become even more complex and the risk to your organization that much greater.

Oh, but he is an employee, so there’s more…

Here are some other limitations of having a single resource (perhaps your employee) running IT:

  • Who fixes problems when he/she is on vacation or out sick?
  • Where is the escalation path when issues are outside of your tech’s skillset?
  • You hired them at a low salary, but now they have experience and a resume (at your company’s expense), and they leave you to make 50% higher salary elsewhere.
  • Your IT needs have grown, and you need: a desktop technician, a network/server admin, and an IT Director.  Even if there is overlap in the technical competencies, now you are spending $200K+ (over $16K per month) to hire and retain competent technology staff.

Take note that many of these problems are also inherent in outsourcing IT to a single-guy shop whether the agreement is structured as break/fix (with the problems discussed above) or fixed-fee.

Managed Service Providers to the rescue!

We have looked at why the break/fix model doesn’t work for many organizations AND why hiring IT staff has serious limitations.  There is a sweet spot in Small Business where the MSP model thrives – higher OML organizations who value quality IT services but cannot afford to staff a full IT department.

MSPs operate with fixed-fee monthly services and provide outsourced IT resources for your business.  They staff experienced technology professionals who fill the various roles of an IT department.  MSPs provide best-of-breed tools to monitor and manage your systems, all-you-can-eat help desk support, and even strategic IT management (usually with a virtual CIO service serving as your IT Director).

Managed Service Providers buffer your organization from the challenges of hiring and retaining quality staff, plus provide redundancies in various technical competencies.  MSPs can offer technology talent a better compensation package: 401K, flexible PTO, career tracks with promotions, training programs, performance pay, and other benefits.  And the employee doesn’t have the stress of being on an island with no other technical resources to help when needed.  They are part of a team.

Win-Win

All of this and the MSP’s interests are aligned with the needs of your organization.  A fixed-fee monthly contract means both companies benefit when technology is stable and end-users are productive and happy.  This is a win-win since the cost of outsourcing support is less than staffing an IT department.  So, to answer the question, “When is an IT guy not enough?”: When your organization values the benefits of well-managed technology, but it is not practical to staff your own IT department.