Geo-IP filtering has been around for quite some time.  TCS has been configuring it for at least a decade on our next-generation firewalls.  This article will define what Geo-IP filtering is and why it is critical for any CyberSecurity model.  Before we get too carried away, it’s imperative that we emphasize that Geo-IP filtering is one of MANY layers that should comprise a CyberSecurity posture. Nevertheless, it is a vital layer.  What is Geo-IP filtering?

Geo-IP Filtering Defined

In writing an article of this nature, it would be foolish to assume everyone understands what Geo-IP filtering is.  Every device that connects to the Internet is assigned an IP address, and the IANA (Internet Assigned Numbers Authority) allots different numbered IP address ranges to different countries.  Since each country's address ranges are registered separately, it is possible to determine whether Internet requests are coming from the US, Canada, the British Isles, or even Zimbabwe.

For SMBs, local governments, and municipalities, there really is no need to allow your network to communicate with the entire world.  If you’re not running or managing a global enterprise, odds are that allowing communication with every country in the world is more of a liability than a necessity.  Even global enterprises can benefit by whitelisting the specific international IP addresses necessary for their business, but that is very complex – something that enterprises generally have the resources to handle internally.  Exceptions aside, the bottom line is that a local plumbing company, doctor’s office, or financial institution probably has little need to communicate with Vietnam, North Korea (Democratic People’s Republic of Korea), or South Sudan.  Why South Sudan?  According to Kaspersky’s World Threat Map, it registers as number two (#2) on the world map of attack sources, accounting for 8.49% of all attacks worldwide.  Who would have thought that?

Why Geo-IP Filtering Is So Critical

It might be obvious to some why filtering out countries known for their bad actors would be a good thing, but some might remain unconvinced.  One lead question I often use with potential clients is, “Do you want your business to be able to communicate with enemies of the US?”  Most business owners, unless they have some alliance to trade in other countries, answer “No way!”  That settles it for them.  But what are some of the nuances of how Geo-IP protection can benefit an SMB?

  1. Many crypto-ransomware attacks depend on being able to communicate with servers in outside countries in order to complete the ransomware hijack.

Here is a very helpful infographic from Sophos showing the five stages of a crypto-ransomware attack:

[Infographic: Sophos, the five stages of a crypto-ransomware attack]

Note:  The full article, including the graphic, can be located here.

Notice Step 2 of their graphic:  Contacting Headquarters.  Often, these ransomware headquarters are off-shore, either because the operators are trying to avoid legal accountability or because they are state-funded attacks intended to create disruption.

If the ransomware needs to contact a server in one of the blocked countries in order to complete the process, you have blocked an integral part of that process.  That doesn’t mean you are safe just yet, BUT your files aren’t encrypted yet either.

  2. Email scams with hyperlinks often originate in Eastern Europe and countries in Africa.  When you receive an email stating there is a problem with your Amazon purchase, or that you have a UPS package that is undeliverable, those emails will often include a link to click on in order to resolve the issue.  Those links often point to web servers in other countries.  Filtering communications with those countries helps protect your users should one of them click on the link.  This isn’t a substitute for end-user security awareness training, but it does add another layer of protection against user error.
  3. The final way that Geo-IP filtering can prove helpful is the all-too-common mistyped web address, or typo-squatting as it is commonly called in the industry.  While protections have been put in place to guard against these mishaps, they still occur.  The most well-known historical example is misspelling Google.com as Goggle.com.  This led to Google purchasing the rights to Goggle to ensure it didn’t get misused.  If the misspelling would connect a user to a server in a restricted country, the end user is blocked from accessing the site, which cues them to investigate the spelling instead of opening up your organization to malicious attacks.

Conclusion 

No single security layer is the end-all security measure for businesses and organizations, but Geo-IP filtering can help mitigate malicious attacks on your network from other countries.  Management of Geo-IP filtering can be tricky and tedious at times, but the juice is most certainly worth the squeeze.  There’s no reason to allow communications with other countries beyond those mission-critical sites necessary for your business to function properly.

Defense in Depth Redux

Today, we are continuing our conversation on Defense in Depth.  We have firewalls with features like Geo-IP blocking, Intrusion Prevention, and content filtering.  Web browsers and DNS servers join in to warn about or block access to compromised web sites.  Endpoint security now goes beyond traditional signature-based anti-virus, adding artificial intelligence and application behavior analysis to protect against unknown threats.  Spam filtering and anti-phishing security protect our email inboxes from the nasties.  Hard drive encryption protects data at rest, and security protocols encrypt data in transit.  Computer hardware helps protect operating systems from rootkits that hijack the lower-level “ring zero” (trusted) access to memory, CPU, storage, and other system resources.  Two-factor authentication and biometric access are quickly replacing traditional passwords.  In all of this “geek speak”, we left out a key ingredient – the end user.

End users are often referred to by IT support, in the pejorative, as the weak link in security, i.e. PEBKAC (Problem Exists Between Keyboard and Chair) or ID-10-T error (read: IDIOT).  If you have ever watched an episode of The IT Crowd, then you have likely observed the true nature of many tech-heads.  This arrogant attitude is often delivered with snarky and condescending questions like: “IS IT PLUGGED IN?!”, “IS IT TURNED ON?!”, “DID YOU REBOOT IT FIRST?!”  And whenever I’m on the receiving end of this treatment, I want to respond, “If I’m calling you, then it’s not in your scripted manual, so please escalate to someone who can really help!”

But why this love-hate, or sometimes hate-hate, relationship between end users and technical support?  It shouldn’t be that way.  Users need technology, and the IT Department doesn’t exist for its own sake.  This dynamic needs to change from what is often “us versus them” to “we”.  Working with, rather than against, the user is an opportunity to enhance security…and that’s a win-win!  To borrow a line, “All in all it’s just another brick in the wall.”  The user is a critical component of information security, perhaps the most critical.

The True Enemy

When we recognize we are all on the same team, we are ready to do battle against the true enemy – the sinister hacker.  We should not be surprised that the end goal for hackers is often financial reward.  Our business systems, with their files and data, are a treasure-trove of valuable information – proprietary business intellectual property, credit card numbers, social security numbers, and other Personally Identifiable Information (PII).  Healthcare has what is called Protected Health Information (PHI).  Selling this information for use in identity theft and insurance fraud is a big reward.  Don’t forget bank account information and stored user credentials to all sorts of internal and external systems.  And even if our data isn’t valuable to the attacker, they know our data is valuable to the operations of our business.  Hackers encrypt the stored data, holding it hostage in exchange for a ransom.

Remember the Colonial Pipeline shutdown?  Their CEO authorized a $4.4 million payment to the hackers.  Just imagine making that tough decision!  Somehow parting with millions in Bitcoin was the best decision in the moment.  Monday-morning quarterbacking makes me wonder about their business continuity plan, but that’s a topic for another time.  Much of this activity is coming from foreign governments – their employees clock in every day and launch attacks against businesses, large and small.  Many hackers get paid commissions based on how much money they can extort.  We are all targets!

How to Harden the User

How do we go about solving the problem?  Here are some proposed first steps on our journey to hardening our end users:

  • Recognize the need to start a security awareness and education program
  • Incorporate regulatory compliance standards if required
  • Start somewhere, make improvements each time, and measure results

To that end, let’s start somewhere…

The upcoming TCS Education Webinar for Q3 2021, “Hardening the User”, will provide practical advice on how to be aware of and avoid the following user security issues:

  • Not believing we are a target (optimism bias)
  • Identity theft and other data privacy issues
  • Bad password habits
  • Using public wi-fi
  • Social engineering, including phishing and SMShing
  • Unsecure browsing

Stay tuned for more when we release the upcoming video companion and training guide to this article.  You will be able to share this out as a Security 101 class for your users.

TCS is committed to educating our client base and small-to-medium sized organizations at large about Cybersecurity – the existing threats out there and how best to protect against and mitigate the effects of those threats.  To some, that can sound scary.  The scary reality is that there are real threats out there that can disable and sometimes even pose an existential threat to your company or organization.  Sticking our collective heads in the sand is not a viable option.

The Distinction between Scare Tactics and Education

So what is the distinction between educating about scary topics and using scare tactics?  Education first seeks to increase awareness, not for the sake of scaring but for the sake of providing reasonable dialogue regarding ways to protect against those scary outcomes.  Scare tactics seek to manipulate emotion and shut down dialogue.  They present no discussion, but only seek to scare someone into a decision.  Education, on the other hand, presents the potentially scary scenarios and then reasons through a range of solutions to protect against them.

For instance, there is a world of difference between informing someone that accounts tied to their organization are available for sale on the dark web and detailing every scary outcome that could result from that exposure.  Scare tactics use threatening language to get their desired outcome, while education seeks to have a simple conversation.  The fact of the matter is that those accounts for sale on the dark web may not have the most current password associated with that login, which makes them less of a threat.  Nevertheless, a conversation can be had regarding how even old passwords can give attackers clues as to how you typically approach creating your passwords.  Simply changing the password may not be the best solution in that scenario.

TCS Is Committed to Cybersecurity Education

Is your MSP doing a good job of educating you on those matters?  Do you know whether you have compromised accounts on the dark web?  If your internet/email domain has been online for more than a few years, then chances are you do have some compromised accounts.  The real question is, do you know what those accounts are and what you have done as a result?  The only thing that makes this scenario scary is the unknown.  TCS seeks to take out that unknown and educate organizations on how they can respond in a way that mitigates the ill effects of compromised accounts.

Coming out of the Dark

What differentiates TCS from other MSPs?  In this context, TCS doesn’t want you to be in the “dark” (pun intended) regarding your Cybersecurity position.  We encourage all Cybersecurity education, whether it comes from TCS or not.  Hopefully, if someone comes along and mentions to one of our clients that they have compromised accounts on the dark web, our customer is educated enough in Cybersecurity to respond, “Of course we do, and we’ve responded in these ways to mitigate the effects of those compromised accounts.”  When a prospect responds in a way that indicates they are unaware of what that means, or of its potential ramifications, we see an opportunity to educate – not with the aim of scaring them, but to the end that they comprehend what’s at stake and how best to protect themselves against it.  Sure, there is a fine line there; but TCS is committed to education, not emotional manipulation.