News of a Bash vulnerability is spreading across the web today, and Green House Data has received multiple inquiries from customers about the state of Linux servers, which are susceptible to the exploit. This bug allows remote code execution, so it could be used to distribute malware, run additional exploits, or access data. Bash is a command interpreter that is bundled with many distributions of Linux and Unix. Systems at risk include websites, servers, OS X Macs, routers, and other connected devices.
As you build out your cloud resources, you may begin to feel overwhelmed with the different elements that need your attention. Even if you have smaller environments, notifications are essential in case something is about to break or has already gone wrong.
VMware vSphere includes default alarms as well as the ability to add custom alarms that can notify admins for various events, conditions, or states. You can set up and configure alarms from the vSphere web client or native application.
Patching is necessary to keep servers secure from attackers and viruses as well as free from bugs, which can sap productivity. Designing your server and virtual machine infrastructure to suit service levels and future change management will save you time and potential outages when the time comes to patch—and when it does, these simple best practices will help smooth the process.
With more and more companies taking advantage of cloud computing for on-demand infrastructure and additional resources, penetration testers are being called upon to perform more security testing on virtualized environments. Clients may require testing for compliance standards like PCI DSS, or they may be evaluating multiple cloud providers for the most secure option. The cloud brings with it a new set of considerations for testers, as a virtual environment could house multiple tenants on the same architecture.
The first thing to decide is whether you are outsourcing pen testing to a third party or keeping it in-house with your security team. With a third party you will only need to mitigate any contract and SLA problems. Be sure to vet a third party thoroughly, asking exactly what they will test, what tools they will use, what their scan policies are, and whether they use white-box or black-box testing (in black box, the tester infiltrates without any previous knowledge of the environment, while white box is the opposite).
Either way, you’ll need to know exactly what will be tested, including which applications, database servers, and devices (including storage).
What is Heartbleed?
This vulnerability takes advantage of a memory configuration within the ever-popular OpenSSL software library. The TLS heartbeat extension (RFC 6520) on an exploited version of OpenSSL allows an attacker to view up to 64k of what is in memory with each “heartbeat.” Thus, a multitude of information can be obtained unnoticed. It is important to note that this exploit is found in OpenSSL's implementation of SSL/TLS, not within the TLS protocol itself.
How does this affect Green House Data's services?
We are actively pursuing efforts to mitigate any presence of vulnerable systems within Green House Data's cloud infrastructure. From what we have seen so far, these efforts are primarily focused on systems using OpenSSL to encrypt TLS connections. Green House Data provides service and customer portals that use SSL and has taken the necessary actions to secure our systems.
What steps can be taken to fix this?
You may have seen recent headlines about NTP attacks, a new variation of Distributed Denial of Service Attacks (DDoS) that is driving massive attacks with up to 400 Gbps of traffic overwhelming servers. Victims have included Xbox Live, customers at CloudFlare, and hosting company OVH.
The new NTP attacks take advantage of Network Time Protocol, which is used to sync timestamps between servers and networks. Hackers amplify their attacks through NTP by sending a small packet to the NTP server under the guise of the target IP. The NTP server automatically replies to the spoofed IP with the last 600 IP addresses that connected. The specific command used is “monlist”, which replies with the list of IP addresses.
January 28th is Data Privacy Day, an international event focused on educating the public about information security and personal data privacy. With hacks and security breaches making headlines every week (see the massive Target breach), keeping your digital information safe is more vital than ever. Here are some quick tips to help you secure your data from prying eyes, and a quick overview of how Green House Data technicians approach cloud security.
Security. When it comes down to it, security is the main reason many executives are wary of cloud hosting. It’s a good reason, too. It takes a bit of faith to put critical business data into external infrastructure. Managed cloud security services offer peace of mind as dedicated NOC staff keeps watch 24 hours a day for incoming threats, both taking precautions and responding to attacks as soon as they are detected. The three stages of managed security services are:
One major concern for parents and small business owners alike is how to keep employees or kids safe and productive on the internet without having to spend a lot of money. While there is a wide variety of commercial software available, there is a free tool that does not require installation on every internet-capable machine in the home or business. It is called OpenDNS.
You’ve likely heard of “shadow IT” or BYOD (bring your own device). Both terms refer to employees using private devices or software at the workplace—think iPads for work, or Google Drive to share files in a department. These practices may not be sanctioned by the IT department, but they improve productivity and save provisioning costs. However, they come with the risk of security breaches or other issues, causing IT headaches. By implementing an official BYOD policy and deploying hybrid cloud tools, companies can eliminate shadow IT and empower employees at the same time.