With more and more companies taking advantage of cloud computing for on-demand infrastructure and extra capacity, penetration testers are being asked to perform more security testing on virtualized environments. Clients may need testing for compliance standards like PCI DSS, or they may be evaluating several cloud providers to find the most secure option. The cloud brings a new set of considerations for testers: a virtual environment can house multiple tenants on the same underlying hardware, so every test has to stay inside the client's agreed scope and must not touch neighbouring tenants' systems.
The first decision is whether to outsource penetration testing to a third party or keep it in-house with your security team. With a third party you also have to settle the contract and SLA terms, including written authorization for the test and, where the provider requires it, advance notice to the cloud provider. Vet the firm thoroughly: ask exactly what they will test, which tools they will use, what their scan policies are, and whether they test black-box or white-box (in black-box testing the tester starts with no prior knowledge of the environment; in white-box testing the tester is given full knowledge, such as architecture diagrams, source code and credentials).
Either way, you will need to agree on exactly what is in scope: which applications, database servers, network devices and storage systems will be tested.
What is Heartbleed?
Heartbleed (CVE-2014-0160) is a missing bounds check in the ever-popular OpenSSL library's implementation of the TLS heartbeat extension (RFC 6520). A heartbeat request carries a payload together with a field stating how long that payload is. Vulnerable versions of OpenSSL (1.0.1 through 1.0.1f) copy as many bytes as the length field claims into the reply without checking that the request actually contained that many, so an attacker can read up to 64 KB of the server's process memory with each "heartbeat", repeat the request as often as they like, and leave nothing in the logs. The leaked memory can contain private keys, session cookies and user credentials. It is important to note that the flaw is in OpenSSL's implementation of SSL/TLS, not in the TLS protocol itself. The fix is OpenSSL 1.0.1g (or a build compiled with -DOPENSSL_NO_HEARTBEATS); because keys may already have been read before patching, a patched server should also get new certificates with fresh private keys, and sessions and passwords should be reset.
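As an added illustration (not code from the original post, and not OpenSSL's own source), the C sketch below models the heartbeat handler in the shape it had before and after the 1.0.1g patch. The record layout and the bounds check follow RFC 6520 and the published fix; the function names, the constructed 4-byte record and the "secret" bytes placed after it in the same buffer are assumptions made for the demo so that the over-read is deterministic and stays inside memory the demo owns.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of an RFC 6520 heartbeat record in the receive buffer:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16)
 * rec_len is the number of bytes the peer actually sent. */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_PADDING      16
#define HB_MAX_RESPONSE (3 + 65535 + HB_PADDING)

static unsigned n2s(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Shape of the pre-1.0.1g handler. The peer-supplied payload_length is
 * trusted, so memcpy reads that many bytes from the payload even when the
 * record was far shorter; whatever follows the record in process memory is
 * copied into the reply. Returns the reply length. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    uint8_t hbtype = rec[0];
    unsigned payload = n2s(rec + 1);
    (void)rec_len;                       /* never compared with payload: the bug */
    if (hbtype != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);   /* over-read whenever payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Shape of the 1.0.1g fix: the record must hold at least a header plus
 * padding, and a request whose claimed payload does not fit in the bytes
 * actually received is silently discarded (RFC 6520 section 4). */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    uint8_t hbtype;
    unsigned payload;
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    hbtype = rec[0];
    payload = n2s(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    if (hbtype != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed demo data: a 4-byte record whose header claims 16 bytes of
 * payload, placed in one buffer directly ahead of unrelated "secret" bytes,
 * the way a short record can sit next to other heap contents. */
static const uint8_t SECRET[] = "SECRET_KEY_MATERIAL";

static size_t layout_arena(uint8_t *arena)      /* returns the real record length */
{
    static const uint8_t rec[] = { HB_REQUEST, 0x00, 0x10, 'A' };
    memcpy(arena, rec, sizeof rec);
    memcpy(arena + sizeof rec, SECRET, sizeof SECRET);
    return sizeof rec;
}

/* How many SECRET bytes the vulnerable handler copies into its reply. */
int demo_vulnerable_leak(void)
{
    uint8_t arena[64], *out = malloc(HB_MAX_RESPONSE);
    size_t rec_len = layout_arena(arena);
    int n = heartbeat_vulnerable(arena, rec_len, out), leaked = 0;
    if (n > 0) leaked = memcmp(out + 4, SECRET, 15) == 0 ? 15 : 0;  /* out[3] is the real 'A' */
    free(out);
    return leaked;
}

/* 1 if the fixed handler drops the same malformed record. */
int demo_fixed_rejects(void)
{
    uint8_t arena[64], *out = malloc(HB_MAX_RESPONSE);
    int r = heartbeat_fixed(arena, layout_arena(arena), out) == -1;
    free(out);
    return r;
}

/* Reply length for an honest 1-byte heartbeat: 3 header + 1 payload + 16 padding in, 20 out. */
int demo_fixed_honest_len(void)
{
    uint8_t rec[20] = { HB_REQUEST, 0x00, 0x01, 'A' };  /* remaining bytes are zero padding */
    uint8_t *out = malloc(HB_MAX_RESPONSE);
    int n = heartbeat_fixed(rec, sizeof rec, out);
    free(out);
    return n;
}
```

In a live process the bytes past the record are whatever the allocator placed there, which is why key material and cookies turned up in Heartbleed captures; the same defect pattern, a peer-supplied length driving a copy without being compared against the bytes actually received, is worth looking for in any parser that handles length-prefixed input.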
How does this affect Green House Data's services?
We are actively pursuing efforts to mitigate any presence of vulnerable systems within Green House Data's cloud infrastructure. From what we have seen so far, these efforts are primarily focused on systems using OpenSSL to encrypt TLS connections. Green House Data provides service and customer portals that use SSL, and we have taken the necessary actions to secure those systems.
What steps can be taken to fix this?
You may have seen recent headlines about NTP attacks, a variation of distributed denial of service (DDoS) attack that has driven floods of up to 400 Gbps at its targets. Victims have included Xbox Live, CloudFlare customers, and the hosting company OVH.
These attacks abuse the Network Time Protocol, which servers use to synchronize their clocks. They are reflection attacks: the attacker sends a small query to a publicly reachable NTP server with the source address forged to the victim's IP, and the server sends its reply to the victim instead of the attacker. The query used is the "monlist" command, a mode 7 (private) administrative request that makes ntpd return the last 600 addresses that contacted it, so a request of a few bytes produces a reply hundreds of times larger, and the whole reply lands on the victim. The abuse works only because UDP lets the source address be forged and because many ntpd installations answer monlist from anyone; it is closed on the server by upgrading to ntpd 4.2.7p26 or later, or by adding "disable monitor" (or "restrict default noquery") to ntp.conf, and at the network edge by filtering packets with spoofed source addresses (BCP 38).
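As an added example, not from the original post: a C decoder for the NTP mode 7 header that flags monlist requests and responses and measures the bytes-out-to-bytes-in ratio of one exchange. The header layout, the request codes (20 and 42) and the 72-byte monitor entry size follow ntpd's ntp_request.h; the sample packets are constructed for the demo, and the function names are assumptions of this example rather than anything from ntpd.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTP "private" mode 7 header (8 bytes), the format ntpdc uses for monlist:
 *   byte 0: R(1) M(1) VN(3) Mode(3)     byte 1: Auth(1) Sequence(7)
 *   byte 2: implementation (3 = XNTPD)  byte 3: request code
 *   bytes 4-5: Err(4) ItemCount(12)     bytes 6-7: MBZ(4) ItemSize(12)
 * Data items follow the header. */
#define NTP_MODE_PRIVATE   7
#define IMPL_XNTPD         3
#define REQ_MON_GETLIST    20
#define REQ_MON_GETLIST_1  42
#define MON_ITEM_SIZE      72   /* sizeof(struct info_monitor_1) in ntpd */
#define MODE7_HDR_LEN      8

enum ntp_kind { NTP_OTHER = 0, NTP_MONLIST_REQUEST = 1, NTP_MONLIST_RESPONSE = 2 };

struct mode7_hdr {
    int response, more, version, implementation, req_code;
    unsigned err, count, item_size;
};

/* Decode a mode 7 header from a UDP payload; returns 0 if it is not mode 7. */
int parse_mode7(const uint8_t *p, size_t len, struct mode7_hdr *h)
{
    if (len < MODE7_HDR_LEN || (p[0] & 7) != NTP_MODE_PRIVATE) return 0;
    h->response       = (p[0] >> 7) & 1;
    h->more           = (p[0] >> 6) & 1;
    h->version        = (p[0] >> 3) & 7;
    h->implementation = p[2];
    h->req_code       = p[3];
    h->err            = p[4] >> 4;
    h->count          = ((unsigned)(p[4] & 0x0f) << 8) | p[5];
    h->item_size      = ((unsigned)(p[6] & 0x0f) << 8) | p[7];
    return 1;
}

/* Flag monlist traffic in either direction. A response only counts when its
 * declared item count and item size fit inside the bytes actually carried. */
enum ntp_kind classify_ntp(const uint8_t *p, size_t len)
{
    struct mode7_hdr h;
    if (!parse_mode7(p, len, &h) || h.implementation != IMPL_XNTPD) return NTP_OTHER;
    if (h.req_code != REQ_MON_GETLIST && h.req_code != REQ_MON_GETLIST_1) return NTP_OTHER;
    if (!h.response) return NTP_MONLIST_REQUEST;
    if (MODE7_HDR_LEN + (size_t)h.count * h.item_size > len) return NTP_OTHER;  /* truncated or forged */
    return NTP_MONLIST_RESPONSE;
}

/* Bytes received per byte sent for one request/response pair; 0 if the pair
 * is not a monlist exchange. */
double amplification(const uint8_t *req, size_t req_len, const uint8_t *rsp, size_t rsp_len)
{
    if (classify_ntp(req, req_len) != NTP_MONLIST_REQUEST) return 0.0;
    if (classify_ntp(rsp, rsp_len) != NTP_MONLIST_RESPONSE) return 0.0;
    return (double)rsp_len / (double)req_len;
}

/* Constructed sample: the 8-byte probe "\x17\x00\x03\x2a" + four zero bytes,
 * i.e. VN=2, mode 7, XNTPD, MON_GETLIST_1, as sent with a forged source address. */
const uint8_t SAMPLE_MONLIST_REQUEST[8] = { 0x17, 0x00, 0x03, 0x2a, 0, 0, 0, 0 };

/* Constructed sample: one response packet carrying 6 entries, R=1 and M=1
 * (more packets follow). Entry contents are zeroed; detection ignores them. */
int build_sample_response(uint8_t *buf, size_t cap)
{
    const uint8_t hdr[MODE7_HDR_LEN] = { 0xd7, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1,
                                         0x00, 0x06, 0x00, MON_ITEM_SIZE };
    size_t len = MODE7_HDR_LEN + 6 * MON_ITEM_SIZE;   /* 440 bytes */
    if (cap < len) return -1;
    memcpy(buf, hdr, sizeof hdr);
    memset(buf + MODE7_HDR_LEN, 0, len - MODE7_HDR_LEN);
    return (int)len;
}

enum ntp_kind demo_response_kind(void)
{
    uint8_t rsp[512];
    int n = build_sample_response(rsp, sizeof rsp);
    return n < 0 ? NTP_OTHER : classify_ntp(rsp, (size_t)n);
}

/* An ordinary 48-byte mode 3 client poll (LI=0 VN=3 Mode=3 -> 0x1b) for contrast. */
enum ntp_kind demo_client_kind(void)
{
    uint8_t pkt[48] = { 0x1b };
    return classify_ntp(pkt, sizeof pkt);
}

double demo_amplification(void)
{
    uint8_t rsp[512];
    int n = build_sample_response(rsp, sizeof rsp);
    return n < 0 ? 0.0 : amplification(SAMPLE_MONLIST_REQUEST, sizeof SAMPLE_MONLIST_REQUEST, rsp, (size_t)n);
}
```

The single packet above already returns 55 bytes for every byte sent, and a full 600-entry list is spread over many such packets with the M bit set, which is where the headline amplification comes from. On a network monitor the reflection signature is mode 7 responses arriving at hosts that never sent a mode 7 request; on the server side, the same classifier run against outbound traffic shows whether an ntpd instance is still answering monlist after the configuration change.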
January 28th is Data Privacy Day, an international event focused on educating the public about information security and personal data privacy. With hacks and security breaches making headlines every week (see the massive Target breach), keeping your digital information safe is more vital than ever. Here are some quick tips to help you secure your data from prying eyes, and a quick overview of how Green House Data technicians approach cloud security.
Security. When it comes down to it, security is the main reason many executives are wary of cloud hosting, and it is a good reason: it takes a measure of trust to put critical business data on external infrastructure. Managed cloud security services offer peace of mind, with dedicated NOC staff keeping watch 24 hours a day for incoming threats, both taking precautions and responding to attacks as soon as they are detected. The three stages of managed security services are:
One major concern for parents and small business owners alike is how to keep kids or employees safe and productive on the internet without spending a lot of money. While there is a wide variety of commercial software available, there is a free tool that does not require installation on every internet-capable machine in the home or business: OpenDNS, a filtering DNS resolver that is configured once on the router or network, so that every device using that network gets the same filtering.
You have likely heard of "shadow IT" or BYOD (bring your own device). Both terms refer to employees using personal devices or unsanctioned software at the workplace, whether iPads for work or Google Drive to share files within a department. These practices may not be approved by the IT department, but they improve productivity and save provisioning costs. They also carry the risk of security breaches and other issues that cause IT headaches. By implementing an official BYOD policy and deploying hybrid cloud tools, companies can bring shadow IT under control and empower employees at the same time.
At the end of August, news broke that two hackers had broken the two-factor security deployed by Dropbox, a cloud storage platform used by millions of people across the globe. The hackers published their methods in order to promote an open-source version of the program that could, they claimed, be safer for users overall. The hack puts cloud providers and users on edge: how safe is SSL?
Although digital security is paramount to keeping your business data safe within our data center, and for meeting compliance standards, physical security measures are just as important. For example, our HIPAA infographic shows how many data breaches result from stolen equipment. These threats are largely internal in nature, which is why four layers of physical facility security help ensure the safety of the equipment and information stored in our facility.
One vital managed service for Green House Data virtualization deployments is securing your critical data. Although our data center compliance standards attest to our security management processes, additional steps are needed to secure data within a vSphere environment, which is why security hardening and auditing is one of our most popular services.