How secure are your employee’s endpoints – at home?

COVID-19 continues to present problems for employees working remotely. Over the past few weeks, a number of threats have been identified in the banking industry – namely, social engineering, third-party data breaches and ransomware. Across the globe fraud and cyberattacks have soared. IT News Africa says this is of particular concern for South Africa as funds are collected to uphold the economy during lockdown and new grants are implemented to ensure the wellbeing of citizens.

We’ve also seen numerous reports of cybercriminals ramping up their attacks as more and more people started to work from home. Now the Wireless Application Service Providers’ Association (WASPA) has reiterated the need for South Africans to practice good cybersecurity at home.

“With 90 million mobile connections and widespread availability of money transfer and digital banking facilities, SA is tremendously attractive to mobile fraudsters who use malware embedded in downloadable apps to gain access to passwords, user names and other sensitive data,” General Manager of WASPA, Ilonka Badenhorst said.

Exposed Services in Africa

“The way we are preyed upon by criminals has changed. We understand how to protect ourselves from physical crimes, but cybercrime is different – it is nameless, faceless and borderless. We can’t protect ourselves directly because most of us are not IT security professionals, and there is no failsafe system,” says Rohan Isaacs, who heads the technology and privacy team at law firm Herbert Smith Freehills in South Africa.

The global Cyber Exposure Index ranks SA sixth on the list of most-targeted countries for cyberattacks, with the highest concentration of exposed or smaller businesses.

“Most organisations are blissfully unaware of the degree of cybercrime that’s out there. People believe they are well-protected, and they are definitely not – they are using yesterday’s technology to protect themselves against today’s threats,” Brian Pinnock, Mimecast.

A recent study by Shadowserver also reported an increase in malware infection statistics. These come from data collected from sinkholes, honeypots, network telescopes and other sources operated by either Shadowserver or its partners. Example network report types that contain this data include: Botnet Drone Report, HTTP Sinkhole Report, Microsoft Sinkhole Report, Brute Force Attack Report and the Darknet Report.

Based on these datasets, we see in total up to 600,000 malware infected IP addresses per day in Africa. However, it should be noted that observed activity by malware family is biased towards the threats that ShadowServer and its partners are currently sinkholing or otherwise have visibility of (around 400 malware families/variants).

Perhaps unsurprisingly, the amount of infections by unique IPs tend to be higher in absolute numbers in more populous countries and/or countries with better Internet infrastructure including Nigeria and South Africa.

What endpoint protection is required?

As already established, IP addresses are vulnerable and email is the single biggest attack vector for cybercrime, accounting for about 90% of all cyberattacks. But how do we determine what endpoint protection is required to keep our devices protected at all times?

Antivirus software is no longer viable: it works on a detect-and-respond basis, which is proving increasingly inadequate against common cyberattacks. Modern technology makes it possible to prevent attacks rather than only detect them, which can save a company a lot of time and money. But you may still ask yourself: is this even possible?

Here are 8 key security considerations(5) for protecting remote workers. Many security and IT teams suddenly have to support and protect employees who must work remotely, so make sure these areas are covered too.

The endpoint protection you need

Cybersecurity Resilience Services cover all avenues of potential breaches through the combined efforts of key InfoSec principles and the deployment of rapid detection and response systems. Professional teams of engineers and analysts go through rigorous training programmes, developed by and for the military on real world scenarios and situations. They are trained to analyze, understand and recognize patterns presented by cybercriminals, and it is their responsibility to identify a threat before it happens with their extensive knowledge and understanding of cyber warfare and the determination to intercept a cyber-attack before it takes place.

While most cybersecurity firms base their defenses on the assumption that all attacks will occur through an endpoint or human vulnerability, ACDS’s Intercept product is built on the knowledge that sophisticated cybercriminals can enter your network through other avenues linked directly to your perimeter or other network components, skipping endpoints altogether. Intercept covers all aspects of your endpoint, perimeter and network through a variety of tools to detect and defeat any unauthorized entry with speed and accuracy – not only to detect, but to protect!

ACDS offers full-service Information & Cybersecurity solutions that identify, analyze and detect a variety of cyber threats while helping you to better respond to and recover from any unwanted intrusions in your business, with real-time results. Our cybersecurity resilience services cover all avenues of potential breaches through the combined efforts of key Information & Cybersecurity principles and the deployment of ACDS’ rapid detection and response system.

The Shadowserver Foundation Threat Report: A Spotlight on Africa

Here at The Shadowserver Foundation, we like to regularly drill down into our datasets to provide our global partners with a wider and deeper insight into our scan and threat visibility for their regions. This insight can then be used to better drive our outreach activities. Most importantly, it can hopefully allow National CSIRTs in the region, as well as numerous other authorities/partners and private enterprises, to enhance their incident response coordination and share information from our public benefit victim remediation network reports with local communities in a more effective manner. There is also a significant, direct benefit to us: through feedback and collaboration with our report recipients, we get to see how useful our reports are at ground level and gain a better understanding of the local challenges faced in combating Internet security threats. In the long run, this allows us to improve our public services to the Internet defender community.

This blog is the first in a series in which we will take a look at different world regions in order to demonstrate what taking a more holistic view of our data can reveal – starting with the African continent.

Over the past few years, we have taken a particular interest in Africa as we seek to increase our reporting services, especially to the continent’s National CERT/CSIRTs and ISP communities. In order to look at the African threat landscape and to achieve the above objectives, we have partnered with our good friends at AfricaCERT. In doing so, we open up the opportunity to engage with multiple nations and ensure that these countries make the best possible use of our free reporting services. We are also happy to attend training events to share our understanding and insights with the community as a whole, once the global COVID-19 situation allows!

Key findings

In order to paint the current threat picture for Africa, we collated various IPv4-based datasets held within our repository, including an analysis of malware infections (primarily through sinkhole data); exposed services (some of which may be vulnerable) discovered by our daily scanning; amplification DDoS attacks (obtained from honeypots); as well as reputation IP blacklists.

MALWARE INFECTIONS IN AFRICA

Our malware infection statistics come from data collected from sinkholes, honeypots, network telescopes and other sources, operated by either ourselves or our partners. Example network report types that contain this data include: Botnet Drone Report, HTTP Sinkhole Report, Microsoft Sinkhole Report, Brute Force Attack Report and the Darknet Report.

Based on these datasets, we see in total up to 600,000 malware infected IP addresses per day in Africa. However, it should be noted that observed activity by malware family is biased towards the threats that Shadowserver and its partners are currently sinkholing or otherwise have visibility of (around 400 malware families/variants).

Absolute number of malware infections per day by counted daily IP addresses in Africa – March/April 2020

The graph above shows the absolute numbers of infections seen over the past month. Different colors represent different countries – for ease of understanding we have only labelled “Egypt” and “Algeria” above (as the most infected in absolute numbers), with the rest of the countries grouped into “Other African States”.

Top 20 Most Malware Infected Countries in Africa by Counted Daily IP addresses – 16th April 2020

Perhaps unsurprisingly, the amount of infections by unique IPs tend to be higher in absolute numbers in more populous countries and/or countries with better Internet infrastructure. In Africa, we see that, currently, most malware infections are in North African countries (such as Egypt, Algeria and Morocco). South of the Sahara, the countries with the greatest number of infections include Nigeria and South Africa.

Top 20 Threats Seen in Africa by Daily Unique IP addresses – 16th April 2020

Top infections within the scope of our visibility include very well known and current Crimeware-as-a-Service and botnet infrastructures such as Andromeda (which was taken down as part of the international Avalanche operation) and Mirai. Instances of infection with both of these malware strains were observed across the whole continent, which is consistent with global trends. The recently disrupted Necurs spam botnet also features in the Top 10. An illustration of the top threats seen per African country for a given day (16th April 2020) is given below.

Northern Africa: Top Threats Seen Per Country (where top is understood as most unique IP addresses seen daily) – 16th April 2020

Southern Africa: Top Threats Seen Per Country (where top is understood as most unique IP addresses seen daily) – 16th April 2020

Relative Ratio of Avalanche Andromeda Malware Distribution in Africa – 16th April 2020

Relative Ratio of Necurs Malware Distribution in Africa – 16th April 2020

Relative Ratio of Mirai Malware Distribution in Africa – 16th April 2020

However, what makes Africa stand out in comparison to other regions is the relatively high prevalence of Android threats vs other Windows x86 infections.

We see Android trojan malware infections, such as android.backdoor.prizmes, ghost-push and android.iop, in quite substantial volumes.

Relative Ratio of Android Prizmes Malware Distribution in Africa – 16th April 2020

Like virtually everywhere else in the world, devices infected with legacy malware, for example Virut, Conficker and Lethic, continue to be observed, which indicates that multiple African victims have been suffering from long-term infections.

EXPOSED SERVICES IN AFRICA

Aside from collecting data about infected machines, for example, via sinkholing, we also scan the entire IPv4 Internet on 48 services/protocols each day in order to find exposed services (i.e. services that can be accessed externally). This does not mean that these services are necessarily vulnerable to attack. Our scans are, rather, a combination of searching for accessible services, identification of misconfigurations or specific vulnerabilities, finding services that can be abused or misused in some way (for example for amplification scans), detecting (but not exploiting) backdoors, etc. Our goal is to alert network defenders to the fact that services are exposed or abusable in some way and could be used to harm either their own networks, or those of the wider public Internet. We do not generate reports from all of our scans, as in some cases, we do not think that having a service exposed immediately signals danger – so, for example, we refrain from reporting on SSH servers listening on TCP port 22. We generate 43 different types of reports based on our daily IPv4 scans out of 77 reports in total.

Our scan statistics for Africa total 1.4 million IP addresses daily. A range of IPv4 devices are revealed each day with multiple services exposed externally, which could therefore potentially be vulnerable to cyber crime exploitation.

Absolute number of Exposed Services per day by counted daily IP addresses in Africa – March/April 2020

The graph above shows the number of exposed services seen over the last month. Different colors represent different countries – for ease of understanding we have only labelled “South Africa”, “Tunisia”, “Egypt” and “Morocco” above (as the most exposed in absolute numbers), with the rest of the countries grouped into “Others”.

Top Exposed Services Per Country without SSL and SSH services (where top is understood as most daily unique IP addresses seen) – 16th April 2020

Our scan statistics, which also include general population scans (see below), show that the services most exposed by unique IP addresses in Africa include CWMP (port 7547/TCP and 30005/TCP), SSL (port 443/TCP) and SSH (port 22/TCP). As we explain below, this does not mean these are all vulnerable!

CWMP (CPE WAN Management Protocol – a protocol used by ISPs to auto-configure their customer-premises equipment devices, such as DSL routers and cable modems) has had flaws in the past that have been exploited by IoT malware (such as Mirai Botnet #14 and a TR-069 zeroday vulnerability). There is no reason to have CWMP services exposed publicly to non-trusted, potentially hostile IP addresses.

SSL – number 2 on our list – is the name tag that we apply to all HTTPS services exposed on port 443. While most of these are, of course, not vulnerable by default, and their exposure is usually necessary for business reasons, the statistic does give an overview of web-enabled services in Africa. In general, the more advanced the Internet infrastructure, the greater the number of enabled Web services.

There is nothing inherently wrong with having SSH enabled and exposing the service publicly on TCP port 22. Nevertheless, misconfigurations in SSH, or the use of default or weak passwords, could lead to the compromise of devices (which could include servers, routers or IoT devices). Indeed, password brute-forcing attacks against SSH are very common, as they also are for telnet. Both services are regularly targeted by IoT malware. Unlike SSH, there is usually no good reason to have non-encrypted telnet services exposed publicly.

A number of UDP-based services that can be exploited for amplification DDoS attacks, such as DNS or NTP (see our NTP monitor and NTP version reports), were also found to be prominent.
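The port-to-risk reasoning above (CWMP, SSL, SSH, telnet, open DNS and NTP) is what a CSIRT or network owner has to apply to each day's report before deciding what to chase. The Python script below is an added example, not Shadowserver's or ACDS's code: it reads a constructed, simplified CSV modelled loosely on the columns of a Shadowserver scan report (the column names are an assumption, not the official schema), tags untagged rows by port, keeps the single worst finding per IP and counts the actionable IPs per country.

```python
"""Triage of Shadowserver-style exposed-service records.

Added example, not Shadowserver's or ACDS's code. The CSV layout is a
constructed, simplified approximation of a daily scan report; the column
names are an assumption, not the official schema.
"""
import csv
import io
from collections import Counter

# Triage policy taken from the report's own reasoning: SSL/SSH exposure is
# usually expected, CWMP and telnet should not be reachable from untrusted
# networks, and open DNS/NTP services can be abused as amplification reflectors.
POLICY = {
    "cwmp":   ("high",   "restrict to the ISP management network"),
    "telnet": ("high",   "disable; use a hardened SSH service instead"),
    "dns":    ("medium", "open resolver: limit recursion to own clients"),
    "ntp":    ("medium", "restrict queries; disable monlist"),
    "ssh":    ("info",   "expected; enforce keys, no default passwords"),
    "ssl":    ("info",   "expected HTTPS exposure"),
}
SEVERITY_RANK = {"high": 3, "medium": 2, "info": 1, "unknown": 0}

# Fallback tag for records without one, using the ports named in the report.
PORT_TAGS = {7547: "cwmp", 30005: "cwmp", 23: "telnet", 53: "dns",
             123: "ntp", 22: "ssh", 443: "ssl"}

# Constructed sample report (documentation-range addresses, not real scan data).
SAMPLE_CSV = """timestamp,ip,protocol,port,tag,geo
2020-04-16 00:00:00,198.51.100.10,tcp,7547,cwmp,TN
2020-04-16 00:00:00,198.51.100.11,tcp,7547,,TN
2020-04-16 00:00:00,203.0.113.5,udp,53,dns,MA
2020-04-16 00:00:00,203.0.113.6,tcp,23,telnet,ZA
2020-04-16 00:00:00,203.0.113.7,tcp,22,ssh,ZA
2020-04-16 00:00:00,203.0.113.8,tcp,443,ssl,EG
2020-04-16 00:00:00,203.0.113.9,udp,123,ntp,KE
2020-04-16 00:00:00,203.0.113.9,tcp,23,telnet,KE
"""


def parse_report(text):
    """Parse report rows, filling in a tag from the port when it is missing."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["port"])
        tag = (row.get("tag") or PORT_TAGS.get(port, "unknown")).lower()
        rows.append({"ip": row["ip"], "port": port, "tag": tag, "geo": row["geo"]})
    return rows


def triage(rows):
    """Return (findings, per_country).

    findings maps each IP to its worst finding (one exposure per host is
    enough to act on); per_country counts unique IPs whose worst finding is
    actionable (high or medium), which is the number a CSIRT would chase.
    """
    findings = {}
    for r in rows:
        severity, action = POLICY.get(r["tag"], ("unknown", "review manually"))
        current = findings.get(r["ip"])
        if current is None or SEVERITY_RANK[severity] > SEVERITY_RANK[current["severity"]]:
            findings[r["ip"]] = {"severity": severity, "tag": r["tag"], "port": r["port"],
                                 "geo": r["geo"], "action": action}
    per_country = Counter(f["geo"] for f in findings.values()
                          if f["severity"] in ("high", "medium"))
    return findings, per_country


if __name__ == "__main__":
    findings, per_country = triage(parse_report(SAMPLE_CSV))
    for ip, f in sorted(findings.items(), key=lambda kv: -SEVERITY_RANK[kv[1]["severity"]]):
        print(f"{f['severity']:6} {ip:15} {f['tag']:6} {f['port']:5} {f['geo']}  {f['action']}")
    print("actionable IPs per country:", dict(per_country))
```

Keeping only the worst finding per IP matters because the same home router often shows up under several tags (telnet and NTP on 203.0.113.9 in the sample); counting rows instead of hosts would inflate the numbers a network owner is asked to remediate.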

Top 20 Exposed Services Seen in Africa by daily unique IP addresses – 16th April 2020

In general, we observed that countries with greater quantities of IPv4 space tended to harbor more infections and to have a greater number of exposed/accessible services. This trend is much the same throughout the entire world, and is not unique to Africa.

Top 20 Countries in Africa with Exposed Services by counted daily  IP addresses – 16th April 2020

To provide some further insight into the above distribution by country, we took the top 3 scan results (without SSL and SSH) and mapped them to specific countries in Africa.

Top 3 Open or Vulnerable Services Seen By Country

In this analysis, we focus on the Top 3 services whose exposure we consider problematic – that is, these are unnecessarily open or vulnerable to abuse. For this reason, we skip SSL and SSH, which commonly must be exposed as is also often the case with FTP.

CWMP

Top 10 Countries in Africa with CWMP exposure

Clearly, Tunisia currently has the greatest number of accessible CWMP servers. As already mentioned, this can unnecessarily provide an attack vector for malicious actors should a vulnerability be found in CWMP server implementations.

(Open) DNS

Top 10 Countries in Africa with (abusable) Open DNS exposure

Morocco, South Africa and Tunisia have the greatest quantity of exposed open DNS servers. These services can be abused for amplification DDoS attacks. It is important to fix the configuration of these services if possible. More information on amplification DDoS attacks can be found in the paper “Amplification Hell: Abusing Network Protocols for DDoS” by Christian Rossow and on our open resolver scan page.

Telnet

Top 10 Countries in Africa with telnet service exposure

South Africa has the greatest quantity of exposed telnet services, with larger amounts seen also in Kenya and Egypt. Using telnet is a dangerous security practice, as the traffic can be sniffed and credentials along with all the traffic content exposed. Additionally, the telnet service is very often the target of brute force attacks carried out by various variants of malware. It is likely most of these services are actually running on home routers or other IoT devices. If remote access is necessary, a properly secured SSH service should be configured instead.
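The SSH paragraph earlier and the telnet recommendation above come down to the same check: is the SSH service that replaces telnet actually configured so that password brute-forcing does not work? The script below is an added example (not Shadowserver's code) that audits the global section of an OpenSSH sshd_config for the settings that matter. The directive names are real OpenSSH options, the defaults assumed for absent directives follow OpenSSH 7.x and later, and both sample configurations are constructed.

```python
"""Audit an OpenSSH sshd_config for settings that make the brute-force and
credential-guessing attacks described above easier.

Added example, not Shadowserver's code. Directive names are real OpenSSH
options; defaults for absent directives assume OpenSSH 7.x or later; the
sample configurations are constructed.
"""
import re

# Values sshd applies when the directive is not set (assumption: OpenSSH 7.x+).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# directive -> (acceptable values, why it matters). MaxAuthTries is numeric.
EXPECTED = {
    "passwordauthentication": ({"no"}, "password logins are what SSH brute-forcers target; use keys"),
    "permitrootlogin": ({"no", "prohibit-password"}, "root must not be reachable with a password"),
    "permitemptypasswords": ({"no"}, "empty passwords are the default-credential failure the report warns about"),
    "pubkeyauthentication": ({"yes"}, "key-based login must stay available once passwords are off"),
}
MAX_AUTH_TRIES = 4

# Constructed: what a router or fresh install that relies on passwords looks like.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication is not set, so the default (yes) applies
MaxAuthTries = 10
"""

# Constructed: key-only logins, root locked out, few guesses per connection.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return the global settings as {lowercased directive: value}.

    Mirrors sshd's rules: keywords are case-insensitive, 'Key value' and
    'Key=value' are both accepted, the first occurrence of a directive wins,
    and everything from the first Match block on is conditional, so it is
    ignored here (a simplification of this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return a list of (directive, observed value, reason) findings."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (ok_values, reason) in EXPECTED.items():
        observed = settings.get(directive, DEFAULTS[directive]).lower()
        if observed not in ok_values:
            findings.append((directive, observed, reason))
    tries = settings.get("maxauthtries", DEFAULTS["maxauthtries"])
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", tries,
                         f"limit guesses per connection to {MAX_AUTH_TRIES} or fewer"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for directive, observed, reason in audit(cfg) or [("-", "-", "no findings")]:
            print(f"  {directive:24} {observed:18} {reason}")
```

The weak configuration is flagged on three points even though only two directives are written in it: PasswordAuthentication is absent, and an audit that only looks at what is present would miss that sshd's default is to allow passwords. The Match block in the hardened sample re-enables passwords for one user; the example deliberately stops at Match, so a real audit should also walk the conditional blocks.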

AMPLIFICATION DDOS OVERVIEW IN AFRICA

Together with our partners, such as CISPA, we monitor amplification DDoS attacks across the world using honeypots, see for example, our joint participation in the EU H2020 SISSDEN project. These attacks primarily exploit UDP-based services – including DNS and NTP services that have been highlighted in the discussion of  our scan datasets above.

We found that these types of attacks are currently, reasonably uncommon against African infrastructure compared to the rest of the world. This does not mean that such attacks do not happen. When they do occur, they can have devastating effects on the target infrastructure, potentially even felt at a country level (as was the case, for example, in the infamous Mirai Botnet #14 attacks that affected Liberia in 2016/2017).

Our statistics currently show roughly 20 to 60 IPv4 devices being targeted by amplification DDoS attacks in Africa per day.

Amplification DDoS Targets in Africa in March 2020 (Unique IP per day)

The highest number of attacks in a single day in March 2020 was seen on the 27th of March – 54 IP addresses were targeted, with most being located in Morocco.

Country breakdown of DDoS amplification attack targets on March 27th 2020

AFRICAN IP ADDRESSES ON PUBLIC BLACKLISTS

One other category of source Shadowserver monitors is public blacklists (we currently draw upon over 110 different sources) of malicious IP addresses. We bundle all of the data from these sources into our blacklist report. Over the past few months, we have typically seen 2 million to 3 million entries for African IP addresses per day present on these types of blacklists. Note that sudden zero entries appearing on the charts are usually the result of a data collection failure on our side.

Number of IP entries geolocated to Africa on public blacklists – March/April 2020. Note that an IP may appear on multiple lists and thus be counted more than once.

Top Countries in Africa Blacklisted IP addresses (by unique daily IP addresses) – 16th April 2020

As can be seen on the tree map above, Mauritius and Seychelles IPv4 addresses have a very high profile presence on these lists, unlike in the previous datasets we explored.

A breakdown of the top observed IP blacklist source per country is shown on the maps below:

Top Blacklist presence per country by unique daily IP addresses – 16th April 2020

Recommended Actions

The following is a list of actions we believe may have an impact on the state of operation security on the African continent.

First and foremost, we want to continue to deliver – and to extend – our public benefit remediation network reports to more of the right kind of defender entities in Africa. This includes not only National and Government CSIRTs, but also ISPs/Domain Registries operating within the continent, as well as other private or public enterprises and network owners. As our reporting maps show below, our current National CSIRT report coverage could be improved. The number of network owners that directly receive our feeds is also low in comparison to other continents.

Secondly, we believe that a data-driven approach to improving the resilience of the African Internet is a good way to move forward. For example, dedicated malware awareness and eradication campaigns focused on threats like Andromeda or IoT-related malware, could be effective in leading to an increase in resilience of African networks. Focusing on Android malware and general Android security awareness would also be beneficial. However, these initiatives would require a collaboration with a large set of stakeholders. We are happy to explore any options in this regard. If you can help, or know someone who can, please reach out on social media and help get the message out, or get in touch by email.

Thirdly, collaboration with ISPs on reducing the footprint of exposed services (for example, focusing on CWMP, Open DNS or telnet) would also be a step forward in terms of improving network resilience.

Conclusion & Next Steps

As with nearly every region around the world, Africa has its own specific threat profile. There is much work that can be done both against legacy-threat malware and newer variants to make the region more secure for the benefit of all Internet users. Spambots, such as Necurs, and malware droppers, such as Andromeda, have powered waves of past attacks against many global targets, while Mirai-infected devices have powered huge DDoS attacks. Infected systems are likely to also be infected by (or become infected with) similar current and future threats too.

Much the same can also be said of the exposed protocols and potentially abusable services uncovered by our scans that are most at risk of cyber exploitation. Our ultimate goal is to improve the resilience of African network security and thus see our map and time series charts reflect a reduction in volumes of detected devices. We can only achieve this goal by working together, through continued and expanded collaboration between ourselves and our ever growing constituent base.

In terms of National CERT/CSIRT coverage (reflected in our coverage map below), only a small number of these organisations subscribe to our public benefit daily feeds. In total, we have 13 National CSIRTs in Africa receiving our feeds at a country level and 139 network owners that subscribe to our feeds directly, out of 109 National CSIRTs in 138 countries and 4900+ network owners that receive our data worldwide. We would encourage all African network owners to subscribe and act on our reports, and stand ready to supply any National CSIRT in the region with data.

As a community appeal, if you hold any contacts in Africa, we would be most grateful if you could help us out with an introduction in order to enable us to build new relationships with the right partners!

National CSIRTs in Africa subscribing to Shadowserver public benefit feeds – April 2020

Direct recipients of Shadowserver reports in Africa – April 2020

Whether in Africa or not, if you are not already a subscriber to Shadowserver’s public benefit daily network reports but would like to receive our existing 77 report types, then please sign up to our free daily remediation feed service.

Making Remote Work Secure: Five “Must Do” Steps

Since COVID-19 became a global pandemic and steps were put in place to contain its spread, more and more people have been forced to work from home. This transition requires many changes in how individuals and organizations operate and communicate, especially in terms of using computers, personal devices, and specific software that enables remote work.

At the same time, cybercriminals recognize that attacking home users is much easier, as they are typically less secured outside their office, where security policies and measures are enforced (at least at some level). Yet to do their jobs, these remote workers need to connect to various servers and access and create confidential, sensitive documents and data from their less-secure home office environment.

The risk of losing important data or being compromised becomes much greater at home. That is why every remote worker should be prepared to secure their remote workspace. Here are five recommendations for securing a home office.

1. Use a VPN
Whether you are connecting remotely to company resources and services, or just browsing web resources and using telecommunication tools, use a Virtual Private Network (VPN). VPNs encrypt all of your online traffic to prevent hackers from capturing your data in transit.
If your company has a VPN practice, you will most likely get instructions from your admin or MSP technician. If you have to secure your workplace yourself, use a well-known, recommended VPN app and service; they are widely available in software marketplaces or directly from vendors.

2. Be wary of phishing attempts
As a topic, COVID-19 is already being widely used in all types of phishing attempts, and the number of such malicious activities will only grow. Every remote worker needs to prepare for the increase in phishing attempts by understanding and recognizing the threat.
Themed phishing and malicious websites appear in large numbers every single day. These can typically be filtered out at the browser level, but if you have a cyber protection solution installed on your work laptop, or your company’s MSP delivers that protection with a solution like ACDS Cyber Protect Cloud, you are also secured by dedicated URL filtering. The same functionality is also available in endpoint protection solutions, although in ACDS Cyber Protect we have a special category related to public health which is updated with higher priority.
Of course, those malicious links have to come from somewhere, and they are typically delivered in instant messages, emails, forum posts, etc. Do not click any links you don’t need to click on, and always avoid those that you did not expect to receive.
These attacks also use malicious email attachments, so always check where an email really comes from and ask yourself whether you were expecting it. Before you open any attachment, be sure to scan it with your anti-malware solution, such as ACDS Cyber Protect Cloud.

Be sure that all phishing and malicious websites are blocked by a security solution with embedded Web/URL filtering functionality, such as ACDS Cyber Protect Cloud.

It also helps to remember that the information you really want regarding COVID-19 or similar pandemics can be found from official sources like the World Health Organization (WHO), your national ministry of health, and state/local government agencies. Refer to those official agencies rather than opening links or emails from unknown sources.
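The "use official sources" advice can be turned into a simple allowlist check that a mail or messaging filter, or a cautious user, applies before following a link: is the host really under an official domain, or does it merely contain the official name? The Python below is an added example and not ACDS Cyber Protect's URL-filtering logic; only who.int comes from the text, health.gov.example is a placeholder for a national ministry-of-health domain, and the sample links are constructed.

```python
"""Classify links against an allowlist of official information sources.

Added example; not ACDS Cyber Protect's URL-filtering logic. who.int is the
only real domain taken from the text; health.gov.example is a placeholder
for a national ministry-of-health domain; sample links are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

OFFICIAL_SOURCES = ("who.int", "health.gov.example")  # second entry is a placeholder


def registered_under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _collapsed(name):
    # Drop separators so "who-int.net" and "who.int.example" both contain "whoint".
    return name.replace(".", "").replace("-", "")


def classify_link(url):
    """Return (verdict, detail); verdict is official, lookalike, suspicious or unknown."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no hostname"
    # user@host: the text before '@' is not the server actually contacted.
    if parts.username is not None:
        return "suspicious", f"credentials in URL; the real host is {host}"
    try:
        ipaddress.ip_address(host)
        return "suspicious", "bare IP address instead of a name"
    except ValueError:
        pass
    for domain in OFFICIAL_SOURCES:
        if registered_under(host, domain):
            return "official", domain
    # Lookalike: the official name appears in the host, but the host is not
    # registered under the official domain.
    for domain in OFFICIAL_SOURCES:
        if _collapsed(domain) in _collapsed(host):
            return "lookalike", f"resembles {domain} but is not registered under it"
    return "unknown", "not an allowlisted source"


def classify_all(urls):
    return {u: classify_link(u) for u in urls}


# Constructed sample links (none of these are real phishing sites).
SAMPLE_LINKS = [
    "https://www.who.int/emergencies/diseases/novel-coronavirus-2019",
    "https://who-int.net/update",
    "https://who.int.example.com/",
    "https://who.int@evil.example/",
    "http://203.0.113.5/covid",
    "https://whoever.example/",
]

if __name__ == "__main__":
    for url, (verdict, detail) in classify_all(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}  ({detail})")
```

The ordering of the checks is the point: the userinfo and bare-IP tests run before the allowlist so that a URL which merely displays an official name in front of an "@" cannot pass as official, and a subdomain test (host ends with ".who.int") is used rather than a substring match, which is exactly the mistake lookalike domains exploit.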

3. Be sure to have good anti-malware up and running properly
Having a good anti-malware solution installed is a must nowadays. On Windows, where the majority of threats are targeted, the built-in Windows Defender makes this easier. It does a good job of stopping threats, although it still cannot match the top anti-malware products from security vendors. ACDS Cyber Protect Cloud delivers many well-balanced and finely tuned security technologies, including several detection engines, so we would recommend using it instead of the embedded Windows solution.
Simply having an anti-malware defense in place is not enough, however. It should be configured properly, which means:

  • A full scan should be performed at least once a day.
  • The product should be connected to its cloud detection mechanisms (in the case of ACDS Cyber Protect, to ACDS Cloud Brain). This is active by default, but you need to be sure that Internet access is available and not accidentally blocked by the anti-malware software.
  • The product needs to get updates daily or hourly, depending on how often they are available.
  • On-demand and on-access (real-time) scans should be enabled and adjusted for every new piece of software installed or executed.

It is also important that you do not ignore messages coming from your anti-malware solution. Read these carefully and, if you use a paid version from a security vendor, be sure that your license is active.

4. Patch your OS and apps
Keeping your operating system (OS) up to date is crucial, as a lot of attacks succeed due to unpatched vulnerabilities. With ACDS Cyber Protect, you’re covered with embedded vulnerability assessment and patch management functionality. We track all identified vulnerabilities and released patches, which allows an admin or technician to easily patch all their endpoints with a flexible configuration and detailed reporting.
ACDS Cyber Protect not only supports all embedded Windows apps, but also more than 40 key popular third-party apps, including all telecommunications tools like Zoom or Slack and a lot of popular VPN clients that are used to work remotely. Be sure to patch high-risk vulnerabilities first and use success reports to confirm that patches were applied properly.
If you don’t have ACDS Cyber Protect and do not use any patch management software, it is much harder. At a minimum, you need to be sure that Windows gets all the updates it needs and that they are quickly installed; users tend to ignore system messages, especially when Windows asks for a restart. Ignoring these requests is a big mistake.
Also, be sure that auto-updates for popular software vendors like Adobe are enabled and that apps like PDF Reader are also updated promptly.

ACDS Cyber Protect Patch Management supports all the popular collaboration, conferencing and messaging tools

5. Keep your passwords and workspace to yourself
While this step has been mentioned many times as the top piece of security advice, during the response to COVID-19 it is doubly important to ensure your passwords are strong and known only to you. Never share passwords with anyone, and use different and long passwords for every service you use. Password management software makes this easier. Otherwise, an effective approach is to create a set of long phrases you can remember. And when we say long, we mean long, since the old eight-character passwords are easily opened by brute-force attacks now.
Also, even when working from home, do not forget to lock your laptop or desktop and limit access to it. There are many cases where people can access sensitive information on an unlocked PC from a distance. Don’t assume you are protected simply because you are not inviting anyone you don’t know or trust into your home office.

Coronavirus Puts Remote Work Security to the Test

As authorities worldwide work to contain the deadly coronavirus and try to keep it from spreading, the travel restrictions put in place are causing many organizations to rethink their operations. Rather than traveling to a region where their return flight might be at risk of being quarantined, many are turning to videoconferencing, file sync and share, and other remote work solutions to keep their businesses going. In China, where the disease started and where remote work policies are historically uncommon, the remote collaboration tool Zoom saw a single-day increase in downloads of 15%.

Remote work can certainly benefit a company, encouraging more collaboration and knowledge sharing. That’s why
its adoption has grown significantly in the last several years. In fact, the global enterprise file synchronization and
sharing (EFSS) market is expected to reach $24.4 billion by 2027, up from $3.4 billion in 2018.

Yet the wrong solution can put an organization at risk if it does not address data security and privacy. To avoid this,
businesses need to implement secure file sync and share technology so that employees can work from home while
still accessing and transferring data securely.

What is file sync and share?
File sync and share technology is designed with the modern professional landscape in mind: a landscape where
workforces rely on multiple devices and location flexibility in order to maximize productivity. File sync and share
gives organizations the ability to share files across multiple devices and with multiple people using file
synchronization, allowing files to be stored in any approved data repository and accessed remotely by employees
from any of their IT-provisioned devices.

Security risks associated with remote work
Historically, remote work policies have been a sensitive topic for organizations. While some employers might fear
that remote work creates a dip in employee performance, the larger concern is actually securing the proprietary
and business-critical data modern companies rely on.

On a corporate network, IT teams can readily secure employee devices, but this becomes much more difficult once an
employee accesses the system from outside the network.

Outside the corporate network, devices are far more exposed to attacks from third parties and cybercriminals.
Compromising these unsecured endpoints can hand the employee's login credentials to cybercriminals, who then
access the company's systems, or let them deploy ransomware to lock company data, which is what happened to
the NextCloud service last fall.

Benefits of secure file sync and share
Solutions that are built to deliver secure file sync and share give organizations the flexibility to enable employee
collaboration and productivity while giving the IT department control over the protection of company data. Here are
some of the ways that secure file sync and share technology protects and empowers businesses:

Secure File Sharing – It's well known that when a file sync and share solution isn't provided, employees will
often resort to using their own personal devices and tools. Because these tools and devices sit outside the
visibility and control of the IT department, they are unvetted and put sensitive company data at risk. With
secure file sync and share, employees can easily share and access company files while IT maintains the
privacy and security of the data.

Easy Anywhere, Anytime Access – Organizations are beginning to see the workday less as a clock-in/clock-out
office environment, and have adopted an environment that supports the various schedules and lifestyles of
their employees. With secure file-sync and share, employees are no longer constrained to a single
corporate-owned device to be productive.

Data Loss Prevention and Disaster Recovery – When corporate data is centrally stored, it is better protected
against loss and leakage, whether through a cyberattack, employee error, or a lost or stolen device. With
an enterprise-grade file sync and share solution, sensitive corporate data is kept secure and protected.

Easy Collaboration – File sync and share services are adapting to not only protect company data but to aid in
remote workplace collaboration. Some file sync and share tools now provide users with tools to preview and
edit files in-browser, search and find specific company documents and versions, and keep all employees on
the same version of a document.

Final Thought
While global emergencies such as the coronavirus outbreak may highlight the benefits of having a secure remote
work policy in place, the use of secure collaborative tools should be understood as part of a larger cultural shift. As
more organizations adopt remote work policies, the IT teams, and MSPs that service these companies should adopt
secure file sync and share solutions.

To help organizations introduce remote work policies in a way that is safe and secure, MSPs can offer their business
customers ACDS Cyber Files Cloud, a secure enterprise file sync and share solution that features end-to-end
encryption, user controls, and an audit trail.

Similarly, organizations that do not rely on an MSP can choose ACDS Cyber Files Advanced, an easy, complete, and
secure enterprise file sharing solution that makes users more productive and gives IT complete control over
business content to ensure security, maintain compliance, and enable BYOD.

What makes ISPs an easy target?

In recent months, COVID-19 has presented us with a number of unusual challenges and changes, the most common being that employees are asked to work remotely where possible. How does this affect us and businesses in general? Protecting employees who work remotely is essential to protecting our data, our systems and our business. But have the correct measures been put in place to protect both your employees and your business?

The role of ISPs

The role an ISP (Internet Service Provider, as defined by TechTarget: https://searchwindevelopment.techtarget.com/definition/ISP) should play in cybersecurity continues to be debated. Should ISPs proactively protect their customers with upstream security controls and filters, or are customers responsible for their own security?

The generally accepted position is that ISPs may offer optional security services but should ultimately leave it to their customers to decide whether to protect themselves. The one thing every ISP should do, however, is block IP address spoofing at its edge by dropping packets whose source address does not belong to the customer they arrive from (https://www.darkreading.com/endpoint/what-role-should-isps-play-in-cybersecurity/a/d-id/1328716). Beyond that, it is up to the owner to take the necessary precautions, because ISPs are a soft target for cybercriminals and an easy route in for an attack on either a home or work device.

What makes ISPs an easy route in?

  1. ISPs run huge infrastructures, with thousands of interconnected devices providing connectivity, routing and other services. Each of these devices could be vulnerable, at any given time, to a myriad of attack vectors. Many are attacked and not monitored, so intrusions go unnoticed and succeed at scale.
  2. ISPs are targets because they see all traffic: every customer connection flows through their equipment and the internet exchanges they peer at. Encrypt all traffic end to end (TLS, VPN) so that a compromised ISP device cannot read it.
  3. ISPs use BGP (Border Gateway Protocol) to route internet traffic to different peers and addresses. BGP route leaks and hijacks happen every day, because BGP was not designed with security in mind: routers accept what their neighbours announce. BGP works by advertising prefixes, effectively saying "address block XYZ lives on my network", and other ISPs accept those announcements and route traffic for that block towards the announcing network. An attacker who announces the prefix that hosts google.com (for example) from a network in Russia can have every ISP that accepts the announcement deliver its customers' google.com traffic to a server the attacker controls, which relays it to the real site while recording every interaction, including usernames and passwords. RPKI-based route origin validation (ROV) lets a router reject announcements whose origin network is not authorised for the prefix, but each ISP has to deploy it, and many have sadly not done so yet.
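The two ISP-side checks above, source-address filtering against spoofing and route origin validation against hijacks, are small pieces of logic. Here is an added example (not code from the page, nor from any router vendor or from ACDS) of both, written the way RFC 6811 describes origin validation: an announcement is "valid" when a Route Origin Authorization (ROA) for a covering prefix names its origin AS and its prefix length does not exceed the ROA's maxLength, "invalid" when covering ROAs exist but none match, and "not-found" when no ROA covers it. The ROA table, the announcements, the documentation address ranges and the private-use AS numbers are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: `origin_asn` may announce `prefix` no more specific than `max_length`."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP prefix announcement as seen by a validating router."""
    prefix: str
    origin_asn: int


# Constructed ROA table (documentation range 203.0.113.0/24, private-use AS 64500).
ROAS = (
    ROA(prefix="203.0.113.0/24", max_length=24, origin_asn=64500),
)

# Constructed address space assigned to one customer port, for the BCP 38 check.
CUSTOMER_PREFIXES = ("192.0.2.0/24",)


def rov_state(ann: Announcement, roas=ROAS) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(ann.prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"      # nothing authorises or forbids this prefix
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"            # wrong origin AS, or more specific than the ROA allows


def accept_route(ann: Announcement, roas=ROAS, reject_invalid: bool = True) -> bool:
    """Policy a validating router applies: drop RPKI-invalid routes, keep valid and not-found."""
    return not (reject_invalid and rov_state(ann, roas) == "invalid")


def passes_ingress_filter(src_ip: str, customer_prefixes=CUSTOMER_PREFIXES) -> bool:
    """BCP 38 on a customer-facing port: forward only packets sourced from that customer's space."""
    src = ipaddress.ip_address(src_ip)
    return any(src.version == ipaddress.ip_network(p).version and src in ipaddress.ip_network(p)
               for p in customer_prefixes)


if __name__ == "__main__":
    # Legitimate origin, then a hijack from AS 64666 of the same prefix and of a more specific one.
    for ann in (Announcement("203.0.113.0/24", 64500),
                Announcement("203.0.113.0/24", 64666),
                Announcement("203.0.113.0/25", 64500),
                Announcement("198.51.100.0/24", 64666)):
        print(ann, rov_state(ann), "accepted" if accept_route(ann) else "dropped")
    for src in ("192.0.2.10", "198.51.100.7"):
        print(src, "forwarded" if passes_ingress_filter(src) else "dropped as spoofed")
```

Note the deliberate gap in the "not-found" case: a prefix with no ROA is still accepted, so ROV only protects address space whose holders have published ROAs. The more-specific /25 from the legitimate AS is also rejected because the ROA's maxLength is 24; that is the usual way a hijacker wins the routing decision, so maxLength should be set no longer than what you actually announce.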

Cloudflare states (https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-security-initiative/): “The Internet is too vital to allow this known problem to continue any longer. It’s time that networks prevent leaks and hijacks from having any impact. It’s time to make BGP safe. No more excuses.”

But the rest is on you

So what protection do you need to stop your employees, and the ISPs they depend on, from being a soft target? Start by understanding the current threat landscape, scope your vulnerabilities and the threats to them, and then invest in a cybersecurity partner that covers all avenues of a potential breach through the combined application of key information security principles and a rapid detection and response plan.

Most cybersecurity firms base their defenses on the assumption that every attack starts at an endpoint or a human weakness. ACDS’s Intercept product is built on the understanding that sophisticated cybercriminals can also enter your network through avenues linked directly to your perimeter or other network components, skipping endpoints altogether. Intercept covers your endpoints, perimeter and network with a variety of tools to detect and defeat unauthorized entry with speed and accuracy, so that it protects as well as detects.

With a solid detection and response plan and a professional team of engineers and analysts who have gone through a rigorous programme to analyze, understand and recognize the patterns cybercriminals present, you will be less of a target for an attack than your closest competitor. Better still, that burden becomes the responsibility of ACDS, with its extensive knowledge and understanding of cybercrime and its determination to intercept a cyberattack before it takes place or it is too late.

ACDS offers full-service Information & Cybersecurity solutions that identify, analyze and detect a variety of cyber threats while helping you respond to and recover from any unwanted intrusion into your business with real-time results. Our cybersecurity resilience services cover all avenues of potential breaches through the combined application of key Information & Cybersecurity principles and the deployment of ACDS’ rapid detection and response system.

www.acds.io
info@acds.email
+27 87 073 9370