The problem that we’re seeking to solve is simply:
How do we provide access to our servers in a way that only authorized people have access and have it easily and reliably – i.e. when an IP address changes, authorized people don’t need to worry, admin staff don’t need to change anything and the system is still secure?
The solution is to use a bastion host as a SSH gateway to the devices we manage.
By using a Virtual Private Cloud (VPC) on AWS we can access instances which are not exposed to the Internet on port 22 (Secure Shell) or any other port listening for SSH connections. We still have to secure our Gateway Instance, but it becomes a bastion server with the sole purpose of providing SSH access to the other resources.
The bastion host is accessible and open to the Internet on port 22. Fail2Ban is running on this device to minimize the potential for DDOS attacks. The Security Group for this Instance allows only port 22 traffic. But in order to connect securely to the other hosts on the private subnet of the VPC we need to still use certificates and we don’t want to store our certificates on the bastion host (from hereon we’ll refer to this gateway device by it’s DNS name: remoteaccess.counselkit.com or simply remoteaccess).
SSH is able to perform key forwarding if ssh-agent is installed locally on the client computer. If the developer or system administrator is accessing remoteaccess via an Apple OS X device, ssh-agent is already installed. Adding the key to ssh-agent is done via the command:
ssh-add -K myPrivateKey.pem Enter passphrase for myPrivateKey.pem: Passphrase stored in keychain: myPrivateKey.pem Identity added: myPrivateKey.pem (myPrivateKey.pem)
You can list the keys that are included in your ssh-agent keychain by passing the -L argument:
ssh-add –L ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDHEXAMPLErl25NOrbhgIGQzyO+TYyqbbYEueiELcXtOQH gEFpMAb1Nb8SSnlxMxiCXwTKd5/lVnmgcbDwBpe7ayQ6idzjHfvoxPsFrI3QSJVQgyNcx0RylX9IjcvJOyw == myPrivateKey.pem
If you’re using a Windows workstation, PuTTY has ssh-agent functionality integrated. A good explanation of using PuTTY and OS X with SSH key forwarding is here.
Once you’ve added your key the SSH command requires only that you ssh to each successive instance:
kevinritchey ~ $ ssh -A email@example.com Last login: Sun Feb 15 21:38:36 2015 from 50-192-9-137-static.hfc.comcastbusiness.net __| __|_ ) _| ( / Amazon Linux AMI ___|\___|___| https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/ [kevinr@ip-172-30-3-194 ~]$ ssh -A firstname.lastname@example.org Last login: Sun Feb 15 21:42:33 2015 from ec2-54-152-199-138.compute-1.amazonaws.com __| __|_ ) _| ( / Amazon Linux AMI ___|\___|___| https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/ [kevinr@production ~]$
Note that I was able to connect from remoteaccess even though my private key is not in the ~/.ssh/ directory:
kevinritchey ~ $ ssh -A email@example.com Last login: Mon Feb 16 19:21:47 2015 from 101.sub-70-192-145.myvzw.com __| __|_ ) _| ( / Amazon Linux AMI ___|\___|___| https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/ [kevinr@ip-172-30-3-194 ~]$ ls .ssh/ authorized_keys known_hosts [kevinr@ip-172-30-3-194 ~]$ ssh -A firstname.lastname@example.org Last login: Mon Feb 16 19:11:31 2015 from ec2-54-152-199-138.compute-1.amazonaws.com __| __|_ ) _| ( / Amazon Linux AMI ___|\___|___| https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/ [kevinr@production ~]$
In this way we’re able to use SSH keys without compromising our private keys.
The days of keeping confidential business information locked in a metal filing cabinet are gone. Most businesses have most everything, from personnel files to client information and financial information, stored on their personal computers or computer network. What happens when your company runs out of storage space? Or, worse yet, what if your computer information is attacked by a virus, stolen, or damaged by a flood? Would you be able to quickly recover all of your important information and keep your company running smoothly? Online Data Storage Services are the answer.
Many companies find that keeping their own network running and up-to-date is expensive. In this economy, most companies are looking for ways to cut expenses in order to survive. There are many online data storage companies currently available, so if your business is looking for an online storage company, here are some questions that you need to ask:
What Features Do Online Data Storage Services Offer?
Look at what features the company offers in its basic package. Most online data storage services offer online file storage, backup services, remote access that allows you to access your data from anywhere in the world, the ability to file share with other employees in your office, and the ability to upload and download files.
How Secure are Online Data Storage Services?
Does the online data storage service offer any type of security? Businesses will want a service that offers file encryption, authentication, and password protection in order to keep your information secure. You may also want to know if they offer any type of tracking in the event of a security breach, as well as the ability to lock out former employees after they have left or been terminated. Also, businesses should inquire as to what type of backup plan the service offers in case of any unforeseen disasters such as a virus attack or fire.
Are Online Data Storage Services User-Friendly?
The service should be easy to learn and use, easy to access for the average employee, and not require a computer science degree. If the service is too difficult or complicated to use, look for another service.
How Much Do Online Data Storage Services Cost?
Is the service reasonably priced and does it fit into your company’s budget? Find out how much storage you get for the price.
Do Online Data Storage Services Offer Technical Support?
Even with the easiest to use service, you may one day have a question or a problem that you may not be able to resolve on your own. Does the service offer a customer service hotline, or chat support? Is it available 24/7, if needed?
Additionally, it is important to look for a well-established online storage service that has a stellar reputation. Online storage has many benefits for your company. A good service can be cost effective, offer better security, up-to-date software, and unlimited storage space.
Click here to learn how [contentblock id=company] can help you reduce your data security risk and bring you peace of mind with our Remote Online Data Storage Services for your business in [contentblock id=location].
Information Technology services are essential to the success of every organization, large or small. With increasingly competitive business environments, CEOs and small business owners are under great pressure to maintain a highly qualified staff and to make sure their technology is obtaining a better ROI than their competitors’.
These goals are not easily achieved, particularly for young or small businesses with less financial resources and time available. Having your own successful information technology department can eat up too much of the company’s budget and time resources, and eventually cause a loss of its competitive edge. These disadvantages of maintaining an in-house IT department are why companies of all sizes have turned to using managed service providers to either assist their existing IT department or become their virtual IT department, handling all of the technology involved in keeping their businesses running at optimal levels.
The benefits of using a managed IT services solution are numerous, but the top 5 benefits of managed services for business include:
- Benefit from the expertise of a specialist, without having to spend time and financial resources training your staff to become experts
- Decrease your technology risks with Managed IT Services. Your company doesn’t have to worry about losing and trying to replace trained staff members, or about repairing, implementing or replacing complex technology solutions with Managed IT Services
- Enjoy access to the most up-to-date, sophisticated technology solutions without having to invest in expensive equipment.
- Experience ultimate control over your business technology without having to manage an information technology department. This gives you the time you need to focus on what you do best: your business functions.
- Reduce stress and improve efficiency of your staff. When you make good use of Managed IT Services resources, your staff isn’t tied up with IT concerns and they have more time to focus on tasks that are productive for the business.
Do you have regular and versioned off-site backups on disconnected systems which rely upon third-party tools with inaccessible credentials? If the answer to that question is no – please read on.
Much has been written in the past 12 months to raise the level of anxiety regarding so-called ransomware. This new type of malware works by encrypting files with a key that is held on a command-and-control server. After the files are encrypted – with a very good encryption algorithm, the user is notified and given a limited amount of time to either pay a ransom or lose access to their files forever due to the deletion of the decryption key on the command-and-control server.
This is scary but it gets worse. Many IT service providers have incorrectly assumed that having a good backup is the best step to mitigate the damages caused by ransomware. Some solution providers have incorrectly assumed that using measures such as a very good anti-virus program, a very good Unified Threat Management system or a very good DNS scanning tool can be used alone or in combination to thwart the criminals behind the ransomware schemes. But each of these assumptions may leave the end user in a precarious position.
Data is the target of these threats. In the wake of Suxnet we should anticipate that malware can and will evolve to anticipate threats. DNS mitigation for example assumes that the malware component will need to call home using DNS mapped command-and-control servers. But there are clever ways to avoid this including accessing IP addresses via whitespace text hidden in compromised but legitimate web sites; using P2P networks; temporary and short-lived DNS names generated by algorithm; and Tor/Onion routers. All of these ways would defeat a DNS only approach where the IT service provider assumes that because the DNS addresses of C&C servers are redirected the network and hosts are protected because the malware can’t call home to get an encryption key or store an encryption key and therefore won’t start encrypting files.
Like DNS, anti-virus tools largely depend upon known intelligence – file signatures and known file activity. In the case of prior ransomware tools the data directories are known, the file signatures are known and these are included in nightly updates. Yet we’ve seen that anti-virus tools can suffer from the fate of too-late-to-the-party malware that simply defeats the anti-virus tool by shutting it down, hiding itself from the anti-virus tool or disguising the anti-virus tool altogether and preventing the user from knowing they are infected. This is a good step to take – but insufficient to provide the best mitigation against ransomware.
Other methods, including anti-malware and Unified Threat Management tools suffer the same weaknesses and will always have these weaknesses. There is no silver bullet for defending against a ransomware attack. Why? Because there is a huge amount of money to be made in ransomware. Users pay the ransom in an alarming percentage of cases. Ransomware authors are clever and there is a market for newer and better ransomware. We are seeing the age of innocent disappear on the Internet.
But there are proper mitigation steps to be taken.
1. Proprietary Versioned Off-site Disconnected Backups
4. DNS screening tools such as OpenDNS
5. IDS/UTM devices such as a Fortigate UTM device
6. Diligent file management procedures
The first step is a proprietary and versioned off-site disconnected backup. What this means is that the system isn’t connected to the backup store all the time. This alone reduced the likelihood of infection. Using a proprietary solution means that not just any program can access the file store either – e.g. using a program that requires credentials to access the file store (e.g. S3) and which stores those credentials securely means that the malware cannot piggy-back on. The most important is, however, a versioned backup. If – and more likely when – a file becomes encrypted, the IT service provider should be the knite in white armor who shows up to offer last night’s version – or last Tuesday’s version for that matter, with no encryption. Imagine the accolades. Imagine the good will.
Every step counts. Cut off the infection by preventing drive-by-downloads with premium anti-virus tools such as Kaspersky, Bitdefender or Panda. Cut off malware behavior by using heuristics and tools that watch suspicious system activity. Cut off communication to the C&C servers. Watch for suspicious traffic with UTM devices. But most importantly make sure that any damage is limited. Disk space is cheap. It’s cheaper than the ransom, it’s cheaper than the other prevention tools and it’s the one thing that can save the day when all else fails. Versioned backups made with proprietary tools which access off-site and disconnected storage is indispensable in the fight against data-encrypting malware.
ZenPan recommends using an IT service provider who is reluctant to rely on a single tool or method – and one who is aware of the weaknesses of the threat. Ransomware’s achille’s heel, for now, is it’s need to access the file directly, either through a call over CIFs/SMB or via FAT/NTFS. It will try to encrypt network shares first, then local files. Stopping the threat before encryption is ideal. But like Sun Tzu plans for victory before engaging in the battle, the IT service provider needs to plan for the recovery of data before allowing their client’s data to be exposed to new and unforeseen threats.