Host your own secure file server

Setting Up Your Own Secure File Server: A Primer

Take Your Files with You

Just as the world never stops turning, our operations remain in constant motion. They take us on the road, in the air, and over the sea. We bundle up our technology and bring it with us so we can continue working, and no matter which types of tech we take along, one thing is always needed: our files.

Of course, you could take a thumb drive with your files wherever you go, but everyone knows how risky that is. Misplace the drive and your documents will most likely find a new life in dark places on the Internet where all sorts of bad things can result. Or, at the very least, multiple versions of the documents will be created, leading to version control confusion (i.e., you won’t know which version is the most recently updated and accurate).

The only answer is to have an online file repository where you can access your files, without creating and carrying around multiple copies. But which method is the best to create a secure file server?

Host your own secure file server

Cloud Storage Thunderstorms

The fastest way to give your files the gift of remote access is to upload them to a cloud storage server operated by one company or another. We won’t name cloud storage companies because for many, they are viable options for file storage. However, we will mention some of the potential security risks these cloud storage companies, as a whole, represent.

  • Lack of Crypto-Key Control – In simplistic terms, when files are encrypted, keys are created to encrypt and decrypt the files. If you don’t have the key, you can’t see the file. The problem with some cloud storage providers is they maintain ownership of the encryption keys, which means if the service was hacked, the hackers would have control over the encryption keys to your files.
  • Lack of Any Security Control – When you sign up for a cloud storage provider, they have their own methods of cybersecurity in place. You don’t have a say in what encryption they use, for example, or any other security features. In short, you are trusting their cybersecurity team with all your data.
  • Data Sharing – Sometimes cloud storage providers have shared data (or, at least, metadata) with third parties. When security is a prime concern, the sharing of any data about your data or your organization is potentially very harmful.
  • Shared Server Storage – When you upload files to a cloud storage provider, your files are stored on a section of one of their massive servers. If the file server gets hacked via another customer’s account, once again, the hackers can gain access to your files since they reside on the same server.

Host your own secure file server

Host Your Own Secure File Server

The easiest way to take total control over your file server needs is to set up your own. Though that might sound daunting, it is actually pretty simple. Plus, there are multiple manners of file sharing you can use. Here are a few:

  • NAS (Network Attached Storage) – NAS is one of the easiest ways to build a secure server, but it is reliant on you having the proper type of router. Some routers have USB ports for storage. Plug in a thumb drive, configure a few settings, and you’re the proud owner of a private server!
  • FTP (File Transfer Protocol) – FTP has been around for almost as long as the Internet. While it’s not exactly what you imagine when you think of a cloud server, FTP servers can be used to easily transfer large files. You can even add security measures to FTP. Use SFTP (Secure File Transfer Protocol) and you’ll be using SSH to protect the transmission of your files. Or, use FTPS (File Transfer Protocol Secure) which give you TLS encryption for data transmission.
  • HFS (HTTP File Server) – HFS is another protocol which has been around for some time. It can be set up quickly which is great for inexperienced users yet has tons of customizable options for the more advanced users.

The most important part, after you’ve determined the type of private server you plan to run, is to explore security options. You’ll need to do it all yourself (as compared to a cloud storage provider) but, as previously stated, you’ll have full control over your security. You can make sure your security measures are always up to date, your software properly patched, and access to your files exactly as controlled as you desire.

To learn more how Fognigma, our leading-edge enterprise software solution, can take your protected, online-accessible file storage to the next level, contact us today.

VoIP-vs.-Landline-Security

VoIP vs. Landline Security: A Comparison

Telephones Require Security, Too

Telephones were created to transmit person-to-person communication at a longer distance. Everyone knows that. It’s also expected by most people talking on phones that the conversation is only between themselves and the person or persons at the other end. But we in the cybersecurity world know that’s not always the case. We know that if communications are happening, there are always third parties trying to intercept those communications. Therefore, security is just as important for your telephony as it is for your networks, users, and other systems.

For office use, two types of phone systems are the most plentiful: hardwired landlines (also called PSTN, or public switched telephone networks) and virtual VoIP (Voice over Internet Protocol). Which is more secure: landline or VoIP? Let’s explore further.

Landline phones need security

Landlines

The oldest and more traditional method of telephony is the landline—wires literally stretching all over the world, physically connecting handset to handset (with all the switches, terminals, cables, etc. in between, of course). It’s a system and infrastructure that’s been built up over one hundred years and works via circuit switching (a dedicated link between the two callers that exists as long as the call takes place). By having an actual physical connection, landlines are quite secure. In order to intercept communications, the wires themselves must be hacked into. This is not impossible, but it is quite an undertaking. However, to get this innate security, one must pay for the infrastructure by way of taxes, per-call fees, and other applicable charges. Also, this technology is limited to only voice calls—no other type of data (SMS, video, other file types) can be transmitted.

VoIP phones need security

VoIP

VoIP calls have the curse and blessing of traveling over the Internet. VoIP calls are more feature rich and can transmit voice, video, and files. Because calls are placed over IP, there are little to no fees per call. However, VoIP calls work via packet switching, in which the information is digitally sent over the Internet in sections via many different and ever-changing routes (to be reassembled when they reach the end caller). As this article on Lifewire points out, “It is easier . . . to intercept VoIP data thereby breaching your privacy.” The articles goes on to say, “Many of the nodes through which the VoIP packets pass are not optimized for VoIP communications, which renders the channel vulnerable.”

That was the curse part. The blessing comes in the form of cybersecurity. Since VoIP calls are traveling over the Internet, you can protect them using all the cybersecurity methods you use for your organization, networks, and users. Firewalls, encryption, VPNs, and virus and malware protection (yes, you can get malware from a VoIP call) can enrobe and strengthen the security of VoIP telephony. These security measures are just not available for landline phone systems.

Telephony security is important

One Final Warning

There is one other way to intercept any type of phone call, possibly one you thought about in the section about landlines, and that is eavesdropping. Yes, no matter how much security you put in place, someone simply could be listening in at your door or through an electronic device. This means the final telephony security measure is your own discretion. Are you in a secure location for a call? Is there the possibility that devices could be hidden around you? Is there anywhere more secure you could place the call? Along with the type of telephony your organization is using and its intrinsic and additional security measures, being aware of your surroundings is the extra step which will help your phone calls stay secure.

Fognigma’s telephony solutions take VoIP security to the next level, featuring leading-edge technology and the utmost in communications protection. To learn more how our solutions can help your organization or to schedule a demonstration of them, contact us today.

importance of patches

The Importance of Patches and Updates

Everything was Once New

A new bit of software is released. It’s sparkling, it’s fun, it’s revolutionary. Everyone loves it and starts using it. Or, perhaps the new thing is an IoT device which lets you monitor the air quality of your office. In order to survive in today’s marketplace (read: make the company money), products get pushed onto shelves to be sold often times before they are fully functional and secure. Because of this rush, most software and software-based products are flawed at the time you purchase them.

You know the drill: you get your brand-new cognition amplifier home and what’s the first thing you do after you turn it on and connect it to Wi-Fi? That’s right, you search for (and normally install) updates. Many people think that’s the only maintenance they need to do, but it’s not. Just like a flower in a pot. It will look nice as soon as you get it home, but if you think you can just leave it and it will always look nice, you are wrong. You need to care for it and provide what it needs, or it will get sick. Just like your devices and software.

“Data is moving in and out of hospitals very freely and they’re very unsegmented. We have customers who are still using Windows 95. That’s insane … And we’ve been told that, since they’re saving lives 24/7, they never patch. They’re afraid of rebooting the system or messing it up.” – Chris Morales, Head of Security Analytics at Vectra

What can go wrong without patches?

What Can Go Wrong?

But what really can go wrong if you don’t update your stuff? Can it really be that bad? You might just be missing out on some new features, right? Let’s explore some recent update and patch news:

These examples provide insight into potential security breaches on a massive scale that were all fixed with a patch. You don’t want to install some weather-checking software or an IoT thermostat and have it serve as a doorway outsiders can exploit to compromise your systems, steal your data, and destroy the credibility of your users and organization. And software/IoT device companies don’t want to get in the news as being the cause for such a compromise and feeling the wrath of litigation, bad press, and governmental fines rain down upon them.

All the above stories have one thing in common (other than the scale and potential damage the flaws could have inflicted): every vulnerability was fixed with a patch. This is what responsible software and software-reliant hardware companies do—they monitor and patch and update to make their product the safest and best it can be.

This is something you should think about and investigate when selecting software and hardware options. See if the company has frequent updates or patches. Make sure they are continuing to support their product and make it secure. Otherwise, you could put a lot of faith in a product that will just leave you exposed to those who wish to do you harm.

Always update and patch your software

A Final Word on Patches and Updates

It’s not just for your own organization’s security that you want to keep your software and hardware updated and patched. Between GDPR regulations (where organizations can be fined up to 4% of their annual income or €20 million, whichever’s greater)  and the new Binding Operational Directive from CISA ((BOD) 19-02) setting a deadline for updating any and all systems when a patch is available (15 days for “critical” vulnerabilities and 30 days for “high”-severity flaws), pressure is on from national and international institutions to protect your systems. Like herd immunity for viruses and diseases, the world has seen the importance of all organizations keeping their software updated.

It does take a little time but make it part of standard operating procedure and get it on a schedule. Find the best time for updates to take place for your organization and make sure they are never missed. Your organization’s cybersecurity will thank you.

To learn more how we make sure our solutions stay updated and our customers are alerted any time a new update or patch is released, contact us today.

The Problem with Old Encryption Methods_header_Blog Image Header

The Problem with Old Encryption Methods

Encryption is Vital

Mission success depends on organizational data and communications staying protected. It behooves organizations, therefore, to shroud their comms and data with encryption. So why don’t they? Why don’t organizations and agencies rush out and implement at least some form of encryption? Why don’t they make encryption a top priority? Well, it’s not as easy as just pressing a button, but perhaps not for the reasons you think. Let’s examine encryption, some of the things that prevent organizations from adopting it, and some of the disasters that can occur without it.

Encryption is Nothing New

As soon as the first person had a secret they wanted to tell another, without the whole world knowing, encryption was born. (We’ve covered some of this before in our blog about Dual Encryption. Take a read for some extra background into the history of encryption.) Encryption of one form or another has been used to protect trade secrets, important communications, and military intelligence.

All encryption is based on ciphers — rules of reorganizing the information so its actual meaning is hidden from anyone who doesn’t know the rules. In a simplistic model, the ciphers work with special keys to lock up the data, and the same key (symmetric encryption) or a different key (asymmetric encryption) unlocks the data and allows it to be deciphered.

Since encryption was first born, however, others have been working hard at breaking encryption. And so, encryption methods have grown more and more complex. The current accepted standard of encryption is AES-256 encryption which creates digital keys 256 characters long. Brute force (i.e., guessing all random combinations) a number that size would take a billion times longer than the age of the universe.

So, encryption has been around a long time, which brings the question again: Why aren’t organizations adopting encryption for all their data and communications?

Encryption Costs Time

Encryption doesn’t just happen. A method must be chosen, procedures must be implemented, users must be trained, and then everyone actually needs to use the encryption. All this disruption to the current way of doing things takes time. Lots and lots of time, especially the “everyone actually using it” part.

Encryption adds extra steps to workflow and users are notorious for going around company policy if it slows down their work. A new report from Symphony Communication Services shows 24% report they are “aware of IT security guidelines yet are not following them;” “27% knowingly connect to an unsecure network;” and “25% share confidential information through [unsecure] collaboration platforms.”

This is very troublesome when incorporating encryption into your organization. For encryption to protect properly, everyone needs to be using it instead of finding ways around it. A report by the Government Business Council showed that of those Defense employees who admit to using their personal devices to conduct agency work, 94% say their devices have not been approved by the agency. Once again, more evidence that users are choosing convenience over security—choosing to save time over protecting the organization. Time, then, is the true cost (and problem) with old encryption methods.

Automated Encryption is the Future

In the future, encryption will be easier for organizations to adopt because it will all be handled behind the scenes. You’ll simply log in to a program (which will handle all the key exchanges and encryption/decryption) and let it run in the background. You will then be able to send encrypted messages as easy as sending a regular chat message—no extra steps needed. You’ll be able to encrypt files that only the specific users you selected will be able to open (even if the user is just yourself). And this encryption will be available on desktop and mobile devices, all working together to ensure your organization’s encryption.

Think that sounds like a pipe dream? Too good to be true? Too far out in the future? What if we told you the future was in the final stage of development and testing, and will be ready for release very soon? It has a name: Conclave. It has a purpose: to make sure you use encryption and protect your organization without all the extra steps. To learn how our automated encryption solutions can help secure your data, users, and organization, please contact us today!

Spawner Storm

Spawner Storm: An Introduction

Always Innovating

One key goal of innovation is not always to do something new, but to do something better. The process in which Fognigma communicates with various cloud service providers, leasing and building virtual machines, and uniting those machines to function as one invisible and secure network is new (which is why it’s patented). But we’re not content with just creating an amazing product and then resting on our laurels—we want to continue to make the product evolve into an even better version of itself. We are constantly checking our software and stretching our brains to figure out ways to make it more secure, more undetectable, and more valuable to the customers who use it.

Which is why we created Spawner Storm, a revolutionary and patent-pending method for anonymizing Fognigma Network builds and communications even more. But we’re getting ahead of ourselves. Let’s first describe the issue and then we can showcase Spawner Storm’s technology and how it takes Fognigma Networks to the next level.

Even a Little is Still Too Much Association

When the Fognigma engine builds a network, it sends messages to the cloud service providers communicating the plans to build each virtual machine. Then, the engine continues to talk to the cloud and all the virtual machines. What we realized is because the engine has a set IP address, if anyone could discover some of the virtual machines and see the IP address that was communicating with it, they’d be able to associate all the machines. That is, they could tell the virtual machines were working together and then trace them back to the engine using the discovered IP address of the engine. This sort of association could possibly lead a nefarious third-party right to your Fognigma’s engine’s front door and, from there, learn where your organization is located, your IP address, etc. Even the remote possibility of this happening is not acceptable to us. We had to find a solution.

Suddenly, the sky darkens and thickens with a mass of water-laden clouds. Lighting and thunder tear the sky open and the rain begins to deluge down. The Storm is here.

dissociates communication

Unleash the Spawner Storm

Spawner Storm dissociates the Fognigma engine from its components and build requests like never before. It does so by leveraging our patented Portal Proxy solution. Portal Proxies are unique, on-demand URLs from which users access web services (including internal Fognigma components). Portal Proxies add a singular dissociative layer between the user and the web service (i.e., between the two communicating parties).

What Spawner Storm does is create a mass of Portal Proxies and then passes all the virtual machine build requests and further communications to Fognigma components through those proxies. In one test we performed, we created a Spawner Storm with 200 Portal Proxies through which to pass communications. At the end of the test, the virtual machine we were pinging noted contact with over 60 different IP addresses spread throughout clouds in various locations across the globe.

Spawner Storm ensures that communications between an organization’s Fognigma engine, cloud service providers, and all virtual machines are as scattered as possible to prevent any chance of association.

Working together yet seeming apart is one of the main benefits Fognigma can offer organizations, and Spawner Storm is the newest innovation to make that separation even more separate. For more information on Spawner Storm or Fognigma or to schedule a demo, please contact us here.