But understanding the odds and ends of cyberthreats is something that still eludes the casual computer user. Terms like malware, spyware, DDoS, botnet, advanced persistent threats, we know they’re bad news, but beyond that they’re just jargon used by IT guys and technology pundits. Even those who do claim to understand the nuances of cybersecurity have a tendency to confuse the details or explain them unclearly.

Who, not what, are APTs?

One of the most commonly misunderstood cybersecurity issues is the advanced persistent threat (APT). This phrase has popped up several times in recent years, often in connection with international incidents, like cyber espionage and digital terrorism.

However, the important thing to know about an APT is that the term describes a who rather than a what. One incident that’s commonly misidentified as an APT is the Stuxnet computer worm that reportedly wreaked havoc on an Iranian nuclear facility in 2010. After the attack, many pointed to the Stuxnet worm itself as an APT. Close, but not quite on the money.

The organization that created and launched the Stuxnet would be the APT in this scenario. Stuxnet itself is an example of malware – more specifically a rootkit. Malware is a word that we’re pretty much all familiar with by this point. Short for malicious software, malware is the term used to describe viruses, Trojans, spyware, worms and rootkits, among other threats.

Malware can infect a person’s computer from many access points. Most often, malware is downloaded either through a malicious email attachment or an infected website, but it can also be transferred through a USB drive, a CD or any number of devices.

With a rootkit, the malware infects the system through a coding vulnerability, then creates a back channel, or a command-and-control channel, which affords the attacker privileged access to a system – often leading to stolen information.

Distributed Denial of Service

Another cyberthreat often employed by APTs is the DDoS attack. Such aggressions have made headlines in recent years thanks in no small part to the hacktivist group Anonymous. The hackers made the news as recently as this weekend, when they supposedly launched a DDoS attack against the CIA’s website, forcing it to shut down for several hours.

DDoS attacks are typically carried out by a group of computers known as botnets. In a botnet, the attacker – often an APT – has control over thousands of malware-infected computers. In a DDoS attack, these machines are used to flood the bandwidth of an organization’s website with external communication requests, preventing the servers from being able to respond to legitimate requests. The end result is either a significantly slowed website or a complete shutdown.

Three-layer security

So now that we have a basic understanding of some well-known cyberthreats, it’s important to know what you can do to protect against them. For this, we introduce the data security pyramid.

The pyramid consists of three layers. At the base, we have Defend. This represents your first line of defense – antivirus software, firewalls and other measures that prevent attackers from breaking into the network.

In the middle, there’s the Comply layer. This is necessary for identifying persistent threats and putting a stop to them before they get out of hand.

At the top of the pyramid is the Containment layer. Every security measure has its flaws. Firewalls have holes and monitoring tools miss something every now and then. If you take this approach to data security, you recognize the importance of containing your entire environment, so even if the system is compromised the data remains safe and out of the hands of cyberattackers and ne’er-do-wells.

There is no way to guarantee network security, and there are a lot of ins and outs that are best addressed by the company and its service provider. However, with a basic understanding of cyberthreats, businesses should be better prepared to guard against any situation that arises.

What is more of a mystery is why exactly this is happening and what it all means.

In a nutshell, the U.S. Department of Defense, some 35 years ago, decided to introduce a standard that would allow a little more than 4 billion network addresses to connect to the internet. The standard, known as IPv4, uses 32-bit addresses and is basically a means to identify each device that connects the internet. Web-enabled machines are given identifiers that are most commonly written in dot-decimal notation (127.0.0.1, for example).

In 1977, when IPv4 was launched, 4 billion addresses seemed like more than enough room to support all the devices that would connect to the internet. Of course, this was in a time before smartphones, tablets, multi-PC households, web-enabled TVs, e-readers and all those other gadgets that get us through the day.

But as the internet became a bigger part of our daily lives, the number of IP addresses began to dwindle. Though 4 billion may seem massive, it doesn’t even account for every one of earth’s 7 billion inhabitants having one device. This trend has become especially evident as the expansion of the internet has hit Asia, rapidly consuming the available IPv4 addresses.

For those that get anxious about such things, the Internet Corporation for Assigned Names and Numbers – the organization that allocates IP addresses to the various industries in various regions around the world – announced last February that it had assigned the last of the IPv4 address blocks, meaning the internet protocol is quickly coming to an end.

Now, it’s important to note that this is not another Y2K moment. No one needs to plan for the technology apocalypse. Fortunately, the fact that IPv4 wouldn’t be sustainable was realized years ago, and the transition to IPv6 is already occurring across industries.

Unlike IPv4, the new internet protocol is based on 128-bit addresses, meaning it can support a virtually unlimited number of servers, routers, PCs, websites, gaming consoles and so on.

Many software giants, like Apple and Microsoft, have been planning for IPv6 for years, and most major operating systems are already compatible with the new protocol. Last June, companies across industries participated in World IPv6 Day, when they switched their main websites to support IPv6 for 24 hours.

The telecom industry has been among those leading the charge to IPv6; trying to make sure the transition is as seamless as possible for businesses and consumers. Though the jump to IPv6 is inevitable, telecoms realize that people aren’t going to want to just hand over their older devices. So most telecoms will continue supporting both protocols for some time to ensure service isn’t disrupted even on outdated systems.

Still, switching to IPv6 sooner rather than later can be advantageous for a company. To do so, a business should identify hardware and software that needs to be upgraded to the new protocol. Companies might also test their technology-readiness by running IPv6 periodically throughout the year.

Not all businesses will have the necessary resources or the know-how to handle the transition to IPv6 on their own. For businesses – or individuals – with questions about IPv6, it may be wise to ask your managed services or internet provider about what needs to be done to ensure that the move to IPv6 is simple, seamless and stress-free.

Consider the enforcement

Any policy written isn’t fully useful if it isn’t enforced and reiterated.  All users should know the policies upon hire.  Also, keeping the policies relevant by communicating them on a regular basis is important.  These policies should be treated the same way that HR policies are developed and referenced.

Consider the devices

When we look at the new devices that have been introduced to the market – and in turn into your users’ daily lives – we see that these devices have much more in common with a computer than with the voice-and-SMS-only cellular phones of just a few years ago.  These devices have the potential to connect to both your internal network as well as third-party data sharing sites.  When developing policies, keep in mind the type of access a user will need to your network as well as any other networks they are able to connect to.  Also, decide which devices will be supported.  Consider the difference between personal devices and corporate issued devices.

In order to develop a comprehensive and effective policy, all capabilities of a device need to be considered. For example, you might want to start your AUP employee communication with a statement such as the following:

“This policy applies to any mobile device issued by <Company> or used for performing business on behalf of <Company>, which may or may not contain stored data owned by <Company>.”

Consider the data: Who owns it, who is responsible for it

Do your users need access to webmail only?  Do they need to access your internal network via a VPN?  Do you need to track and retain data for e-discovery?  Before any policy can be written, all access needs to be accounted for and addressed.  Maybe some users will only have access to email, while a VP will have access to the internal network. 

The AUP will need to address the behavior that is expected and acceptable for each access method.  Maybe deleting emails from a mobile device is expected, but deleting network-shared files from a mobile device is not acceptable.  Device encryption is a good requirement to minimize any data leakage.  Also, secure passwords with screen locks should be enforced.  Here’s an example of how this can be documented in your AUP communication to employees:

“All employees are expected to assist in protecting any issued devices and any stored data belonging to <Company>.  Encryption of your device is required, where available.  Further, we will require a device password with screen lock.  It is forbidden to take any action to avert these and any security measures required by <Company>.”

Consider the users

Users will need education on mobile security, any policies and expectations.  Maybe you will expect that users will change their device password on a regular basis.  Make sure the users know the access that IT has into their device.  They will need to understand and acknowledge that attaching to your mail server will allow your IT staff to remotely wipe their device.  When a user is terminated – or a device is lost or stolen – what action will the company take?  This information will be critical to any policies, and can be communicated to end users as follows:

“The Company reserves the right to wipe all data from a device (personal or company issued) that is syncing with any systems belonging to <Company>.  This wipe may or may not include personal data, applications, contacts, etc.  This wipe will restore the device to factory settings.”

January is upon us and once again, it is time for the Pacific Telecommunications Council‘s annual conference — PTC’12.  On its 34^th year, this event is a strategic springboard for the global telecommunications industry.

“Harnessing Disruption: Global, Mobile, Social and Local” was the theme of this year’s PTC.  Set against a backdrop of what has been characterized as one of the most difficult years for the telecommunication industry, the epic rise of social media, wireless technology and insatiable global demand for broadband access has created unprecedented opportunities for Cloud Services.  Widely viewed as the industry’s technological direction, PTC ’12 dedicated multiple conference sessions to various aspects of cloud infrastructure and access technologies.

Virtela’s contribution to the PTC’12 discourse was a panel discussion on “The ‘Local’ Movement: Why Cloud Has Made Local Internet Critical to Carrier Success” moderated by our Vice President of Global Access Strategy, Andy Funk.  Joined by industry subject matter experts with diverse perspectives, the panel featured a spirited discussion on why local internet routing is increasingly important as cloud popularity swells.

More than a major industry event, the annual PTC conference affords Virtela a valuable opportunity to meet, reconnect and share its technology with partners and friends from 54 APAC countries in one single week.  We look forward to this event each year – not only for its paradisiacal location – it is the perfect way to kick off a new year and new discussions.

The next step? Build your strategy. Here are a few things to consider:

Determine who will be allowed to bring their own devices
Many companies choose to slow roll BYOD, enabling only certain groups of employees in the first round and then opening it up to more employees at a later date. This allows them to test the waters before they dive right in.

Determine what devices employees will be allowed to bring
Too restrictive of a policy will cause frustration and turn the IT staff into enforcers. Too liberal of a policy can create headaches for the IT staff in terms of technical support and security. We typically see corporations limiting access to the most popular 3-5 OSs and associated smart devices.

You should also consider allowing only devices with security features such as device encryption. And if you are using Mobile Device Management (MDM) to assist with your BYOD efforts, make sure the solution you choose covers not only the top OSs but also has a history of quickly adapting to changes in the device and OS market.

Determine what corporate access to allow
What applications will you allow access to from employee-owned smartphones and tablets – i.e. just email, specific corporate applications, the entire corporate LAN? How will you ensure the security of that access and will access vary by employee type?

Determine what to do in the event a device is lost or stolen
Most MDM solutions include tools that allow employees and/or the IT department to find lost phones via GPS or cell tower triangulation. You will want to determine what action to take when a device is lost or stolen, whether that means locking the phone, wiping the entire phone back to factory defaults, or wiping specific files and corporate apps.

Design an Acceptable Use Policy (AUP)
AUPs serve as a means for employees to know what they can and cannot do with their smart devices. This helps IT managers minimize support costs and security threats, while maximizing employee productivity. AUPs can be constructed using criteria such as the following:

• Application black or white lists
• Required encryption of the device
• What to do if the device has been jailbroken or rooted – jailbreaking or rooting a phone circumvents the built-in security and protection of the operating system, potentially opening up the phone to malware
• Device type and OS rev – prohibit devices and/or OS revs that may be less secure
• What to do if a device hasn’t checked in for a predetermined time frame – may be an indication the device was lost or stolen

 As part of your BYOD strategy, you should also determine what to do if the AUP is violated. For example, an alert might be sent to the end user and their access to corporate applications restricted until remediation occurs.

I’ve raised a lot of questions in this blog with no right or wrong answers. To achieve a successful implementation, you will need to take a look at what you are trying to accomplish with your BYOD program and then create a strategy specific to your corporation.

Two statistics that I found especially interesting were:

• 91% [of respondents] use their smartphones for work, compared to 69% in 2010.
• 58% of mobile employees are provisioned smartphones by their companies; this is down from nearly two-thirds a year ago. 42% of employees have individually liable smartphones.

Smart phones have become a de facto work tool, however fewer of those smartphones are being provided by the corporation. Instead of carrying around multiple phones/tablets, we dual purpose our personal devices for work.

In order to reign in these employee-owned devices to control access and security, IT managers look to Mobile Device Management (MDM) solutions. 

MDM solutions vary, with some being more “big brother” than others. IT managers need to formulate a Bring Your Own Device (BYOD) strategy that meets their specific business needs, and effectively document and communicate that policy among employees so they are not caught unaware.

Employees need to know what personal information is visible to their corporate IT staff using MDM tools. They want to know if the corporation can see every phone call they’ve made, track where they’ve been, read their text messages, view their contacts list, photos, apps, etc.

Employees also need to know what they can and cannot do, as well as the consequences. Are they allowed to download applications on their devices? Jailbreak the device? Delete an app that is deemed critical to the corporation? Upload data to iCloud? Access iTunes? What info is wiped when an employee leaves the company?  All of these things will vary depending on the type of business, compliance concerns, and the capabilities of the MDM tools.

How do you decide what type of BYOD program to put in place? You can start with the following:

• Assess your risk tolerance – are you in a heavily regulated industry such as finance, healthcare, or government?  If so, then you’ll likely opt for a more locked down strategy.
• Define the program goals – for example, do you want to increase employee productivity, increase security, decrease IT support requirements?
• Involve stakeholders in your program development – this could include legal, HR, finance, or executive level sponsor for funding purposes

Up Next: What to Consider When Building a BYOD Strategy

“We are growing and need more bandwidth.”
“We’ll need to double the bandwidth as we are over-utilizing the existing pipe.”

These are common complaints – or requirements – of CIOs and Network/IT managers. Upgrading bandwidth to meet business demands is critical. But equally important is the need to know what traffic types are flowing across the network. Are users making right use of the current bandwidth?  Is a DS3 being fully utilized with production or business traffic? 

Most companies do not identify their traffic flow due to lack of time, resources, or skill. Budget is commonly available to upgrade the bandwidth but not to analyze the traffic, which is rarely considered a necessity under the assumption that all traffic is legitimate traffic.  As a result, it’s comparatively easy to make a business case to upgrade bandwidth than it is to invest in identifying the traffic.

There are consequences to increasing network bandwidth without fully understanding traffic flow. Investing in bandwidth upgrades without knowledge of traffic is like filling a bucket with a leaking hole –if users are not making the right use of bandwidth, further investments will likely be needed. It’s wise to identify the network traffic first before considering bandwidth upgrades to ensure bandwidth usage maps to business usage.

So what’s involved in identifying traffic and filtering out leisure traffic?

NetFlow can be used to identify the traffic flowing across the network.  Traffic profiles on firewalls along with protocol/content filtering is a good idea to block the traffic at the ingress point of the WAN.  Once ingress filtering points are identified correctly, it ensures bandwidth is available for the legitimate production traffic. 

The sooner you get to know your traffic the better. Increasing bandwidth is fine but only if it’s for the right traffic. Network managers must address the cause of insufficient bandwidth, as opposed to addressing just the symptoms.

The Philippines Global Operations Center (GOC) works in full tandem with counterparts in Denver, Colorado and Mumbai, India to provide 24x7x365 customer support.

Sunrise in Manila prompts the Philippine team to get in full gear, ready to perform a smooth handoff from the Denver GOC team. Shortly before Manila’s famed sunset, we pass on support functions to our Mumbai counterparts. As an integral part of Virtela’s global service delivery, the Virtela Philippines team is committed to a seamless transition in the never-ending follow-the-sun customer service support cycle.

Always excited to support advancing technology and the increasing needs of our customers, Virtela Philippine team members frequently travel to meet and train with our counterparts in Denver and Mumbai. It’s crucial that the engineers at all our GOCs are following the same processes and procedures and are equally adept in terms of technical skills, so if an open ticket is handed off to the next GOC team they continue to quickly resolve the issue.

Many of our customers are multinationals with locations around the world. Thus, IT support needs to be available 24-hours-a-day, and Virtela brings the added benefit of proactive support and predictive analytics capabilities, often informing customers of an issue before the customer has experienced any degradation in service.  

We fully understand the adverse impact of service aberrations to the business operations of our customers. In addition to resolving issues as quickly as possible, our highly-resilient network design minimizes downtime for customers. Partnering with 500+ carriers around the world to form our intelligent overlay network means we have fully redundant, automatic failover in place in the event of network performance issues.

It can be easily said that being in the frontline of customer support is not easy by any stretch. However, every time I see a thank you email from a customer or when Virtela wins another customer service award, all the hard work is justified.

Which brings us to the question: How is IT impacting your business?

As technology constantly evolves it’s becoming harder and harder for businesses to maintain an in-house IT staff that can provide the necessary expertise and service 24x7x365. Not to mention the ability to get new technology up and running in a matter of days versus months.

How many organizations today have the luxury – or patience – to wait months for a new technology or initiative to go live? Or how many would find an outage acceptable, especially if it affects the company’s ability to communicate with its customers (impact on service) or process orders (impact on revenue)? I’m guessing not too many.

An IT department that can become more strategic, utilizing technology to grow the business instead of focusing solely on operational cost savings, is well positioned to succeed. For many businesses that might be easier said than done, especially as we continue to see limited resources and budget constraints. But it’s not a long-shot.

Enter the managed service provider.

Let’s say you transfer the support and maintenance of your infrastructure to a managed service provider. You have the potential to save in both capex and opex. In fact, a recent CompTIA study revealed that among current users of managed services, 46% of firms have trimmed their annual IT expenditures by 25% or more as a result of their shift to managed services, including 13% that have slashed annual IT expenditures by 50% or more. An additional 50% of organizations have saved between 1-24% in IT costs annually.  Plus, IT is now free to focus on the core business while the service provider proactively manages the network.  The CompTIA study showed that, while costs savings are the top factor in deciding to use managed services, more than half of respondents indicated that they use an MSP to free up their internal IT staff to work on projects that fall into the business’ core competencies or revenue-generating activities.

With managed services, you also get faster time to service. Service or technology initiatives that used to take months to implement can be implemented in hours or days by a team of highly skilled specialists using best-of-breed technologies and vendors. What a tremendous competitive advantage to have experts in IT infrastructure management on your team to worry about the daily operational functions, while you focus on making IT one with the business.

So how is IT impacting your business? Hopefully it’s focused on making a positive impact on top line revenue. If you’re finding that hard to do, check out our slideshow on The Business Impact of IT.

In the managed services industry, the issue of trust is paramount. Customers must trust that the services provided – whether network, security, cloud, IT infrastructure management or otherwise – will be reliable and high-performing. Companies also need to trust that the MSP implements the best solution to meet their unique needs. Additionally, if problems occur, the customer must be confident that the MSP will do what it takes to resolve problems quickly; better yet, predict potential problems and fix them before they severely impact the health of the network.

These days, there is no shortage of companies offering IT network services. As is the case in any industry, trust is earned. When choosing a managed services provider, a business should vet its options carefully. Before making a perceived “safer” solution because of the MSP’s brand name, companies should think twice and carefully evaluate their choices.  Trust doesn’t come from having a brand name.  Trust comes from knowing the MSP’s track record and deeply understanding its business model and what they can truly do and not do.  Ask yourself… Do they have a track record of working with companies like mine? Do I have to settle with off-the-shelf solutions or can the MSP customize solutions for me? How flexible are the solutions – can I choose the best vendor, technology or even carrier on a location by location basis?  Can I get end-to-end, single-point-of-contact support for my entire global, multivendor implementation?  If I have an issue, will I be treated like a business partner or just another number in a long list of waiting callers? To help companies through this process, we’ve created a checklist for evaluating managed services that offers practical advice on how to select the right provider for your global needs.