Look back: A review of the threats faced in 2011

January 24th, 2012

Redscan proactively monitors and maintains Network Box security solutions on behalf of its customers in Europe and is part of a network of similar operations centres worldwide. These products generate extensive statistics that provide a unique view into what is happening in the real world. This article examines the statistics collected in 2011 and explains what they reveal.

There is a great deal that can be gleaned from customer systems. When statistics from many different organisations, of different sizes, from different industries, in different countries are amalgamated and analysed, they provide a useful insight into the true nature of security threats. These trends are not only interesting to observe, but are also invaluable in helping companies to determine future security policies. The statistics gathered in 2011 reveal:

  • A new security signature was released every 8.1 seconds
  • Malware attacks escalated by 68.1% in 2011, as compared to 2010
  • Attacks blocked using firewall technology increased by 13.1% on the previous year
  • Small businesses – not just large organisations – were targeted with denial of service (DoS) and distributed denial of service (DDoS) attacks
  • A larger proportion of IT managers are imposing restrictions on web site usage

In 2011, Network Box Security Response PUSHed out 7,125 updates which was down 39.2% on 2010. However the number of signatures grew 25.9% to 3,880,267. This strange statistic reflected the continued move to cloud-based signature systems (such as the Network Box’s Z-Scan and NBCP content categorisation systems). So the number of signatures per update fell, while the number of signatures released increased. This is a trend that is destined to continue, as traditional signatures continue to be the most effective against the depth and breadth of malware, whilst cloud-based signatures are emerging as the most effective solution for zero-day outbreaks. The result is that there was approximately one new signature every 8.1 seconds in 2011.

During the year, the average Network Box blocked 208,081 spams, down 55.8% from 2010, but malware was up 68.1% on 2010 to 8,008. The reduction in overall spam volume is due to the large-scale takedown operations against botnets and their owners, as botnets are the single biggest source of spam. However, the reduction in spam volume is somewhat masked by the increased use of pre-scan filtering such as RBL blocks at the envelope stage and recipient address verification. Such envelope-stage blocks are effective against a huge amount of spam (currently estimated at around 35%, globally). Messages, both spam and malware, blocked at the envelope stage do not appear in our reported figures for ‘messages blocked as spam and malware’.

The 2011 statistics reveal that the average Network Box blocked 9,191,536 attacks during the year using firewall technology. Such attacks were up 13.1% on 2010, which could indicate that hackers believe that firewalls can be badly configured and are worth probing for vulnerabilities, either in the firewall itself or just as a way of accessing the network behind. Intrusions were down 18.3%. It should be noted, however, that such network-level attacks are an unavoidable consequence of being connected to the global Internet.

The trend away from attacks composed of mass-mailed spam and malware towards targeted or mass vulnerability exploitation continued during 2011. One worrying new pattern was the increase in relatively low-impact denial of service (DoS) and distributed denial of service (DDoS) attacks. In the past, DoS and DDoS have used hundreds of megabits of bandwidth, but 2011 saw a large number of such attacks in the tens of megabits category targeting small organisations. Whilst larger enterprises have deployed protection against this form of attack, many smaller companies haven’t and are therefore vulnerable.

In 2011, the average Network Box blocked 1,663,284 websites due to company content filtering policy, which is up a massive 45.5% on 2010. When this is compared with the 45,838,221 website URLs visited on average over the year (which is only up 12.8% compared with 2010) this indicates that IT managers are imposing more controls to implement their company’s policy. The growth in bandwidth usage – and web usage, in particular – continues, driven by the increase in web-based applications, social networking, cloud-based solutions and smart mobile devices.

Potential IT security issues in 2012

January 19th, 2012

January is a good time of the year to look ahead and consider how emerging new technologies and solutions might impact your business.  Redscan’s Simon Heron describes eight key trends that could have serious implications for IT security.

As always, the pace of technological innovation is fast and getting faster.  Yet, at the same time, the work place is changing significantly, driven by organisations’ need to become more competitive and efficient.  These two factors together mean that there is a lot of change on the horizon for 2012.

As the New Year progresses, IT professionals will need to be prepared for the following emerging trends and technologies:

Bring Your Own

The increase of Bring Your Own (BYO) devices, where employees are allowed to use their tablets, smart phones and laptops on the company network, is not going to stop.  The need to blur the boundary between work and leisure is compelling, not just for the new generation Y coming into the work place, but as a way for companies to maximise the use of their workforce in the light of international competition from the Far East.  This will create a problem for IT departments, as they work out how to protect their organisations.

IPv6 Uptake

The last of the IPv4 addresses have been handed out to local authorities and, in some areas, these have already been allocated.  Microsoft has bought 666,624 IP addresses belonging to Nortel at the liquidation sale for US$7.5 million, which put the cost at US$11.25 per IP address.  This suggests that the price of IPv4 addresses is set to rise.

In 2012, this issue will affect websites that host their content on IPv4-only servers, and smart businesses will want to get an IPv6 address in addition to an IPv4 address, so that when the transition to IPv6 does come, they will be prepared.  IPv6 isn’t backward-compatible with IPv4, but companies could “dual stack” their servers.  However, a more cost effective approach will be to install firewalls that can be configured to offer IPv6 on the external, internet-facing side, and IPv4 on the LAN or Demilitarised Zone (DMZ) side, hence not disturbing the company network and minimising costs, as organisations can leave legacy systems in place that only deal with IPv4.

Web-Based Attacks

As more and more systems move “into the cloud”, web-based attacks (such as XSS, SQL injection and DDoS) will continue to gain ground.  Companies increasingly depend on their websites, and these ‘shop windows’ allow prospective customers to browse and, hopefully, buy their products or services.  If the website becomes infected or unavailable, the company suffers not just from the immediate loss of business, but from a much longer-term loss of trust.  Will customers ever want to buy from a site that has been infected, leave their credit or debit card details on a site where they might be abused, or buy with the fear that the products or services might not be delivered?  In 2012, the focus will be on more testing and stronger defences.

Facebook and Twitter Accounts

It seems that more and more sites are offering the option of logging in through Facebook or Twitter accounts.  In some cases, it is becoming exclusive.  If you want a Spotify account, you need to get a Facebook account first.  Turntable.fm is another music-sharing service that requires a Facebook account, and even sites that are not exclusive make it difficult to find out how to log in without using either Facebook or Twitter.  If this trend continues, then one username/password pair will access multiple accounts, which has traditionally been considered bad policy.  However, perhaps more of a concern is that Twitter and Facebook have been hacked in the past and it is likely that they will be targeted again in the future.  Just how much fun a hacker will have with this is something that is a worry.

Near Field Communication

Near field communication (NFC) technology for mobile payments or peer-to-peer networking makes it easier to do everything from paying for your burger to exchanging data.  But there have been a number of vulnerabilities, including poor algorithms and bad implementations, and thieves have been able to use services they have not paid for or take money from unsuspecting users.

Currently, you can buy the Google Nexus S phone, which carries an NFC chip and the Google Wallet companion app for syncing your credit cards to your phone and making mobile payments at participating vendors.  Meanwhile, RIM is putting NFC chips into newer phones such as the BlackBerry 9900, and recently it introduced Tag, a RIM-specific feature that allows BlackBerry users to transfer contact information and documents.  Will this allow data leakage or IP theft?

The latest version of Android, Ice Cream Sandwich, is built to let app developers take advantage of the many uses for NFC, such as setting up peer-to-peer connections between phones simply by tapping the phones’ backs to each other. So without a doubt, in 2012 you’ll see more phones with these chips built into them, as well as more apps that employ the technology.

Processing in the Cloud

Some devices such as smartphones, tablets and even cameras have the ability to process complex information on remote servers.  Apple’s Siri is a good example where this virtual assistant sends the voice request input from an iPhone 4S to Apple’s data centres which then process the audio, identify what is required and send the answer back to the phone.  Google does this with pictures taken by the user.  A picture of a book or landmark taken by a user is sent to and analysed at a Google data centre, which returns a search page relevant to the image.

This way of enhancing the processing power of the smart device is only going to increase with more information being ‘invisibly’ sent to the cloud for processing.  The boundaries of where data is allowed to reside will, as a result, expand without the explicit knowledge of the data owner, and this could mean that a company becomes non-compliant with industry regulations.

HTML 5

Hopefully the take up of HTML 5 will mark an improvement in website security.  It will remove the need for using Adobe Flash with all the vulnerabilities that this application has introduced over the years.  In November 2011, Adobe announced it would no longer develop its mobile Flash Player, because HTML 5 has been better received.  In some cases, HTML 5 will replace the need for apps, and this can only improve the security landscape.  Furthermore, this technology should make it easier and cheaper for developers to introduce interactivity into browsers as they no longer need to buy and install proprietary plug-ins to create click-responsive graphics or to embed video.

Reduction in the Use of Optical-Disc Drives

How often are optical discs used these days, given that a movie can be downloaded in two minutes at any airport or coffee shop?  The answer is: not often.  What is more, when optical discs are used, these tasks frequently could have been done in a number of alternative ways.  So in 2012, there will be fewer laptops with optical drives, which means that at least one way of infecting the network is going to be removed.  This is not a huge benefit, but something positive in light of the usual glum predictions!

Fewer Tablet Manufacturers

Another bit of good news, given the trend towards BYO, is that the number of tablet manufacturers is likely to reduce.  Whilst there is a good market for tablets, there is currently a huge number of companies trying to get into the space with tablets that are no match for Apple’s iPad.  However, a few will get it right and will be able to compete in the long term; the others will fall by the wayside, simplifying the network landscape.

Dormant but Dangerous

January 17th, 2012

Generally, data is considered to be either ‘at rest’, ‘in transit’ or ‘in use.’ When putting data security measures in place, it is important to consider data in all three of these states and address the particular risks associated with each. This article examines data at rest and proposes strategies to minimise the dangers inherent to data in this state.

The Information Commissioner’s Office (ICO) has been given the ability to fine organisations up to £500,000 if it deems that they are not taking data security seriously. Consequently, IT managers must ensure that they don’t overlook the potential risks associated with data at rest.

The first precaution is simply not to collect data that is not required. This seems obvious, but it is surprising how much data is stored needlessly, increasing the risk profile of a company.

Another is to actually locate data. It is commonplace for companies to discover data that had been totally forgotten about when they carry out data discovery. By ‘shredding’ data that is not required, the task is simplified from an infrastructure point of view, as well as for security and compliance.

Data classification is a good step in understanding data, but it can be a difficult task to determine what is confidential and what is not. Frequently, what appears harmless can give a hacker or social engineer an advantage. The basic defence here is full disk encryption (FDE), embedded in company procedures. FDE will go a long way to protect against data going missing. It is not a panacea: users will forget their password, use the same password everywhere, choose a simple password, or write down a complex one and stick it on their monitor. However, as many news stories this year have shown, this simple precaution would have saved so many companies from data loss when laptops and digital media went missing.

There are a number of other strategies to make data at rest safer. A classic approach is to split the data across a number of servers (called secret sharing) so that a hacker would have to hack all the relevant servers before accessing the data. Another way of improving security is split-key cryptography. In this situation, instead of reassembling the key to use it, part of the cryptographic calculation gets run on one computer with part of the key, then the document gets moved to a second computer where the second half of the calculation is carried out with the second part of the key. The challenge with split-key cryptography is making it part of the work flow, so that administrators and users find it transparent.
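As an added illustration of the two schemes described in this paragraph (not code from the original article or from any Redscan product), the following Python shows a k-of-n Shamir secret-sharing split of a value across several servers, and a split-key RSA decryption in which each of two machines holds only part of the private exponent. The RSA parameters are the textbook toy values p=61, q=53, chosen for readability and far too small for real use.

```python
import secrets

# ---- Part 1: secret sharing (Shamir, k-of-n) over a prime field ----
# A 127-bit Mersenne prime; every secret must be smaller than this.
PRIME = 2**127 - 1


def make_shares(secret, k, n, prime=PRIME):
    """Split `secret` into n shares such that any k of them recover it.

    A random polynomial of degree k-1 with constant term `secret` is
    evaluated at x = 1..n; each (x, y) point is one share (one server).
    Fewer than k shares reveal nothing about the constant term.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < prime:
        raise ValueError("secret must lie in [0, prime)")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial at x
            y = (y * x + c) % prime
        shares.append((x, y))
    return shares


def recover_secret(shares, prime=PRIME):
    """Lagrange-interpolate the polynomial at x = 0 from k (or more) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


# ---- Part 2: split-key RSA (each server holds only part of d) ----
# Toy textbook parameters; real keys are 2048 bits or more.
P, Q = 61, 53
N = P * Q                # 3233
PHI = (P - 1) * (Q - 1)  # 3120
E = 17
D = pow(E, -1, PHI)      # 2753


def encrypt(message):
    return pow(message, E, N)


def split_private_exponent(d=D, phi=PHI, d1=None):
    """Additively split d into d1 + d2 = d (mod phi); d1 is random unless given."""
    if d1 is None:
        d1 = secrets.randbelow(phi - 1) + 1
    return d1, (d - d1) % phi


def server_a_partial_decrypt(ciphertext, d1):
    """First machine: raise to its share of the exponent only; the result is not the plaintext."""
    return pow(ciphertext, d1, N)


def server_b_finish_decrypt(ciphertext, partial, d2):
    """Second machine: combine server A's partial result with its own share."""
    return partial * pow(ciphertext, d2, N) % N


def split_key_decrypt(ciphertext, d1, d2):
    # c^d1 * c^d2 = c^(d1 + d2) = c^d (mod N), so neither machine ever holds d.
    partial = server_a_partial_decrypt(ciphertext, d1)
    return server_b_finish_decrypt(ciphertext, partial, d2)


if __name__ == "__main__":
    # Constructed demo values.
    shares = make_shares(123456789, k=3, n=5)
    print("recovered from 3 of 5 shares:", recover_secret(shares[:3]))
    d1, d2 = split_private_exponent()
    c = encrypt(65)
    print("split-key decryption of", c, "->", split_key_decrypt(c, d1, d2))
```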

A novel solution against both insider and outsider attacks is to inflate all data to many times its actual size, so a database that would have normally occupied 10 gigabytes of storage would then use 10 to 20 terabytes. Any thief would immediately run into problems of scale copying or downloading this data. Even if attackers just try to access a small portion of the data, they will still have issues, as the real data is probably stored across a number of shares, effectively implementing secret sharing. This approach does mean that the owner has to have a large infrastructure, but for companies considering this strategy, the cost of hard drives is not going to be significant against the value of the data.

One strongly recommended precaution is to keep the encryption appliances separate from the database server. This again ensures that a hacker has to compromise two machines rather than just one. There is not much point in encrypting data if the key to decrypt it is easily at hand.

It is also important to consider the security of any backups taken and make sure that they are fully encrypted. Frequently, backups are kept off site and with a third party whose security may not match the company’s, so whilst off-site backup is very important, it provides another way to access that data. However, with encrypted backup, the trustworthiness of the individuals at the remote site is a lesser concern than with unencrypted backups. Obviously, the desired position is that the third party shares the same security posture as its customer.

Finally, organisations should review the security at their data centres and take into account the full lifecycle of their hardware. Hard discs eventually leave data centres, can be stolen, lost, retired, repurposed or broken. In all these cases, they will have data on them that may be sensitive. Company policies must be written and enforced to ensure that data cannot fall into the wrong hands in this way.

VoIP: The Danger of Open Ports

January 4th, 2012

Redscan engineers recently carried out a test.  They installed a Sipera UC-Sec 100 appliance behind a firewall on our test network and left the SIP ports, TCP 5060 and 5061, open to the internet.

The aim was to see how long it would take for the system to be attacked.  Over a series of tests it was found that it took from 24 to 48 hours for the Sipera system to come under attack.  The usual approach was a “Registration” attack where the hacker or ‘bot’ attempts to authenticate itself with the PBX.  These attempts are reported as “Routing Failures” and can be seen below.

Log of Registration Attack

The Sipera UC-Sec 100 device is designed to withstand such attacks, but many IP-PBXs are not.  If these attacks had been launched against an undefended and vulnerable system, it would have been possible for the hacker to register as an authorised user of the system.

Why is this a concern?  Toll fraud is the primary threat.  A hacker who can register as a legitimate user can make telephone calls at the owner’s expense.  A typical scenario is a hacker in a remote country, say Azerbaijan, registering with a PBX in the UK.  He or she then calls a premium rate number in a third country, Ethiopia, for instance.  The hacker owns this premium rate number, so every call made to it makes them money at the expense of the company under attack.  Over a weekend or a few evenings, this can really mount up; £50,000 is not unusual.

This attack is very hard for a company to combat.  First, the company is responsible for all calls made from an unsecured PBX, so it must pay its provider.  Second, if it wants to prosecute, it has to identify where the hacker came from.  The source might be in Azerbaijan, but that could be a proxy for the hacker, who might well live in another country.  As for retrieving the money from the premium rate number provider, the calls were handled in good faith, so it is unlikely any money will be returned!  The moral of this tale is “Buyer Beware”.
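An added example (not the Sipera log from the post, and not Redscan code): detection logic that reads syslog-style SIP REGISTER records and flags a source that racks up repeated authentication failures inside a short window, which is the pattern of the registration attack described above. The record format and the addresses (from the TEST-NET documentation ranges) are constructed for illustration, and the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style records (an assumed format, not any vendor's):
# one REGISTER attempt per line, with the source address, the extension tried
# and whether the PBX accepted the credentials.
SAMPLE_LOG = """\
2012-01-04T10:15:00 sbc sip: REGISTER src=203.0.113.45 user=100 result=auth-failed
2012-01-04T10:15:01 sbc sip: REGISTER src=203.0.113.45 user=101 result=auth-failed
2012-01-04T10:15:02 sbc sip: REGISTER src=198.51.100.7 user=1001 result=auth-failed
2012-01-04T10:15:02 sbc sip: REGISTER src=203.0.113.45 user=102 result=auth-failed
2012-01-04T10:15:03 sbc sip: REGISTER src=203.0.113.45 user=103 result=auth-failed
2012-01-04T10:15:04 sbc sip: REGISTER src=203.0.113.45 user=104 result=auth-failed
2012-01-04T10:15:05 sbc sip: REGISTER src=192.0.2.10 user=1001 result=ok
2012-01-04T10:15:06 sbc sip: REGISTER src=203.0.113.45 user=105 result=auth-failed
2012-01-04T10:20:30 sbc sip: REGISTER src=198.51.100.7 user=1001 result=ok
"""

_RECORD = re.compile(
    r"^(?P<ts>\S+) \S+ sip: REGISTER src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_record(line):
    """Return (timestamp, source, user, result), or None for lines that do not match."""
    m = _RECORD.match(line.strip())
    if m is None:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"])


def detect_registration_attacks(text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed REGISTERs inside a sliding time window.

    Returns {source: {"failures_in_window": peak count, "users_tried": [...]}}.
    A legitimate handset with a mistyped password fails a few times against one
    extension; a registration attack fails quickly and usually walks through
    many extensions, so the list of users tried is reported as well.
    """
    recent = defaultdict(deque)   # source -> timestamps of its recent failures
    users = defaultdict(set)      # source -> extensions it has tried
    flagged = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, user, result = rec
        if result == "ok":
            continue
        users[src].add(user)
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # drop failures older than the window
        if len(window) >= threshold:
            peak = max(len(window), flagged.get(src, {}).get("failures_in_window", 0))
            flagged[src] = {"failures_in_window": peak, "users_tried": sorted(users[src])}
    return flagged


if __name__ == "__main__":
    for src, info in detect_registration_attacks(SAMPLE_LOG).items():
        print(f"{src}: {info['failures_in_window']} failed REGISTERs within 60s, "
              f"extensions tried: {', '.join(info['users_tried'])}")
```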

DNS Changer Lives

November 15th, 2011

Despite federal prosecutors’ recent success against the infrastructure of DNS Changer and the prosecution of seven Eastern Europeans, it appears that the malware itself still survives.  With its ability to infect systems and change their DNS settings so that users are redirected to websites of the scammers’ choosing, DNS Changer allows criminals to make money through a series of ploys; the method of choice of the seven accused was to exploit click ads.  It affects both Macs and Windows systems and has been around for over five years, so it is a pretty serious threat.

So how do you find out if you are infected?  Check your DNS server settings.  On Windows open a command prompt and type “ipconfig /all”.  This returns a plethora of information but just look for the “DNS Server” entry.  On a Mac, in “System Preferences” select “Network”, and from there select “Advanced”.

Infected systems will show IP addresses in the following ranges (from the FBI):

  • 85.255.112.0 – 85.255.127.255
  • 67.210.0.0 – 67.210.15.255
  • 93.188.160.0 – 93.188.167.255
  • 77.67.83.0 – 77.67.83.255
  • 213.109.64.0 – 213.109.79.255
  • 64.28.176.0 – 64.28.191.255

Companies will need to check their servers and their routers to ensure they have not been compromised.
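As an added example (not part of the original post), a Python check that extracts the DNS servers from saved `ipconfig /all` output, or tests addresses passed to it directly, against the six FBI ranges listed above. The sample ipconfig excerpt is constructed, with its first two DNS entries deliberately placed inside the rogue ranges.

```python
import ipaddress
import re
import sys

# Rogue DNS server ranges attributed to DNSChanger, as published by the FBI
# and listed in the post above.
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
_RANGES = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)) for lo, hi in ROGUE_DNS_RANGES]

# Constructed `ipconfig /all` excerpt; the first two DNS entries sit inside rogue ranges.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION-01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.internal
   IPv4 Address. . . . . . . . . . . : 192.168.1.25(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       67.210.3.9
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

_DNS_FIELD = re.compile(r"DNS Servers[ .]*:\s*(\S*)")
# Continuation lines carry nothing but a further address (IPv4, or IPv6 with a %zone).
_CONTINUATION = re.compile(r"^\s+([0-9A-Fa-f:.%]+)\s*$")


def is_rogue_dns(address):
    """True if an IPv4 address falls in one of the DNSChanger ranges; IPv6 is not covered."""
    addr = ipaddress.ip_address(address.split("%")[0])
    if addr.version != 4:
        return False
    return any(lo <= addr <= hi for lo, hi in _RANGES)


def dns_servers_from_ipconfig(text):
    """Collect every address listed under 'DNS Servers' (all adapters) in ipconfig /all output."""
    servers = []
    collecting = False
    for line in text.splitlines():
        field = _DNS_FIELD.search(line)
        if field:
            collecting = True
            if field.group(1):
                servers.append(field.group(1))
            continue
        if collecting:
            cont = _CONTINUATION.match(line)
            if cont:
                servers.append(cont.group(1))
            else:
                collecting = False   # next labelled field or a blank line ends the list
    return servers


def audit_dns_servers(text):
    """Return [(server, is_rogue)] for each DNS server found in the ipconfig output."""
    return [(s, is_rogue_dns(s)) for s in dns_servers_from_ipconfig(text)]


def rogue_dns_servers(text):
    return [s for s, rogue in audit_dns_servers(text) if rogue]


if __name__ == "__main__":
    # Usage: ipconfig /all > ipconfig.txt, then: python check_dns.py < ipconfig.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    for server, rogue in audit_dns_servers(text):
        print(f"{server:<40} {'ROGUE (DNSChanger range)' if rogue else 'ok'}")
```

The same `is_rogue_dns` check can be run over the DNS entries of a router or server configuration, since the post asks for those to be checked too.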

Security Essentials: Data Loss Prevention – Technology is Just the Start

October 5th, 2011

The data revolution gains pace, and data is massively more accessible and transferable than ever before.  Not all data is equal: some data is more sensitive than other data, but the vast majority of data is sensitive in one way or another.  It might be regulations that require data to be held securely, data that holds the company’s intellectual property, or just communications between individuals that are not for public consumption.  The downside can range from embarrassment to increasingly large fines, but all of these threaten the viability of an institution.

The issue is that with so many applications able to transmit data, it is increasingly easy to make an irretrievable error.  It does not necessarily have to be an unfortunate typo; it can just be ignorance of the risk an individual is taking, as highlighted recently by a medical student, presumably intelligent, copying encrypted data to an unencrypted USB memory stick and then losing that memory stick.  In addition, there is also the increased expectation of working from home and the loss of data that occurs whilst in transit and at home.

So technology has been created to try to prevent unintentional data leaks: the increasingly ubiquitous Data Loss Prevention (DLP), which implements an automated corporate policy to help catch protected data before it leaves an organisation.  There are numerous technologies that can be used:

  • Deep content inspection: looking at the payload in the packet to see if key data is present.  Regular expressions are used to provide some flexibility in what is searched for.
  • Contextual Analysis: looking at more general aspects of the data, who is the originator, who is the recipient, is this communication allowed at this time and similar attributes.
  • Data Dictionaries: providing standard algorithms (catching credit card and Social Security numbers for instance) or standard phrases and lists of words and their synonyms.
  • Centralised management framework to allow company policy to be set.
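An added example (not from the original article or from any DLP product) of the first and third bullets working together: a regular expression finds digit runs that look like card numbers in outbound content, and the Luhn check from the ‘data dictionary’ weeds out order numbers and other digit strings that merely look the part. The sample message is constructed, using the well-known 4111… and 5500… test card numbers.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by a further digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check over a string of digits (the 'standard algorithm' in a DLP dictionary)."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        n = int(ch)
        if pos % 2 == 1:           # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text):
    """Return (matched_text, normalised_digits) for each Luhn-valid card-like run."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):      # drops order numbers and other random digit runs
            found.append((m.group(0), digits))
    return found


def inspect_and_redact(text):
    """Deep content inspection: report the hits and return the text with card numbers masked."""
    hits = find_card_numbers(text)
    redacted = text
    for raw, digits in hits:
        masked = "*" * (len(digits) - 4) + digits[-4:]
        redacted = redacted.replace(raw, masked)
    return hits, redacted


# Constructed outbound message: two real-format test card numbers, one order number
# that passes the length test but fails Luhn, and a phone number that is too short.
SAMPLE_MESSAGE = (
    "Hi, please charge 4111 1111 1111 1111 for order 1234567812345678, "
    "the backup card is 5500-0000-0000-0004. Call me on 01234 567890."
)

if __name__ == "__main__":
    hits, clean = inspect_and_redact(SAMPLE_MESSAGE)
    for raw, digits in hits:
        print(f"blocked: {raw!r} (card ending {digits[-4:]})")
    print(clean)
```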

The trouble is that the technology is just one element of the solution.  There is little doubt that whilst DLP software and devices can help, there is no single software solution that can encompass all aspects of DLP, as different types of data have different threats and hence need different controls.  As with so much security, the answer is not just the tin, it is the people and the processes put in place which count as much if not more so.  So before you invest in a system, make sure you are ready for it and it is appropriate to your organisation.

So what needs to be done?

The first step is a Risk Assessment: this should have already been done but if it hasn’t, then use this opportunity to carry one out.  It will define what your risks are and it may be that DLP is not the most urgent requirement.  If DLP is required, and it probably is, then this assessment should identify:

  • The different types of data inside the company
  • The value of the data
  • The threats and vulnerabilities relating to that data
  • What losses cannot be tolerated

The other important issue to consider is Regulatory Requirements.  Identify what regulations govern your industry with regard to data loss.  This may drive the requirement for DLP.  In the UK, the OFT has been given the power to fine companies significant amounts of money if it can be shown that the security of data was not taken seriously, though it has rarely done so.  However, it does take a dim view if there is no attempt to adhere to those regulations and it is wise to put in place the expected practices.  So consider what controls have to be put in place in light of these regulations.

If from this, you conclude that DLP is required, the next step is to identify the scope of the DLP project and define goals for each stage.  Most organisations have a lot of data and multiple avenues for leakage so DLP can be a large undertaking and may require a staged approach or targeting the most value or most frequent data loss first.

As part of this exercise, it is important to carry out data discovery and classification:

  • Identify where the sensitive data is
  • Where it should be
  • Where it is allowed to be
  • Classify your data – structured, unstructured, confidential, secret etc

This important step will enable you to define the rules for any application that you install.  It may sound obvious but many systems have rules that do not match requirements and when implemented produce major issues with the business.

Whilst you might hope that the people, procedures and technology you put in place will save you from data loss, it is important to plan for the worst.  The creation of an Incident Response plan, defining the strategy if data does go missing, is essential.  It should be well defined and must be carried out swiftly should an incident occur.  It is also important to ensure that the workforce know their part in the plan.  People speaking out of turn can turn a manageable incident into a crisis.

Unfortunately, all these activities take time, so you need to ensure that someone has the time to carry out these initial duties along with the on-going requirements to manage a DLP programme.  Do you have the required expertise in house, or will you need to out-source it or go for training?  Be aware that if you bring this in house, your resource must have time to keep aware of issues and keep the policies up to date.

Finally, an ongoing budget will need to be allocated to this project.  This is very important if the decision is made in light of this work that one or more applications are required.  This budget will be required to cover not just the cost of the application(s) you identify as relevant but also for the training and on-going management that will be associated closely with them.

If you cannot commit to these steps, then the purchase of DLP software may not be a wise option.  Your supplier should be able to help you work through this, but only you or your management will be able to say if DLP is going to produce a beneficial result.

Is your phone exchange being used illegally?

September 9th, 2011

If Unified Communications (UC) doesn’t increase your company’s productivity and connectivity, it isn’t being used right.  So, let’s be clear, it is a good thing; the productivity element is hard to really evaluate, but once you use it, you don’t want to be without it.  However, UC can open up the possibility that you could be the victim of an expensive scam: toll fraud. An unsecured PBX is an invitation for a hacker to re-route hundreds of premium-rate calls through your exchange, leaving you footing a bill that can easily run into tens of thousands before you even know it’s happened.

This is one threat that does not care how big or small your company is, it is just automated to find systems that are unsecured.  It means that you need to check that the system is not only working right but is also secured.  The problem is that technically you have been hacked but under current legislation the owner of an improperly secured PBX is responsible for any charges incurred by it.

We are seeing companies that have gone ahead without considering the security implications falling victim to this scam, so in conjunction with Sipera we are giving a webinar.  It will obviously focus on Sipera’s solution, which we believe is the best in class when it comes to security and total cost of ownership; however, it will also provide information on the risks of toll fraud, discuss the devastation it can cause, and talk about how you can prevent it happening to your company.  If you want to join us on Wednesday 28th September at 3pm, then please sign up.

The Matrix in 2011

August 2nd, 2011

I was just ‘playing’ with a colleague’s mobile phone and struggling with what seemed to me a slightly arcane and not entirely intuitive user interface.  However, that is UIs for you, what seems obvious to one person seems hopeless to another.  It did make me think however about that scene in the Matrix (the first film, I never did see the others) where our hero Neo is on the run (again) and just grabs a phone off some bystander and is immediately able to cancel the existing call and dial a new one.  Seemed totally believable at the time.  I just wondered what the equivalent might be these days?  So here is how it might go…

He grabs the phone, at a glance he can see it is a smart phone and now he has to look more closely and piles into a lamp post.  Picking himself up and undeterred he sprints off but has to divert his glance to find where to cancel the current call which results in tripping over a small dog.  A smart roll and he is back on his feet and running again.  Having cancelled the call, he finds he is locked out, the call was an incoming call and the owner had applied a security code.  However, we all know that the password would be 1111, so he is back in business but he has to enter the code carefully, and the sensitivity of the keypad and the arrangement of the screen keys means that he gets it wrong twice and both times has bowled into people and now has them chasing him as well as the ubiquitous Mr Smith.  He is not making any friends here.

Things are not getting any better but no problem, he stops and focuses and enters the keypad right and he is off again just before Smiths and bystanders catch up with him.  Great, but this is a smart phone and the phone functionality isn’t on the front page but if you swipe to the right there it is, however he had to look at the screen to do this and went straight into a fruit stall.  The stall owner joins the people who would like to have a word with him but he has got to the phone screen and rather than being presented with a dial pad, he has a list of favourites.  The keypad can be invoked using a key just to the left of the call key and just a quick inspection of the screen shows him where.  Great!

So, picking himself up off the little old lady he has just felled, feeling somewhat worse for the wear, and moving somewhat slower, he is off again.  However, now he has three Smiths, two bystanders, the stall owner and probably the grandson of the little old lady he bowled over rapidly catching up but he has made a call to his team and help is on hand.  Or is it, let us remember that smart phones are probably much more powerful than the computers that were around in the nineties and in the World of the Matrix, the computer is the Matrix so isn’t he just on the line to Mr Smith?

Thus ends the last great hope for mankind.  So what moral can we take from this sorry tale?  Beats me, all I know is that I still like MY smartphone, it’s just the others that are rubbish.  Oh and do use a more complex password than ‘1111’.

Advantages and Risks with IPv6

July 18th, 2011

The number of Internet-connected devices is multiplying rapidly. As a consequence of this, the world is running out of Internet Protocol (IP) addresses for IP version 4 (IPv4). While many companies are still reluctant to make the move to IPv6, the reality is that they may soon have to.

IPv6 offers several key advantages over IPv4. These include more available IP addresses and faster, automatic configuration capabilities, to name but two. From an IT security perspective, IPv6 also comes with in-built, mandatory IP Security (IPSec), which should result in the creation of a common network layer security infrastructure.

However, the enhancement to IPSec doesn’t mean that IPv6 will be invincible. This new protocol has a number of key vulnerabilities, and organisations will have to put measures in place to protect against them. Such threats stem from a combination of rogue traffic, rogue devices, tunnelling, spam filtering and multicast.

I have recently written an article in [In]Secure Magazine that describes these potential security threats in more detail.

Servers in the Cloud

June 28th, 2011

Here is an interesting article in the NYTimes - http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline passed to me by our USA CTO.  It makes you think about putting data in the cloud as when your data is “in the cloud” there is the clear and unmistakable risk that you could be sharing resources with not-so-ethical companies, who may suddenly end up under investigation.  And your data may end up being seized in the course of an investigation, without your knowledge.  Suddenly, you lose your server, you lose your data, your website goes offline without notice and without reason, bringing business to a halt.  If you are an online merchant that is of course especially damaging but for anyone putting their business in the cloud, this is reason for great concern.

The investigation in question is supposedly related to the Lulz hacking group.  This investigation is being conducted in conjunction with European authorities.  So the data and servers that were confiscated could become part of an investigation your company has no reason to be involved with at all.

When you approach the cloud, you need to think about these risks:

  • What data do you put in the cloud
  • Where are you actually putting it
  • Who are your neighbours and
  • What happens to your servers and especially your data in situations like the one described here

Your management may well want to be in on this decision!

This is not the first time that the FBI or other investigative agencies have done something like this.  If they continue operating in this manner, with an apparent disregard for the issues caused to the other, innocent, companies hosted on the same or even adjacent servers, they may end up causing damage to the cloud itself.  The result could be that more and more companies reconsider their options and decide that hosting that server in house is still the best option after all, even if it is more costly.