Our friend, Kevin Lancaster from ID Agent, continues in his weekly posting of the week in breaches and phishing attacks. This is important- not just for enterprises, but also for small and medium sized businesses. Attacks are coming in from all directions- here are some highlights from his post:

Protection from Hacks

Two-factor Authentication Hackable?
Our friends at KnowBe4 show 2 Factor may not be enough in some cases.

Student of The Month in California!
Phish Teacher, Change Grades, Get Felony!  You can’t make this stuff up!

Good on ya Mate, Good on ya!
Crikey! Australians appear to have better password hygiene than the rest of us?


What we’re listening to this week:   

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!


Highlights from The Week in Breach

  • Retail Point of Sale Systems (POS) can’t catch a break! can’t get their s*** together.
  • Healthcare insider threat strikes again.
  • Your legal case may have been closed… or deleted.
  • Your personality is revealing and, it may have been revealed.

Chili’s Restaurants
Retail

Small Business Risk: High (Malware/ Forensics, Brand Reputation/ Loyalty)
Exploit: Malware-based Point of Sale Exploit
Risk to Individuals: Moderate (Replacement of Credit/ Debit Cards with limited liability)

What you need to know:  Small business retailers should take the time to educate themselves on POS exploits and how they typically occur. Since most systems do not reside within the traditional network environment, processing systems are most commonly exploited via compromised trusted 3rdparty vendors, common credential stuffing and exploit kits delivered via email.

Chili’s Restaurants

Date Occurred/Discovered March-April 2018 / Discovered 5/11/18
Date Disclosed 5/14/18
Data Compromised Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.
How it was Compromised Malware
Customers Impacted Chili’s has not disclosed the restaurants impacted and/or the number of customers impacted.
Attribution/Vulnerability Undisclosed at this time.

http://time.com/money/5276047/chilis-data-breach-2018/

Note: Breaches have huge repercussions, often resulting in customers losing trust in the brands. According to a study from KPMG, 19% percent of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.

https://www.sfgate.com/technology/businessinsider/article/Chili-s-restaurants-were-hit-by-a-data-breach-12911248.php

Nuance Communications
Healthcare

Small Business Risk: High (PII Exposure, Brand Damage, Compliance Violation & Fines)
Exploit: Former Employee/ Insider Knowledge Exploit.  System and security control failure
Risk to Individuals: Moderate (Compromised Data Contained and not posted for exploit)

What you need to know:  Coming on the heels of a costly malware outbreak in 2017, it seems that Nuance had the limited ability to detect on-network anomalous behavior. With such a large percentage of its target market comprised of organizations that operate in regulated industries including Healthcare, Nuance should have invested in aggressive insider threat/insider mishap detection.

Organizations operating in regulated markets should take a more aggressive approach to both inside threat detection and threats originating within the supply chain as was demonstrated in this case.

Nuance Communications (speech recognition software)

Date Occurred/Discovered 11/20/17 – 12/9/17
Date Disclosed 5/14/18
Data Compromised Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service. The incident did not include information such as social security number, driver’s license number or financial account numbers.
How it was Compromised An unauthorized third party, possibly a former Nuance employee, accessed one of its medical transcription platforms, exposing 45,000 individuals’ records.
Customers Impacted Personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department said that it does not appear that any of the information taken was used or sold for any purpose. All the data has been recovered from the former employee.
Attribution/Vulnerability  Unknown/undisclosed at this time.

Note: News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million. “For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident,” Nuance reported in a Feb. 9 form 10-Q filing to the SEC. “Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses.”

The incident is a reminder that Insider breaches remain one of the most difficult kinds of improper access attacks to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging.

https://www.bankinfosecurity.com/nuance-communications-breach-affected-45000-patients-a-11002

Mason Law Office
Legal

Small Business Risk: High (Compliance Violation & Fines, Brand/ Reputation Damage)
Exploit: Apparent Credential- based, account take-over exploit
Risk to Individuals: High: Sensitive PII and Legal Information loss and/ or deletion  

What you need to know:  It’s not 100% clear that this was an insider threat-based exploit. Regardless, Mason Law Office suffered an all-too-common account-based takeover compromise.  Legal firms leveraging 3rd party case management systems should take the time to review their security controls and procedure.  They should also conduct a full audit to determine who has access to what data within these 3rd party systems and make the required corrections.

Mason Law Office – Sacramento, CA (mycase.com)

Date Occurred/Discovered Discovered 5/5/18
Date Disclosed 5/14/18
Data Compromised Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications.
How it was Compromised The firm discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made.
Customers Impacted Clients of Mason Law Firm using mycase.com.
Attribution/Vulnerability Unknown/undisclosed at this time.

https://www.databreaches.net/mason-law-office-notifies-clients-of-hack-involving-mycase-com/

myPersonality app
Information Technology / Lifestyle

Small Business Risk: High (Forensic, Data Loss via GitHub Post, Brand / Reputation Damage, Fines and Damages)

Exploit: Application security misconfiguration resulting in credential-based exploit

Risk to Individuals: High (PII, Psychological Characteristics & Profile,)

What you need to know: The developers of the personality app failed committed several major blunders in this case.

  1. Poor website/application security allowed for easy and unmonitored access to their website and underlying datasets.
  2. They failed to notice that their data set had been sitting out in the open for 4 years.
  3. The data stored within the platform was easily unkeyed and de-anonymized.

myPersonality app

Date Occurred/Discovered Exact dates unknown – 2014 – 2018
Date Disclosed 5/14/18
Data Compromised The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.
How it was Compromised Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymizing the data can be done very easily.
Customers Impacted 3 million users of the app
Attribution/Vulnerability Publicly available credentials allowed access to the data. For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.

 

https://www.databreaches.net/mypersonality-app-data-leak-exposed-intimate-details-of-3m-users/

https://www.newscientist.com/article/2168713-huge-new-facebook-data-leak-exposed-intimate-details-of-3m-users/

 

Advertisements

Your Step by Step Guide to Mitigating and Preventing a Ransomware Virus in your Small/Medium Business

With the recent epidemic of ransomware viruses (up over 600% in 2016 and with the newest batch of exploits wreaking havoc internationally), I thought it would be a good idea to go through the basic guidelines for mitigating and containing ransomware for your small to mid sized business. There are plenty of additional pieces to putting this together completely so please reach out to me if you would like some assistance. Some of these are simple recommendations and this is by no means a complete list. But, then again, eat healthy, exercise regularly and don’t smoke are simple recommendations – and if you don’t follow them, you know what to expect.

  1. Use a reputable multi vector end point security – Use anti virus programs like Webroot/Kaspersky/McAfee/Avast. Don’t be penny wise and pound foolish. Buy a proper license for each machine. Keep it updated for all new definitions. Keep it current and get one that is constantly being updated. No one program is going to be 100% effective. Also, make sure that you have a program that detects malware. Malwarebytes Premium is my favorite. Again – go for the full paid version and don’t try to cut corners on freemium or freeware versions. An ounce of prevention is worth a pound of cure.  You need protection that is going to detect phishing from spam, detect unsafe websites and web browser protection.
  2. Put strong back up procedures in place– you should have back ups in place with a return point objective that you can live with. That means that you should have back ups both onsite on a device and in the cloud. Both of the back ups should be constantly tested for verification and the process should be monitored. When this is successfully in place, in case of an outbreak, you can restore to the last back up that was unaffected. Please note: tape drives, USB sticks, and removable hard drives are not adequate for business applications. You need a proper belt and suspenders- a properly sized on premise device that is backed up to the cloud.
  3. Make sure that you are updating your operating system and plug ins regularly – the current round of ransomware is exploiting unpatched and un-updated Windows vulnerabilities. We update our clients with whitelisted patches and updates from Microsoft. Make sure that you are constantly updating your operating system. Make sure that you are scheduling your updates properly- for all of your computers and all of your devices. Make sure you update all of your computers- even those that you may use less frequently. For example, we use micro pc’s in our conference room- for use with our large screen monitors. All of those units must be updated regularly.
  4. Make sure that your firewall is regularly updated and maintained– your firewall should be under contract and updated with the very latest definitions. Your firewall is all that stands between you and the virus filled Internet. We recommend Watchguard because it is constantly being updated and maintained – and it includes best of breed components that would be too expensive to buy separately bundled in.
  5. Disable autorun- make sure that you disable autorun for everyone!!Yes, autorun is useful. Yes, it is also used by viruses and malware to propagate itself throughout a network. In these dangerous times, disable it.
  6. Stop making everyone an Admin!! – administrators should be admins. However, if you give everyone admin rights, you open yourself up to more damage. User should be users and admins should be admins. Period.
  7. Enforce secure passwords– believe it or not, people use stupid passwords. Enough with stupid. If you want to get infected, use a simple password. If you don’t use a secure password (strong with characters, alphanumeric and symbols). Better yet, have your users get a password manager app.
  8. When relevant, encourage the use of two factor authorization– if you have compliance requirements (HIPAA or PCI) definitely use two factor authorization.
  9. Disable RDP– remote desktop protocol is used by all sorts of viruses and malware to gain access. If you don’t need it or don’t know what it is, disable it.
  10. Educate EVERYBODY– even if your office is a handful of people- but especially if you have less sophisticated users- education of the threat is important. Your staff should know what phishing, spear phishing and how to recognize and avoid suspicious emails. Incorporate this into your onboarding of new employees or have a meeting about this. If you would like a recommendation for videos, send me an email and I will send you a recommended list. Along with that, add pertinent sections to your employee manual about bringing your own device onto the network, using “free”USB drives, and clicking on links in emails.

Like I said, this is by no means a comprehensive list. I have learned Mark Twain may have had the last word. “It’s not what you know that gets you in trouble, it’s what you know for sure that just ain’t so”. The world of viruses and malware is changing. Yesterday’s method may be overcome in an instant and you have to keep on top of it. If you need help- just let me know!

 

Prime Telecommunications Leverages State-of-the-Art Cybersecurity Techniques and Tools to Protect Customers

Prime Telecommunications, Inc., a leading provider of unified communications, announced today that the company is leveraging state-of-the-art cyber security techniques and tools to protect customers from cyber attacks that have become a daily occurrence in the small to mid-sized business marketplace. The company has been at the forefront of cybersecurity for many years and has taken their expertise to an entirely new level, well beyond their competition. Prime Telecommunications protects businesses from several key cybersecurity threats.

The first threat facing organizations is phishing. Phishing is essentially, using fake links to lure users into offering up sensitive information, by posing as an authority. Hackers can embed malicious links into emails, attachments or images, which usually lead to another page that requests the sensitive information, which will later be used against the user. One of the most creative ways hackers have found to attack SMBs is to call in and impersonate IT staff or Network Administrators, asking for specific information off the employee’s computer to resolve a potential “virus.” The employee will usually comply and supply the information, giving the hacker the exact keys they need to infiltrate the system.

The next area of concern is mobile security. As web traffic continues to migrate from PC to mobile, hackers have followed suit by redirecting their efforts to mobile attacks, as well. At an organization, whereby users are encouraged to BYOD (bring-your-own-device) to the network, this increases the exposure for network attack exponentially. SMBs need to be on the lookout for attacks from third party apps, mobile malware and unsecured public Wi-Fi locations. For example, employees will use their phone at an unsecured Wi-Fi hotspot to work but they won’t realize that the network is rigged to enable hackers with easy access to sensitive apps, data and information on any phones connected to that particular unsecured Wi-Fi hotspot. In many cases, users will be attacked without even realizing that the attack has happened.

The last area for an SMB to monitor is malvertising. This threat is where hackers embed malware within advertisements, landing pages or even directly on reputable websites. Sites that offer advertising on a massive scale, such as Facebook, have a tough time regulating online security throughout the buying process. Facebook can do its best to ensure that the links on Facebook aren’t malicious; however, they have no access to monitoring the pages that those advertisements lead to, once the user has left Facebook. Malvertisers can embed a code on an advertisement which leads to a dummy checkout page or a fake application page, which phishes all of the sensitive information that the hacker needs to launch an attack.

“These threats all point to the importance of SMBs consulting with an expert in the cybersecurity field,” stated Vic Levinson, President at Prime Telecommunications. “We are well-equipped to deal with threats like these, in addition to the new threats that will undoubtedly arise over the coming years. For any business that leverages technology as one of its key productivity drivers, it pays to have a team like Prime Telecommunications to face the hackers of the world.”

The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

 

09/06/2016 06:29 PM EDT
Original release date: September 06, 2016 | Last revised: September 28, 2016

Systems Affected

Network Infrastructure Devices

Overview

The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.

To address threats to network infrastructure devices, this Alert provides information on recent vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention and mitigation recommendations.

Description

Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.

For several years now, vulnerable network devices have been the attack-vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.

Proliferation of Threats to Information Systems

SYNful Knock

In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a crafted TCP SYN packet, a communication channel is established between the compromised device and the malicious command and control (C2) server. The impact of this infection to a network or device is severe and most likely indicates that there may be additional backdoors or compromised devices on the network. This foothold gives an attacker the ability to maneuver and infect other hosts and access sensitive data.

The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications. The implant resides within a modified IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. Any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after the device reboots. However, these devices are rarely or never rebooted.

To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attacker examines the functionality of the router and determines functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.

The attacker can utilize the secret backdoor password in three different authentication scenarios. In these scenarios the implant first checks to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will forward the credentials for normal verification of potentially valid credentials. This generally raises the least amount of suspicion. Cisco has provided an alert on this attack vector. For more information, see the Cisco SYNful Knock Security Advisory.

Other attacks against network infrastructure devices have also been reported, including more complicated persistent malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. For more information, please see Cisco’s description of the evolution of attacks on Cisco IOS devices.

Cisco Adaptive Security Appliance (ASA)

A Cisco ASA device is a network device that provides firewall and Virtual Private Network (VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s network infrastructure, and to give remote users access to protected local resources.

In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were modified in an unauthorized way. The ASA devices directed users to a location where malicious actors tried to socially engineer the users into divulging their credentials.

It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices. The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software for more information and for remediation details.

In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco vulnerability (CVE-2016-6367). Although Cisco provided patches to fix this Cisco ASA command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable to the described attack. Attackers may target vulnerabilities for months or even years after patches become available.

Impact

If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data.

Intruders with infrastructure privilege and access can impede productivity and severely hinder re-establishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult.

Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts.

Solution

1.    Segregate Networks and Functions

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.

Physical Separation of Sensitive Information

Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.

Recommendations:
  • Implement Principles of Least Privilege and need-to-know when designing network segments.
  • Separate sensitive information and security requirements into network segments.
  • Apply security recommendations and secure configurations to all network segments and network layers.
Virtual Separation of Sensitive Information        

As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.

Recommendations:
  • Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.
  • Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
  • Use VPNs to securely extend a host/network by tunneling through public or private networks.

2.    Limit Unnecessary Lateral Communications

Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow a network intruder to easily spread to multiple systems. An intruder can establish an effective “beach head” within the network, and then spread to create backdoors into the network to maintain persistence and make it difficult for defenders to contain and eradicate.

Recommendations:
  • Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or IP address to limit access from services and systems.
  • Implement a VLAN Access Control List (VACL), a filter that controls access to/from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
  • Logically segregate the network using physical or virtual separation allowing network administrators to isolate critical devices onto network segments.

3.    Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of resources to administrators on how to harden network devices. These resources include benchmarks and best practices. These recommendations should be implemented in conjunction with laws, regulations, site security policies, standards, and industry best practices. These guides provide a baseline security configuration for the enterprise that protects the integrity of network infrastructure devices. This guidance supplements the network security best practices supplied by vendors.

Recommendations:
  • Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, FTP).
  • Disable unnecessary services (e.g. discovery protocols, source routing, HTTP, SNMP, BOOTP).
  • Use SNMPv3 (or subsequent version) but do not use SNMP community strings.
  • Secure access to the console, auxiliary, and VTY lines.
  • Implement robust password policies and use the strongest password encryption available.
  • Protect router/switch by controlling access lists for remote administration.
  • Restrict physical access to routers/switches.
  • Backup configurations and store offline. Use the latest version of the network device operating system and update with all patches.
  • Periodically test security configurations against security requirements.
  • Protect configuration files with encryption and/or access controls when sending them electronically and when they are stored and backed up.

4.    Secure Access to Infrastructure Devices

Administrative privileges on infrastructure devices allow access to resources that are normally unavailable to most users and permit the execution of actions that would otherwise be restricted. When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them. These compromised privileges can enable adversaries to traverse a network, expanding access and potentially allowing full control of the infrastructure backbone. Unauthorized infrastructure access can be mitigated by properly implementing secure access policies and procedures.

Recommendations:
  • Implement Multi-Factor Authentication – Authentication is a process to validate a user’s identity. Weak authentication processes are commonly exploited by attackers. Multi-factor authentication uses at least two identity components to authenticate a user’s identity. Identity components include something the user knows (e.g., password); an object the user has possession of (e.g., token); and a trait unique to the specific person (e.g., biometric).
  • Manage Privileged Access – Use an authorization server to store access information for network device management. This type of server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. To increase the strength and robustness of user authentication, implement a hard token authentication server in addition to the AAA server, if possible. Multi-factor authentication increases the difficulty for intruders to steal and reuse credentials to gain access to network devices.
  • Manage Administrative Credentials – Although multi-factor authentication is highly recommended and a best practice, systems that cannot meet this requirement can at least improve their security level by changing default passwords and enforcing complex password policies. Network accounts must contain complex passwords of at least 14 characters from multiple character domains including lowercase, uppercase, numbers, and special characters. Enforce password expiration and reuse policies. If passwords are stored for emergency access, keep these in a protected off-network location, such as a safe.

5.    Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can implement corrective actions without allowing the adversary who may have already compromised a portion of the network to observe these changes.

OoB management can be implemented physically or virtually, or through a hybrid of the two. Building additional physical network infrastructure is the most secure option for the network managers, although it can be very expensive to implement and maintain. Virtual implementation is less costly, but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.

Recommendations:
  • Segregate standard network traffic from management traffic.
  • Enforce that management traffic on devices only comes from the OoB.
  • Apply encryption to all management channels.
  • Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.
  • Manage all administrative functions from a dedicated host (fully patched) over a secure channel, preferably on the OoB.
  • Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs Implement access controls that only permit required administrative or management services (SNMP, NTP SSH, FTP, TFTP).

6.    Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.

Recommendations:
  • Maintain strict control of the supply chain; purchase only from authorized resellers.
  • Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.
  • Inspect the device for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices, verifying network configurations of devices on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.

 

Shadow Broker Exploits
Vendor CVE Exploit Name Vulnerability
Fortinet CVE-2016-6909 EGREGIOUSBLUNDER Authentication cookie overflow
WatchGuard CVE-2016-7089 ESCALATEPLOWMAN Command line injection via ipconfig
Cisco CVE-2016-6366 EXTRABACON SNMP remote code execution
Cisco CVE-2016-6367 EPICBANANA Command line injection remote code execution
Cisco CVE-2016-6415 BENIGNCERTAIN/PIXPOCKET Information/memory leak
TOPSEC N/A ELIGIBLEBACHELOR Attack vector unknown, but has an XML-like payload
beginning with <?tos length=”001e.%8.8x”?
TOPSEC N/A ELIGIBLEBOMBSHELL HTTP cookie command injection
TOPSEC N/A ELIGIBLECANDIDATE HTTP cookie command injection
TOPSEC N/A ELIGIBLECONTESTANT HTTP POST parameter injection

 

References

Revision History

  • September 6, 2016: Initial release
  • September 13, 2016: Added additional references

Prime Telecommunications Offers Innovative Cloud Disaster Recovery Solutions

Prime Telecommunications, Inc., a leader in unified communications, announced today that it has launched a program that focuses on cloud-based data safety. This program is aimed to help small to mid-sized businesses (SMBs) to effectively store, manage, and transfer their critical business files seamlessly while simultaneously increasing the overall security of all of their business files. Whether employees are utilizing files on their servers, laptops, workstations or smartphones, this Cloud Disaster Recovery Program will change the way that business owners handle their sensitive corporate and financial information.

For those who aren’t yet familiar, disaster recovery, is a set of policies and procedures which enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. The majority of enterprise-level organizations have recognized the blatant need for disaster recovery programs because they focus on strengthening the underlying IT or technology systems supporting critical business functions, especially in moments of need. For example, when an organization starts growing and adds on more staff, there are more possibilities for human-induced disasters or data theft. An accidental deleted or misplaced file can can cost companies dozens of hours in lost producitity. Futhermore, with more staff come more devices, which in an increasing BYOD (Bring Your Own Device) environment, means that there are more vulnerability points for hackers to enter the network. When businesses begin to scale, these productivity interruptions are no longer tolerable.

“When a business begins its growth trajectory, it’s easy to sit back and enjoy the success,” stated Vic Levinson, President at Prime Telecommunications. “We know that feeling. It’s so rewarding to see your business growth outpacing your operating expenses and all of the years of sacrifice make it completely worth it. It’s so easy to kick your feet up, relax and enjoy the fruits of your labor in that moment, however, this is precisely when businesses need to take the steps to protect themselves so they can continue to grow at that same rate. This is when they are most susceptible to virtual disasters and without a comprehensive disaster recovery plan and cloud technology that is engineered specifically to shrug off these types of disturbances, they are putting that stable growth at risk.”

In years prior, many businesses were hesitant to purchase cloud-based disaster recovery solutions because they required large, up-front capital expenditures. Prime Telecommunications’ cloud disaster recovery program breaks this pattern because its on a pay-as-you go model, so businesses only pay for what they use, enabling them to scale up and down their disaster recovery program in perfect sync with the pace of their businesses. It’s file syncing, syncing with business growth, syncing with a cost structure that makes this technology easy to implement into any growth-oriented SMB.

Prime Telecommunications Educates Customers on Ransomware

watchguard-1

Prime Telecommunications, Inc., a leader in unified communications, announced today that they have launched a ransomware awareness campaign. The purpose of the campaign is to quickly educate business owners in understanding one of the latest threats now facing small to mid-sized businesses (SMBs). Ransomware is a specific variation of malware, that is growing in popularity amongst hackers and Prime Telecommunications is doing its best to alert business owners of this new tactic. Prime Telecommunications’ existing customers are very well protected against this type of threat but many business owners may be unaware of the potential destruction this has on an organization.

While business owners have always understood the need to protect their businesses from malware, short for “malicious software”, ransomware is a new tactic that hackers are using to attack businesses in an especially wicked way. Essentially, an employee will receive an email with a deceptive link, labeled “See Resume Here” or “Download Report Now”, and then upon clicking the link, a ransomware application will be installed immediately on the computer. Then, the software can remain hidden for several days, until it is activated. At that moment, the ransomware application will hijack critical files, remove them from the network, encrypt them so no other computers can access them and then hackers will send an email demanding payment for the release of the missing files. The biggest problem with this type of cyber attack is that it leaves absolutely no leverage to the business owner. Even if they pay the “ransom”, hackers don’t necessarily unlock the files every time. “This is a huge problem that could have drastic impact on an organization and the craziest thing we notice is that there is such a simple solution,” stated Vic Levinson, President at Prime Telecommunications.

“These types of attacks happen far too often, and we take great pride in protecting our customers from threats like this,” added Levinson. “The first line of defense for these kinds of attacks is a technically educated staff. While the majority of these threats come in the form of suspicious email links, an educated staff can avoid these catastrophes simply through awareness. That’s one of the reasons why we issued this press release,” commented Levinson. “For business owners that see the value of peace of mind, we devise comprehensive solutions that thwart these types of attacks from every angle. We take a global approach that includes a combination of anti-virus software, anti-malware software, strong firewalls, employee education, data backup, and network redundancy. What we’ve noticed over the years is that every network has different exposure points and our job is to come in as a technology advisor and to proactively prevent not only ransomware attacks, but the myriad of others attacks that a business owner may face for years to come.”

Prime Telecommunications’ mission is to leave business owners in a more empowered position by serving as an educator of emergent technologies. “Our biggest aim with this campaign is to usher in a sense of urgency amongst business owners so they take action now, instead of waiting to be in a difficult, immutable situation later,” closed Levinson.

Who’s Stealing Your Bandwidth?

Prime Telecommunications, Inc., a leading provider in unified communications, announced today that the company is educating its customers on the recent expansion of bandwidth monitoring and management solutions. Essentially, bandwidth monitoring is the practice and policy of tracking the utilization of company bandwidth between all employees, software applications and desktops. The growth of bandwidth management solutions in recent years is due primarily to growth of company provided and personal devices (smart phones, tablets, etc.) connected to an organization’s network.

According to Vic Levinson, President of Prime Telecommunications, “Any company that provides cloud-devices, software or applications that run over a data network, need to ensure that bandwidth is being consumed properly.” This notion reflects the current state of most solutions, which are simply being strained to the point where many business owners notice that the devices, applications and software underperform. In essence, it’s like siphoning out all of the gas from a car, and then blaming the car for running on fumes. The problem lies with poor policy making and a lack of guidelines for employees on how to properly utilize the Internet at a place of business.

“On many occasions, we’ve found that up to 40% of a company’s employees are choking bandwidth and making it harder for other people to do their work,” Levinson added. “We conduct quarterly reviews with our customers where we assess the performance of all of the technology that we provide. It gives our clients a global perspective on their network and what its performance is and how it can be better. Our overarching goal is to make sure that our customers’ businesses are performing at more productive levels and this is how we quantify productivity. This is why we lead these meetings with device performance audits. With bandwidth being the central resource upon which nearly every technology relies, we have to make sure that this is being consumed in accordance with best practices before any other steps are taken.”

In addition, to the underperformance of the network and the drain on productivity this can cause, many business owners appreciate technology audits, like the one provided by Prime Telecommunications, because they uncover how much time employees are spending on various sites that have nothing to do with their job. This gives tremendous insight on the productivity, or lack thereof, with certain employees. One of the quickest ways to immediately boost customer profitability is to restrict the bandwidth of employees to sites to those that are exclusively productive in nature, as opposed to entertainment-based sites.

“In some cases, employees simply don’t know that their bandwidth consumption is slowing the rest of the team down. New parents can put their children in day care and want to stream the video from time to time to see how their child is doing throughout the day. Inherently there’s nothing wrong with this, if done on occasion. However, when a parent leaves one of these streaming videos up while they begin working on other things, the rest of the team will notice the lag time that slows down their own desktop. The network is simply a shared resource that needs some guidelines in place, especially in the new employee handbook. With a comprehensive bandwidth consumption policy in place, business owners can rest assured that their software, hardware and online tools will all function at optimal levels.”

Cloud and Human Resources

Cloud computing is penetrating every corner of business, and this includes human resources. Human resources professionals can benefit greatly from effective communication, instant access to information and applications, and cloud-based systems. HR is often thought of as a pretty administrative job. With the implementation of cloud tools and resources, HR professionals can remove this administrative stress and instead turn their attention to the employees and the business. Here are some benefits of cloud computing for human resources:

Cloud Software for HR

There is a lot of HR cloud software available, and the best ones combine the many functions of HR into one central place. This software can help get a lot of tasks done, including tracking applications, searching resumes, generating reports, calculating payroll, tracking performance appraisals and maintaining data on current employees. This streamlines many HR processes, helping to boost productivity and communication. And the end environment remains familiar. Users might not even realize they’re working in the cloud.

Businesses and customers also get quick access to the software they need, as it can be installed company-wide in hours, rather than days. They will also receive access to the latest software updates automatically, which is a perk of a cloud software subscription.

Efficient Recruiting

Recruiting is a huge part of human resources, and today the pool of talent is increasingly competitive and complex. HR cloud solutions make it easier to create job postings and expand their reach to multiple platforms, while collecting candidate information. HR and talent acquisition professionals have to be able to grow their reach without needing to greatly expand resources. Luckily, cloud software can track, measure and report from various online databases that hold candidate information, helping HR professionals access more talent. And once they’ve accessed talent, big data can compare various candidates and provide both relevant and targeted results to HR professionals. This means that positions can be filled faster, reducing time between hires and costs of hiring.

A Mobile Workforce

You’ve probably heard it before, but we’ll say it again: cloud computing offers professionals the ability to access their data and applications on-demand via the Internet. This means they can work from any device, in any location, at any time. Yeah, that’s pretty hard to beat. This allows businesses to grow a mobile workforce. HR professionals can access their programs and data on the go. So if they’re off on a recruiting trip, these employees can still take advantage of cloud software and maintain communication with the folks back at the office.

An Affordable Solution

Cost concerns are always prevalent when considering new technology. Fortunately, cloud computing makes HR solutions affordable for any size business. The costs that often come with server space, extra in-house IT personnel, expensive software and licenses, and maintenance are eliminated. A provider like RapidScale comes in and manages the solutions, simply offering the business access to these resources.

Sophisticated Security

Like cost, security will always be top of mind when looking at new technology. Cloud security has greatly matured in recent years and HR professionals, who often work with sensitive information, get access to sophisticated security systems through their provider. Cloud provider’s depend on their reliability and reputation, so they go great lengths to ensure client information remains secure. This includes measures like in-flight and at-rest encryption, geographically diverse data centers, strong firewalls, 24×7 monitoring and support, strict SLAs, intense physical security and more.

 

This was written and published on the Rapidscale Blog by Sommer Figone. 

Hybrid Cloud: The Best of Both Worlds

Hybrid cloud is the solution that offers the best of both worlds – and by that, we mean it combines the benefits of the private and public cloud environments. This allows organizations to pick a strategy that works best with their workloads, demands and preferences, while still experiencing the flexibility of the cloud.

It’s no coincidence that by the end of 2017, nearly half of large enterprises will have hybrid cloud deployments (Gartner). This is the solution that allows businesses to embrace cloud technology while remaining comfortable with the security of their information. Let’s look further at why a hybrid environment is so beneficial.

Leverage Public and Private Cloud

The whole idea of the hybrid cloud is that it combines public and private cloud infrastructures. Businesses using a hybrid model get the best of both worlds, as certain data and workloads are better suited for either the public or private cloud. Organizations can decide which aspects of their business they want in each environment, allowing them to take advantage of all the benefits.

Companies can complete non-sensitive operations and collaboration in the public environment, while ensuring that critical data and applications remain secure in the private cloud. A business can rely on the cost efficiency and scalability of the public cloud, while looking to the private cloud for advanced security, control and flexibility. The hybrid model also allows you to place information according to any compliance requirements. The hybrid cloud is the most flexible IT environment for a business.

A hybrid model is best suited for businesses that experience business fluctuations but still deal with confidential information. For example, e-commerce organizations see constant traffic shifts, but also deal with personal and payment information. A hybrid cloud allows organizations like these to complete processing and basic operations upfront, without risking the confidentiality of important information.

Cost Efficiency

Hybrid cloud helps organizations move from a CapEx model to an OpEx one. Additionally, businesses see costs that reflect their actual demand, thanks to the pay-as-you-go pricing that is so popular. Organizations will see reduced total cost of ownership (TCO), and improved cost efficiency overall.

The hybrid environment successfully bridges the gap between a business’ old and new systems, meaning not everything has to be replaced. This efficiency saves a lot of money, as it utilizes much of what is already in place. Additionally, scaling is much easier as demand changes, as it can be done seamlessly and immediately, without having to invest in expensive new equipment.

Scalability

With a private cloud, businesses are responsible for significant investments in server and storage hardware, and when they face the need to scale up, these investments only grow. This isn’t necessary, as the public cloud avoids these costs with almost unlimited scalability. This is a major benefit that a hybrid cloud takes advantage of. When an organization needs to scale its resources, it’s quick and easy, and won’t put a burden on the budget.

Security

A huge draw of the hybrid environment is the ability to have greater control over security. It allows organizations to maintain in-house storage for sensitive information and operations, while still gaining the benefits of a public cloud. Many businesses see this as a way of avoiding security concerns.

Security is rightly a concern of most businesses, especially those that handle personal information and payments. Many organizations are simply not comfortable putting all of this information into a public cloud, but it’s also limiting to stick only to a private cloud. That’s why a hybrid model strikes the perfect balance. Businesses can ensure that data remains secure on dedicated servers, while still benefitting from scalability and cost efficiency. This creates an efficient, seamless, agile environment for an organization to run in.

The Right Way to Do It

Once you get the hang of the hybrid cloud concept, you might think you’re ready to just jump in. But hold on – there’s a right way to go about it.

By doing some self-evaluation, determine ahead of time which workloads will fit best in each environment. It’s important to ensure that you’re pairing the correct resources with the correct operations, data and applications. Additionally, don’t be afraid to start small! Once you’re used to the new cloud environment, you can scale up, and you’ll be much more prepared. This allows everyone, especially your IT team, to get comfortable with the new hybrid model.

Streamline Manufacturing in the Cloud

streamline manufacturing in the cloud

Today, manufacturers are already benefiting from the cloud. They use mobile reporting, online dashboards and automation. According to Mint Jutras, SaaS-based apps are already 22% of all manufacturing and distribution software installed today. This will grow to 45% within ten years. However, the use of the cloud in this production sector can go even further.

Today, manufacturing organizations face huge challenges that the cloud is ready to take on, including regulatory and compliance requirements, the introduction of big data, a pressure to innovate rapidly, a global marketplace, security, and much more. While manufacturers have made small moves towards the cloud, they can now fully embrace it.

Why cloud computing?

Manufacturers face many constant challenges. They are increasingly compared to competitors and face a pressure to increase accuracy, process speed, security, innovation and more.

Cloud computing is a popular solution today that is benefiting businesses in all industries – and manufacturing is no exception. The move to the cloud results in transferring many responsibilities and costs to the cloud provider, including hardware maintenance and software upgrades. With characteristics like scalability, cost efficiency, security, centralized data and flexibility, it’s no wonder that the cloud is proving to be such a powerful force in the business world.

By combining cloud computing and manufacturing, these organizations are able to streamline their operations and business. This not only benefits time to market, but it also frees up time, money and resources for innovation. The benefits of cloud in the manufacturing sector include reduced costs, rapid deployment, greater innovation, increased flexibility and improved security.

 

  1. Overall Reduced Costs

With cloud solutions in place, manufacturers are able to reduce both capital and operating costs significantly. These organizations, after moving to the cloud, use hardware that is managed, monitored and maintained by the cloud computing provider. Additionally, much of the up-front capital costs are replaced by lower, predictable operational costs, as businesses use a pay-as-you-go or subscription model in the cloud, which can be adjusted at any time. Manufacturers will undoubtedly see savings in IT labor, operating, space, computing resource, administrative, and management costs. As they see these savings, manufacturers will experience greater ease and innovation within their organization.

  1. Quick Deployment and Innovation

Not only does cloud lead to easier access and lower costs for the necessary infrastructure resources, but it also results in rapid deployment. Ultimately, this supports faster time to market. Setup for production infrastructure can happen in a matter of minutes or hours, instead of the weeks that are typical with traditional solutions. This rapid deployment supports quicker responses to dynamic demands from around the globe that manufacturers constantly face.

Furthermore, the quick setup cloud computing allows leads to increased innovation within an organization. Manufacturing companies can more quickly access new capabilities to easily experiment, share and collaborate. These innovations won’t result in the typical significant costs or disruption of resources. Instead, they may result in a step forward for the manufacturer.

  1. Operational Flexibility

Speaking of the dynamic demands manufacturers face, it’s clear that operational flexibility is extremely important for these organizations. With the immense scalability that cloud computing offers, manufacturing companies can easily and quickly free up the resources they need to accommodate demands. As demand fluctuates, it’s easy to scale or provision new capabilities.

But scalability isn’t the only way these companies can experience flexibility. Cloud computing makes it possible to access, use and share secure data from any location, on any device, at any time. This means employees around the globe can easily participate in remote operations by accessing centralized data and workflows, as well as collaborate with ease while avoiding travel and security issues. This brings geographically separate employees together, which ultimately benefits the manufacturing company.

  1. Full Security

While security continues to be the main factor standing in the way of cloud adoption, it has improved immensely. The cloud makes it possible for manufacturers to extend their existing security model into the cloud and add to it. Additionally, cloud security prepares an organization for multiple threats through authentication, authorization and encryption on both the application and infrastructure levels.

Cloud providers know that security is a top priority for the organizations they work with, and therefore have made it their own priority as well. Providers have the resources to hire security experts and dedicate personnel, time and money to client security. This is more than a manufacturer is able to do for itself, so more often than not, these organizations experience greater security after moving to the cloud.

Cloud computing can help streamline the operations of manufacturers, allowing them to focus on developing new products and increasing sales. While improving manufacturing in the above four ways, cloud also reduces the environmental impact of manufacturing and supports an enhanced customer experience.

Manufacturing isn’t the only industry that’s benefiting! See more about cloud’s impact on every sector right here.