HSTS Strict-Transport-Security

Testing your website:
https://hstspreload.org/


The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

Header type: Response header
Forbidden header name: no

Syntax

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives

max-age=<expire-time>
The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
includeSubDomains (optional)
If this optional parameter is specified, this rule applies to all of the site’s subdomains as well.
preload (optional)
See Preloading Strict Transport Security for details. Not part of the specification.

Description

If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

An example scenario

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you’re using is actually a hacker’s laptop, and they’re intercepting your original HTTP request and redirecting you to a clone of your bank’s site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you’ve accessed your bank’s web site once using HTTPS, and the bank’s web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

How the browser handles it

The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring. Should it be necessary to disable Strict Transport Security, setting max-age to 0 (over an HTTPS connection) will immediately expire the Strict-Transport-Security header, allowing access via HTTP.
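The caching rules described in this section, as an added example that is not part of the MDN page: a small Python model of a browser's HSTS store. It records a policy only from an HTTPS response with a valid certificate, refreshes the expiry whenever the header is seen again, clears the entry on max-age=0, and applies a parent domain's policy to subdomains only when includeSubDomains was set. Host names, clock values and header strings in the usage section are constructed; the preload list and public-suffix handling are deliberately left out.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsEntry:
    expires_at: float        # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


class HstsStore:
    """Minimal model of a browser's HSTS cache (RFC 6797 semantics, simplified)."""

    def __init__(self) -> None:
        self._entries: Dict[str, HstsEntry] = {}

    @staticmethod
    def parse_header(value: str) -> Optional[dict]:
        """Parse a Strict-Transport-Security value into its directives.
        Directive names are case-insensitive; a missing or non-numeric
        max-age makes the whole header invalid (returns None)."""
        max_age = None
        include_subdomains = False
        preload = False
        for raw in value.split(";"):
            directive = raw.strip()
            if not directive:
                continue
            name, _, arg = directive.partition("=")
            name = name.strip().lower()
            arg = arg.strip().strip('"')
            if name == "max-age":
                if not arg.isdigit():
                    return None
                max_age = int(arg)
            elif name == "includesubdomains":
                include_subdomains = True
            elif name == "preload":
                preload = True
            # unknown directives are ignored
        if max_age is None:
            return None
        return {"max_age": max_age,
                "include_subdomains": include_subdomains,
                "preload": preload}

    def process_response(self, host: str, scheme: str, header_value: str,
                         now: Optional[float] = None, cert_ok: bool = True) -> bool:
        """Apply the header from one response. Returns True if the cache changed."""
        now = time.time() if now is None else now
        if scheme.lower() != "https" or not cert_ok:
            return False  # header seen over HTTP or with a bad certificate: ignored
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 expires the policy at once
            return True
        # a repeated header refreshes the expiry
        self._entries[host] = HstsEntry(now + parsed["max_age"],
                                        parsed["include_subdomains"])
        return True

    def should_upgrade(self, host: str, now: Optional[float] = None) -> bool:
        """True if an http:// request to host must be rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue  # no policy for this name, or it has lapsed
            if i == 0 or entry.include_subdomains:
                return True  # exact host, or a parent with includeSubDomains
        return False


if __name__ == "__main__":
    # Constructed walk-through of the scenario above.
    store = HstsStore()
    store.process_response("foo.com", "http", "max-age=31536000", now=0)      # ignored
    store.process_response("foo.com", "https", "max-age=31536000; includeSubDomains", now=0)
    print(store.should_upgrade("www.foo.com", now=60))                         # True
    print(store.should_upgrade("www.foo.com", now=31536000))                   # False, expired
```

The `should_upgrade` walk from the full host name up through its parent domains is what makes includeSubDomains work: a policy recorded for foo.com covers api.foo.com only if that flag was set.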

Preloading Strict Transport Security

Google maintains an HSTS preload service. By following the guidelines and successfully submitting your domain, browsers will never connect to your domain using an insecure connection. While the service is hosted by Google, all browsers have stated an intent to use (or actually started using) the preload list. However, it is not part of the HSTS specification and should not be treated as official.

Examples

All present and future subdomains will be HTTPS for a max-age of 1 year. This blocks access to pages or subdomains that can only be served over HTTP.

Strict-Transport-Security: max-age=31536000; includeSubDomains

In the following example, max-age is set to 2 years, raised from the former limit of 1 year. Note that 1 year is acceptable for a domain to be included in browsers’ HSTS preload lists; 2 years is, however, the recommended goal for a website’s final HSTS configuration, as explained on https://hstspreload.org. The header is also suffixed with preload, which is necessary for inclusion in most major web browsers’ HSTS preload lists, e.g. Chromium, Edge and Firefox.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Specifications

Specification: HTTP Strict Transport Security (HSTS)
Status: IETF RFC
Comment: Initial definition


Source :
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

The Worst Cyberattacks and Data Breaches of 2019

Put your email address in the have i been pwned? website and see what results you get. How secure do you feel? By 2020, it’s safe to assume that most people with an online presence have had at least some of their Personally Identifiable Information (PII) compromised in a data breach.

SonicWall has been tracking and reporting on major data breaches throughout 2019 and we’ve compiled a list of not necessarily the biggest cyberattacks and data breaches of 2019, but the ones with the worst overall impact, giving us insight into the direction cyberattacks are heading in 2020.

Notable cyberattacks of 2019

Quest Diagnostics

Breaches that result in the loss of medical data can be damaging due to the possibility of highly personal information being released, whether that data is medical records themselves or identifiable data like Social Security numbers that could aid a cybercriminal in carrying out identity theft, or even blackmail. With this in mind, 2019 unfortunately set breach records in this category, with the biggest single breach likely being Quest Diagnostics, where 11.9 million patients were affected. Data taken included credit card numbers, medical information and personally identifiable data but, small consolation prize, lab results were not included.

Fortnite

The gaming industry is now bigger than both the entire music industry and Hollywood combined, making it a prime target for cybercriminals. It should come as no surprise then that cyberattackers would aim squarely for one of the biggest games on the planet.

In January 2019, a vulnerability found in Fortnite’s login system allowed hackers to impersonate real players, including viewing chat logs and other in-game details. More worryingly, the vulnerability allowed malicious users to purchase in-game currency using credit cards on file. This currency could then be siphoned off to other, legitimate, accounts — essentially money-laundering.

It is unclear how many accounts were affected, but considering there were over 80 million people logging in to Fortnite a week at the time the vulnerability was discovered, the number of players impacted is potentially huge. The vulnerability was quickly fixed but a class-action lawsuit was launched in August, the same month that a known exploit in Fortnite was used to install ransomware.

The Fortnite vulnerabilities serve as a warning to gamers and the wider gaming industry: you are a target.

US Customs and Border Protection

When U.S. Customs and Border Protection officials announced in June that a federal subcontractor had been hacked, 100,000 global travelers joined the ranks of people who have had their personal information and photos exposed. The hack included a large cache of images of car license plates, often including the face of the driver. The incident stands out as one of the more distinctive cyberattacks on U.S. public institutions in 2019, a year in which the most high-profile attacks were a rash of ransomware attacks on Texas government agencies that temporarily brought the state’s municipal infrastructure to a standstill.

Capital One

Over 100 million Americans and 6 million Canadians were affected by the Capital One data breach, where the data taken stretched from 2019 all the way back to 2005. Names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income were taken in most cases. In addition, 140,000 Social Security numbers, 80,000 linked bank account numbers and 1 million Canadian Social Insurance numbers were all stolen. One estimate of the damage to the financial giant put the cost of the data breach at more than $300 million.

Facebook

As one of the most ubiquitous and data-packed websites on the internet, Facebook is under constant scrutiny. In April and September of 2019, two privacy breaches were discovered that exposed the personal information of around 2 million Facebook users, including phone numbers and passwords. Neither of these events were related to a cyberattack, however, and they were both discovered by security researchers looking for vulnerabilities in the Facebook web architecture. In December, Facebook again made the headlines when security expert Bob Diachenko discovered an exposed database containing names, phone numbers and Facebook IDs of more than 267 million Facebook users. In this case, the data was already posted to a hacker forum for download before the internet service provider could take action and remove access.

Magecart

Magecart makes our list as one of the most widely distributed malware attacks in 2019. A recent count of active Magecart infections claims the malware is affecting over 18,000 website hosts, remarkable considering it’s an infection that’s been around in one form or another for nearly a decade. Magecart is a supply-chain attacker that hijacks the digital cart system on websites when users make orders, stealing financial information as the order is processed. Major breaches caused by Magecart in 2019 included British Airways, Ticketmaster UK, Newegg.com and even the Sesame Street store.

Looking to 2020

As demonstrated throughout 2019, “cyberattack” and “data breach” are broad terms covering a huge range of activities, from poorly maintained databases found exposed online to well-oiled criminal enterprises selling their capabilities as a service. The data indicates that these events are not going to go away any time soon and cybersecurity needs to continue to be a top priority for businesses and organizations everywhere.

As 2020 starts and tensions between the U.S. and Iran have ratcheted up to a fever pitch, security researchers are highlighting the likelihood of cyberwarfare increasingly being used as an instrument of foreign policy. From disrupting elections to attacks on power grids and ransomware attacks targeting government agencies, cybersecurity is firmly establishing itself as the central concern for organizations everywhere.

SonicWall protects organizations from cyberattacks

The growing complexity of attack tactics and increasing areas of vulnerability mean that security professionals can no longer view insider threats and traditional phishing attacks as the primary attack vector for data compromise. Every organization needs to have a layered, defense-in-depth approach, something SonicWall can help with through our automated real-time breach detection and prevention platform.

Some general best practices include:

  • Ensure your cybersecurity strategy is scaled across wired, wireless, cloud and mobile networks, where applicable
  • Leverage next-generation firewalls to mitigate advanced cyber threats
  • Layer cybersecurity controls with cloud sandboxing, such as SonicWall Capture ATP
  • Secure your data in the cloud and protect SaaS environments using SonicWall Cloud App Security
  • Deploy email security controls to help identify and block phishing attempts
  • Map network data to understand what’s most valuable

There’s no question that our list of the worst cyberattacks and data breaches of 2019 tells a dismal story of a rapidly expanding cyber threat landscape. However, by assessing your business’s cybersecurity strategy, ensuring you have a layered approach in place, and improving overall security behavior, it’s possible to protect your business from most data breaches.


Source :
https://blog.sonicwall.com/en-us/2020/01/worst-cyberattacks-and-data-breaches-of-2019/

Defend Yourself Now and in the Future Against Mobile Malware

The world has gone mobile and the US is leading the way. It’s estimated that the number of smartphone users alone topped 257 million in the States in 2018. That means three-quarters (74%) of households now boast at least one mobile device. And in this new digital world, it’s mobile applications that really matter. They’re a one-click gateway to our favorite videos, live messaging, email, banking, social media and much more.

There are said to be around 2.8 million of these apps on the official Google Play Store today. But unfortunately, where there are users, there are also hackers looking to capitalize. And one of their favorite ways to make money is by tricking you into downloading a malicious app they’ve sneaked onto the marketplace.

Most recently, 42 such apps had to be removed after being installed eight million times over the period of a year, flooding victims’ screens with unwanted advertising. This is just the tip of the iceberg. As more of us turn to mobile devices as our primary internet gateway, the bad guys will follow suit. Trend Micro blocked over 86 million mobile threats in 2018, and we can expect this figure to increase into the future.

So how can you protect your devices and your data from hackers?

Adware ahoy

The latest bunch of 42 apps are from a class of malicious software known as adware. This follows a previous discovery by Trend Micro earlier this year of a further 85 adware-laden apps downloaded eight million times. Cyber-criminals fraudulently make money by displaying unwanted ads on the victim’s device. In the meantime, the user has to contend with annoying pop-ups which can run down the device’s battery and eat up computing resources. Some even silently gather user information.

Ones to watch

Unfortunately, it’s increasingly difficult to spot malicious apps on the Play Store. A popular tactic for hackers is to hide their malware in titles which impersonate legitimate applications. A recent two-year study found thousands of such counterfeits on the Play Store, exposing users unwittingly to malware. Banking apps are a particularly popular type of title to impersonate as they can provide hackers with highly lucrative log-ins to open users’ accounts.

Some malware, like the recently disclosed Agent Smith threat, works by replacing all the legitimate apps on a user’s device with malicious alter-egos.

So, as we hit 2020, what other threats hidden in legitimate-seeming apps should mobile users be looking out for?

  • More intrusive adware.
  • Cryptocurrency mining malware. This will run in the background, eating up your device battery and computing power. Trend Micro noted a 450% increase in infections from 2017 to 2018.
  • Banking Trojans designed to harvest your log-ins so hackers can get their hands on your savings. Our detections of this malware soared 98% between 2017-18.
  • Ransomware. These attacks have evolved from simple screen lockers to malware designed to encrypt all the files on your device.
  • Premium rate services. Some malware will covertly text or call premium rate SMS numbers under the control of the hacker, thus making them money and costing you potentially significant sums. ExpensiveWall malware, for example, was found in 50 Google Play apps and downloaded millions of times, charging victims’ accounts for fake services.
  • Information theft. Some malware will allow hackers to eavesdrop on your conversations, and/or hoover up your personal data, including phone number, email address, and account log-ins. This data can then be sold on the dark web and used in follow-on identity fraud attempts.

Is Google helping?

The Android ecosystem has always been, and remains, a bigger threat than iOS because it’s relatively easier for developers to get their applications onto the official marketplace. Now, it’s true that Google carries out some vetting of the apps on its Play Store and it is getting better and quicker at spotting and blocking malware. It says the number of rejected app submissions grew by over 55% in 2018 while app suspensions increased by over 66%.

However, Google’s Play Protect, which is pre-installed on Android devices, has garnered less than favorable reviews. This anti-malware solution is intended to scan for malicious apps to prevent you downloading them, yet it has been criticized for its “terrible malware protection.”

In fact, in independent tests run in July by German organization AV-TEST, Google Play Protect found just 44% of the 3,347 “real-time” online malware threats, and just 55% of the 3,433 malware samples that were collected in the previous month. According to Tom’s Guide, “these scores are all well below the industry averages, which were always 99.5% or above in both categories for all three rounds.”

How do I stay safe?

So how can mobile users ensure their personal data and devices are secure from the growing range of app-based threats?

Consider the following:

  • Only visit official app stores. Even though Google Play has a malware problem, it is more secure than third-party app stores. In fact, you are 23 times more likely to install a potentially harmful application (PHA) outside Play, according to Google.
  • Ensure you’re on the latest operating system version.
  • Do not root your device as this can expose it to threats.
  • Be cautious. If the app is requesting an excessive number of permissions, it may be malicious.
  • Install on-device AV from a reputable third-party provider like Trend Micro.

How Trend Micro Mobile Security helps

Trend Micro Mobile Security (TMMS) offers customers comprehensive anti-malware capabilities via its real-time Security Scan function. Security Scan alerts you to any malware hidden in apps before they are installed and suggests legitimate versions. It can also be manually run on devices to detect and remove malicious apps, including ransomware, that may already have been installed.

To use the manual scan, simply:

1. Tap the Security Scan panel in the TMMS Console. The Security Scan settings screen appears, with the Settings tab active by default.

2. Tap Scan Now to conduct a security scan. The result appears.

3. In the example shown, “Citibank” has been detected as a fake banking app, installed on the device before Mobile Security was installed. Apps are recommended for you to remove or to trust.

4. Tap Uninstall to uninstall the fake app. A Details screen defines the security threats.

5. Tap Uninstall. A popup will ask if you want to uninstall the app.

6. Tap Uninstall once more to uninstall it. The app will uninstall.

7. If there are more potentially unwanted apps, tap the panel for Apps Removal Recommended to show the list of apps recommended for removal. The Removal Recommended list will show apps to Remove or Trust.

8. You can configure settings via Security Scan > Settings. This will allow you to choose protection strength (Low, Normal, and High).

9. In Settings, check the Pre-Installation Scan, which is disabled by default, to block malware from Google Play before it’s installed. It sets up a virtual private network (VPN) and enables the real-time scan.

Among its other features, Trend Micro Mobile Security also:

  • Blocks dangerous websites from loading in any browsing app with Web Guard
  • Checks if public WiFi connections are safe with Wi-Fi Checker
  • Guards financial and commercial apps with Pay Guard Mobile
  • Optimizes your device’s performance with System Tuner and App Manager
  • Protects your kids’ devices with Parental Controls
  • Protects your privacy on social media with Social Network Privacy
  • Provides Lost Device Protection.


Source :
https://blog.trendmicro.com/defend-yourself-now-and-in-the-future-against-mobile-malware/

Introducing Google Cloud’s Secret Manager

Many applications require credentials to connect to a database, API keys to invoke a service, or certificates for authentication. Managing and securing access to these secrets is often complicated by secret sprawl, poor visibility, or lack of integrations.

Secret Manager is a new Google Cloud service that provides a secure and convenient method for storing API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.

Secret Manager offers many important features:

  • Global names and replication: Secrets are project-global resources. You can choose between automatic and user-managed replication policies, so you control where your secret data is stored.
  • First-class versioning: Secret data is immutable and most operations take place on secret versions. With Secret Manager, you can pin a secret to specific versions like 42 or floating aliases like latest.
  • Principles of least privilege: Only project owners have permissions to access secrets. Other roles must explicitly be granted permissions through Cloud IAM.
  • Audit logging: With Cloud Audit Logging enabled, every interaction with Secret Manager generates an audit entry. You can ingest these logs into anomaly detection systems to spot abnormal access patterns and alert on possible security breaches.
  • Strong encryption guarantees: Data is encrypted in transit with TLS and at rest with AES-256-bit encryption keys. Support for customer-managed encryption keys (CMEK) is coming soon.
  • VPC Service Controls: Enable context-aware access to Secret Manager from hybrid environments with VPC Service Controls.

The Secret Manager beta is available to all Google Cloud customers today. To get started, check out the Secret Manager Quickstarts. Let’s take a deeper dive into some of Secret Manager’s functionality.

Global names and replication

Early customer feedback identified that regionalization is often a pain point in existing secrets management tools, even though credentials like API keys or certificates rarely differ across cloud regions. For this reason, secret names are global within their project.

While secret names are global, the secret data is regional. Some enterprises want full control over the regions in which their secrets are stored, while others do not have a preference. Secret Manager addresses both of these customer requirements and preferences with replication policies.

  • Automatic replication: The simplest replication policy is to let Google choose the regions where Secret Manager secrets should be replicated.
  • User-managed replication: If given a user-managed replication policy, Secret Manager replicates secret data into all the user-supplied locations. You don’t need to install any additional software or run additional services—Google handles data replication to your specified regions. Customers who want more control over the regions where their secret data is stored should choose this replication strategy.

First-class versioning

Versioning is a core tenet of reliable systems to support gradual rollout, emergency rollback, and auditing. Secret Manager automatically versions secret data using secret versions, and most operations—like access, destroy, disable, and enable—take place on a secret version.

Production deployments should always be pinned to a specific secret version. Updating a secret should be treated in the same way as deploying a new version of the application. Rapid iteration environments like development and staging, on the other hand, can use Secret Manager’s latest alias, which always returns the most recent version of the secret.
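One way to enforce the pinning rule above in a deployment pipeline, as an added example that is not part of the Google Cloud post or of Secret Manager itself: a small Python checker that parses Secret Manager version resource names (projects/<project>/secrets/<secret>/versions/<version>) and rejects the floating latest alias for environments that must pin a numbered version. The project and secret names, the environment names, and the PINNED_ENVIRONMENTS policy are constructed for this example.

```python
import re
from typing import Dict, List, NamedTuple

# Secret Manager version resource names have the form
#   projects/<project>/secrets/<secret>/versions/<version>
# where <version> is a number (e.g. 42) or the floating alias "latest".
VERSION_REF = re.compile(
    r"^projects/(?P<project>[^/]+)/secrets/(?P<secret>[^/]+)/versions/(?P<version>[^/]+)$"
)

# Environments that must pin numbered versions (policy assumed by this example).
PINNED_ENVIRONMENTS = {"production"}


class SecretRef(NamedTuple):
    project: str
    secret: str
    version: str


def parse_version_ref(ref: str) -> SecretRef:
    """Split a version resource name into its parts, rejecting anything else
    (a bare secret name without /versions/, a Berglas sm:// URI, a non-numeric
    version that is not the latest alias)."""
    m = VERSION_REF.match(ref)
    if m is None:
        raise ValueError(f"not a secret version resource name: {ref!r}")
    version = m.group("version")
    if version != "latest" and not version.isdigit():
        raise ValueError(f"version must be a number or 'latest': {ref!r}")
    return SecretRef(m.group("project"), m.group("secret"), version)


def check_secret_refs(environment: str, refs: Dict[str, str]) -> List[str]:
    """Return one message per problem in a setting -> resource-name map.
    An empty list means the configuration passes for that environment."""
    problems: List[str] = []
    for setting, ref in refs.items():
        try:
            parsed = parse_version_ref(ref)
        except ValueError as exc:
            problems.append(f"{setting}: {exc}")
            continue
        if environment in PINNED_ENVIRONMENTS and parsed.version == "latest":
            problems.append(
                f"{setting}: {environment} must pin a numbered version of "
                f"{parsed.secret}, not 'latest'"
            )
    return problems


if __name__ == "__main__":
    # Constructed deployment configs (project and secret names are made up).
    staging = {"DB_PASSWORD": "projects/my-project/secrets/db-password/versions/latest"}
    production = {
        "DB_PASSWORD": "projects/my-project/secrets/db-password/versions/latest",
        "API_KEY": "projects/my-project/secrets/api-key/versions/42",
        "SIGNING_KEY": "sm://my-project/api-key",
    }
    print("staging:", check_secret_refs("staging", staging) or "ok")
    for problem in check_secret_refs("production", production):
        print("production:", problem)
```

Run it as a pre-deploy step so that a production rollout that silently picks up whatever version is latest fails the build, while staging is free to track the newest version.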

Integrations

In addition to the Secret Manager API and client libraries, you can also use the Cloud SDK to create secrets:

$ gcloud beta secrets create "my-secret" --replication-policy "automatic" --data-file "/tmp/my-secret.txt"

and to access secret versions:

$ gcloud beta secrets versions access "latest" --secret "my-secret"

Discovering secrets

As mentioned above, Secret Manager can store a variety of secrets. You can use Cloud DLP to help find secrets using infoType detectors for credentials and secrets. The following command will search all files in a source directory and produce a report of possible secrets to migrate to Secret Manager:

$ find . -type f | xargs -n1 gcloud alpha dlp text inspect --info-types="AUTH_TOKEN,ENCRYPTION_KEY,GCP_CREDENTIALS,PASSWORD" --content-file

If you currently store secrets in a Cloud Storage bucket, you can configure a DLP job to scan your bucket in the Cloud Console.

Over time, native Secret Manager integrations will become available in other Google Cloud products and services.

What about Berglas?

Berglas is an open source project for managing secrets on Google Cloud. You can continue to use Berglas as-is and, beginning with v0.5.0, you can use it to create and access secrets directly from Secret Manager using the sm:// prefix.

$ berglas access sm://my-project/api-key

If you want to move your secrets from Berglas into Secret Manager, the berglas migrate command provides a one-time automated migration.

Accelerating security

Security is central to modern software development, and we’re excited to help you make your environment more secure by adding secrets management to our existing Google Cloud security product portfolio. With Secret Manager, you can easily manage, audit, and access secrets like API keys and credentials across Google Cloud.

To learn more, check out the Secret Manager documentation and Secret Manager pricing pages.

Source :
https://cloud.google.com/blog/products/identity-security/introducing-google-clouds-secret-manager

Spear-Phishing Attacks Targeting Office 365 Users, SaaS Applications

Over the course of the last 15 years, cyber threats have gone from urban myths and corporate ghost stories to as mainstream as carjackings and burglaries. There isn’t a business owner of a small restaurant chain or a CEO of a Fortune 500 company who doesn’t think about the fallout of being breached.

I’m not here to tell you how the threats are getting more sophisticated, or how state-sponsored hacker groups are getting more and more funding; you already know that. But what I do want to share with you is something that I’m seeing daily. Targeted threats that you may have already witnessed and, unfortunately, been personally a victim of or know someone who has: Spear-phishing.

Are you an Office 365 user? Do you have customers who are Office 365 users? Are you a managed security service provider (MSSP) that administers Office 365 for your clients? You probably need a solution that applies effective Office 365 security capabilities and controls.

With close to 200 million global users, Office 365 is a target — a big target. And spear-phishing attempts are good. Really good. Recently, Forbes ran a summary of the threat. Alarmingly, today’s most advanced spear-phishing attempts look like they come from your CFO, boss or trusted vendor. They provide credibility to the target and, many times, users take the bait. Money gets wired. Access to accounts is provided. Confidential information is exposed.

Traditional email security isn’t enough protection. Out-of-the-box, cloud-native security services aren’t enough protection. A lean, effective and modern Office 365 security or SaaS security solution is required.

How to stop spear-phishing attacks, advanced cyber threats

SonicWall Cloud App Security (CAS) combines advanced security for Office 365, G Suite and other top SaaS applications to protect users and data within cloud applications, including email, messaging, file sharing and file storage. This approach delivers advanced threat protection against targeted email threats like phishing attacks, business email compromise, zero-day threats, data loss and account takeovers.

CAS also seamlessly integrates with sanctioned SaaS applications using native APIs. This helps organizations deploy email security and CASB functionalities that are critical to protecting the SaaS landscape and ensure consistent policies across cloud applications being used.

Explore the five key reasons CAS may be able to protect your organization from spear-phishing and other advanced attacks.

  • CAS delivers next-gen security for Office 365, protecting email, data and user credentials from advanced threats (including advanced phishing) while ensuring compliance in the cloud
  • Monitor SaaS accounts for IOCs, such as data leakage, account takeover, business email compromise (BEC) and fraud attempts
  • Block malware propagation in malicious email attachments and files, whether they are at-rest or traversing a SaaS environment, internally or cloud-to-cloud
  • Prevent data breaches using machine learning and/or AI-based user profiling and behavior analytics for incident detections and automated responses
  • Leverage Shadow IT to monitor cloud usage in real time, and set policies to block unsanctioned applications

In my over 10 years of observing various attacks and sitting in rooms with customers (not mine, fortunately) who have been breached, I can tell you that you don’t want it ever to be you or your customers. This threat is having more success than any I’ve seen — and they are very recent.

For more information, contact a SonicWall cybersecurity expert or explore the CAS solution in detail.


Source :
https://blog.sonicwall.com/en-us/2020/01/spear-phishing-attacks-targeting-office-365-users-saas-applications/

BlueCat’s DNS Edge Is Cisco Umbrella’s Newest Integration


Cisco Umbrella is widely recognized as one of the strongest products on the market for a secure and fast connection to the internet. And we are always looking for ways to deepen visibility and control for our customers. This is why we are teaming up with BlueCat, a leading provider of DNS, DHCP, and IPAM (DDI) management solutions.

Studies show that 91% of malware uses DNS to establish command and control callbacks, navigate through network pathways, and exfiltrate data. Cisco Umbrella fills this traditional gap in network security by blocking the outbound requests made to the malicious domains. When Umbrella customers point their network traffic to our resolvers they get visibility into the egress (external) IP address of their network. By leveraging capabilities such as the Umbrella roaming client, Umbrella virtual appliance or AnyConnect integration, customers can get additional attribution such as Active Directory user names, internal IP addresses and hostname of computers.

With the BlueCat DNS Edge integration, customers get greater visibility into the attribution of the external DNS query (i.e., the source IP), as well as additional control with the use cases outlined below. This integration expands the use cases for DNS security into investigations of internal network traffic, restricting lateral movement, and decreasing forensic response times. The integration enables customers to get full visibility and protection for DNS traffic leaving their environment, for users on and off the network.

How It Works
DNS Edge deploys as a virtual machine at the “first hop” of any DNS query. This gives DNS Edge the ability to tie every request on the network to a specific device without the need for an agent. With the integration, BlueCat Edge sends additional attribution information (i.e., the internal client IP) for each external DNS query to Umbrella. This allows viewing of device-level data directly in Cisco Umbrella, providing more granular information into the source of network threats.

Expand network visibility and control with the Cisco Umbrella and BlueCat integration

Use Cases
Investigate internal, “east-west” traffic: BlueCat’s “first hop” position on the network provides visibility into internal, “east-west” traffic – that’s 60% of all network queries – which mostly go unmonitored today. You can investigate internal traffic within DNS Edge, or send it to a SIEM and correlate it with other threat indicators. Using DNS Edge to apply security policies to this internal traffic means that security teams can contain lateral movement associated with advanced persistent threats and malicious insiders.

BlueCat’s Integration with Cisco Umbrella is now available

This screenshot shows how internal traffic appears in DNS Edge. Searching by source IP, you can see all internal and external domains queried by that device, and refine the search further by subdomains or any other factor you choose. In this example, you can see how a query to a known bad domain then results in lateral movement to other internal resources. This expands your visibility beyond the external domain that is shown in Umbrella.

Investigate lateral movement from IoT devices without agents: The threats to Internet of Things (IoT) devices are well known but difficult to properly control at an enterprise level. Since many IoT devices lack the capacity for security agents or any external software, blocking DNS queries as they leave the device is both a more elegant and more operationally feasible way to control a fleet of sensors at the enterprise level.


Here’s an example of how a rogue IoT device would look in DNS Edge. This is a security camera which should only ever be hitting a single internal domain. When it unexpectedly connects to an external domain (in this case, easyridegolfcars.com), this is the first indicator of a compromise. Looking at the subsequent queries, you can see both lateral movement to internal domains as well as potential data exfiltration attempts to the same external site.
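The detection logic behind the two investigations above (a device leaving its expected domain set, then fanning out to internal hosts and back to the same external site), as an added example that is not BlueCat’s or Cisco’s code. The log format, the client addresses, the baseline and the domains are all constructed; real DNS Edge exports would need their own parser.

```python
from collections import defaultdict

# Constructed sample of "first hop" DNS query logs (format assumed:
# "<time> <client_ip> <qname> <qtype>"); not real DNS Edge output.
SAMPLE_LOG = """\
10:00:01 10.0.5.21 cam-controller.corp.internal A
10:00:31 10.0.5.21 cam-controller.corp.internal A
10:01:02 10.0.5.21 update.suspicious.example A
10:01:05 10.0.5.21 fileserver01.corp.internal A
10:01:06 10.0.5.21 hr-db.corp.internal A
10:01:40 10.0.5.21 4a7f9c2e1b0d8e3f6a5c.suspicious.example TXT
10:02:00 10.0.7.8 intranet.corp.internal A
"""

# Per-device baseline (constructed): the security camera should only ever
# resolve its controller; devices without a baseline are not evaluated.
BASELINE = {"10.0.5.21": {"cam-controller.corp.internal"}}
INTERNAL_SUFFIX = ".corp.internal"

def parse(log):
    """Yield (time, client_ip, qname, qtype) tuples from the constructed log."""
    for line in log.splitlines():
        ts, ip, qname, qtype = line.split()
        yield ts, ip, qname.lower().rstrip("."), qtype

def registered_domain(qname):
    """Collapse a query name to its last two labels (good enough for the sample)."""
    return ".".join(qname.split(".")[-2:])

def find_rogue_devices(log, baseline=BASELINE):
    """Return {client_ip: [(finding, time, qname), ...]} for devices that
    leave their baseline, in the order the indicators appear."""
    findings = defaultdict(list)
    first_ext = {}  # client -> registered domain of its first unexpected external query
    for ts, ip, qname, qtype in parse(log):
        allowed = baseline.get(ip)
        if allowed is None or qname in allowed:
            continue
        if qname.endswith(INTERNAL_SUFFIX):
            # Internal host outside the baseline: east-west / lateral movement
            findings[ip].append(("lateral_movement", ts, qname))
            continue
        dom = registered_domain(qname)
        if ip not in first_ext:
            first_ext[ip] = dom
            findings[ip].append(("unexpected_external", ts, qname))
        elif dom == first_ext[ip] and (qtype == "TXT" or len(qname.split(".")[0]) >= 16):
            # Same external site again, with a long label or TXT lookup: possible exfil
            findings[ip].append(("possible_exfil", ts, qname))
    return dict(findings)
```

Feed the function a baseline built from a few days of normal queries per device and it flags only the camera, in the same order the page walks through: unexpected external domain, internal fan-out, then a return to the same external site.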

Improve forensic response time: With all of this new data at their disposal, security teams are cutting their response time significantly – from days to minutes. Forensic investigators and threat hunters no longer have to compile DNS logs from recursive servers to find a source device – the data is available right in Cisco Umbrella or can be exported directly to a SIEM for further analysis. The rich context available from internal DNS data adds a new dimension to that analysis as well, uncovering additional connections to malicious activity.

Improve network performance: Device-level DNS data is a critical source of intelligence on how networks are performing. With visibility into the source, type, and result of every DNS query across the network, operators can quickly spot DNS misconfigurations, architectural shortcomings, misbehaving clients, and a host of other issues that may be impacting network performance and client reliability.

Getting Started
With a few simple steps, you can connect Cisco Umbrella to DNS Edge and start applying security policies. This integration leverages the network device API integration available in Umbrella, which allows additional attribution information to be sent from the BlueCat Edge device to Umbrella. As a result, the investigating user sees the internal IP of the requesting client instead of just the egress IP that Umbrella would see in a traditional network deployment.

Follow the steps below to take advantage of this integration.

1. Start off by creating an API key in Cisco Umbrella – you’ll want to choose the “Umbrella Network Devices” option.
2. Add that API key into DNS Edge. To do this, go to the Cisco Umbrella Integration tab on the main menu of DNS Edge. Paste in the API key and the secret.

Once the API key is inserted, DNS Edge will appear as a network device within Cisco Umbrella. Initially, it will appear as “offline”, but will automatically switch to “active” once the data starts flowing.


3. Create a policy within Cisco Umbrella to handle external-facing traffic which comes from the DNS Edge service point (network device), just as you would do for any other network device.


When looking at the DNS queries in Umbrella you will now see additional attribution. For example, in the screenshot below we can see which Edge device the query came from, alongside the internal IP of the client that made the request.


WANT TO LEARN MORE?
Cisco and BlueCat recently presented this new integration at a Tech Field Day event. You can check out the session recording, as well as the Cisco Umbrella BlueCat integration data sheet to learn more.

This new integration with BlueCat adds one of the largest providers of DDI services to Umbrella’s integration arsenal, expanding on our existing integration with EfficientIP. If you’re heading to Cisco Live Barcelona next month be sure to stop by the BlueCat booth or La Taberna where Cisco Umbrella will be serving coffee and beer throughout the day. We would love to see you at the show!

Source :
https://umbrella.cisco.com/blog/2020/01/09/bluecats-dns-edge-is-cisco-umbrellas-newest-integration/

Change Product Key Windows Server 2019 – Windows 10 1809

When installing Windows Server 2019, as with previous versions of Windows, you are prompted to enter the product key during installation; however, if you are waiting for licensing to arrive, you can skip this and continue building your server. Once the licensing arrives, you can enter the product key from the Settings app, but in my case, clicking the Change Product Key button resulted in absolutely nothing. The window did not pop up, no error in the event logs, nothing at all. In this article, I will show you how to enter your product key manually using command line utilities, then activate using the same utility.

  1. Click Start and type CMD in the Start Search menu
  2. Right Click and choose Run as administrator
  3. To remove any existing product key (in case you used a trial key), enter and run the command slmgr.vbs /upk
  4. Clear the product key from registry by running slmgr.vbs /cpky
  5. To enter your new product key, use the command: slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx where the x’s are your actual product key.
  6. Lastly, activate Windows by entering the command slmgr.vbs /ato
  7. Windows is now activated.

From my research, this appears to be a fairly common issue. Some users reported completely reloading Windows and entering the key from the start to resolve the issue, but if you have already configured the server or workstation, that’s not really an option. After running the above commands, my servers were activated and running normally. So far, this is my only hiccup with Server 2019.


Source :
https://technogecko.net/guides/change-product-key-does-nothing-windows-server-2019-windows-10-1809/