Blog

Smarter Cybersecurity: How SecOps Can Simplify Security Management, Oversight & Real-Time Decision-Making

Organizations continue to be alarmed by how easily cybercriminals can circumvent security defenses as malware, ransomware, cryptojacking and phishing attacks make headline news.

In addition, security operations lack visibility and awareness of unsafe network and user activities, network traffic irregularities, and unusual data access and utilization. This exacerbates the situation and creates a dangerous condition where security teams are too late or unable to:

  • Respond to security alerts or incidents at the speed and accuracy they need
  • Conduct thorough and effective investigations
  • Find answers fast enough to take corrective actions

Through close engagements with our top channel partners and key customers, SonicWall learned and understood these challenges first-hand. And through that collaboration, SonicWall developed and introduced the SonicWall Capture Security Center and two powerful risk management tools — Analytics and Risk Meters — to help customers solve these difficult problems.

Govern, comply and manage risk

The Capture Security Center is grounded on three core objectives:

‘Govern Centrally’ focuses on improving operational efficiencies and reducing overhead, while ‘Compliance’ and ‘Risk Management’ concentrate on the business value. These core objectives are interdependent as each leverages a common set of information, processes and technologies that help SecOps establish and deliver a strong, federated security defense and response services at the core of their security program.

Work faster and smarter — with less effort

Capture Security Center is a cloud solution organizations use to avoid operational overhead associated with software and hardware installation, upgrades and maintenance. This solution provides SecOps teams secure single sign-on (SSO) access to license, provision and manage their entire SonicWall security suite, including network, wireless, endpoint, email, mobile and cloud security products and services.

Think of it as a high-productivity tool that provides authorized users access to all available security services based on their role and access rules. The command console is accessible from any location and from any web-enabled PC. Once signed in, users are automatically granted access to everything — and are able to do everything securely — using one cloud app.

The different tiles (shown below) are exactly what you’ll see when you log in to your Capture Security Center account. Users can easily navigate between tenants presented on the left panel and, on the right panel, manage any licensed cloud services registered to that tenant.

Available in January 2020, Capture Security Center version 1.8 adds capabilities for security teams to:

Study risks and threats in real time with real-world data

SonicWall Risk Meters is a threat monitoring and risk-rating tool we’ve integrated into the Capture Security Center. The tool is available to all SonicWall Capture Security Center customers at no additional cost.

Risk Meters, shown below, gives a direct line of sight into the cyberattacks affecting your security posture. Threat vectors are represented by colored arrows while threat types are shown as icons.

Clicking on an icon pops up an information panel that provides a detailed description of the threat. A tenant drop-down list allows you to view threat metrics at the tenant level. Visibility into the attacks targeting various defense layers helps guide your response to where immediate defensive actions are needed for a specific environment.

The first defense layer captures attacks blocked by the firewalls, Capture Advanced Threat Protection (ATP) sandbox and WAF.

The second defense layer reveals attacks targeting your SaaS appliances and email environments.

The third defense layer shows threats attacking your users’ devices. The DEFCON and Shield Level ratings displayed at the top-right corner provide the computed risk scores based on existing defense layers. Scores are adjusted as you toggle to activate or deactivate available services.

Taking this a step further, Risk Meters gains several important improvements in Capture Security Center 1.8. A new control panel presents users with customization functionalities to run analysis on a variety of threat data.

This new feature allows “what-if” simulations at a more granular level, showing how the risk score changes dynamically when sub-components of a certain layer, or of multiple layers, are added or removed.

Up until this release, risk scores were calculated based solely on security services from SonicWall. To give a more accurate account of customer security environments, CSC now factors in all security controls when calculating the risk scores, including non-SonicWall services.

The Risk Meters Control Panel allows users to configure and weigh third-party security controls into the calculated risk scores. Users can now review trends of different threat types and then compare them against regional and global averages to help identify which threat vectors to focus on and where to prepare their defenses.

Transforming threat data into decisions, decisions into actions

In conjunction with Capture Security Center 1.8, SonicWall releases Analytics 2.5 to introduce a new user-based analytics and reporting function that helps security teams visualize and conduct investigations into users’ actions and application and data usage.

Security teams can monitor or drill down into the security data for more details about user network traffic, access and connections, which applications are being used and which websites are frequently visited.

Also, security teams can investigate attacks that target a certain group of users and bandwidth costs associated with resource utilization to determine if policy-tuning or added configurations are needed to reduce their risk profile or optimize network performance.


About the SonicWall Capture Security Center

Capture Security Center is a scalable cloud security management system that’s a built-in and ready-to-use component of your SonicWall product or service. It features single-sign-on and ‘single-pane-of-glass’ management. It integrates the functionality of the Capture Cloud Platform to deliver robust security management, analytics and real-time threat intelligence for your entire portfolio of network, email, endpoint, mobile and cloud security resources.

Capture Security Center delivers a valuable team resource to help organizations control assets and defend entire networks from cyberattacks. Unify and synchronize updates and support, monitor security risks and fulfill regulatory compliance — all with greater clarity, precision and speed.

source :
https://blog.sonicwall.com/en-us/2019/12/smarter-cybersecurity-how-secops-can-simplify-security-management/

Cisco Umbrella’s Top 10 Cybersecurity Tips

By Lorraine Bellon
December 4, 2019

As the holidays are approaching, everyone is getting busier, and to-do lists keep getting longer. It feels like there’s never enough time in the day, and it’s easy to get distracted when time is in short supply. We’ve heard it all before —  security should always be at the top of your to-do list — but we know that’s not always the case.

The weakest link in any security system is always the same — people. No matter how comprehensive, effective, or expensive your security tools are, it can all come crashing down if a single careless user makes one simple mistake. Every time someone decides to click on an unfamiliar link or open a suspicious email attachment, your organization could be facing massive data loss and significant disruption to your business.

Most IT professionals know how to stay safe online, but most users aren’t experts. To help you stay protected, we’ve compiled a list of things everyone should be thinking about whenever they’re using the Internet.

To help strengthen your organization’s cyber security practices, you can share this blog post with your users, or use these tips as a starting point for a security refresher training. You’ve probably heard many or all of these tips before, but repetition doesn’t hurt.

Here is our list of top 10 cybersecurity tips for anyone on the Internet (hint: that means you!).

  1. Realize that you are an attractive target to attackers, and it can happen to anyone, anytime, anywhere, on any device. Don’t ever say “It won’t happen to me.”
  2. Practice good password management. Use a strong mix of characters, and don’t use the same password for multiple sites. Don’t share your password with others and don’t write it down — no post-it note attached to your monitor! If you have trouble remembering your passwords, consider using a secure password vault. Then you only have to remember one (very strong) password.
  3. Never leave your devices unattended. If you need to leave your computer, phone, or tablet for any length of time — no matter how short — lock the screen so no one can use it while you’re gone. If you keep sensitive information on a flash drive or external hard drive, make sure to lock those up as well.
  4. Always be careful when clicking on attachments or links in email. If an email is unexpected or suspicious for any reason, don’t click on it. Even if it seems like it’s from your company CEO! Scammers can look up that information online and use it to target individuals in your company. Double check the URL of the website to see if it looks legitimate. Bad actors will often take advantage of spelling mistakes to direct you to a harmful domain.
  5. Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust. Whether you’re using a friend’s phone, a public computer, or free Wi-Fi at a coffee shop — your data could be copied or stolen.
  6. Back up your data regularly. Make sure your antivirus software is always turned on and up to date.
  7. Be conscientious of what you plug in to your computer. Malware can be spread through infected flash drives, external hard drives, and even smartphones. You might want to help someone find their lost item, but end up falling into a trap.
  8. Watch what you’re sharing on social networks. Criminals can find you and easily gain access to a shocking amount of information — where you go to school, where you work, when you’re on vacation — that could help them gain access to more valuable data.
  9. Be wary of social engineering, where someone attempts to gain information from you through manipulation. If someone calls or emails you asking for sensitive information like login information or passwords, it’s okay to say no. You can always call the company directly to verify credentials before giving out any information.
  10. Be sure to monitor your accounts for any suspicious activity. If you see something unfamiliar, it could be a sign that you’ve been compromised. Don’t be afraid to speak up and tell your IT team if you notice anything unusual. Remember, you’re the victim of the attack, and you’re not in trouble!

Share this list with your users and help them understand what IT teams already do — that cyber security is a team sport.

Of course, it’s important to have strong security tools to protect your users too. But how do you know if your current set of tools is enough? Check out our infographic to learn about 3 red flags you’re not getting what you were promised from your security stack.

There’s no substitute for educating your users, but defense matters too. Nothing is more important than your first line of defense. Because it’s built into the foundation of the internet, Cisco Umbrella can protect your network from malware, ransomware, malicious cryptomining, and other advanced threats by blocking connections at the DNS layer. Your users may never thank you, but your security operations team will!

Source
https://umbrella.cisco.com/blog/2019/12/04/cisco-umbrella-top-10-cybersecurity-tips/

Amazon Echo Hacked at Pwn2Own Tokyo 2019 and Ransomware Attacks Hit Spanish Companies

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a ransomware that is attacking Spanish companies and how nearly 50 adware apps were found on Google Play. Also, read about how an Amazon Echo was hacked on the first day of Pwn2Own Tokyo 2019.

Read on:

Facebook Portal Survives Pwn2Own Hacking Contest, Amazon Echo Got Hacked

Amazon Echo speakers, Samsung and Sony smart TVs, the Xiaomi Mi9 phone, and Netgear and TP-Link routers were all hacked on the first day of ZDI’s Pwn2Own Tokyo 2019 hacking contest.

New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse

In October 2019, Trend Micro discovered a new exploit kit named Capesand, which attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer. Based on our investigation, it also exploits a 2015 vulnerability for Internet Explorer.

Inside the Microsoft Team Tracking the World’s Most Dangerous Hackers

Microsoft’s latest win over cloud rival Amazon for the lucrative military contract means that an intelligence-gathering apparatus among the most important in the world is based in the woods outside Seattle. Now in this corner of Washington state, dozens of engineers and intelligence analysts are watching and stopping the government-sponsored hackers proliferating around the world.

Halloween Exploits Scare: BlueKeep, Chrome’s Zero-Days in the Wild

On October 31, Chrome posted that a stable channel security update for Windows, Mac, and Linux versions of Chrome will be rolled out in order to fix two use-after-free flaws in audio and PDFium. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a statement advising users and administrators to apply the updates.

A Stranger’s TV Went on Spending Spree with My Amazon Account – and Web Giant Did Nothing About it for Months

After a fraudster exploited a bizarre weakness in Amazon’s handling of customer devices to hijack an account and go on spending sprees with their bank cards, it was discovered that it is possible to add a non-Amazon device to your Amazon customer account and it won’t show up in the list of gadgets associated with the profile.

Ransomware Attacks Hit Spanish Companies, Paralyzes Government Services in Canadian Territory of Nunavut

A ransomware campaign recently hit companies in Spain, including Cadena Sociedad Española de Radiodifusión (SER), the country’s largest radio network. In another part of the globe, threat actors managed to infect government systems with ransomware in the Canadian territory of Nunavut.

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using MitM against other devices connected to the same network.

Unpatched Remote Code Execution rConfig Flaws Could Affect Millions of Servers and Network Devices

Details on the proof-of-concept (PoC) exploit for two unpatched, critical remote code execution (RCE) vulnerabilities in the network configuration management utility rConfig have recently been disclosed. At least one of the flaws could allow remote compromise of servers and connected network devices.

California DMV Data Breach Exposed Thousands of Drivers’ Information, Agency Says

A data breach at the California Department of Motor Vehicles may have exposed some drivers’ Social Security number information to seven government entities, according to the DMV. The breach affects about 3,200 individuals over at least the last four years, the agency said in a statement.

49 Disguised Adware Apps with Optimized Evasion Features Found on Google Play

Trend Micro recently found 49 new adware apps on Google Play, disguised as games and stylized cameras. These apps are no longer live, but before they were taken down by Google, the total number of downloads was more than 3 million. This Trend Micro blog discusses solutions and security recommendations for protecting against adware apps.

CVE-2019-2114: Patched Android Bug That Allows Possible Installation of Malicious Apps

An Android bug that could allow threat actors to bypass devices’ security mechanisms was discovered by Nightwatch Cybersecurity. Successful abuse of the bug can allow threat actors to transfer a malicious application to a nearby Near Field Communication (NFC)-enabled device via the Android Beam. The bug affects Android version 8 (Oreo) or higher.


Surprised by the devices that were hacked on the first day of Pwn2Own Tokyo 2019? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Source :
https://blog.trendmicro.com/this-week-in-security-news-amazon-echo-hacked-at-pwn2own-tokyo-2019-and-ransomware-attacks-hit-spanish-companies/

How to Protect Multi-Cloud Environments with a Virtual Firewall

Virtualization technology is powering a momentous revolution in today’s modern data centers and clouds, leading to designs that are commonly a mix of private, public and hybrid cloud computing environments.

International Data Corporation (IDC) research predicts that more than 90% of organizations will have some portion of their applications or infrastructure running in the cloud by the end of 2024.

As multi-cloud migration happens and organizations embrace technologies, such as containers, network virtualization must expand to adequately secure highly dynamic environments ranging from public clouds to private clouds to data centers. Otherwise, organizations face the risks of visibility blind spots and control challenges.

To circumvent this, organizations are implementing cloud security solutions that operate together and are easily managed. The benefits of cloud computing are well-known and significant. However, so are the security challenges, exemplified by the many recent high-profile data breaches. Whether stored in a physical data center or in a public, private or hybrid cloud, your data is the hacker’s goal.

Securing the cloud introduces a range of challenges, including a lack of network traffic visibility, unpredictable security functionality and the struggle to keep pace with the rate of change commonly found in cloud computing environments. To be efficacious, organizations need a cloud security solution that:

  • Identifies and controls network traffic within the cloud based on identity, not the ports and protocols they may use.
  • Stops malware from gaining access to and moving laterally within the cloud.
  • Determines who should be allowed to use the applications, and grants access based on need and credentials.
  • Streamlines deployment and gets a new instance up and running with a click. You do not want to configure each virtual firewall, since that is time-consuming. Ideally, you have a pre-defined configuration pushed to the device and it is up and running.
  • Cost-effectively replaces expensive WAN connection technologies, such as MPLS, with secure SD-WAN.
  • Simplifies administration and minimizes the security policy delay as virtual machines (VM) are added, removed or moved within the cloud environment.

Securing the cloud with SonicWall NSv virtual firewalls

Recently, SonicWall announced a new firmware, SonicOS 6.5.4, on its virtual firewall platforms to provide feature parity with its hardware firewall platform.

SonicWall Network Security virtual (NSv) firewalls now support secure SD-WAN, Zero-Touch Deployment, DNS security, Restful API and many more features that help solve the aforementioned problems.

SonicWall NSv firewalls help security teams reduce different types of security risks and vulnerabilities, which can cause serious disruption to business-critical services and operations.

With full-featured security tools and services, including reassembly-free deep packet inspection (RFDPI), security controls and networking services equivalent to what a SonicWall physical firewall provides, NSv effectively shields all critical components of your private/public cloud environments.

NSv is easily deployed and provisioned in a multi-tenant virtual environment, typically between virtual networks (VN). This allows it to capture communications and data exchanges between VMs for automated breach prevention, while establishing stringent access control measures for data confidentiality and VM safety and integrity.

Security threats (such as cross-virtual-machine or side-channel attacks and common network-based intrusions and application and protocol vulnerabilities) are neutralized successfully through SonicWall’s comprehensive suite of security services.

All VM traffic is subjected to multiple threat analysis engines, including intrusion prevention, gateway anti-virus and anti-spyware, cloud anti-virus, botnet filtering, application control and the Capture Advanced Threat Protection (ATP) multi-engine sandbox.

Source :
https://blog.sonicwall.com/en-us/2019/10/how-to-protect-multi-cloud-environments-with-a-virtual-firewall/

WSUS synchronization fails with SoapException

Applies to: WSUS – All versions, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Symptoms


Windows Server Update Services (WSUS) synchronization fails, and you receive the following error message:

SoapException: Fault occurred
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetUpdateData(Cookie cookie, UpdateIdentity[] updateIds)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.WebserviceGetUpdateData(UpdateIdentity[] updateIds, List`1 allMetadata, List`1 allFileUrls, Boolean isForConfig)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetUpdateDataInChunksAndImport(List`1 neededUpdates, List`1 allMetadata, List`1 allFileUrls, Boolean isConfigData)
at Microsoft.UpdateServices.ServerSync.Cat

Additionally, an error message that resembles the following is logged in the WSUS log file (%ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log) on the WSUS server:

<Date> <Time> Error WsusService.25 SoapUtilities.LogException USS ThrowException: Actor = https://fe2.update.microsoft.com/v6/ServerSyncWebService/ServerSyncWebService.asmx, Method = “http://www.microsoft.com/SoftwareDistribution/GetUpdateData”, ID=<ID>, ErrorCode=InternalServerError, Message=
at Microsoft.UpdateServices.Internal.SoapUtilities.LogException(SoapException e)
at Microsoft.UpdateServices.Internal.WebServiceCommunicationHelper.ProcessWebServiceProxyException(SoapHttpClientProtocol& webServiceObject, Exception exceptionInfo)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.WebserviceGetUpdateData(UpdateIdentity[] updateIds, List`1 allMetadata, List`1 allFileUrls, List`1& updatesWithSecureFileData, Boolean isForConfig)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetUpdateDataInChunksAndImport(List`1 neededUpdates, List`1 allMetadata, List`1 allFileUrls, Boolean isConfigData)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetAndSaveUpdateMetadata(List`1 updates)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcess()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
<Date> <Time> Error WsusService.25 SoapUtilities.LogException USS ThrowException: Actor = https://fe2.update.microsoft.com/v6/ServerSyncWebService/ServerSyncWebService.asmx, Method = “http://www.microsoft.com/SoftwareDistribution/GetUpdateData”, ID=<ID>, ErrorCode=InternalServerError, Message=
at Microsoft.UpdateServices.Internal.SoapUtilities.LogException(SoapException e)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcess()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()

Cause


This issue occurs if the WSUS servers are configured to use the old synchronization endpoint, https://fe2.update.microsoft.com/v6. This endpoint was fully decommissioned and is no longer reachable after July 8, 2019.

Resolution


To fix the issue, change the synchronization endpoint in WSUS configuration to https://sws.update.microsoft.com.

To do this, follow these steps on the topmost WSUS server that connects directly to Microsoft Update, such as the root WSUS server in a WSUS hierarchy:

  1. Close all WSUS consoles.
  2. At an elevated PowerShell command prompt, run the following PowerShell scripts.
    Note: Don’t run the scripts on a WSUS server that’s not the topmost server. If the server isn’t connected to the Internet, synchronization may fail.

    For WSUS version 3.x:

    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $server.GetConfiguration()
    # Check current settings before you change them
    $config.MUUrl
    $config.RedirectorChangeNumber
    # Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
    $config.MUUrl = "https://sws.update.microsoft.com"
    $config.RedirectorChangeNumber = 4002
    $config.Save()
    # Restart IIS and the WSUS service
    iisreset
    Restart-Service *Wsus* -v

    Note: WSUS servers that are running Windows Server 2008 (without the latest update) or earlier versions may be using the https://update.microsoft.com/v6 or https://www.update.microsoft.com synchronization endpoints. Because these versions of Windows don’t support SHA256 certificate authentication, use the following settings in the PowerShell scripts:

    $config.MUUrl = "https://sws1.update.microsoft.com"
    $config.RedirectorChangeNumber = 3011

    For WSUS on Windows Server 2012 and later versions:

    $server = Get-WsusServer
    $config = $server.GetConfiguration()
    # Check current settings before you change them
    $config.MUUrl
    $config.RedirectorChangeNumber
    # Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
    $config.MUUrl = "https://sws.update.microsoft.com"
    $config.RedirectorChangeNumber = 4002
    $config.Save()
    # Restart IIS and the WSUS service
    iisreset
    Restart-Service *Wsus* -v
  3. Verify that WSUS synchronization succeeds.
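
An added example (not part of the Microsoft article): a triage script that reads SoftwareDistribution.log text, extracts the Actor, Method and ErrorCode from each SoapException entry, and separates failures against the decommissioned fe2 endpoint from failures that have some other cause. The sample log is constructed in the shape of the entries quoted above, and the function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Endpoint the page names as decommissioned after July 8, 2019.
OLD_HOST, OLD_PATH = "fe2.update.microsoft.com", "/v6"

# Header line of a SoapException entry, in the shape quoted on this page.
# Straight and typographic quotes around the Method value are both accepted.
HEADER = re.compile(
    r"^(?P<stamp>.*?)\s*Error\s+(?P<source>\S+)\s+SoapUtilities\.LogException\s+"
    r"USS ThrowException:\s+Actor = (?P<actor>[^,\s]+),\s+"
    r"Method = [\"\u201c](?P<method>[^\"\u201d]+)[\"\u201d],\s+"
    r"ID=(?P<id>[^,]*),\s+ErrorCode=(?P<code>\w+)"
)


def uses_old_endpoint(actor):
    """True if the Actor URL is on the decommissioned host and /v6 path.

    The host is compared after URL parsing, so a longer hostname that merely
    contains the old name does not count as a match.
    """
    parts = urlsplit(actor)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    return host == OLD_HOST and (path == OLD_PATH or path.startswith(OLD_PATH + "/"))


def parse_entries(log_text):
    """Group each SoapException header with the 'at ...' frames that follow it."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "stamp": m["stamp"].strip(),
                "actor": m["actor"],
                "method": m["method"].rsplit("/", 1)[-1],
                "error_code": m["code"],
                "frames": [],
                "old_endpoint": uses_old_endpoint(m["actor"]),
            }
            entries.append(current)
        elif current is not None and line.lstrip().startswith("at "):
            current["frames"].append(line.strip()[3:])
        else:
            current = None  # any other line ends the current entry
    return entries


def triage(entries):
    """Summarise how many failures match the cause described on this page."""
    old = [e for e in entries if e["old_endpoint"]]
    return {
        "total": len(entries),
        "old_endpoint": len(old),
        "other_endpoint": len(entries) - len(old),
        "methods_on_old_endpoint": Counter(e["method"] for e in old),
        "first_seen": old[0]["stamp"] if old else None,
        "matches_page_cause": bool(old),
    }


# --- Constructed sample input (timestamps and the third entry are made up) ---
_HDR = (
    "{stamp} Error WsusService.25 SoapUtilities.LogException USS ThrowException: "
    "Actor = {actor}, "
    'Method = "http://www.microsoft.com/SoftwareDistribution/GetUpdateData", '
    "ID=<ID>, ErrorCode=InternalServerError, Message="
)
_FE2 = "https://fe2.update.microsoft.com/v6/ServerSyncWebService/ServerSyncWebService.asmx"
_SWS = "https://sws.update.microsoft.com/ServerSyncWebService/ServerSyncWebService.asmx"
_LOG = "   at Microsoft.UpdateServices.Internal.SoapUtilities.LogException(SoapException e)"
_SYNC = "   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)"
_THREAD = "   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcess()"

SAMPLE_LOG = "\n".join([
    "2019-07-09 02:00:11.120 UTC Info WsusService.25 constructed filler line",
    _HDR.format(stamp="2019-07-09 02:00:14.501 UTC", actor=_FE2),
    _LOG, _SYNC, _THREAD,
    _HDR.format(stamp="2019-07-10 02:00:13.977 UTC", actor=_FE2),
    _LOG, _SYNC,
    _HDR.format(stamp="2019-07-11 02:00:15.032 UTC", actor=_SWS),
    _LOG,
])

if __name__ == "__main__":
    summary = triage(parse_entries(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Failures counted under other_endpoint are not explained by the endpoint decommissioning and need separate investigation.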

More Information


For more information about how to run PowerShell scripts, see PowerShell Scripting.

Source:
https://support.microsoft.com/en-us/help/4482416/wsus-synchronization-fails-with-soapexception

Deprecating Support for TLS 1.0 / 1.1 – Improving Encryption Strength and your Security Posture

TLS Background 

Transport Layer Security or TLS provides privacy and data integrity for applications communicating over the Internet. It can be used in many Internet services today such as VPN, Email Exchange, and most commonly, Web Services (HTTPS). There have been 2 released versions of Secure Sockets Layer (SSL) and 4 versions of TLS spanning the last 25 years of security advancements. Each successive release addresses security vulnerabilities or weaknesses in a prior release: 

  • SSLv2 documented in RFC 6176, released in 1995 
  • SSLv3 documented in RFC 6101, released in 1996  
  • TLS1.0 documented in RFC 2246, released in 1999 
  • TLS1.1 documented in RFC 4346, released in 2006 
  • TLS1.2 documented in RFC 5246, released in 2008 
  • TLS1.3 documented in RFC 8446, released in 2018 

Current TLS Support 

Our mission within Cisco Umbrella has always been to provide powerful security solutions that are easy to deploy and simple to manage. To maintain the simplicity for our customers and provide for the most backwards compatibility for those running legacy or unpatched operating systems, Cisco Umbrella has previously chosen to continue supporting all TLS Protocols 1.0 or later, deprecating only specific weak / insecure ciphers. 

What’s Changing? 

Cisco Umbrella will deprecate support for all TLS / SSL versions prior to version 1.2 on March 31st, 2020. After this date customers will be unable to connect without leveraging a TLS1.2 compatible client.   

Why change now?  

There are a few compelling events that caused us to re-evaluate our risk evaluation of TLS1.0 / 1.1.  

1 – Apple, Google, Microsoft, and Mozilla announced in October of 2018 that they will deprecate support for TLS1.1 and prior within their browsers, forcing all TLS communications to be TLS1.2 or higher on March 31st, 2020.   

2 – As of June 2018, the Payment Card Industry Security Standards Council (PCI-SSC) officially began enforcement of a new policy requiring any sites certified under PCI-DSS to deprecate TLS1.0 and any SSLv2/v3 configurations. While they will allow TLS1.1, there is a strong recommendation to implement only TLS1.2 and later protocols.   

3 – As of 2014, the National Institute of Standards and Technology (NIST) formalized policy 800-52 which requires US Government Agencies to adopt TLS1.2 and deprecate use of TLS1.1 and before.

Upon re-evaluation of the associated risks and certification landscape, Cisco determined that now is the time to complete deprecations for anything prior to TLS1.2. 

Source:
https://umbrella.cisco.com/blog/2019/09/06/deprecating-support-for-tls-1-0-1-1-improving-encryption-strength-and-your-security-posture/

Offline install of .NET Framework 3.5 in Windows 10 using DISM

You can use the Deployment Image Servicing and Management (DISM) command-line tool to create a modified image to deploy .NET Framework 3.5.

 Important

For images that will support more than one language, you must add .NET Framework 3.5 binaries before adding any language packs. This order ensures that .NET Framework 3.5 language resources are installed correctly in the reference image and available to users and applications.

Using DISM with Internet connectivity

Requirements

For an online reference image that can access Windows Update

  1. Open a command prompt with administrator user rights (Run as Administrator) in Windows 8 or Windows Server 2012.
  2. To install .NET Framework 3.5 feature files from Windows Update, use the following command:

    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All

    Use /All to enable all parent features of the specified feature. For more information on DISM arguments, see Enable or Disable Windows Features Using DISM.
  3. On Windows 8 PCs, after installation .NET Framework 3.5 is displayed as enabled in Turn Windows features on or off in Control Panel. For Windows Server 2012 systems, feature installation state can be viewed in Server Manager.

For an offline reference image

  1. Run the following DISM command (image mounted to the c:\test\offline folder and the installation media in the D:\ drive) to install .NET 3.5:

    DISM /Image:C:\test\offline /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:D:\sources\sxs

    Use /All to enable all parent features of the specified feature.

    Use /LimitAccess to prevent DISM from contacting Windows Update/WSUS.

    Use /Source to specify the location of the files that are needed to restore the feature.

    To use DISM from an installation of the Windows ADK, locate the Windows ADK servicing folder and navigate to this directory. By default, DISM is installed at C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools\. You can install DISM and other deployment and imaging tools, such as Windows System Image Manager (Windows SIM), on another supported operating system from the Windows ADK. For information about DISM-supported platforms, see DISM Supported Platforms.
  2. Run the following command to look up the status of .NET Framework 3.5 (offline image mounted to c:\test\offline):

    DISM /Image:c:\test\offline /Get-Features /Format:Table

    A status of Enable Pending indicates that the image must be brought online to complete the installation.

Using DISM with no Internet connectivity

You can use DISM to add .NET Framework 3.5 to an installation of Windows that is not connected to the Internet by giving it access to the \sources\SxS folder on the installation media.

 Warning

If you’re not relying on Windows Update as the source for installing the .NET Framework 3.5, make sure to use sources from the same corresponding Windows operating system version. Using a source path that doesn’t correspond to the same version of Windows won’t prevent a mismatched version of .NET Framework 3.5 from being installed. This can cause the system to be in an unsupported and unserviceable state.

Requirements

  • Windows 8, Windows Server 2012, or the Windows ADK tools.
  • Installation media
  • Administrator user rights. The current user must be a member of the local Administrators group to add or remove Windows features.

Steps

  1. Open a command prompt with administrator user rights (Run as Administrator).
  2. To install .NET Framework 3.5 from installation media located on the D: drive, use the following command:

    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:d:\sources\sxs

    Use /All to enable all parent features of the specified feature.

    Use /LimitAccess to prevent DISM from contacting Windows Update/WSUS.

    Use /Source to specify the location of the files that are needed to restore the feature.

    For more information on DISM arguments, see Enable or Disable Windows Features Using DISM.

On Windows 8 PCs, after installation, .NET Framework 3.5 is displayed as enabled in Turn Windows features on or off in Control Panel.
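The warning above notes that DISM itself will not stop a mismatched source from being installed, so the check has to happen before the command runs. The following PowerShell script is an added example, not part of the Microsoft article: it compares the running OS version with the version of the image on the installation media, then runs the same DISM command with /LimitAccess and reports the resulting feature state. The function names, the D:\ media location, the install.wim/install.esd file names, and the choice to compare major, minor and build numbers are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: the media root contains sources\install.wim or
# sources\install.esd, and image index 1 carries the same version as the rest.

function Get-MediaVersion {
    param([Parameter(Mandatory)][string]$MediaRoot)

    # Pick whichever image file the media ships with.
    $image = 'install.wim', 'install.esd' |
        ForEach-Object { Join-Path $MediaRoot "sources\$_" } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $image) {
        throw "No install.wim or install.esd found under $(Join-Path $MediaRoot 'sources')"
    }

    # Get-WindowsImage (DISM module) reports the version of the image at that index.
    [version](Get-WindowsImage -ImagePath $image -Index 1).Version
}

function Install-NetFx3Offline {
    param([string]$MediaRoot = 'D:\')

    $source = Join-Path $MediaRoot 'sources\sxs'
    if (-not (Test-Path $source)) { throw "Source folder not found: $source" }

    # Compare major.minor.build only; the revision number changes with every
    # cumulative update and is expected to differ from the media.
    $os    = [version](Get-CimInstance Win32_OperatingSystem).Version
    $media = Get-MediaVersion -MediaRoot $MediaRoot
    if ($os.Major -ne $media.Major -or
        $os.Minor -ne $media.Minor -or
        $os.Build -ne $media.Build) {
        throw "Media is Windows $media but this system is $os; refusing to install."
    }

    # Same command as in the steps above; /LimitAccess keeps DISM away from
    # Windows Update/WSUS so only the verified media is used as the source.
    & dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess "/Source:$source"

    # 0 = success, 3010 = success but a restart is required.
    if ($LASTEXITCODE -notin 0, 3010) {
        throw "DISM failed with exit code $LASTEXITCODE"
    }

    # Enabled or EnablePending (restart needed) are the expected results.
    (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
}

Install-NetFx3Offline -MediaRoot 'D:\'
```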

 

Source:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deploy-net-framework-35-by-using-deployment-image-servicing-and-management--dism

Full Download Offline installer:

Direct link to the .Net-3.5-Full-Setup

http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

Direct link to the .Net-3.5-SP1-Full-Setup

http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe

Cyberattack Lateral Movement Explained


[Lightly edited transcript of the video above]

Hi there, Mark Nunnikhoven from Trend Micro Research, I want to talk to you about the concept of lateral movement.

And the reason why I want to tackle this today is because I’ve had some conversations in the last few days that have really kind of hit that idea bulb that people don’t truly understand how cybercriminals get away with their crimes in the organization. Specifically how they launch their attacks.

Now don’t get me wrong, this isn’t to blame on defenders. This isn’t to blame of the general public. I’m going to go with Hollywood’s to blame a little bit here, because we’re watching movies in Hollywood inevitably…you know the hackers in their dark hat and with no lighting, underground, Lord knows where they find these places to hack from and they are attacking directly through.

You see a bunch of text go across the screen and they penetrate through the first firewall, through the second firewall, into the data. That’s not how it works at all.

That’s ridiculous. It’s absurd.

[00:59]

It makes for interesting cinema, just like the red code/green code in CSI Cyber, but it’s not a reflection of reality and that’s a real challenge. Because a lot of people don’t have the experience of working with cybersecurity, working in cybersecurity, so their only perception is what they see either through media—you know TV, movies, books—or if they happen to run into somebody in the industry. So there is an overwhelming amount of sort of information or misinformation.

Not even misinformation, just storytelling that tries to make it far more dramatic than it is. The reality is that cybercriminals are out for profit.

We know this time and time again—yes a bunch of nation-state stuff does happen but the vast majority of you are unaffected by it, same with there’s a massive amount of script-kiddie just sort of scanning random people with random tools that are just seeing what they can get away with that, and if you have solid, automated defenses that doesn’t really impact you.

What does impact you is the vast majority of organized cybercriminals who are out to make a profit. Trend Micro had a great series and continues to have a great series on the Underground, the Digital Underground that shows just how deep these profit motivations go.

This is very much a dark industry. And with that in mind we come back to the concept of lateral movement.

[02:22]

If an attacker breaches into your systems, whether they come in like a fourth of all attacks do via email whether they come in directly through a server compromise, which is about half of all breaches according to the Verizon data breach investigation report or one of the other methods that is commonly used…then they start to move around within your network.

That’s lateral movement.

We talk about north/south traffic with the network, which is basically inside the network to outside of the network, so out to the internet and back. East/west is within the network itself. Most defenses, traditional defenses worry about that north/south traffic.

Not enough worry about the east/west and it’s breaking down finally. We are getting rid of this hard perimeter. “It’s mine, I defend everything inside” …and realizing that this is actually how cybercriminals work. Once they’re inside they move around. So we need to defend in-depth and have really great monitoring and protection tools within our networks because of this challenge of lateral movement.

[03:23]

Let me give you a little easier to digest analogy. Most of us in a home have a grocery list and maybe once a week—maybe twice–we head to the grocery store and we try to get everything we want off the list and then we come back. That just makes sense.

That’s how we do it. Right? You would never think of going, “Okay. Number one of the list is ketchup. I’m going to drive to the store to get ketchup. I’m going to buy it and I’m going to come back home.

I’m going to look at item number two. I need a loaf of bread. I’m going to drive back to the store. I’m going to buy a loaf of bread and I’m going to come back and we can go to item 3, and I’m going to go and I’m going to come back. I’m going to…” That’s just ridiculous, right? That’s absolutely absurd and cybercriminals agree.

Once they’ve driven to the store. They’re going to buy everything that they need and everything that they see as an opportunity, right? They are really susceptible to those end caps and impulse buys… and then they’re going to leave.

This is how they attack our organizations.

We know that, because of the average time to detect a breach is around 197 days right now and that stat has fluctuated maybe plus or minus 15 days for the last decade.

We also know that it takes almost three…it takes two and a half to three months to actually contain a breach once you discover it and the reason for all of this is lateral movement.

Once you’re in as a cybercriminal, once you’ve made headway, once you gained a beachhead or a foothold within that network you’re going to do everything you can to expand it because it’s going to make you the most amount of money.

[04:55]

What do you think? Let us know in the comments below, hit us up on social @TrendMicro or you can reach me directly @marknca.

How are you handling lateral movement? How are you trying to reduce it? How are you looking for visibility across all of your systems?

Let’s continue this conversation because when we talk we all get better and more secure online.

source:
https://blog.trendmicro.com/cyberattack-lateral-movement-explained/

Mid-Year Update: 2019 SonicWall Cyber Threat Report

It’s almost cliché at this point, but the cyber arms race — and respective cybersecurity controls and technology — moves at an alarming pace.

For this reason, SonicWall Capture Labs threat researchers never stop investigating, analyzing and exploring new threat trends, tactics, strategies and attacks. They publish most of their findings — the data they can share publicly, anyway — in the annual SonicWall Cyber Threat Report.

But to ensure the industry and public are able to stay abreast of the quickly shifting threat landscape, the team offers a complementary mid-year update to the 2019 SonicWall Cyber Threat Report. Download the exclusive report to explore the stories, behaviors and trends that are shaping 2019 — as they are happening.

Malware volume dips in first half

In 2018, global malware volume hit a record-breaking 10.52 billion attacks, the most ever recorded by SonicWall Capture Labs threat researchers.

Fortunately, during the first six months of 2019, that trend slowed — at least somewhat. SonicWall recorded 4.8 billion* malware attacks, a 20% drop compared to the same time period last year.

Ransomware rising

Did you think ransomware was an outdated tactic? The latest 2019 data proves otherwise. Despite overall declines in malware volume, ransomware continues to pay dividends for cybercriminals.

All told, global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase. The exclusive mid-year update outlines which countries followed this trend and which were victimized by an increase in ransomware attacks.

Attacks against non-standard ports still a concern

As defined in the full 2019 SonicWall Cyber Threat Report, a ‘non-standard’ port means a service running on a port other than its default assignment, usually as defined by the IANA port numbers registry.

For the first half of 2019, 13% of all malware attacks came via non-standard ports, a slight dip due to below-normal activity in January (8%) and February (11%).

Encrypted threats intensify

In 2018, SonicWall logged more than 2.8 million encrypted threats, which was already a 27% jump over the previous year. Through the first six months of 2019, SonicWall has registered a 76% year-to-date increase.

Machine learning, multi-engine sandboxes evolving to ‘must-have’ security

So far in 2019, the multi-engine SonicWall Capture Advanced Threat Protection (ATP) cloud sandbox has exposed 194,171 new malware variants — a pace of 1,078 new variant discoveries each day of the year.

IoT malware volume doubled YTD

The speed and ferocity with which IoT devices are being compromised to deliver malware payloads is alarming. In the first half of 2019, SonicWall Capture Labs threat researchers have already recorded 13.5 million IoT attacks, which outpaces the first two quarters of last year.

Bitcoin run keeping cryptojacking in play

Late 2018 data showed cryptojacking on the decline. But with the surging values of both bitcoin and Monero, cryptojacking rebounded in 2019. Cryptojacking volume hit 52.7 million for the first six months of the year.

How do cybercurrency prices influence cryptojacking volume? The exclusive mid-year update looks deeper into the numbers.

 

Source
https://blog.sonicwall.com/en-us/2019/07/mid-year-update-2019-sonicwall-cyber-threat-report/

Windows Server 2008 End of Support: Are you Prepared?

On July 14th, 2015, Microsoft’s widely deployed Windows Server 2003 reached end of life after nearly 12 years of support. For millions of enterprise servers, this meant the end of security updates, leaving the door open to serious security risks. Now, we are fast approaching the end of life of another server operating system – Windows Server 2008 and Server 2008 R2, which will soon reach end of support on January 14, 2020.

Nevertheless, many enterprises still rely on Windows Server 2008 for core business functions such as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on these workloads for critical business applications and to support their internal services like Active Directory, File Sharing, and hosting internal websites.

What does this mean for you?

End of support for an operating system like Windows Server 2008 introduces major challenges for organizations who are running their workloads on the platform. While a small number may be ready to fully migrate to a new system or to the cloud, the reality is that most organizations aren’t able to migrate this quickly due to time, budgetary, or technical constraints. Looking back at Windows Server 2003, even nine months after the official EOS, 42% of organizations indicated they would still be using Windows Server 2003 for 6 months or more, while the remaining 58% were still in the process of migrating off of Windows Server 2003 (Osterman Research, April 2016). The same is likely to occur with the Server 2008 EOS, meaning many critical applications will continue to reside on Windows Server 2008 for the next few years, despite the greatly increased security risks.

What are the risks?

The end of support means organizations must prepare to deal with missing security updates, compliance issues, defending against malware, as well as other non-security bugs. You will no longer receive patches for security issues, or notifications of new vulnerabilities affecting your systems. With constant discovery of new vulnerabilities and exploits – 1,450 0days disclosed by the ZDI in 2018 alone – it’s all but guaranteed that we will see additions to the 1300+ vulnerabilities faced by Windows Server 2008. The lack of notifications to help monitor and measure the risk associated with new vulnerabilities can leave a large security gap.

This was the case for many organizations in the wake of the 2017 global WannaCry ransomware attack, which affected over 230,000 systems worldwide, specifically leveraging the EternalBlue exploit present in older Windows operating systems. While Microsoft did provide a patch for this, many weren’t able to apply the patches in time due to the difficulty involved in patching older systems.

What can security and IT teams do?

The most obvious solution is to migrate to a newer platform, whether that’s on-premise or using a cloud infrastructure-as-a-service offering such as AWS, Azure, or Google Cloud.

However, we know many organizations will either delay migration or leave a portion of their workloads running in a Windows Server 2008 environment for the foreseeable future. Hackers are aware of this behavior, and often view out-of-support servers as an easy target for attacks. Security teams need to assess the risk involved with leaving company data on those servers, and whether or not the data is secure by itself. If not, you need to ensure you have the right protection in place to detect and stop attacks and meet compliance on your Windows Server 2008 environment.

How can Trend Micro help?

Trend Micro Deep Security delivers powerful, automated protection that can be used to secure applications and workloads across new and end of support systems. Deep Security’s capabilities include host-based intrusion prevention, which will automatically shield workloads from new vulnerabilities, applying an immediate ‘virtual patch’ to secure the system until an official patch is rolled out – or in the case of EOS systems – for the foreseeable future.

Deep Security also helps monitor for system changes with real-time integrity monitoring and application control, and will secure your workloads with anti-malware, powered by the Trend Micro Smart Protection Network’s global threat intelligence. Deep Security’s broad platform and infrastructure support allows you to seamlessly deploy security across your physical, virtualized, cloud, and containerized workloads, protecting your end of life systems throughout and beyond your migration.

Learn how easy it is to deploy virtual patching to secure your enterprise and address patching issues.

 

Source
https://blog.trendmicro.com/windows-server-2008-end-of-support-are-you-prepared/