Blog

Trend Micro: Keep Your Smart Home Safe

Keep Your Smart Home Safe: Here’s What You Can Do Today to Secure Your Products

The Internet of Things (IoT) is transforming the way we live, work and play. You can find it in the fitness trackers you might be wearing to monitor step count and heart rate. Or the car you may be driving. But more than anywhere else, you’ll see IoT at home in an increasing array of gadgets: from voice-activated smart speakers to internet-connected baby monitors.

It’s estimated that 14.2 billion connected “things” like these are in use globally in 2019, which will rise to 25 billion in a couple of years’ time. There’s just one problem: if not properly secured, they could present hackers with new opportunities to sneak into your smart home through the cyber-front door.

So what are the risks—and how can you protect your home?

Governments take action

First, some good news: as consumers’ homes fill with ever-greater numbers of smart gadgets, governments are aware of the growing risks of cyber-attacks. In the US, California is leading the way with new legislation designed to force manufacturers to improve the security of their products. SB-327 introduces minimum requirements such as forcing each user to set a unique device password the first time they connect.

Following hot on the heels of the Golden State is the federal government. Introduced in March, the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2019 doesn’t cover all IoT makers, only ones which sell products to the government. However, it is hoped that the law will have a knock-on effect with the wider industry, encouraging other manufacturers to raise their standards.

But it’s not only the US that is making moves to safeguard IoT users. The UK in May introduced a proposed new law designed to force manufacturers to adhere to key security requirements, covering things like unique passwords and security updates. In addition, retailers will only be allowed to sell devices with a clear label telling consumers how secure they are.

While Trend Micro welcomes any government moves to make smart home gadgets more secure, the truth is that it will take a while for these laws to take effect—and even longer for them to have an impact on the firms designing and building our connected devices. The US federal proposal will require a separate standards body to hunker down and draw up its requirements first, which could take months. There’s also a risk that when new laws take effect, the hackers will simply move on to use new tactics not legislated for.

That’s why consumers must act now to secure their smart home. Below we list some of the key threats and how to take action.

What’s the problem?

The more smart gadgets there are in your home, the greater the number of potential targets for hackers. Devices could be hijacked if attackers manage to guess or crack the passwords protecting them, or exploit flaws in the underlying software (firmware) that runs them.

This is made easier because some devices don’t require a user to install a password; they simply run with an easy-to-guess factory default. Many manufacturers also don’t issue regular updates (patches) either, or if they do, it’s hard for users to find out about and install them. And unlike your laptop/desktop and mobile devices, these IoT endpoints are typically too small to install AV on, further exposing them.

Finally, it’s not just the devices themselves that are at risk, but also the complex, underlying automation systems that link them together behind the scenes. This complexity creates gaps that bad guys are adept at exploiting.

So, to simplify, there are three main threat vectors facing home networks:

1) Physical danger

Devices could be remotely controlled by attackers to surveil the family. For example, by hijacking feeds from smart security cameras, or other sensors around the house such as smart door and window locks, burglars could work out when the property is empty. They could even remotely unlock doors or windows, if these are internet-connected — for example by cloning the owner’s voice and playing commands via your home assistant.

Cases have been reported in the past of hackers remotely monitoring smart homes. In one incident, a baby monitor was hacked and used to broadcast threats to the parents; while more extensive hacks of home security cameras have had their video content streamed online.

2) Data loss and malware

These same devices are also a potential gateway into the home network, which could allow hackers to grab passwords for your key online accounts like banking and email. Any data they collect on you can be sold on the dark web and used for future identity fraud. The router is in many ways the digital gateway to your smart home — the place where all your internet traffic passes through. That makes it particularly vulnerable to these kinds of attack. As well as data theft, hackers could be looking to spread malware such as ransomware and banking trojans.

One major router threat spotted in 2018 was VPNFilter—information-stealing malware which infected at least half a million routers globally by exploiting vulnerabilities in the devices.

3) Hijacked devices become botnets

In another scenario, your smart home gadgets and router are hijacked and remotely controlled not to install ransomware or steal data from your family, but to use in attacks on others. Typically, they become part of a botnet of controlled machines which are programmed to do the bidding of the hackers. This could range from launching denial-of-service (DoS) attacks on businesses to illegally mining for crypto-currency.

The most famous example of this kind of attack came in 2016, when the Mirai campaign managed to hijack tens of thousands of IoT devices by scanning for any exposed to the internet and protected only with factory default passwords. In an infamous attack, it managed to take out a key online provider, resulting in outages at some of the biggest sites on the internet, including Twitter and Netflix.

What to do next

All that said, there are some simple steps you can take today to help reduce your exposure to IoT threats. It should begin with taking time out to understand how your devices work. Are they password protected? How are they updated? Are they running unnecessary services which may expose them to attackers? A bit of research before you buy and install them will also go a long way to keeping you safe.

Here are a few best practice tips to get you started:

  • Change factory default passwords to strong and unique credentials.
  • Switch on two-factor authentication for even more log-in protection, if offered.
  • Regularly check for firmware updates and apply them as soon as they’re available. This may require you to visit the manufacturer’s website from time to time.
  • Use WPA2 on your routers for encrypted Wi-Fi.
  • Disable UPnP and any remote management features.
  • Set up a guest network on your router, which will help protect your main network, its devices and data, from network worms and other malware inadvertently introduced by guests.
  • Protect your computers and smartphones with AV and only download legitimate smart home apps.

How Trend Micro can help

Trend Micro is here to offer you peace-of-mind when it comes to protecting your smart home. The first step is diagnostic: download our Housecall™ for Home Networks tool to check your network. It will run a comprehensive scan on all your smart home gadgets, highlighting any vulnerabilities and other risks, and providing helpful advice for keeping your network and devices secure.

Next up, install Trend Micro Home Network Security (HNS) for comprehensive protection on all your home devices. It blocks dangerous file downloads and malicious websites, protects your personal/financial data from theft, and will keep ransomware, phishing and other threats at bay. HNS provides instant threat notifications, lets you disconnect any unwanted devices from your network, and offers full control over your devices from your Android or iOS smartphone with the paired HNS monitoring app.

Watch our Trend Micro Home Network Security videos to find out more about how HNS helps protect your network.

Source:
https://blog.trendmicro.com/keep-your-smart-home-safe-heres-what-you-can-do-today-to-secure-your-products/

Ubiquiti Telnet Commands

telnet/ssh commands

UniFi Command Line Interface – Ubiquiti Networks

info                      display AP information
set-default               restore to factory default
set-inform <inform_url>   attempt inform URL (e.g. set-inform http://192.168.0.8:8080/inform)
upgrade <firmware_url>    upgrade firmware (e.g. upgrade http://192.168.0.8/unifi_fw.bin)
reboot                    reboot the AP

Source:
https://community.ubnt.com/t5/UniFi-Wireless/Telnet-commands/td-p/1338536

Dropbox Uninstall via Batch Script

Dropbox Removal via Batch Script (works for SCCM or other management systems)

I recently ran into a security issue at work where we had a number of users installing and using Dropbox on their machines. Well, this is an issue because they can take company files and upload them. So I was assigned the task of removing Dropbox and blocking it. Blocking it was simple enough, but removing it not so much. My first thought was that I would use SCCM. However, when I went to look for a way to uninstall off multiple machines at once, I found this was not supported. So I created a batch file that will perform the removal. Now I will say it is a little sloppy as it leaves behind the icon and shortcuts, and I am still currently looking for a way to remove those too, but for now the concern is taken care of as this removes and prevents users from using Dropbox. Feel free to comment any ways I can improve on this. I would love to hear it, and anything we come up with together will also be submitted to the Dropbox community.

You should download the Offline Installer.exe from Dropbox and create an application out of it but set the uninstall program field to reference the "UninstallDropbox.bat"

Then, when you deploy, set it to Action: Uninstall, Purpose: Required.

Removal:

I have attached the script.

 

Detection Method:

File
  C:\Program Files (x86)\Dropbox\
  Client
  The file system setting must exist on the target system to indicate presence of the application.

OR

Registry
  HKLM
  SOFTWARE\Classes\Dropbox.Gdoc
  <Check> Use (Default) registry key value for detection
  This registry setting must exist on the target system to indicate presence of the application.

 

Platform verified

Windows 10              Yes
Windows Server 2012     No
Windows Server 2012 R2  No
Windows Server 2008 R2  No
Windows Server 2008     No
Windows Server 2003     No
Windows Server 2016     No
Windows 8               Yes
Windows 7               No
Windows Vista           No
Windows XP              No
Windows 2000            No

Source:
https://gallery.technet.microsoft.com/Dropbox-Removal-via-SCCM-063fdd08#content

OpenDNS setup on iOS 11 devices

This Knowledge Base article will show you how to set up your iOS device in order to use OpenDNS.

 

Note:

These instructions only work for Wi-Fi connections because iOS does not allow you to change the DNS servers when connected to cellular networks. Also, the changes are network specific, so you'll need to change the DNS servers every time you connect to a new wireless network. The good news is that iOS remembers the settings, so you won't have to repeat these changes whenever you reconnect to a known network.

Also, this works the same on all iOS devices.

 

Changing your iOS device DNS settings:

  1. From the iOS device home screen, tap Settings.
  2. Tap Wi-Fi, ensure it is enabled and your wireless network is connected.
  3. Tap the (i) symbol next to your wireless network.
  4. On the screen that appears, tap the Configure DNS field.
  5. Ensure Manual is selected and delete the current DNS servers by tapping the delete symbol.
  6. Tap Add Server and enter the OpenDNS resolver 208.67.222.222. Repeat this process to add the second DNS server, 208.67.220.220.
  7. Tap Save to exit the menu.

That's it! You've updated your iOS device DNS servers!

 

source:
https://support.opendns.com/hc/en-us/articles/228008947-IOS-11-Configuration-for-OpenDNS

OpenDNS setup on Windows Server 2012 and 2012 R2

Setting up DNS Forwarding for Windows Server 2012 and 2012 R2

 

The basic instructions are as follows (the original article includes a screenshot of each step).

1. From the Start menu, start typing DNS, then select DNS from the search results.

2. Choose the server you want to edit, then select Forwarders.

3. Click the Edit button.

4. Add the OpenDNS addresses to the IP address list.

   Please write down your current DNS settings before switching to OpenDNS, in case you want to return to your old settings for any reason.

   The addresses for OpenDNS are:

     • 208.67.222.222
     • 208.67.220.220
     • 208.67.222.220
     • 208.67.220.222

5. Click OK.

6. Click OK once more.

source:

https://support.opendns.com/hc/en-us/articles/228008907-Windows-Server-2012-and-2012-R2

Sonicwall Zero Touch Deployment Firewall

SonicWall® Zero-Touch Deployment Guide
March 2019

SonicWall network security appliances are Zero-Touch enabled. Zero-Touch makes it easy to register your unit and add it to SonicWall Capture Security Center or SonicWall GMS On-Premise for management and reporting. This document describes the Zero-Touch deployment process.

Topics:
• Deploying with Zero-Touch (CSC Management)
• Deploying with Zero-Touch (GMS On-Premise)
Deploying with Zero-Touch (CSC Management)

1) Register:
• Point your browser to https://cloud.sonicwall.com and log into your MySonicWall account or create an account.
• In Capture Security Center, click the mySonicWall tile to launch the MySonicWall Dashboard.
• Click the Add Product button to launch the QUICK REGISTER dialog and then type in the serial number of your SonicWall appliance. Click Confirm. You can find the serial number and authentication code on the shipping box or appliance label.
• In the REGISTER A PRODUCT dialog, fill in the Friendly name and Authentication code, and select the Tenant Name. By default, all products are placed under SonicWall Products Tenant.
• Click Register.

2) Enable Zero-Touch and CSC Management and Reporting:
• MySonicWall recognizes your appliance model and displays the Zero Touch option. Enable Zero Touch and then click Register again. A success message is displayed to indicate Zero-Touch readiness.
• In MySonicWall, navigate to Product Management > My Products, select the appliance, and click the Try button to enable the license for CSC Management and Reporting (if not enabled already). A success message displays.

3) Connect and Power On:
• For a wireless appliance, connect the antennas.
  NOTE: The appliance must be able to obtain an IP address via DHCP from the WAN connection or ISP modem. If you need to use a static IP address, refer to the Quick Start Guide for your appliance.
• Connect the X1 interface to your WAN network.
• Power on the unit.

CSC Management automatically acquires the unit (it can take up to 30 minutes for initial acquisition). Once the unit is acquired, you can begin management.

To view the status of your appliance:
• In MySonicWall, pull down the curtain for Capture Security Center.
• Using the same Tenant as you selected during registration, click the Management tile.
• Click the appliance serial number or friendly name under DEVICE MANAGER to display its status.

Getting the Latest Firmware for the Firewall
1 In Capture Security Center, click the mySonicWall tile.
2 Navigate to Resources & Support > My Downloads and select your product firmware from the Product Type drop-down menu.
3 Click the link for the firmware you want and save the file to a location on your computer.
4 Pull down the curtain for Capture Security Center.
5 Using the same Tenant as you selected during registration, click the Management tile.
6 In DEVICE MANAGER, click on the appliance in the left pane.
7 In the center pane, go to the Register/Upgrades > Firmware Upgrade page.
8 Click the Choose File button to select the firmware you just downloaded, then click Upgrade from Local File.
Deploying with Zero-Touch (GMS On-Premise)

1) Register:
• Log into your MySonicWall account or create an account at www.mysonicwall.com.
• Click the Add Product button to launch the QUICK REGISTER dialog and then type in the serial number of your SonicWall appliance. Click Confirm. You can find the serial number and authentication code on the shipping box or appliance label.
• In the REGISTER A PRODUCT dialog, fill in the Friendly name and Authentication code, and select the Tenant Name. By default, all products are placed under SonicWall Products Tenant.
• Click Register.

2) Enable Zero-Touch:
• MySonicWall recognizes your appliance model and displays the Zero Touch option. Enable Zero Touch.
• Select the desired GMS Public IP from the GMS Server Public IP/FQDN drop-down list. The ZeroTouch Agent Public IP/FQDN field is populated with the associated IP address.
• Click Register.

3) Connect and Power On:
• For a wireless appliance, connect the antennas.
• Connect the X1 interface to your WAN network.
  PREREQUISITE: GMS 8.7 or higher is required. Be sure that your GMS system is Zero-Touch enabled. Refer to the knowledge base article at: https://www.sonicwall.com/support/knowledge-base/?sol_id=190205183052590
  IMPORTANT: Verify that both of these IP addresses (the GMS Server Public IP/FQDN and the ZeroTouch Agent Public IP/FQDN from step 2) are the same as those you configured during the prerequisite process.
  NOTE: The appliance must be able to obtain an IP address via DHCP from the WAN connection or ISP modem. If you need to use a static IP address, refer to the Quick Start Guide for your appliance.
• Power on the unit.

GMS automatically acquires the unit (it can take up to 30 minutes for initial acquisition). Once the unit is acquired, you can begin management.

To view the status of your appliance:
• Log into GMS and navigate to the FIREWALL view.
• Click on the appliance in the left pane to display the status.

Getting the Latest Firmware for the Firewall
1 In a web browser, navigate to www.mysonicwall.com.
2 Navigate to Resources & Support > My Downloads and select your product firmware from the Product Type drop-down menu.
3 Click the link for the firmware you want and save the file to a location on your computer.
4 In GMS, navigate to the FIREWALL view and click on the appliance in the left pane.
5 In the center pane, go to the Manage > Register/Upgrades > Firmware Upgrade page.
6 Click the Choose File button to select the firmware you just downloaded, then click Upgrade from Local File.
SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.

The Support Portal enables you to:
• View knowledge base articles and technical documentation
• View video tutorials
• Access MySonicWall
• Learn about SonicWall professional services
• Review SonicWall Support services and warranty information
• Register for training and certification
• Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.

 

Source:
https://www.sonicwall.com/support/technical-documentation/zero-touch-deployment-guide.pdf

Configure Google Drive File Stream

Configure Drive File Stream

You can specify custom options for Drive File Stream, including the default drive letter on Windows, the mount point on macOS, the cache location, bandwidth limits, and proxy settings. These configurations can be set at the user or host level, and persist when Drive File Stream restarts.

Where to update settings

To set the Drive File Stream options, you update registry keys (Windows) or use the defaults command (macOS). If you’re not familiar with making these updates, contact your administrator or check your operating system documentation. Additionally, administrators can choose to set override values that end users can't change.

Windows

Host-wide   HKEY_LOCAL_MACHINE\Software\Google\DriveFS
User only   HKEY_CURRENT_USER\Software\Google\DriveFS
Override    HKEY_LOCAL_MACHINE\Software\Policies\Google\DriveFS

macOS

Host-wide   /Library/Preferences/com.google.drivefs.settings
User only   ~/Library/Preferences/com.google.drivefs.settings
Override    /Library/Managed Preferences/com.google.drivefs.settings.plist

macOS examples

Host-wide mount point:
sudo defaults write /Library/Preferences/com.google.drivefs.settings DefaultMountPoint '/Volumes/Google Drive File Stream'

Host-wide trusted certificates file:
sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootCertsFile /Library/MyCompany/DriveFileStream/MyProxyCert.pem

User maximum download bandwidth:
defaults write com.google.drivefs.settings BandwidthRxKBPS -int 100

User-enabled browser authentication:
defaults write com.google.drivefs.settings ForceBrowserAuth -bool true

Settings

Set these name/value pairs using the registry keys or defaults command, as described above. On Windows, create the registry keys if they don't already exist. On macOS, the defaults command maintains a plist file for settings. You should not modify the plist file directly, as some changes might not be applied.

Setting name / Value type / Value description

AutoStartOnLogin*
  Value type: DWORD (Windows), Bool (macOS)
  Start Drive File Stream automatically on session login.

BandwidthRxKBPS
  Value type: DWORD (Windows), Number (macOS)
  Maximum downstream kilobytes per second.

BandwidthTxKBPS
  Value type: DWORD (Windows), Number (macOS)
  Maximum upstream kilobytes per second.

ContentCachePath
  Value type: String
  Sets the path to the content cache location on a connected APFS, HFS+, or NTFS file system.
  When Drive File Stream restarts, local data in the old content cache will move to the new content cache location. If you delete your custom setting, data will move back to the default location.
  The default cache location is:
    Windows: %LOCALAPPDATA%\Google\DriveFS
    Mac: ~/Library/Application Support/Google/DriveFS

ContentCacheMaxKbytes
  Value type: QWORD (Windows), Number (macOS)
  Sets the limit on content cache size in kilobytes. The limit is capped at 20% of the available space on the hard drive (regardless of the setting value). The setting does not apply to files made available offline or files that are in the process of uploading.
  This setting is only available for admins, as an override or host-wide setting.

DefaultMountPoint
  Value type: String
  Windows: Set the mounted drive letter. You can use an environment variable to specify the drive letter.
  macOS: Set the mounted drive path. You can include tilde (~) or environment variables in the path.

DisableRealTimePresence*
  Value type: DWORD (Windows), Bool (macOS)
  Disables real-time presence in Microsoft Office.
  This can also be disabled for organizational units from the Admin console. See step 3 of Deploy Drive File Stream.

ForceBrowserAuth*
  Value type: DWORD (Windows), Bool (macOS)
  Use browser authentication.
  If your organization uses security keys or SSO, this setting may resolve sign-in problems.

MinFreeDiskSpaceKBytes
  Value type: QWORD (Windows), Number (macOS)
  Controls the amount of local space used by Drive File Stream's cache. Stops writing content to the disk when free disk space gets below this threshold, in kilobytes.

Proxy settings:

DisableSSLValidation*
  Value type: DWORD (Windows), Bool (macOS)
  This disables validating SSL traffic. Traffic will still be encrypted, but we will not validate that the SSL certificates of the upstream servers are all valid.
  Only settable host-wide.

TrustedRootCertsFile
  Value type: String
  This is the full path to an alternate file to use for validating host SSL certificates. It must be in Privacy Enhanced Mail (PEM) format. Set this if your users are on networks with decrypting proxies.
  The file should contain the contents of the roots.pem file shipped with Drive File Stream, plus the certificates used to authenticate your proxy. These additions should correspond to the proxy-signing certificates you added to the certificate stores in your fleet of machines.
  You can find roots.pem in:
    \Program Files\Google\DriveFS\<version>\config\roots.pem (Windows)
    /Applications/Google\ Drive\ File\ Stream.app/Contents/Resources/roots.pem (macOS)
  Only settable host-wide.

DisableCRLCheck*
  Value type: DWORD (Windows), Bool (macOS)
  This disables checking Certificate Revocation Lists (CRLs) provided by certificate authorities.
  If not explicitly set, this defaults to true if TrustedRootCertsFile is provided, otherwise false. Sites that use self-signed certificates for their content inspection proxies typically don’t provide a CRL.
  Enterprises that specify a CRL in their proxy certificate can explicitly set DisableCRLCheck to 0 for the added check.

* For boolean values, use 1 for true and 0 for false (Windows), or use true and false (macOS).
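The proxy-related settings above interact: DisableSSLValidation turns certificate checking off entirely, TrustedRootCertsFile is the safer way through a decrypting proxy, and DisableCRLCheck silently defaults to true once a root file is set. The following is an added example, not Google's code: it audits a proposed settings set against those rules using a plain dictionary (it does not read the registry or call defaults), and the scope names "host", "user" and "override", the function names, the weak and hardened sample settings and the PEM stub are all constructed for the example.

```python
# Audit Drive File Stream settings against the rules stated in the settings table.
# Added example (not Google's code); settings are modelled as a dict and scope is
# one of "host", "user" or "override" (names chosen for this example).

# Settings the table marks as "Only settable host-wide".
HOST_ONLY = {"DisableSSLValidation", "TrustedRootCertsFile"}
# Settings the table marks as admin-only (override or host-wide, never user scope).
ADMIN_ONLY = {"ContentCacheMaxKbytes"}
# Starred settings: 1/0 on Windows, true/false on macOS.
BOOL_SETTINGS = {"AutoStartOnLogin", "DisableRealTimePresence", "ForceBrowserAuth",
                 "DisableSSLValidation", "DisableCRLCheck"}

# Constructed sample: the weak way through a decrypting proxy (no validation at all) ...
WEAK_HOST_SETTINGS = {"DisableSSLValidation": 1, "BandwidthRxKBPS": 100}
# ... and the hardened form from the table: trust the proxy's signing certificate explicitly
# and keep CRL checking on because the proxy certificate publishes a CRL.
HARDENED_HOST_SETTINGS = {
    "TrustedRootCertsFile": r"C:\MyCompany\DriveFileStream\MyProxyCert.pem",  # constructed path
    "DisableCRLCheck": 0,
    "BandwidthRxKBPS": 100,
}
# Constructed stand-in for the contents of the file TrustedRootCertsFile points at.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n"
              "-----END CERTIFICATE-----\n")


def effective_disable_crl_check(settings):
    """DisableCRLCheck, when not set explicitly, is true iff TrustedRootCertsFile is provided."""
    if "DisableCRLCheck" in settings:
        return bool(settings["DisableCRLCheck"])
    return "TrustedRootCertsFile" in settings


def effective_cache_cap_kbytes(settings, free_disk_kbytes):
    """The cache limit is capped at 20% of available disk space regardless of the setting."""
    hard_cap = free_disk_kbytes // 5
    requested = settings.get("ContentCacheMaxKbytes")
    if requested is None:
        return hard_cap
    return min(int(requested), hard_cap)


def looks_like_pem(text):
    """Minimal PEM sanity check: at least one BEGIN/END CERTIFICATE pair."""
    return ("-----BEGIN CERTIFICATE-----" in text
            and "-----END CERTIFICATE-----" in text)


def audit(settings, scope, trusted_roots_text=None):
    """Return (severity, message) findings for a settings dict applied at the given scope."""
    findings = []
    for name, value in settings.items():
        if name in HOST_ONLY and scope != "host":
            findings.append(("error", f"{name} is only settable host-wide, not at {scope} scope"))
        if name in ADMIN_ONLY and scope == "user":
            findings.append(("error", f"{name} is admin-only (override or host-wide setting)"))
        if name in BOOL_SETTINGS and value not in (0, 1, True, False):
            findings.append(("error", f"{name} must be 1/0 (Windows) or true/false (macOS)"))
    if settings.get("DisableSSLValidation"):
        findings.append(("high", "DisableSSLValidation removes upstream certificate validation; "
                                 "prefer TrustedRootCertsFile with the proxy's signing certificate"))
    if "TrustedRootCertsFile" in settings:
        if trusted_roots_text is None or not looks_like_pem(trusted_roots_text):
            findings.append(("error", "TrustedRootCertsFile must point to a PEM bundle "
                                      "(roots.pem plus the proxy certificates)"))
        if effective_disable_crl_check(settings):
            findings.append(("info", "CRL checks are off (the default once TrustedRootCertsFile is set); "
                                     "set DisableCRLCheck to 0 if the proxy certificate publishes a CRL"))
    return findings


if __name__ == "__main__":
    for label, cfg, pem in (("weak", WEAK_HOST_SETTINGS, None),
                            ("hardened", HARDENED_HOST_SETTINGS, SAMPLE_PEM)):
        print(label, audit(cfg, "host", pem))
    print("effective CRL check disabled:", effective_disable_crl_check({"TrustedRootCertsFile": "x"}))
    print("cache cap KB:", effective_cache_cap_kbytes({"ContentCacheMaxKbytes": 50_000_000}, 100_000_000))
```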


Source:

https://support.google.com/a/answer/7644837

Attackers Use Legacy IMAP Protocol to Bypass Multifactor Authentication in Cloud Accounts, Leading to Internal Phishing and BEC


Threats to cloud-based applications have been growing, and passwords — the traditional method used to secure accounts — are often no longer enough to protect users from the dangers that they potentially face. The need for more comprehensive security in cloud-based applications has led to vendors offering multifactor authentication (MFA) as an integral feature of their products and services. By using MFA, users limit the risk that an attacker will gain control of their accounts by spreading authentication across multiple devices.

However, while MFA provides an additional layer of security for protecting account access, it’s not a fool-proof feature. For example, a recent study from Proofpoint examined brute-force attacks against user accounts in major cloud services. The attacks reportedly took advantage of legacy email protocols, phishing, and credential dumps to bypass MFA.

Notably, attackers were able to abuse legacy protocols — most commonly the IMAP authentication protocol — to bypass even multifactor authentication. The study noted that the IMAP protocol can be abused under certain situations, such as when users employ third-party email clients that do not have modern authentication support. IMAP abuse can also be performed in two other cases: when the targets do not implement application passwords, and when it is done against shared email accounts where IMAP is not blocked and/or MFA cannot be used. The report also said these attacks can often go undetected, since they look like failed logins rather than external attempts. Threat actors use these accounts as entry points into the system, after which lateral movement is carried out via internal phishing and BEC to expand their reach within the organization.

The six-month study saw over 72 percent of cloud tenants being targeted at least once by attackers, while 40 percent had at least one compromised account within their system. Even more concerning, 15 out of every 10,000 active user accounts were successfully breached. Hijacked servers and routers were used as the main attack platforms, with the network devices gaining access to approximately one new tenant every 2.5 days during a 50-day period.

Roughly 60 percent of the tenants involved in the study that were using Microsoft Office 365 and G Suite were targeted with the password-spraying attacks via IMAP, and 25 percent fell victim to a successful breach.
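The pattern described above leaves two traces in a tenant's sign-in logs: successful logins over a protocol that never prompted for MFA, and a single source quietly trying one password against many accounts (which per-account lockout rules miss). The following is an added example, not code from Proofpoint's study or from Trend Micro: it runs both checks over a constructed JSON-lines sign-in log whose field names (timestamp, user, source_ip, client_app, result) are an assumption chosen for the example rather than any vendor's schema.

```python
# Detect legacy-protocol (IMAP) sign-ins and password spraying in sign-in logs.
# Added example; the log format below is a constructed, simplified JSON-lines shape.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that accept only a username and password, so a correct password
# logs in without any MFA prompt (IMAP is the one the study saw most).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP"}

# Constructed sample log: one source IP spraying a password across many accounts
# over IMAP with one hit on a shared mailbox, then ordinary browser traffic.
SAMPLE_LOG = "\n".join([
    '{"timestamp": "2019-03-10T02:00:00Z", "user": "alice@example.com", "source_ip": "203.0.113.7", "client_app": "IMAP4", "result": "failure"}',
    '{"timestamp": "2019-03-10T02:00:05Z", "user": "bob@example.com", "source_ip": "203.0.113.7", "client_app": "IMAP4", "result": "failure"}',
    '{"timestamp": "2019-03-10T02:00:11Z", "user": "carol@example.com", "source_ip": "203.0.113.7", "client_app": "IMAP4", "result": "failure"}',
    '{"timestamp": "2019-03-10T02:00:17Z", "user": "dave@example.com", "source_ip": "203.0.113.7", "client_app": "IMAP4", "result": "failure"}',
    '{"timestamp": "2019-03-10T02:00:23Z", "user": "shared-ap@example.com", "source_ip": "203.0.113.7", "client_app": "IMAP4", "result": "success"}',
    '{"timestamp": "2019-03-10T09:15:00Z", "user": "alice@example.com", "source_ip": "198.51.100.20", "client_app": "Browser", "result": "success"}',
    '{"timestamp": "2019-03-10T09:16:00Z", "user": "alice@example.com", "source_ip": "198.51.100.20", "client_app": "Browser", "result": "failure"}',
    '{"timestamp": "2019-03-10T09:16:30Z", "user": "alice@example.com", "source_ip": "198.51.100.20", "client_app": "Browser", "result": "success"}',
])


def parse_events(text):
    """Parse JSON-lines sign-in events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["timestamp"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return events


def legacy_auth_successes(events):
    """Successful sign-ins over legacy protocols: each one was never challenged for MFA."""
    return [ev for ev in events
            if ev.get("client_app") in LEGACY_CLIENT_APPS and ev.get("result") == "success"]


def detect_spraying(events, window=timedelta(minutes=10), min_users=4):
    """Find source IPs that touch many distinct accounts inside one time window.

    Spraying shows up as scattered failed logins across accounts rather than
    many failures on one account, so the detector counts distinct users per
    source IP, not attempts per user. Returns {ip: sorted list of targeted users}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["source_ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["timestamp"])
        best = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span is at most `window`.
            while evs[end]["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            findings[ip] = sorted(best)
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in legacy_auth_successes(evs):
        print("legacy-protocol success:", ev["user"], "from", ev["source_ip"])
    for ip, users in detect_spraying(evs).items():
        print("password spraying from", ip, "against", len(users), "accounts:", users)
```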

As more companies across industries adopt cloud-based services, it’s expected that cybercriminals will go after accounts for cloud-based platforms. Once an account has been compromised, whether through hacking or brute force, the account could be used to communicate with executives and their staff. Internal BEC emails could trick the targets into transferring funds and personal or corporate data or downloading malicious files. Compromised email accounts, for example, had been found replying to email threads to deliver malware. These BEC attempts can be difficult to detect given that they come from legitimate (though compromised) email accounts.

A feature such as MFA is only one part of an effective multilayered security implementation. Organizations looking to boost their security can start with these best practices:

  • Passwords still have a role to play as a component of multifactor authentication. Ensure that users have passwords that are strong and regularly changed to stay protected from brute-force attacks. This could mean using at least 12 characters with a mix of upper and lowercase letters, numbers, and special characters. Ask users to avoid common or easily guessable passwords, or passwords that reveal obvious information such as names or birthdates.
  • Educate employees on how to identify phishing attacks. Common indicators that an email is a phishing attempt include suspicious-looking email addresses and the presence of misspellings and typographical errors.
  • Furthermore, attackers often try to make their phishing attempts as convincing as possible. Thus, users should avoid giving out personal and company information unless they are absolutely certain that the person or group they are communicating with is legitimate.

Given that cybercriminals use compromised accounts and internal BEC emails, organizations should also consider the use of security solutions designed to combat the growing threat. Trend Micro’s existing BEC protection uses AI, including expert rules and machine learning to analyze email behavior and intention. The new and innovative Writing Style DNA technology goes further by using machine learning to recognize the DNA of an executive’s writing style based on past written emails. Designed for high-profile users who are prone to being spoofed, Writing Style DNA technology can detect forged emails when the writing style of an email does not match that of the supposed sender. The technology is used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™ solutions to cross-match the email content’s writing style to the sender’s by taking into account the following criteria: capital letters, short words, punctuation marks, function words, word repeats, distinct words, sentence length, and blank lines, among 7,000 other writing characteristics.

Source
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/attackers-use-legacy-imap-protocol-to-bypass-multifactor-authentication-in-cloud-accounts-leading-to-internal-phishing-and-bec

Easier Wi-Fi Planning, Security and Management from the Cloud

Wi-Fi access is ubiquitous, but it’s not always easy to plan, deploy, secure and manage, especially for distributed businesses and enterprises.

SonicWall believes there’s an easier approach. Our product teams have revamped our Wi-Fi management solutions with innovation at its foundation. Top-of-mind during the entire process, our focus was on evolving our Wi-Fi technology in four key areas: security, performance, simplicity and intuitiveness.

On paper, those sound obvious. But we wanted to be sure the execution matched the vision — to remove all the complexity without impacting the end-user experience. The outcome of this effort is four new SonicWall wireless solutions:

  • SonicWall WiFi Cloud Manager
  • SonicWall SonicWave 200 Series Wireless Access Points
  • SonicWiFi Mobile App
  • SonicWall WiFi Planner

Intuitive wireless management for the next era

One of the constant nightmares for network admins is an unmanageable network. As your network expands, policies change and threats increase, it is often difficult to keep pace.

Discovering an outage only after it has happened — or malware only after it has crept into your network — is disastrous. SonicWall arms you with the right tool to gain insights into your network and keep pace with changing network requirements.

SonicWall WiFi Cloud Manager is an intuitive, scalable and centralized Wi-Fi network management system suitable for networks of any size. With simplified management, wireless analytics is richer and easily accessible from anywhere with an internet connection. The cloud-based management solution is designed to be user-friendly and resilient while simplifying access, control and troubleshooting capabilities.

With a fresh UI, WiFi Cloud Manager can be accessed via SonicWall Capture Security Center to deliver powerful features and simplified onboarding via the cloud from a single pane of glass. Centralized visibility and control over SonicWall’s wired and wireless networking hardware reduces complexity and the need for costly overlay management systems. It can also be deployed across multiple regions for greater network visibility into distributed enterprises.

For network admins on the go, SonicWall introduces the SonicWiFi mobile app to set up and monitor your network. Easily onboard your APs and set up mesh with this app. It is available on iOS and Android.

Advanced wireless security — with or without a firewall

Organizations, big and small, need secure wireless solutions for extending connectivity to employees, customers and guests. The new SonicWave 200 series wireless access points deliver enterprise-level performance and security with the range and reliability of 802.11ac Wave 2 technology at an affordable price.

Built on industry-leading next-gen security, these APs feature a dedicated third radio for security scanning. In fact, advanced security features like Content Filtering Service (CFS) and the Capture Advanced Threat Protection (ATP) sandbox service can be performed on the AP itself, enabling organizations to mitigate cyberattacks even where firewalls aren’t deployed.

SonicWave 200 access points are available in three options, including 231c for indoor, 231o for outdoor and 224w for wall-mount requirements.

Manage dozens or even thousands of SonicWave wireless access points from anywhere you have an internet connection via the cloud or through the firewalls, providing you ultimate flexibility.

The SonicWall WiFi Cloud Manager provides you a single-pane-of-glass view of your entire wireless network. SonicWave access points also support SonicWall Zero-Touch Deployment, which allows the access points to be automatically identified and registered. SonicWiFi mobile app also lets you set up, manage and keep track of your network.

SonicWave access points leverage mesh technology to negate complexity from wireless expansion, especially at remote or distributed locations. Mesh networks are easy to set up, effortless to expand, and require fewer cables and less manpower to deploy, reducing installation costs. The new push-and-snap mounting bracket further adds to the ease of installation.

Easily plan and deploy your wireless networks

IT administrators often hear complaints about unreliable Wi-Fi connectivity leading to poor user experiences. This is mostly because Wi-Fi networks are not designed correctly to begin with. AP placements could be wrong, there may be radio frequency barriers or there simply isn’t enough capacity and coverage.

SonicWall WiFi Planner is a simple, easy-to-use, advanced wireless site survey tool that enables you to optimally design and deploy a wireless network for enhanced wireless user experience.

This tool lets you customize your settings per your surroundings and requirements to obtain maximum coverage with the fewest number of access points. You can prevent interference in your deployment on a best-effort basis through auto-channel assignment.

With a cloud-based UI, you also have the flexibility to collaborate with global teams. It is ideal for new access point deployments or for ensuring excellent coverage in your existing wireless network. Available at no added cost, SonicWall WiFi Planner is accessible through WiFi Cloud Manager.

Together, these products deliver a powerful wireless solution, paving the way for the next era of wireless security. Welcome to the future of wireless security.


Source
https://blog.sonicwall.com/en-us/2019/02/easier-wi-fi-planning-security-management-from-the-cloud/

Use a Local Administrator Account for Remote Administration

Local administrator accounts are commonly configured with the same password across all devices in corporate environments, making it easy for attackers to own every device if the password is compromised. Microsoft’s security baseline templates block remote use of local accounts because until Local Administrator Password Solution (LAPS) was released in 2015, there was no mechanism for securely managing local administrator accounts. LAPS is a free tool from Microsoft that randomizes local admin passwords every 30 days and stores them securely in Active Directory for each computer account.

The risk posed by local administrator accounts can be managed by manually setting a random password on each device and then recording it in a spreadsheet. But that doesn’t address the issue of changing passwords periodically and requires you to make sure the spreadsheet isn’t accessed by malicious or unauthorized users. LAPS solves these problems, ensuring that local administrator accounts remain secure and can’t be used by hackers to laterally move around your network.

For more information on using LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri. Microsoft’s security baseline templates for Windows and Windows Server are available as part of the Security Compliance Toolkit.

Despite the convenience LAPS provides for managing local admin accounts, IT helpdesk staff often use a domain account that is granted administrator rights on each workstation in the domain. While this account doesn’t need to be a privileged domain account, i.e. not a member of Domain Admins or other privileged AD group, the account could still be used to compromise every workstation in the domain.

Local Accounts for Remote Administration

In a blog post by Aaron Margosis, Microsoft recommends that organizations consider unblocking remote use of local administrator accounts if LAPS or another password management solution is in place, and if you want to use local accounts for remote administration. Otherwise you should continue to block remote use of local accounts.

Margosis says that if a helpdesk user wants to remotely access a workstation, it is more secure to retrieve the local administrator password from AD than to use a domain account. If the local admin password is compromised, any damage is limited to that device. Some remote access tools expose credentials when logging in to remote systems, so IT helpdesk account credentials could be compromised.

If you decide to unblock remote use of local accounts, there are three Group Policy settings that need to be changed:

  • Deny access to this computer from the network
  • Deny log on through Remote Desktop Services
  • Apply UAC restrictions to local accounts on network logon

The first two settings can be found under Windows Settings\Security Settings\Local Policies\User Rights Assignment and should be set to empty. The third is a custom setting that’s part of the baseline templates (SecGuide.admx). It can be found under Administrative Templates\MS Security Guide and should be set to Disabled.

As you can see, there are some definite advantages to using LAPS-managed local administrator accounts for remote access. The only drawbacks that I can see are that it requires some administrative effort for helpdesk staff to retrieve local admin passwords from AD every time they need to log in, as opposed to getting quick access with a domain account. Secondly, using a shared, non-personal account to log in means we don’t have a record of who accessed the device with administrative privileges. You can work around this by enabling auditing of access to LAPS passwords in AD and resetting passwords after each use. Both these tasks can be accomplished using the PowerShell Set-AdmPwdAuditing and Reset-AdmPwdPassword cmdlets respectively.
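The following PowerShell is an added example, not code from the Petri post or from Microsoft. It ties together the workflow the post describes: enable auditing of LAPS password reads for an OU, retrieve the LAPS password for one workstation, use it for a local (non-domain) remote session, and expire the password afterwards so the retrieved secret is single-use. It also includes a check, meant to be run on the workstation itself, for the three Group Policy settings listed above. It assumes the LAPS client tooling (the AdmPwd.PS module) is installed on the admin host and that the caller has been delegated read and reset rights on the computer objects; the OU distinguished name, computer name and the function names are placeholders I chose for the example.

```powershell
# Added example (not from the original post). Assumes the AdmPwd.PS module from the
# LAPS installer is present and the caller may read/reset LAPS passwords.
Import-Module AdmPwd.PS

# 1. Audit who reads LAPS passwords in this OU. Reads of the ms-Mcs-AdmPwd attribute
#    are then logged by the domain controller's Security log.
#    'OU=Workstations,DC=example,DC=local' is a placeholder distinguished name.
Set-AdmPwdAuditing -OrgUnit 'OU=Workstations,DC=example,DC=local' `
                   -AuditedPrincipals 'Everyone'

# 2. Helpdesk workflow: fetch the password, use it once, then force a rotation.
#    (Connect-WithLapsPassword is a name chosen for this example.)
function Connect-WithLapsPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$LocalAdminName = 'Administrator',
        [scriptblock]$Work = { Get-Service -Name WinDefend }
    )
    # Read the current password stored on the computer account in AD
    $laps = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $laps.Password) { throw "No LAPS password stored for $ComputerName" }

    $secure = ConvertTo-SecureString -String $laps.Password -AsPlainText -Force
    # The '.\' prefix forces a local-account logon rather than a domain logon
    $cred = New-Object System.Management.Automation.PSCredential(".\$LocalAdminName", $secure)

    try {
        $session = New-PSSession -ComputerName $ComputerName -Credential $cred
        Invoke-Command -Session $session -ScriptBlock $Work
        Remove-PSSession -Session $session
    }
    finally {
        # Mark the password as expired now; the LAPS client sets a new random
        # password at its next Group Policy refresh, so this one cannot be reused.
        Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    }
}

# 3. Run ON the workstation: confirm the three settings the post lists are in the
#    state required for remote use of local accounts.
#    (Test-LocalAccountRemoteAccess is a name chosen for this example.)
function Test-LocalAccountRemoteAccess {
    # "Apply UAC restrictions to local accounts on network logon" (SecGuide.admx)
    # writes LocalAccountTokenFilterPolicy: Enabled = 0, Disabled = 1.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -ErrorAction SilentlyContinue
    $uacRestrictionDisabled = ($sys.LocalAccountTokenFilterPolicy -eq 1)

    # Export the effective user rights assignment and look for the two "Deny" rights.
    # When a right is assigned to nobody, secedit omits its line entirely.
    $inf = Join-Path $env:TEMP 'laps-check-secpol.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = Get-Content -Path $inf
    Remove-Item -Path $inf -Force

    $denyNetwork = $rights | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    $denyRdp     = $rights | Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight\s*=' }

    [pscustomobject]@{
        UacRestrictionDisabled  = $uacRestrictionDisabled
        DenyNetworkLogonIsEmpty = (-not $denyNetwork)
        DenyRdpLogonIsEmpty     = (-not $denyRdp)
    }
}

# Usage (placeholder computer name):
# Connect-WithLapsPassword -ComputerName 'WKS-001'
# Test-LocalAccountRemoteAccess
```

The `finally` block is the point of the example: whatever happens in the session, the password that a helpdesk user just saw in clear text is expired, which is what makes the audit trail from `Set-AdmPwdAuditing` meaningful, since each password read now corresponds to one use. `Test-LocalAccountRemoteAccess` is a read-only check; it does not change any of the three settings, which should still be applied through Group Policy as the post describes.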


Source
https://www.petri.com/use-a-local-administrator-account-for-remote-administration