Top 5 Security Misconfigurations Causing Data Breaches in 2023

Edward Kost
updated May 15, 2023

Security misconfigurations are a common and significant cybersecurity issue that can leave businesses vulnerable to data breaches. According to the latest data breach investigation report by IBM and the Ponemon Institute, the average cost of a breach has peaked at US$4.35 million. Many data breaches are caused by avoidable errors like security misconfiguration. By following the tips in this article, you could identify and address a security error that could save you millions of dollars in damages.

Learn how UpGuard can help you detect data breach risks >

What is a Security Misconfiguration?

A security misconfiguration occurs when a system, application, or network device’s settings are not correctly configured, leaving it exposed to potential cyber threats. This could be due to default configurations left unchanged, unnecessary features enabled, or permissions set too broadly. Hackers often exploit these misconfigurations to gain unauthorized access to sensitive data, launch malware attacks, or carry out phishing attacks, among other malicious activities.

What Causes Security Misconfigurations?

Security misconfigurations can result from various factors, including human error, lack of awareness, and insufficient security measures. For instance, employees might configure systems without a thorough understanding of security best practices, security teams might overlook crucial security updates due to the growing complexity of cloud services and infrastructures.

Additionally, the rapid shift to remote work during the pandemic has increased the attack surface for cybercriminals, making it more challenging for security teams to manage and monitor potential vulnerabilities.

List of Common Types of Security Configurations Facilitating Data Breaches

Some common types of security misconfigurations include:

1. Default Settings

With the rise of cloud solutions such as Amazon Web Services (AWS) and Microsoft Azure, companies increasingly rely on these platforms to store and manage their data. However, using cloud services also introduces new security risks, such as the potential for misconfigured settings or unauthorized access.

A prominent example of insecure default software settings that could have facilitated a significant breach is the Microsoft Power Apps data leak incident of 2021. By default, Power Apps portal data feeds were set to be accessible to the public.

Unless developers specified for OData feeds to be set to private, virtually anyone could access the backend databases of applications built with Power Apps. UpGuard researchers located the exposure and notified Microsoft, who promptly addressed the leak. UpGuard’s detection helped Microsoft avoid a large-scale breach that could have potentially compromised 38 million records.

Read this whitepaper to learn how to prevent data breaches >

2. Unnecessary Features

Enabling features or services not required for a system’s operation can increase its attack surface, making it more vulnerable to threats. Some examples of unnecessary product features include remote administration tools, file-sharing services, and unused network ports. To mitigate data breach risks, organizations should conduct regular reviews of their systems and applications to identify and disable or remove features that are not necessary for their operations.

Additionally, organizations should practice the principle of least functionality, ensuring that systems are deployed with only the minimal set of features and services required for their specific use case.

3. Insecure Permissions

Overly permissive access controls can allow unauthorized users to access sensitive data or perform malicious actions. To address this issue, organizations should implement the principle of least privilege, granting users the minimum level of access necessary to perform their job functions. This can be achieved through proper role-based access control (RBAC) configurations and regular audits of user privileges. Additionally, organizations should ensure that sensitive data is appropriately encrypted both in transit and at rest, further reducing the risk of unauthorized access.

4. Outdated Software

Failing to apply security patches and updates can expose systems to known vulnerabilities. To protect against data breaches resulting from outdated software, organizations should have a robust patch management program in place. This includes regularly monitoring for available patches and updates, prioritizing their deployment based on the severity of the vulnerabilities being addressed, and verifying the successful installation of these patches.

Additionally, organizations should consider implementing automated patch management solutions and vulnerability scanning tools to streamline the patching process and minimize the risk of human error.

5. Insecure API Configurations

APIs that are not adequately secured can allow threat actors to access sensitive information or manipulate systems. API misconfigurations – like the one that led to T-Mobile’s 2023 data breach, are becoming more common. As more companies move their services to the cloud, securing these APIs and preventing the data leaks they facilitate is becoming a bigger challenge.

To mitigate the risks associated with insecure API configurations, organizations should implement strong authentication and authorization mechanisms, such as OAuth 2.0 or API keys, to ensure only authorized clients can access their APIs. Additionally, organizations should conduct regular security assessments and penetration testing to identify and remediate potential vulnerabilities in their API configurations.

Finally, adopting a secure software development lifecycle (SSDLC) and employing API security best practices, such as rate limiting and input validation, can help prevent data breaches stemming from insecure APIs.

Learn how UpGuard protects against third-party breaches >

How to Avoid Security Misconfigurations Impacting Your Data Breach Resilience

To protect against security misconfigurations, organizations should:

1. Implement a Comprehensive Security Policy

Implement a cybersecurity policy covering all system and application configuration aspects, including guidelines for setting permissions, enabling features, and updating software.

2. Implement a Cyber Threat Awareness Program

An essential security measure that should accompany the remediation of security misconfigurations is employee threat awareness training. Of those who recently suffered cloud security breaches, 55% of respondents identified human error as the primary cause.

With your employees equipped to correctly respond to common cybercrime tactics that preceded data breaches, such as social engineering attacks and social media phishing attacks, your business could avoid a security incident should threat actors find and exploit an overlooked security misconfiguration.

Phishing attacks involve tricking individuals into revealing sensitive information that could be used to compromise an account or facilitate a data breach. During these attacks, threat actors target account login credentials, credit card numbers, and even phone numbers to exploit Multi-Factor authentication.

Learn the common ways MFA can be exploited >

Phishing attacks are becoming increasingly sophisticated, with cybercriminals using automation and other tools to target large numbers of individuals. 

Here’s an example of a phishing campaign where a hacker has built a fake login page to steal a customer’s banking credentials. As you can see, the fake login page looks almost identical to the actual page, and an unsuspecting eye will not notice anything suspicious.

Real Commonwealth Bank Login Page
Real Commonwealth Bank Login Page.
Fake Commonwealth Bank Login Page
Fake Commonwealth Bank Login Page

Because this poor cybersecurity habit is common amongst the general population, phishing campaigns could involve fake login pages for social media websites, such as LinkedIn, popular websites like Amazon, and even SaaS products. Hackers implementing such tactics hope the same credentials are used for logging into banking websites.

Cyber threat awareness training is the best defense against phishing, the most common attack vector leading to data breaches and ransomware attacks.

Because small businesses often lack the resources and expertise of larger companies, they usually don’t have the budget for additional security programs like awareness training. This is why, according to a recent report, 61% of small and medium-sized businesses experienced at least one cyber attack in the past year, and 40% experienced eight or more attacks.

Luckily, with the help of ChatGPT, small businesses can implement an internal threat awareness program at a fraction of the cost. Industries at a heightened risk of suffering a data breach, such as healthcare, should especially prioritize awareness of the cyber threat landscape.

Learn how to implement an internal cyber threat awareness campaign >

3. Use Multi-Factor Authentication

MFA and strong access management control to limit unauthorized access to sensitive systems and data.

Previously compromised passwords are often used to hack into accounts. MFA adds additional authentication protocols to the login process, making it difficult to compromise an account, even if hackers get their hands on a stolen password

4. Use Strong Access Management Controls

Identity and Access Management (IAM) systems ensure users only have access to the data and applications they need to do their jobs and that permissions are revoked when an employee leaves the company or changes roles.

The 2023 Thales Dara Threat Report found that 28% of respondents found IAM to be the most effective data security control preventing personal data compromise.

5. Keep All Software Patched and Updated

Keep all environments up-to-date by promptly applying patches and updates. Consider patching a “golden image” and deploying it across your environment. Perform regular scans and audits to identify potential security misconfigurations and missing patches.

An attack surface monitoring solution, such as UpGuard, can detect vulnerable software versions that have been impacted by zero-days and other known security flaws.

6. Deploy Security Tools

Security tools, such as intrusion detection and prevention systems (IDPS) and security information and event management (SIEM) solutions, to monitor and respond to potential threats.

It’s essential also to implement tools to defend against tactics often used to complement data breach attempts, for example. DDoS attacks – a type of attack where a server is flooded with fake traffic to force it offline, allowing hackers to exploit security misconfigurations during the chaos of excessive downtime.

Another important security tool is a data leak detection solution for discovering compromised account credentials published on the dark web. These credentials, if exploited, allow hackers to compress the data breach lifecycle, making these events harder to detect and intercept.

Dara leaks compressing the data breach lifecycle.

Learn how to detect and prevent data leaks >

7. Implement a Zero-Trust Architecture

One of the main ways that companies can protect themselves from cloud-related security threats is by implementing a Zero Trust security architecture. This approach assumes all requests for access to resources are potentially malicious and, therefore, require additional verification before granting access.

Learn how to implement a Zero-Trust Architecture >

A Zero-Trust approach to security assumes that all users, devices, and networks are untrustworthy until proven otherwise.

8. Develop a Repeatable Hardening Process

Establish a process that can be easily replicated to ensure consistent, secure configurations across production, development, and QA environments. Use different passwords for each environment and automate the process for efficient deployment. Be sure to address IoT devices in the hardening process. 

These devices tend to be secured with their default factory passwords, making them highly vulnerable to DDoS attacks.

9. Implement a Secure Application Architecture

Design your application architecture to obfuscate general access to sensitive resources using the principle of network segmentation.

Learn more about network segmentation >

Cloud infrastructure has become a significant cybersecurity issue in the last decade. Barely a month goes by without a major security breach at a cloud service provider or a large corporation using cloud services.

10. Maintain a Structured Development Cycle

Facilitate security testing during development by adhering to a well-organized development process. Following cybersecurity best practices this early in the development process sets the foundation for a resilient security posture that will protect your data even as your company scales.

Implement a secure software development lifecycle (SSDLC) that incorporates security checkpoints at each stage of development, including requirements gathering, design, implementation, testing, and deployment. Additionally, train your development team in secure coding practices and encourage a culture of security awareness to help identify and remediate potential vulnerabilities before they make their way into production environments.

11. Review Custom Code

If using custom code, employ a static code security scanner before integrating it into the production environment. These scanners can automatically analyze code for potential vulnerabilities and compliance issues, reducing the risk of security misconfigurations.

Additionally, have security professionals conduct manual reviews and dynamic testing to identify issues that may not be detected by automated tools. This combination of automated and manual testing ensures that custom code is thoroughly vetted for security risks before deployment.

12. Utilize a Minimal Platform

Remove unused features, insecure frameworks, and unnecessary documentation, samples, or components from your platform. Adopt a “lean” approach to your software stack by only including components that are essential for your application’s functionality.

This reduces the attack surface and minimizes the chances of security misconfigurations. Furthermore, keep an inventory of all components and their associated security risks to better manage and mitigate potential vulnerabilities.

13. Review Cloud Storage Permissions

Regularly examine permissions for cloud storage, such as S3 buckets, and incorporate security configuration updates and reviews into your patch management process. This process should be a standard inclusion across all cloud security measures. Ensure that access controls are properly configured to follow the principle of least privilege, and encrypt sensitive data both in transit and at rest.

Implement monitoring and alerting mechanisms to detect unauthorized access or changes to your cloud storage configurations. By regularly reviewing and updating your cloud storage permissions, you can proactively identify and address potential security misconfigurations, thereby enhancing your organization’s data breach resilience.

How UpGuard Can Help

UpGuard’s IP monitoring feature monitors all IP addresses associated with your attack surface for security issues, misconfigurations, and vulnerabilities. UpGuard’s attack surface monitoring solution can also identify common misconfigurations and security issues shared across your organization and its subsidiaries, including the exposure of WordPress user names, vulnerable server versions, and a range of attack vectors facilitating first and third data breaches.

UpGuard's Risk Profile feature displays security vulnerabilities associated with end-of-life software.
UpGuard’s Risk Profile feature displays security vulnerabilities associated with end-of-life software.

To further expand its mitigation of data breach threat categories, UpGuard offersa data leak detection solution that scans ransomware blogs on the dark web for compromised credentials, and any leaked data could help hackers breach your network and sensitive resources.

UpGuard's ransomware blog detection feature.
UpGuard’s ransomware blog detection feature.

Source :
https://www.upguard.com/blog/security-misconfigurations-causing-data-breaches

How to Build Network Security for Your Business in 2023

28.06.2023

Network security is paramount for businesses of all sizes. With the ever-evolving threat landscape and increasing cyber-attacks, it is crucial to implement robust network security measures to safeguard sensitive data, protect customer information, and ensure uninterrupted operations.

Read on to discover the concept of network security for businesses in 2023. We will also discuss various strategies, tools, and best practices to build secure network infrastructure.

What is Network Security for Businesses?

Network security for businesses refers to a set of measures and practices implemented to protect a company’s computer network from unauthorized access, data breaches, and other cyber threats.

It involves safeguarding the network infrastructure, including hardware, software, and data, by implementing layers of security controls.

Network security also aims to maintain the confidentiality, integrity, and availability of the network, ensuring that only authorized users can access resources and sensitive information while preventing malicious actors from compromising the system. 

The following points cover what you need to know about network security:

How Does Network Security Work? 

Network security operates on multiple layers and employs numerous technologies and protocols to safeguard the network infrastructure. 

For example:

  • Firewalls act as a barrier between an internal network and external networks, monitoring and controlling incoming and outgoing network traffic based on predefined security rules. They examine data packets, filter out potential threats, and prevent unauthorized access to the network. 
  • Virtual Private Networks (VPNs) establish secure, encrypted connections over public networks, such as the Internet, allowing remote users to access the company’s network resources securely. By encrypting data transmitted between the user and the network, business VPNs protect sensitive information from interception and unauthorized access. 
  • Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) tools monitor network traffic in real-time, identifying, and alerting administrators about potential security breaches, anomalies, or malicious activities. IDS identifies threats, while IPS actively blocks or mitigates attacks. 
  • Secure Web Gateways (SWGs) provide secure web browsing by filtering internet traffic, blocking malicious websites, preventing malware downloads, and enforcing acceptable use policies. They protect users from web-based threats and help maintain a secure browsing environment.
  • Zero Trust assumes that no user or device within or outside the network is inherently trustworthy. It enforces strict access controls, verifies identities, and continuously evaluates trustworthiness, even for users and devices inside the network perimeter. Zero Trust architecture reduces the attack surface and enhances overall network security. 

These are just a few examples of the mechanisms employed in network security. Businesses often implement a combination of technologies and strategies tailored to their specific needs and risk profiles.

The key is to establish multiple layers of security controls that work together to detect, prevent, and mitigate threats to the network infrastructure.

Benefits of Network Security For Businesses

Implementing robust network security measures, as outlined in the provided sources, offers several benefits to businesses as follows:

  • Protection of sensitive data: As mentioned above, network security measures, such as firewalls, VPNs, and encryption, play a vital role in safeguarding sensitive data. They help protect customer information, financial records, and proprietary data from unauthorized access, data breaches, and theft. By implementing these measures, businesses can ensure the confidentiality and integrity of their data, preserving customer trust and complying with data protection regulations.
  • Continuity of operations: Network security measures contribute to the smooth functioning of business operations. By detecting and mitigating potential risks and threats, businesses can prevent disruptions caused by malware, DDoS attacks, or unauthorized access attempts. This leads to improved productivity, reduced downtime, and minimized financial losses associated with network outages or data breaches. Network security solutions, such as SIEM systems and intrusion detection/prevention systems, enable businesses to proactively monitor and respond to security incidents, maintaining operational continuity 
  • Meeting regulatory requirements: compliance with industry-specific standards, such as HIPAA for healthcare or GDPR for data privacy, is crucial for avoiding penalties and maintaining the trust of customers and partners. Implementing robust network security measures, including vulnerability scanning and regular software updates, helps businesses adhere to these standards and protect sensitive information.

In summary, the implementation of strong network security measures, as recommended by the provided sources, ensures the protection of sensitive data, maintains operational continuity, and facilitates regulatory compliance for businesses. These benefits contribute to the overall security posture of the organization and help build trust with customers and partners.

Potential Dangers to Business Network Security

Business network security faces numerous potential dangers today. Cyber-attacks pose a significant threat, with attackers employing techniques such as phishing, malware, and ransomware to gain unauthorized access, compromise data, and disrupt operations.

Insider threats from internal employees or contractors can also jeopardize network security, ranging from accidental data breaches to intentional malicious activities. Weak passwords and authentication practices create vulnerabilities, allowing attackers to exploit credentials.

Additionally, the explosion of Bring Your Own Device (BYOD) policies and mobile devices introduces new risks, including device loss or theft. Cloud security is another concern, as misconfigurations or vulnerabilities in cloud platforms can lead to data breaches.

Understanding and addressing these potential dangers is vital for businesses to protect their assets, maintain operational continuity, and safeguard their reputation. Lastly, implementing robust cloud security measures such as encryption, access controls, and regular security assessments helps safeguard data and applications in the cloud.

By understanding and proactively addressing these potential dangers, businesses can fortify their network security defenses and mitigate risks effectively.

Some of the main threats to consider are:

Viruses

Viruses are malicious software programs designed to replicate themselves and infect other files or systems. They can spread via email attachments, infected websites, or removable storage devices.

Once a virus infects a business network, it can cause major damage, including data corruption, system crashes, and unauthorized access.

Viruses often exploit software vulnerabilities or user actions, such as clicking on infected links or downloading malicious files.

To protect against viruses, businesses should deploy up-to-date antivirus software that can detect and remove known viruses. Regular software updates, employee training on safe browsing habits, and caution when opening email attachments or downloading files are essential preventive measures.

Spyware

Spyware is software that secretly gathers information about a user’s activities, usually without their knowledge or consent. Spyware can monitor keystrokes, capture login credentials, track web browsing habits, and collect sensitive data.

It can be installed through malicious downloads, infected websites, and even bundled with legitimate software. Once installed, spyware operates in the background, compromising user privacy and potentially exposing sensitive business information.

Preventive measures against spyware include using reputable antivirus and anti-spyware software, regularly scanning systems for malware, and educating employees about safe online practices. Firewalls and web filters can also help block access to malicious websites known for distributing spyware.

Worms

Worms are self-replicating malware that spread through computer networks without requiring user intervention. They work by exploiting vulnerabilities in network protocols or software to gain unauthorized access and propagate rapidly.

Worms can consume network bandwidth, disrupt system performance, and deliver payloads such as additional malware or remote-control functionality. To defend against worms, businesses should regularly update operating systems and software to patch known vulnerabilities.

Network segmentation and strong access controls limit the spread of worms within the network. Intrusion detection and prevention systems (IDS/IPS) help detect and block worm-related activities, and firewalls can be configured to filter incoming and outgoing traffic to prevent worm propagation.

Adware

Adware is software that displays unwanted advertisements, often in the form of pop-ups, on a user’s device. Today, adware is commonly bundled with free software or downloaded unknowingly from malicious websites.

It can slow down system performance, consume network bandwidth, and compromise user privacy. In some cases, adware may even track user behavior and collect personal information for targeted advertising purposes.

Preventing adware requires implementing robust security measures such as using reputable antivirus software, exercising caution when downloading software from unfamiliar sources, and regularly scanning devices for malware.

Browser extensions or plugins that block or filter unwanted advertisements can also help mitigate the risks associated with adware.

Trojans

Trojans (taken from the concept of Trojan horses) are deceptive programs that masquerade as legitimate software or files to fool users into executing them. Once activated, these Trojans can grant unauthorized access to attackers, enabling them to steal sensitive data, install additional malware, or control the infected system remotely.

Trojans are often spread through email attachments, malicious downloads, or compromised websites. To protect against Trojans, businesses need to implement strong email security measures, including spam filters and email authentication protocols.

Regularly updating software, using reputable antivirus software, and educating employees about safe browsing habits and email hygiene are crucial in preventing Trojan infections.

Ransomware

Ransomware is a type of malware that encrypts a user’s files or entire systems, rendering them inaccessible until a ransom is paid to the attacker. Ransomware attacks can have severe consequences, including financial loss, operational disruption, and reputational damage.

Attackers often exploit vulnerabilities in software or use social engineering techniques to trick users into downloading or executing the malware.

Preventing ransomware requires a multi-layered approach, including regular backups of critical data, implementing strong email security measures, keeping systems and software up to date, and educating employees about phishing techniques and safe computing practices.

Network segmentation and robust access controls help limit the spread of ransomware within the network, and security solutions such as advanced endpoint protection and behavior-based detection can aid in early detection and mitigation.

By understanding the potential dangers posed by viruses, spyware, worms, adware, Trojans, and ransomware, businesses can implement comprehensive security measures to mitigate these risks.

Regular software updates, employee training, strong access controls, and deploying reputable security solutions are essential in maintaining a secure network environment and protecting sensitive business data.

Types of Network Security Solutions

As you have already read, protecting your business network from cyber threats is of paramount importance. Various types of network security solutions have emerged to safeguard organizations’ sensitive data and critical systems. From access control to cloud network security, these solutions form the foundation of a robust network defense strategy.

Below, we explore the most commonly available network security solutions, each addressing specific vulnerabilities and providing unique protective measures.

Access Control

Access control is the foundation of network security, ensuring that only authorized individuals can access sensitive resources and information. By implementing user authentication mechanisms such as strong passwords, multi-factor authentication, and access privilege management, businesses can enforce strict control over network access and reduce the risk of unauthorized entry.

Application Security

Application security focuses on protecting software and web applications from vulnerabilities and exploitation. This involves implementing secure coding practices, regularly updating applications, and utilizing web application firewalls (WAFs) to detect and block potential threats. By securing applications, businesses can prevent breaches that exploit application weaknesses.

Anti-Virus and Anti-Malware

To combat the evolving landscape of malware and viruses, businesses should deploy robust anti-virus and anti-malware solutions. These software applications scan files, emails, and websites for malicious code and remove or quarantine any detected threats. Regular updates and real-time scanning help ensure protection against the latest malware strains.

Firewalls

Firewalls are the most common first line of defense for network security. They monitor and control both incoming and outgoing network traffic based on predefined security rules. They also establish a barrier between trusted internal networks and external networks, effectively blocking unauthorized access and potentially malicious connections.

Intrusion Prevention Systems (IPS)

IPS solutions detect and prevent unauthorized access attempts and network attacks in real time. By monitoring network traffic for known attack signatures or anomalous behavior, IPS systems can take immediate action to block and mitigate potential threats, enhancing network security.

Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments, creating barriers that limit unauthorized access and the lateral movement of threats. By implementing network segmentation, businesses can contain breaches, reduce the impact of successful attacks, and protect critical resources.

Mobile Security

Mobile security measures include implementing mobile device management (MDM) solutions, enforcing strong passwords, encrypting data, and deploying remote wipe capabilities to protect sensitive information if a device is lost or stolen.

VPN (Virtual Private Network)

VPN creates a secure, encrypted connection over a public network, enabling users to access the company’s network resources remotely. By utilizing a VPN, businesses can ensure that data transmitted between remote users and the network remains secure, protecting sensitive information from interception.

Web Security

Web security solutions protect businesses from web-based threats, such as malicious websites, phishing attempts, and drive-by downloads. These solutions include web filtering, content scanning, and URL categorization, effectively preventing employees from accessing dangerous websites and reducing the risk of infection.

Data Loss Prevention

Data loss prevention (DLP) solutions help businesses protect sensitive information from unauthorized access, accidental exposure, or intentional data theft. By implementing DLP measures, such as encryption, access controls, and content monitoring, organizations can identify, monitor, and prevent the unauthorized transmission or storage of sensitive data. This can help dramatically reduce the risk of data breaches and compliance violations.

Behavioral Analytics

Behavioral analytics utilizes machine learning (ML) and artificial intelligence (AI) algorithms to detect anomalous user behavior within a network. By establishing baselines of normal behavior, these solutions can identify deviations that may indicate insider threats or compromised accounts.

Behavioral analytics enhances network security by providing real-time threat detection and response capabilities.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is a security model that assumes no trust, even for users and devices within the network perimeter. It verifies each user and device, granting access only to authorized resources based on granular policies. ZTNA enhances network security by reducing the attack surface and providing secure access control, regardless of the user’s location or network connection.

Sandboxing

Sandboxing involves isolating potentially malicious files, programs, or activities in a controlled environment to analyze their behavior without risking harm to the network. By executing files within a sandbox, businesses can detect and mitigate threats such as zero-day exploits, malware, and ransomware before they can cause damage.

Hyperscale Network Security

Hypersecale network security refers to security measures designed to protect highly scalable and distributed network architectures, such as those found in cloud environments. It involves implementing security measures that can scale dynamically to accommodate the ever-changing demands of large-scale networks, ensuring robust protection against cyber threats.

Cloud Network Security

Cloud network security involves implementing security controls and solutions specifically designed for cloud environments. It includes measures such as encryption, access controls, data loss prevention, and security monitoring to safeguard data and applications hosted in the cloud.

Email Security

Email remains a common entry point for cyber-attacks. Email security solutions include spam filters, anti-phishing measures, attachment scanning, and encryption. By implementing robust email security measures, businesses can prevent malicious emails from reaching users’ inboxes and protect against email-based threats such as phishing and malware.

In conclusion: by considering and implementing a comprehensive range of network security solutions, businesses can significantly enhance their defenses against modern cyber threats. However, it is essential to tailor these solutions to your organization’s specific needs and regularly update and test them to ensure their effectiveness in safeguarding your network, data, and sensitive assets.

With a proactive and layered approach to network security, businesses can mitigate risks and maintain a secure digital environment.

How to Build Your Network Security

Building a strong network security infrastructure is crucial in order to establish comprehensive security measures that address potential vulnerabilities and safeguard against cyber threats.  

Here are 12 best practices for how to go about it:

Monitor Traffic

  • Implement network monitoring tools to gain visibility into network traffic.
  • Analyze and identify abnormal and/or suspicious activities indicative of potential security breaches.
  • Monitor both inbound and outbound traffic to detect and respond to threats promptly.

Run Network Audits Regularly

  • Conduct regular network audits to assess the overall security posture of your network.
  • Identify and address any vulnerabilities, misconfigurations, or outdated security protocols.
  • Review access controls, firewall rules, and network segmentation to ensure they align with your security requirements.

Stay Informed on New Threats

  • Stay updated with the latest security trends, vulnerabilities, and attack techniques.
  • Subscribe to security bulletins, follow reputable security blogs, and participate in industry forums to stay informed.
  • Regularly assess your network security measures against emerging threats and adapt your defenses accordingly.

Build and Update Your Firewall and Antivirus

  • Deploy a robust firewall solution to monitor and control network traffic based on predefined security policies.
  • Regularly update firewall rules to incorporate new security requirements and address emerging threats.
  • Utilize reputable anti-virus software and keep it up to date to protect against malware, viruses, and other malicious software.

Use MFA (Multi-Factor Authentication)

  • Implement multi-factor authentication to add an extra layer of security to user login processes.
  • Require users to provide additional verification factors, such as a unique code or biometric information, along with their credentials.
  • MFA significantly reduces the risk of unauthorized access even if passwords are compromised.

Implement Single Sign-On (SSO)

  • Deploy a single sign-on solution to streamline user authentication across multiple applications and services.
  • SSO reduces the number of passwords users need to remember, simplifies access management, and enhances security by enforcing strong authentication practices.

Train Employees Regularly

  • Provide regular security awareness training to employees to educate them about common security threats and best practices.
  • Train employees on identifying phishing emails, handling sensitive information, and practicing secure browsing habits.
  • Encourage employees to report any security incidents or suspicious activities promptly.

Create Secure Passwords

  • Educate employees about the importance of strong passwords and enforce password policies.
  • Encourage the use of complex passwords with a mix of uppercase and lowercase letters, numbers, and special characters.
  • Implement password management tools to securely store and manage passwords.

Disable File Sharing Outside of File Servers

  • Restrict file sharing to designated file servers or secure collaboration platforms.
  • Disable or restrict file-sharing features on endpoints to prevent unauthorized access or accidental exposure of sensitive data.

Backup Your Data

  • Regularly back up your critical data to a secure, offsite location.
  • Implement automated backup solutions to ensure data availability in the event of a system failure, natural disaster, or cyber-attack.
  • Test data restoration processes periodically to ensure the integrity and reliability of backups.

Update Router Firmware

  • Keep your router’s firmware up to date to address security vulnerabilities and take advantage of the latest security features.
  • Enable automatic firmware updates or establish a regular schedule to ensure timely updates.

Create Data Recovery Plans

  • Develop comprehensive data recovery plans to outline procedures for restoring data and resuming operations after a security incident or system failure.
  • Test and refine these plans regularly to ensure they are effective

Make Your Business a Fortress Against Cyber Threats

Businesses today absolutely must prioritize network security. By implementing a multi-layered approach, embracing emerging technologies, educating employees, and maintaining regular security practices, organizations can build a strong fortress against cyber threats.

This ongoing commitment to network security not only protects sensitive data and ensures operational continuity but also fosters trust with customers and partners. Need a hand? Book a demo today!

FAQs

How is network security used in business? 

Network security involves implementing a range of security measures, such as firewalls, intrusion detection systems, encryption, access controls, and user authentication, to safeguard networks from unauthorized access, data breaches, malware, and other cyber threats. Network security also plays a vital role in regulatory compliance and maintaining the trust of customers and partners.

How do I secure my business network?

Securing a business network involves implementing a combination of technical and organizational measures. Here are some essential steps to secure your business network:

– Use strong network security solutions, such as firewalls, antivirus software, and intrusion detection systems.
– Implement strong access controls, including strong passwords, multi-factor authentication (MFA), and role-based access controls.
– Regularly update software and firmware to patch vulnerabilities and address security flaws.
– Train employees on security best practices, such as identifying phishing emails, practicing safe browsing habits, and protecting sensitive data.
– Segment your network to isolate critical systems and limit the impact of a potential breach.
– Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
– Conduct regular network assessments and audits to identify vulnerabilities and address them promptly.
– Develop an incident response plan to effectively respond to and mitigate security incidents.
– Regularly back up critical data and test data restoration procedures to ensure data availability and quick recovery in case of a breach or system failure.
– Stay informed about the latest security threats and trends and adapt your security measures accordingly.

What are the 5 types of network security?

The five types of network security are:

1. Perimeter Security: This includes measures such as firewalls, intrusion detection systems, and virtual private networks (VPNs) to protect the network’s perimeter from unauthorized access and external threats.

2. Endpoint Security: Endpoint security focuses on securing individual devices connected to the network, such as laptops, smartphones, and IoT devices. It involves implementing antivirus software, patch management, and encryption to protect endpoints from malware and unauthorized access.

3. Network Access Control (NAC): NAC ensures that only authorized devices and users can connect to the network. It verifies the identity and security posture of devices before granting network access, enforcing security policies, and minimizing the risk of unauthorized or compromised devices accessing the network.

4. Data Security: Data security involves protecting sensitive information from unauthorized access, alteration, or theft. It includes encryption, access controls, data loss prevention (DLP), and backup and recovery strategies to safeguard critical data.

5. Security Monitoring and Incident Response: This type of security focuses on detecting and responding to security incidents. It includes security monitoring tools, intrusion detection and prevention systems (IDPS), security information and event management (SIEM), and incident response plans to identify, mitigate, and recover from security breaches.

What are the 3 elements of network security?

The three elements of network security are commonly referred to as the CIA triad, which stands for:

1. Confidentiality: Confidentiality ensures that sensitive data is protected from unauthorized access and disclosure. Encryption, access controls, and secure transmission protocols are used to maintain the confidentiality of information.

2. Integrity: Integrity ensures that data remains unaltered and trustworthy throughout its lifecycle. Data integrity measures, such as digital signatures, checksums, and access controls, prevent unauthorized modifications or tampering of data.

3. Availability: Availability ensures that network resources and services are accessible and operational when needed. Network security measures, such as redundancy, load balancing, and disaster recovery plans, are implemented to minimize downtime and ensure continuous availability.

Source :
https://www.perimeter81.com/blog/network/network-security-for-business

What is Firewall Design?

27.07.2023

firewall is a network security device designed to monitor and control network traffic flow based on predetermined security rules. It acts as a barrier, selectively allowing or blocking incoming and outgoing network connections to protect the internal network from external threats. Essentially, a firewall ensures that only authorized and secure connections are made by filtering network traffic based on defined criteria.

Firewalls operate using a combination of rule-based filtering and packet inspection techniques. When network traffic passes through a firewall, it undergoes scrutiny based on various parameters, including source and destination IP addresses, ports, protocols, and the state of connections.

The Importance of Firewall Design for Network Security

So how does firewall design impact your network security? Here are the top reasons.

Protecting Against Unauthorized Access

One of the primary functions of firewall design is to prevent unauthorized access to an organization’s network resources. Firewalls act as gatekeepers, examining incoming and outgoing network traffic and enforcing access control policies based on predefined rules.

Identifying and configuring firewalls carefully will help organizations prevent unauthorized access by ensuring that only legitimate connections are allowed.

Mitigating Cyber Threats

Firewalls employ packet filtering, deep packet inspection, and stateful inspection to analyze network traffic and identify potential threats. They can detect and block suspicious or malicious traffic. Organizations can reduce the risk of successful attacks and protect their networks and sensitive information.

Preventing Data Breaches

Data breaches can severely affect organizations, resulting in financial losses, reputational damage, and legal liabilities. Firewall design prevents data breaches by monitoring and controlling network traffic. Also, firewall design principles advocate for network segmentation, which helps contain potential breaches and limit the impact on critical assets.

Enforcing Security Policies

Firewall design allows organizations to enforce and manage their security policies effectively. Organizations can align firewall configurations with security objectives and compliance requirements by defining rules and access controls.

Firewall policies can be customized based on traffic, user roles, and data sensitivity. Regular review and updates of firewall policies can ensure the effectiveness of their security measures.

Compliance with Regulations

Compliance with industry regulations and data protection laws is crucial for organizations across various sectors. Firewall design plays a significant role in achieving compliance by implementing security controls and access restrictions mandated by regulatory frameworks.

Organizations can demonstrate their commitment to protecting sensitive data by enforcing policies in line with GDPR, HIPAA, or PCI DSS regulations.

Characteristics of a Firewall

1. Physical Barrier

A firewall is a physical barrier between an internal network and the external world. It inspects incoming and outgoing network traffic, allowing or blocking connections based on predetermined security rules. By serving as a protective boundary, a firewall helps safeguard the internal network from unauthorized access and potential threats.

2. Multi-Purpose

A firewall is a versatile security tool that performs various functions beyond basic network traffic filtering. It can support additional security features, such as intrusion detection/prevention systems, VPN connectivity, antivirus scanning, content filtering, and more. This multi-purpose nature enables firewalls to provide comprehensive security measures tailored to an organization’s needs.

3. Security Platform

Firewalls serve as a security platform by integrating different security mechanisms into a unified system. They combine packet filtering, stateful inspection, application-level gateways, and other security technologies to protect against cyber threats. By functioning as a consolidated security platform, firewalls offer a layered defense strategy against potential attacks.

4. Flexible Security Policies

Firewalls offer flexible security policy implementation, allowing organizations to define and enforce customized rules and access controls. These policies can be based on various factors, including source/destination IP addresses, ports, protocols, user identities, and time of day.

With the ability to tailor security policies to specific requirements, organizations can effectively manage network traffic and adapt to evolving security needs.

5. Access Handler

A firewall acts as an access handler by controlling and managing network access permissions. It determines what connections are allowed or denied using predefined rules and policies. By regulating access to network resources, a firewall ensures that only authorized users and devices can establish connections, reducing the risk of unauthorized access and potential data breaches.

Firewall Design Principles

It is important to remember certain principles when designing a firewall to ensure its effectiveness in safeguarding network security. These principles serve as guidelines for architects and administrators, helping them design robust firewall architectures that protect against unauthorized access and potential threats.

  • Defense-in-Depth Approach: A fundamental principle in firewall design is adopting a defense-in-depth strategy. Rather than relying solely on a single firewall, organizations should deploy multiple firewalls, intrusion detection/prevention systems, and other security measures to create a layered defense architecture. 
  • Least Privilege Principle: The principle of least privilege is crucial in firewall design to minimize the potential attack surface. It advocates granting the minimum level of privileges and access necessary for users and systems to perform their required functions. This minimizes exposure to potential threats and reduces the risk of unauthorized access or malicious activities.
  • Rule Set Optimization: Firewall rule set optimization is another important design principle. As firewalls employ rule-based filtering mechanisms, regularly reviewing and optimizing the rule sets is essential. This involves removing unnecessary or redundant rules, consolidating overlapping rules, and organizing rules logically and efficiently. 
  • Secure Default Configurations: Firewall design should prioritize secure default configurations to ensure a strong foundation for network security. Default settings often allow all traffic, leaving the network vulnerable to attacks. Secure defaults are a starting point for designing effective firewall policies and help prevent misconfigurations that may lead to security gaps.
  • Regular Monitoring and Updates: Monitoring and updating firewalls are critical principles in firewall design. Regular monitoring allows organizations to promptly detect and respond to security incidents, identify unauthorized access attempts, and analyze network traffic patterns. 

7 Steps to Designing the Perfect Firewall For Your Business

Designing an effective firewall for your business requires careful planning and consideration of specific requirements. This section presents a step-by-step approach to creating the perfect firewall. 

1. Identify Requirements

The first step in designing a firewall is to identify the specific requirements of your business. This involves understanding the network topology, the types of applications and services in use, the security objectives, and any regulatory or compliance requirements.

2. Outline Policies

The next step is to outline the firewall policies based on the requirements. You can decide which traffic is allowed or denied for each source and destination address, port, protocol, and role using rules and access controls.

3. Set Restrictions

Setting restrictions involves configuring the firewall to enforce the outlined policies. This may include blocking certain types of traffic, implementing intrusion prevention mechanisms, enabling VPN connectivity, or configuring content filtering rules.

4. Identify the Deployment Location

This involves determining whether the firewall will be placed at the network perimeter, between internal segments, or within a demilitarized zone (DMZ), depending on the network architecture and security requirements.

5. Identify Firewall Enforcement Points

Identifying firewall enforcement points involves determining where the firewall will be implemented within the network topology. This includes considering factors such as the location of critical assets, the flow of network traffic, and the points where the firewall can effectively inspect and control the traffic.

6. Identify Permitted Communications

As part of the design process, it is important to identify the permitted communications the firewall will allow. This includes identifying the necessary communication channels for business-critical applications, remote access requirements, and any specific exceptions to the firewall policies.

7. Launch

Lastly, launch the firewall and ensure all configurations are correct. This includes testing the firewall’s functionality, monitoring its performance, and conducting regular audits to ensure compliance with security policies and industry best practices.

Safeguarding Networks with Strong Firewall Design – Protect Your Business Today

Take charge of your network security today and safeguard your business from cyber threats. Don’t wait for a security breach to occur—proactively design and deploy a powerful firewall that acts as a shield, protecting your network and ensuring the continuity of your operations.

Take the first step towards a secure network—consult with experts, assess your requirements, and design a robust firewall solution that suits your business needs. Protect your valuable assets, preserve customer trust, and stay one step ahead of potential threats with a well-designed firewall architecture. Safeguard your network and fortify your business with Perimeter 81’s Firewall as a Service.

FAQs

What are 3 common firewall designs?

– Packet Filtering Firewalls: They inspect packets based on rules, operating at Layer 3 of the OSI model.
– Stateful Inspection Firewalls: These track network connections and analyze entire network packets.
– Next-Generation Firewalls (NGFW): NGFWs combine traditional firewall features with intrusion prevention, application awareness, and deep packet inspection.

What are the four basic types of firewall rules?

1. Allow: This rule permits specific traffic to pass through the firewall based on defined criteria, such as source/destination IP addresses, ports, and protocols.
2. Deny: This rule blocks specific traffic from passing through the firewall based on defined criteria. Denied traffic is typically dropped or rejected.
3. NAT (Network Address Translation): NAT rules modify network packets’ source or destination IP addresses.
4. Session Control: These rules define how the firewall handles and manages sessions.

What are the 4 common architectural implementations of firewalls?

1. Network-based Firewalls: Positioned at the network’s edge, they offer centralized security, filtering and monitoring all inbound and outbound traffic.
2. Host-based Firewalls: These are installed directly on devices like servers or workstations, providing tailored protection and control over device-specific traffic.
3. Virtual Firewalls: They ensure security within virtualized environments. Apart from protecting virtual machines, they control and isolate network traffic between VMs.
4. Cloud-based Firewalls: Positioned within cloud environments, they ensure robust security for cloud-based applications and infrastructure, balancing scalability and centralized control.

Source :
https://www.perimeter81.com/blog/network/firewall-design

Exploring Firewall Design Principles for Secure Networks

27.07.2023

Firewall design principles are the bedrock of network security, providing a robust defense mechanism against both internal and external threats. These principles help in developing a security policy that can enforce stringent rulesets and offer layered protection for your private network.

Firewall design principles are crucial for maintaining a secure network. There are different types of firewalls like packet filter firewalls, stateful inspection firewalls, and proxy firewalls along with their unique features.

If you want to be able to design your firewall the right way you need to master the different key components in firewall design such as policies, rulesets, and interfaces, and learn the advanced features like Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI) and be aware of best practices to implement these designs effectively. 

This comprehensive understanding of firewall design principles will empower you to make informed decisions about your organization’s network security infrastructure.

What are Firewall Design Principles?

The realm of network security is complex and vast, with firewalls serving as the critical line of defense against cyber threats. They’re like the bouncers of the internet, keeping the bad guys out and letting the good guys in.

The basic concept behind firewall design principles

A firewall’s primary role is to be the gatekeeper of your network, deciding who gets in and who stays out. It’s like having a very selective doorman at an exclusive venue, only allowing those with the right credentials to enter.

The fundamental principle behind firewall design is simple: filter, filter, filter. The firewall looks at things like IP addresses, domain names, and protocols to decide if a data packet is worthy of entering your network.

Why understanding firewall design principles is essential for network security

In today’s digital age, where cyber threats are increasingly common, having a solid firewall is a must. 

Understanding firewall design principles is like having a secret weapon in your security arsenal. It’s like knowing all the tricks of the trade, so you can configure your firewall to be a fortress against cyber attacks. 

Staying ahead of malicious actors is possible if you understand their strategies and configure your firewall in a way that best protects against cyber threats.

No single approach will suffice when it comes to firewalls; you need to tailor yours to suit your individual needs. Take the time to understand the core firewall design principles and make your firewall the ultimate defender of your network.

Five Principles of Firewall Design

Firewall design principles are critical to protect your private network and to maximize your network security. Here are five principles you can use when establishing your firewall and implementing security policies.

1. Develop a Solid Security Policy

Having a proper security policy is an essential part of designing your firewall. Without it in place, it’s a headache to allow users to navigate the company network and restrict intruders. This proper security policy will also help you know the proper protocol if there is a security breach.

A properly developed security policy can protect you. A solid security policy includes guidance on proper internet protocol, preventing users from using devices on public networks, and recognizing external threats.

Don’t overlook a properly developed security policy! Also, remember that simply having a security policy is only the first step. In addition to establishing security policies, you should have frequent training and refreshers for all employees. Have policies in place for reporting security threats and hold everyone in the organization accountable. 

2. Use a Simple Design

Keep it simple. If you have a complex design, you’ll need to find complex solutions anytime a problem arises. A simple design helps alleviate some of the pain you may feel when a problem comes up (and it inevitably will at some point). Also, complex designs are more prone to configuration errors that can open paths for external attacks.

3. Choose the Right Device

You need to have the right tools to do the job. If you use the wrong device, you have the wrong tools and are at a disadvantage from the start. Using the right part that fits your design will help you create the best firewall for your network.

4. Build a Layered Defense

Firewalls should have layers to properly protect your network. A multi-layered defense creates a complicated protection system that hackers can’t easily break through. Creating layers builds an effective defense and will keep your network safe.

5. Build Protection Against Internal Threats

Don’t just focus on attacks from external sources. A large percentage of data breaches are the result of internal threats and carelessness. Mistakes made by those internally can open your network to attacks from outside sources. Implementing proper security solutions for your internal network can help prevent this from happening.

Something as simple as accessing a web server can expose your network if you aren’t protected internally as well as you are externally.

As you design your firewall, remember these firewall design principles: have a properly developed security policy, keep it simple, use the right tools, build a layered defense, and protect yourself from internal threats.

Types of Firewalls

Different firewalls have varying characteristics and applications, so it’s essential to understand them in order to select the most suitable firewall for your network. Knowing these differences is crucial for picking the right firewall for your network’s needs.

Packet-Filtering Firewalls: Basic but Effective

A packet-filtering or packet-filter firewall does what it says—filters data packets based on predetermined rules. It checks packet headers to see what’s allowed in. 

Simple, but not enough against fancy cyber threats.

Circuit-level Gateways

A circuit-level gateway can be a stand-alone system or it can be a function performed as a gateway for certain applications. A circuit-level gateway does not allow for end-to-end connection but rather sets up two connections with an inner host and a user with an outer host. 

Stateful Inspection Firewalls

Stateful inspection firewalls go beyond packet headers. They keep track of active connections and use that info to validate packets. It remembers who and what is allowed – efficient and effective.

Application-level Gateways (a.k.a. Proxy Firewalls)

Proxy firewalls (also known as application-level gateways) act as intermediaries between internal networks and the Internet. They hide internal IP addresses and offer content filtering. 

The choice among these types depends on your network’s needs relating to size, complexity, and sensitivity. Remember, they often work together in layers; just make sure they’re properly configured and regularly updated. 

Next-Gen Firewalls

Next-gen firewalls are the next step in firewall security. These can protect against advanced malware and application-layer attacks. They typically include:

  • Firewall capabilities like stateful inspection.
  • Integrated intrusion prevention.
  • Application awareness and control to see risky apps.
  • Threat intelligence sources.
  • Upgrade paths to include future information feeds.
  • Techniques to continue evolving.

Now, we’ll explore constructing an efficient firewall.

Key Components in Firewall Design

When it comes to designing a firewall, there are certain key components that should be taken into account. Let’s break it down:

Importance of Policies

Security policies are like the rulebook for your firewall. They decide what traffic gets in and what gets blocked. You want to make sure only the right traffic makes it through.

A proper security policy will help you in both the short term and long term. Make sure to enforce security policies to keep yourself protected.

Rulesets – Defining What Gets Through

Rulesets are like the enforcers of the policies. They make sure the regulations are met. Visualize a vigilant sentry, patrolling your network for any untoward activity and taking swift action when needed. Rulesets often include elements like source address, source port, destination address, and destination port.

Interfaces – Connecting Networks Securely

Interfaces are the gateways between networks. They’re like the bridges that connect different parts of your network. Make sure these bridges are secure, so no unwanted guests can sneak in.

To recap, when it comes to firewall design, policies, rulesets, and interfaces are the key players. They work together to keep your network safe and sound.

Advanced Features in Modern Firewall Designs

In the ever-evolving world of cybersecurity, firewalls have leveled up to tackle sophisticated threats. 

Let’s dive into two cool advancements: Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI).

Intrusion Prevention Systems (IPS): Proactive Defense Mechanism

An Intrusion Prevention System (IPS) is like a superhero embedded in modern firewalls. It doesn’t just detect and block known threats; it goes the extra mile.

IPS keeps a watchful eye on network traffic, sniffing out any suspicious activity or weird anomalies. When it spots trouble, it swiftly shuts it down.

Deep Packet Inspection (DPI): Detailed Threat Analysis

Deep Packet Inspection (DPI) adds an extra layer of security by giving data packets a thorough check-up.

  • DPI looks at both the header info and the payload content of each packet.
  • It’s like a detective, figuring out the nature of incoming traffic.
  • If it finds anything fishy, like malware or protocol non-compliance, it sounds the alarm so you can take action.

These advanced features make modern firewalls tougher than traditional ones. But remember, no single solution can guarantee complete security. 

They’re advanced elements of your security squad, but they need backup from a solid information security policy management strategy.

Four Types of Access Control

There are four techniques that firewalls generally use to control access and security policy. 

  • User Control: Control access to a service according to which user is attempting to access the service.
  • Service Control: Determines what services can be accessed to keep your network secure.
  • Direction Control: Determines in which direction a service can be accessed, both inbound and outbound.
  • Behavior Control: Controls how services are accessed and used.

Advantages of Firewalls

There are several advantages of implementing a firewall to protect your network. Here are some of the biggest benefits you’ll see:

Block Infected Files

You come across threats when you browse the internet, or you might even have them delivered to your mailbox. Firewalls help block those files from breaking through your system.

Stop Unwanted Visitors

You don’t want anyone snooping through your system. This can lead to long-term security problems. Your firewall will detect unwanted visitors and keep them out.

Accessing public networks can put you at a higher risk of security breaches, but having a firewall can block access to your sensitive data.

Safeguards Your IP Address

This will protect your network as you browse the internet on a web server so you aren’t exposed to those who want to cause problems for your network. This can be set up with a virtual private network (or VPN) which acts as a network security device to keep your network secure.

Prevents Email Spamming

Security policies should help protect the employees on your network from malware or phishing attempts, but in case a mistake is made, a proper firewall can help prevent spam emails from getting through your system.

Stops Spyware

When using a web server, you can come across files that will install spyware on your system. A firewall will easily block access so you don’t have to worry about being exposed to outside threats.

Limitations of Firewalls

For as many advantages as you gain from having a firewall, there are still some limitations it will create on your server.

Internal Loose Ends

As a firewall can easily block access to external threats, it can struggle to prevent internal attacks. If you have an employee who accidentally cooperates with an attacker, you may still be exposed internally.

Infected Files

Because of the sheer number of files your network may come across, it’s impossible for every file to be reviewed by your network security device. 

Cost

It can be expensive to set up a firewall that protects your system, and the bigger your network gets, the more expensive it can become. That said, even a single large data breach could cost your company dearly, so having the proper protection in place is an investment worth making.

User Restriction

Sometimes firewalls can make it more difficult for users to access the systems they need to do their work. This can impact productivity when certain users need to access multiple applications.

System Performance

Implementing a firewall takes up a lot of bandwidth and using the RAM and power supply that may need to go to other devices can impact your system’s performance.

Firewall Delivery Methods

There are several different delivery methods for a firewall. Here are some of the most common delivery methods that are used:

  • Software firewalls: A software firewall is a type of software that runs on your computer. It is mainly used to protect your specific device.
  • Hardware firewalls: This is a device that is specifically used to implement a firewall. This can protect your entire network.
  • Cloud firewalls: These firewalls are hosted in the cloud and are also called firewall-as-a-service (FWaaS).

Boost Your Firewall Design with Perimeter 81

Understanding firewall design principles is crucial for network security. Different types of firewalls and their key components help create a strong defense against cyber threats. 

Packet filtering firewalls provide a basic yet effective approach, while stateful inspection firewalls consider the context of network traffic. Proxy firewalls bridge the gap between internal and external networks.

When implementing firewall designs, follow best practices like applying the least privilege principle and regularly updating configurations. Advanced features like intrusion prevention systems (IPS) and deep packet inspection (DPI) enhance your proactive defense mechanism. 

Incorporating these firewall design principles protects networks from unauthorized access and potential security breaches. Learn more about Perimeter 81’s Firewall as a Service.

FAQs

What are the four characteristics used by firewalls?

The four basic types of firewall rules include – allow all (permissive), block all (restrictive), specific permission-based access controls, and content filters

What are the 5 steps of firewall protection?

The five steps of firewall protection include – securing your firewall, building firewall zones & IP addresses, configuring access, configuring firewall services, testing the configuration.

What is the architecture of a firewall?

The four most commonly implemented architectures in firewall design principles include packet-filtering routers, application gateways, circuit-level gateways, and multilayer inspection firewalls. 

How do you design firewall architecture?

The principles of firewall design include clear policies, traffic control rulesets, secure network connections, and advanced features like Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI). 

How many layers do firewalls have?

It’s common to see 3-layer or 7-layer firewalls. A 3-layer firewall is used for a network while a 7-layer firewall is used for applications.

Source :
https://www.perimeter81.com/blog/network/firewall-design-principles

What is a Cloud Firewall?

27.07.2023

In the past when fires were fought, people used traditional means like fire extinguishers and water hoses.

Translating this to the virtual world of computing — a cloud firewall is akin to the digital ‘fire extinguisher’ and ‘hose.’ It is a tool designed to stopslow, or prevent unauthorized access to or from a private network.

It inspects incoming and outgoing traffic, based on predetermined security rules. They can be a standalone system or incorporated into other network components.

In technical words, it acts as a barrier between on-premises networks and external networks.

Cloud firewalls are often deployed in a ‘perimeter’ security model — where they act as the first line of defense against cyber threats. This includes protection against DDoS attacks, SQL injections, and cross-site scripting.

The Benefits of Using a Cloud Firewall

In this section, we’ll discuss the benefits of using a cloud firewall over traditional ones.

Scalability

Traditional firewalls can’t keep pace as your network grows — their hardware limitations bound them.

On the other hand, a cloud firewall can easily adapt and expand in line with your business needs. Because it’s cloud-based, scaling does not require any additional hardware investment or complex configurations.

Be it on-site installation, maintenance, or upgrading, cloud firewalls wipe out all those physical processes, saving you time and resources.

Availability

Unlike traditional firewalls that rely on singular hardware systems and can fail, cloud firewalls are designed for high availability. Their decentralization means that even if one part fails, the rest continue to operate, ensuring constant protection.

Being cloud-based, they can also balance the load during peak traffic times to prevent slowdowns or outages.

For instance — during an attack like DDoS when the traffic dramatically increases, a cloud firewall can distribute the traffic across multiple servers. This ensures that your systems remain accessible and functional.

Extensibility

Cloud-based firewalls are not just scalable and highly available — they are also highly extensible.

This means that you can easily integrate them with other security features or services — such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Secure Web Gateways (SWG) — to create a solid security system.

Release updates and patches can be applied automatically, ensuring that the security is always up-to-date.

Identity Protection

When it comes to identity protection, cloud firewalls reign supreme.

They can identify and control application access on a per-user basis. This means that if unauthorized access is attempted, it can be immediately identified and blocked, providing extra security to your sensitive information.

Along with that, they can also provide an audit trail so that attempted breaches can be traced back to their origins. This info is beneficial for investigating cyber crimes and strengthening your cybersecurity strategy in the long run.

Performance Management

Sometimes, it’s not just about blocking harmful traffic, but also about prioritizing useful traffic.

Cloud firewalls enable performance management by prioritizing network traffic and providing quality of service (QoS) capabilities.

This can be handy during peak usage times or when certain services require higher bandwidth.

For instance, a cloud firewall can prioritize the traffic for certain high-demand resources, ensuring uninterrupted access and excellent performance. As a result, end users experience less lag and appreciate better service.

Moreover, the firewall can be programmed to give a higher priority to certain types of workloads or specific applications, like Voice over Internet Protocol (VoIP) or video streaming services.

Secure Access Parity

Remote work is another area where cloud firewalls shine.

Cloud firewalls enable a consistent security policy across all locations and users, no matter where they’re accessing from. This ensures that remote workers are just as protected as on-site ones.

Also, you get comprehensive visibility and control over all network traffic, and thanks to their cloud nature — updates can be pushed globally.

Migration Security

Migration — in particular to the cloud — can be a risky process in terms of security. The necessity to move data from one place to another can expose it to potential threats. Cloud firewalls eliminate these concerns.

Due to their inherent design, they provide end-to-end security during data migration. The data is protected at the source, during transit, and at the destination. This ensures a secure and seamless cloud migration process.

It’s like having a secure convoy for your data as it travels.

Types of Cloud Firewalls

There are four major types of cloud firewalls which can be broadly categorized as — SaaS Firewalls/Firewall as a service (FWaaS), Next-generation Firewall (NGFW), Public Cloud Firewall, and Web Application Firewall (WAF).

SaaS Firewalls/Firewall as a Service (FWaaS)

SaaS Firewalls, or Firewall as a Service, operate directly in the cloud. Offering security as a service — they are a scalable, flexible, and cost-effective solution.

  • Flexibility: Being cloud-based, these firewalls can rapidly adapt to changes in network traffic and configuration.
  • Scalability: FWaaS can comfortably scale up or down based on the needs without harming performance.
  • Cost-effective: As a subscription-based service, FWaaS can be adjusted to fit any budget and eliminates the need for expensive hardware and software maintenance.
  • Integrated approach: FWaaS offers a comprehensive, integrated approach to security, so you have complete visibility and control over network traffic and user activity.
  • Ease of deployment: Require less administrative effort and minimize human error.

Next-Generation Firewall (NGFW)

Next-Generation Firewalls represent the evolution in firewall technology, designed to go beyond traditional firewall functions.

  • Deep packet inspection: NGFWs are capable of examining the payload of a packet, crucial for detecting advanced threats within seemingly legitimate traffic.
  • Application awareness: NGFWs offer application-level control, significantly enhancing the granularity of security policies.
  • Threat detection: Their advanced threat detection capabilities protect organizations from a broad range of attacks, including zero-day vulnerabilities.
  • Integrated IPS: They feature an integrated Intrusion Prevention System that can identify and block potential security breaches, adding a layer of protection.
  • User identification: Unlike traditional firewalls, NGFWs can identify users and devices, not just IP addresses. This helps in creating more targeted, effective security policies.

Public Cloud Firewall

Public cloud firewalls are built within public cloud infrastructures like AWS, Google Cloud, and Azure to provide a layer of security control.

  • Seamless integration: These firewalls integrate seamlessly with other cloud services, infrastructure, and applications.
  • Autoscaling: Being cloud-native, they can scale dynamically with the workload, managing a substantial increase in network traffic without compromising performance.
  • Cloud-specific rulesets: These firewalls enable cloud-specific packet filtering, applying rules to cloud-native as well as hybrid and multi-cloud environments.
  • Compatibility: Public Cloud Firewalls are compatible with the automatic deployment mechanisms of their respective cloud platforms. This compatibility reduces the overhead of manual configurations.
  • Resilience: With a distributed, highly available architecture, they provide resilience — ensuring that the firewall is operational even if individual components fail.

Web Application Firewall (WAF)

A Web Application Firewall specifically protects web applications by filtering, monitoring, and blocking HTTP traffic that could exploit vulnerabilities in these applications.

  • Web app protection: WAFs stop attacks targeting web applications, including SQL injection, cross-site scripting (XSS), and others.
  • Custom policies: Customizable Policies in WAFs allow for tailored protection suited to the individual needs of every web application.
  • Inspection: They offer a thorough inspection of HTTP/S traffic, ensuring no harmful requests reach the web applications.
  • Bot control: WAFs can discern harmful bots from legitimate traffic, granting access only to authorized users and services.
  • API security: Security for APIs against attacks such as DDoS, improving overall protection.

Using Cloud Firewall vs Other Network Security Approaches

How do cloud firewalls compare to other network security approaches? See how they compare to virtual firewall appliances, IP-based network security policies, and security groups.

Virtual Firewall Appliances

Despite brands like Cisco, Juniper, and Fortinet making a strong push for them, virtual firewall appliances don’t fit in a work environment that is heavily cloud-based.

  • Not scalable: Virtual appliances have limitations in scaling. When traffic increases, they struggle to keep pace, affecting performance.
  • Operational inefficiency: They require manual configurations and adjustments, which can lead to operational inefficiencies and potential mistakes.
  • Limited visibility: They usually provide limited visibility into network traffic and, in some cases, can’t even offer granular control at the application level.
  • Architectural complexity: These appliances often introduce architectural complexity, as they need to intercept and secure network traffic at different points.
  • High cost: Acquiring, maintaining, and upgrading a virtual firewall appliance can be expensive, especially when compared to subscription-based cloud firewalls.
  • Limited extensibility: Be it AWS transit gateways, Gateway Load Balancers, or VPC/VNet peering — virtual appliances usually struggle to integrate with these advanced cloud-native services.

IP-Based Network Security Policy

IP-based network security policies have traditionally been used in many organizations. However, they also have shortcomings when compared to cloud firewalls.

  • Dynamic IP difficulties: These policies are primarily based on static IP addresses, triggering issues when dealing with dynamic IPs — such as those used in today’s highly scalable, distributed infrastructures.
  • Granularity problems: IP-based policies offer less granular control over access to applications and data, compared to cloud firewalls.
  • Security loopholes: Because they rely heavily on IP addresses for identification, they can be vulnerable to IP spoofing, creating potential security loopholes.
  • Inefficient management: IP-based policies can be tedious to manage, especially when dealing with larger, more complex network infrastructures.
  • Limited scalability: Like virtual appliances, IP-based policies struggle when it comes to handling a significant increase in network traffic.
  • Dependency on IP reputation: These policies depend on the reputation of IP addresses, which can be unreliable and manipulated. Also, legitimate IP addresses can be compromised, creating a potential avenue for attacks.

Security Groups

Lastly, security groups, while being a crucial part of network security in a cloud-based environment, fall short compared to cloud firewalls on several fronts.

  • Scope limitation: Security groups usually have a limited scope — often only applicable within a single instance or VPC. This might not be adequate for enterprises with large-scale or diverse cloud deployments.
  • Manual administration: This can lead to potential errors and security risks, more so in large and complex environments.
  • Lack of visibility: Security groups don’t provide comprehensive visibility into network traffic or robust logging and audit capabilities — both of which are fundamental for troubleshooting and regulatory compliance.
  • Limited flexibility: Security groups lack the flexibility to adapt quickly to changes in network configuration or traffic patterns. This can hinder performance and affect user experience.
  • Dependencies: Security groups are dependent on the underlying cloud service. This means that they can be impacted by any disruptions or changes to that service. So, the level of independence and control tends to be on the lower end.

It’s evident, compared to the other network security approaches, cloud firewalls provide superior flexibility, scalability, visibility, and control.

How does a Cloud-Based Firewall Fit into a SASE Framework?

SASE is a concept introduced by Gartner that stands for Secure Access Service Edge. It combines network security and wide area networking (WAN) capabilities in a single cloud-based service.

Cloud-based firewalls fit wonderfully into this framework as they provide network security enforcement. Below’s how.

  • Unified security and networking: By integrating with other SASE components, cloud-based firewalls facilitate unified security and networking. They ensure that security controls and networking capabilities are not siloed but work together seamlessly.
  • Location-agnostic: Being cloud-based, these firewalls offer location-agnostic security. This is important in a SASE framework which is designed to support securely connected, geographically-dispersed endpoints.
  • Dynamic scaling: The dynamism of cloud-based firewalls aligns with the scalable nature of SASE. So, the security scales with network requirements.
  • Policy enforcement: They provide efficient enforcement of security policies across a distributed network, aiding in consistent security compliance.
  • Visibility and control: In a SASE framework, cloud-based firewalls offer enriched visibility and control over network traffic and user activity. This aids in improved threat detection and response times.
  • Data protection: They provide encryption and decryption, protecting sensitive data transmitted across the network. This capability is pivotal for data protection in a SASE architecture.
  • Fast deployment: Enjoy operational simplicity as they can be seamlessly deployed across multiple locations.
  • Easier management: Management becomes easier as there is a single point of control allowing for unified threat management.
  • Lower costs: Reduced capital expenditure as the need for on-premise hardware decreases significantly.
  • Highly available: These firewalls offer high availability and resilience, adhering to the SASE principle of continual access and service regardless of location. Thus, enhancing the overall security posture in an ever-increasing remote work landscape.

Secure your network with firewall-as-a-service today!

Organizations across the globe are transitioning to a cloud-first strategy. Perimeter 81 can assist you in this journey. Our Firewall-as-a-Service model provides security, scalability, and simplicity that is unmatched in the industry. Learn more here!

FAQs

What is the disadvantage of cloud firewall?

Reliance on the availability of the FaaS provider is a potential disadvantage of cloud firewalls.

Why do you need a cloud firewall?

Just like you need a security gate to prevent unauthorized entry into your house, a cloud firewall acts as a barrier to block malicious traffic from entering your network. It provides real-time protection and security monitoring — making it crucial in today’s world where cyber threats are rampant.

What is the main reason to operate a public cloud firewall?

Application visibility and control is the primary reason to operate a public cloud firewall. And unlike traditional firewalls, cloud firewalls allow for extensive network traffic logging and reporting, providing a thorough overview of your application’s security status.

What is cloud vs hardware firewall?

A cloud firewall, also known as a Firewall-as-a-Service (FaaS), is a firewall hosted in the cloud, providing scalability, cost efficiency, and real-time updates. Hardware firewalls, on the other hand, are physical devices installed in the infrastructure of a network. While cloud firewall is software-based, traditional ones can be both software and hardware-based.

Is a cloud-based firewall more secure?

Cloud-based firewall comes with the same level of security as a traditional or on-premises firewall but with advanced access policy, encryption, connection management, and filtering between servers.

What is the difference between a next-generation firewall and a cloud firewall?

While next-generation firewalls (NGFWs) offer advanced security capabilities such as intrusion prevention systems (IPS), deep packet inspection, and application awareness— they can be limiting when it comes to scalability and flexibility, especially in a dynamic, cloud-based environment. That’s where cloud firewalls excel.

Source :
https://www.perimeter81.com/blog/network/cloud-based-firewall

The five-day job: A BlackByte ransomware intrusion case study

July 6, 2023

As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.

Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:

  • Exploitation of unpatched internet-exposed Microsoft Exchange Servers
  • Web shell deployment facilitating remote access
  • Use of living-off-the-land tools for persistence and reconnaissance
  • Deployment of Cobalt Strike beacons for command and control (C2)
  • Process hollowing and the use of vulnerable drivers for defense evasion
  • Deployment of custom-developed backdoors to facilitate persistence
  • Deployment of a custom-developed data collection and exfiltration tool
BlackByte 2.0 ransomware attack chain by order of stages: initial access and privilege escalation, persistence and command and control, reconnaissance, credential access, lateral movement, data staging and exfiltration, and impact.
Figure 1. BlackByte 2.0 ransomware attack chain

In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the cybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.  

Forensic analysis

Initial access and privilege escalation

To obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:

  • Attain system-level privileges on the compromised Exchange host
  • Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users
  • Construct a valid authentication token and use it against the Exchange PowerShell backend
  • Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
  • Create web shells to obtain remote control on affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:

  • 185.225.73[.]244

Persistence

Backdoor

After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:

Registry keyValue nameValue data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\Users\user\Downloads\api-msvc.dll,Default  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\temp\api-msvc.dll,Default  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\systemtest\api-system.png,Default

The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:

  • hxxps://myvisit[.]alteksecurity[.]org/t

The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.

An additional file, api-system.png, was identified to have similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:

  • hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following C2 channel:

  • 109.206.243[.]59:443

AnyDesk

Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:

  • C:\systemtest\anydesk\AnyDesk.exe
  • C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  • C:\Scripts\AnyDesk.exe

Successful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.

Reconnaissance

We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:

  • netscan.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)
  • netapp.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)

Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.

Credential access

Evidence of likely usage of the credential theft tool Mimikatzwas also uncovered through the presence of a related log file mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.

Data staging and exfiltration

In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:

explorer.exe P@$$w0rd

After reverse engineering explorer.exe, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

  • C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions that are targeted for enumeration.

Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_
Figure 2. Binary analysis showing file extensions enumerated by explorer.exe

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:

  • hxxps://g.api.mega.co[.]nz
Figure 3. Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ

We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

ExByte execution flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:

  • If this check fails, ShellExecuteW is invoked with the IpOperation parameter RunAs, which runs explorer.exe with elevated privileges.

After this access check, explorer.exe attempts to read the data.txt file in the current location:

  • If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory:
C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q
  • If data.txt exists, explorer.exe reads the file, passes the buffer to Base64 decode function, and then decrypts the data using the key provided in the command line. The decrypted data is then parsed as JSON below and fed for login function:
{    “a”:”us0”,    “user”:”<CONTENT FROM data.txt>”}

Finally, it forms a URL for sign-in to the API of the service MEGA NZ:

  • hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data encryption and destruction

On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

  • wEFT.exe
  • schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.

Two modes of execution were identified:

  • When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
  • When the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch (-s or -a), execution may create the following files:

  • C:\SystemData\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
  • C:\SystemData\wEFT.exe (Additional BlackByte binary)
  • C:\SystemData\MsExchangeLog1.log (Log file)
  • C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver RtCore64.sys used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
  • C:\SystemData\iHu6c4.ico (Random name – BlackBytes icon)
  • C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
  • C:\SystemData\skip_bypass.txt (Unknown)

BlackByte 2.0 ransomware capabilities

Some capabilities identified for the BlackByte 2.0 ransomware were:

  • Antivirus bypass
    • The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read or write to arbitrary memory
    • The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed antivirus software
  • Process hollowing
    • Invokes svchost.exe, injects to it to complete device encryption, and self-deletes by executing the following command:
      • cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del “PATH_TO_BLACKBYTE” /F /Q
  • Modification / disabling of Windows Firewall
    • The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:
      • cmd /c netsh advfirewall set allprofiles state off
      • cmd /c netsh advfirewall firewall set rule group=”File and Printer Sharing” new enable=Yes
      • cmd /c netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes
  • Modification of volume shadow copies
    • The following commands are executed to destroy volume shadow copies on the machine:
      • cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB
      • cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED
  • Modification of registry keys/values
    • The following commands are executed to modify the registry, facilitating elevated execution on the device:
      • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
      • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      • cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
  • Additional functionality
    • Ability to terminate running services and processes
    • Ability to enumerate and mount volumes and network shares for encryption
    • Perform anti-forensics technique timestomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00)
    • Ability to perform anti-debugging techniques

Recommendations

To guard against BlackByte ransomware attacks, Microsoft recommends the following:

  • Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized; Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like Microsoft Defender Vulnerability Management
  • Implement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility into malicious activity in real time across your network
  • Ensure antivirus protections are updated regularly by turning on cloud-based protection and that your antivirus solution is configured to block threats
  • Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled
  • Block inbound traffic from IPs specified in the indicators of compromise section of this report
  • Block inbound traffic from TOR exit nodes
  • Block inbound access from unauthorized public VPN services
  • Restrict administrative privileges to prevent authorized system changes

Conclusion

BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities.  As outlined in the Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.

As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • Trojan:Win32/Kovter!MSR
  • Trojan:Win64/WinGoObfusc.LK!MT
  • Trojan:Win64/BlackByte!MSR
  • HackTool:Win32/AdFind!MSR
  • Trojan:Win64/CobaltStrike!MSR

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • ‘CVE-2021-31207’ exploit malware was detected
  • An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
  • Suspicious registry modification.
  • ‘Rtcore64’ hacktool was detected
  • Possible ongoing hands-on-keyboard activity (Cobalt Strike)
  • A file or network connection related to a ransomware-linked emerging threat activity group detected
  • Suspicious sequence of exploration activities
  • A process was injected with potentially malicious code
  • Suspicious behavior by cmd.exe was observed
  • ‘Blackbyte’ ransomware was detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
  • CVE-2019-16098

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

ProxyShell web shell creation events

DeviceProcessEvents| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")

Suspicious vssadmin events

DeviceProcessEvents| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB"," MaxSize=UNBOUNDED")

Detection for persistence creation using Registry Run keys

DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnce" and RegistryValueName == "MsEdgeMsE")      or (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnceEx" and RegistryValueName == "MsEdgeMsE")    or (RegistryKey has @"Microsoft\Windows\CurrentVersion\Run" and RegistryValueName == "MsEdgeMsE")| where RegistryValueData startswith @"rundll32"| where RegistryValueData endswith @".dll,Default"| project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

Indicators of compromise

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

IndicatorTypeDescription
4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3eSHA-256api-msvc.dll (Backdoor installed through RunKeys)
5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103SHA-256sys.exe (Cobalt Strike Beacon)
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fdSHA-256rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary)
ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098fSHA-256[RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary)
1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738eSHA-256“netscan.exe”, “netapp.exe (Netscan network discovery tool)
f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455eSHA-256AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/tURLC2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exeURLDownload URL for sys.exe
109.206.243[.]59IP AddressC2 for Cobalt Strike Beacon sys.exe
185.225.73[.]244IP AddressOriginating IP address for ProxyShell exploitation and web shell interaction

NOTE: These indicators should not be considered exhaustive for this observed activity.

Appendix

File extensions targeted by BlackByte binary for encryption:

.4dd.4dl.accdb.accdc.accde.accdr.accdt.accft
.adb.ade.adf.adp.arc.ora.alf.ask
.btr.bdf.cat.cdb.ckp.cma.cpd.dacpac
.dad.dadiagrams.daschema.db.db-shm.db-wal.db3.dbc
.dbf.dbs.dbt.dbv. dbx. dcb. dct. dcx
. ddl. dlis. dp1. dqy. dsk. dsn. dtsx. dxl
. eco. ecx. edb. epim. exb. fcd. fdb. fic
. fmp. fmp12. fmpsl. fol.fp3. fp4. fp5. fp7
. fpt. frm. gdb. grdb. gwi. hdb. his. ib
. idb. ihx. itdb. itw. jet. jtx. kdb. kexi
. kexic. kexis. lgc. lwx. maf. maq. mar. masmav
. mdb. mpd. mrg. mud. mwb. myd. ndf. nnt
. nrmlib. ns2. ns3. ns4. nsf. nv. nv2. nwdb
. nyf. odb. ogy. orx. owc. p96. p97. pan
. pdb. pdm. pnz. qry. qvd. rbf. rctd. rod
. rodx. rpd. rsd. sas7bdat. sbf. scx. sdb. sdc
. sdf. sis. spg. sql. sqlite. sqlite3. sqlitedb. te
. temx. tmd. tps. trc. trm. udb. udl. usr
. v12. vis. vpd. vvv. wdb. wmdb. wrk. xdb
. xld. xmlff. abcddb. abs. abx. accdw. and. db2
. fm5. hjt. icg. icr. kdb. lut. maw. mdn
. mdt       

Shared folders targeted for encryption (Example: \\[IP address]\Downloads):

UsersBackupVeeamhomeshome
mediacommonStorage ServerPublicWeb
ImagesDownloadsBackupDataActiveBackupForBusinessBackups
NAS-DCDCBACKUPDirectorFilesshare 

File extensions ignored:

.ini.url.msilog.log.ldf.lock.theme.msi
.sys.wpx.cpl.adv.msc.scr.key.ico
.dll.hta.deskthemepack.nomedia.msu.rtp.msp.idx
.ani.386.diagcfg.bin.mod.ics.com.hlp
 .spl.nls.cab.exe.diagpkg.icl.ocx.rom
.prf.thempack.msstyles.icns.mpa.drv.cur.diagcab
.cmd.shs      

Folders ignored:

windowsbootprogram files (x86)windows.oldprogramdata
intelbitdefendertrend microwindowsappsappdata
application datasystem volume informationperflogsmsocache 

Files ignored:

bootnxtntldrbootmgrthumbs.db
ntuser.datbootsect.bakautoexec.baticoncache.db
bootfont.bin   

Processes terminated:

teracopyteamviewernsservicensctrluranium
processhackerprocmonpestudioprocmon64x32dbg
x64dbgcff explorerprocexppslisttcpview
tcpvcondbgviewrammaprammap64vmmap
ollydbgautorunsautorunsscfilemonregmon
idaqidaq64immunitydebuggerwiresharkdumpcap
hookexplorerimportrecpetoolslordpesysinspector
proc_analyzersysanalyzersniff_hitwindbgjoeboxcontrol
joeboxserverresourcehackerfiddlerhttpdebuggerdumpit
rammaprammap64vmmapagntsvccntaosmgr
dbeng50dbsnmpencsvcinfopathisqlplussvc
mbamtraymsaccessmsftesqlmspubmydesktopqos
mydesktopservicemysqldmysqld-ntmysqld-optNtrtscan
ocautoupdsocommocssdonenoteoracle
outlookPccNTMonpowerpntsqbcoreservicesql
sqlagentsqlbrowsersqlservrsqlwritersteam
synctimetbirdconfigthebatthebat64thunderbird
tmlistenvisiowinwordwordpadxfssvccon
zoolz    

Services terminated:

CybereasonRansomFreevnetdbpcdSamSsTeraCopyService
msftesqlnsServiceklvssbridge64vapiendpointShMonitor
SmcinstSmcServiceSntpServicesvcGenericHostSwi_
TmCCSFtmlistenTrueKeyTrueKeySchedulerTrueKeyServiceHelper
WRSVCMcTaskManagerOracleClientCache80mfefirewbengine
mfemmsRESvcmfevtpsacsvrSAVAdminService
SepMasterServicePDVFSServiceESHASRVSDRSVCFA_Scheduler
KAVFSKAVFS_KAVFSGTkavfsslpklnagentmacmnsvc
masvcMBAMServiceMBEndpointAgentMcShieldaudioendpointbuilder
AntivirusAVPDCAgentbedbgEhttpSrv
MMSekrnEPSecurityServiceEPUpdateServicentrtscan
EsgShKernelmsexchangeadtopologyAcrSch2SvcMSOLAP$TPSAMAIntel(R) PROSet Monitoring
msexchangeimap4ARSMunistoresvc_1af40aReportServer$TPSMSOLAP$SYSTEM_BGC
W3SvcMSExchangeSRSReportServer$TPSAMAZoolz 2 ServiceMSOLAP$TPS
aphidmonitorserviceSstpSvcMSExchangeMTAReportServer$SYSTEM_BGCSymantec System Recovery
UI0DetectMSExchangeSAMSExchangeISReportServerMsDtsServer110
POP3SvcMSExchangeMGMTSMTPSvcMsDtsServerIisAdmin
MSExchangeESEraserSvc11710Enterprise Client ServiceMsDtsServer100NetMsmqActivator
stc_raw_agentVSNAPVSSPDVFSServiceAcrSch2SvcAcronis
CASAD2DWebSvcCAARCUpdateSvcMcAfeeavpsusDLPAgentService
mfewcBMR Boot ServiceDefWatchccEvtMgrccSetMgr
SavRoamRTVsc screenconnectransomsqltelemetrymsexch
vncteamviewermsolapveeambackup
sqlmemtasvsssophossvc$
mepocswuauserv   

Drivers that Blackbyte can bypass:

360avflt.sys360box.sys360fsflt.sys360qpesv.sys5nine.cbt.sys
a2acc.sysa2acc64.sysa2ertpx64.sysa2ertpx86.sysa2gffi64.sys
a2gffx64.sysa2gffx86.sysaaf.sysaalprotect.sysabrpmon.sys
accessvalidator.sysacdriver.sysacdrv.sysadaptivaclientcache32.sysadaptivaclientcache64.sys
adcvcsnt.sysadspiderdoc.sysaefilter.sysagentrtm64.sysagfsmon.sys
agseclock.sysagsyslock.sysahkamflt.sysahksvpro.sysahkusbfw.sys
ahnrghlh.sysaictracedrv_am.sysairship-filter.sysajfsprot.sysalcapture.sys
alfaff.sysaltcbt.sysamfd.sysamfsm.sysamm6460.sys
amm8660.sysamsfilter.sysamznmon.sysantileakfilter.sysantispyfilter.sys
anvfsm.sysapexsqlfilterdriver.sysappcheckd.sysappguard.sysappvmon.sys
arfmonnt.sysarta.sysarwflt.sysasgard.sysashavscan.sys
asiofms.sysaswfsblk.sysaswmonflt.sysaswsnx.sysaswsp.sys
aszfltnt.sysatamptnt.sysatc.sysatdragent.sysatdragent64.sys
aternityregistryhook.sysatflt.sysatrsdfw.sysauditflt.sysaupdrv.sys
avapsfd.sysavc3.sysavckf.sysavfsmn.sysavgmfi64.sys
avgmfrs.sysavgmfx64.sysavgmfx86.sysavgntflt.sysavgtpx64.sys
avgtpx86.sysavipbb.sysavkmgr.sysavmf.sysawarecore.sys
axfltdrv.sysaxfsysmon.sysayfilter.sysb9kernel.sysbackupreader.sys
bamfltr.sysbapfecpt.sysbbfilter.sysbd0003.sysbddevflt.sys
bdfiledefend.sysbdfilespy.sysbdfm.sysbdfsfltr.sysbdprivmon.sys
bdrdfolder.sysbdsdkit.sysbdsfilter.sysbdsflt.sysbdsvm.sys
bdsysmon.sysbedaisy.sysbemk.sysbfaccess.sysbfilter.sys
bfmon.sysbhdrvx64.sysbhdrvx86.sysbhkavka.sysbhkavki.sys
bkavautoflt.sysbkavsdflt.sysblackbirdfsa.sysblackcat.sysbmfsdrv.sys
bmregdrv.sysboscmflt.sysbosfsfltr.sysbouncer.sysboxifier.sys
brcow_x_x_x_x.sysbrfilter.sysbrnfilelock.sysbrnseclock.sysbrowsermon.sys
bsrfsflt.sysbssaudit.sysbsyaed.sysbsyar.sysbsydf.sys
bsyirmf.sysbsyrtm.sysbsysp.sysbsywl.sysbwfsdrv.sys
bzsenspdrv.sysbzsenth.sysbzsenyaradrv.syscaadflt.syscaavfltr.sys
cancelsafe.syscarbonblackk.syscatflt.syscatmf.syscbelam.sys
cbfilter20.syscbfltfs4.syscbfsfilter2017.syscbfsfilter2020.syscbsampledrv.sys
cdo.syscdrrsflt.syscdsgfsfilter.syscentrifyfsf.syscfrmd.sys
cfsfdrvcgwmf.syschange.syschangelog.syschemometecfilter.sys
ciscoampcefwdriver.sysciscoampheurdriver.sysciscosam.sysclumiochangeblockmf.syscmdccav.sys
cmdcwagt.syscmdguard.syscmdmnefs.syscmflt.syscode42filter.sys
codex.sysconduantfsfltr.syscontainermonitor.syscpavfilter.syscpavkernel.sys
cpepmon.syscrexecprev.syscrncache32.syscrncache64.syscrnsysm.sys
cruncopy.syscsaam.syscsaav.syscsacentr.syscsaenh.sys
csagent.syscsareg.syscsascr.syscsbfilter.syscsdevicecontrol.sys
csfirmwareanalysis.syscsflt.syscsmon.syscssdlp.sysctamflt.sys
ctifile.sysctinet.sysctrpamon.sysctx.syscvcbt.sys
cvofflineflt32.syscvofflineflt64.syscvsflt.syscwdriver.syscwmem2k64.sys
cybkerneltracker.syscylancedrv64.syscyoptics.syscyprotectdrv32.syscyprotectdrv64.sys
cytmon.syscyverak.syscyvrfsfd.syscyvrlpc.syscyvrmtgn.sys
datanow_driver.sysdattofsf.sysda_ctl.sysdcfafilter.sysdcfsgrd.sys
dcsnaprestore.sysdeepinsfs.sysdelete_flt.sysdevmonminifilter.sysdfmfilter.sys
dgedriver.sysdgfilter.sysdgsafe.sysdhwatchdog.sysdiflt.sys
diskactmon.sysdkdrv.sysdkrtwrt.sysdktlfsmf.sysdnafsmonitor.sys
docvmonk.sysdocvmonk64.sysdpmfilter.sysdrbdlock.sysdrivesentryfilterdriver2lite.sys
drsfile.sysdrvhookcsmf.sysdrvhookcsmf_amd64.sysdrwebfwflt.sysdrwebfwft.sys
dsark.sysdsdriver.sysdsfemon.sysdsflt.sysdsfltfs.sys
dskmn.sysdtdsel.sysdtpl.sysdwprot.sysdwshield.sys
dwshield64.syseamonm.syseaseflt.syseasyanticheat.syseaw.sys
ecatdriver.sysedevmon.sysednemfsfilter.sysedrdrv.sysedrsensor.sys
edsigk.syseectrl.syseetd32.syseetd64.syseeyehv.sys
eeyehv64.sysegambit.sysegfilterk.sysegminflt.sysegnfsflt.sys
ehdrv.syselock2fsctldriver.sysemxdrv2.sysenigmafilemondriver.sysenmon.sys
epdrv.sysepfw.sysepfwwfp.sysepicfilter.sysepklib.sys
epp64.sysepregflt.syseps.sysepsmn.sysequ8_helper.sys
eraser.sysesensor.sysesprobe.sysestprmon.sysestprp.sys
estregmon.sysestregp.sysestrkmon.sysestrkr.syseventmon.sys
evmf.sysevscase.sysexcfs.sysexprevdriver.sysfailattach.sys
failmount.sysfam.sysfangcloud_autolock_driver.sysfapmonitor.sysfarflt.sys
farwflt.sysfasdriverfcnotify.sysfcontrol.sysfdrtrace.sys
fekern.sysfencry.sysffcfilt.sysffdriver.sysfildds.sys
filefilter.sysfileflt.sysfileguard.sysfilehubagent.sysfilemon.sys
filemonitor.sysfilenamevalidator.sysfilescan.sysfilesharemon.sysfilesightmf.sys
filesystemcbt.sysfiletrace.sysfile_monitor.sysfile_protector.sysfile_tracker.sys
filrdriver.sysfim.sysfiometer.sysfiopolicyfilter.sysfjgsdis2.sys
fjseparettifilterredirect.sysflashaccelfs.sysflightrecorder.sysfltrs329.sysflyfs.sys
fmdrive.sysfmkkc.sysfmm.sysfortiaptfilter.sysfortimon2.sys
fortirmon.sysfortishield.sysfpav_rtp.sysfpepflt.sysfsafilter.sys
fsatp.sysfsfilter.sysfsgk.sysfshs.sysfsmon.sys
fsmonitor.sysfsnk.sysfsrfilter.sysfstrace.sysfsulgk.sys
fsw31rj1.sysgagsecurity.sysgbpkm.sysgcffilter.sysgddcv.sys
gefcmp.sysgemma.sysgeprotection.sysggc.sysgibepcore.sys
gkff.sysgkff64.sysgkpfcb.sysgkpfcb64.sysgofsmf.sys
gpminifilter.sysgroundling32.sysgroundling64.sysgtkdrv.sysgumhfilter.sys
gzflt.syshafsnk.syshbflt.syshbfsfltr.syshcp_kernel_acq.sys
hdcorrelatefdrv.syshdfilemon.syshdransomoffdrv.syshdrfs.sysheimdall.sys
hexisfsmonitor.syshfileflt.syshiofs.syshmpalert.syshookcentre.sys
hooksys.syshpreg.syshsmltmon.syshsmltwhl.syshssfwhl.sys
hvlminifilter.sysibr2fsk.sysiccfileioad.sysiccfilteraudit.sysiccfiltersc.sys
icfclientflt.sysicrlmonitor.sysiderafilterdriver.sysielcp.sysieslp.sys
ifs64.sysignis.sysiguard.sysiiscache.sysikfilesec.sys
im.sysimffilter.sysimfilter.sysimgguard.sysimmflex.sys
immunetprotect.sysimmunetselfprotect.sysinisbdrv64.sysino_fltr.sysintelcas.sys
intmfs.sysinuse.sysinvprotectdrv.sysinvprotectdrv64.sysionmonwdrv.sys
iothorfs.sysipcomfltr.sysipfilter.sysiprotect.sysiridiumswitch.sys
irongatefd.sysisafekrnl.sysisafekrnlmon.sysisafermonisecureflt.sys
isedrv.sysisfpdrv.sysisirmfmon.sysisregflt.sysisregflt64.sys
issfltr.sysissregistry.sysit2drv.sysit2reg.sysivappmon.sys
iwdmfs.sysiwhlp.sysiwhlp2.sysiwhlpxp.sysjdppsf.sys
jdppwf.sysjkppob.sysjkppok.sysjkpppf.sysjkppxk.sys
k7sentry.syskavnsi.syskawachfsminifilter.syskc3.syskconv.sys
kernelagent32.syskewf.syskfac.syskfileflt.syskisknl.sys
klam.sysklbg.sysklboot.syskldback.syskldlinf.sys
kldtool.sysklfdefsf.sysklflt.sysklgse.sysklhk.sys
klif.sysklifaa.sysklifks.sysklifsm.sysklrsps.sys
klsnsr.sysklupd_klif_arkmon.syskmkuflt.syskmnwch.syskmxagent.sys
kmxfile.syskmxsbx.sysksfsflt.sysktfsfilter.sysktsyncfsflt.sys
kubwksp.syslafs.syslbd.syslbprotect.syslcgadmon.sys
lcgfile.syslcgfilemon.syslcmadmon.syslcmfile.syslcmfilemon.sys
lcmprintmon.sysldsecdrv.syslibwamf.syslivedrivefilter.sysllfilter.sys
lmdriver.syslnvscenter.syslocksmith.syslragentmf.syslrtp.sys
magicbackupmonitor.sysmagicprotect.sysmajoradvapi.sysmarspy.sysmaxcryptmon.sys
maxproc64.sysmaxprotector.sysmbae64.sysmbam.sysmbamchameleon.sys
mbamshuriken.sysmbamswissarmy.sysmbamwatchdog.sysmblmon.sysmcfilemon32.sys
mcfilemon64.sysmcstrg.sysmearwfltdriver.sysmessage.sysmfdriver.sys
mfeaack.sysmfeaskm.sysmfeavfk.sysmfeclnrk.sysmfeelamk.sys
mfefirek.sysmfehidk.sysmfencbdc.sysmfencfilter.sysmfencoas.sys
mfencrk.sysmfeplk.sysmfewfpk.sysminiicpt.sysminispy.sys
minitrc.sysmlsaff.sysmmpsy32.sysmmpsy64.sysmonsterk.sys
mozycorpfilter.sysmozyenterprisefilter.sysmozyentfilter.sysmozyhomefilter.sysmozynextfilter.sys
mozyoemfilter.sysmozyprofilter.sysmpfilter.sysmpkernel.sysmpksldrv.sys
mpxmon.sysmracdrv.sysmrxgoogle.sysmscan-rt.sysmsiodrv4.sys
msixpackagingtoolmonitor.sysmsnfsflt.sysmspy.sysmssecflt.sysmtsvcdf.sys
mumdi.sysmwac.sysmwatcher.sysmwfsmfltr.sysmydlpmf.sys
namechanger.sysnanoavmf.sysnaswsp.sysndgdmk.sysneokerbyfilter
netaccctrl.sysnetaccctrl64.sysnetguard.sysnetpeeker.sysngscan.sys
nlcbhelpi64.sysnlcbhelpx64.sysnlcbhelpx86.sysnlxff.sysnmlhssrv01.sys
nmpfilter.sysnntinfo.sysnovashield.sysnowonmf.sysnpetw.sys
nprosec.sysnpxgd.sysnpxgd64.sysnravwka.sysnrcomgrdka.sys
nrcomgrdki.sysnregsec.sysnrpmonka.sysnrpmonki.sysnsminflt.sys
nsminflt64.sysntest.sysntfsf.sysntguard.sysntps_fa.sys
nullfilter.sysnvcmflt.sysnvmon.sysnwedriver.sysnxfsmon.sys
nxrmflt.sysoadevice.sysoavfm.sysoczminifilter.sysodfsfilter.sys
odfsfimfilter.sysodfstokenfilter.sysoffsm.sysomfltlh.sysosiris.sys
ospfile_mini.sysospmon.sysparity.syspassthrough.syspath8flt.sys
pavdrv.syspcpifd.syspctcore.syspctcore64.syspdgenfam.sys
pecfilter.sysperfectworldanticheatsys.syspervac.syspfkrnl.syspfracdrv.sys
pgpfs.syspgpwdefs.sysphantomd.sysphdcbtdrv.syspkgfilter.sys
pkticpt.sysplgfltr.sysplpoffdrv.syspointguardvista64f.syspointguardvistaf.sys
pointguardvistar32.syspointguardvistar64.sysprocmon11.sysproggerdriver.syspsacfileaccessfilter.sys
pscff.syspsgdflt.syspsgfoctrl.syspsinfile.syspsinproc.sys
psisolator.syspwipf6.syspwprotect.syspzdrvxp.sysqdocumentref.sys
qfapflt.sysqfilter.sysqfimdvr.sysqfmon.sysqminspec.sys
qmon.sysqqprotect.sysqqprotectx64.sysqqsysmon.sysqqsysmonx64.sys
qutmdrv.sysranpodfs.sysransomdefensexxx.sysransomdetect.sysreaqtor.sys
redlight.sysregguard.sysreghook.sysregmonex.sysrepdrv.sys
repmon.sysrevefltmgr.sysreveprocprotection.sysrevonetdriver.sysrflog.sys
rgnt.sysrmdiskmon.sysrmphvmonitor.sysrpwatcher.sysrrmon32.sys
rrmon64.sysrsfdrv.sysrsflt.sysrspcrtw.sysrsrtw.sys
rswctrl.sysrswmon.sysrtologon.sysrtw.sysruaff.sys
rubrikfileaudit.sysruidiskfs.sysruieye.sysruifileaccess.sysruimachine.sys
ruiminispy.sysrvsavd.sysrvsmon.sysrw7fsflt.sysrwchangedrv.sys
ryfilter.sysryguard.syssafe-agent.syssafsfilter.syssagntflt.sys
sahara.syssakfile.syssakmfile.syssamflt.syssamsungrapidfsfltr.sys
sanddriver.syssanta.syssascan.syssavant.syssavonaccess.sys
scaegis.sysscauthfsflt.sysscauthiodrv.sysscensemon.sysscfltr.sys
scifsflt.syssciptflt.syssconnect.sysscred.syssdactmon.sys
sddrvldr.syssdvfilter.sysse46filter.syssecdodriver.syssecone_filemon10.sys
secone_proc10.syssecone_reg10.syssecone_usb.syssecrmm.syssecufile.sys
secure_os.syssecure_os_mf.syssecurofsd_x64.syssefo.syssegf.sys
segiraflt.syssegmd.syssegmp.syssentinelmonitor.sysserdr.sys
serfs.syssfac.syssfavflt.syssfdfilter.syssfpmonitor.sys
sgresflt.sysshdlpmedia.sysshdlpsf.syssheedantivirusfilterdriver.syssheedselfprotection.sys
shldflt.syssi32_file.syssi64_file.syssieflt.syssimrep.sys
sisipsfilefiltersk.sysskyamdrv.sysskyrgdrv.sysskywpdrv.sys
slb_guard.syssld.syssmbresilfilter.syssmdrvnt.syssndacs.sys
snexequota.syssnilog.syssnimg.syssnscore.syssnsrflt.sys
sodatpfl.syssoftfilterxxx.syssoidriver.syssolitkm.syssonar.sys
sophosdt2.syssophosed.syssophosntplwf.syssophossupport.sysspbbcdrv.sys
spellmon.sysspider3g.sysspiderg3.sysspiminifilter.sysspotlight.sys
sprtdrv.syssqlsafefilterdriver.syssrminifilterdrv.syssrtsp.syssrtsp64.sys
srtspit.sysssfmonm.sysssrfsf.sysssvhook.sysstcvsm.sys
stegoprotect.sysstest.sysstflt.sysstkrnl64.sysstoragedrv.sys
strapvista.sysstrapvista64.syssvcbt.sysswcommfltr.sysswfsfltr.sys
swfsfltrv2.sysswin.syssymafr.syssymefa.syssymefa64.sys
symefasi.syssymevent.syssymevent64x86.syssymevnt.syssymevnt32.sys
symhsm.syssymrg.syssysdiag.syssysmon.syssysmondrv.sys
sysplant.sysszardrv.sysszdfmdrv.sysszdfmdrv_usb.sysszedrdrv.sys
szpcmdrv.systaniumrecorderdrv.systaobserveflt.systbfsfilt.systbmninifilter.sys
tbrdrv.systdevflt.systedrdrv.systenrsafe2.systesmon.sys
tesxnginx.systesxporter.systffregnt.systfsflt.systgfsmf.sys
thetta.systhfilter.systhreatstackfim.systkdac2k.systkdacxp.sys
tkdacxp64.systkfsavxp.systkfsavxp64.systkfsft.systkfsft64.sys
tkpcftcb.systkpcftcb64.systkpl2k.systkpl2k64.systksp2k.sys
tkspxp.systkspxp64.systmactmon.systmcomm.systmesflt.sys
tmevtmgr.systmeyes.systmfsdrv2.systmkmsnsr.systmnciesc.sys
tmpreflt.systmumh.systmums.systmusa.systmxpflt.sys
topdogfsfilt.systrace.systrfsfilter.systritiumfltr.systrpmnflt.sys
trufos.systrustededgeffd.systsifilemon.systss.syststfilter.sys
tstfsredir.syststregredir.systsyscare.systvdriver.systvfiltr.sys
tvmfltr.systvptfile.systvspfltr.systwbdcfilter.systxfilefilter.sys
txregmon.sysuamflt.sysucafltdriver.sysufdfilter.sysuncheater.sys
upguardrealtime.sysusbl_ifsfltr.sysusbpdh.sysusbtest.sysuvmcifsf.sys
uwfreg.sysuwfs.sysv3flt2k.sysv3flu2k.sysv3ift2k.sys
v3iftmnt.sysv3mifint.sysvarpffmon.sysvast.sysvcdriv.sys
vchle.sysvcmfilter.sysvcreg.sysveeamfct.sysvfdrv.sys
vfilefilter.sysvfpd.sysvfsenc.sysvhddelta.sysvhdtrack.sys
vidderfs.sysvintmfs.sysvirtfile.sysvirtualagent.sysvk_fsf.sys
vlflt.sysvmwvvpfsd.sysvollock.sysvpdrvnt.sysvradfil2.sys
vraptdef.sysvraptflt.sysvrarnflt.sysvrbbdflt.sysvrexpdrv.sys
vrfsftm.sysvrfsftmx.sysvrnsfilter.sysvrsdam.sysvrsdcore.sys
vrsdetri.sysvrsdetrix.sysvrsdfmx.sysvrvbrfsfilter.sysvsepflt.sys
vsscanner.sysvtsysflt.sysvxfsrep.syswats_se.syswbfilter.sys
wcsdriver.syswdcfilter.syswdfilter.syswdocsafe.syswfp_mrt.sys
wgfile.syswhiteshield.syswindbdrv.syswindd.syswinfladrv.sys
winflahdrv.syswinfldrv.syswinfpdrv.syswinload.syswinteonminifilter.sys
wiper.syswlminisecmod.syswntgpdrv.syswraekernel.syswrcore.sys
wrcore.x64.syswrdwizfileprot.syswrdwizregprot.syswrdwizscanner.syswrdwizsecure64.sys
wrkrn.syswrpfv.syswsafefilter.syswscm.sysxcpl.sys
xendowflt.sysxfsgk.sysxhunter1.sysxhunter64.sysxiaobaifs.sys
xiaobaifsr.sysxkfsfd.sysxoiv8x64.sysxomfcbt8x64.sysyahoostorage.sys
yfsd.sysyfsd2.sysyfsdr.sysyfsrd.syszampit_ml.sys
zesfsmf.syszqfilter.syszsfprt.syszwasatom.syszwpxesvr.sys
zxfsfilt.syszyfm.syszzpensys.sys  

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

Source :
https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/

8 Essential Tips for Data Protection and Cybersecurity in Small Businesses

Michelle Quill — June 6, 2023

Small businesses are often targeted by cybercriminals due to their lack of resources and security measures. Protecting your business from cyber threats is crucial to avoid data breaches and financial losses.

Why is cyber security so important for small businesses?

Small businesses are particularly in danger of cyberattacks, which can result in financial loss, data breaches, and damage to IT equipment. To protect your business, it’s important to implement strong cybersecurity measures.

Here are some tips to help you get started:

One important aspect of data protection and cybersecurity for small businesses is controlling access to customer lists. It’s important to limit access to this sensitive information to only those employees who need it to perform their job duties. Additionally, implementing strong password policies and regularly updating software and security measures can help prevent unauthorized access and protect against cyber attacks. Regular employee training on cybersecurity best practices can also help ensure that everyone in the organization is aware of potential threats and knows how to respond in the event of a breach.

When it comes to protecting customer credit card information in small businesses, there are a few key tips to keep in mind. First and foremost, it’s important to use secure payment processing systems that encrypt sensitive data. Additionally, it’s crucial to regularly update software and security measures to stay ahead of potential threats. Employee training and education on cybersecurity best practices can also go a long way in preventing data breaches. Finally, having a plan in place for responding to a breach can help minimize the damage and protect both your business and your customers.

Small businesses are often exposed to cyber attacks, making data protection and cybersecurity crucial. One area of particular concern is your company’s banking details. To protect this sensitive information, consider implementing strong passwords, two-factor authentication, and regular monitoring of your accounts. Additionally, educate your employees on safe online practices and limit access to financial information to only those who need it. Regularly backing up your data and investing in cybersecurity software can also help prevent data breaches.

Small businesses are often at high risk of cyber attacks due to their limited resources and lack of expertise in cybersecurity. To protect sensitive data, it is important to implement strong passwords, regularly update software and antivirus programs, and limit access to confidential information.

It is also important to have a plan in place in case of a security breach, including steps to contain the breach and notify affected parties. By taking these steps, small businesses can better protect themselves from cyber threats and ensure the safety of their data.

Tips for protecting your small business from cyber threats and data breaches are crucial in today’s digital age. One of the most important steps is to educate your employees on cybersecurity best practices, such as using strong passwords and avoiding suspicious emails or links.

It’s also important to regularly update your software and systems to ensure they are secure and protected against the latest threats. Additionally, implementing multi-factor authentication and encrypting sensitive data can add an extra layer of protection. Finally, having a plan in place for responding to a cyber-attack or data breach can help minimize the damage and get your business back on track as quickly as possible.

Small businesses are attackable to cyber-attacks and data breaches, which can have devastating consequences. To protect your business, it’s important to implement strong cybersecurity measures. This includes using strong passwords, regularly updating software and systems, and training employees on how to identify and avoid phishing scams.

It’s also important to have a data backup plan in place and to regularly test your security measures to ensure they are effective. By taking these steps, you can help protect your business from cyber threats and safeguard your valuable data.

To protect against cyber threats, it’s important to implement strong data protection and cybersecurity measures. This can include regularly updating software and passwords, using firewalls and antivirus software, and providing employee training on safe online practices. Additionally, it’s important to have a plan in place for responding to a cyber attack, including backing up data and having a designated point person for handling the situation.

In today’s digital age, small businesses must prioritize data protection and cybersecurity to safeguard their operations and reputation. With the rise of remote work and cloud-based technology, businesses are more vulnerable to cyber attacks than ever before. To mitigate these risks, it’s crucial to implement strong security measures for online meetings, advertising, transactions, and communication with customers and suppliers. By prioritizing cybersecurity, small businesses can protect their data and prevent unauthorized access or breaches.

Here are 8 essential tips for data protection and cybersecurity in small businesses.

8 Essential Tips for Data Protection and Cybersecurity in Small Businesses

1. Train Your Employees on Cybersecurity Best Practices

Your employees are the first line of defense against cyber threats. It’s important to train them on cybersecurity best practices to ensure they understand the risks and how to prevent them. This includes creating strong passwords, avoiding suspicious emails and links, and regularly updating software and security systems. Consider providing regular training sessions and resources to keep your employees informed and prepared.

2. Use Strong Passwords and Two-Factor Authentication

One of the most basic yet effective ways to protect your business from cyber threats is to use strong passwords and two-factor authentication. Encourage your employees to use complex passwords that include a mix of letters, numbers, and symbols, and to avoid using the same password for multiple accounts. Two-factor authentication adds an extra layer of security by requiring a second form of verification, such as a code sent to a mobile device, before granting access to an account. This can help prevent unauthorized access even if a password is compromised.

3. Keep Your Software and Systems Up to Date

One of the easiest ways for cybercriminals to gain access to your business’s data is through outdated software and systems. Hackers are constantly looking for vulnerabilities in software and operating systems, and if they find one, they can exploit it to gain access to your data. To prevent this, make sure all software and systems are kept up-to-date with the latest security patches and updates. This includes not only your computers and servers but also any mobile devices and other connected devices used in your business. Set up automatic updates whenever possible to ensure that you don’t miss any critical security updates.

4. Use Antivirus and Anti-Malware Software

Antivirus and anti-malware software are essential tools for protecting your small business from cyber threats. These programs can detect and remove malicious software, such as viruses, spyware, and ransomware before they can cause damage to your systems or steal your data. Make sure to install reputable antivirus and anti-malware software on all devices used in your business, including computers, servers, and mobile devices. Keep the software up-to-date and run regular scans to ensure that your systems are free from malware.

5. Backup Your Data Regularly

One of the most important steps you can take to protect your small business from data loss is to back up your data regularly. This means creating copies of your important files and storing them in a secure location, such as an external hard drive or cloud storage service. In the event of a cyber-attack or other disaster, having a backup of your data can help you quickly recover and minimize the impact on your business. Make sure to test your backups regularly to ensure that they are working properly and that you can restore your data if needed.

6. Carry out a risk assessment

Small businesses are especially in peril of cyber attacks, making it crucial to prioritize data protection and cybersecurity. One important step is to assess potential risks that could compromise your company’s networks, systems, and information. By identifying and analyzing possible threats, you can develop a plan to address security gaps and protect your business from harm.

For Small businesses making data protection and cybersecurity is a crucial part. To start, conduct a thorough risk assessment to identify where and how your data is stored, who has access to it, and potential threats. If you use cloud storage, consult with your provider to assess risks. Determine the potential impact of breaches and establish risk levels for different events. By taking these steps, you can better protect your business from cyber threats

7. Limit access to sensitive data

One effective strategy is to limit access to critical data to only those who need it. This reduces the risk of a data breach and makes it harder for malicious insiders to gain unauthorized access. To ensure accountability and clarity, create a plan that outlines who has access to what information and what their roles and responsibilities are. By taking these steps, you can help safeguard your business against cyber threats.

8. Use a firewall

For Small businesses, it’s important to protect the system from cyber attacks by making data protection and reducing cybersecurity risk. One effective measure is implementing a firewall, which not only protects hardware but also software. By blocking or deterring viruses from entering the network, a firewall provides an added layer of security. It’s important to note that a firewall differs from an antivirus, which targets software affected by a virus that has already infiltrated the system.

Small businesses can take steps to protect their data and ensure cybersecurity. One important step is to install a firewall and keep it updated with the latest software or firmware. Regularly checking for updates can help prevent potential security breaches.

Conclusion

Small businesses are particularly vulnerable to cyber attacks, so it’s important to take steps to protect your data. One key tip is to be cautious when granting access to your systems, especially to partners or suppliers. Before granting access, make sure they have similar cybersecurity practices in place. Don’t hesitate to ask for proof or to conduct a security audit to ensure your data is safe.

Source :
https://onlinecomputertips.com/support-categories/networking/tips-for-cybersecurity-in-small-businesses/

Introducing the Cloudflare Radar Internet Quality Page

23/06/2023

Internet connections are most often marketed and sold on the basis of “speed”, with providers touting the number of megabits or gigabits per second that their various service tiers are supposed to provide. This marketing has largely been successful, as most subscribers believe that “more is better”. Furthermore, many national broadband plans in countries around the world include specific target connection speeds. However, even with a high speed connection, gamers may encounter sluggish performance, while video conference participants may experience frozen video or audio dropouts. Speeds alone don’t tell the whole story when it comes to Internet connection quality.

Additional factors like latency, jitter, and packet loss can significantly impact end user experience, potentially leading to situations where higher speed connections actually deliver a worse user experience than lower speed connections. Connection performance and quality can also vary based on usage – measured average speed will differ from peak available capacity, and latency varies under loaded and idle conditions.

The new Cloudflare Radar Internet Quality page

A little more than three years ago, as residential Internet connections were strained because of the shift towards working and learning from home due to the COVID-19 pandemic, Cloudflare announced the speed.cloudflare.com speed test tool, which enabled users to test the performance and quality of their Internet connection. Within the tool, users can download the results of their individual test as a CSV, or share the results on social media. However, there was no aggregated insight into Cloudflare speed test results at a network or country level to provide a perspective on connectivity characteristics across a larger population.

Today, we are launching these long-missing aggregated connection performance and quality insights on Cloudflare Radar. The new Internet Quality page provides both country and network (autonomous system) level insight into Internet connection performance (bandwidth) and quality (latencyjitter) over time. (Your Internet service provider is likely an autonomous system with its own autonomous system number (ASN), and many large companies, online platforms, and educational institutions also have their own autonomous systems and associated ASNs.) The insights we are providing are presented across two sections: the Internet Quality Index (IQI), which estimates average Internet quality based on aggregated measurements against a set of Cloudflare & third-party targets, and Connection Quality, which presents peak/best case connection characteristics based on speed.cloudflare.com test results aggregated over the previous 90 days. (Details on our approach to the analysis of this data are presented below.)

Users may note that individual speed test results, as well as the aggregate speed test results presented on the Internet Quality page will likely differ from those presented by other speed test tools. This can be due to a number of factors including differences in test endpoint locations (considering both geographic and network distance), test content selection, the impact of “rate boosting” by some ISPs, and testing over a single connection vs. multiple parallel connections. Infrequent testing (on any speed test tool) by users seeking to confirm perceived poor performance or validate purchased speeds will also contribute to the differences seen in the results published by the various speed test platforms.

And as we announced in April, Cloudflare has partnered with Measurement Lab (M-Lab) to create a publicly-available, queryable repository for speed test results. M-Lab is a non-profit third-party organization dedicated to providing a representative picture of Internet quality around the world. M-Lab produces and hosts the Network Diagnostic Tool, which is a very popular network quality test that records millions of samples a day. Given their mission to provide a publicly viewable, representative picture of Internet quality, we chose to partner with them to provide an accurate view of your Internet experience and the experience of others around the world using openly available data.

Connection speed & quality data is important

While most advertisements for fixed broadband and mobile connectivity tend to focus on download speeds (and peak speeds at that), there’s more to an Internet connection, and the user’s experience with that Internet connection, than that single metric. In addition to download speeds, users should also understand the upload speeds that their connection is capable of, as well as the quality of the connection, as expressed through metrics known as latency and jitter. Getting insight into all of these metrics provides a more well-rounded view of a given Internet connection, or in aggregate, the state of Internet connectivity across a geography or network.

The concept of download speeds are fairly well understood as a measure of performance. However, it is important to note that the average download speeds experienced by a user during common Web browsing activities, which often involves the parallel retrieval of multiple smaller files from multiple hosts, can differ significantly from peak download speeds, where the user is downloading a single large file (such as a video or software update), which allows the connection to reach maximum performance. The bandwidth (speed) available for upload is sometimes mentioned in ISP advertisements, but doesn’t receive much attention. (And depending on the type of Internet connection, there’s often a significant difference between the available upload and download speeds.) However, the importance of upload came to the forefront in 2020 as video conferencing tools saw a surge in usage as both work meetings and school classes shifted to the Internet during the COVID-19 pandemic. To share your audio and video with other participants, you need sufficient upload bandwidth, and this issue was often compounded by multiple people sharing a single residential Internet connection.

Latency is the time it takes data to move through the Internet, and is measured in the number of milliseconds that it takes a packet of data to go from a client (such as your computer or mobile device) to a server, and then back to the client. In contrast to speed metrics, lower latency is preferable. This is especially true for use cases like online gaming where latency can make a difference between a character’s life and death in the game, as well as video conferencing, where higher latency can cause choppy audio and video experiences, but it also impacts web page performance. The latency metric can be further broken down into loaded and idle latency. The former measures latency on a loaded connection, where bandwidth is actively being consumed, while the latter measures latency on an “idle” connection, when there is no other network traffic present. (These specific loaded and idle definitions are from the device’s perspective, and more specifically, from the speed test application’s perspective. Unless the speed test is being performed directly from a router, the device/application doesn’t have insight into traffic on the rest of the network.) Jitter is the average variation found in consecutive latency measurements, and can be measured on both idle and loaded connections. A lower number means that the latency measurements are more consistent. As with latency, Internet connections should have minimal jitter, which helps provide more consistent performance.

Our approach to data analysis

The Internet Quality Index (IQI) and Connection Quality sections get their data from two different sources, providing two different (albeit related) perspectives. Under the hood they share some common principles, though.

IQI builds upon the mechanism we already use to regularly benchmark ourselves against other industry players. It is based on end user measurements against a set of Cloudflare and third-party targets, meant to represent a pattern that has become very common in the modern Internet, where most content is served from distribution networks with points of presence spread throughout the world. For this reason, and by design, IQI will show worse results for regions and Internet providers that rely on international (rather than peering) links for most content.

IQI is also designed to reflect the traffic load most commonly associated with web browsing, rather than more intensive use. This, and the chosen set of measurement targets, effectively biases the numbers towards what end users experience in practice (where latency plays an important role in how fast things can go).

For each metric covered by IQI, and for each ASN, we calculate the 25th percentile, median, and 75th percentile at 15 minute intervals. At the country level and above, the three calculated numbers for each ASN visible from that region are independently aggregated. This aggregation takes the estimated user population of each ASN into account, biasing the numbers away from networks that source a lot of automated traffic but have few end users.

The Connection Quality section gets its data from the Cloudflare Speed Test tool, which exercises a user’s connection in order to see how well it is able to perform. It measures against the closest Cloudflare location, providing a good balance of realistic results and network proximity to the end user. We have a presence in 285 cities around the world, allowing us to be pretty close to most users.

Similar to the IQI, we calculate the 25th percentile, median, and 75th percentile for each ASN. But here these three numbers are immediately combined using an operation called the trimean — a single number meant to balance the best connection quality that most users have, with the best quality available from that ASN (users may not subscribe to the best available plan for a number of reasons).

Because users may choose to run a speed test for different motives at different times, and also because we take privacy very seriously and don’t record any personally identifiable information along with test results, we aggregate at 90-day intervals to capture as much variability as we can.

At the country level and above, the calculated trimean for each ASN in that region is aggregated. This, again, takes the estimated user population of each ASN into account, biasing the numbers away from networks that have few end users but which may still have technicians using the Cloudflare Speed Test to assess the performance of their network.

The new Internet Quality page includes three views: Global, country-level, and autonomous system (AS). In line with the other pages on Cloudflare Radar, the country-level and AS pages show the same data sets, differing only in their level of aggregation. Below, we highlight the various components of the Internet Quality page.

Global

The top section of the global (worldwide) view includes time series graphs of the Internet Quality Index metrics aggregated at a continent level. The time frame shown in the graphs is governed by the selection made in the time frame drop down at the upper right of the page, and at launch, data for only the last three months is available. For users interested in examining a specific continent, clicking on the other continent names in the legend removes them from the graph. Although continent-level aggregation is still rather coarse, it still provides some insight into regional Internet quality around the world.

Further down the page, the Connection Quality section presents a choropleth map, with countries shaded according to the values of the speed, latency, or jitter metric selected from the drop-down menu. Hovering over a country displays a label with the country’s name and metric value, and clicking on the country takes you to the country’s Internet Quality page. Note that in contrast to the IQI section, the Connection Quality section always displays data aggregated over the previous 90 days.

Country-level

Within the country-level page (using Canada as an example in the figures below), the country’s IQI metrics over the selected time frame are displayed. These time series graphs show the median bandwidth, latency, and DNS response time within a shaded band bounded at the 25th and 75th percentile and represent the average expected user experience across the country, as discussed in the Our approach to data analysis section above.

Below that is the Connection Quality section, which provides a summary view of the country’s measured upload and download speeds, as well as latency and jitter, over the previous 90 days. The colored wedges in the Performance Summary graph are intended to illustrate aggregate connection quality at a glance, with an “ideal” connection having larger upload and download wedges and smaller latency and jitter wedges. Hovering over the wedges displays the metric’s value, which is also shown in the table to the right of the graph.

Below that, the Bandwidth and Latency/Jitter histograms illustrate the bucketed distribution of upload and download speeds, and latency and jitter measurements. In some cases, the speed histograms may show a noticeable bar at 1 Gbps, or 1000 ms (1 second) on the latency/jitter histograms. The presence of such a bar indicates that there is a set of measurements with values greater than the 1 Gbps/1000 ms maximum histogram values.

Autonomous system level

Within the upper-right section of the country-level page, a list of the top five autonomous systems within the country is shown. Clicking on an ASN takes you to the Performance page for that autonomous system. For others not displayed in the top five list, you can use the search bar at the top of the page to search by autonomous system name or number. The graphs shown within the AS level view are identical to those shown at a country level, but obviously at a different level of aggregation. You can find the ASN that you are connected to from the My Connection page on Cloudflare Radar.

Exploring connection performance & quality data

Digging into the IQI and Connection Quality visualizations can surface some interesting observations, including characterizing Internet connections, and the impact of Internet disruptions, including shutdowns and network issues. We explore some examples below.

Characterizing Internet connections

Verizon FiOS is a residential fiber-based Internet service available to customers in the United States. Fiber-based Internet services (as opposed to cable-based, DSL, dial-up, or satellite) will generally offer symmetric upload and download speeds, and the FiOS plans page shows this to be the case, offering 300 Mbps (upload & download), 500 Mbps (upload & download), and “1 Gig” (Verizon claims average wired speeds between 750-940 Mbps download / 750-880 Mbps upload) plans. Verizon carries FiOS traffic on AS701 (labeled UUNET due to a historical acquisition), and in looking at the bandwidth histogram for AS701, several things stand out. The first is a rough symmetry in upload and download speeds. (A cable-based Internet service provider, in contrast, would generally show a wide spread of download speeds, but have upload speeds clustered at the lower end of the range.) Another is the peaks around 300 Mbps and 750 Mbps, suggesting that the 300 Mbps and “1 Gig” plans may be more popular than the 500 Mbps plan. It is also clear that there are a significant number of test results with speeds below 300 Mbps. This is due to several factors: one is that Verizon also carries lower speed non-FiOS traffic on AS701, while another is that erratic nature of in-home WiFi often means that the speeds achieved on a test will be lower than the purchased service level.

Traffic shifts drive latency shifts

On May 9, 2023, the government of Pakistan ordered the shutdown of mobile network services in the wake of protests following the arrest of former Prime Minister Imran Khan. Our blog post covering this shutdown looked at the impact from a traffic perspective. Within the post, we noted that autonomous systems associated with fixed broadband networks saw significant increases in traffic when the mobile networks were shut down – that is, some users shifted to using fixed networks (home broadband) when mobile networks were unavailable.

Examining IQI data after the blog post was published, we found that the impact of this traffic shift was also visible in our latency data. As can be seen in the shaded area of the graph below, the shutdown of the mobile networks resulted in the median latency dropping about 25% as usage shifted from higher latency mobile networks to lower latency fixed broadband networks. An increase in latency is visible in the graph when mobile connectivity was restored on May 12.

Bandwidth shifts as a potential early warning sign

On April 4, UK mobile operator Virgin Media suffered several brief outages. In examining the IQI bandwidth graph for AS5089, the ASN used by Virgin Media (formerly branded as NTL), indications of a potential problem are visible several days before the outages occurred, as median bandwidth dropped by about a third, from around 35 Mbps to around 23 Mbps. The outages are visible in the circled area in the graph below. Published reports indicate that the problems lasted into April 5, in line with the lower median bandwidth measured through mid-day.

Submarine cable issues cause slower browsing

On June 5, Philippine Internet provider PLDT Tweeted an advisory that noted “One of our submarine cable partners confirms a loss in some of its internet bandwidth capacity, and thus causing slower Internet browsing.” IQI latency and bandwidth graphs for AS9299, a primary ASN used by PLDT, shows clear shifts starting around 06:45 UTC (14:45 local time). Median bandwidth dropped by half, from 17 Mbps to 8 Mbps, while median latency increased by 75% from 37 ms to around 65 ms. 75th percentile latency also saw a significant increase, nearly tripling from 63 ms to 180 ms coincident with the reported submarine cable issue.

Conclusion

Making network performance and quality insights available on Cloudflare Radar supports Cloudflare’s mission to help build a better Internet. However, we’re not done yet – we have more enhancements planned. These include making data available at a more granular geographical level (such as state and possibly city), incorporating AIM scores to help assess Internet quality for specific types of use cases, and embedding the Cloudflare speed test directly on Radar using the open source JavaScript module.

In the meantime, we invite you to use speed.cloudflare.com to test the performance and quality of your Internet connection, share any country or AS-level insights you discover on social media (tag @CloudflareRadar on Twitter or @radar@cloudflare.social on Mastodon), and explore the underlying data through the M-Lab repository or the Radar API.

Watch on Cloudflare TV

https://customer-rhnwzxvb3mg4wz3v.cloudflarestream.com/debcbed2114d086c870059ac604eca49/iframe?preload=true&poster=https%3A%2F%2Fcustomer-rhnwzxvb3mg4wz3v.cloudflarestream.com%2Fdebcbed2114d086c870059ac604eca49%2Fthumbnails%2Fthumbnail.jpg%3Ftime%3D1s%26height%3D600

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet applicationward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you’re looking for a new career direction, check out our open positions.

 Discuss on Hacker News

Source :
https://blog.cloudflare.com/introducing-radar-internet-quality-page/

Content Delivery Networks (CDNs)

  • Article
  • 02/17/2023
  • 7 contributors

Feedback

In this article

  1. What exactly is a CDN?
  2. How do CDNs make services work faster?
  3. The Microsoft 365 CDN
  4. Other Microsoft CDNs

Show 11 more

This article applies to Microsoft 365 Enterprise.

CDNs help keep Microsoft 365 fast and reliable for end users. Cloud services like Microsoft 365 use CDNs to cache static assets closer to the browsers requesting them to speed up downloads and reduce perceived end user latency. The information in this topic will help you learn about Content Delivery Networks (CDNs) and how they’re used by Microsoft 365.

What exactly is a CDN?

A CDN is a geographically distributed network consisting of proxy and file servers in datacenters connected by high-speed backbone networks. CDNs are used to reduce latency and load times for a specified set of files and objects in a web site or service. A CDN may have many thousands of endpoints for optimal servicing of incoming requests from any location.

CDNs are commonly used to provide faster downloads of generic content for a web site or service such as Javascript files, icons and images, and can also provide private access to user content such as files in SharePoint Online document libraries, streaming media files, and custom code.

CDNs are used by most enterprise cloud services. Cloud services like Microsoft 365 have millions of customers downloading a mix of proprietary content (such as emails) and generic content (such as icons) at one time. It’s more efficient to put images everyone uses, like icons, as close to the user’s computer as possible. It isn’t practical for every cloud service to build CDN datacenters that store this generic content in every metropolitan area, or even in every major Internet hub around the world, so some of these CDNs are shared.

How do CDNs make services work faster?

Downloading common objects like site images and icons over and over again can take up network bandwidth that can be better used for downloading important personal content, like email or documents. Because Microsoft 365 uses an architecture that includes CDNs, the icons, scripts, and other generic content can be downloaded from servers closer to client computers, making the downloads faster. This means faster access to your personal content, which is securely stored in Microsoft 365 datacenters.

CDNs help to improve cloud service performance in several ways:

  • CDNs shift part of the network and file download burden away from the cloud service, freeing up cloud service resources for serving user content and other services by reducing the need to serve requests for static assets.
  • CDNs are purpose built to provide low-latency file access by implementing high performance networks and file servers, and by leveraging updated network protocols such as HTTP/2 with highly efficient compression and request multiplexing.
  • CDN networks use many globally distributed endpoints to make content available as close as possible to users.

The Microsoft 365 CDN

The built-in Microsoft 365 Content Delivery Network (CDN) allows Microsoft 365 administrators to provide better performance for their organization’s SharePoint Online pages by caching static assets closer to the browsers requesting them, which helps to speed up downloads and reduce latency. The Microsoft 365 CDN uses the HTTP/2 protocol for improved compression and download speeds.

 Note

The Microsoft 365 CDN is only available to tenants in the Production (worldwide) cloud. Tenants in the US Government, China and Germany clouds do not currently support the Microsoft 365 CDN.

The Microsoft 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or origins, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Microsoft 365 CDN, you can add public origins, private origins or both.

Microsoft 365 CDN conceptual diagram.

Content in public origins within the Microsoft 365 CDN is accessible anonymously, and can be accessed by anyone who has URLs to hosted assets. Because access to content in public origins is anonymous, you should only use them to cache non-sensitive generic content such as Javascript files, scripts, icons and images. The Microsoft 365 CDN is used by default for downloading generic resource assets like the Microsoft 365 client applications from a public origin.

Private origins within the Microsoft 365 CDN provide private access to user content such as SharePoint Online document libraries, sites and proprietary images. Access to content in private origins is secured with dynamically generated tokens so it can only be accessed by users with permissions to the original document library or storage location. Private origins in the Microsoft 365 CDN can only be used for SharePoint Online content, and you can only access assets through redirection from your SharePoint Online tenant.

The Microsoft 365 CDN service is included as part of your SharePoint Online subscription.

For more information about how to use the Microsoft 365 CDN, see Use the Microsoft 365 content delivery network with SharePoint Online.

To watch a series of short videos that provide conceptual and HOWTO information about using the Microsoft 365 CDN, visit the SharePoint Developer Patterns and Practices YouTube channel.

Other Microsoft CDNs

Although not a part of the Microsoft 365 CDN, you can use these CDNs in your Microsoft 365 tenant for access to SharePoint development libraries, custom code and other purposes that fall outside the scope of the Microsoft 365 CDN.

Azure CDN

 Note

Beginning in Q3 2020, SharePoint Online will begin caching videos on the Azure CDN to support improved video playback and reliability. Popular videos will be streamed from the CDN endpoint closest to the user. This data will remain within the Microsoft Purview boundary. This is a free service for all tenants and it does not require any customer action to configure.

You can use the Azure CDN to deploy your own CDN instance for hosting custom web parts, libraries and other resource assets, which allows you to apply access keys to your CDN storage and exert greater control over your CDN configuration. Use of the Azure CDN isn’t free, and requires an Azure subscription.

For more information on how to configure an Azure CDN instance, see Quickstart: Integrate an Azure storage account with Azure CDN.

For an example of how the Azure CDN can be used to host SharePoint web parts, see Deploy your SharePoint client-side web part to Azure CDN.

For information about the Azure CDN PowerShell module, see Manage Azure CDN with PowerShell.

Microsoft Ajax CDN

Microsoft’s Ajax CDN is a read-only CDN that offers many popular development libraries including jQuery (and all of its other libraries), ASP.NET Ajax, Bootstrap, Knockout.js, and others.

To include these scripts in your project, simply replace any references to these publicly available libraries with references to the CDN address instead of including it in your project itself. For example, use the following code to link to jQuery:

HTMLCopy

<script src=https://ajax.aspnetcdn.com/ajax/jquery-2.1.1.js> </script>

For more information about how to use the Microsoft Ajax CDN, see Microsoft Ajax CDN.

How does Microsoft 365 use content from a CDN?

Regardless of what CDN you configure for your Microsoft 365 tenant, the basic data retrieval process is the same.

  1. Your client (a browser or Office client application) requests data from Microsoft 365.
  2. Microsoft 365 either returns the data directly to your client or, if the data is part of a set of content hosted by the CDN, redirects your client to the CDN URL.a. If the data is already cached in a public origin, your client downloads the data directly from the nearest CDN location to your client.b. If the data is already cached in a private origin, the CDN service checks your Microsoft 365 user account’s permissions on the origin. If you have permissions, SharePoint Online dynamically generates a custom URL composed of the path to the asset in the CDN and two access tokens, and returns the custom URL to your client. Your client then downloads the data directly from the nearest CDN location to your client using the custom URL.
  3. If the data isn’t cached at the CDN, the CDN node requests the data from Microsoft 365 and then caches the data for time after your client downloads the data.

The CDN figures out the closest datacenter to the user’s browser and, using redirection, downloads the requested data from there. CDN redirection is quick, and can save users a lot of download time.

How should I set up my network so that CDNs work best with Microsoft 365?

Minimizing latency between clients on your network and CDN endpoints is the key consideration for ensuring optimal performance. You can use the best practices outlined in Managing Microsoft 365 endpoints to ensure that your network configuration permits client browsers to access the CDN directly rather than routing CDN traffic through central proxies to avoid introducing unnecessary latency.

You can also read Microsoft 365 Network Connectivity Principles to understand the concepts behind optimizing Microsoft 365 network performance.

Is there a list of all the CDNs that Microsoft 365 uses?

The CDNs in use by Microsoft 365 are always subject to change and in many cases there are multiple CDN partners configured in the event one is unavailable. The primary CDNs used by Microsoft 365 are:

CDNCompanyUsageLink
Microsoft 365 CDNMicrosoft AzureGeneric assets in public origins, SharePoint user content in private originsMicrosoft Azure CDN
Azure CDNMicrosoftCustom code, SharePoint Framework solutionsMicrosoft Azure CDN
Microsoft Ajax CDN (read only)MicrosoftCommon libraries for Ajax, jQuery, ASP.NET, Bootstrap, Knockout.js etc.Microsoft Ajax CDN

What performance gains does a CDN provide?

There are many factors involved in measuring specific differences in performance between data downloaded directly from Microsoft 365 and data downloaded from a specific CDN, such as your location relative to your tenant and to the nearest CDN endpoint, the number of assets on a page that are served by the CDN, and transient changes in network latency and bandwidth. However, a simple A/B test can help to show the difference in download time for a specific file.

The following screenshots illustrate the difference in download speed between the native file location in Microsoft 365 and the same file hosted on the Microsoft Ajax Content Delivery Network. These screenshots are from the Network tab in the Internet Explorer 11 developer tools. These screenshots show the latency on the popular library jQuery. To bring up this screen, in Internet Explorer, press F12 and select the Network tab, which is symbolized with a Wi-Fi icon.

Screenshot of F12 Network.

This screenshot shows the library uploaded to the master page gallery on the SharePoint Online site itself. The time it took to upload the library is 1.51 seconds.

Screenshot of load time 1.51s.

The second screenshot shows the same file delivered by Microsoft’s CDN. This time the latency is around 496 milliseconds. This is a large improvement and shows that a whole second is shaved off the total time to download the object.

Screenshot of load times in 469 ms.

Is my data safe?

We take great care to protect the data that runs your business. Data stored in the Microsoft 365 CDN is encrypted both in transit and at rest, and access to data in the Microsoft 365 SharePoint CDN is secured by Microsoft 365 user permissions and token authorization. Requests for data in the Microsoft 365 SharePoint CDN must be referred (redirected) from your Microsoft 365 tenant or an authorization token won’t be generated.

To ensure that your data remains secure, we recommend that you never store user content or other sensitive data in a public CDN. Because access to data in a public CDN is anonymous, public CDNs should only be used to host generic content such as web script files, icons, images and other non-sensitive assets.

 Note

3rd party CDN providers may have privacy and compliance standards that differ from the commitments outlined by the Microsoft 365 Trust Center. Data cached through the CDN service may not conform to the Microsoft Data Processing Terms (DPT), and may be outside of the Microsoft 365 Trust Center compliance boundaries.

For in-depth information about privacy and data protection for Microsoft 365 CDN providers, visit the following:

How can I secure my network with all these 3rd party services?

Using an extensive set of partner services allows Microsoft 365 to scale and meet availability requirements and enhance the user experience when using Microsoft 365. The 3rd party services Microsoft 365 leverages include both certificate revocation lists; such as crl.microsoft.com or sa.symcb.com, and CDNs; such as r3.res.outlook.com. Every CDN FQDN generated by Microsoft 365 is a custom FQDN for Microsoft 365. If you’re sent to a FQDN at the request of Microsoft 365, you can be assured that the CDN provider controls the FQDN and the underlying content at that location.

For customers that want to segregate requests destined for a Microsoft 365 datacenter from requests that are destined for a 3rd party, we’ve written up guidance on Managing Microsoft 365 endpoints.

Is there a list of all the FQDNs that leverage CDNs?

The list of FQDNs and how they leverage CDNs change over time. Refer to our published Microsoft 365 URLs and IP address ranges page to get up to date on the latest FQDNs that leverage CDNs.

You can also use the Microsoft 365 IP Address and URL Web service to request the current Microsoft 365 URLs and IP address ranges formatted as CSV or JSON.

Can I use my own CDN and cache content on my local network?

We’re continually looking for new ways to support our customers’ needs and are currently exploring the use of caching proxy solutions and other on-premises CDN solutions.

Although it isn’t a part of the Microsoft 365 CDN, you can also use the Azure CDN for hosting custom web parts, libraries and other resource assets, which allows you to apply access keys to your CDN storage and exert greater control over your CDN configuration. Use of the Azure CDN isn’t free, and requires an Azure subscription. For more information on how to configure an Azure CDN instance, see Quickstart: Integrate an Azure storage account with Azure CDN.

I’m using Azure ExpressRoute for Microsoft 365, does that change things?

Azure ExpressRoute for Microsoft 365 provides a dedicated connection to Microsoft 365 infrastructure that is segregated from the public internet. This means that clients will still need to connect over non-ExpressRoute connections to connect to CDNs and other Microsoft infrastructure that isn’t explicitly included in the list of services supported by ExpressRoute. For more information about how to route specific traffic such as requests destined for CDNs, see Implementing ExpressRoute for Microsoft 365.

Can I use CDNs with SharePoint Server on-premises?

Using CDNs only makes sense in a SharePoint Online context and should be avoided with SharePoint Server. This is because all of the advantages around geographic location don’t hold true if the server is located on-premises or geographically close anyway. Additionally, if there’s a network connection to the servers where it’s hosted, then the site may be used without an Internet connection and therefore can’t retrieve the CDN files. Otherwise, you should use a CDN if there’s one available and stable for the library and files you need for your site.

See also

Microsoft 365 Network Connectivity Principles

Assessing Microsoft 365 network connectivity

Managing Microsoft 365 endpoints

Microsoft 365 URLs and IP address ranges

Use the Microsoft 365 content delivery network with SharePoint Online

Microsoft Trust Center

Tune Microsoft 365 performance

Source :
https://learn.microsoft.com/en-us/microsoft-365/enterprise/content-delivery-networks?view=o365-worldwide

Microsoft Office 365 URLs and IP address ranges

  • Article
  • 06/29/2023

In this article

  1. Exchange Online
  2. SharePoint Online and OneDrive for Business
  3. Skype for Business Online and Microsoft Teams
  4. Microsoft 365 Common and Office Online
  5. Related Topics

Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).

Office 365 Worldwide (+GCC) | Office 365 operated by 21 Vianet | Office 365 U.S. Government DoD | Office 365 U.S. Government GCC High |

NotesDownloadUse
Last updated: 06/29/2023 – RSS. Change Log subscriptionDownload: all required and optional destinations in one JSON formatted list.Use: our proxy PAC files

Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This cadence allows for customers who don’t yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you’re using a script or a network device to access this data, you should go to the Web service directly.

Endpoint data below lists requirements for connectivity from a user’s machine to Office 365. For detail on IP addresses used for network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections, see Additional endpoints for more information.

The endpoints are grouped into four service areas representing the three primary workloads and a set of common resources. The groups may be used to associate traffic flows with a particular application, however given that features often consume endpoints across multiple workloads, these groups can’t effectively be used to restrict access.

Data columns shown are:

  • ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.
  • Category: Shows whether the endpoint set is categorized as OptimizeAllow, or Default. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets that aren’t required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you’re excluding an entire service area, the endpoint sets listed as required don’t require connectivity.You can read about these categories and guidance for their management in New Office 365 endpoint categories.
  • ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set.Some routes may be advertised in more than one BGP community, making it possible for endpoints within a given IP range to traverse the ER circuit, but still be unsupported. In all cases, the value of a given endpoint set’s ER column should be respected.
  • Addresses: Lists the FQDNs or wildcard domain names and IP address ranges for the endpoint set. Note that an IP address range is in CIDR format and may include many individual IP addresses in the specified network.
  • Ports: Lists the TCP or UDP ports that are combined with listed IP addresses to form the network endpoint. You may notice some duplication in IP address ranges where there are different ports listed.

 Note

Microsoft has begun a long-term transition to providing services from the cloud.microsoft namespace to simplify the endpoints managed by our customers. If you are following existing guidance for allowing access to required endpoints as listed below, there’s no further action required from you.

Exchange Online

IDCategoryERAddressesPorts
1Optimize
Required
Yesoutlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128
TCP: 443, 80
UDP: 443
2Allow
Optional
Notes: POP3, IMAP4, SMTP Client traffic
Yes*.outlook.office.com, outlook.office365.com, smtp.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128
TCP: 587, 993, 995, 143
8Default
Required
No*.outlook.com, autodiscover.<tenant>.onmicrosoft.comTCP: 443, 80
9Allow
Required
Yes*.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 443
10Allow
Required
Yes*.mail.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 25

SharePoint Online and OneDrive for Business

IDCategoryERAddressesPorts
31Optimize
Required
Yes*.sharepoint.com
13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2603:1061:1300::/40, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48
TCP: 443, 80
32Default
Optional
Notes: OneDrive for Business: supportability, telemetry, APIs, and embedded email links
Nossw.live.com, storage.live.comTCP: 443
33Default
Optional
Notes: SharePoint Hybrid Search – Endpoint to SearchContentService where the hybrid crawler feeds documents
No*.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.netTCP: 443
35Default
Required
No*.wns.windows.com, admin.onedrive.com, officeclient.microsoft.comTCP: 443, 80
36Default
Required
Nog.live.com, oneclient.sfx.msTCP: 443, 80
37Default
Required
No*.sharepointonline.com, spoprod-a.akamaihd.netTCP: 443, 80
39Default
Required
No*.svc.msTCP: 443, 80

Skype for Business Online and Microsoft Teams

IDCategoryERAddressesPorts
11Optimize
Required
Yes13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/39UDP: 3478, 3479, 3480, 3481
12Allow
Required
Yes*.lync.com, *.teams.microsoft.com, teams.microsoft.com
13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/39, 2620:1ec:6::/48, 2620:1ec:40::/42
TCP: 443, 80
13Allow
Required
Yes*.broadcast.skype.com, broadcast.skype.com
13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/39, 2620:1ec:6::/48, 2620:1ec:40::/42
TCP: 443
15Default
Required
No*.sfbassets.comTCP: 443, 80
16Default
Required
No*.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.netTCP: 443
17Default
Required
Noaka.msTCP: 443
18Default
Optional
Notes: Federation with Skype and public IM connectivity: Contact picture retrieval
No*.users.storage.live.comTCP: 443
19Default
Optional
Notes: Applies only to those who deploy the Conference Room Systems
Noadl.windows.comTCP: 443, 80
22Allow
Optional
Notes: Teams: Messaging interop with Skype for Business
Yes*.skypeforbusiness.com
13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/39, 2620:1ec:6::/48, 2620:1ec:40::/42
TCP: 443
27Default
Required
No*.mstea.ms, *.secure.skypeassets.com, mlccdnprod.azureedge.netTCP: 443
127Default
Required
No*.skype.comTCP: 443, 80
167Default
Required
No*.ecdn.microsoft.comTCP: 443
180Default
Required
Nocompass-ssl.microsoft.comTCP: 443

Microsoft 365 Common and Office Online

IDCategoryERAddressesPorts
41Default
Optional
Notes: Microsoft Stream
No*.microsoftstream.comTCP: 443
43Default
Optional
Notes: Microsoft Stream 3rd party integration (including CDNs)
Nonps.onyx.azure.netTCP: 443
44Default
Optional
Notes: Microsoft Stream – unauthenticated
No*.azureedge.net, *.media.azure.net, *.streaming.mediaservices.windows.netTCP: 443
45Default
Optional
Notes: Microsoft Stream
No*.keydelivery.mediaservices.windows.netTCP: 443
46Allow
Required
Yes*.officeapps.live.com, *.online.office.com, office.live.com
13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128
TCP: 443, 80
47Default
Required
No*.office.netTCP: 443, 80
49Default
Required
No*.onenote.comTCP: 443
50Default
Optional
Notes: OneNote notebooks (wildcards)
No*.microsoft.comTCP: 443
51Default
Required
No*cdn.onenote.netTCP: 443
53Default
Required
Noajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.comTCP: 443
56Allow
Required
Yes*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com
20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48
TCP: 443, 80
59Default
Required
No*.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.netTCP: 443, 80
64Allow
Required
Yes*.compliance.microsoft.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, security.microsoft.com
13.107.6.192/32, 13.107.9.192/32, 52.108.0.0/14, 2620:1ec:4::192/128, 2620:1ec:a92::192/128
TCP: 443
66Default
Required
No*.portal.cloudappsecurity.comTCP: 443
67Default
Optional
Notes: Security and Compliance Center eDiscovery export
No*.blob.core.windows.netTCP: 443
68Default
Optional
Notes: Portal and shared: 3rd party office integration. (including CDNs)
Nofirstpartyapps.oaspapps.com, prod.firstpartyapps.oaspapps.com.akadns.net, telemetryservice.firstpartyapps.oaspapps.com, wus-firstpartyapps.oaspapps.comTCP: 443
69Default
Required
No*.aria.microsoft.com, *.events.data.microsoft.comTCP: 443
70Default
Required
No*.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.microsoft.com, technet.microsoft.comTCP: 443
71Default
Required
No*.office365.comTCP: 443, 80
72Default
Optional
Notes: Azure Rights Management (RMS) with Office 2010 clients
No*.cloudapp.netTCP: 443
73Default
Required
No*.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.netTCP: 443
75Default
Optional
Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services
No*.sharepointonline.com, dc.services.visualstudio.com, mem.gfx.ms, staffhub.msTCP: 443
78Default
Optional
Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards.
No*.microsoft.com, *.msocdn.com, *.onmicrosoft.comTCP: 443, 80
79Default
Required
Noo15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.comTCP: 443, 80
83Default
Required
Noactivation.sls.microsoft.comTCP: 443
84Default
Required
Nocrl.microsoft.comTCP: 443, 80
86Default
Required
Nooffice15client.microsoft.com, officeclient.microsoft.comTCP: 443
89Default
Required
Nogo.microsoft.comTCP: 443, 80
91Default
Required
Noajax.aspnetcdn.com, cdn.odc.officeapps.live.comTCP: 443, 80
92Default
Required
Noofficecdn.microsoft.com, officecdn.microsoft.com.edgesuite.netTCP: 443, 80
93Default
Optional
Notes: ProPlus: auxiliary URLs
No*.virtualearth.net, c.bing.net, excelbingmap.firstpartyapps.oaspapps.com, ocos-office365-s2s.msedge.net, peoplegraph.firstpartyapps.oaspapps.com, tse1.mm.bing.net, wikipedia.firstpartyapps.oaspapps.com, www.bing.comTCP: 443, 80
95Default
Optional
Notes: Outlook for Android and iOS
No*.acompli.net, *.outlookmobile.comTCP: 443
96Default
Optional
Notes: Outlook for Android and iOS: Authentication
Nologin.windows-ppe.netTCP: 443
97Default
Optional
Notes: Outlook for Android and iOS: Consumer Outlook.com and OneDrive integration
Noaccount.live.com, login.live.comTCP: 443
105Default
Optional
Notes: Outlook for Android and iOS: Outlook Privacy
Nowww.acompli.comTCP: 443
114Default
Optional
Notes: Office Mobile URLs
No*.appex.bing.com, *.appex-rf.msn.com, c.bing.com, c.live.com, d.docs.live.net, directory.services.live.com, docs.live.net, partnerservices.getmicrosoftkey.com, signup.live.comTCP: 443, 80
116Default
Optional
Notes: Office for iPad URLs
Noaccount.live.com, auth.gfx.ms, login.live.comTCP: 443, 80
117Default
Optional
Notes: Yammer
No*.yammer.com, *.yammerusercontent.comTCP: 443
118Default
Optional
Notes: Yammer CDN
No*.assets-yammer.comTCP: 443
121Default
Optional
Notes: Planner: auxiliary URLs
Nowww.outlook.comTCP: 443, 80
122Default
Optional
Notes: Sway CDNs
Noeus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.comTCP: 443
124Default
Optional
Notes: Sway
Nosway.com, www.sway.comTCP: 443
125Default
Required
No*.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.comTCP: 443, 80
126Default
Optional
Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled.
Noofficespeech.platform.bing.comTCP: 443
147Default
Required
No*.office.com, www.microsoft365.comTCP: 443, 80
152Default
Optional
Notes: These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal.
No*.microsoftusercontent.comTCP: 443
153Default
Required
No*.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.comTCP: 443
156Default
Required
No*.activity.windows.com, activity.windows.comTCP: 443
158Default
Required
No*.cortana.aiTCP: 443
159Default
Required
Noadmin.microsoft.comTCP: 443, 80
160Default
Required
Nocdn.odc.officeapps.live.com, cdn.uci.officeapps.live.comTCP: 443, 80
184Default
Required
No*.cloud.microsoft, *.static.microsoftTCP: 443, 80

 Note

For recommendations on Yammer IP addresses and URLs, see Using hard-coded IP addresses for Yammer is not recommended on the Yammer blog.

Additional endpoints not included in the Office 365 IP Address and URL Web service

Managing Office 365 endpoints

General Microsoft Stream endpoints

Monitor Microsoft 365 connectivity

Root CA and the Intermediate CA bundle on the third-party application system

Client connectivity

Content delivery networks

Microsoft Azure IP Ranges and Service Tags – Public Cloud

Microsoft Azure IP Ranges and Service Tags – US Government Cloud

Microsoft Azure IP Ranges and Service Tags – China Cloud

Microsoft Public IP Space

Service Name and Transport Protocol Port Number Registry

Source :
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges