Category: Qnap

Key Insights into Healthcare Compliance in 2023

27.07.2023

Healthcare compliance in 2023 is being driven by a combination of increased regulatory scrutiny, technological advancements, and a growing focus on patient-centric care. As a result, organizations are increasingly expected to adhere to stringent regulations, safeguard patient data, maintain ethical practices, and ensure the delivery of high-quality care.

This necessitates a proactive approach to compliance, with healthcare providers and institutions striving to stay ahead by adopting robust systems, training staff, and embracing innovative solutions to mitigate risks and protect both patients and their reputation.

What is Healthcare Compliance?

Compliance is the adherence to regulations, guidelines, and ethical standards aimed at safeguarding patient privacy, data security, and overall quality of care. It involves staying up to date with evolving laws, implementing necessary measures, and ensuring organizational practices align with industry standards. 

Healthcare Compliance Regulations

Healthcare compliance regulations include:

  • The Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protecting patient health information and establishes penalties for non-compliance.
  • The Affordable Care Act (ACA), which focuses on improving healthcare access and quality while combating fraud and abuse. 
  • The Centers for Medicare and Medicaid Services (CMS), which plays a crucial role by overseeing programs and regulations related to these government-sponsored healthcare services.

Compliance with these regulations is essential for healthcare organizations to maintain trust, avoid penalties, and provide high-quality care.

Who Regulates the Healthcare Industry?

The healthcare industry is regulated by several entities, including government agencies and regulatory bodies. In the United States, the primary regulators include:

  • The U.S. Department of Health and Human Services (HHS), which oversees several agencies responsible for healthcare regulation, such as the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR).
  • The Food and Drug Administration (FDA) who regulate drugs, medical devices, and food safety
  • The Drug Enforcement Administration (DEA) who monitor controlled substances. State health departments and professional boards.

What are the Most Important Healthcare Regulations?

Several regulations stand out as the most important in the healthcare industry as follows:

The Social Security Act 

The Social Security Act, enacted in 1935, is a landmark piece of legislation in the United States that established the Social Security program. It provides benefits to retirees, disabled individuals, and surviving family members, aiming to alleviate poverty and provide economic security.

The Health Insurance Portability and Accountability Act (HIPAA) 

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, safeguards the privacy and security of individuals’ health information. It sets standards for the electronic exchange of health information, ensures the confidentiality of medical records, and grants patients certain rights over their health data.

The Health Information Technology for Economic and Clinical Health ACT (HITECH)

The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009 as part of the American Recovery and Reinvestment Act. It promotes the adoption and meaningful use of electronic health records (EHRs) and strengthens privacy and security protections for health information.

The False Claims Act 

The False Claims Act is a federal law that dates back to the Civil War era. It allows private individuals, known as whistleblowers, to file lawsuits on behalf of the government against those who defraud federal programs, such as Medicare and Medicaid, by submitting false claims for payment.

The Anti-Kickback Statute 

The Anti-Kickback Statute prohibits the exchange of anything of value in return for referrals or generating business for federal healthcare programs. This law aims to prevent kickbacks and improper financial arrangements that could compromise medical judgment and inflate healthcare costs.

The Physician Self-Referral Law

The Physician Self-Referral Law, also known as the Stark Law, prohibits physicians from referring Medicare or Medicaid patients to entities in which they have a financial interest, with exceptions. This law prevents potential conflicts of interest that could influence medical decision-making and billing practices.

The Patient Protection and Affordable Care Act

The Patient Protection and Affordable Care Act (ACA), passed in 2010, is a comprehensive healthcare reform law. It expands access to health insurance, implements consumer protections, such as prohibiting denial of coverage due to pre-existing conditions, and introduces various cost-containment measures.

The Interoperability and Patient Access Final Rule 

The Interoperability and Patient Access Final Rule, issued in 2020, is part of the 21st Century Cures Act. It requires healthcare providers, health plans, and health information technology developers to improve interoperability and facilitate patient access to their electronic health information.

The Hospital Price Transparency Final Rule

The Hospital Price Transparency Final Rule, implemented in 2021, requires hospitals to disclose their standard charges for healthcare services in a machine-readable format. This rule aims to increase price transparency, empower patients to make informed decisions and promote competition in the healthcare market.

Why is Healthcare Compliance so Important?

Healthcare compliance is necessary due to the following main reasons:

First and foremost, it ensures that healthcare organizations operate in accordance with applicable laws, regulations, and industry standards. Compliance helps protect patient safety and privacy by ensuring that healthcare providers follow protocols for handling sensitive health information, maintaining secure systems, and implementing proper safeguards against data breaches.

By adhering to compliance regulations, healthcare organizations demonstrate their commitment to maintaining the highest standards of care and ethical practices.

Moreover, healthcare compliance helps mitigate legal and financial risks. Non-compliance can result in severe consequences, such as hefty fines, penalties, and legal actions, which can significantly impact an organization’s reputation and financial stability. By actively engaging in compliance efforts, healthcare organizations can minimize the risk of violations, protect their reputation, and avoid potential litigation.

Finally, healthcare compliance promotes a culture of integrity, accountability, and transparency. It encourages healthcare professionals to adhere to ethical guidelines, maintain accurate records, and engage in responsible billing practices.

Compliance programs also promote internal monitoring, auditing, and reporting mechanisms, fostering an environment where unethical or fraudulent activities are detected and addressed promptly. 

Ultimately, healthcare compliance helps ensure the delivery of high-quality care, protects patients’ rights, and maintains the trust of individuals seeking healthcare services.

Privacy & Quality Patient Care

Protecting patient privacy is essential for ensuring quality patient care. When patients trust that their personal health information will remain confidential, they are far more likely to share vital details with healthcare providers, leading to accurate diagnoses and tailored treatment plans.

By implementing robust privacy measures, healthcare organizations can uphold patient confidentiality, enhance trust, and maintain the integrity of the patient-provider relationship, improving the quality of care delivered.

Healthcare Worker Protection

By implementing measures such as appropriate staffing levels, comprehensive training, and access to personal protective equipment, healthcare organizations can protect their workers from occupational hazards, minimize the risk of injuries or infections, and promote a healthy work environment.

Safeguarding healthcare workers’ physical and mental well-being contributes to their ability to provide quality care and ensures the sustainability of the healthcare workforce.

Avoiding Fraud

Healthcare fraud involves deceptive practices such as submitting false claims, providing unnecessary services, or billing for services not rendered. By implementing robust fraud detection and prevention mechanisms, such as auditing processes and internal controls, healthcare organizations can identify and prevent fraudulent activities.

This helps protect valuable healthcare resources, ensure that funds are directed towards legitimate patient care, and maintain the public’s trust in the healthcare system.

Staying Compliant with Regulations

By staying compliant, healthcare organizations mitigate legal and financial risks, maintain their reputation, and demonstrate a commitment to providing high-quality care while upholding ethical standards. Regular monitoring, training, and robust compliance programs are key to achieving and maintaining regulatory compliance.

10 Best Practices for Creating a Healthcare Compliance Plan

By implementing key strategies, organizations can establish a strong foundation for compliance and risk management as follows:

1. Designate a Chief Compliance Officer

Designate a CCO who has the authority and resources to develop, implement, and oversee the compliance program, ensuring adherence to regulatory requirements and promoting a culture of compliance throughout the organization.

2. Educate the Employees

Employees should be knowledgeable about their roles and responsibilities in maintaining compliance, including privacy and security of patient information, ethical billing practices, and reporting mechanisms for potential compliance violations.

3. Build an Effective Compliance Reporting System

Clear reporting channels, such as hotlines or anonymous reporting mechanisms, should be in place to capture and address compliance-related issues promptly.

4. Build a Risk Mitigation Plan

Conduct regular risk assessments to proactively identify vulnerabilities, implement controls and mitigation strategies, and monitor ongoing compliance to minimize the likelihood of compliance breaches.

5. Ensure Cybersecurity at Every Level

Implement robust security measures, such as encryption, access controls, and regular security audits to safeguard electronic health records and other sensitive information from unauthorized access or breaches.

6. Make Sure Your Telemedicine Services Are Secure

Implement secure telemedicine platforms, encryption protocols, and HIPAA-compliant telehealth practices to maintain compliance while delivering remote care.

7. Use a Compliant Talent Acquisition Process

Establish a compliant talent acquisition process that includes thorough background checks, verification of licenses and credentials, and adherence to equal employment opportunity guidelines. By ensuring compliance in the hiring process, organizations can minimize the risk of employing individuals with a history of compliance violations.

8. Develop Very Clear Policies

Put clear and comprehensive policies and procedures in place that cover all aspects of healthcare compliance, including privacy, security, billing, and ethical conduct. Policies should be readily accessible, regularly reviewed, and updated to reflect changes in regulations or organizational practices.

9. Conduct Regular Compliance Audits

Carry out regular compliance audits to assess the effectiveness of the compliance program, identify areas for improvement, and ensure ongoing adherence to regulatory requirements. Audits should include internal reviews, assessments of documentation and procedures, and external audits if necessary.

10. Address Noncompliance Swiftly

Establish protocols for investigating and resolving compliance violations, implementing corrective actions, and ensuring accountability. Timely response and appropriate disciplinary measures demonstrate a commitment to compliance and discourage further non-compliance.

The Repercussions of Noncompliance

Noncompliance with healthcare regulations can have severe consequences which can include financial penalties, legal actions, damage to reputation, loss of trust, and potential harm to patients. Subsequently, it is essential for healthcare organizations to prioritize compliance and proactively mitigate risks. 

To help ensure your organization’s compliance, we recommend using a comprehensive compliance checklist our HIPAA Compliance Checklist.

Source :
https://www.perimeter81.com/blog/compliance/healthcare-compliance

What is Firewall Design?

27.07.2023

firewall is a network security device designed to monitor and control network traffic flow based on predetermined security rules. It acts as a barrier, selectively allowing or blocking incoming and outgoing network connections to protect the internal network from external threats. Essentially, a firewall ensures that only authorized and secure connections are made by filtering network traffic based on defined criteria.

Firewalls operate using a combination of rule-based filtering and packet inspection techniques. When network traffic passes through a firewall, it undergoes scrutiny based on various parameters, including source and destination IP addresses, ports, protocols, and the state of connections.

The Importance of Firewall Design for Network Security

So how does firewall design impact your network security? Here are the top reasons.

Protecting Against Unauthorized Access

One of the primary functions of firewall design is to prevent unauthorized access to an organization’s network resources. Firewalls act as gatekeepers, examining incoming and outgoing network traffic and enforcing access control policies based on predefined rules.

Identifying and configuring firewalls carefully will help organizations prevent unauthorized access by ensuring that only legitimate connections are allowed.

Mitigating Cyber Threats

Firewalls employ packet filtering, deep packet inspection, and stateful inspection to analyze network traffic and identify potential threats. They can detect and block suspicious or malicious traffic. Organizations can reduce the risk of successful attacks and protect their networks and sensitive information.

Preventing Data Breaches

Data breaches can severely affect organizations, resulting in financial losses, reputational damage, and legal liabilities. Firewall design prevents data breaches by monitoring and controlling network traffic. Also, firewall design principles advocate for network segmentation, which helps contain potential breaches and limit the impact on critical assets.

Enforcing Security Policies

Firewall design allows organizations to enforce and manage their security policies effectively. Organizations can align firewall configurations with security objectives and compliance requirements by defining rules and access controls.

Firewall policies can be customized based on traffic, user roles, and data sensitivity. Regular review and updates of firewall policies can ensure the effectiveness of their security measures.

Compliance with Regulations

Compliance with industry regulations and data protection laws is crucial for organizations across various sectors. Firewall design plays a significant role in achieving compliance by implementing security controls and access restrictions mandated by regulatory frameworks.

Organizations can demonstrate their commitment to protecting sensitive data by enforcing policies in line with GDPR, HIPAA, or PCI DSS regulations.

Characteristics of a Firewall

1. Physical Barrier

A firewall is a physical barrier between an internal network and the external world. It inspects incoming and outgoing network traffic, allowing or blocking connections based on predetermined security rules. By serving as a protective boundary, a firewall helps safeguard the internal network from unauthorized access and potential threats.

2. Multi-Purpose

A firewall is a versatile security tool that performs various functions beyond basic network traffic filtering. It can support additional security features, such as intrusion detection/prevention systems, VPN connectivity, antivirus scanning, content filtering, and more. This multi-purpose nature enables firewalls to provide comprehensive security measures tailored to an organization’s needs.

3. Security Platform

Firewalls serve as a security platform by integrating different security mechanisms into a unified system. They combine packet filtering, stateful inspection, application-level gateways, and other security technologies to protect against cyber threats. By functioning as a consolidated security platform, firewalls offer a layered defense strategy against potential attacks.

4. Flexible Security Policies

Firewalls offer flexible security policy implementation, allowing organizations to define and enforce customized rules and access controls. These policies can be based on various factors, including source/destination IP addresses, ports, protocols, user identities, and time of day.

With the ability to tailor security policies to specific requirements, organizations can effectively manage network traffic and adapt to evolving security needs.

5. Access Handler

A firewall acts as an access handler by controlling and managing network access permissions. It determines what connections are allowed or denied using predefined rules and policies. By regulating access to network resources, a firewall ensures that only authorized users and devices can establish connections, reducing the risk of unauthorized access and potential data breaches.

Firewall Design Principles

It is important to remember certain principles when designing a firewall to ensure its effectiveness in safeguarding network security. These principles serve as guidelines for architects and administrators, helping them design robust firewall architectures that protect against unauthorized access and potential threats.

  • Defense-in-Depth Approach: A fundamental principle in firewall design is adopting a defense-in-depth strategy. Rather than relying solely on a single firewall, organizations should deploy multiple firewalls, intrusion detection/prevention systems, and other security measures to create a layered defense architecture. 
  • Least Privilege Principle: The principle of least privilege is crucial in firewall design to minimize the potential attack surface. It advocates granting the minimum level of privileges and access necessary for users and systems to perform their required functions. This minimizes exposure to potential threats and reduces the risk of unauthorized access or malicious activities.
  • Rule Set Optimization: Firewall rule set optimization is another important design principle. As firewalls employ rule-based filtering mechanisms, regularly reviewing and optimizing the rule sets is essential. This involves removing unnecessary or redundant rules, consolidating overlapping rules, and organizing rules logically and efficiently. 
  • Secure Default Configurations: Firewall design should prioritize secure default configurations to ensure a strong foundation for network security. Default settings often allow all traffic, leaving the network vulnerable to attacks. Secure defaults are a starting point for designing effective firewall policies and help prevent misconfigurations that may lead to security gaps.
  • Regular Monitoring and Updates: Monitoring and updating firewalls are critical principles in firewall design. Regular monitoring allows organizations to promptly detect and respond to security incidents, identify unauthorized access attempts, and analyze network traffic patterns. 

7 Steps to Designing the Perfect Firewall For Your Business

Designing an effective firewall for your business requires careful planning and consideration of specific requirements. This section presents a step-by-step approach to creating the perfect firewall. 

1. Identify Requirements

The first step in designing a firewall is to identify the specific requirements of your business. This involves understanding the network topology, the types of applications and services in use, the security objectives, and any regulatory or compliance requirements.

2. Outline Policies

The next step is to outline the firewall policies based on the requirements. You can decide which traffic is allowed or denied for each source and destination address, port, protocol, and role using rules and access controls.

3. Set Restrictions

Setting restrictions involves configuring the firewall to enforce the outlined policies. This may include blocking certain types of traffic, implementing intrusion prevention mechanisms, enabling VPN connectivity, or configuring content filtering rules.

4. Identify the Deployment Location

This involves determining whether the firewall will be placed at the network perimeter, between internal segments, or within a demilitarized zone (DMZ), depending on the network architecture and security requirements.

5. Identify Firewall Enforcement Points

Identifying firewall enforcement points involves determining where the firewall will be implemented within the network topology. This includes considering factors such as the location of critical assets, the flow of network traffic, and the points where the firewall can effectively inspect and control the traffic.

6. Identify Permitted Communications

As part of the design process, it is important to identify the permitted communications the firewall will allow. This includes identifying the necessary communication channels for business-critical applications, remote access requirements, and any specific exceptions to the firewall policies.

7. Launch

Lastly, launch the firewall and ensure all configurations are correct. This includes testing the firewall’s functionality, monitoring its performance, and conducting regular audits to ensure compliance with security policies and industry best practices.

Safeguarding Networks with Strong Firewall Design – Protect Your Business Today

Take charge of your network security today and safeguard your business from cyber threats. Don’t wait for a security breach to occur—proactively design and deploy a powerful firewall that acts as a shield, protecting your network and ensuring the continuity of your operations.

Take the first step towards a secure network—consult with experts, assess your requirements, and design a robust firewall solution that suits your business needs. Protect your valuable assets, preserve customer trust, and stay one step ahead of potential threats with a well-designed firewall architecture. Safeguard your network and fortify your business with Perimeter 81’s Firewall as a Service.

FAQs

What are 3 common firewall designs?

– Packet Filtering Firewalls: They inspect packets based on rules, operating at Layer 3 of the OSI model.
– Stateful Inspection Firewalls: These track network connections and analyze entire network packets.
– Next-Generation Firewalls (NGFW): NGFWs combine traditional firewall features with intrusion prevention, application awareness, and deep packet inspection.

What are the four basic types of firewall rules?

1. Allow: This rule permits specific traffic to pass through the firewall based on defined criteria, such as source/destination IP addresses, ports, and protocols.
2. Deny: This rule blocks specific traffic from passing through the firewall based on defined criteria. Denied traffic is typically dropped or rejected.
3. NAT (Network Address Translation): NAT rules modify network packets’ source or destination IP addresses.
4. Session Control: These rules define how the firewall handles and manages sessions.

What are the 4 common architectural implementations of firewalls?

1. Network-based Firewalls: Positioned at the network’s edge, they offer centralized security, filtering and monitoring all inbound and outbound traffic.
2. Host-based Firewalls: These are installed directly on devices like servers or workstations, providing tailored protection and control over device-specific traffic.
3. Virtual Firewalls: They ensure security within virtualized environments. Apart from protecting virtual machines, they control and isolate network traffic between VMs.
4. Cloud-based Firewalls: Positioned within cloud environments, they ensure robust security for cloud-based applications and infrastructure, balancing scalability and centralized control.

Source :
https://www.perimeter81.com/blog/network/firewall-design

Exploring Firewall Design Principles for Secure Networks

27.07.2023

Firewall design principles are the bedrock of network security, providing a robust defense mechanism against both internal and external threats. These principles help in developing a security policy that can enforce stringent rulesets and offer layered protection for your private network.

Firewall design principles are crucial for maintaining a secure network. There are different types of firewalls like packet filter firewalls, stateful inspection firewalls, and proxy firewalls along with their unique features.

If you want to be able to design your firewall the right way you need to master the different key components in firewall design such as policies, rulesets, and interfaces, and learn the advanced features like Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI) and be aware of best practices to implement these designs effectively. 

This comprehensive understanding of firewall design principles will empower you to make informed decisions about your organization’s network security infrastructure.

What are Firewall Design Principles?

The realm of network security is complex and vast, with firewalls serving as the critical line of defense against cyber threats. They’re like the bouncers of the internet, keeping the bad guys out and letting the good guys in.

The basic concept behind firewall design principles

A firewall’s primary role is to be the gatekeeper of your network, deciding who gets in and who stays out. It’s like having a very selective doorman at an exclusive venue, only allowing those with the right credentials to enter.

The fundamental principle behind firewall design is simple: filter, filter, filter. The firewall looks at things like IP addresses, domain names, and protocols to decide if a data packet is worthy of entering your network.

Why understanding firewall design principles is essential for network security

In today’s digital age, where cyber threats are increasingly common, having a solid firewall is a must. 

Understanding firewall design principles is like having a secret weapon in your security arsenal. It’s like knowing all the tricks of the trade, so you can configure your firewall to be a fortress against cyber attacks. 

Staying ahead of malicious actors is possible if you understand their strategies and configure your firewall in a way that best protects against cyber threats.

No single approach will suffice when it comes to firewalls; you need to tailor yours to suit your individual needs. Take the time to understand the core firewall design principles and make your firewall the ultimate defender of your network.

Five Principles of Firewall Design

Firewall design principles are critical to protect your private network and to maximize your network security. Here are five principles you can use when establishing your firewall and implementing security policies.

1. Develop a Solid Security Policy

Having a proper security policy is an essential part of designing your firewall. Without it in place, it’s a headache to allow users to navigate the company network and restrict intruders. This proper security policy will also help you know the proper protocol if there is a security breach.

A properly developed security policy can protect you. A solid security policy includes guidance on proper internet protocol, preventing users from using devices on public networks, and recognizing external threats.

Don’t overlook a properly developed security policy! Also, remember that simply having a security policy is only the first step. In addition to establishing security policies, you should have frequent training and refreshers for all employees. Have policies in place for reporting security threats and hold everyone in the organization accountable. 

2. Use a Simple Design

Keep it simple. If you have a complex design, you’ll need to find complex solutions anytime a problem arises. A simple design helps alleviate some of the pain you may feel when a problem comes up (and it inevitably will at some point). Also, complex designs are more prone to configuration errors that can open paths for external attacks.

3. Choose the Right Device

You need to have the right tools to do the job. If you use the wrong device, you have the wrong tools and are at a disadvantage from the start. Using the right part that fits your design will help you create the best firewall for your network.

4. Build a Layered Defense

Firewalls should have layers to properly protect your network. A multi-layered defense creates a complicated protection system that hackers can’t easily break through. Creating layers builds an effective defense and will keep your network safe.

5. Build Protection Against Internal Threats

Don’t just focus on attacks from external sources. A large percentage of data breaches are the result of internal threats and carelessness. Mistakes made by those internally can open your network to attacks from outside sources. Implementing proper security solutions for your internal network can help prevent this from happening.

Something as simple as accessing a web server can expose your network if you aren’t protected internally as well as you are externally.

As you design your firewall, remember these firewall design principles: have a properly developed security policy, keep it simple, use the right tools, build a layered defense, and protect yourself from internal threats.

Types of Firewalls

Different firewalls have varying characteristics and applications, so it’s essential to understand them in order to select the most suitable firewall for your network. Knowing these differences is crucial for picking the right firewall for your network’s needs.

Packet-Filtering Firewalls: Basic but Effective

A packet-filtering or packet-filter firewall does what it says—filters data packets based on predetermined rules. It checks packet headers to see what’s allowed in. 

Simple, but not enough against fancy cyber threats.

Circuit-level Gateways

A circuit-level gateway can be a stand-alone system or it can be a function performed as a gateway for certain applications. A circuit-level gateway does not allow for end-to-end connection but rather sets up two connections with an inner host and a user with an outer host. 

Stateful Inspection Firewalls

Stateful inspection firewalls go beyond packet headers. They keep track of active connections and use that info to validate packets. It remembers who and what is allowed – efficient and effective.

Application-level Gateways (a.k.a. Proxy Firewalls)

Proxy firewalls (also known as application-level gateways) act as intermediaries between internal networks and the Internet. They hide internal IP addresses and offer content filtering. 

The choice among these types depends on your network’s needs relating to size, complexity, and sensitivity. Remember, they often work together in layers; just make sure they’re properly configured and regularly updated. 

Next-Gen Firewalls

Next-gen firewalls are the next step in firewall security. These can protect against advanced malware and application-layer attacks. They typically include:

  • Firewall capabilities like stateful inspection.
  • Integrated intrusion prevention.
  • Application awareness and control to see risky apps.
  • Threat intelligence sources.
  • Upgrade paths to include future information feeds.
  • Techniques to continue evolving.

Now, we’ll explore constructing an efficient firewall.

Key Components in Firewall Design

When it comes to designing a firewall, there are certain key components that should be taken into account. Let’s break it down:

Importance of Policies

Security policies are like the rulebook for your firewall. They decide what traffic gets in and what gets blocked. You want to make sure only the right traffic makes it through.

A proper security policy will help you in both the short term and long term. Make sure to enforce security policies to keep yourself protected.

Rulesets – Defining What Gets Through

Rulesets are like the enforcers of the policies. They make sure the regulations are met. Visualize a vigilant sentry, patrolling your network for any untoward activity and taking swift action when needed. Rulesets often include elements like source address, source port, destination address, and destination port.

Interfaces – Connecting Networks Securely

Interfaces are the gateways between networks. They’re like the bridges that connect different parts of your network. Make sure these bridges are secure, so no unwanted guests can sneak in.

To recap, when it comes to firewall design, policies, rulesets, and interfaces are the key players. They work together to keep your network safe and sound.

Advanced Features in Modern Firewall Designs

In the ever-evolving world of cybersecurity, firewalls have leveled up to tackle sophisticated threats. 

Let’s dive into two cool advancements: Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI).

Intrusion Prevention Systems (IPS): Proactive Defense Mechanism

An Intrusion Prevention System (IPS) is like a superhero embedded in modern firewalls. It doesn’t just detect and block known threats; it goes the extra mile.

IPS keeps a watchful eye on network traffic, sniffing out any suspicious activity or weird anomalies. When it spots trouble, it swiftly shuts it down.

Deep Packet Inspection (DPI): Detailed Threat Analysis

Deep Packet Inspection (DPI) adds an extra layer of security by giving data packets a thorough check-up.

  • DPI looks at both the header info and the payload content of each packet.
  • It’s like a detective, figuring out the nature of incoming traffic.
  • If it finds anything fishy, like malware or protocol non-compliance, it sounds the alarm so you can take action.

These advanced features make modern firewalls tougher than traditional ones. But remember, no single solution can guarantee complete security. 

They’re advanced elements of your security squad, but they need backup from a solid information security policy management strategy.

Four Types of Access Control

There are four techniques that firewalls generally use to control access and security policy. 

  • User Control: Control access to a service according to which user is attempting to access the service.
  • Service Control: Determines what services can be accessed to keep your network secure.
  • Direction Control: Determines in which direction a service can be accessed, both inbound and outbound.
  • Behavior Control: Controls how services are accessed and used.

Advantages of Firewalls

There are several advantages of implementing a firewall to protect your network. Here are some of the biggest benefits you’ll see:

Block Infected Files

You come across threats when you browse the internet, or you might even have them delivered to your mailbox. Firewalls help block those files from breaking through your system.

Stop Unwanted Visitors

You don’t want anyone snooping through your system. This can lead to long-term security problems. Your firewall will detect unwanted visitors and keep them out.

Accessing public networks can put you at a higher risk of security breaches, but having a firewall can block access to your sensitive data.

Safeguards Your IP Address

This will protect your network as you browse the internet on a web server so you aren’t exposed to those who want to cause problems for your network. This can be set up with a virtual private network (or VPN) which acts as a network security device to keep your network secure.

Prevents Email Spamming

Security policies should help protect the employees on your network from malware or phishing attempts, but in case a mistake is made, a proper firewall can help prevent spam emails from getting through your system.

Stops Spyware

When using a web server, you can come across files that will install spyware on your system. A firewall will easily block access so you don’t have to worry about being exposed to outside threats.

Limitations of Firewalls

For as many advantages as you gain from having a firewall, there are still some limitations it will create on your server.

Internal Loose Ends

As a firewall can easily block access to external threats, it can struggle to prevent internal attacks. If you have an employee who accidentally cooperates with an attacker, you may still be exposed internally.

Infected Files

Because of the sheer number of files your network may come across, it’s impossible for every file to be reviewed by your network security device. 

Cost

It can be expensive to set up a firewall that protects your system, and the bigger your network gets, the more expensive it can become. That said, even a single large data breach could cost your company dearly, so having the proper protection in place is an investment worth making.

User Restriction

Sometimes firewalls can make it more difficult for users to access the systems they need to do their work. This can impact productivity when certain users need to access multiple applications.

System Performance

Implementing a firewall takes up a lot of bandwidth and using the RAM and power supply that may need to go to other devices can impact your system’s performance.

Firewall Delivery Methods

There are several different delivery methods for a firewall. Here are some of the most common delivery methods that are used:

  • Software firewalls: A software firewall is a type of software that runs on your computer. It is mainly used to protect your specific device.
  • Hardware firewalls: This is a device that is specifically used to implement a firewall. This can protect your entire network.
  • Cloud firewalls: These firewalls are hosted in the cloud and are also called firewall-as-a-service (FWaaS).

Boost Your Firewall Design with Perimeter 81

Understanding firewall design principles is crucial for network security. Different types of firewalls and their key components help create a strong defense against cyber threats. 

Packet filtering firewalls provide a basic yet effective approach, while stateful inspection firewalls consider the context of network traffic. Proxy firewalls bridge the gap between internal and external networks.

When implementing firewall designs, follow best practices like applying the least privilege principle and regularly updating configurations. Advanced features like intrusion prevention systems (IPS) and deep packet inspection (DPI) enhance your proactive defense mechanism. 

Incorporating these firewall design principles protects networks from unauthorized access and potential security breaches. Learn more about Perimeter 81’s Firewall as a Service.

FAQs

What are the four characteristics used by firewalls?

The four basic types of firewall rules include – allow all (permissive), block all (restrictive), specific permission-based access controls, and content filters

What are the 5 steps of firewall protection?

The five steps of firewall protection include – securing your firewall, building firewall zones & IP addresses, configuring access, configuring firewall services, testing the configuration.

What is the architecture of a firewall?

The four most commonly implemented architectures in firewall design principles include packet-filtering routers, application gateways, circuit-level gateways, and multilayer inspection firewalls. 

How do you design firewall architecture?

The principles of firewall design include clear policies, traffic control rulesets, secure network connections, and advanced features like Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI). 

How many layers do firewalls have?

It’s common to see 3-layer or 7-layer firewalls. A 3-layer firewall is used for a network while a 7-layer firewall is used for applications.

Source :
https://www.perimeter81.com/blog/network/firewall-design-principles

What is a Cloud Firewall?

27.07.2023

In the past when fires were fought, people used traditional means like fire extinguishers and water hoses.

Translating this to the virtual world of computing — a cloud firewall is akin to the digital ‘fire extinguisher’ and ‘hose.’ It is a tool designed to stopslow, or prevent unauthorized access to or from a private network.

It inspects incoming and outgoing traffic, based on predetermined security rules. They can be a standalone system or incorporated into other network components.

In technical words, it acts as a barrier between on-premises networks and external networks.

Cloud firewalls are often deployed in a ‘perimeter’ security model — where they act as the first line of defense against cyber threats. This includes protection against DDoS attacks, SQL injections, and cross-site scripting.

The Benefits of Using a Cloud Firewall

In this section, we’ll discuss the benefits of using a cloud firewall over traditional ones.

Scalability

Traditional firewalls can’t keep pace as your network grows — their hardware limitations bound them.

On the other hand, a cloud firewall can easily adapt and expand in line with your business needs. Because it’s cloud-based, scaling does not require any additional hardware investment or complex configurations.

Be it on-site installation, maintenance, or upgrading, cloud firewalls wipe out all those physical processes, saving you time and resources.

Availability

Unlike traditional firewalls that rely on singular hardware systems and can fail, cloud firewalls are designed for high availability. Their decentralization means that even if one part fails, the rest continue to operate, ensuring constant protection.

Being cloud-based, they can also balance the load during peak traffic times to prevent slowdowns or outages.

For instance — during an attack like DDoS when the traffic dramatically increases, a cloud firewall can distribute the traffic across multiple servers. This ensures that your systems remain accessible and functional.

Extensibility

Cloud-based firewalls are not just scalable and highly available — they are also highly extensible.

This means that you can easily integrate them with other security features or services — such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Secure Web Gateways (SWG) — to create a solid security system.

Release updates and patches can be applied automatically, ensuring that the security is always up-to-date.

Identity Protection

When it comes to identity protection, cloud firewalls reign supreme.

They can identify and control application access on a per-user basis. This means that if unauthorized access is attempted, it can be immediately identified and blocked, providing extra security to your sensitive information.

Along with that, they can also provide an audit trail so that attempted breaches can be traced back to their origins. This info is beneficial for investigating cyber crimes and strengthening your cybersecurity strategy in the long run.

Performance Management

Sometimes, it’s not just about blocking harmful traffic, but also about prioritizing useful traffic.

Cloud firewalls enable performance management by prioritizing network traffic and providing quality of service (QoS) capabilities.

This can be handy during peak usage times or when certain services require higher bandwidth.

For instance, a cloud firewall can prioritize the traffic for certain high-demand resources, ensuring uninterrupted access and excellent performance. As a result, end users experience less lag and appreciate better service.

Moreover, the firewall can be programmed to give a higher priority to certain types of workloads or specific applications, like Voice over Internet Protocol (VoIP) or video streaming services.

Secure Access Parity

Remote work is another area where cloud firewalls shine.

Cloud firewalls enable a consistent security policy across all locations and users, no matter where they’re accessing from. This ensures that remote workers are just as protected as on-site ones.

Also, you get comprehensive visibility and control over all network traffic, and thanks to their cloud nature — updates can be pushed globally.

Migration Security

Migration — in particular to the cloud — can be a risky process in terms of security. The necessity to move data from one place to another can expose it to potential threats. Cloud firewalls eliminate these concerns.

Due to their inherent design, they provide end-to-end security during data migration. The data is protected at the source, during transit, and at the destination. This ensures a secure and seamless cloud migration process.

It’s like having a secure convoy for your data as it travels.

Types of Cloud Firewalls

There are four major types of cloud firewalls which can be broadly categorized as — SaaS Firewalls/Firewall as a service (FWaaS), Next-generation Firewall (NGFW), Public Cloud Firewall, and Web Application Firewall (WAF).

SaaS Firewalls/Firewall as a Service (FWaaS)

SaaS Firewalls, or Firewall as a Service, operate directly in the cloud. Offering security as a service — they are a scalable, flexible, and cost-effective solution.

  • Flexibility: Being cloud-based, these firewalls can rapidly adapt to changes in network traffic and configuration.
  • Scalability: FWaaS can comfortably scale up or down based on the needs without harming performance.
  • Cost-effective: As a subscription-based service, FWaaS can be adjusted to fit any budget and eliminates the need for expensive hardware and software maintenance.
  • Integrated approach: FWaaS offers a comprehensive, integrated approach to security, so you have complete visibility and control over network traffic and user activity.
  • Ease of deployment: Require less administrative effort and minimize human error.

Next-Generation Firewall (NGFW)

Next-Generation Firewalls represent the evolution in firewall technology, designed to go beyond traditional firewall functions.

  • Deep packet inspection: NGFWs are capable of examining the payload of a packet, crucial for detecting advanced threats within seemingly legitimate traffic.
  • Application awareness: NGFWs offer application-level control, significantly enhancing the granularity of security policies.
  • Threat detection: Their advanced threat detection capabilities protect organizations from a broad range of attacks, including zero-day vulnerabilities.
  • Integrated IPS: They feature an integrated Intrusion Prevention System that can identify and block potential security breaches, adding a layer of protection.
  • User identification: Unlike traditional firewalls, NGFWs can identify users and devices, not just IP addresses. This helps in creating more targeted, effective security policies.

Public Cloud Firewall

Public cloud firewalls are built within public cloud infrastructures like AWS, Google Cloud, and Azure to provide a layer of security control.

  • Seamless integration: These firewalls integrate seamlessly with other cloud services, infrastructure, and applications.
  • Autoscaling: Being cloud-native, they can scale dynamically with the workload, managing a substantial increase in network traffic without compromising performance.
  • Cloud-specific rulesets: These firewalls enable cloud-specific packet filtering, applying rules to cloud-native as well as hybrid and multi-cloud environments.
  • Compatibility: Public Cloud Firewalls are compatible with the automatic deployment mechanisms of their respective cloud platforms. This compatibility reduces the overhead of manual configurations.
  • Resilience: With a distributed, highly available architecture, they provide resilience — ensuring that the firewall is operational even if individual components fail.

Web Application Firewall (WAF)

A Web Application Firewall specifically protects web applications by filtering, monitoring, and blocking HTTP traffic that could exploit vulnerabilities in these applications.

  • Web app protection: WAFs stop attacks targeting web applications, including SQL injection, cross-site scripting (XSS), and others.
  • Custom policies: Customizable Policies in WAFs allow for tailored protection suited to the individual needs of every web application.
  • Inspection: They offer a thorough inspection of HTTP/S traffic, ensuring no harmful requests reach the web applications.
  • Bot control: WAFs can discern harmful bots from legitimate traffic, granting access only to authorized users and services.
  • API security: Security for APIs against attacks such as DDoS, improving overall protection.

Using Cloud Firewall vs Other Network Security Approaches

How do cloud firewalls compare to other network security approaches? See how they compare to virtual firewall appliances, IP-based network security policies, and security groups.

Virtual Firewall Appliances

Despite brands like Cisco, Juniper, and Fortinet making a strong push for them, virtual firewall appliances don’t fit in a work environment that is heavily cloud-based.

  • Not scalable: Virtual appliances have limitations in scaling. When traffic increases, they struggle to keep pace, affecting performance.
  • Operational inefficiency: They require manual configurations and adjustments, which can lead to operational inefficiencies and potential mistakes.
  • Limited visibility: They usually provide limited visibility into network traffic and, in some cases, can’t even offer granular control at the application level.
  • Architectural complexity: These appliances often introduce architectural complexity, as they need to intercept and secure network traffic at different points.
  • High cost: Acquiring, maintaining, and upgrading a virtual firewall appliance can be expensive, especially when compared to subscription-based cloud firewalls.
  • Limited extensibility: Be it AWS transit gateways, Gateway Load Balancers, or VPC/VNet peering — virtual appliances usually struggle to integrate with these advanced cloud-native services.

IP-Based Network Security Policy

IP-based network security policies have traditionally been used in many organizations. However, they also have shortcomings when compared to cloud firewalls.

  • Dynamic IP difficulties: These policies are primarily based on static IP addresses, triggering issues when dealing with dynamic IPs — such as those used in today’s highly scalable, distributed infrastructures.
  • Granularity problems: IP-based policies offer less granular control over access to applications and data, compared to cloud firewalls.
  • Security loopholes: Because they rely heavily on IP addresses for identification, they can be vulnerable to IP spoofing, creating potential security loopholes.
  • Inefficient management: IP-based policies can be tedious to manage, especially when dealing with larger, more complex network infrastructures.
  • Limited scalability: Like virtual appliances, IP-based policies struggle when it comes to handling a significant increase in network traffic.
  • Dependency on IP reputation: These policies depend on the reputation of IP addresses, which can be unreliable and manipulated. Also, legitimate IP addresses can be compromised, creating a potential avenue for attacks.

Security Groups

Lastly, security groups, while being a crucial part of network security in a cloud-based environment, fall short compared to cloud firewalls on several fronts.

  • Scope limitation: Security groups usually have a limited scope — often only applicable within a single instance or VPC. This might not be adequate for enterprises with large-scale or diverse cloud deployments.
  • Manual administration: This can lead to potential errors and security risks, more so in large and complex environments.
  • Lack of visibility: Security groups don’t provide comprehensive visibility into network traffic or robust logging and audit capabilities — both of which are fundamental for troubleshooting and regulatory compliance.
  • Limited flexibility: Security groups lack the flexibility to adapt quickly to changes in network configuration or traffic patterns. This can hinder performance and affect user experience.
  • Dependencies: Security groups are dependent on the underlying cloud service. This means that they can be impacted by any disruptions or changes to that service. So, the level of independence and control tends to be on the lower end.

It’s evident, compared to the other network security approaches, cloud firewalls provide superior flexibility, scalability, visibility, and control.

How does a Cloud-Based Firewall Fit into a SASE Framework?

SASE is a concept introduced by Gartner that stands for Secure Access Service Edge. It combines network security and wide area networking (WAN) capabilities in a single cloud-based service.

Cloud-based firewalls fit wonderfully into this framework as they provide network security enforcement. Below’s how.

  • Unified security and networking: By integrating with other SASE components, cloud-based firewalls facilitate unified security and networking. They ensure that security controls and networking capabilities are not siloed but work together seamlessly.
  • Location-agnostic: Being cloud-based, these firewalls offer location-agnostic security. This is important in a SASE framework which is designed to support securely connected, geographically-dispersed endpoints.
  • Dynamic scaling: The dynamism of cloud-based firewalls aligns with the scalable nature of SASE. So, the security scales with network requirements.
  • Policy enforcement: They provide efficient enforcement of security policies across a distributed network, aiding in consistent security compliance.
  • Visibility and control: In a SASE framework, cloud-based firewalls offer enriched visibility and control over network traffic and user activity. This aids in improved threat detection and response times.
  • Data protection: They provide encryption and decryption, protecting sensitive data transmitted across the network. This capability is pivotal for data protection in a SASE architecture.
  • Fast deployment: Enjoy operational simplicity as they can be seamlessly deployed across multiple locations.
  • Easier management: Management becomes easier as there is a single point of control allowing for unified threat management.
  • Lower costs: Reduced capital expenditure as the need for on-premise hardware decreases significantly.
  • Highly available: These firewalls offer high availability and resilience, adhering to the SASE principle of continual access and service regardless of location. Thus, enhancing the overall security posture in an ever-increasing remote work landscape.

Secure your network with firewall-as-a-service today!

Organizations across the globe are transitioning to a cloud-first strategy. Perimeter 81 can assist you in this journey. Our Firewall-as-a-Service model provides security, scalability, and simplicity that is unmatched in the industry. Learn more here!

FAQs

What is the disadvantage of cloud firewall?

Reliance on the availability of the FaaS provider is a potential disadvantage of cloud firewalls.

Why do you need a cloud firewall?

Just like you need a security gate to prevent unauthorized entry into your house, a cloud firewall acts as a barrier to block malicious traffic from entering your network. It provides real-time protection and security monitoring — making it crucial in today’s world where cyber threats are rampant.

What is the main reason to operate a public cloud firewall?

Application visibility and control is the primary reason to operate a public cloud firewall. And unlike traditional firewalls, cloud firewalls allow for extensive network traffic logging and reporting, providing a thorough overview of your application’s security status.

What is cloud vs hardware firewall?

A cloud firewall, also known as a Firewall-as-a-Service (FaaS), is a firewall hosted in the cloud, providing scalability, cost efficiency, and real-time updates. Hardware firewalls, on the other hand, are physical devices installed in the infrastructure of a network. While cloud firewall is software-based, traditional ones can be both software and hardware-based.

Is a cloud-based firewall more secure?

Cloud-based firewall comes with the same level of security as a traditional or on-premises firewall but with advanced access policy, encryption, connection management, and filtering between servers.

What is the difference between a next-generation firewall and a cloud firewall?

While next-generation firewalls (NGFWs) offer advanced security capabilities such as intrusion prevention systems (IPS), deep packet inspection, and application awareness— they can be limiting when it comes to scalability and flexibility, especially in a dynamic, cloud-based environment. That’s where cloud firewalls excel.

Source :
https://www.perimeter81.com/blog/network/cloud-based-firewall

HIPAA LAW: What Does It Protect?

27.07.2023

What is HIPPA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 in the United States. HIPAA’s primary aim is to safeguard the privacy, security, and confidentiality of individuals’ protected health information (PHI) by establishing a set of standards and regulations for healthcare providers, health plans, and other entities that maintain PHI. 

HIPAA Privacy Rule, Explained

The HIPAA Privacy Rule grants patients’ rights over their PHI, including the right to access, request amendments, and control the sharing of their health information. It also imposes obligations on covered entities to implement safeguards to protect PHI, train their workforce on privacy practices, and obtain individual consent for certain uses and disclosures. 

The Privacy Rule plays a vital role in keeping the confidentiality and security of personal health information, ensuring patients have control over their own data while allowing appropriate access for healthcare purposes.

HIPAA Security Rule, Explained

The HIPAA Security Rule is an essential part of the Health Insurance Portability and Accountability Act (HIPAA). The Security Rule sets forth administrative, physical, and technical safeguards that covered entities must implement to protect the confidentiality, integrity, and availability of ePHI. 

These safeguards include measures such as risk assessments, workforce training, access controls, encryption, and contingency planning to prevent unauthorized access, use, or disclosure of ePHI. Compliance with the HIPAA Security Rule is crucial for ensuring the secure handling of electronic health information, reducing the risk of data breaches, and maintaining the trust and confidentiality of sensitive patient data.

HIPAA Covered Entities

HIPAA defines specific entities that are subject to its regulations, known as covered entities. 

Covered entities include:

Healthcare Providers

Healthcare providers, such as doctors, hospitals, clinics, psychologists, and pharmacies, are considered covered entities under HIPAA. They play a vital role in the delivery of healthcare services and are responsible for maintaining the privacy and security of patients’ protected health information (PHI).

Healthcare providers must follow HIPAA regulations when electronically transmitting and overseeing PHI, implementing safeguards to protect patient data, and ensuring appropriate access and disclosures.

Health Plans

Health plans, including health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, and government health programs, fall under the category of covered entities. These entities are responsible for managing health insurance coverage and must comply with HIPAA to protect the privacy of individuals’ health information.

Health plans have obligations to implement privacy policies, provide individuals with notice of their privacy practices, and set up safeguards to secure PHI against unauthorized access or disclosures.

Healthcare Clearinghouses 

Healthcare clearinghouses are entities that process nonstandard health information into standardized formats. They function as intermediaries between healthcare providers and health plans, facilitating the electronic exchange of health information.

Covered healthcare clearinghouses must adhere to HIPAA’s regulations, implementing security measures and safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). They play a critical role in ensuring the secure transmission and conversion of health data, contributing to the interoperability and efficiency of electronic healthcare transactions.

Business Associates

Business associates are external entities or individuals that provide services or perform functions involving PHI, such as third-party administrators, billing companies, IT providers, and certain consultants. 

Covered entities must have written agreements in place with their business associates, outlining the responsibilities and obligations regarding the protection of PHI. These agreements should address issues such as the permissible uses and disclosures of PHI, safeguards for data security, breach notification requirements, and compliance with HIPAA’s Privacy Rule.

Who is Not Required to Follow HIPAA Regulations? 

Entities not required to follow HIPAA laws include:

Life Insurers

Since life insurers primarily deal with underwriting life insurance policies, they do not manage or maintain protected health information (PHI) as defined by HIPAA.

Employers

Employers, in their role as employers, are not covered by HIPAA regulations because they manage employee health information for employment-related purposes only, rather than for healthcare operations.

Workers’ Compensation Carriers

Workers’ compensation carriers are exempt from HIPAA because the health information they handle is typically related to work-related injuries or illnesses, which falls outside the scope of HIPAA’s regulations.

Most Schools and School Districts

Schools and school districts, except for those that run healthcare facilities or have specific health programs, are generally not subject to HIPAA as they primarily handle educational records and student information.

Many State Agencies

State agencies, such as child protective service agencies, often deal with sensitive information related to child welfare or social services, which are typically regulated under state-specific privacy laws rather than HIPAA.

Most Law Enforcement Agencies

Law enforcement agencies, while involved in protecting public safety, are generally exempt from HIPAA as they primarily focus on law enforcement activities rather than the provision of healthcare services.

Many Municipal Offices

Municipal offices that do not function as healthcare providers or healthcare clearinghouses are not subject to HIPAA regulations. They primarily manage administrative and governmental functions rather than healthcare-related activities.

What Information is Protected Under HIPAA? 

HIPAA protects a broad range of health information, primarily focusing on individually identifiable health information known as Protected Health Information (PHI). 

Under HIPAA, PHI is subject to strict privacy and security safeguards, and covered entities must obtain individual consent or authorization before using or disclosing PHI, except in certain permitted circumstances. HIPAA also allows the use and disclosure of de-identified health information, which is health information that does not identify an individual and has undergone a process to remove specific identifiers.

De-identified health information is not subject to HIPAA’s privacy and security requirements because it does not contain identifiable information that could be used to link it back to an individual. However, covered entities must follow specific guidelines and methods outlined by HIPAA to ensure that information is properly de-identified and cannot be re-identified.

Overall, HIPAA provides protection and safeguards for a wide range of health information, with a specific focus on safeguarding individually identifiable health information (PHI) and allowing for the use and disclosure of de-identified health information under certain circumstances.

When Can PHI Be Disclosed? 

Under HIPAA, Protected Health Information (PHI) can be disclosed in a variety of situations, including:

General Principle for Uses and Disclosure

PHI can be disclosed for treatment, payment, and healthcare operations without explicit authorization, following the general principle that PHI should be used or disclosed based on the minimum necessary information needed to accomplish the intended purpose.

Permitted Uses and Disclosures

PHI can be shared without individual authorization for activities such as public health activities, healthcare oversight, research (with privacy safeguards), law enforcement purposes, and when required by law, including reporting certain diseases and vital events.

Authorized Uses and Disclosures

PHI can be disclosed based on the individual’s written authorization, allowing specific uses and disclosures beyond what is permitted without authorization, such as sharing PHI for marketing purposes or with third-party organizations.

PHI Uses and Disclosures Limited to the Minimum Necessary

Covered entities are required to make reasonable efforts to limit PHI uses and disclosures to the minimum necessary to accomplish the intended purpose. This means sharing only the information necessary for the specific situation, whether it is for treatment, payment, healthcare operations, or other permitted purposes.

Notice and Individual Rights

Covered entities must provide individuals with a Notice of Privacy Practices, explaining how their PHI may be used and disclosing their rights regarding their health information. Individuals have rights such as accessing their PHI, requesting amendments, and requesting restrictions on certain uses or disclosures. 

Privacy Practices Notice

Covered entities must respect these rights and enable individuals to exercise them. 

Notice distribution

Covered entities must make efforts to distribute the Notice of Privacy Practices to individuals, including posting it prominently in their facilities and providing a copy to individuals upon request. They should also make reasonable attempts to obtain written acknowledgment of receipt.

Acknowledgment of Notice Receipt

Covered entities should document individuals’ acknowledgment of receiving the Notice of Privacy Practices. This acknowledgment can be obtained through various means, such as a signed form or electronic confirmation, ensuring that individuals have been made aware of their rights and the entity’s privacy practices.

Access

Individuals have the right to access their PHI and obtain copies of their health records upon request, with certain exceptions and reasonable fees.

Amendment

Individuals can request amendments or corrections to their PHI if they believe it is incomplete, inaccurate, or requires updating.

Disclosure Accounting

Covered entities must provide individuals with an accounting of certain disclosures of their PHI, upon request, excluding disclosures for treatment, payment, healthcare operations, and other exceptions.

Restriction Request

Individuals have the right to request restrictions on the use or disclosure of their PHI, although covered entities are not required to agree to all requested restrictions.

Confidential Communications Requirement

Covered entities must accommodate reasonable requests from individuals to receive communications of their PHI through alternative means or at alternative locations to protect privacy.

Administrative Requirements

Covered entities must establish and implement privacy policies and procedures to ensure compliance with HIPAA’s Privacy Rule, including designating a Privacy Officer responsible for overseeing privacy practices.

Privacy Personnel

Covered entities should have designated privacy personnel responsible for developing and implementing privacy policies, handling privacy inquiries, and ensuring compliance.

Workforce Training and Management

Covered entities must provide training to their workforce members regarding privacy policies, procedures, and the protection of PHI. They should also have mechanisms in place to manage workforce members’ compliance with privacy practices.

Mitigation

Covered entities must take reasonable steps to mitigate any harmful effects resulting from the use or disclosure of PHI in violation of the Privacy Rule.

Data Safeguards

Covered entities are required to implement reasonable safeguards to protect PHI from unauthorized access, disclosure, or use.

Complaints

Covered entities must have a process in place for individuals to file complaints regarding privacy practices, and they must not retaliate against individuals who exercise their privacy rights.

Retaliation and Waiver

Covered entities cannot retaliate against individuals for exercising their privacy rights, and individuals cannot be required to waive their rights as a condition for receiving treatment or benefits.

Documentation and Record Retention

Covered entities must retain documentation related to their privacy practices and policies for at least six years.

Fully Insured Group Health Plan Exception

The Privacy Rule does not apply directly to fully insured group health plans, although the plans must follow other federal and state laws governing the privacy of health information.

These various requirements and provisions ensure that covered entities adhere to privacy practices, protect individuals’ rights, and keep the security and confidentiality of PHI.

How is PHI Protected?

PHI is protected through various measures to safeguard its confidentiality, integrity, and security:

  1. Safeguards – Safeguards can include physical, technical, and administrative measures such as secure storage, encryption, access controls, and firewalls.
  2. Minimum Necessary – This means that only the information needed for a particular task or situation should be accessed or shared.
  3. Access and Authorization Controls – Covered entities must have procedures in place to control and limit who can view and access PHI. This includes implementing access controls, user authentication, and authorization processes to ensure that only authorized individuals can access and handle PHI.
  4. Employee Training – Training ensures that employees understand their responsibilities, know how to handle PHI securely, and are aware of potential risks and safeguards.
  5. Business Associates – Business associates, who handle PHI on behalf of covered entities, are also obligated to implement safeguards to protect PHI and comply with HIPAA regulations. This ensures that third-party entities involved in healthcare operations support the same level of privacy and security standards when handling PHI.

Get HIPAA Compliant With Our Checklist

By implementing the above-mentioned HIPAA safeguards, limiting the use and disclosure of PHI, and supplying employee training, covered entities and their business associates can work together to protect the privacy and security of individuals’ health information, and prevent improper use or disclosure. Want more tips to stay compliant? Check out our HIPAA Compliance Checklist.

Source :
https://www.perimeter81.com/blog/compliance/hipaa-law

What network ports are used by Synology DSM services?

Last updated: Aug 10, 2023

Details

The operations of DSM services require specific ports to be opened to ensure normal functionality. In this article, you can find the network ports and protocols required by DSM services for operations.

Contents

Resolution

Setup Utilities

TypePort NumberProtocol
Synology Assistant9999, 9998, 9997UDP

Backup

TypePort NumberProtocol
Active Backup for Business5510 (Synology NAS)1TCP
443 (vCenter Server and ESXi host), 902 (ESXi host),
445 (SMB for Hyper-V host), 5985 (HTTP for Hyper-V host), 5986 (HTTPS for Hyper-V host)		TCP
Data Replicator, Data Replicator II, Data Replicator III9999, 9998, 9997, 137, 138, 139, 445TCP
DSM 5.2 Data Backup, rsync, Shared Folder Sync, Remote Time Backup873, 22 (if encrypted over SSH)TCP
Hyper Backup (destination)6281 (remote Synology NAS), 22 (rsync with transfer encryption enabled), 873 (rsync without transfer encryption)TCP
Hyper Backup Vault6281,
For DSM 7.0 or above: 5000 (HTTP), 5001 (HTTPS)		TCP
DSM 5.2 Archiving Backup6281TCP
LUN Backup3260 (iSCSI), 873, 22 (if encrypted over SSH)TCP
Snapshot Replication5566 (Advanced LUNs and shared folders)TCP
3261 (Legacy Advanced LUNs)TCP

Download

TypePort NumberProtocol
BTFor DSM 2.0.1 or above: 16881,
For DSM 2.0.1-3.0401 or below: 6890-6999		TCP/UDP
eMule4662TCP
4672UDP

Web Applications

TypePort NumberProtocol
DSM5000 (HTTP), 5001 (HTTPS)TCP

Mail Service

TypePort NumberProtocol
IMAP143TCP
IMAP over SSL/TLS993TCP
POP3110TCP
POP3 over SSL/TLS995TCP
SMTP25TCP
SMTP-SSL465TCP
SMTP-TLS587TCP

File Transferring

TypePort NumberProtocol
AFP548TCP
CIFS/SMBsmbd: 139 (netbios-ssn), 445 (microsoft-ds)TCP/UDP
Nmbd: 137, 138UDP
FTP, FTP over SSL, FTP over TLS21 (command),
20 (data connection in Active Mode), 1025-65535 (data connection in Passive Mode)2		TCP
iSCSI3260, 3263, 3265TCP
NFS111, 892, 2049TCP/UDP
TFTP69UDP
WebDAV5005, 5006 (HTTPS)TCP

Packages

TypePort NumberProtocol
Audio Station1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 5353 (Bonjour service), 6001-6010 (AirPlay control/timing)TCP/UDP
C2 Identity Edge Server389 (LDAP), 7712 (HTTP), 8864TCP
53UDP
Central Management System5000 (HTTP), 5001 (HTTPS)TCP
CIFS Scale-out Cluster49152-49252TCP/UDP
17909, 17913, 19998, 24007, 24008, 24009-24045, 38465-38501, 4379TCP
Cloud Station6690TCP
DHCP Server53, 67, 68TCP/UDP
DNS Server53 (named)TCP/UDP
LDAP Server (formerly Directory Server)389 (LDAP), 636 (LDAP with SSL)TCP
Download Station5000 (HTTP), 5001 (HTTPS)TCP
File Station5000 (HTTP), 5001 (HTTPS)TCP
Hybrid Share50051 (catalog), 443 (API), 4222 (NATS)TCP
iTunes Server3689TCP
Log Center (syslog server)514 (additional port can be added)TCP/UDP
Logitech® Media Server3483, 9002TCP
MailPlus Server1344, 4190, 5000 (HTTP), 5001 (HTTPS), 5252, 8500 – 8520, 8893, 9526 – 9529, 10025, 10465, 10587, 11211, 11332 – 11334, 12340, 24245, 24246TCP
MailPlus web client5000 (HTTP), 5001 (HTTPS)TCP
Mail Station80 (HTTP), 443 (HTTPS)TCP
Media Server1900 (UPnP), 50001 (content browsing), 50002 (content streaming)TCP/UDP
Migration Assistant7400-7499 (DRBD), 22 (SSH)3DRBD
Note Station5000 (HTTP), 5001 (HTTPS)TCP
Photo Station, Web Station80 (HTTP), 443 (HTTPS)TCP
Presto File Server3360, 3361TCP/UDP
Proxy Server3128TCP
RADIUS Server1812, 18120UDP
SMI-S Provider5988 (HTTP), 5989 (HTTPS)TCP
Surveillance Station5000 (HTTP), 5001 (HTTPS)TCP
Synology Calendar5000 (HTTP), 5001 (HTTPS)TCP
Synology CardDAV Server8008 (HTTP), 8443 (HTTPS)TCP
Synology Chat5000 (HTTP), 5001 (HTTPS)TCP
Synology Contacts5000 (HTTP), 5001 (HTTPS)TCP
Synology Directory Server88 (Kerberos), 389 (LDAP), 464 (Kerberos password change)TCP/UDP
135 (RPC Endpoint Mapper), 636 (LDAP SSL), 1024 (RPC), 3268 (LDAP GC), 3269 (LDAP GC SSL), 49152 (RPC)4, 49300-49320 (RPC)TCP
Synology Drive Server80 (link sharing), 443 (link sharing), 5000 (HTTP), 5001 (HTTPS), 6690 (file syncing/backup)TCP
Synology High Availability (HA)123 (NTP), ICMP, 5000 (HTTP), 5001 (HTTPS),
1234, 9997, 9998, 9999 (Synology Assistant), 874, 5405, 5406, 7400-7999 (HA)		TCP/UDP
Synology Moments5000 (HTTP), 5001 (HTTPS)TCP
Synology Photos5000 (HTTP), 5001 (HTTPS)TCP
Video Station1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 9025-9040, 5002, 5004, 65001 (for using the HDHomeRun network tuner)TCP/UDP
Virtual Machine Manager2379-2382 (cluster network), ICMP, 3260-3265 (iSCSI), 5000 (HTTP), 5001 (HTTPS), 5566 (replication), 16509, 16514, 30200-30300, 5900-5999 (QEMU), 2385 (Redis Server)TCP
VPN Server (OpenVPN)1194UDP
VPN Server (PPTP)1723TCP
VPN Server (L2TP/IPSec)500, 1701, 4500UDP

Mobile Applications

TypePort NumberProtocol
DS audio5000 (HTTP), 5001 (HTTPS)TCP
DS cam5000 (HTTP), 5001 (HTTPS)TCP
DS cloud6690TCP
DS file5000 (HTTP), 5001 (HTTPS)TCP
DS finder5000 (HTTP), 5001 (HTTPS)TCP
DS get5000 (HTTP), 5001 (HTTPS)TCP
DS note5000 (HTTP), 5001 (HTTPS)TCP
DS photo80(HTTP), 443 (HTTPS)TCP
DS video5000 (HTTP), 5001 (HTTPS)TCP
MailPlus5000 (HTTP), 5001 (HTTPS)TCP
Synology Drive5000 (HTTP), 5001 (HTTPS)TCP
Synology Moments5000 (HTTP), 5001 (HTTPS)TCP
Synology Photos5000 (HTTP), 5001 (HTTPS)TCP

Peripheral Equipment

TypePort NumberProtocol
Bonjour5353UDP
LPR515UDP
Network Printer (IPP)/CUPS631TCP
Network MFP3240-3259TCP
UPS3493TCP

System

TypePort NumberProtocol
LDAP389, 636 (SLAPD)TCP
MySQL3306TCP
NTP123UDP
Resource Monitor/SNMP161TCP/UDP
SSH/SFTP22TCP
Telnet23TCP
WS-Discovery3702UDP
WS-Discovery5357 (Nginx)TCP

Notes:

  1. For the backup destination of Synology NAS, Hyper-V, or physical Windows/Linux/macOS devices.
  2. The default range varies according to your Synology product models.
  3. For the SSH service that runs on a customized port, make sure the port is accessible.
  4. Only Synology Directory Server version 4.10.18-0300 requires port 49152.

Further reading

Source :
https://kb.synology.com/en-global/DSM/tutorial/What_network_ports_are_used_by_Synology_services

Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator

By: Lucas Silva, RonJay Caragay, Arianne Dela Cruz, Gabriel Cardoso
June 30, 2023
Read time: 7 min (1889 words)

Recently, the Trend Micro incident response team engaged with a targeted organization after having identified highly suspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.

Advertising platforms like Google Ads enable businesses to display advertisements to target audiences to boost traffic and increase sales. Malware distributors abuse the same functionality in a technique known as malvertising, where chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading certain types of malware.

The targeted organization conducted a joint investigation with the Trend team and discovered that cybercriminals performed the following unauthorized and malicious activities within the company’s network:

  • Stole top-level administrator privileges and used these privileges to conduct unauthorized activities
  • Attempted to establish persistence and backdoor access to the customer environment using remote management tools like AnyDesk
  • Attempted to steal passwords and tried to access backup servers

It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence.

The following chart represents how the infection starts.

Infection chain of the observed attack
Figure 1. Infection chain of the observed attack

In the following sections, we discuss the details of this case: how threat actors made the initial access, what kind of attacks they carried out, and the lessons that can be drawn from this event.

Deep dive into the infection chain

The infection starts once the user searches for “WinSCP Download” on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer.

A suspicious site from a malvertisement
Figure 2. A suspicious site from a malvertisement

From this first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). Once the user selects the “Download” button, an ISO file is downloaded from an infected WordPress webpage (hxxps://events.drdivyaclinic[.]com). Recently, the malicious actor changed their final stage payload URL to the file-sharing service 4shared.

Malicious download site
Figure 3. Malicious download site

The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload, typically a backdoor.

In summary, the malicious actor uses the following malvertising infection chain:

  1. A user searches for an application by entering a search term in a search bar (such as Google or Bing). In this example, the user wants to download the WinSCP application and enters the search term “WinSCP Download” on the Bing search bar.
  2.  Above the organic search results, the user finds a malvertisement for the WinSCP application that leads to a malicious website.
  3. Once the user selects the “Download” button, this begins the download of an ISO file to their system.

On Twitter, user @rerednawyerg first spotted the same infection chain mimicking the AnyDesk application. Once the user mounts the ISO, it contains two files, setup.exe and msi.dll. We list the details of these two files here:

  • Setup.exe: A renamed msiexec.exe executable
  • Msi.dll: delayed-loaded DLL (not loaded until a user’s code attempts to reference a symbol contained within the DLL) that will act as a dropper for a real WinSCP installer and a malicious Python execution environment responsible for downloading Cobalt Strike beacons.
The files downloaded once a user mounts the ISO
Figure 4. The files downloaded once a user mounts the ISO

Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine. Two installations of Python3.10 will be created — a legitimate python installation in %AppDataLocal%\Python-3.10.10 and another installation in %Public%\Music\python containing a trojanized python310.dll. Finally, the DLL will create a persistence mechanism to make a run key named “Python” and the value C:\Users\Public\Music\python\pythonw.exe.

The run key named “Python”
Figure 5. The run key named “Python”

When the executable pythonw.exe starts, it loads a modified/trojanized obfuscated python310.dll that contains a Cobalt Strike beacon that connects to 167[.]88[.]164[.]141.

The following command-and-control (C&C) servers are used to obtain the main beacon module:

File nameC&C
pp.pyhxxps://167.88.164.40/python/pp2
work2.pyhxxps://172.86.123.127:8443/work2z
work2-2.pyhxxps://193.42.32.58:8443/work2z
work3.pyhxxps://172.86.123.226:8443/work3z

Multiple scheduled tasks executing batch files for persistence were also created in the machine. These batch files execute Python scripts leading to in-memory execution of Cobalt Strike beacons. Interestingly, the Python scripts use the marshal module to execute a pseudo-compiled (.pyc) code that is leveraged to download and execute the malicious beacon module in memory.

The Trend Vision One™ platform was able to generate the following Workbench for the previously mentioned kill chain.

Kill chain for the executed malware
Figure 6. Kill chain for the executed malware

The threat actor used a few other tools for discovery in the customer’s environment. First, they used AdFind, a tool designed to retrieve and display information from Active Directory (AD) environments. In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation, and even password hash extraction.

In this case, the threat actor used it to fetch information on the operating system using the command adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName. The command specifies that it wants to retrieve the values of the name, common name (CN), operating system, and dNSHostName attributes for each computer object and output its result in a CSV format.

The threat actor used the following PowerShell command to gather user information and to save it into a CSV file:

Get-ADUser -Filter * -Properties * | Select -Property EmailAddress,GivenName,Surname,DisplayName,sAMAccountName,Title,Department,OfficePhone,MobilePhone,Fax,Enabled,LastLogonDate | Export-CSV “C:\users\public\music\ADusers.csv” -NoTypeInformation -Encoding UTF8

We also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily used for checking the security permissions and access rights of objects in Windows. Although the threat actor’s purpose for using the tool in this instance is not clear, it should be noted that the tool can be used for gaining insights on what permissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or services with weak access control settings. 

The threat actor then used findstr, a command-line tool in Windows used for searching strings or regular expressions within files by using the command findstr /S /I cpassword \\<REDACTED>\sysvol\<REDACTED>\policies\*.xml.

It is possible that the purpose of this command is to identify any XML files that contain the string cpassword. This is interesting from a security context since cpassword is associated with a deprecated method of storing passwords in Group Policy Preferences within AD.

How finsdtr is used in the attack
Figure 7. How finsdtr is used in the attack

We also observed the execution of scripts with PowerShell. For instance, the command IEX (New-Object Net.Webclient).DownloadString(‘hxxp://127[.]0[.]0[.]1:40347/’); Invoke-FindLocalAdminAccess -Thread 50” it invokes a PowerShell function called Invoke-FindLocalAdminAccess and passes the parameter -Thread with a value of 50. This function is likely part of a script that performs actions related to finding local administrator access on a system.

Another PowerShell script used by the threat actor was PowerViewPowerView, which belongs to the PowerSploit collection of scripts used to assist in penetration testing and security operations, focuses on AD reconnaissance and enumeration and is commonly used by threat actors to gather information about the AD environment.

PowerShell Expand-Archive command was used to extract the ZIP files.  

powershell -w hidden -command Expand-Archive C:\users\public\videos\python.zip -DestinationPath C:\users\public\videos\python

WMI was used to launch CoBeacon remotely across the environment. 

C:\WINDOWS\system32\cmd.exe /C wmic /NODE:”<REDACTED>” process call create C:\users\public\videos\python\pythonw.exe C:\users\public\videos\python\work2-2.py

To obtain high-privileged credentials and escalate privileges, the threat actor used a Python script also containing the marshal module to execute a pseudo-compiled code for LaZagne. Another script to obtain Veeam credentials following the same structure was also identified in the environment.

PsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment.

The threat actor dropped a detailed KillAV BAT script (KillAV is a type of malicious software specifically designed to disable or bypass antivirus or antimalware programs installed on a target system) to tamper with Trend protections. However, due to the agent’s Self-Protection features and VSAPI detections, the attempt failed. The threat actors also made attempts to stop Windows Defender through a different KillAV BAT script.

Finally, the threat actor installed the AnyDesk remote management tool (renamed install.exe) in the environment to maintain persistence.

Remote management tool installed for persistence
Figure 8. Remote management tool installed for persistence

After a diligent and proactive response, the attacker was successfully evicted from the network before they could reach their goal or execute their final payload. The incident response team also presented immediate countermeasures as well as medium- and long-term security procedures for implementation.

BlackCat uses the same tools, techniques, and procedures (TTPs)

In another investigation, following the same TTPs described previously described, we were able to identify that this activity led to a BlackCat (aka ALPHV) infection. Along with other types of malware and tools already mentioned, we were able to identify the use of the anti-antivirus or anti-endpoint detection and response (EDR) SpyBoy terminator in an attempt to tamper with protection provided by agents.

In order to exfiltrate the customer data, the threat actor used PuTTY Secure Copy client (PSCP) to transfer the gathered information. Investigating one of the C&C domains used by the threat actor behind this infection also led to the discovery of a possible related Cl0p ransomware file.

Files indicating possible Cl0p ransomware file
Figure 9. Files indicating possible Cl0p ransomware file

Conclusion and recommendations

In recent years, attackers have become increasingly adept at exploiting vulnerabilities that victims themselves are unaware of and have started employing behaviors that organizations do not anticipate. In addition to a continuous effort to prevent any unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation is also essential, as delays in reaction time could lead to serious damage.

By understanding attack scenarios in detail, organizations can not only identify vulnerabilities that could lead to compromise and critical damage but also take necessary measures to prevent them.

Organizations can protect themselves by taking the following security measures:

  • Educate employees about phishing. Conduct training sessions to educate employees about phishing attacks and how to identify and avoid them. Emphasize the importance of not selecting suspicious links and not downloading files from unknown sources.
  • Monitor and log activities. Implement a centralized logging system to collect and analyze logs from various network devices and systems. Monitor network traffic, user activities, and system logs to detect any unusual or suspicious behavior.
  • Define normal network traffic for normal operations. Defining normal network traffic will help identify abnormal network traffic, such as unauthorized access.
  • Improve incident response and communication. Develop an incident response plan to guide your organization’s response in case of future breaches. Establish clear communication channels to inform relevant stakeholders, including employees, customers, and regulatory bodies, about a breach and the steps being taken to address it.
  • Engage with a cybersecurity professional. If your organization lacks the expertise or resources to handle the aftermath of a breach effectively, consider engaging with a reputable cybersecurity firm to assist with incident response, forensic analysis, and security improvements.

Indicators of Compromise (IOCs)

The full list of IOCs can be found here and below :

Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator

[+] File IOCs
SHA-256									Detection name
25467df66778077cc387f4004f25aa20b1f9caec2e73b9928ec4fe57b6a2f63c 	Trojan.Win64.COBEACON.SWG
4a4d20d107ee8e23ce1ebe387854a4bfe766fc99f359ed18b71d3e01cb158f4a 	Trojan.Win64.COBEACON.SWG
13090722ba985bafcccfb83795ee19fd4ab9490af1368f0e7ea5565315c067fe 	Trojan.Win64.COBEACON.SWG
									Troj.Win32.TRX.XXPE50FFF069
8859a09fdc94d7048289d2481ede4c98dc342c0a0629cbcef2b91af32d52acb5  	Trojan.Win64.COBEACON.SWG
bacbe893b668a63490d2ad045a69b66c96dcacb500803c68a9de6cca944affef  	Trojan.Win64.COBEACON.SWG
c7a5a4fb4f680974f3334f14e0349522502b9d5018ec9be42beec5fa8c1597fe  	Trojan.Win64.COBEACON.SWG
3ce4ed3c7bd97b84045bdcfc84d3772b4c3a29392a9a2eee9cc17d8a5e5403ce  	Trojan.Win64.COBEACON.SWG
21e7bcc03c607e69740a99d0e9ae8223486c73af50f4c399c8d30cce4d41e839  	Trojan.Win64.COBEACON.SWG
e5db80c01562808ef2ec1c4b8f3f033ac0ed758d 				Backdoor.Python.COBEACON.C
cfbde85bdb62054b5b9eb4438c3837b9f1a69f61 				Backdoor.Python.COBEACON.C
3b14559a6e33fce120a905fde57ba6ed268a51f1  				Backdoor.Python.COBEACON.C
aae1b17891ec215a0e238f881be862b4f598e46c  				Backdoor.Python.COBEACON.C
c82b28daeb33d94ae3cafbc52dbb801c4a5b8cfa  				Backdoor.Python.COBEACON.C
d2663fc6966c197073c7315264602b4c6ba9c192  				Trojan.BAT.COBEACON.AO
c7568d00ae38b3a4691a413ed439a0e3fb5664b1  				Trojan.BAT.COBEACON.AO
61e41be7a9889472f648a5a3d0b0ab69e2e056c5  				Trojan.BAT.COBEACON.AO
69ffad6be67724b1c7e8f65e8816533a96667a36  				Trojan.XML.COBEACON.F
c1516915431cb55703b5a88d94ef6de0ac67190a  				Trojan.XML.COBEACON.F
a7b1853348346d5d56f4c33f313693a18b6af457  				Trojan.XML.COBEACON.F
ac8e3146f41845a56584ce5e8e172a56d59aa804  				Trojan.XML.COBEACON.F
e5d434dfa2634041cdbdac1dec58fcd49d629513  				Trojan.BAT.KILLAV.WLEBG
42da9e9e3152c1d995d8132674368da4be78bf6a  				Trojan.BAT.COBEACON.AO.dldr
5cbb6978c9d01c8a6ea65caccb451bf052ed2acd  				HackTool.Win32.Adfind.VSNW1FE23
a9310c3f039c4e2184848f0eb8e65672f9f11240  				TrojanSpy.Python.CREAL.A
5e36a649c82fa41a600d51fe99f4aa8911b87828  				HackTool.Python.LaZagne.AD
5263a135f09185aa44f6b73d2f8160f56779706d  				HackTool.PS1.VeeamCreds.A
75d02e81cc326e6a0773bc11ffa6fa2f6fa5343e  				TROJ.Win32.TRX.XXPE50FFF069
9d85cb2c6f1fccc83217837a63600b673da1991a  				TROJ.Win32.TRX.XXPE50FFF069
2f2eb89d3e6726c6c62d6153e2db1390b7ae7d01  				TROJ.Win32.TRX.XXPE50FFF069
7d500a2cd8ea7e455ae1799cb4142bb2abac3ae1  				TROJ.Win32.TRX.XXPE50FFF069
0362c710e4813020147f5520a780a15ef276e229  				Troj.Win32.TRX.XXPE50FFF069
									Troj.Win32.TRX.XXPE50FFF069R450C 
									TROJ.Win32.TRX.XXPE50FLM011
fb2ef2305511035e1742f689fce928c424aa8b7d  				Troj.Win32.TRX.XXPE50FFF069 
									Troj.Win32.TRX.XXPE50FFF069R450C 
									TROJ.Win32.TRX.XXPE50FLM011
7874d722a6dbaef9e5f9622d495f74957da358da  				Troj.Win32.TRX.XXPE50FFF069 
									Troj.Win32.TRX.XXPE50FFF069R450C 
									TROJ.Win32.TRX.XXPE50FLM011
06e3f86369046856b56d47f45ea2f7cf8e240ac5  				Troj.Win32.TRX.XXPE50FFF069 
									Troj.Win32.TRX.XXPE50FFF069R450C 
									TROJ.Win32.TRX.XXPE50FLM011
36b454592fc2b8556c2cb983c41af4d2d8398ea2  				Troj.Win32.TRX.XXPE50FFF068
337ca5eefe18025c6028d617ee76263279650484  				TROJ_GEN.R002C0DCS23
e862f106ed8e737549ed2daa95e5b8d53ed50f87  				TROJ_GEN.R002C0PFK23
2a85cdfb1c3434d73ece7fe60d6d2d5c9b7667dd  				Troj.Win32.TRX.XXPE50FFF068
d883be0ee79dec26ef8c04e0e2857a516cff050c  				TROJ.Win32.TRX.XXPE50FLM011
a0f1a8462cb9105660af2d4240e37a27b5a9afad  				Ransom.Win32.BLACKCAT.SMYPCC5
ab0eade9b8d24b09e32aa85f78a51b777861debc  				Ransom.Win32.BLACKCAT.SMYPCC5
0cc0e1cbf4923d2ce7179064c244fe138dcb3ce8  				Ransom.Win32.BLACKCAT.SMYPCC5
3789a218c966f175067242975e1cb44abdef81ec  				Ransom.Win32.BLACKCAT.SMYPCC5
83c5f8821f9a07e0318beaa4bcf0b7ef21127aa8  				Ransom.Win32.BLACKCAT.SMYPCC5
08f63693bb40504b71fe3e4e4d9e7142c011aeb1  				Ransom.Win32.BLACKCAT.SMYPCC5
b34bb1395199c7b168d9204833fdfd13d542706d  				Ransom.Win32.BLACKCAT.SMYPCC5
5c6aa1a5bd7572ac8e91eaa5c9d6096f302f775b  				Ransom.Win32.BLACKCAT.SMYPCC5
9480a79b0b6f164b1148c56f43f3d505ee0b7ef3  				Ransom.Win32.BLACKCAT.SMYPCC5
7874d722a6dbaef9e5f9622d495f74957da358da  				Ransom.Win32.BLACKCAT.SMYPCC5
9b1ebbe03949e0c16338595b1772befe276cd10d  				Ransom.Win32.BLACKCAT.SMYPCC5
801950ed376642e537466795f92b04e13a4fcc2a  				Ransom.Win32.BLACKCAT.SMYPCC5
1ca4e3fdcdf8a9ab095cfa0629750868eb955eb7  				Ransom.Win32.BLACKCAT.SMYPCC5
42920e4d15428d4e7a8f52ae703231bdf0aec241  				Ransom.Win32.BLACKCAT.SMYPCC5
06e3f86369046856b56d47f45ea2f7cf8e240ac5  				Ransom.Win32.BLACKCAT.SMYPCC5
f42e97901a1a3b87b4f326cb9e6cbdb98652d900  				Ransom.Win32.BLACKCAT.SMYPCC5
d125c4f82e0bbf369caf1be524250674a603435c  				Ransom.Win32.BLACKCAT.SMYPCC5
03d7bc24d828abaf1a237b3f418517fada8ae64f  				Ransom.Win32.BLACKCAT.SMYPCC5
c133992ea87f83366e4af5401a341365190df4e7  				Ransom.Win32.BLACKCAT.SMYXCCN.note
b35be51d727d8b6f8132850f0d044b838fec001d  				Ransom.Win32.BLACKCAT.SMYXCCN.note
fd84cf245f7a60c38ac7c92e36458c5ea4680809  				Ransom.Win32.BLACKCAT.SMYXCCN.note
946c0a0c613c8ac959d94bb2fd152c138fc752da  				Ransom.Win32.BLACKCAT.SMYXCCN.note
7b3051f8d09d53e7c5bc901262f5822f1999caae  				Ransom.Win32.BLACKCAT.SMYXCCN.note
eeff22b4a442293bf0f5ef05154e8d4c7a603005  				Ransom.Win32.BLACKCAT.SMYXCCN.note
2547d2deedc385f7557d5301c19413e1cbf58cf8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
0437f84967de62d8959b89d28a56e40247b595d8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
105d33c00847ccd0fb230f4a7457e8ab6fb035fc  				Ransom.Win32.BLACKCAT.SMYXCCN.note
5831b3a830690c603fd093329dce93b9a7e83ad3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
a5c164b734a8b61d8af70257e23d16843a4c72e3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
1aff9fd8fdc0eae3c09a3ee6b4df2cdb24306498  				Ransom.Win32.BLACKCAT.SMYXCCN.note
3d4051c65d1b5614af737cb72290ec15b71b75bd  				Ransom.Win32.BLACKCAT.SMYXCCN.note
a116ef48119c542a2d864f41dbbb66e18d5cd4e6  				Ransom.Win32.BLACKCAT.SMYXCCN.note
508e7522db24cca4913aeed8218975c539d3b0a4  				Ransom.Win32.BLACKCAT.SMYXCCN.note
72603dadebc12de4daf2e12d28059c4a3dcf60d0  				Ransom.Win32.BLACKCAT.SMYXCCN.note
930bd974a2d01393636fdb91ca9ac53256ff6690  				Ransom.Win32.BLACKCAT.SMYXCCN.note
a9a03d39705bd1d31563d7a513a170c99f724923  				Ransom.Win32.BLACKCAT.SMYXCCN.note
c14bd9ad77d8beca07fb17dc34f8a5f636e621b5  				Ransom.Win32.BLACKCAT.SMYXCCN.note
01b122eb0edb6274b3743458e375e34126fd2f9a  				Ransom.Win32.BLACKCAT.SMYXCCN.note
b98bb7b4c3b823527790cb62e26d14d34d3e499b  				Ransom.Win32.BLACKCAT.SMYXCCN.note
381058a5075ce06605350172e72c362786e8c5e3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
75e9d507b1a1606a3647fe182c4ed3a153cecc2c  				Ransom.Win32.BLACKCAT.SMYXCCN.note
cd485054625ea8ec5cf1fe0e1f11ede2e23dde00  				Ransom.Win32.BLACKCAT.SMYXCCN.note
c9cdfdc45b04cca45b64fedca7c372f73b42cab2  				Ransom.Win32.BLACKCAT.SMYXCCN.note
31d4dadd11fe52024b1787a20b56700e7fd257f8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
0fe306dc12ba6441ba2a5cab1b9d26638c292f9c  				Ransom.Win32.BLACKCAT.SMYXCCN.note
bc0fb6b220045f54d34331345d1302f9a00b3580  				Ransom.Win32.BLACKCAT.SMYXCCN.note
b4f59fe2ee3435b9292954d1c3ef7e74c233abea  				Ransom.Win32.BLACKCAT.SMYXCCN.note
aee0b252334b47a6e382ce2e01de9191de2e6a7a  				Ransom.Win32.BLACKCAT.SMYXCCN.note
92673b91d2c86309f321ade6a86f0c9e632346d8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
de7fb8efa05ddf5f21a65e940717626b1c3d6cb4  				Ransom.Win32.BLACKCAT.SMYXCCN.note
5f455dcdca66df9041899708289950519971bb76  				Ransom.Win32.BLACKCAT.SMYXCCN.note
5ed1b9810ee12d2b9b358dd09c6822588bbb4a83  				Ransom.Win32.BLACKCAT.SMYXCCN.note
c779a4a98925bc2f7feac91c1867a3f955462fc2  				Ransom.Win32.BLACKCAT.SMYXCCN.note
cb358aa4ed50db8270f3ee7ea5848b8c16fa21fe  				Ransom.Win32.BLACKCAT.SMYXCCN.note
5ec6b30dacfced696c0145a373404e63763c2fa8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
f2f5137c28416f76f9f4b131f85252f8273baee8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
12534212c7d4b3e4262edc9dc2a82c98c2121d04  				Ransom.Win32.BLACKCAT.SMYXCCN.note
bc09ee8b42ac3f6107ab5b51a2581a9161e53925  				Ransom.Win32.BLACKCAT.SMYXCCN.note
152400be759355ec8dd622ec182c29ce316eabb1  				Ransom.Win32.BLACKCAT.SMYXCCN.note
379e497d0574fd4e612339440b603f380093655c  				Ransom.Win32.BLACKCAT.SMYXCCN.note
141c7b9be4445c1aad70ec35ae3fe02f5f8d37ac  				Ransom.Win32.BLACKCAT.SMYXCCN.note
27e9e6a54d73dcb28b5c7dfb4e2e05aaba913995  				Ransom.Win32.BLACKCAT.SMYXCCN.note
ad981cd18f58e12db7c9da661181f6eb9a1754f3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
4829eaa38bd061773ceefe175938a2c0d75a75f3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
b0d61d1eba9ebf6b7eabcd62b70936d1a343178e  				Ransom.Win32.BLACKCAT.SMYXCCN.note
014c277113c4b8c4605cb91b29302cdedbc2044e  				Ransom.Win32.BLACKCAT.SMYXCCN.note
974c1684cf0f3a46af12ba61836e4c161fd48cb5  				Ransom.Win32.BLACKCAT.SMYXCCN.note
913414069259e760e201d0520ce35fe22cf3c285  				Ransom.Win32.BLACKCAT.SMYXCCN.note

[+] Network IOCs
Distribution URLs
https://cuororeresteadntno.com/how-to-work-with-ftp-ftps-connection-through-winscp/ = 78. Malware Accomplice
https://airplexacrepair.com/the-key-to-secure-remote-desktop-connections-a-comprehensive-guide/ = 78. Malware Accomplice
https://maker-events.com/automating-file-transfers-with-winscp/ = 78. Malware Accomplice

Redirects Domains:
https://winsccp.com/WLPuVHrN = 79. Disease Vector
https://anydeesk.net = 79. Disease Vector

Payload Download
https://events.drdivyaclinic.com/wp-content/task/update/WinSCP-5.21.8-Setup.iso = 79. Disease Vector
https://www.4shared.com/web/directDownload/wd0Bbaw6jq/gx1qdBDA.ab8ba6f7d1af2d0a5d81cf42aefe8e51 = 79. Disease Vector
https://www.yb-lawyers.com/wp-content/ter/anyconnect/AnyDesk.iso = 79. Disease Vector
https://mm.onemakan.ml//wp/wp-content/winscp/smart/WinSCP-5.21.8-Setup.iso = 79. Disease Vector

IPs AnyDesk.iso:
104.234.11.236 = 78. Malware Accomplice
157.254.195.108 = 78. Malware Accomplice

IPs WinSCP-5.21.8-Setup.iso:
157.254.195.83 = 78. Malware Accomplice

COBEACON C2: 
167.88.164.141 = 91. C&C Server
https://167.88.164.40/python/pp2 = 91. C&C Server
https://172.86.123.127:8443/work2z = 91. C&C Server
https://172.86.123.127:8443/work2
https://172.86.123.226:8443/work3z = 91. C&C Server
https://172.86.123.226:8443/work3
https://193.42.32.58:8443/work2z = 91. C&C Server
https://193.42.32.58/python/pp
https://193.42.32.58:8443/zakrep
https://104.234.147.134/python/pp3.py = 91. C&C Server
http://45.12.253.50:447/work2
https://45.66.230.240/python/pp3.py = 91. C&C Server
https://45.66.230.240:8443/work1
http://45.66.230.240/python/pp
https://firstclassbale.com/python/pp3.py = 91. C&C Server

Other COBEACON C2 Using the Same Watermark (587247372)
104.234.11.226 = 91. C&C Server
104.234.11.236
141.98.6.56 = 91. C&C Server
166.0.95.43 = 91. C&C Server
167.88.164.91 = 91. C&C Server
193.42.32.143 = 91. C&C Server
45.12.253.51 = 91. C&C Server
45.12.253.50
45.66.230.215 = 91. C&C Server
45.81.39.175 = 91. C&C Server
45.81.39.176 = 91. C&C Server
84.54.50.116 = 91. C&C Server
85.217.144.233
aleagroupdevelopment.com = 91. C&C Server
azurecloudup.online = 91. C&C Server
cloudupdateservice.online = 91. C&C Server
devnetapp.com = 91. C&C Server
situotech.com = 91. C&C Server

URLs accessed by Trojan.BAT.COBEACON.AO.dldr
http://104.234.147.134/python/python.zip
https://167.88.164.40/python/python.zip = 79. Disease Vector
http://172.86.123.226/python/python.zip = 79. Disease Vector
https://45.66.230.240/python/python.zip
https://closeyoueyes.com/python/python.zip
https://firstclassbale.com/python/python.zip
https://167.88.164.40/python/unzip.bat = 79. Disease Vector
http://172.86.123.226/python/unzip.bat = 79. Disease Vector
http://104.234.147.134/python/unzip.bat
https://45.66.230.240/python/unzip.bat
https://closeyoueyes.com/python/unzip.bat
https://firstclassbale.com/python/unzip.bat
https://167.88.164.40/python/pp3.py = 79. Disease Vector
http://172.86.123.226/python/pp3.py = 79. Disease Vector
ccloseyoueyes.com/python/pp3.py
http:////bigallpack.com/union/desktop



Source :
https://www.trendmicro.com/it_it/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html

All about the TeamViewer company profile

By JeanK

Last Updated: 

A TeamViewer company profile allows the ability within the TeamViewer Management Console to manage user permissions and access centrally.

Company admins can add existing users to the license and create new TeamViewer accounts. Both will allow users to log into any TeamViewer application and license the device so they may make connections.

Before starting

It is highly recommended to utilize a Master Account for a company profile, which will be the account that manages all licenses and users.

Please see the following article: Using a Master Account for the TeamViewer Management Console

This article applies to TeamViewer customers with a Premium, Corporate, or Tensor plan.

Benefits of a company profile

Managing users as the company administrator of a company profile also gives access to:

Licensing

Each company profile must have one TeamViewer Core multi-user license activated; this license can be combined with other licenses of the TeamViewer product family (e.g., Assist AR, Remote Management, IoT, etc. ), but cannot be combined with another TeamViewer Core license.

📌Note: If a company admin attempts to activate a second TeamViewer license, they will need to choose between keeping the existing license or replacing it with the new license.

image.png

📌Note: In some cases (with older company profiles and an active perpetual license), multiple core TeamViewer licenses may be activated to one company profile. One subscription license may be added to an existing perpetual license for such company profiles.

License management

Through the TeamViewer Management Console, company admins can manage the licensing of their users directly, including:

  • Assign/un-assign the license to various members of the company profile.
  • Reserve one or more channels for specific teams or persons via Channel Groups.

💡Hint: To ensure the license on your company profile best matches your use case, we highly recommend reaching out to our TeamViewer licensing experts. You may find local numbers here.

 

How to create a company profile

To create a company profile, please follow the instructions below:

  1. Log into the Management Console
  2. On the left-hand side, under the Company header, select User management
  3. In the text box provided, enter the desired company name and click Create.
    • 📌Note: The name of a company profile must be unique and cannot be re-used. If another company profile already uses a name, an error will appear, requesting another name be used instead. 
  4. Once the company profile is created, User management will load with the user that created the company profile as a company administrator.

How to add a new user

To add a new user, please follow the instructions below:

  1. Under User management, click the icon of a person with a + sign. Click on Add user.
  2. On the General tab, add the user’s name and email address and enter a password for the user and click Add user.
    • 💡Hint: Other settings for the user can be adjusted under Advanced, Licenses, and Permissions.
  3. The user will now appear under the User management tab. An email is sent to the user with instructions on activating their account.
    • 📌Note: If the user does not activate their account via email, they will receive an error that the account has not yet been activated when trying to sign in.

How to add an existing user

Users that already have an existing TeamViewer account can request to join a company profile using a few simple steps:

  1. Under User management, click the icon of a person with a + sign. Select Add existing account.
  2. A pop-up will appear, including a URL. Please send this URL to the user you want to add: https://login.teamviewer.com/cmd/joincompany
  3. Once the user opens the link within a browser, they must sign in with their TeamViewer account. Once logged in, they will be prompted to enter the email address of the company administrator. Once completed, they must tick the box I allow to transfer my account and click Join Company.
  4. The company admin will receive a join request via email. The user will appear in user management, where the company admin can approve or decline the addition of the user to the company profile

📌Notes:

  • Every user that joins a company profile will be informed that the company admin will take over full management of their account, including the ability to connect to and control all their devices. It is recommended never to join a company profile the user does not know or fully trust.
  • A user can only be part of one company profile.

How to set user permissions

Users of a company profile have multiple options that can be set by the current company admin, including promoting other users to administrator or company administrator. Permissions are set for each user individually. To access user permissions:

  1. In the User management tab, hovering the cursor over the desired user’s account will produce a three-dots menu (⋮) to the far right of the account. Click this menu and select Edit user from the drop-down.
  2. Once in Edit user, select the Permissions tab. Overall permissions for the account can be changed using the drop-down under the Role header.
image.png

Four options are available:

  • Company administrator: Can make changes to company settings, other administrator accounts, and user accounts.
  • User administrator: Can make changes to other user accounts but cannot change company settings or company administrator accounts.
  • Member: Cannot change the company profile or other users.
  • Customized permissions: The company admin sets permissions for each aspect of the account.

Once the appropriate role is selected, click Save in the window’s upper-left corner.

📌Note: Changes to user permissions are automatic once saved.

How to remove/deactivate/delete users

Along with adding new or existing accounts, company admins can remove, deactivate, or even delete users from the company profile.

📌Note: A current company admin of that license can only remove a TeamViewer account currently connected to a company profile. TeamViewer Customer Support is unable to remove any account from a company profile.

To remove, deactivate or delete an account, please follow the instructions below:

  1. In the User management tab, hovering the cursor over the desired user’s account will produce a three-dots menu (⋮) to the far right of the account. In the drop-down menu that appears are the three options
  2. Select Delete accountRemove user or Deactivate user.
image.png

Consequences of deleting an account

When an account is deleted, the account is not only removed from the company profile but deleted from TeamViewer altogether. The user can no longer use the account or access any information associated with it as it no longer exists.

📌Note: When an account is deleted, the email address associated with the account can be re-used to create a new TeamViewer account.

image.png

When a TeamViewer account is deleted from a company profile:

  • Connection reports, custom modules, and TeamViewer/Remote management policies will be transferred to the current company admin.
  • Web API Tokens for the deleted user are logged out, and their company functionality is removed
  • License activations are removed from the deleted user’s account
  • Shared groups from the deleted user’s account are deleted.

Once the company admin checks the box to confirm that this process cannot be undone, the Delete account button becomes available. Once pressed, the account is deleted.

📌Note: Deletion of any TeamViewer account deletion is irreversible. Only a new account can be created after deletion. All user data will be lost.

Remove user

When an account is removed, the account is removed from the company profile and reverted to a free TeamViewer account. The account is reverted to a free account, and the user is still able to log in with the account. All information associated with the account is still accessible.

When an account is removed from a company profile:

  • Connection reports, custom modules, and TeamViewer /Remote management policies will be transferred to the current company admin.
  • Contacts in the contact book are transferred to the current company admin
  • Web API Tokens for the user’s account are logged out and their company functionality is removed
  • License activations are removed from the user’s account

📌Note: Groups & devices in the Computers & Contacts of the removed user’s account are not affected. Any groups shared also will remain shared.

Once the company admin checks the box to confirm that this process cannot be undone, the Remove user button becomes available. Once pressed, the account is removed from the company profile and reverted to a free TeamViewer account.

📌Note: Once a user account is removed from the current company profile, it can request to join another company profile.

Deactivate user

When an account is deactivated, the account is reverted to inactive. The deactivated account is still associated with the company profile but cannot be used to log into TeamViewer on a free or licensed device. The account is rendered completely unusable.

📌Note: When an account is deactivated, the email address associated with the account cannot be used to create a new free TeamViewer account.

💡Hint: To view inactivated users within the company profile, select the drop-down menu under User Status and check the box for Inactive. All inactive users will now appear in user management.

How to reactivate inactive users

When Deactivate user is selected, the account disappears from user management. They are, however, still a part of the Company Profile and can be reactivated back to the license instantly at any time.

image.png
  1. To view inactivated users within the company profile, select the menu under User Status and check the box for Inactive. All inactive users will now appear in user management.
  2. Once the user is located, hover the cursor over the account. Select the three-dots menu (⋮) to the right of the user’s account and select Activate user
  3. The user’s original permissions status is reverted, and the account can again be used with any TeamViewer device.
image.png

Troubleshooting

Below you will find answers to some common issues encountered when interacting with a company profile.

▹User(s) on a company profile show a free license

In some cases, older users on a company profile may appear as ‘free’ users, especially after upgrading or changing a license. The company admin can resolve this:

  1. Log in to the TeamViewer Management Console under https://login.teamviewer.com
  2. Click Company administration on the left-hand side:
  3. Select the Licenses tab and locate the license. Hovering the cursor over the license will produce a three-dots menu (⋮). Click the menu and select Assign from the drop-down.
  4. The users who show ‘free’ will appear in Unassigned. Select the desired users and click the Add button at the bottom of the page.
image.png

📌Note: Affected users should log out and then back in to see the licensing changes.

▹Your account is already associated with a company 

If a user who is already associated with one company profile attempts to join another company profile, the following pop-up will appear:

image.png

The user’s account must be removed from the current company profile to resolve this. The steps required vary depending on whether it is their active or expired company profile or if they are associated with a company profile created by another account.

SCENARIO 1: As company administrator of an active company profile

If a user who created a company profile wishes to delete the company profile associated with their account, they will need to perform the following steps:

  1. Log in to the TeamViewer Management Console under https://login.teamviewer.com
  2. Click User Management in the upper left corner 
  3. Remove all other accounts: Before deleting a company profile, the company admin must remove all other accounts. Perform these steps for each user on the company profile
  4. Remove the company admin account: Once all other accounts have been removed, the company admin will remove their account. This will delete the company profile altogether
  5. The user is immediately logged out and can now follow the process to add their account to an existing company profile

SCENARIO 2: As company administrator of an expired company profile

In some cases, the user may have created a company profile on an older license that is no longer used or active. In such cases, the company profile will appear as expired in the Management Console.

In such cases, it is still possible to delete the company profile:

  1. Log in to the TeamViewer Management Console under https://login.teamviewer.com
  2. Click Company administration on the left-hand side.
  3. On the General tab, select Delete company.
  4. A pop-up will appear confirming the request to delete the company profile. Check the box at the bottom to validate, and select Delete company.

SCENARIO 3: The account is a member of a company profile

📌Note: Only a company administrator can remove a user from their company profile – not even TeamViewer can remove a user from a company profile, regardless of the request’s origin.

If the user is a member of another company profile, they will need to contact the company admin of that license to request removal.

Once removed, they can then request to join the correct company profile.

Source :
https://community.teamviewer.com/English/kb/articles/3573-all-about-the-teamviewer-company-profile

Teamviewer Block and allowlist

By .Carol.fg.

Last Updated: 

You have the possibility to restrict remote access to your device by using the Block and Allowlist feature in the TeamViewer full version and the TeamViewer Host.

You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist.

Let´s begin with the difference between a blocklist and an allowlist.

This article applies to all TeamViewer (Classic) users.

What is a Blocklist?

The Blocklist generally lets you prevent certain partners or devices from establishing a connection to your computer. TeamViewer accounts or TeamViewer IDs on the blocklist cannot connect to your computer.

📌Note: You will still be able to set up outgoing TeamViewer sessions with partners on the blocklist.

What is an Allowlist?

If you add TeamViewer accounts to the Allowlist, only these accounts will be able to connect to your computer. The possibility of a connection to your computer through other TeamViewer accounts or TeamViewer IDs will be denied

If you have joined a company profile with your TeamViewer account, you can also place the entire company profile on the Allowlist. Thus only the TeamViewer accounts that are part of the company profile can access this device.

📌Note: To work with a company profile you will need a TeamViewer Premium or Corporate license

 

How to set up a Blocklist?

If you would like to deny remote access to your device to specific persons or TeamViewer IDs, we recommend setting up a Blocklist.

You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure…

A new window will open. Activate the first option Deny access for the following partners and click on Add 

Blocklist_01.png

📌Note: If you activate the Also apply for meetings check box, these settings will also be applied to meetings. Contacts from your blocklist are excluded from being able to join your meetings.

After clicking on Add, you can either choose partners saved on your Computers & Contacts list or add TeamViewer IDs/contacts manually to your blocklist.

Blocklist_02.png
Blocklist_03.PNG

How to set up an Allowlist?

If you would like to allow only specific TeamViewer accounts or TeamViewer IDs remote access to your device, we recommend setting up an Allowlist.

You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure…

A new window will open. Activate the second option Allow access only for the following partners and click on Add 

image.png

📌Note: If you activate the Also apply for meetings check box, these settings will also be applied to meetings. Only contacts from your allowlist will then be able to join your meetings.

After clicking on Add, you can either choose partners saved on your Computers & Contacts list, add TeamViewer IDs/contacts manually to your blocklist, or add the whole company you are part of (only visible if you are part of a company profile). 

image.png
image.png
image.png

 

How to delete blocklisted/allowlisted partners?

If you no longer wish to have certain partners block or allowlisted, you can easily remove them from the list.

To do so navigate in your TeamViewer full version to the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure… and choose whether you would like to remove partners from the Blocklist or from the Allowlist by choosing either Deny access for the following partners (Blocklist) or Allow access only for the following partner (Allowlist). Now click on the partners you would like to remove and finally click Remove  OK

image.png

📌Note: You can choose multiple partners at once by pressing CTRG when clicking on the different partners.

Learn more about how you can benefit from a Master Allowlist: Why Master Allowlists are So Effective to Secure Customers

Source :
https://community.teamviewer.com/English/kb/articles/29739-block-and-allowlist

Teamviewer Two-Factor Authentication for connections

By .Carol.fg.

Last Updated: 

This article provides a step-by-step guide to activating Two-factor authentication for connections (also known as TFA for connections). This feature enables you to allow or deny connections via push notifications on a mobile device.

This article applies to all Windows users using TeamViewer (Classic) 15.17 (and newer) and macOS and Linux users in version 15.22 (and newer).

What is Two-factor authentication for connections?

TFA for connections offers an extra layer of protection to desktop computers.

When enabled, connections to that computer need to be approved using a push notification sent to specific mobile devices. 

Enabling Two-factor authentication for connections and adding approval devices

Windows and Linux:

1. In the TeamViewer (Classic) application, click the gear icon at the top right menu.

2. Click on the Security tab on the left.

3. You will find the Two-factor authentication for connections section at the bottom.

4. Click on Configure… to open the list of approval devices.

5. To add a new mobile device to receive the push notifications, click Add.

6. You will now see a QR code that needs to be scanned by your mobile device.

Below please find a step-by-step gif for Windows, Linux, and macOS:

Windows

TFA for connections.gif

Linux

Linux add new device.gif

macOS

MAC1_community.gif

7. On the mobile device, download and install the TeamViewer Remote Control app:

a. Android

📌Note: This feature is only available on Android 6.0 or higher.

b. iOS

8. In the TeamViewer Remote Control app, go to Settings → TFA for connections.

9. You will see a short explanation and the option to open the camera to scan the QR code.

image.png

10. Tap on Scan QR code and you will be asked to give the TeamViewer app permission to access the camera.

11. After permission is given, the camera will open. Point the camera at the QR code on the desktop computer (see Step 6 above).

12. The activation will happen automatically, and a success message will be displayed. 

image.png

13. The new device is now included in the list of approval devices.

image.png

14. From now on, any connection to this desktop computer will need to be approved using a push notification.

📌 Note: TFA for connections cannot be remotely disabled if the approval device is not accessible. Due to this, we recommend setting up an additional approval device as a backup.

Removing approval devices

1. Select an approval device from the list and click Remove or the X.

2. You will be asked to confirm the action.

3. By clicking Remove again, the mobile device will be removed from the list of approval devices and won’t receive any further push notifications.

4. If the Approval devices list is empty, Two-factor authentication for connections will be completely disabled.

Below please find a step by step gif for Windows, Linux and macOS:

▹ Windows:

Removing approval devices[1).gif

▹ Linux:

linux remove device.gif

▹ macOS:

MAC2_community.gif

Remote connections when Two-factor authentication for connections is enabled

TFA for connections does not replace any existing authentication method. When enabled, it adds an extra security layer against unauthorized access.

When connecting to a desktop computer protected by TFA for connections, a push notification will be sent to all of the approval devices.

You can either:

  • accept/deny the connection request via the system notification:
image.png
  • accept/deny the connection request by tapping the TeamViewer notification. It will lead to you the following screen within the TeamViewer application to accept/deny the connection:
image.png

Multiple approval devices

All approval devices in the list will receive a push notification. 

The first notification that is answered on any of the devices will be used to allow or deny the connection.

Source :
https://community.teamviewer.com/English/kb/articles/108791-two-factor-authentication-for-connections