Security Archives - Page 92 of 94

Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims

Emotet, the notorious trojan behind a number of botnet-driven spam campaigns and ransomware attacks, has found a new attack vector: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks.

According to researchers at Binary Defense, the newly discovered Emotet sample leverages a "Wi-Fi spreader" module to scan Wi-Fi networks, and then attempts to infect devices that are connected to them.

The cybersecurity firm said the Wi-Fi spreader has a timestamp of April 16, 2018, indicating the spreading behavior has been running "unnoticed" for close to two years until it was detected for the first time last month.

The development marks an escalation of Emotet's capabilities, as networks in close physical proximity to the original victim are now susceptible to infection.

How Does Emotet's Wi-Fi Spreader Module Work?

The updated version of the malware works by leveraging an already compromised host to list all the nearby Wi-Fi networks. To do so, it makes use of the wlanAPI interface to extract the SSID, signal strength, the authentication method (WPA, WPA2, or WEP), and mode of encryption used to secure passwords.

On obtaining the information for each network this way, the worm attempts to connect to the networks by performing a brute-force attack using passwords obtained from one of two internal password lists. Provided the connection fails, it moves to the next password in the list. It's not immediately clear how this list of passwords was put together.

But if the operation succeeds, the malware connects the compromised system on the newly-accessed network and begins enumerating all non-hidden shares. It then carries out a second round of brute-force attack to guess the usernames and passwords of all users connected to the network resource.

After having successfully brute-forced users and their passwords, the worm moves to the next phase by installing malicious payloads — called "service.exe" — on the newly infected remote systems. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService).

In addition to communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host.

The fact that Emotet can jump from one Wi-Fi network to the other puts onus on companies to secure their networks with strong passwords to prevent unauthorized access. The malware can also be detected by actively monitoring processes running from temporary folders and user profile application data folders.

Emotet: From Banking Trojan to Malware Loader

Emotet, which was first identified in 2014, has morphed from its original roots as a banking Trojan to a "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how it's deployed.

Over the years, it has also been an effective delivery mechanism for ransomware. Lake City's IT network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded TrickBot trojan and Ryuk ransomware.

Although Emotet-driven campaigns largely disappeared throughout the summer of 2019, it made a comeback in September via "geographically-targeted emails with local-language lures and brands, often financial in theme, and using malicious document attachments or links to similar documents, which, when users enabled macros, installed Emotet."

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," Binary Defense researchers concluded. "Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords."

Source :
https://thehackernews.com/2020/02/emotet-malware-wifi-hacking.html

Coronavirus Affecting Business as Remote Workforces Expand Beyond Expected Capacity

The novel coronavirus epidemic is a major global health concern. To help prevent the spread of the new virus, organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. This practice helps limit individual contact with large groups or crowds (e.g., restaurants, offices, transit) where viruses can easily spread.

As such, ‘stay at home’ is a common phrase in many health-conscious regions this week. According to the BBC, the city of Suzhou said businesses would remain closed until Feb 8, if not longer. As of 2018, Suzhou had a population of more than 10.7 million people.

On Jan. 30, the World Health Organization labeled the outbreak as a global health emergency. In response, the U.S. Department of issued a Level 4 travel advisory to China (do not travel).

Precautions like these are causing unexpected increases in mobile workers; many organizations don’t have enough virtual private network (VPN) licenses to accommodate the increase of users. This is a serious risk as employees will either not have access to business resources or, worse, they will do so via non-secure connections.

Organizations and enterprises in affected areas should review their business continuity plans. The National Law Review published a useful primer for employers and organizations managing workforces susceptible to coronavirus outbreaks. In addition, leverage SonicWall’s ‘5 Core Practices to Ensure Business Continuity.”

FREE VPN SPIKE LICENSES

If you are a current SonicWall SMA 100 or 1000 series customer, or have Central Management Server (CMS) licenses, SonicWall will help implement complimentary 10-day spike licenses to help temporarily manage the increase in VPN capacity. Contact SonicWall or your SonicWall SecureFirst partner for assistance.

What is the coronavirus?

Coronavirus (2019-nCoV) is a respiratory illness first identified in Wuhan, China, but cases have since been reported in the U.S., Canada, Australia, Germany, France, Thailand, Japan, Hong Kong, and nine other countries. In an effort to contain the virus, the Chinese authorities have suspended air and rail travel in the area around Wuhan.

According to Centers for Disease Control and Prevention (CDC), early patients in the outbreak in China “reportedly had some link to a large seafood and animal market, suggesting animal-to-person spread. However, a growing number of patients reportedly have not had exposure to animal markets, indicating person-to-person spread is occurring. At this time, it’s unclear how easily or sustainably this virus is spreading between people.”

The latest situation summary updates are available via the CDC: 2019 Novel Coronavirus, Wuhan, China.

THE CLEAN VPN APPROACH FOR THE MOBILE WORKFORCE

To protect the corporate network, IT must recognize that no mobile device should be trusted and that all access outside the corporate network is beyond IT control.

A combined Clean VPN approach delivers all of the security and SSL VPN elements of an integrated Clean VPN deployment, plus the additional SonicWall SMA capability to perform device interrogation and enforce policy-based endpoint controls.

GET THE BRIEF

source :
https://blog.sonicwall.com/en-us/2020/02/coronavirus-affecting-business-as-remote-workforces-expand/

Inside Cybercriminal Inc.: SonicWall Exposes New Cyberattack Data, Threat Actor Behaviors in Latest Report

For cybercriminals and threat actors, the digital frontier is a lawless panorama of targets and opportunity. Despite the best intentions of government agencies, law enforcement and oversight groups, the modern cyber threat landscape is more agile and evasive than ever before.

For this reason, SonicWall Capture Labs threat researchers work tirelessly to arm organizations, enterprises, governments and businesses with actionable threat intelligence to stay ahead in the global cyber arms race.

And part of that dedication starts with the 2020 SonicWall Cyber Threat Report, which provides critical threat intelligence to help you better understand how cybercriminals think — and be fully prepared for what they’ll do next.

Global Malware Dips, But More Targeted

For the last five years, cybercriminals overwhelmed organizations with sheer volume. But as cyber defenses evolved, more volume was not resulting in higher paydays. A change was in order.

In 2018, cybercriminals began to leverage more evasive and pointed attacks against “softer” targets. In 2019, global malware volume dipped, but attacks were more targeted with higher degrees of success, particularly against the healthcare industry, and state, provincial and local governments.

All told, SonicWall Capture Labs threat researchers recorded 9.9 billion malware attacks* in 2019 — a slight 6% year-over-year decrease.

Ransomware targets state, provincial and local governments

‘Spray and pray’ is over. Cybercriminals are using ransomware to surgically target victims that are more likely to pay given the sensitive data they possess or funds at their disposal (or both). Now it’s all about ‘big-game hunting.’

The report outlines the most egregious ransomware attacks of 2019, while also painting a picture of the evolution of ransomware families and signatures, including Cerber, GandCrab, HiddenTear and more.

Fileless malware spikes in Q3

Fileless malware is a type of malicious software that exists exclusively as a memory-based artifact (i.e., RAM). It does not write any part of its activity to the computer’s hard drive, making it very resistant to existing computer forensic strategies.

The use of fileless malware ebbed and flowed in 2019. But exclusive SonicWall data shows a massive mid-year spike for this savvy technique.

Encrypted threats growing consistently

Another year, another jump in the use of encrypted threats. Until more organizations proactively and responsibly inspect TLS/SSL traffic, this attack vector will only expand.

IoT malware volume rising

From hacked doorbell cameras to rogue nanny cams, 2019 was an alarming year for the security and privacy of IoT devices. Trending data suggests more IoT-based attacks are on the horizon.

Cryptojacking crumbles

In early 2019, the price of bitcoin and complementary cryptocurrencies created an untenable situation between Coinhive-based cryptojacking malware and the legitimate Coinhive mining service. The shuttering of the latter led to the virtual disappearance of one the year’s hottest malware.

Source :
https://blog.sonicwall.com/en-us/2020/02/sonicwall-exposes-new-cyberattack-data-threat-actor-behaviors-in-latest-report/

HSTS Strict-Transport-Security

Testing your website:
https://hstspreload.org/

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

Header type	Response header
Forbidden header name	no

Syntax

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives

max-age=<expire-time>: The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
includeSubDomains Optional: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
preload Optional: See Preloading Strict Transport Security for details. Not part of the specification.

Description

If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

An example scenario

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

How the browser handles it

The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring. Should it be necessary to disable Strict Transport Security, setting the max-age to 0 (over a https connection) will immediately expire the Strict-Transport-Security header, allowing access via http.

Preloading Strict Transport Security

Google maintains an HSTS preload service. By following the guidelines and successfully submitting your domain, browsers will never connect to your domain using an insecure connection. While the service is hosted by Google, all browsers have stated an intent to use (or actually started using) the preload list. However, it is not part of the HSTS specification and should not be treated as official.

Information regarding the HSTS preload list in Chrome : https://www.chromium.org/hsts
Consultation of the Firefox HSTS preload list : nsSTSPreloadList.inc

Examples

All present and future subdomains will be HTTPS for a max-age of 1 year. This blocks access to pages or sub domains that can only be served over HTTP.

Strict-Transport-Security: max-age=31536000; includeSubDomains

In the following example, max-age is set to 2 years, raised from what was a former limit max-age of 1 year. Note that 1 year is acceptable for a domain to be included in browsers' HSTS preload lists. 2 years is, however, the recommended goal as a website's final HSTS configuration as explained on https://hstspreload.org. It also suffixed with preload which is necessary for inclusion in most major web browsers' HSTS preload lists, e.g. Chromium, Edge, & Firefox.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Specifications

Specification	Status	Comment
HTTP Strict Transport Security (HSTS)	IETF RFC	Initial definition

Source :
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

The Worst Cyberattacks and Data Breaches of 2019

Put your email address in the have i been pwned? website and see what results you get. How secure do you feel? By 2020, it’s safe to assume that most people with an online presence have had a least some of their Personally Identifiable Information (PII) compromised in a data breach.

SonicWall has been tracking and reporting on major data breaches throughout 2019 and we’ve compiled a list of not necessarily the biggest cyberattacks and data breaches of 2019, but the ones with the worst overall impact, giving us insight into the direction cyberattacks are heading in 2020.

Notable cyberattacks of 2019

Quest Diagnostics

Breaches that result in the loss of medical data can be damaging due to the possibility of highly personal information being released, whether that data is medical records themselves or identifiable data like Social Security numbers that could aid a cybercriminal in carrying out identity theft, or even blackmail. With this in mind, 2019 unfortunately set breach records in this category, with the biggest single breach likely being Quest Diagnostics, where 11.9 million patients were affected. Data taken included credit card numbers, medical information and personally identifiable data but, small consolation prize, lab results were not included.

Fortnite

The gaming industry is now bigger than both the entire music industry and Hollywood combined, making it a prime target for cybercriminals. It should come as no surprise then that cyberattackers would aim squarely for one of the biggest games on the planet.

In January 2019, a vulnerability found in Fortnite’s login system allowed hackers to impersonate real players, including viewing chat logs and other in-game details. More worryingly, the vulnerability allowed malicious users to purchase in-game currency using credit cards on file. This currency could then be siphoned off to other, legitimate, accounts — essentially money-laundering.

It is unclear how many accounts were affected, but considering there were over 80 million people logging in to Fortnite a week at the time the vulnerability was discovered, the number of players impacted is potentially huge. The vulnerability was quickly fixed but a class-action lawsuit was launched in August, the same month that a known exploit in Fortnite was used to install ransomware.

The Fortnite vulnerabilities serve as a warning to gamers and the wider gaming industry: you are a target.

US Customs and Border Protection

When U.S. Customs and Border Protection officials announced in June that a federal subcontractor had been hacked, 100,000 global travelers joined the ranks of people who have had their personal information and photos exposed. The hack included a large cache of images of car license plates, often including the face of the driver. The incident stands out as one of the more distinctive cyberattacks on U.S. public institutions in 2019, a year in which the most high-profile attacks were a rash of ransomware attacks on Texas government agencies that temporarily brought the state’s municipal infrastructure to a standstill.

Capital One

Over 100 million Americans and 6 million Canadians were affected by the Capital One data breach, where the data taken stretched from 2019 all the way back to 2005. Names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income were taken in most cases. In addition, 140,000 Social Security numbers, 80,000 linked bank account numbers and 1 million Canadian Social Insurance numbers were all stolen. One estimate of the damage to the financial giant put the cost of the data breach at more than $300 million.

Facebook

As one of the most ubiquitous and data-packed websites on the internet, Facebook is under constant scrutiny. In April and September of 2019, two privacy breaches were discovered that exposed the personal information of around 2 million Facebook users, including phone numbers and passwords. Neither of these events were related to a cyberattack, however, and they were both discovered by security researchers looking for vulnerabilities in the Facebook web architecture. In December, Facebook again made the headlines when security expert Bob Diachenko discovered an exposed database containing names, phone numbers and Facebook IDs of more than 267 million Facebook users. In this case, the data was already posted to a hacker forum for download before the internet service provider could take action and remove access.

Magecart

Magecart makes our list as one of the most widely-distributed malware attacks in 2019. A recent count of active Magecart infections claims the malware is affecting over 18,000 website hosts, remarkable considering it’s an infection that’s been around in one form or another for nearly a decade. Magecart is a supply-chain attacker than hijacks the digital cart-system on websites when users make orders, stealing financial information as the order is processed. Major breaches caused by Magecart in 2019 included British Airways, Ticketmaster UK, Newegg.com and even the Sesame Street store.

Looking to 2020

As demonstrated throughout 2019, “cyberattack” and “data breach” are broad terms covering a huge range of activities, from poorly maintained databases found exposed online to well-oiled criminal enterprises selling their capabilities as a service. The data indicates that these events are not going to go away any time soon and cybersecurity needs to continue to be a top priority for businesses and organizations everywhere.

As 2020 starts and tensions between the U.S. and Iran have ratcheted up to a fever pitch, security researchers are highlighting the likelihood of cyberwarfare increasingly being used as an instrument of foreign policy. From disrupting elections to attacks on power grids and ransomware attacks targeting government agencies, cybersecurity is firmly establishing itself as the central concern for organizations everywhere.

SonicWall protects organizations from cyberattacks

The growing complexity of attack tactics and increasing areas of vulnerability mean that security professionals can no longer view insider threats and traditional phishing attacks as the primary attack vector for data compromise. Every organization needs to have a layered, defense-in-depth approach, something SonicWall can help with through our automated real-time breach detection and prevention platform.

Some general best practices include:

Ensure your cybersecurity strategy is scaled across wired, wireless, cloud and mobile networks, where applicable
Leverage next-generation firewalls to mitigate advanced cyber threats
Layer cybersecurity controls with cloud sandboxing, such as SonicWall Capture ATP
Secure your data in the cloud protect SaaS environments using SonicWall Cloud App Security
Deploy email security controls to help identify and block phishing attempts
Map network data to understand what’s most valuable

There’s no question that our list of the worst cyberattacks and data breaches of 2019 tell a dismal story of a rapidly expanding cyber threat landscape. However, by assessing your business’s cybersecurity strategy, ensuring you have a layered approach in place, and improving overall security behavior, it’s possible to protect your business from most data breaches.

Source :
https://blog.sonicwall.com/en-us/2020/01/worst-cyberattacks-and-data-breaches-of-2019/

Defend Yourself Now and in the Future Against Mobile Malware

The world has gone mobile and the US is leading the way. It’s estimated that that the number of smartphone users alone topped 257 million in the States in 2018. That means three-quarters (74%) of households now boast at least one mobile device. And in this new digital world, it’s mobile applications that really matter. They’re a one-click gateway to our favorite videos, live messaging, email, banking, social media and much more.

There are said to be around 2.8 million of these apps on the official Google Play Store today. But unfortunately, where there are users, there are also hackers looking to capitalize. And one of their favorite ways to make money is by tricking you into downloading a malicious app they’ve sneaked onto the marketplace.

Most recently, 42 such apps had to be removed after being installed eight million times over the period of a year, flooding victims’ screens with unwanted advertising. This is just the tip of the iceberg. As more of us turn to mobile devices as our primary internet gateway, the bad guys will follow suit. Trend Micro blocked over 86 million mobile threats in 2018, and we can expect this figure to increase into the future.

So how can you protect your devices and your data from hackers?

Adware ahoy

The latest bunch of 42 apps are from a class of malicious software known as adware. This follows a previous discovery by Trend Micro earlier this year of a further 85 adware-laden apps downloaded eight million times. Cyber-criminals fraudulently make money by displaying unwanted ads on the victim’s device. In the meantime, the user has to contend with annoying pop-ups which can run down the device’s battery and eat up computing resources. Some even silently gather user information.

Ones to watch

Unfortunately, it’s increasingly difficult to spot malicious apps on the Play Store. A popular tactic for hackers is to hide their malware in titles which impersonate legitimate applications. A recent two-year study found thousands of such counterfeits on the Play Store, exposing users unwittingly to malware. Banking apps are a particularly popular type of title to impersonate as they can provide hackers with highly lucrative log-ins to open users’ accounts.

Some malware, like the recently disclosed Agent Smith threat, works by replacing all the legitimate apps on a user’s device with malicious alter-egos.

So, as we hit 2020, what other threats hidden in legitimate-seeming apps should mobile users be looking out for?

More intrusive adware.
Cryptocurrency mining malware. This will run in the background, eating up your device battery and computing power. Trend Micro noted a 450% increase in infections from 2017 to 2018.
Banking Trojans designed to harvest your log-ins so hackers can get their hands on your savings. Our detections of this malware soared 98% between 2017-18.
These attacks have evolved from simple screen lockers to malware designed to encrypt all the files on your device.
Premium rate services. Some malware will covertly text or call premium rate SMS numbers under the control of the hacker, thus making them money and costing you potentially significant sums. ExpensiveWall malware, for example, was found in 50 Google Play apps and downloaded millions of times, charging victims’ accounts for fake services.
Information theft. Some malware will allow hackers to eavesdrop on your conversations, and/or hoover up your personal data, including phone number, email address, and account log-ins. This data can then be sold on the dark web and used in follow-on identity fraud attempts.

Is Google helping?

The Android ecosystem has always and remains to be a bigger threat than iOS because it’s relatively easier for developers to get their applications onto the official marketplace. Now, it’s true that Google carries out some vetting of the apps on its Play Store and it is getting better and quicker at spotting and blocking malware. It says the number of rejected app submissions grew by over 55% in 2018 while app suspensions increased by over 66%.

However, Google’s Play Protect, which is pre-installed on Android devices, has garnered less than favorable reviews. This anti-malware solution is intended to scan for malicious apps to prevent you downloading them. However, it has received poor reviews for its “terrible malware protection.”

In fact, in independent tests run in July by German organization AV-TEST, Google Play Protect found just 44% of the 3,347 “real-time” online malware threats, and just 55% of the 3,433 malware samples that were collected in the previous month. According to Tom’s Guide, “these scores are all well below the industry averages, which were always 99.5% or above in both categories for all three rounds.”

How do I stay safe?

So how can mobile users ensure their personal data and devices are secure from the growing range of app-based threats?

Consider the following:

Only visit official app stores. Even though Google Play has a malware problem, it is more secure than third-party app stores. In fact, you are 23 times more likely to install a potentially harmful application (PHA) outside Play, according to Google.
Ensure you’re on the latest operating system version.
Do not root your device as this can expose it to threats.
Be cautious. If the app is requesting an excessive number of permissions, it may be malicious.
Install on-device AV from a reputable third-party provider like Trend Micro.

How Trend Micro Mobile Security helps

Trend Micro Mobile Security (TMMS) offers customers comprehensive anti-malware capabilities via its real-time Security Scan function. Security Scan alerts you to any malware hidden in apps before they are installed and suggests legitimate versions. It can also be manually run on devices to detect and remove malicious apps, including ransomware, that may already have been installed.

To use the manual scan, simply:

1. Tap the Security Scan panel in the TMMS Console. The Security Scan settings screen appears, with the Settings tab active by default.

2. Tap Scan Now to conduct a security scan. The result appears.

3. In the example shown, “Citibank” has been detected as a fake banking app, installed on the device before Mobile Security was installed. Apps are recommended for you to remove or to trust.

4. Tap Uninstall to uninstall the fake app. A Details screen defines the security threats.

5. Tap Uninstall A popup will ask if you want to uninstall the app.

6. Tap Uninstall once more to uninstall it. The app will uninstall.

7. If there are more potentially unwanted apps, tap the panel for Apps Removal Recommended to show the list of apps recommended for removal. The Removal Recommended list will show apps to Remove or Trust.

8. You can configure settings via Security Scan > Settings This will allow you to choose protection strength (Low, Normal, and High).

9. In Settings, check the Pre-Installation Scan, which is disabled by default, to block malware from Google Play before it’s installed. It sets up a virtual private network (VPN) and enables the real-time scan.

Among its other features, Trend Micro Mobile Security also:

Blocks dangerous websites from loading in any browsing app with Web Guard
Checks if public WiFi connections are safe with Wi-Fi Checker
Guards financial and commercial apps with Pay Guard Mobile
Optimizes your device’s performance System Tuner and App Manager
Protects your kids’ devices with Parental Controls
Protects your privacy on social media with Social Network Privacy
Provides Lost Device Protection.

Source :
https://blog.trendmicro.com/defend-yourself-now-and-in-the-future-against-mobile-malware/

Introducing Google Cloud’s Secret Manager

Many applications require credentials to connect to a database, API keys to invoke a service, or certificates for authentication. Managing and securing access to these secrets is often complicated by secret sprawl, poor visibility, or lack of integrations.

Secret Manager is a new Google Cloud service that provides a secure and convenient method for storing API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.

Secret Manager offers many important features:

Global names and replication: Secrets are project-global resources. You can choose between automatic and user-managed replication policies, so you control where your secret data is stored.
First-class versioning: Secret data is immutable and most operations take place on secret versions. With Secret Manager, you can pin a secret to specific versions like 42 or floating aliases like latest.
Principles of least privilege: Only project owners have permissions to access secrets. Other roles must explicitly be granted permissions through Cloud IAM.
Audit logging: With Cloud Audit Logging enabled, every interaction with Secret Manager generates an audit entry. You can ingest these logs into anomaly detection systems to spot abnormal access patterns and alert on possible security breaches.
Strong encryption guarantees: Data is encrypted in transit with TLS and at rest with AES-256-bit encryption keys. Support for customer-managed encryption keys (CMEK) is coming soon.
VPC Service Controls: Enable context-aware access to Secret Manager from hybrid environments with VPC Service Controls.

The Secret Manager beta is available to all Google Cloud customers today. To get started, check out the Secret Manager Quickstarts. Let's take a deeper dive into some of Secret Manager’s functionality.

Global names and replication

Early customer feedback identified that regionalization is often a pain point in existing secrets management tools, even though credentials like API keys or certificates rarely differ across cloud regions. For this reason, secret names are global within their project.

While secret names are global, the secret data is regional. Some enterprises want full control over the regions in which their secrets are stored, while others do not have a preference. Secret Manager addresses both of these customer requirements and preferences with replication policies.

Automatic replication: The simplest replication policy is to let Google choose the regions where Secret Manager secrets should be replicated.
User-managed replication: If given a user-managed replication policy, Secret Manager replicates secret data into all the user-supplied locations. You don’t need to install any additional software or run additional services—Google handles data replication to your specified regions. Customers who want more control over the regions where their secret data is stored should choose this replication strategy.

First-class versioning

Versioning is a core tenet of reliable systems to support gradual rollout, emergency rollback, and auditing. Secret Manager automatically versions secret data using secret versions, and most operations—like access, destroy, disable, and enable—take place on a secret version.

Production deployments should always be pinned to a specific secret version. Updating a secret should be treated in the same way as deploying a new version of the application. Rapid iteration environments like development and staging, on the other hand, can use Secret Manager's latest alias, which always returns the most recent version of the secret.

Integrations

In addition to the Secret Manager API and client libraries, you can also use the Cloud SDK to create secrets:

$ gcloud beta secrets create "my-secret" \
    --replication-policy "automatic" \
    --data-file "/tmp/my-secret.txt"

and to access secret versions:

$ gcloud beta secrets versions access "latest" \
    --secret "my-secret"

Discovering secrets

As mentioned above, Secret Manager can store a variety of secrets. You can use Cloud DLP to help find secrets using infoType detectors for credentials and secrets. The following command will search all files in a source directory and produce a report of possible secrets to migrate to Secret Manager:

$ find . -type f | xargs -n1 gcloud alpha dlp text inspect \
    --info-types="AUTH_TOKEN,ENCRYPTION_KEY,GCP_CREDENTIALS,PASSWORD" \
    --content-file

If you currently store secrets in a Cloud Storage bucket, you can configure a DLP job to scan your bucket in the Cloud Console.

Over time, native Secret Manager integrations will become available in other Google Cloud products and services.

What about Berglas?

Berglas is an open source project for managing secrets on Google Cloud. You can continue to use Berglas as-is and, beginning with v0.5.0, you can use it to create and access secrets directly from Secret Manager using the sm:// prefix.

$ berglas access sm://my-project/api-key

If you want to move your secrets from Berglas into Secret Manager, the berglas migrate command provides a one-time automated migration.

Accelerating security

Security is central to modern software development, and we’re excited to help you make your environment more secure by adding secrets management to our existing Google Cloud security product portfolio. With Secret Manager, you can easily manage, audit, and access secrets like API keys and credentials across Google Cloud.

To learn more, check out the Secret Manager documentation and Secret Manager pricing pages.

Source :
https://cloud.google.com/blog/products/identity-security/introducing-google-clouds-secret-manager

BlueCat’s DNS Edge Is Cisco Umbrella’s Newest Integration

Cisco Umbrella is widely recognized as one of the strongest products on the market for a secure and fast connection to the internet. And we are always looking for ways to deepen visibility and control for our customers. This is why we are teaming up with BlueCat, a leading provider of DNS, DHCP, and IPAM (DDI) management solutions.

Studies show that 91% of malware uses DNS to establish command and control callbacks, navigate through network pathways, and exfiltrate data. Cisco Umbrella fills this traditional gap in network security by blocking the outbound requests made to the malicious domains. When Umbrella customers point their network traffic to our resolvers they get visibility into the egress (external) IP address of their network. By leveraging capabilities such as the Umbrella roaming client, Umbrella virtual appliance or AnyConnect integration, customers can get additional attribution such as Active Directory user names, internal IP addresses and hostname of computers.

With the BlueCat DNS Edge integration, customers get greater visibility into the attribution of the external DNS query (ie. the source IP), as well as additional control with the use cases outlined below. This integration expands the use cases for DNS security into investigations of internal network traffic, restricting lateral movement, and decreasing forensic response times. The integration enables customers to get full visibility and protection for DNS traffic leaving your environment for users on and off network.

How It Works
DNS Edge deploys as a virtual machine at the “first hop” of any DNS query. This gives DNS Edge the ability to tie every request on the network to a specific device without the need for an agent. With the integration, BlueCat Edge sends additional attribution information (ie. internal client IP) for each external DNS query to Umbrella. This allows viewing of device-level data directly in Cisco Umbrella, providing more granular information into the source of network threats.

Expand network visibility and control with the Cisco Umbrella and BlueCat integration

Use Cases
Investigate internal, “east-west” traffic: BlueCat’s “first hop” position on the network provides visibility into internal, “east-west” traffic – that’s 60% of all network queries – which mostly go unmonitored today. You can investigate internal traffic within DNS Edge, or send it to a SIEM and correlate it with other threat indicators. Using DNS Edge to apply security policies to this internal traffic means that security teams can contain lateral movement associated with advanced persistent threats and malicious insiders.

BlueCat's Integration with Cisco Umbrella is now available

This screenshot shows how internal traffic appears in DNS Edge. Searching by source IP, you can see all internal and external domains queried by that device, and refine the search further by subdomains or any other factor you choose. In this example, you can see how a query to a known bad domain then results in lateral movement to other internal resources. This expands your visibility beyond the external domain that is shown in Umbrella.

Investigate lateral movement from IoT devices without agents: The threats to Internet of Things (IoT) devices are well known but difficult to properly control at an enterprise level. Since many IoT devices lack the capacity for security agents or any external software, blocking DNS queries as they leave the device is both a more elegant and more operationally feasible way to control a fleet of sensors at the enterprise level.

BlueCat's Integration with Cisco Umbrella is Now Available

Here’s an example of how a rogue IoT device would look in DNS Edge. This is a security camera which should only ever be hitting a single internal domain. When it unexpectedly connects to an external domain (in this case, easyridegolfcars.com), this is the first indicator of a compromise. Looking at the subsequent queries, you can see both lateral movement to internal domains as well as potential data exfiltration attempts to the same external site.

Improve forensic response time: With all of this new data at their disposal, security teams are cutting their response time significantly – from days to minutes. Forensic investigators and threat hunters no longer have to compile DNS logs from recursive servers to find a source device – the data is available right in Cisco Umbrella or can be exported directly to a SIEM for further analysis. The rich context available from internal DNS data adds a new dimension to that analysis as well, uncovering additional connections to malicious activity.

Improve network performance: Device-level DNS data is a critical source of intelligence on how networks are performing. With visibility into the source, type, and result of every DNS query across the network, operators can quickly spot DNS misconfigurations, architectural shortcomings, misbehaving clients, and a host of other issues that may be impacting network performance and client reliability.

Getting Started
With a few simple steps, you can connect Cisco Umbrella to DNS Edge and start applying security policies. This integration leverages the network device API integration available in Umbrella. This allows for additional attribution information to be sent from the BlueCat Edge device to Umbrella. This allows the investigating user to see the internal IP of the requesting client instead of just the egress IP that Umbrella would see in a traditional network deployment.

Follow the steps below to take advantage of this integration.

Start off by creating an API key in Cisco Umbrella – you’ll want to choose the “Umbrella Network Devices” option.
Add that API key into DNS Edge. To do this, go to the Cisco Umbrella Integration tab on the main menu of DNS Edge. Paste in the API key and the secret.
BlueCat's Integration with Cisco Umbrella is Now Available

Once the API key is inserted, DNS Edge will appear as a network device within Cisco Umbrella. Initially, it will appear as “offline”, but will automatically switch to “active” once the data starts flowing.

BlueCat's Integration with Cisco Umbrella is Now Available

3. Create a policy within Cisco Umbrella to handle external-facing traffic which comes from the DNS Edge service point (network device), just as you would do for any other network device.

BlueCat's Integration with Cisco Umbrella is Now Available

When looking at the DNS queries in Umbrella you will now see additional attribution. For example, in the screenshot below we can see which Edge device the query came from, alongside the internal IP of who made that request.

BlueCat's Integration with Cisco Umbrella is Now Available

WANT TO LEARN MORE?
Cisco and BlueCat recently presented this new integration at a Tech Field Day event. You can check out the session recording, as well as the Cisco Umbrella BlueCat integration data sheet to learn more.

This new integration with BlueCat adds one of the largest providers of DDI services to Umbrella’s integration arsenal, expanding on our existing integration with EfficientIP. If you’re heading to Cisco Live Barcelona next month be sure to stop by the BlueCat booth or La Taberna where Cisco Umbrella will be serving coffee and beer throughout the day. We would love to see you at the show!

Source :
https://umbrella.cisco.com/blog/2020/01/09/bluecats-dns-edge-is-cisco-umbrellas-newest-integration/

Smarter Cybersecurity: How SecOps Can Simplify Security Management, Oversight & Real-Time Decision-Making

Organizations continue to be alarmed by how easily cybercriminals can circumvent security defenses as malware, ransomware, cryptojacking and phishing attacks make headline news.

In addition, security operations lack visibility and awareness of unsafe network and user activities, network traffic irregularities, and unusual data access and utilization. This exacerbates the situation and creates a dangerous condition where security teams are too late or unable to:

Respond to security alerts or incidents at the speed and accuracy they need
Conduct thorough and effective investigations
Find answers fast enough to take corrective actions

Through close engagements with our top channel partners and key customers, SonicWall learned and understood these challenges first-hand. And through that collaboration, SonicWall developed and introduced the SonicWall Capture Security Center and two powerful risk management tools — Analytics and Risk Meters — to help customers solve these difficult problems.

Govern, comply and manage risk

The Capture Security Center is grounded on three core objectives:

‘Govern Centrally’ focuses on improving operational efficiencies and reducing overhead, while ‘Compliance’ and ‘Risk Management’ concentrate on the business value. These core objectives are interdependent as each leverages a common set of information, processes and technologies that help SecOps establish and deliver a strong, federated security defense and response services at the core of their security program.

Work faster and smarter — with less effort

Capture Security Center is a cloud solution organizations use to avoid operational overhead associated with software and hardware installation, upgrades and maintenance. This solution provides SecOps teams secure single sign-on (SSO) access to license, provision and manage their entire SonicWall security suite, including network, wireless, endpoint, email, mobile and cloud security products and services.

Think of it as a high-productivity tool that provides authorized users access to all available security services based on their role and access rules. The command console is assessible from any location and from any web-enabled PC. Once signed in, users are automatically granted access to everything — and are able do everything securely — using one cloud app.

The different tiles (shown below) are exactly what you’ll see when you log in to your Capture Security Center account. Users can easily navigate between tenants presented on the left panel and, on the right panel, manage any licensed cloud services registered to that tenant.

Available in January 2020, Capture Security Center version 1.8 adds capabilities for security teams to:

Access and manage SonicWall Email Security, Web Application Firewall (WAF) and Secure Mobile Access (SMA) products centrally
Push pre-defined configurations and security policies automatically to all zero-touch-enabled firewalls and wireless devices at scale to multiple sites globally

Study risks and threats in real time with real-world data

SonicWall Risk Meters is a threat monitoring and risk-rating tool we’ve integrated into the Capture Security Center. The tool is available to all SonicWall Capture Security Center customers at no additional cost.

Risk Meters, shown below, gives a direct line of sight into the cyberattacks affecting your security posture. Threat vectors are represented by colored arrows while threat types are shown as icons.

Clicking on an icon pops up an information panel that provides a detailed description of the threat. A tenant drop-down list allows you to view threat metrics at the tenant level. Visibility into the attacks targeting various defense layers helps guide your response to where immediate defensive actions are needed for a specific environment.

The first defense layer captures attacks blocked by the firewalls, Capture Advanced Threat Protection (ATP) sandbox and WAF.

The second defense layer reveals attacks targeting your SaaS appliances and email environments.

The third defense layer shows threats attacking your users’ devices. The DEFCON and Shield Level ratings displayed at the top-right corner provide the computed risk scores based on existing defense layers. Scores are adjusted as you toggle to activate or deactivate available services.

Taking this a step further, Risk Meters gains several important improvements in Capture Security Center 1.8. A new control panel presents users with customization functionalities to run analysis on a variety of threat data.

This new feature allows for experimenting “what-if” simulations at a more granular level to see how the risk score dynamically changes when sub-components of certain layer or multiple layers are added or removed.

Up until this release, risk scores were calculated based solely on security services from SonicWall. To give a more accurate account of customer security environments, CSC now factors in all security controls when calculating the risk scores, including non-SonicWall services.

The Risk Meters Control Panel allows users to configure and weigh third-party security controls into the calculated risk scores. Users can now review trends of different threat types and then compare them against regional and global averages to help identify which threat vectors to focus on and where to prepare their defenses.

Transforming threat data into decisions, decisions into actions

In conjunction with Capture Security Center 1.8, SonicWall releases Analytics 2.5 to introduce a new user-based analytics and reporting function to helps security teams visualize and conduct investigations into users’ actions and application and data usage.

Security teams can monitor or drill-down into the security data for more details about the user network traffic, access and connections, and what applications are being used and websites are frequently visited.

Also, security teams can investigate attacks that target a certain group of users and bandwidth costs associated with resource utilization to determine if policy-tuning or added configurations are needed to reduce their risk profile or optimize network performance.

About the SonicWall Capture Security Center

Capture Security Center is a scalable cloud security management system that’s a built-in and ready-to-use component of your SonicWall product or service. It features single-sign-on and ‘single-pane-of-glass’ management. It integrates the functionality of the Capture Cloud Platform to deliver robust security management, analytics and real-time threat intelligence for your entire portfolio of network, email, endpoint, mobile and cloud security resources.

Capture Security Center delivers a valuable team resource to help organizations control assets and defend entire networks from cyberattacks. Unify and synchronize updates and support, monitor security risks and fulfill regulatory compliance — all with greater clarity, precision and speed.

source :
https://blog.sonicwall.com/en-us/2019/12/smarter-cybersecurity-how-secops-can-simplify-security-management/

Cisco Umbrella’s Top 10 Cybersecurity Tips

By Lorraine Bellon
December 4, 2019

As the holidays are approaching, everyone is getting busier, and to-do lists keep getting longer. It feels like there’s never enough time in the day, and it’s easy to get distracted when time is in short supply. We’ve heard it all before — security should always be at the top of your to-do list — but we know that’s not always the case.

The weakest link in any security system is always the same — people. No matter how comprehensive, effective, or expensive your security tools are, it can all come crashing down if a single careless user makes one simple mistake. Every time someone decides to click on an unfamiliar link or open a suspicious email attachment, your organization could be facing massive data loss and significant disruption to your business.

Most IT professionals know how to stay safe online, but most users aren’t experts. To help you stay protected, we’ve compiled a list of things everyone should be thinking about whenever they’re using the Internet.

To help strengthen your organization’s cyber security practices, you can share this blog post with your users, or use these tips as a starting point for a security refresher training. You’ve probably heard many or all of these tips before, but repetition doesn’t hurt.

Here is our list of top 10 cybersecurity tips for anyone on the Internet (hint: that means you!).

Realize that you are an attractive target to attackers, and it can happen to anyone, anytime, anywhere, on any device. Don’t ever say “It won’t happen to me.”
Practice good password management. Use a strong mix of characters, and don’t use the same password for multiple sites. Don’t share your password with others and don’t write it down — no post-it note attached to your monitor! If you have trouble remembering your passwords, consider using a secure password vault. Then you only have to remember one (very strong) password.
Never leave your devices unattended. If you need to leave your computer, phone, or tablet for any length of time — no matter how short — lock the screen so no one can use it while you’re gone. If you keep sensitive information on a flash drive or external hard drive, make sure to lock those up as well.
Always be careful when clicking on attachments or links in email. If an email is unexpected or suspicious for any reason, don’t click on it. Even if it seems like it’s from your company CEO! Scammers can look up that information online and use it to target individuals in your company. Double check the URL of the website to see if it looks legitimate. Bad actors will often take advantage of spelling mistakes to direct you to a harmful domain.
Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust. Whether you’re using a friend’s phone, a public computer, or free Wi-Fi at a coffee shop — your data could be copied or stolen.
Back up your data regularly. Make sure your antivirus software is always turned on and up to date.
Be conscientious of what you plug in to your computer. Malware can be spread through infected flash drives, external hard drives, and even smartphones. You might want to help someone find their lost item, but end up falling into a trap.
Watch what you’re sharing on social networks. Criminals can find you and easily gain access to a shocking amount of information — where you go to school, where you work, when you’re on vacation — that could help them gain access to more valuable data.
Be wary of social engineering, where someone attempts to gain information from you through manipulation. If someone calls or emails you asking for sensitive information like login information or passwords, it’s okay to say no. You can always call the company directly to verify credentials before giving out any information.
Be sure to monitor your accounts for any suspicious activity. If you see something unfamiliar, it could be a sign that you’ve been compromised. Don’t be afraid to speak up and tell your IT team if you notice anything unusual. Remember, you’re the victim of the attack, and you’re not in trouble!

Share this list with your users and help them understand what IT teams already do — that cyber security is a team sport.

Of course, it’s important to have strong security tools to protect your users too. But how do you know if your current set of tools is enough? Check out our infographic to learn about 3 red flags you’re not getting what you were promised from your security stack.

There’s no substitute for educating your users, but defense matters too. Nothing is more important than your first line of defense. Because it’s built into the foundation of the internet, Cisco Umbrella can protect your network from malware, ransomware, malicious cryptomining, and other advanced threats by blocking connections at the DNS layer. Your users may never thank you, but your security operations team will!

Source
https://umbrella.cisco.com/blog/2019/12/04/cisco-umbrella-top-10-cybersecurity-tips/