Intel and Cybereason have partnered to build anti-ransomware defenses into the chipmaker’s newly announced 11th generation Core vPro business-class processors.
The hardware-based security enhancements are baked into Intel’s vPro platform via its Hardware Shield and Threat Detection Technology (TDT), enabling profiling and detection of ransomware and other threats that have an impact on the CPU performance.
“The joint solution represents the first instance where PC hardware plays a direct role in ransomware defenses to better protect enterprise endpoints from costly attacks,” Cybereason said.
Exclusive to vPro, Intel Hardware Shield provides protections against firmware-level attacks targeting the BIOS, thereby ensuring that the operating system (OS) runs on legitimate hardware as well as minimizing the risk of malicious code injection by locking down memory in the BIOS when the software is running to help prevent planted malware from compromising the OS.
Intel TDT, on the other hand, leverages a combination of CPU telemetry data and machine learning-based heuristics to identify anomalous attack behavior — including polymorphic malware, file-less scripts, crypto mining, and ransomware infections — in real-time.
“The Intel [CPU performance monitoring unit] sits beneath applications, the OS, and virtualization layers on the system and delivers a more accurate representation of active threats, system-wide,” Intel said. “As threats are detected in real-time, Intel TDT sends a high-fidelity signal that can trigger remediation workflows in the security vendor’s code.”
The development comes as ransomware attacks exploded in number last year, fueled in part by the COVID-19 pandemic, with average payout increasing from about $84,000 in 2019 to about $233,000 last year.
The ransomware infections have also led to a spike in “double extortion,” where cybercriminals steal sensitive data before deploying the ransomware and hold it hostage in hopes that the victims will pay up rather than risk having their information made public — thus completely undermining the practice of recovering from data backups and avoid paying ransoms.
What’s more, malware operators are increasingly extending their focus beyond the operating system of the device to lower layers to potentially deploy bootkits and take complete control of an infected system.
Last month, researchers detailed a new “TrickBoot” feature in TrickBot that can allow attackers to inject malicious code in the UEFI/BIOS firmware of a device to achieve persistence, avoid detection and carry out destructive or espionage-focused campaigns.
Viewed in that light, the collaboration between Intel and Cybereason is a step in the right direction, making it easier to detect and eradicate malware from the chip-level all the way to the endpoint.
“Cybereason’s multi-layered protection, in collaboration with Intel Threat Detection Technology, will enable full-stack visibility to swiftly detect and block ransomware attacks before the data can be encrypted or exfiltrated,” the companies said.
One of the many features of an Active Directory Password Policy is the maximum password age. Traditional Active Directory environments have long using password aging as a means to bolster password security. Native password aging in the default Active Directory Password Policy is relatively limited in configuration settings.
Let’s take a look at a few best practices that have changed in regards to password aging. What controls can you enforce in regards to password aging using the default Active Directory Password Policy? Are there better tools that organizations can use regarding controlling the maximum password age for Active Directory user accounts?
What password aging best practices have changed?
Password aging for Active Directory user accounts has long been a controversial topic in security best practices.
While many organizations still apply more traditional password aging rules, noted security organizations have provided updated password aging guidance. Microsoft has said that they are dropping the password-expiration policies from the Security baseline for Windows 10 v1903 and Windows Server v1903. The National Institute of Standards and Technology (NIST) has long offered a cybersecurity framework and security best practice recommendations.
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.” NIST helps to explain the guidance change in their FAQ page covering the Digital Identity Guidelines.
It states: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”
With the new guidance from the above organizations and many others, security experts acknowledge that password aging, at least in itself, is not necessarily a good strategy to prevent the compromise of passwords in the environment.
The recent changes in password aging guidance also apply to traditional Microsoft Active Directory Password Policies.
Active Directory Password Policy Password Aging
The capabilities of the password change policies in default Active Directory Password Policies are limited. You can configure the maximum password age, and that is all. By default, Active Directory includes the following Password Policy settings:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Minimum password length audit
Password must meet complexity requirements
Store passwords using reversible encryption
When you double click the maximum password age, you can configure the maximum number of days a user can use the same password.
When you look at the explanation given for the password age, you will see the following in the Group Policy setting:
“This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.”
Defining the maximum password age with Active Directory Password Policy
With the default policy setting, you really can either turn the policy on or off and then set the number of days before the user password expires. What if you had further options to control the maximum password age and set different values based on the password complexity?
Specops Length Based Password Policy
As mentioned, recent guidance from many cybersecurity best practice authorities recommends against forced password changes and details the reasons for this change. However, many organizations may still leverage password aging as a part of their overall password security strategy to protect against user passwords falling into the wrong hands. What if IT admins had features in addition to what is provided by Active Directory?
Specops Password Policy provides many additional features when compared to the default Active Directory Password Policy settings, including password expiration. One of the options contained in the Specops Password Policy is called “Length based password aging.
Using this setting, organizations can define different “levels” of password expiration based on the user password’s length. It allows much more granularity in how organizations configure password aging in an Active Directory environment compared to using the default Active Directory Password Policy configuration settings.
It also allows targeting the weakest passwords in the environment and forcing these to age out the quickest. You will note in the screenshot. The length-based password aging in Specops Password Policy is highly configurable.
It includes the following settings:
Number of expiration levels – Enter how many expiration levels there will be. An expiration level determines how many extra days the user will have until their password expires and they are required to change it. This depends on how long the user’s password is. To increase the number of levels, move the slider to the right. The maximum number of expiration levels that can exist is 5.
Characters per level – The number of additional characters per level that define the extra days in password expiration
Extra days per level – How many additional expiration days each level is worth.
Disable expiration for the last level – Passwords that meet the requirements for the final expiration level in the list will not expire.
Configuring the Length based password policy in Specops Password Policy
Specops allows easily notifying end-users when their password is close to expiring. It will inform end-users at login or by way of sending an email notification. You can configure the days before expiration value for each of these settings.
Configuring password expiration notifications in Specops Password Policy
Organizations define the minimum and maximum password length configurations in the Password Rules area of the Specops Password Policy configuration. If you change the minimum and maximum password length configuration, the password length values in each level of the length-based password expiration will change as well.
Configuring the minimum and maximum password length
Combined with other Specops Password Policy features, such as breached password protection, the length-based password expiration strengthens enterprise password policies for both on-premises and remote workers.
Wrapping Up
Password aging has long been a feature of Active Directory Password Policies in most enterprise environments. However, as attackers get better at compromising passwords, new security best practice guidance is no longer recommending organizations make use of standard password aging.
Specops Password Policy provides compelling password aging capabilities that allow extending password aging features compared to default Active Directory Password Policies. By adding expiration levels, Specops Password Policy allows effectively targeting weak passwords in the environment by quickly aging these passwords out. End-users can use strong passwords much longer.
Organizations can even decide never to expire specific passwords that meet the defined password length. Using Specops Password Policy features, including length-based password expiration, helps to ensure more robust password security in the environment. Click here to learn more.
In today’s connected world, almost everyone has at least one internet-connected device. With the number of these devices on the rise, it is important to implement a security strategy to minimize their potential for exploitation (see Securing the Internet of Things). Internet-connected devices may be used by nefarious entities to collect personal information, steal identities, compromise financial data, and silently listen to—or watch—users. Taking a few precautions in the configuration and use of your devices can help prevent this type of activity.
What are the risks to your wireless network?
Whether it’s a home or business network, the risks to an unsecured wireless network are the same. Some of the risks include:
Piggybacking
If you fail to secure your wireless network, anyone with a wireless-enabled computer in range of your access point can use your connection. The typical indoor broadcast range of an access point is 150–300 feet. Outdoors, this range may extend as far as 1,000 feet. So, if your neighborhood is closely settled, or if you live in an apartment or condominium, failure to secure your wireless network could open your internet connection to many unintended users. These users may be able to conduct illegal activity, monitor and capture your web traffic, or steal personal files.
Wardriving
Wardriving is a specific kind of piggybacking. The broadcast range of a wireless access point can make internet connections available outside your home, even as far away as your street. Savvy computer users know this, and some have made a hobby out of driving through cities and neighborhoods with a wireless-equipped computer—sometimes with a powerful antenna—searching for unsecured wireless networks. This practice is known as “wardriving.”
Evil Twin Attacks
In an evil twin attack, an adversary gathers information about a public network access point, then sets up their system to impersonate it. The adversary uses a broadcast signal stronger than the one generated by the legitimate access point; then, unsuspecting users connect using the stronger signal. Because the victim is connecting to the internet through the attacker’s system, it’s easy for the attacker to use specialized tools to read any data the victim sends over the internet. This data may include credit card numbers, username and password combinations, and other personal information. Always confirm the name and password of a public Wi-Fi hotspot prior to use. This will ensure you are connecting to a trusted access point.
Wireless Sniffing
Many public access points are not secured and the traffic they carry is not encrypted. This can put your sensitive communications or transactions at risk. Because your connection is being transmitted “in the clear,” malicious actors could use sniffing tools to obtain sensitive information such as passwords or credit card numbers. Ensure that all the access points you connect to use at least WPA2 encryption.
Unauthorized Computer Access
An unsecured public wireless network combined with unsecured file sharing could allow a malicious user to access any directories and files you have unintentionally made available for sharing. Ensure that when you connect your devices to public networks, you deny sharing files and folders. Only allow sharing on recognized home networks and only while it is necessary to share items. When not needed, ensure that file sharing is disabled. This will help prevent an unknown attacker from accessing your device’s files.
Shoulder Surfing
In public areas malicious actors can simply glance over your shoulder as you type. By simply watching you, they can steal sensitive or personal information. Screen protectors that prevent shoulder-surfers from seeing your device screen can be purchased for little money. For smaller devices, such as phones, be cognizant of your surroundings while viewing sensitive information or entering passwords.
Theft of Mobile Devices
Not all attackers rely on gaining access to your data via wireless means. By physically stealing your device, attackers could have unrestricted access to all of its data, as well as any connected cloud accounts. Taking measures to protect your devices from loss or theft is important, but should the worst happen, a little preparation may protect the data inside. Most mobile devices, including laptop computers, now have the ability to fully encrypt their stored data—making devices useless to attackers who cannot provide the proper password or personal identification number (PIN). In addition to encrypting device content, it is also advisable to configure your device’s applications to request login information before allowing access to any cloud-based information. Last, individually encrypt or password-protect files that contain personal or sensitive information. This will afford yet another layer of protection in the event an attacker is able to gain access to your device.
What can you do to minimize the risks to your wireless network?
Change default passwords. Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily available to obtain online, and so provide only marginal protection. Changing default passwords makes it harder for attackers to access a device. Use and periodic changing of complex passwords is your first line of defense in protecting your device. (See Choosing and Protecting Passwords.)
Restrict access. Only allow authorized users to access your network. Each piece of hardware connected to a network has a media access control (MAC) address. You can restrict access to your network by filtering these MAC addresses. Consult your user documentation for specific information about enabling these features. You can also utilize the “guest” account, which is a widely used feature on many wireless routers. This feature allows you to grant wireless access to guests on a separate wireless channel with a separate password, while maintaining the privacy of your primary credentials.
Encrypt the data on your network. Encrypting your wireless data prevents anyone who might be able to access your network from viewing it. There are several encryption protocols available to provide this protection. Wi-Fi Protected Access (WPA), WPA2, and WPA3 encrypt information being transmitted between wireless routers and wireless devices. WPA3 is currently the strongest encryption. WPA and WPA2 are still available; however, it is advisable to use equipment that specifically supports WPA3, as using the other protocols could leave your network open to exploitation.
Protect your Service Set Identifier (SSID). To prevent outsiders from easily accessing your network, avoid publicizing your SSID. All Wi-Fi routers allow users to protect their device’s SSID, which makes it more difficult for attackers to find a network. At the very least, change your SSID to something unique. Leaving it as the manufacturer’s default could allow a potential attacker to identify the type of router and possibly exploit any known vulnerabilities.
Install a firewall. Consider installing a firewall directly on your wireless devices (a host-based firewall), as well as on your home network (a router- or modem-based firewall). Attackers who can directly tap into your wireless network may be able to circumvent your network firewall—a host-based firewall will add a layer of protection to the data on your computer (see Understanding Firewalls for Home and Small Office Use).
Maintain antivirus software. Install antivirus software and keep your virus definitions up to date. Many antivirus programs also have additional features that detect or protect against spyware and adware (see Protecting Against Malicious Code and What is Cybersecurity?).
Use file sharing with caution. File sharing between devices should be disabled when not needed. You should always choose to only allow file sharing over home or work networks, never on public networks. You may want to consider creating a dedicated directory for file sharing and restrict access to all other directories. In addition, you should password protect anything you share. Never open an entire hard drive for file sharing (see Choosing and Protecting Passwords).
Keep your access point software patched and up to date. The manufacturer of your wireless access point will periodically release updates to and patches for a device’s software and firmware. Be sure to check the manufacturer’s website regularly for any updates or patches for your device.
Check your internet provider’s or router manufacturer’s wireless security options. Your internet service provider and router manufacturer may provide information or resources to assist in securing your wireless network. Check the customer support area of their websites for specific suggestions or instructions.
Connect using a Virtual Private Network (VPN). Many companies and organizations have a VPN. VPNs allow employees to connect securely to their network when away from the office. VPNs encrypt connections at the sending and receiving ends and keep out traffic that is not properly encrypted. If a VPN is available to you, make sure you log onto it any time you need to use a public wireless access point.
WiFi Internet has added much convenience to our daily lives, with its easy accessibility in public places such as restaurants, hotels, and cafes; malls, parks, and even in airplanes, where we can connect online for faster transactions and communication. Like any online technology, however, it’s vulnerable to hacker abuse, posing potential threats to you and your mobile devices.
The hacker can get between you and the WiFi hotspot when hooked to the network, to perform man-in-the-middle attacks and spy on your connection.
The hacker can “spoof” the legitimate WiFi, creating an “evil twin” that you log onto without noticing it’s a fake—which again, lets them spy on your data in transit.
A hacker can “sniff” the packets on the unencrypted network you’re attached to, reading it with software like WireShark, for identity clues they can analyze and use against you later.
They can also “hijack” a session in real-time, reading the cookies sent to your device during a session, to gain access to private accounts you’re logged into. This is typically known as “sidejacking.”
Finally, they can “shoulder-surf,” simply watching you over your shoulder, to view your screens and track your keystrokes. In crowded places, it’s easy for hackers to “eavesdrop” on your connection.
Connect only to more trusted public networks, like Starbucks, rather than any random public WiFi that shows up in your WiFi connection settings, as in a shopping mall or park.
Connect only to websites that show HTTPS, not just HTTP, which means the data transmission between the site and you is encrypted.
Don’t provide too much personal data, such as email addresses and phone numbers, if the WiFi network requires it to connect. Better to not connect than risk unwanted ads or even identity theft.
Don’t do public file or print sharing over public WiFi networks. This is even more true of financial transactions: banking on unsecured WiFi networks is an invitation to hackers to steal your data in transit.
Use a Virtual Private Network (VPN) on your mobile device, so you can be certain your data is encrypted to and from your mobile device.
The last piece of advice should probably be your first line of defense. Trend Micro WiFi Protection, for example, protects your devices from online threats by providing just such a VPN. It safeguards your private information when using public hotspots by automatically turning on when the device connects to an unsecured WiFi network. This ensures total anonymity from public servers and hides your data from hacker inspection by encrypting your data over the network. Trend Micro WiFi Protection also includes built-in web threat protection that protects you from online frauds and scams that can come your way via malicious links—and notifies you if there are any WiFi security issues on the network itself. You’ll be happy to also know that Trend Micro WiFi Protection does not affect your WiFi speed as it connects to its local or regional secured server.
Stay safe on public WiFi! Trend Micro WiFi Protection is available for PC, Mac, Android and iOSdevices.
