Chuck Leaver – The Girl Scouts Are Raising The Profile Of Women In Cybersecurity

Written By Kim Foster And Presented By Chuck Leaver


It’s clear that cybersecurity is getting more international attention than before, and businesses are rightfully worried about whether they are training enough security specialists to meet growing security threats. While this concern is felt across the commercial world, few people expected the Girl Scouts to hear the call.

Beginning this fall, countless Girl Scouts nationwide have the chance to earn cybersecurity badges. Girl Scouts of the U.S.A. teamed up with security company (and Ziften technology partner) Palo Alto Networks to create a curriculum that teaches girls the essentials of computer security. According to Sylvia Acevedo, CEO of GSUSA, they developed the program based on demand from the girls themselves to protect themselves, their computers, and their household networks.

The timing is good, given that according to a study released in 2017 by (ISC)², 1.8 million cybersecurity positions will be unfilled by 2022. Combine increased demand for security pros with stagnant representation of women – only 11 percent for the past several years – and our cybersecurity staffing difficulties are poised to get worse without significant effort on behalf of the industry toward better inclusion.

Obviously, we can’t rely on the Girl Scouts to do all of the heavy lifting. Broader educational efforts are a given: according to the Computing Technology Industry Association, 69% of U.S. women who do not have a career in information technology cited not knowing what opportunities were available to them as the reason they did not pursue one. One of the great untapped opportunities of our industry is the recruitment of more diverse specialists. Targeted educational programs and increased awareness must be a high priority. Raytheon’s Women’s Cyber Security Scholarship is a fine example.

To reap the rewards of having women invested in shaping the future of technology, it is important to dispel the exclusionary perception of “the boys’ club” and keep in mind the groundbreaking contributions made by women of the past. Many people know that the very first computer programmer was a woman – Ada Lovelace. Then there is the work of other well-known leaders such as Grace Hopper, Hedy Lamarr, or Ida Rhodes, all of whom may stir some vague recollection among those in our industry. Female mathematicians wrote programs for one of the world’s first fully electronic general-purpose computers: Kay McNulty, Jean Jennings Bartik, Betty Snyder, Marlyn Meltzer, Fran Bilas, and Ruth Lichterman were just a few of the original programmers of the Electronic Numerical Integrator and Computer (better known as ENIAC), though their important work was not widely recognized for over half a century. In fact, when historians first discovered photos of the women in the mid-1980s, they mistook them for “Refrigerator Ladies” – models posing in front of the machines.

It’s worth noting that many think the same “boys’ club” mentality that neglected the accomplishments of women in history has led to limited leadership positions and lower wages for contemporary women in cybersecurity, along with outright exclusion of female experts from speaking opportunities at industry conferences. As trends go, excluding brilliant people with relevant knowledge from influencing the cybersecurity industry is an unsustainable one if we wish to keep up with the bad guys.

Whether or not we collectively take action to promote more inclusive workplaces – by educating, hiring, and promoting women in larger numbers – it is heartening to see an organization synonymous with fundraising cookies successfully alert an entire industry to the fact that girls are really interested in the field. As the Girl Scouts of today are offered the tools to pursue a career in information security, we should expect that they will become the very women who eventually reprogram our expectations of what a cybersecurity professional looks like.

Chuck Leaver – A Mac Is A Security Risk Too

Written By Roark Pollock And Presented By Chuck Leaver


Got Macs? Great. I have one too. Have you locked your Macs down? If not, your enterprise has a potentially serious security weak point.

It’s a misconception to believe that Macintosh computers are inherently secure and don’t need to be protected against malware or hacking. Many believe Macs are, arguably, more secure than Windows desktops and notebooks, owing to the design of the Unix-derived kernel. Certainly, we see fewer security patches issued for macOS by Apple than security patches for Windows by Microsoft.

Fewer security defects is not zero defects. And safer doesn’t mean 100% safe.

Some Mac Vulnerability Examples

Take, for example, the macOS 10.13.3 update, released on January 23, 2018, for the current version of the Mac’s operating system. Like most current computers running Intel processors, the Mac was susceptible to the Meltdown flaw, which meant that malicious applications might be able to read kernel memory.

Apple needed to patch this defect – as well as numerous others.

For instance, another flaw could allow maliciously crafted audio files to execute arbitrary code, which might break the system’s security integrity. Apple had to patch it.

A kernel flaw meant that a malicious application might be able to execute arbitrary code with kernel privileges, giving attackers access to anything on the device. Apple had to patch the kernel.

A flaw in the WebKit library meant that processing maliciously crafted web content might result in arbitrary code execution. Apple had to patch WebKit.

Another flaw meant that processing a malicious text message might result in application denial of service, freezing the system. Whoops. Apple had to patch that flaw too.

Don’t Make The Same Errors as Customers

Many consumers, believing all the hype about how wonderful macOS is, choose to run without protection, relying on macOS and its built-in application firewall to block all manner of bad code. Bad news: there’s no built-in anti-virus or anti-malware, and the firewall can only do so much. And many businesses prefer to overlook macOS when it comes to visibility for posture monitoring and hardening, and threat detection / threat hunting.

Consumers often make these assumptions because they don’t know any better. IT and security professionals should never make the same mistakes – we should know better.

If a Mac user installs bad software, or adds a malicious browser extension, or opens a bad email attachment, or clicks a phishing link or a nasty ad, their machine is compromised – just like a Windows computer. So within the enterprise, we need to be prepared to handle these issues, even with Mac computers.

What To Do?

What do you need to do?

– Install anti-virus and anti-malware on corporate Macs – or any Mac that has access to your organization’s content, servers, or networks.
– Monitor the state of Macs, just as you would with Windows computers.
– Be proactive in applying patches and fixes to Macs, again, just as with Windows.

You should also remove from your corporate environment any Macs that are too old to run the most recent version of macOS. Apple is pretty good at supporting old hardware, so a lot of models still qualify. Here is Apple’s list of Mac models that can run macOS 10.13:

– MacBook (Late 2009 or newer).
– MacBook Pro (Mid 2010 or more recent).
– MacBook Air (Late 2010 or more recent).
– Mac mini (Mid 2010 or newer).
– iMac (Late 2009 or newer).
– Mac Pro (Mid 2010 or newer).

When the next version of macOS comes out, some of your older devices might fall off the list. They ought to fall off your inventory as well.

Ziften’s Perspective

At Ziften, with our Zenith security platform, we strive to preserve visibility and security feature parity between Windows systems, macOS systems, and Linux-based systems.

In fact, we have partnered with Microsoft to integrate our Zenith security platform with Microsoft Windows Defender Advanced Threat Protection (ATP) for macOS and Linux monitoring and threat detection and response coverage. The integration enables customers to detect, view, investigate, and respond to advanced cyber-attacks on macOS computers (as well as Windows and Linux-based endpoints) directly within the Microsoft WDATP Management Console.

From our perspective, it has always been important to give your security teams confidence that every desktop / laptop endpoint is protected – and therefore, that the enterprise is protected.

It can be hard to believe, but 91% of businesses say they have some Mac computers. If those computers aren’t protected, and properly integrated into your endpoint security systems, the enterprise is not secure. It’s just that simple.

Chuck Leaver – The Advantages Of The Security Industry Working Together

Written By Chuck Leaver

No one can solve cybersecurity alone. No single solution company, no single provider, no one can take on the whole thing. Tackling security requires cooperation between different companies.

In some cases, those players are at different levels of the solution stack – some install on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

Sometimes, those companies each have a particular best-of-breed piece of the puzzle: one player specializes in e-mail, others in crypto, others in disrupting the kill chain.

From the enterprise customer’s point of view, effective security requires assembling a set of tools and services into a working whole. From the vendors’ viewpoint, effective security requires strategic alliances. Sure, each vendor, whether making hardware, writing software, or offering services, has its own products and intellectual property. Nevertheless, we all work better when we work together to enable integrations and make life easy for our resellers, our integrators – and the end customer.

Paradoxically, not only can vendors make more money through strategic alliances, but end customers will save money at the same time. Why? A number of factors.

Customers don’t waste their money (and time) on products with overlapping capabilities. Customers don’t need to waste money (and time) building custom integrations. And customers won’t waste money (and time) trying to debug systems that fight each other, such as by triggering extra alerts or hard-to-find incompatibilities.

The Ultimate Trifecta – Products, Solutions, and Channels

All three work together to meet the needs of the business customer, and also benefit the vendors, who can concentrate on doing what they do best, relying on strategic alliances to build complete solutions from the jigsaw puzzle pieces.

Generally speaking, those solutions require more than simple APIs – which is where strategic alliances come in.

Think about the integration between products (like a network threat scanner or Ziften’s endpoint visibility solutions) and analytics offerings. End customers don’t want to run a whole load of different dashboards, and they don’t want to manually correlate anomaly findings from many different security tools. Strategic alliances between product vendors and analytics solutions – whether on-site or in the cloud – make sense for everybody. That includes the channel, who can sell and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least hassle possible.

Or think about the integration of products with managed security services providers (MSSPs). They want to offer prospective clients pre-packaged solutions, ideally ones that can run in their multi-tenant clouds. That means the products need to be scalable, with synergistic license terms. They must be well integrated with the MSSP’s existing dashboards and administrative control systems. And naturally, they have to feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other solution vendors, and with major MSSPs as well.

How about major value-added resellers (VARs)? VARs need solutions that are easy to understand, easy to support, and easy to add into existing security deployments. This makes new solutions more attractive, more cost effective, simpler to install, easier to support – and strengthens the VAR’s client relationships.

What do they look for when adding to their solution portfolio? New products that have strategic alliances with their existing product offerings. If you don’t dovetail into the VAR’s portfolio partners, well, you probably don’t dovetail.

Two Examples: Fortinet and Microsoft

No one can resolve cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric by means of Fabric APIs and are able to actively collect and share information to enhance threat intelligence, improve overall threat awareness, and broaden threat response from end to end. As Fortinet explains in their Fortinet Fabric-Ready Partner Program Overview, “partner inclusion in the program signals to customers and the industry as a whole that the partner has actually teamed up with Fortinet and leveraged the Fortinet Fabric APIs to develop verified, end-to-end security options.”

Likewise, Microsoft is pursuing a similar approach with the Windows Defender Advanced Threat Protection program. Microsoft recently selected just a few key partners for this security program, saying, “We’ve spoken with our customers that they desire protection and visibility into possible hazards on all their device platforms and we’ve relied on partners to assist address this need. Windows Defender ATP provides security groups a single pane of glass for their endpoint security and now by working together with these partners, our customers can extend their ATP service to their entire install base.”

We’re the first to admit: Ziften cannot solve security alone. No one can. The best way forward for the security industry is to move forward together, through strategic alliances combining product vendors, service providers, and the channel. That way, we all win – vendors, service providers, channel partners, and business customers alike.

Chuck Leaver – Why You Must Have Flexibility With SysSecOps

Written by Chuck Leaver


Endpoints are everywhere. The device you are reading this on is an endpoint, whether it’s a desktop, notebook, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it’s connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you are in control of bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

All of them are endpoints, and each and every one is important to manage.

They have to be managed from the IT side (by IT administrators, who ideally have appropriate IT-level visibility of each connected thing, like those security cameras). That management means making sure they’re connected to the right network zones or VLANs, that their software and configurations are up to date, that they’re not flooding the network with bad packets due to electrical faults, and so on.

Those endpoints also need to be managed from the security perspective by CISO teams. Every endpoint is a potential entrance into the business network, which means the devices must be locked down – default passwords never used, all security patches applied, no unapproved software installed on the device’s embedded web server. (Krebs describes how, in 2014, hackers got into Target’s network via its HVAC system.)

Systems and Security Operations

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the correct workflows, IT and security staff get the same data and can collaborate. Sure, they each have different tasks, and react differently to alerts, but they’re all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Ziften Zenith Test Report

We were thrilled when the recently released Broadband-Testing report praised Zenith, Ziften’s flagship endpoint security and management platform, as ideal for this kind of situation. To quote from the report, “With its Zenith platform, Ziften has a solution that ticks all the SysSecOps boxes and more. Because its meaning of ‘endpoints’ extends into the Data Centre (DC) and the world of virtualisation, it holds true blanket protection.”

Broadband-Testing is an independent testing facility and service based in Andorra. They explain themselves as, “Broadband-Testing communicates with suppliers, media, investment groups and VCs, experts and consultancies alike. Testing covers all elements of networking hardware and software, from ease of use and performance, through to progressively important aspects such as device power intake measurement.”

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system should go everywhere and do anything, at scale. Broadband-Testing wrote:

“The configuration/deployment options and architecture of Ziften Zenith permit a really flexible implementation, on or off-premise, or hybrid. Agent deployment is simplicity itself with zero user requirements and no endpoint invasion. Agent footprint is also very little, unlike numerous endpoint security services. Scalability also looks to be excellent – the most significant customer implementation to this day remains in excess of 110,000 endpoints.”

We can’t help but be proud of our product Zenith, and of what Broadband-Testing concluded:

“The introduction of SysSecOps – integrating systems and security operations – is an uncommon moment in IT; a hype-free, sound judgment approach to refocusing on how systems and security are managed inside a business.

Key to Ziften’s endpoint technique in this category is total visibility – after all, how can you protect what you can’t see or do not know exists in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Deployment is simple, specifically in a cloud-based situation as evaluated. Scalability also looks to be excellent – the most significant customer implementation to this day is in excess of 110,000 endpoints.

Data analysis options are comprehensive with a huge quantity of info offered from the Ziften console – a single view of the whole endpoint infrastructure. Any object can be analysed – e.g. Binaries, applications, systems – and, from a procedure, an action can be defined as an automated function, such as quarantining a system in case of a possibly harmful binary being found. Several reports are predefined covering all aspects of analysis. Alerts may be set for any occurrence. Furthermore, Ziften provides the principle of extensions for customized data collection, beyond the reach of a lot of vendors.

And with its External API performance, endpoint data gathered by Ziften can be shared with most third party applications, thus including more worth to a client’s existing security and analytics infrastructure investment.

Overall, Ziften has an extremely competitive offering in what is a really worthwhile and emerging IT classification through SysSecOps that is extremely deserving of evaluation.”

We hope you’ll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes with the true blanket coverage that both your IT and CISO teams have been looking for.

Chuck Leaver – Ziften Can Assist With Meltdown And Spectre

Written By Josh Harriman And Presented By Chuck Leaver


Ziften is aware of the latest exploits impacting practically everyone who works with a computer or digital device. While this is a very broad statement, we at Ziften are working diligently to help our clients find vulnerable assets, remediate those vulnerable systems, and monitor systems after the fix for potential performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they develop. Today, most of the conversation is around PoC (Proof of Concept) code and what can in theory happen. This will quickly change as attackers take advantage of these opportunities. The exploits I’m speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were found and what is being done by the industry to find workarounds for these hardware issues. To learn more, I feel it’s appropriate to go right to the source (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Help?

A key area where Ziften helps in case of an attack by either method is monitoring for data exfiltration. Given that these attacks are essentially stealing data they should not have access to, we believe the first and simplest technique to protect yourself is to take that confidential data and remove it from these systems. This data might be passwords, login credentials, or even security keys for SSH or VPN access.

Ziften checks and alerts when processes that typically do not make network connections begin exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and / or kill the processes associated with these events. Ziften Labs is monitoring the development of the attacks that are likely to become available in the real world related to these vulnerabilities, so we can better protect our customers.
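One way to implement the check described above (a process that never talked to the network during a baseline period starts making connections), written here as an added Python illustration that is not Ziften’s or Zenith’s code; the hosts, process names, addresses and the split into a baseline and a current window are all constructed for the example:

```python
"""Alerting when a process that never made network connections starts to.

Added illustration of the exfiltration-monitoring idea described above; it
is not Ziften's implementation. Telemetry tuples (host, process, remote IP,
remote port) are constructed, using documentation-range addresses.
"""

# Baseline window: every process observed running on each host, whether or
# not it touched the network, so "never connected" is an actual observation
# rather than an absence of data.
BASELINE_PROCESSES = {
    "ws01": {"chrome.exe", "outlook.exe", "svchost.exe", "excel.exe", "calc.exe"},
    "ws02": {"chrome.exe", "outlook.exe", "svchost.exe", "excel.exe"},
}
BASELINE_CONNECTIONS = [
    ("ws01", "chrome.exe", "93.184.216.34", 443),
    ("ws01", "outlook.exe", "198.51.100.10", 443),
    ("ws02", "chrome.exe", "93.184.216.34", 443),
    ("ws02", "outlook.exe", "198.51.100.10", 443),
    ("ws02", "svchost.exe", "10.0.0.5", 53),
]
# Current window to evaluate against the baseline (constructed).
CURRENT_CONNECTIONS = [
    ("ws01", "chrome.exe", "203.0.113.44", 443),   # new destination, known talker
    ("ws01", "calc.exe", "203.0.113.23", 8443),    # never connected before
    ("ws01", "calc.exe", "203.0.113.23", 8443),    # repeat: one alert, not two
    ("ws02", "excel.exe", "203.0.113.7", 80),      # never connected before
    ("ws02", "svchost.exe", "10.0.0.5", 53),       # normal
    ("ws02", "notepad.exe", "203.0.113.9", 443),   # not in baseline at all
]


def build_baseline(processes, connections):
    """Map (host, process) -> set of (ip, port) seen during the baseline.
    Processes that ran but never connected get an empty set."""
    baseline = {}
    for host, procs in processes.items():
        for proc in procs:
            baseline.setdefault((host, proc), set())
    for host, proc, ip, port in connections:
        baseline.setdefault((host, proc), set()).add((ip, port))
    return baseline


def find_new_talkers(baseline, connections):
    """Return one alert per (host, process) whose current connections have
    no precedent in the baseline. Known talkers reaching new destinations
    are deliberately not alerted: that is normal for browsers and mail."""
    alerts = {}
    for host, proc, ip, port in connections:
        key = (host, proc)
        if key not in baseline:
            reason = "process not observed during baseline"
        elif not baseline[key]:
            reason = "process observed but never connected during baseline"
        else:
            continue
        alert = alerts.setdefault(key, {"host": host, "process": proc,
                                        "reason": reason, "remotes": set()})
        alert["remotes"].add(f"{ip}:{port}")
    return [alerts[k] for k in sorted(alerts)]


def hosts_to_quarantine(alerts):
    """Hosts with at least one alert: the candidates for network isolation,
    which is the response the article describes for these events."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_PROCESSES, BASELINE_CONNECTIONS)
    found = find_new_talkers(baseline, CURRENT_CONNECTIONS)
    for a in found:
        print(f"{a['host']} {a['process']}: {a['reason']} -> {sorted(a['remotes'])}")
    print("quarantine candidates:", hosts_to_quarantine(found))
```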

Discover – How am I Vulnerable?

Let’s look at areas we can monitor for vulnerable systems. Zenith, Ziften’s flagship product, can easily and quickly find operating systems that need to be patched. Although these exploits are in the CPU chips themselves (Intel, AMD and ARM), the fixes that will be available will be delivered as updates to the operating system and, in other cases, to the web browser you use as well.

In Figure 1 below, you can see one example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track patch installs that failed. The example shown below is not for Meltdown or Spectre, but the KB and / or patch number for the environment could be populated on this report to reveal the vulnerable systems.

The same is true for browser updates. Zenith keeps an eye on software versions running in the environment. That data can be used to understand whether all browsers are up to date once the fixes appear.

Speaking of browsers, one area that has already picked up steam in the attack scenarios is the use of JavaScript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like the Edge browser do not use JavaScript any longer, and mitigations are available for other web browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out soon.

Fix – Exactly What Can I Do Now?

Once you have identified vulnerable systems in your environment you certainly want to patch and fix them as soon as possible. One caution to take into consideration: there are reports of specific anti-virus products causing stability issues when the patches are applied. Details about these problems are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith can also help patch systems. We can monitor for systems that require patches, direct our solution to apply those patches for you, and then report success / failure and the status of those still requiring patching.

Since the Zenith backend is cloud-based, we can even track your endpoint systems and apply the needed patches when they are not connected to your corporate network.

Track – How is it all Running?

Last but not least, there could be some systems that exhibit performance degradation after the OS fixes are applied. These problems seem to be limited to high-load (IO and network) systems. The Zenith platform assists both security and operational teams within your environment, which is what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help reveal issues such as hangs or crashes of applications, and system crashes. Plus, we monitor system Memory and CPU usage over time. This data can be used to monitor and alert on systems that start to exhibit high usage compared with the period before the patch was applied. An example of this tracking is shown in Figure 2 below (system names deliberately removed).

These ‘defects’ are still new to the public, and much more will be discussed and discovered for days / weeks / months to come. Here at Ziften, we continue to monitor the situation and how we can best educate and protect our clients and partners.

Chuck Leaver – Why You Need SysSecOps

Written By Alan Zeichick And Presented By Chuck Leaver


SysSecOps. That’s a new phrase, still unfamiliar to many IT and security administrators – but it’s being discussed within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, describes the practice of combining security teams and IT operations teams to ensure the health of enterprise technology – and having the tools to respond most effectively when issues happen.

SysSecOps concentrates on tearing down the information walls, disrupting the silos, that get between security teams and IT administrators.

IT operations personnel are there to make sure that end-users can access applications, and that critical infrastructure is running at all times. They want to maximize access and availability, and need the data required to do that job – like that a new employee needs to be provisioned, or a hard drive in a RAID array has failed, that a new partner needs to be provisioned with access to a secure document repository, or that an Oracle database is ready to be moved to the cloud. It’s all about technology to drive the business.

Same Data, Different Use-Cases

While the use of endpoint and network monitoring data and analytics is clearly tailored to fit the diverse needs of IT and security, it turns out that the underlying raw data is in fact the same. The IT and security teams are simply looking at their own domain’s issues and scenarios – and taking action based on those use-cases.

Yet in some cases the IT and security teams have to interact. Like provisioning that new business partner: it must touch all the right systems, and be done securely. Or if there is a problem with a remote endpoint, such as a mobile phone or a device on the Industrial Internet of Things, IT and security might have to work together to identify what’s going on. When IT and security share the same data sources, and have access to the same tools, this job becomes a lot easier – and hence SysSecOps.

Imagine that an IT administrator spots that a server hard drive is nearing full capacity – and this was not anticipated. Perhaps the network has been breached, and the server is now being used to stream pirated films across the Web. It happens, and finding and resolving that issue is a task for both IT and security. The data gathered by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more effectively than would happen with conventional, separate IT and security tools.

SysSecOps: It’s a new term, and a new idea, and it’s resonating with both IT and security teams. You can learn more about this in a brief 9 minute video, where I talk with several industry experts about this subject: “What is SysSecOps?”

Chuck Leaver – Be Careful Of This Microsoft Word Feature And Phishing Attacks

Written By Josh Harriman And Presented By Chuck Leaver


An intriguing multifaceted attack has been reported in a recent blog by Cisco’s Talos Intelligence group. I wanted to talk about the infection vector of this attack, as it’s quite fascinating and something that Microsoft has pledged not to fix, as it is a feature and not a bug. Reports can be found of attacks in the wild which are making use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog from SecureData.

Special Phishing Attack with Microsoft Word

Attackers constantly search for new ways to breach a company. Phishing attacks are one of the most common, as attackers are counting on someone either opening a document sent to them or visiting a ‘faked’ URL. From there, an exploit against a vulnerable piece of software usually provides the access to begin their attack.

However, in this case the documents didn’t have a malicious object embedded in the Word doc, which is a favored attack vector, but rather a sly use of this feature that allows Word to connect out and retrieve the real malicious files. By doing this they could hope for, or rely on, a better infection success rate, since malicious Word files themselves can be scanned and deleted before reaching the recipient.

Hunting for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our clients. Finding conditions that indicate ‘odd’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it further and look for PowerShell running from that spawned shell, and it gets ‘very’ interesting. Through our Search API, we can find these behaviors whenever they happened. We do not need the system to be switched on at the time of the search; if it has run a program (in this case Word) that exhibited these behaviors, we can find that system. Ziften is constantly gathering and sending relevant process information, which is why we can find the data without depending on the system state at the time of searching.

In our Zenith console, I searched for this condition with the following:

Process → Filepath includes word.exe, Child Process Filepath includes cmd.exe, Child Process commandline includes powershell

This returns the PIDs (Process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the critical details.

In this first image, we can see details of the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right side you can see details like the system name and user, plus start time.

In the next image, we look at the CMD process and see exactly what was passed to PowerShell.

Most likely, when the user answered the Microsoft Word pop-up dialog, the CMD shell used
PowerShell to go out and retrieve code hosted on the Louisiana Gov website. In the PowerShell
image below we can see further details, such as the Network Connect information recorded when
it reached out to the website to pull the fonts.txt file.

That IP address (206.218.181.46) is in fact the Louisiana Gov website. We often see interesting
data in our Network Connect information that does not match what you would expect.

After creating our Saved Search, we can alert on these conditions as they occur across the
environment. We can also build extensions that change a GPO policy to disable DDE, or even take
further action and go find these files and remove them from the system if desired. Being able to
find interesting combinations of conditions within an environment is extremely powerful, and we
are delighted to have this capability in our offering.

Chuck Leaver – Prevent And Manage Ransomware With These 4 Steps

Written By Alan Zeichick And Presented By Chuck Leaver

 

Ransomware is real, and it is threatening individuals, businesses, schools, hospitals, governments – and there is no sign that ransomware is stopping. In fact, it is probably increasing. Why? Let’s be honest: ransomware is probably the single most efficient attack that hackers have ever created. Anyone can build ransomware using readily available tools; any money received is likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s disk drive, the hacker is not affected.

A business is hit with ransomware every 40 seconds, according to some sources, and 60% of malware incidents were ransomware. It strikes all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it is going to get worse.

The good news: we can fight back. Here is a four-step battle plan.

Good Fundamental Hygiene

It begins with training employees how to handle malicious e-mails. There are forged messages from business partners. There is phishing and targeted spearphishing. Some will get past email spam/malware filters; employees need to be taught not to click links in those messages and, of course, not to give permission for plugins or apps to be installed.

However, some malware, like ransomware, will get through, typically by exploiting outdated software or unpatched systems, just as in the Equifax breach. That is where the next step comes in:

Ensuring that endpoints are fully patched and fully updated with the latest, most secure operating system, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight off the infection.

Ransomware is not really a technology or security problem. It is a business problem. And it is about much more than the ransom demanded. That is peanuts compared to the loss of productivity from downtime, bad public relations, angry customers if service is disrupted, and the cost of rebuilding lost data. (And that assumes valuable intellectual property or protected financial or customer health data is not also stolen.)

What else can you do? Backup, backup, backup, and protect those backups. If you do not have safe, protected backups, you cannot restore data and core infrastructure in a timely fashion. That includes taking daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to discover, identify, and prevent malware like ransomware from spreading. This requires continuous visibility and reporting of what is happening in the environment – including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the smartphone to the PC to the server to the cloud, to make sure that endpoints are up to date and secure, and that no unexpected changes have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be discovered quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, quick containment is critical.

The 4 Tactics

Good user training. Updating systems with patches and fixes. Backing everything up as often as possible. And using monitoring tools to help both IT and security teams spot problems and react quickly to them. When it comes to ransomware, those are the four battle-tested tactics we need to keep our organizations safe.

You can learn more about this in a short 8-minute video, where I speak to several industry experts about this issue:

Chuck Leaver – Collaboration With Microsoft To Defend You Against Attacks

Written By David Shefter And Presented By Chuck Leaver

 

Recently we announced a partnership with Microsoft that combines Ziften’s Zenith® systems and security operations platform with Windows Defender Advanced Threat Protection (ATP), delivering a cloud-based “single pane of glass” to detect, view, investigate, and respond to advanced cyber attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that enables enterprise clients to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your business, offering scalable, cutting-edge security in a cost-effective and easy-to-use platform. Enabling enterprises across the globe to protect and manage devices through this ‘single pane of glass’ offers the promise of lower operational costs together with real improved security, providing real-time global threat protection with data collected from billions of devices worldwide.

The Architecture Of Microsoft And Ziften

The diagram below provides an overview of the service components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, get the results, and take remediation action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, companies can readily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith offer:

Behavior-based, cloud-powered, advanced attack detection. Discover the attacks that make it past all other defenses (after a breach has been detected).

Rich timeline for forensic investigation and mitigation. Easily examine the scope of any breach or suspected behaviors on any device through a rich, 6-month machine timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on tracking and data from millions of devices.

The image below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

At the end of the day, if you are looking to secure your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.

Chuck Leaver – KRACK Vulnerability 4 Steps To Protect Yourself

Written By Dr Al Hartmann And Presented By Chuck Leaver

 

Enough media attention has been generated over the Wi-Fi WPA2-defeating Key Reinstallation Attack (KRACK) that we do not need to cover it again. The original finder’s website is a good place to review the issues and link to the detailed research paper. This may be the most attention paid to a core communications security failure since Heartbleed. In that earlier case, a patched version of the vulnerable OpenSSL code was released on the same day as the public disclosure. In this new KRACK attack, similar responsible disclosure guidelines were followed, and patches were either already released or soon to follow. Both wireless endpoints and wireless network devices need to be properly patched. Oh, and good luck getting that Chinese knockoff wireless security webcam bought off eBay patched quickly.

Here we will just make a few points:

Take stock of your wireless devices and follow up to ensure correct patching. (Ziften can perform passive network inventory, including wireless networks. For Ziften-monitored endpoints, the available network interfaces and the applied patches are reported.) For enterprise IT staff it is patch, patch, patch every day anyway, so nothing new here. But any unmanaged wireless devices must be located and vetted.

iOS and Windows endpoints are less susceptible, while unpatched Linux and Android endpoints are highly vulnerable. Most Linux endpoints will be servers without wireless networking, so there is less direct exposure there. But Android is another story, especially given the balkanized state of Android updates across device manufacturers. Most likely your enterprise’s biggest exposure will be Android and IoT devices, so do your risk analysis.

Avoid wireless access over unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols, or use a secure VPN, but be aware that some default HTTPS sites allow compromised devices to force a downgrade to HTTP. (Note that Ziften network monitoring reports the IP addresses and ports used, so take a look at any wireless port 80 traffic on unpatched endpoints.)

Continue whatever wireless network hygiene practices you have been employing to identify and silence rogue access points, unauthorized wireless devices, etc. Grooming access point placement and transmission zones to reduce signal spillage outside your physical boundaries is also a wise practice, since KRACK attackers must be physically present within range of the wireless network. Do not give them advantageous positioning opportunities within or near your environment.
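The first three points above combine into one check a practitioner can run: join the wireless/patch inventory against the network connection records, rank unpatched wireless endpoints by the OS exposure the post describes, and list any cleartext (port 80) traffic they sent over a wireless interface. The example below is added here in Python and is not Ziften’s code; the inventory and Network Connect record fields, the interface-name prefixes, and the sample data are all assumptions, constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Endpoint:
    """Inventory record (hypothetical fields): has a wireless interface, KRACK fix applied."""
    name: str
    os: str
    wireless: bool
    krack_patched: bool


@dataclass(frozen=True)
class Conn:
    """Network Connect record (hypothetical fields): endpoint, local interface, remote ip:port."""
    endpoint: str
    iface: str
    dst_ip: str
    dst_port: int


# Constructed sample inventory (not real data).
ENDPOINTS: List[Endpoint] = [
    Endpoint("LAP-01", "Windows 10", True, True),
    Endpoint("LAP-02", "Ubuntu 16.04", True, False),
    Endpoint("SRV-DB1", "CentOS 7", False, False),     # wired server: no wireless exposure
    Endpoint("PHONE-07", "Android 6.0", True, False),
    Endpoint("MAC-03", "macOS 10.12", True, True),
    Endpoint("TAB-02", "iOS 11", True, False),
]

# Constructed sample connection records (RFC 5737 documentation addresses).
CONNS: List[Conn] = [
    Conn("LAP-01", "Wi-Fi", "203.0.113.10", 80),      # patched: not flagged
    Conn("LAP-02", "wlan0", "203.0.113.10", 80),      # unpatched Linux over wireless, HTTP
    Conn("LAP-02", "wlan0", "203.0.113.11", 443),     # HTTPS: not flagged
    Conn("SRV-DB1", "eth0", "203.0.113.12", 80),      # wired: not flagged
    Conn("PHONE-07", "wlan0", "203.0.113.13", 80),    # unpatched Android over wireless, HTTP
    Conn("PHONE-07", "wlan0", "203.0.113.13", 443),
    Conn("MAC-03", "en0", "203.0.113.14", 80),        # patched: not flagged
]

# Assumption: wireless interfaces follow common naming conventions. macOS and iOS
# use en0 for Wi-Fi, so a real deployment should rely on the interface type the
# agent reports rather than on the name.
WIRELESS_IFACE_PREFIXES = ("wlan", "wlp", "wi-fi", "ath")

# OS families the post singles out as highly exposed when unpatched.
HIGH_EXPOSURE_OS = ("android", "ubuntu", "debian", "centos", "linux")


def is_wireless_iface(name: str) -> bool:
    return name.lower().startswith(WIRELESS_IFACE_PREFIXES)


def exposure(ep: Endpoint) -> str:
    """'none' if patched or wired, 'high' for unpatched Linux/Android, else 'lower'
    (iOS and Windows are described as less susceptible)."""
    if ep.krack_patched or not ep.wireless:
        return "none"
    return "high" if ep.os.lower().startswith(HIGH_EXPOSURE_OS) else "lower"


def unpatched_wireless(endpoints: List[Endpoint]) -> List[Endpoint]:
    """Endpoints that still need the KRACK patch and actually have a wireless interface."""
    return [e for e in endpoints if exposure(e) != "none"]


def cleartext_over_wireless(endpoints: List[Endpoint], conns: List[Conn],
                            cleartext_ports=(80,)) -> List[Conn]:
    """Connections from unpatched wireless endpoints, over a wireless interface,
    to a cleartext port: the 'wireless port 80 traffic' the post says to look at."""
    at_risk = {e.name for e in unpatched_wireless(endpoints)}
    return [c for c in conns
            if c.endpoint in at_risk and is_wireless_iface(c.iface)
            and c.dst_port in cleartext_ports]


def report(endpoints: List[Endpoint], conns: List[Conn]) -> List[str]:
    """Human-readable summary lines, highest exposure first."""
    lines = []
    for e in sorted(unpatched_wireless(endpoints), key=lambda e: exposure(e) != "high"):
        lines.append(f"{e.name}: {e.os}, unpatched, exposure={exposure(e)}")
    for c in cleartext_over_wireless(endpoints, conns):
        lines.append(f"{c.endpoint}: cleartext {c.dst_ip}:{c.dst_port} via {c.iface}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ENDPOINTS, CONNS)))
```

The output puts the unpatched Android phone and Ubuntu laptop at the top, the unpatched iPad below them, and then the two HTTP connections those two high-exposure devices made over Wi-Fi; the wired server and the patched laptops generate nothing, which keeps the list short enough to act on.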

For a broader discussion of the KRACK vulnerability, take a look at our recent video on the topic: