Charles Leaver – More Women Needed In Cybersecurity And Girl Scouts Pushing This

Written By Kim Foster And Presented By Charles Leaver

It’s no secret that cybersecurity is getting more international attention than ever before, and enterprises are rightly concerned about whether they are training enough security specialists to meet growing security threats. While this concern is felt throughout the commercial world, few people expected the Girl Scouts to answer the call.

Beginning this fall, countless Girl Scouts across the country have the opportunity to earn cybersecurity badges. Girl Scouts of the USA teamed up with security company (and Ziften technology partner) Palo Alto Networks to create a curriculum that teaches girls the basics of computer security. According to Sylvia Acevedo, CEO of GSUSA, the program was created in response to demand from the girls themselves, who want to protect themselves, their computers, and their family networks.

The timing is good: according to a research study released in 2017 by (ISC)², 1.8 million cybersecurity positions will be unfilled by 2022. Factor in the increased demand for security professionals together with stagnant growth in the share of women – only 11 percent for the past several years – and our cybersecurity staffing troubles are poised to intensify without a significant effort by the industry toward better inclusion.

Of course, we cannot rely on the Girl Scouts to do all the heavy lifting. Broader educational efforts are a given: according to the Computing Technology Industry Association, 69 percent of U.S. women who do not have a career in information technology cited not knowing what opportunities were available to them as the reason they did not pursue one. One of the great untapped opportunities of our industry is the recruitment of more diverse professionals. Targeted curricula and increased awareness need to be a high priority. Raytheon’s Women Cyber Security Scholarship is a good example.

To reap the benefits of having women help shape the future of technology, it’s important to address the exclusionary perception of “the boys’ club” and remember the groundbreaking contributions made by women of the past. Many people know that the first computer programmer was a woman, Ada Lovelace. Then there is the work of other famous pioneers such as Grace Hopper, Hedy Lamarr, or Ida Rhodes, all of whom might stir some vague recollection among those in our industry. Female mathematicians wrote programs for one of the world’s first fully electronic general-purpose computers: Kay McNulty, Jean Jennings Bartik, Betty Snyder, Marlyn Meltzer, Fran Bilas, and Ruth Lichterman were just a few of the original programmers of the Electronic Numerical Integrator and Computer (better known as ENIAC), though their important work was not widely acknowledged for over 50 years. In fact, when historians first discovered pictures of the women in the mid-1980s, they mistook them for “Refrigerator Ladies” – models posing in front of the machines.

It is worth noting that many people believe the same “boys’ club” mentality that overlooked the achievements of women in history has resulted in limited leadership positions and lower salaries for women in cybersecurity today, in addition to the outright exclusion of female experts from speaking opportunities at industry conferences. As trends go, excluding bright people with relevant knowledge from influencing the cybersecurity industry is an unsustainable one if we want to keep up with the cybercriminals.

Whether or not we collectively act to promote more inclusive workplaces – by educating, recruiting, and promoting women in larger numbers – it is heartening to see an organization synonymous with fundraiser cookies effectively inform an entire industry that girls are genuinely interested in the field. As the Girl Scouts of today are given the tools to pursue a career in information security, we should expect that they will become the very women who ultimately reprogram our expectations of what a cybersecurity expert looks like.

Charles Leaver – Don’t Believe The Hype As Macs Can Affect Your Security

Written By Roark Pollock And Presented By Charles Leaver

Do you have Mac computers? That’s fine. I have one too. Are yours locked down? If not, your business has a potentially major security weakness.

It’s a fallacy to believe that Macintosh computers are inherently secure and don’t have to be protected against hacking or malware. People assume Macs are probably more secure than Windows desktops and notebooks because of the design of the Unix-derived kernel. Certainly, we see fewer security patches released for macOS by Apple than security patches for Windows by Microsoft.

Fewer security defects is not zero defects. And safer doesn’t mean 100% safe.

Examples of Mac Vulnerabilities

Take, for instance, the macOS 10.13.3 update, released on January 23, 2018, for the current versions of the Mac’s operating system. Like most current computers running Intel processors, the Mac was susceptible to the Meltdown flaw, which meant that malicious applications might be able to read kernel memory.

Apple had to patch this flaw – along with many others.

For instance, another flaw might allow malicious audio files to execute arbitrary code, which could compromise the system’s security integrity. Apple had to patch it.

A kernel flaw meant that a malicious application might be able to execute arbitrary code with kernel privileges, giving cybercriminals access to anything on the device. Apple had to patch the kernel.

A flaw in the WebKit library meant that processing maliciously crafted web content might lead to arbitrary code execution. Apple had to patch WebKit.

Another flaw meant that processing a malicious text message might cause an application denial of service, locking up the system. Whoops. Apple had to patch that flaw too.

Don’t Make The Same Mistakes As Consumers

Many consumers, believing all the talk about how great macOS is, choose to run without protection, trusting macOS and its built-in application firewall to block all manner of bad code. Problem: there’s no built-in antivirus or anti-malware, and the firewall can only do so much. And many enterprises tend to overlook macOS when it comes to visibility for posture monitoring and hardening, and threat detection / threat hunting.

Consumers often make these assumptions because they don’t know any better. IT and security professionals should never make the same mistakes – we should know better.

If a Mac user installs bad software, or adds a malicious browser extension, or opens a bad e-mail attachment, or clicks a phishing link or a malicious advertisement, their device is compromised – just like a Windows computer. And within the enterprise, we have to be prepared to deal with these problems, even with Mac computers.

So What Do You Do?

What do you need to do?

– Install antivirus and anti-malware on business Macs – or any Mac that has access to your company’s content, servers, or networks.
– Monitor the state of Mac computers, just as you would with Windows machines.
– Be proactive in applying patches and fixes to Mac computers, again, just as with Windows.

You should also remove Macs from your business environment which are too old to run the latest version of macOS. That’s a lot of them, because Apple is pretty good at supporting older hardware. Here is Apple’s list of Mac models that can run macOS 10.13:

– MacBook (Late 2009 or newer)
– MacBook Pro (Mid 2010 or newer)
– MacBook Air (Late 2010 or newer)
– Mac mini (Mid 2010 or newer)
– iMac (Late 2009 or newer)
– Mac Pro (Mid 2010 or newer)

When the next version of macOS comes out, some of your older machines may drop off the list. They should drop off your inventory as well.

Ziften’s Perspective

At Ziften, with our Zenith security platform, we work hard to maintain visibility and security feature parity between Windows systems, macOS systems, and Linux-based systems.

In fact, we’ve partnered with Microsoft to integrate our Zenith security platform with Microsoft Windows Defender Advanced Threat Protection (ATP) for macOS and Linux monitoring and threat detection and response coverage. The integration allows customers to detect, view, investigate, and respond to advanced cyber-attacks on macOS computers (as well as Windows and Linux-based endpoints) directly within the Microsoft WDATP Management Console.

From our perspective, it has always been very important to give your security teams confidence that every desktop / notebook endpoint is protected – and thus, the enterprise is protected.

Hard as it may be to believe, 91% of enterprises say they have a number of Mac computers. If those computers aren’t secured, and properly integrated into your endpoint security systems, the enterprise is not protected. It’s that simple.

Charles Leaver – The Security Industry Has To Have Strategic Alliances

Written By Charles Leaver

No one can solve cybersecurity alone. No single solution company, no single vendor, no one can take on the whole problem. Taking on security requires cooperation between different players.

Often, those players are at different levels of the solution stack – some installed on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

Sometimes, those players each have a specific best-of-breed piece of the puzzle: one player specializes in email, others in crypto, others in disrupting the kill chain.

From the enterprise customer’s viewpoint, effective security requires assembling a set of tools and services into a working whole. From the vendors’ viewpoint, effective security requires strategic alliances. Sure, each vendor, whether making hardware, writing software, or offering services, has its own products and intellectual property. Nevertheless, we all work better when we cooperate to enable integrations and make life simple for our resellers, our integrators – and the end customer.

Paradoxically, not only can vendors make more profit through strategic alliances, but end customers will save money at the same time. Why? Several reasons.

Customers don’t waste their money (and time) on products with overlapping capabilities. Customers don’t need to waste money (and time) creating custom integrations. And customers won’t waste money (and time) trying to debug systems that fight each other, such as by triggering extra alerts or hard-to-find incompatibilities.

It’s the Trifecta – Products, Services, and Channels

All three work together to meet the needs of the enterprise customer, as well as benefit the vendors, who can focus on doing what they do best, relying on strategic alliances to create complete solutions out of jigsaw puzzle pieces.

Generally speaking, those solutions require more than simple APIs – which is where strategic alliances come in.

Consider the integration between solutions (like a network threat scanner or Ziften’s endpoint visibility solutions) and analytics solutions. End customers don’t want to operate a dozen different dashboards, and they don’t want to manually correlate anomaly findings from many different security tools. Strategic alliances between product vendors and analytics services – whether on-site or in the cloud – make sense for everyone. That includes the channel, which can deliver and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least hassle possible.

Or consider the integration of solutions and managed security services providers (MSSPs). They want to offer prospective customers pre-packaged services, preferably ones that can run in their multi-tenant clouds. That means the products must be scalable, with compatible license terms. They must be well integrated with the MSSP’s existing dashboards and administrative control systems. And naturally, they have to feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other product vendors, and with major MSSPs as well.

What about major value-added resellers (VARs)? VARs need products that are easy to understand, easy to support, and easy to add to existing security deployments. This makes new solutions more appealing, more affordable, easier to install, easier to support – and reinforces the VAR’s customer relationships.

What do they look for when adding to their solution portfolio? New solutions that have strategic alliances with their existing product offerings. If you don’t dovetail into the VAR’s portfolio partners, well, you probably don’t fit in.

Two Examples: Fortinet and Microsoft

No one can solve cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric through Fabric APIs and are able to actively collect and share information to improve threat intelligence, boost overall threat awareness, and broaden threat response from end to end. As Fortinet describes in its Fortinet Fabric-Ready Partner Program Overview, “partner addition in the program signals to clients and the market at large that the partner has actually worked together with Fortinet and leveraged the Fortinet Fabric APIs to develop verified, end-to-end security options.”

Likewise, Microsoft is pursuing a similar strategy with the Windows Defender Advanced Threat Protection program. Microsoft recently selected only a few key partners for this security program, stating, “We have actually spoken with our customers that they want protection and visibility into prospective threats on all of their device platforms and we have actually turned to partners to assist address this requirement. Windows Defender ATP provides security teams a single pane of glass for their endpoint security and now by teaming up with these partners, our clients can extend their ATP service to their whole install base.”

We’re the first to admit: Ziften cannot solve security alone. Nobody can. The best way forward for the security industry is to move forward together, through strategic alliances combining product vendors, service providers, and the channel. That way, we all win: vendors, service providers, channel partners, and enterprise customers alike.

Charles Leaver – SysSecOps And Flexibility Is The Only Way Forward

Written By Charles Leaver

Endpoints are everywhere. The device you’re reading this on is an endpoint, whether it’s a desktop, laptop, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it’s connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory servers in the data center. So are your IaaS / PaaS services in the cloud, where you are in control of bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

They’re all endpoints, and all need to be managed.

They need to be managed from the IT side (by IT administrators, who ideally have proper IT-level visibility of each connected thing, like those security cameras). That management means making sure they’re connected to the right network zones or VLANs, that their software and configurations are the current version, that they’re not flooding the network with bad packets due to electrical faults, and so on.

Those endpoints also need to be managed from the security point of view by CISO teams. Every endpoint is a potential entrance into the enterprise network, which means the devices need to be locked down – default passwords never used, all security patches applied, no unapproved software installed on the device’s embedded web server. (Krebs describes how, in 2014, hackers broke into Target’s network through its HVAC system.)

Systems and Security Operations

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the proper workflows, IT and security staff get the same data and can collaborate. Sure, they each have different tasks and react differently to trouble alerts, but they’re all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Ziften Zenith Test Report

We were thrilled when the recently published Broadband-Testing report praised Zenith, Ziften’s flagship endpoint security and management platform, as being ideal for this type of scenario. To quote from the report, “With its Zenith platform, Ziften has a solution that ticks all the SysSecOps boxes and more. Since its definition of ‘endpoints’ extends into the Data Centre (DC) and the world of virtualisation, it is true blanket coverage.”

Broadband-Testing is an independent testing facility and service based in Andorra. They describe themselves as follows: “Broadband-Testing engages with vendors, media, financial investment groups and VCs, analysts and consultancies alike. Evaluating covers all elements of networking hardware and software, from ease of use and efficiency, through to significantly important elements such as device power consumption measurement.”

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system needs to go everywhere and do anything, at scale. Broadband-Testing wrote:

“The configuration/deployment alternatives and architecture of Ziften Zenith allow for a really versatile deployment, on or off-premise, or hybrid. Agent deployment is simplicity itself with zero user requirements and no endpoint intrusion. Agent footprint is likewise minimal, unlike lots of endpoint security solutions. Scalability also seems outstanding – the greatest customer release to this day remains in excess of 110,000 endpoints.”

We cannot help but be proud of our product Zenith, and of what Broadband-Testing concluded:

“The development of SysSecOps – integrating systems and security operations – is an uncommon moment in IT; a hype-free, common sense technique to refocusing on how systems and security are managed inside a company.

Secret to Ziften’s endpoint approach in this classification is overall visibility – after all, how can you secure exactly what you can’t see or don’t know is there in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Deployment is easy, specifically in a cloud-based situation as evaluated. Scalability likewise seems excellent – the greatest client deployment to date is in excess of 110,000 endpoints.

Data analysis alternatives are extensive with a huge amount of information readily available from the Ziften console – a single view of the whole endpoint infrastructure. Any item can be evaluated – e.g. Binaries, applications, systems – and, from a procedure, an action can be defined as an automated function, such as quarantining a system in the event of a potentially harmful binary being discovered. Multiple reports are predefined covering all areas of analysis. Alerts can be set for any event. Additionally, Ziften supplies the idea of extensions for customized data collection, beyond the reach of the majority of vendors.

And with its External API performance, Ziften-gathered endpoint data can be shared with many 3rd party applications, therefore adding further value to a client’s existing security and analytics infrastructure investment.

In general, Ziften has a very competitive offering in exactly what is a very worthy and emerging IT classification in the form of SysSecOps that is very deserving of assessment.”

We hope you’ll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes with the true blanket coverage that both your IT and CISO teams have been looking for.

Charles Leaver – Understand About Meltdown And Spectre And How Ziften Can Assist You

Written By Josh Harriman And Presented By Charles Leaver

Ziften is aware of the recent exploits affecting almost everyone who works on a computer or digital device. While this is a very broad statement, we at Ziften are working diligently to help our customers discover vulnerable assets, fix those vulnerable systems, and monitor systems after the fix for possible performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we stay up to date on the latest malicious attacks as they develop. Right now, most of the discussion is around PoC (proof of concept) code and what can theoretically happen. This will soon change as attackers take advantage of these opportunities. The exploits I’m speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were discovered and what is being done by the industry to find workarounds for these hardware issues. To find out more, I feel it’s appropriate to go straight to the source here (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Assist?

A key area that Ziften helps with, in case of an attack by either method, is monitoring for data exfiltration. Since these attacks essentially steal data they shouldn’t have access to, we believe the first and easiest way to protect yourself is to take that sensitive data off these systems. This data might be passwords, login credentials or even security keys for SSH or VPN access.

Ziften checks for, and alerts when, processes that normally do not make network connections start exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and / or kill processes associated with these scenarios. Ziften Labs is monitoring the development of the attacks that are likely to become available in the wild related to these vulnerabilities, so we can better protect our customers.
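The detection idea above, as an added example that is not Ziften’s or Zenith’s code: a baseline of which processes normally make network connections (and to where) is learned from one window of constructed telemetry, and a later window is checked against it. The record shape and all hosts, process names and addresses are constructed for the example.

```python
"""Alert on processes that normally never make network connections but begin to.

Added example, not Ziften's or Zenith's code. It assumes endpoint telemetry in
the constructed shape (host, process_name, event_type, remote_endpoint), with a
learning window that defines normal behaviour and a detection window that is
compared against it.
"""

# Constructed learning-window telemetry: what these processes normally do.
BASELINE_EVENTS = [
    ("host-a", "chrome.exe", "net_connect", "93.184.216.34:443"),
    ("host-a", "outlook.exe", "net_connect", "192.0.2.10:443"),
    ("host-a", "calc.exe", "process_start", None),
    ("host-b", "chrome.exe", "net_connect", "93.184.216.34:443"),
    ("host-b", "notepad.exe", "process_start", None),
    ("host-b", "svchost.exe", "net_connect", "10.0.0.5:445"),
]

# Constructed detection-window telemetry.
DETECTION_EVENTS = [
    ("host-a", "chrome.exe", "net_connect", "93.184.216.34:443"),   # known pair
    ("host-a", "chrome.exe", "net_connect", "203.0.113.9:443"),     # new destination
    ("host-a", "calc.exe", "net_connect", "198.51.100.7:8443"),     # never connected before
    ("host-b", "notepad.exe", "net_connect", "198.51.100.7:8443"),  # never connected before
    ("host-b", "svchost.exe", "net_connect", "10.0.0.5:445"),       # known pair
    ("host-b", "mspaint.exe", "process_start", None),               # not a connection
]


def build_baseline(events):
    """Map each process name to the set of remote endpoints it connected to.

    Processes that only ever appear as process_start get an empty set, so the
    baseline distinguishes 'known, never connects' from 'never seen at all'.
    """
    baseline = {}
    for _host, proc, kind, remote in events:
        known = baseline.setdefault(proc, set())
        if kind == "net_connect":
            known.add(remote)
    return baseline


def find_anomalies(events, baseline):
    """Return (host, process, remote, reason) for connections that break the baseline.

    The three reasons are ordered by how surprising they are: an unknown
    process connecting, a known process connecting for the first time, and a
    known network-using process reaching a destination it never used before.
    """
    hits = []
    for host, proc, kind, remote in events:
        if kind != "net_connect":
            continue
        known = baseline.get(proc)
        if known is None:
            hits.append((host, proc, remote, "unknown_process_connecting"))
        elif not known:
            hits.append((host, proc, remote, "first_network_connection"))
        elif remote not in known:
            hits.append((host, proc, remote, "new_destination"))
    return hits


if __name__ == "__main__":
    for hit in find_anomalies(DETECTION_EVENTS, build_baseline(BASELINE_EVENTS)):
        print("ALERT %s %s -> %s (%s)" % hit)
```

Tuning the learning window is the whole game: a baseline collected while a machine was already compromised will simply teach the detector that the bad behaviour is normal.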

Find – How am I Vulnerable?

Let’s look at areas we can examine for vulnerable systems. Zenith, Ziften’s flagship product, can simply and quickly find OSes that need to be patched. Even though these exploits are in the CPU chips themselves (Intel, AMD and ARM), the fixes that become available will be delivered as OS updates, and in other cases as updates to the browser you use too.

In Figure 1 below, you can see one example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track patch installs that failed. The example shown is not for Meltdown or Spectre, but the KB and / or patch number for your environment could be entered into this report to reveal the vulnerable systems.

The same is true for browser updates. Zenith keeps track of software versions running in the environment. That data can be used to determine whether all browsers are on the current version once the fixes appear.

Speaking of browsers, one area that has already picked up steam in the attack scenarios is the use of JavaScript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like the Edge browser do not use JavaScript any longer, and mitigations are available for other web browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out this week.

Fix – What Can I Do Now?

Once you have identified vulnerable systems in your environment you definitely need to patch and fix them very quickly. Some cautions you have to take into consideration are reports of certain anti-virus products causing stability problems when the patches are applied. Information about these problems is here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the ability to help patch systems. We can monitor for systems that require patches, direct our solution to apply those patches for you, and then report success / failure and the status of those still needing patching.

Because the Zenith backend is cloud based, we can even monitor your endpoint systems and apply the needed patches when they are not connected to your business network.

Monitor – How is it all Running?

Lastly, there may be some systems that show performance degradation after the OS fixes are applied. These issues appear to be limited to high-load (IO and network) systems. The Zenith platform helps both security and operations teams within your environment – what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help discover issues such as hangs or crashes of applications, and system crashes. Plus, we monitor system usage for memory and CPU over time. This data can be used to monitor and alert on systems that begin to show high usage compared to the period before the patch was applied. An example of this monitoring is shown in Figure 2 below (system names purposely removed).
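The before/after comparison described here, as an added example rather than Zenith’s code: per-system CPU samples are split at each system’s patch time and the medians of the two windows are compared. The sample values, system names and patch times are constructed; the relative and absolute thresholds are assumptions for the example.

```python
"""Flag systems whose CPU use rose after a patch relative to the pre-patch period.

Added example, not Zenith's code. It assumes constructed samples of
(system, sample_time, cpu_percent) and a per-system patch time, and compares
the median utilisation of the window before the patch with the window after it.
"""
from statistics import median

# Constructed patch timestamps (seconds; any monotonically increasing unit works).
PATCH_TIME = {"db-01": 200, "web-03": 200, "app-07": 200, "fs-02": 200}

# Constructed CPU samples: (system, sample_time, cpu_percent).
SAMPLES = [
    ("db-01", 100, 20.0), ("db-01", 130, 22.0), ("db-01", 160, 21.0), ("db-01", 190, 23.0),
    ("db-01", 210, 55.0), ("db-01", 240, 60.0), ("db-01", 270, 58.0), ("db-01", 300, 57.0),
    ("web-03", 100, 40.0), ("web-03", 150, 42.0), ("web-03", 190, 41.0),
    ("web-03", 210, 45.0), ("web-03", 250, 44.0), ("web-03", 290, 46.0),
    ("app-07", 100, 2.0), ("app-07", 150, 3.0), ("app-07", 190, 2.0),
    ("app-07", 210, 5.0), ("app-07", 250, 4.0), ("app-07", 290, 6.0),
    ("fs-02", 100, 10.0), ("fs-02", 150, 10.0), ("fs-02", 190, 11.0),
    ("fs-02", 210, 90.0),  # only one post-patch reading so far
]


def split_windows(samples, patch_time):
    """Group CPU readings per system into (before_patch, after_patch) lists."""
    windows = {}
    for system, t, cpu in samples:
        if system not in patch_time:
            continue  # no patch recorded for this system, nothing to compare
        before, after = windows.setdefault(system, ([], []))
        (before if t < patch_time[system] else after).append(cpu)
    return windows


def post_patch_regressions(samples, patch_time, min_samples=3, ratio=1.5, min_increase=10.0):
    """Return {system: (median_before, median_after)} for systems that regressed.

    Both a relative and an absolute threshold are required: on a nearly idle
    system a jump from 2% to 5% is a large ratio but not a regression worth
    paging anyone about. Systems with too few samples on either side are
    skipped rather than judged on noise.
    """
    flagged = {}
    for system, (before, after) in split_windows(samples, patch_time).items():
        if len(before) < min_samples or len(after) < min_samples:
            continue
        m_before, m_after = median(before), median(after)
        if m_after >= m_before * ratio and m_after - m_before >= min_increase:
            flagged[system] = (m_before, m_after)
    return flagged


if __name__ == "__main__":
    for system, (b, a) in post_patch_regressions(SAMPLES, PATCH_TIME).items():
        print(f"{system}: median CPU {b}% before patch, {a}% after")
```

Only db-01 is reported: web-03 rose by too little, app-07 doubled from an idle baseline, and fs-02 has not yet produced enough post-patch samples to judge.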

These ‘flaws’ are still new to the public, and much more will be discussed and discovered for days / weeks / months to come. Here at Ziften, we continue to monitor the situation and how we can best inform and protect our customers and partners.

Charles Leaver – Find Out Why You Must Have SysSecOps

Written By Alan Zeichick And Presented By Charles Leaver

SysSecOps. That’s a new phrase, still unknown to many IT and security administrators – but it’s being discussed within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, describes the practice of bringing together security teams and IT operations teams to ensure the health of enterprise technology – and having the tools to respond most effectively when problems occur.

SysSecOps focuses on tearing down the information walls, breaking the silos, that get between security teams and IT administrators.

IT operations staff are there to ensure that end-users can access applications and that critical infrastructure is operating at all times. They want to maximize access and availability, and need the data required to do that job – like that a new employee needs to be provisioned, or a hard drive in a RAID array has failed, that a new partner has to be provisioned with access to a secure file repository, or that an Oracle database is ready to be moved to the cloud. It’s all about technology to drive the business.

Same Data, Various Use-Cases

While the use of endpoint and network monitoring data and analytics is clearly tailored to fit the different requirements of IT and security, it turns out that the underlying raw data is really the same. The IT and security teams are simply looking at their own domain’s problems and scenarios – and taking action based on those use-cases.

Yet sometimes the IT and security teams need to work together. Like provisioning that new business partner: it needs to touch all the right systems, and be done securely. Or if there is a problem with a remote endpoint, such as a mobile phone or a device on the Industrial Internet of Things, IT and security might need to work together to figure out what’s going on. When IT and security share the same data sources, and have access to the same tools, this job becomes a lot easier – hence SysSecOps.

Imagine that an IT administrator finds that a server hard disk is nearing full capacity – and this was not expected. Perhaps the network had been breached, and the server is now being used to stream pirated films across the Internet. It happens, and finding and fixing that problem is a job for both IT and security. The data collected by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more effectively than would happen with conventional, separate, IT and security tools.

SysSecOps: it’s a new term, and a new idea, and it’s resonating with both IT and security teams. You can learn more in a short nine-minute video, where I speak with several industry experts about this topic: “What is SysSecOps?”

Charles Leaver – With Ziften You Can Protect Against Microsoft Word Phishing

Written By Josh Harriman And Presented By Charles Leaver

An intriguing multifaceted attack has been reported in a recent blog by Cisco’s Talos Intelligence group. I wanted to discuss the infection vector of this attack, as it’s quite fascinating and something that Microsoft has said it will not fix, as it is a feature and not a bug. Reports are coming in about attacks in the wild that make use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog from SecureData.

Special Phishing Attack with Microsoft Word

Attackers constantly search for new ways to breach an organization. Phishing attacks are among the most common, as attackers are counting on someone either opening a file sent to them or visiting a ‘faked’ URL. From there, an exploit against a vulnerable piece of software normally gives them the access to begin their attack.

But in this case, the files didn’t have a malicious object embedded in the Word document, which is a favorite attack vector, but rather a sly way of using this feature that enables the Word program to reach out and retrieve the real malicious files. This way the attackers might hope for, or rely on, a better success rate of infection, since malicious Word files themselves can be scanned and deleted before reaching the recipient.

Searching for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that exhibit ‘strange’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a bit further and look for PowerShell running from that spawned shell, and it gets ‘very’ interesting. By using our Search API, we can find these behaviors no matter when they took place. We don’t need the system to be on at the time of the search; if it has run a program (in this case Word) that displayed these behaviors, we can find that system. Ziften is always collecting and sending relevant process details, which is why we can find the data without relying on the system state at the time of the search.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process command line contains powershell

This returns the PIDs (process IDs) of the processes we saw start up with these conditions. From there we can drill down to see the critical details.

In this first screenshot, we can see details of the process tree (Word spawning CMD, with PowerShell under that) on the left, and on the right side you can see details such as the system name and user, plus the start time.

In the next image below, we look at the CMD process and get details of exactly what was passed to PowerShell.

Most likely, when the user answered the Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and fetch some code hosted on the Louisiana Gov site. In the PowerShell screenshot below we can see more details, such as the Network Connect information from when it was reaching out to the website to pull the fonts.txt file.

That IP address (206.218.181.46) is in fact the Louisiana Gov site. Sometimes we see interesting data within our Network Connect details that does not match what you would expect.

After creating our Saved Search, we can alert on these conditions as they occur across the environment. We can also build extensions that change a GPO policy to disable DDE, or go even further and find these files and remove them from the system if desired. Being able to find interesting combinations of conditions within an environment is very powerful, and we are very proud to have this feature in our product.
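As an added example (not Ziften’s or Zenith’s own code), here is the same Word → cmd.exe → powershell hunt implemented over constructed process-creation records, reproducing the three-part search condition above and the drill-down into the spawned tree; the record layout, host names and sample events are assumptions.

```python
"""Hunt for the Word -> cmd.exe -> powershell chain described on the page.
Added example, not Ziften's code; the records below are constructed to
mimic per-process telemetry (pid, parent pid, image path, command line)."""
from collections import namedtuple

ProcessEvent = namedtuple("ProcessEvent", "pid ppid path cmdline host user")

# Constructed sample telemetry: one DDE-style chain on ws-17 and one benign Word
# session on ws-22 (a print helper spawned by Word). Payload details omitted.
EVENTS = [
    ProcessEvent(4010, 3000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n invoice.docx', "ws-17", "alice"),
    ProcessEvent(4022, 4010, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -NoP -w hidden <omitted>", "ws-17", "alice"),
    ProcessEvent(4030, 4022, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -NoP -w hidden <omitted>", "ws-17", "alice"),
    ProcessEvent(5100, 3000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n memo.docx', "ws-22", "bob"),
    ProcessEvent(5120, 5100, r"C:\Windows\splwow64.exe", "splwow64.exe", "ws-22", "bob"),
]

def find_dde_chains(events):
    """Return (host, user, word_pid, cmd_pid) for each Word process whose child
    is cmd.exe and whose child's command line mentions powershell, i.e. the
    Zenith search condition quoted above."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None
                and "word.exe" in parent.path.lower()      # Filepath contains word.exe
                and e.path.lower().endswith("cmd.exe")      # child is cmd.exe
                and "powershell" in e.cmdline.lower()):     # child cmdline has powershell
            hits.append((e.host, e.user, parent.pid, e.pid))
    return hits

def descendants(events, root_pid):
    """Drill down: every process under root_pid, parents before children."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for c in children.get(pid, []):
            out.append(c)
            stack.append(c.pid)
    return out
```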

Charles Leaver – Stop Ransomware Attacks And Manage Them With This

Published by:

Written By Alan Zeichick And Presented By Charles Leaver

 

Ransomware is real, and it is hitting individuals, companies, schools, hospitals, local governments – and there is no sign that ransomware is going away. In fact, it is most likely increasing. Why? Let’s face it: ransomware is probably the single most effective attack that cyber criminals have ever developed. Anyone can create ransomware using readily available tools; any money received is most likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s hard drive, the hacker is not affected.

According to some sources, a business is hit with ransomware every 40 seconds, and sixty percent of malware issues were ransomware. It hits every sector. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it is going to get worse.

The good news: we can fight back. Here is a four-step battle plan.

Good Basic Hygiene

It starts with training employees how to handle malicious emails. There are forged messages from business partners. There is phishing and targeted spearphishing. Some will make it through email spam/malware filters; employees have to be taught not to click on links in those messages and, of course, not to allow apps or plug-ins to be installed.

However, some malware, like ransomware, will get through, often exploiting obsolete software or unpatched systems, as in the Equifax breach. That is where the next step comes in:

Ensuring that endpoints are fully patched and completely up to date with the latest, most secure operating system, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight off the infection.

Ransomware is not a technology or security problem. It is a business problem. And it is about so much more than the ransom demanded. That is nothing compared to the loss of productivity from downtime, bad public relations, angry customers if service is disrupted, and the cost of reconstructing lost data. (And that assumes valuable intellectual property or protected financial or patient health data is not actually stolen.)

What else can you do? Backup, backup, backup, and protect those backups. If you do not have safe, protected backups, you cannot restore data and core infrastructure in a timely fashion. That includes taking daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. That requires continuous visibility into, and reporting of, what is happening in the environment – including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the smartphone to the desktop to the server to the cloud, to ensure that all endpoints are up to date and secure, and that no unexpected changes have been made to their underlying configuration. That way, if a device is infected by ransomware or other malware, the breach can be discovered quickly and the machine isolated and shut down pending forensics and recovery. If an endpoint is breached, fast containment is essential.

The Four Tactics

Good user training. Updating systems with patches and fixes. Backing up everything as often as possible. And using monitoring tools to help both IT and security teams find problems and respond to them quickly. When it comes to ransomware, those are the four battle-tested tactics we need to keep our companies safe.

You can learn more about this in a short 8-minute video, in which I talk with several industry professionals about this issue:

Charles Leaver – Enhanced Cyber Protection From Microsoft And Ziften

Published by:

Written By David Shefter And Presented By Charles Leaver

 

This week we announced a partnership with Microsoft that brings together Ziften’s Zenith® systems and security operations platform and Windows Defender Advanced Threat Protection (ATP), providing a cloud-based “single pane of glass” to detect, view, investigate, and respond to sophisticated cyber attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that enables enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your enterprise, providing scalable, state-of-the-art security in an economical and easy-to-use platform. Enabling enterprises around the world to protect and manage devices through this ‘single pane of glass’ delivers the promise of lower operational costs together with genuinely improved security: real-time global threat protection drawing on data collected from billions of devices worldwide.

Microsoft and Ziften Architecture

The diagram below gives an overview of the service components and the integration built between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, get the results, and take remediation action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith offer:

Behavior-based, cloud-powered, advanced attack detection. Discover the attacks that get past your other defenses (post-breach detection).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspected behavior on any device through a rich, 6-month device timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on tracking and data from billions of devices.

The diagram below highlights many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

At the end of the day, if you are looking to protect your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.

Charles Leaver – You Have Heard Of The KRACK Vulnerability Here Is What You Do

Published by:

Written By Dr Al Hartmann And Presented By Charles Leaver

 

Enough media attention has been generated over the Wi-Fi WPA2-defeating Key Reinstallation Attack (KRACK) that we do not have to re-cover that ground. The original discoverer’s website is a good place to review the issues and link to the in-depth research paper. This may be the greatest attention paid to a fundamental communications security failure since the Heartbleed attack. In that earlier case, a patched version of the vulnerable OpenSSL code was released on the same day as the public disclosure. In this new KRACK attack, similar responsible disclosure guidelines were followed, and patches were either already released or soon to follow. Both wireless endpoints and wireless network devices must be properly patched. Oh, and good luck getting that Chinese knockoff wireless security camera bought off eBay patched quickly.

Here we will simply make a few points:

Take inventory of your wireless devices and take action to ensure proper patching. (Ziften can perform passive network inventory, including of wireless networks. For Ziften-monitored endpoints, the available network interfaces as well as the applied patches are reported.) For enterprise IT staff, it is patch, patch, patch every day anyway, so nothing new here. However, any unmanaged wireless devices should be identified and verified.

Windows and iOS endpoints are less susceptible, while unpatched Linux and Android endpoints are highly susceptible. Most Linux endpoints will be servers without wireless networking, so there is less direct exposure there. Android is another story, however, particularly given the balkanized state of Android updates across device manufacturers. Most likely your enterprise’s biggest exposure will be IoT and Android devices, so do your risk analysis.

Avoid wireless access via unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols, or use a secure VPN, but be aware that some sites which default to HTTPS allow a compromised device to force a downgrade to HTTP. (Note that Ziften network monitoring reports the IP addresses and ports used, so take a look at any wireless port 80 traffic on endpoints that are unpatched.)

Continue whatever wireless network hygiene practices you have been employing to identify and silence rogue access points, unauthorized wireless devices, and so on. Tuning access point placement and transmission zones to minimize signal spillage outside your physical boundaries is also a smart practice, since KRACK attackers must be physically present within range of the wireless network. Do not give them advantageous placement opportunities inside or near your environment.
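As an added example covering the inventory, exposure-ranking and port-80 points above (not Ziften’s code), the following triages KRACK exposure by joining a constructed endpoint inventory with constructed network-connect records; the record layout, host names and scoring weights are assumptions.

```python
"""Triage KRACK exposure from an endpoint inventory plus connection records.
Added example, not Ziften's code; the inventory and network-connect records
are constructed to mimic what an endpoint agent reports."""
from collections import defaultdict

# Exposure weights follow the post: unpatched Android/Linux are most exposed,
# Windows/iOS less so. Treating IoT like Android is an assumption.
OS_EXPOSURE = {"android": 3, "iot": 3, "linux": 2, "windows": 1, "ios": 1}

# Constructed inventory: host -> (os, krack_patched, has_wireless_interface)
INVENTORY = {
    "phone-a": ("android", False, True),
    "cam-lobby": ("iot", False, True),      # unmanaged camera, no patch available
    "db-01": ("linux", False, False),       # wired server: no direct exposure
    "lt-07": ("windows", True, True),
    "lt-09": ("windows", False, True),
}

# Constructed network-connect records: (host, dst_ip, dst_port); 203.0.113.0/24
# is a documentation range, not a real destination.
CONNECTS = [
    ("phone-a", "203.0.113.10", 80),
    ("phone-a", "203.0.113.10", 443),
    ("lt-09", "203.0.113.22", 80),
    ("lt-07", "203.0.113.22", 80),   # patched, so not listed
    ("cam-lobby", "203.0.113.40", 80),
    ("db-01", "203.0.113.40", 80),   # wired, so not listed
]

def triage(inventory, connects):
    """Return (host, score, reason) for unpatched wireless endpoints, highest
    score first; observed plaintext port-80 traffic raises the score."""
    port80 = defaultdict(int)
    for host, _ip, port in connects:
        if port == 80:
            port80[host] += 1
    findings = []
    for host, (os_name, patched, wireless) in inventory.items():
        if patched or not wireless:
            continue   # patched, or no Wi-Fi interface: not a KRACK target
        score = OS_EXPOSURE.get(os_name, 2)
        reason = f"unpatched {os_name} on wireless"
        if port80[host]:
            score += 2
            reason += f", {port80[host]} plaintext HTTP connection(s)"
        findings.append((host, score, reason))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings
```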

For a broader discussion of the KRACK vulnerability, take a look at our recent video on the topic: