Author Archives: leavmecha

The Cybersecurity Industry Needs More Women And The Girl Scouts Take The Lead – Charles Leaver

Written By Kim Foster And Presented By Charles Leaver

 

Cybersecurity is getting more attention than ever, and businesses are genuinely worried about whether enough security professionals are being trained to keep pace with growing threats. While this concern is felt across the business world, few people expected the Girl Scouts to answer the call.

Starting this fall, millions of Girl Scouts nationwide will have the opportunity to earn cybersecurity badges. Girl Scouts of the U.S.A. partnered with security company (and Ziften technology partner) Palo Alto Networks to create a curriculum that teaches girls the fundamentals of computer security. According to Sylvia Acevedo, CEO of GSUSA, the program grew out of demand from the girls themselves, who wanted to protect themselves, their computers, and their home networks.

The timing is good: according to a study released in 2017 by (ISC)², 1.8 million cybersecurity positions will go unfilled by 2022. Add rising demand for security professionals to flat representation of women (stuck at about 11 percent for the past few years) and our cybersecurity staffing problems are poised to get worse without a substantial push by the industry toward better inclusion.

Obviously, we cannot depend on the Girl Scouts to do all the heavy lifting. Broader educational efforts are a must: according to the Computing Technology Industry Association, 69 percent of U.S. women who do not work in information technology cited not knowing what opportunities were available to them as the reason they did not pursue one. Recruiting a more diverse pool of professionals is one of the great untapped opportunities of our industry, so targeted curricula and increased awareness should be high priorities. Raytheon's Women's Cyber Security Scholarship is a fine example.

To reap the benefits of having women invested in shaping the future of technology, we need to dismantle the exclusionary perception of "the boys' club" and remember the groundbreaking contributions of women in the past. Many people know that the first computer programmer was a woman, Ada Lovelace. The work of other well-known pioneers such as Grace Hopper, Hedy Lamarr, and Ida Rhodes may stir some vague recollection among those in our industry. Women mathematicians wrote the programs for one of the world's first fully electronic general-purpose computers: Kay McNulty, Jean Jennings Bartik, Betty Snyder, Marlyn Meltzer, Fran Bilas, and Ruth Lichterman were the first programmers of the Electronic Numerical Integrator and Computer (better known as ENIAC), though their essential work went largely unrecognized for over 50 years. In fact, when historians first came across photographs of the women in the mid-1980s, they mistook them for "Refrigerator Ladies", models posing in front of the machines.

It is worth noting that many believe the same "boys' club" mentality that overlooked the accomplishments of women in history has led to fewer leadership positions and lower pay for women in cybersecurity today, along with the outright exclusion of female luminaries from speaking slots at industry conferences. As trends go, shutting bright people with relevant expertise out of influencing the cybersecurity industry is an unsustainable one if we hope to keep up with the bad guys.

Whether or not we collectively take action to cultivate more inclusive workplaces, by educating, recruiting, and promoting women in greater numbers, it is heartening to see an organization best known for fundraiser cookies alert an entire industry to the fact that girls are genuinely interested in the field. As today's Girl Scouts are given the tools to pursue a career in information security, we should expect them to become the very women who ultimately reprogram our expectations of what a cybersecurity professional looks like.

Mac Computers Can Be A Threat To Your Security – Charles Leaver

Written By Roark Pollock And Presented By Charles Leaver

 

Do you have Macs? That's fine; I own one too. Have you locked them down? If you haven't, your business has a potentially serious security weak point.

It is a misconception that Macintosh computers are inherently safe and need no protection against malware or hacking. Many believe Macs are probably more secure than Windows desktops and notebooks, thanks to the design of their Unix-derived kernel. Certainly, we see fewer security patches issued for macOS by Apple than for Windows by Microsoft.

Fewer security problems is not zero defects. And safer does not mean completely safe.

Some Mac Vulnerability Examples

Take, for instance, the macOS 10.13.3 update, released on January 23, 2018, for the current version of the Mac operating system. Like most current computers running Intel processors, the Mac was vulnerable to the Meltdown flaw, which meant that a malicious application might be able to read kernel memory.

Apple had to patch this flaw, along with many others.

For example, another bug could allow a maliciously crafted audio file to execute arbitrary code, compromising the integrity of the system. Apple had to patch it.

A kernel bug meant that a malicious application might be able to execute arbitrary code with kernel privileges, giving an attacker access to anything on the machine. Apple had to patch the kernel.

A flaw in the WebKit library meant that processing maliciously crafted web content might lead to arbitrary code execution. Apple had to patch WebKit.

Yet another flaw meant that processing a malicious text message could cause an application denial of service, locking up the system. Oops. Apple had to patch that one as well.

Don't Make the Same Mistakes as Consumers

Many consumers, buying into the hype about how wonderful macOS is, choose to run without security software, relying on macOS and its built-in application firewall to block all manner of bad code. Bad news: there is no full built-in antivirus or anti-malware product, and the firewall can only do so much. And many enterprises prefer to ignore macOS when it comes to visibility for posture monitoring and hardening, and for threat detection and threat hunting.

Consumers often make these assumptions because they do not know any better. IT and security professionals should never make the same mistakes; we should know better.

If a Mac user installs bad software, adds a malicious browser extension, opens a bad email attachment, or clicks a phishing link or a malicious advertisement, the computer is compromised, just like a Windows computer. In the enterprise, we must be prepared to deal with these problems, even on Macs.

What To Do?

What do you need to do?

– Install antivirus and anti-malware on corporate Macs, or on any Mac that has access to your organization's content, servers, or networks.
– Track the state of Macs, just as you do with Windows computers.
– Be proactive about applying fixes and patches to Macs, again, just as with Windows.

You should also remove from your business environment any Macs that are too old to run the latest version of macOS. That is a lot of them, because Apple is fairly good at supporting older hardware. Here is Apple's list of Mac models that can run macOS 10.13:

– MacBook (Late 2009 or newer)
– MacBook Pro (Mid 2010 or newer)
– MacBook Air (Late 2010 or newer)
– Mac mini (Mid 2010 or newer)
– iMac (Late 2009 or newer)
– Mac Pro (Mid 2010 or newer)

When the next version of macOS comes out, some of your older devices may drop off the list. They should drop off your inventory too.

Ziften's Viewpoint

At Ziften, with our Zenith security platform, we strive to maintain visibility and security feature parity across Windows, macOS, and Linux-based systems.

In fact, we have partnered with Microsoft to integrate our Zenith security platform with Microsoft Windows Defender Advanced Threat Protection (ATP) for macOS and Linux monitoring, threat detection, and response coverage. The integration lets customers detect, view, investigate, and respond to advanced cyber-attacks on macOS devices (as well as Windows and Linux endpoints) directly within the Microsoft WDATP management console.

From our point of view, it has always been essential to give security teams confidence that every desktop and notebook endpoint is protected, and therefore that the enterprise is protected.

Believe it or not, 91% of enterprises say they have some Macs. If those Macs aren't protected, and properly integrated into your endpoint security systems, the business is not protected. It's that simple.

Why Strategic Alliances In The Security Industry Work – Charles Leaver

Written By Charles Leaver

 

Nobody can solve cybersecurity alone. No single product company, no single provider, nobody can tackle the whole problem. Tackling security requires cooperation between many players.

Sometimes those companies sit at different levels of the solution stack: some install on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

Sometimes each company has a specific best-of-breed component: one player specializes in email, another in crypto, another in disrupting the kill chain.

From the enterprise customer's viewpoint, effective security requires assembling a set of tools and services into a working whole. From the vendors' point of view, effective security requires strategic alliances. Sure, each vendor, whether making hardware, writing software, or offering services, has its own products and intellectual property. Nevertheless, we all work better when we work together to enable integrations and make life easier for our resellers, our integrators, and the end customer.

Paradoxically, not only can vendors make more profit through strategic alliances, but end customers save money at the same time. Why? Several reasons.

Customers do not waste money (and time) on solutions with overlapping capabilities. Customers do not have to waste money (and time) building custom integrations. And customers do not waste money (and time) debugging systems that fight each other, for instance by generating extra alerts or hard-to-find incompatibilities.

It's the Trifecta: Products, Solutions, and Channels

All three work together to meet the needs of the business customer, and also benefit the vendors, who can concentrate on what they do best, relying on strategic alliances to build complete solutions out of jigsaw puzzle pieces.

Generally speaking, those solutions require more than simple APIs, which is where strategic alliances are so important.

Consider the integration between products (like a network threat scanner or Ziften's endpoint visibility solutions) and analytics services. End customers don't want to operate a dozen different dashboards, and they don't want to manually correlate anomaly findings from a dozen different security tools. Strategic alliances between product vendors and analytics solutions, whether on-site or in the cloud, make sense for everyone. That includes the channel, which can deliver and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least fuss possible.

Or consider the integration of products with managed security services providers (MSSPs). They want to offer prospective clients pre-packaged solutions, ideally ones that can run in their multi-tenant clouds. That means the products must be scalable, with compatible license terms. They must be well integrated with the MSSP's existing dashboards and administrative control systems. And of course, they must feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other product vendors and with major MSSPs as well.

How about major value-added resellers (VARs)? VARs need products that are simple to understand, easy to support, and simple to add to existing security deployments. This makes new products more attractive, more economical, easier to install, easier to support, and strengthens the VAR's customer relationships.

What do they look for when adding to their solution portfolio? New solutions that have strategic alliances with their existing offerings. If you do not dovetail with the VAR's portfolio partners, well, you probably do not fit in.

Two Examples: Fortinet and Microsoft

Nobody can solve cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric by means of Fabric APIs and are able to actively collect and share information to improve threat intelligence, improve overall threat awareness, and broaden threat response from end to end. As Fortinet explains in its Fortinet Fabric-Ready Partner Program Overview, "partner inclusion in the program signals to customers and the industry as a whole that the partner has collaborated with Fortinet and leveraged the Fortinet Fabric APIs to develop validated, end-to-end security solutions."

Likewise, Microsoft is pursuing a similar strategy with the Windows Defender Advanced Threat Protection program. Microsoft recently selected only a few key partners into this security program, saying, "We have heard from our customers that they want security and visibility into potential threats on all their device platforms and we have turned to partners to help address this need. Windows Defender ATP provides security teams a single pane of glass for their endpoint security and now by collaborating with these partners, our customers can extend their ATP service to their entire installed base."

We are the first to admit: Ziften cannot solve security alone. Nobody can. The best way forward for the security industry is to move forward together, through strategic alliances that bring together product vendors, service providers, and the channel. That way we all win: vendors, service providers, channel partners, and business customers alike.

Flexibility Is A Critical Component Of SysSecOps – Charles Leaver

Written By Charles Leaver

 

Endpoints are everywhere. The device you are reading this on is an endpoint, whether it's a desktop, notebook, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it's connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you control bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

They're all endpoints, and every one of them matters.

They have to be managed from the IT side, by IT administrators who ideally have proper IT-level visibility of each connected thing, like those security cameras. That management means making sure they're connected to the right network zones or VLANs, that their software and configurations are current, that they're not flooding the network with bad packets because of electrical faults, and so on.

Those endpoints also have to be managed from the security perspective by CISO teams. Every endpoint is a potential front door into the business network, which means the devices must be locked down: no default passwords, all security patches applied, no unauthorized software installed on the device's embedded web server. (Brian Krebs reported in 2014 how attackers got into Target's network by way of its HVAC contractor.)

The Operations of Systems and Security

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the appropriate workflows, IT and security staff see the same data and can collaborate. Sure, they each have different tasks, and respond differently to trouble alerts, but they're all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Test Report on Ziften Zenith

We were thrilled when the recently published Broadband-Testing report praised Zenith, Ziften's flagship endpoint security and management platform, as ideal for this kind of scenario. To quote from the report, "With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more. Because its definition of 'endpoints' extends into the Data Centre (DC) and the world of virtualisation, it is true blanket protection."

Broadband-Testing is an independent testing facility and service based in Andorra. They describe themselves this way: "Broadband-Testing interacts with vendors, media, investment groups and VCs, analysts and consultancies alike. Testing covers all aspects of networking hardware and software, from ease of use and performance, through to increasingly crucial aspects such as device power consumption measurement."

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system must go everywhere and do anything, at scale. Broadband-Testing wrote:

"The configuration/deployment options and architecture of Ziften Zenith allow for a truly flexible deployment, on or off-premise, or hybrid. Agent deployment is simplicity itself with zero user requirements and no endpoint intrusion. Agent footprint is also minimal, unlike many endpoint security solutions. Scalability also appears to be excellent – the largest customer deployment to date is in excess of 110,000 endpoints."

We can't help but take pride in our product Zenith, and in what Broadband-Testing concluded:

"The emergence of SysSecOps – combining systems and security operations – is an unusual milestone in IT; a hype-free, common-sense approach to refocusing on how systems and security are managed inside a business.

Key to Ziften's endpoint approach in this category is total visibility – after all, how can you protect what you cannot see or do not know exists in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Deployment is simple, especially in a cloud-based scenario as tested. Scalability also appears to be excellent – the largest customer deployment to date is in excess of 110,000 endpoints.

Data analysis options are extensive with a huge amount of information available from the Ziften console – a single view of the entire endpoint infrastructure. Any object can be analysed – e.g. binaries, applications, systems – and, from a process, an action can be defined as an automated function, such as quarantining a system in the event of a potentially malicious binary being found. Numerous reports are predefined covering all areas of analysis. Alerts may be set for any event. Furthermore, Ziften provides the concept of extensions for custom data collection, beyond the reach of most vendors.

And with its External API functionality, endpoint data gathered by Ziften can be shared with many third-party applications, thereby adding more value to a customer's existing security and analytics infrastructure investment.

Overall, Ziften has a very competitive offering in what is an extremely worthy and emerging IT category in SysSecOps, and is highly worthy of evaluation."

We hope you'll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes with the true blanket protection that both your IT and CISO teams have been looking for.

Be Warned Of Spectre And Meltdown And Find Out How We Help – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver

 

Ziften is aware of the latest exploits affecting almost everyone who works on a computer or digital device. While that is a very broad statement, we at Ziften are working diligently to help our customers discover vulnerable assets, remediate those systems, and monitor them after the fix for potential performance problems.

This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they evolve. Today, most of the discussion is around PoC (proof of concept) code and what can theoretically happen. That will change soon as attackers take advantage of these opportunities. The exploits I'm speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were found and what the industry is doing to find workarounds for these hardware problems. To learn more, I think it's best to go straight to the source here (https://spectreattack.com/).

What Should You Do, and How Can Ziften Assist?

A key area where Ziften helps in the event of an attack by either method is watching for data exfiltration. Because these attacks essentially steal data they should not have access to, we believe the first and easiest way to protect yourself is to take that sensitive data and remove it from these systems. That data might be passwords, login credentials, or even private keys for SSH or VPN access.

Ziften checks and alerts when processes that normally do not make network connections begin exhibiting this unusual behavior. From those alerts, users can quarantine systems from the network and/or kill the processes associated with these conditions. Ziften Labs is monitoring the development of the attacks that are likely to appear in the wild for these vulnerabilities, so we can better protect our customers.
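The check described above, a process that has no history of talking on the network suddenly opening a connection, can be implemented from ordinary process network telemetry. The block below is an added example written for this article, not Ziften's code or Zenith's schema: it builds a per-host and fleet-wide baseline of which process images have ever made connections, then scores new events. The telemetry tuples, host names and the documentation-range IP addresses are constructed sample data.

```python
"""Flag network connections from processes with no history of making them.

Added example, not Ziften's code. The field layout (timestamp, host, image,
remote address, remote port) is an assumption chosen for the example.
"""
from collections import defaultdict

# Constructed baseline telemetry gathered before the monitoring window.
BASELINE_EVENTS = [
    ("2018-01-02T09:00:00", "ws-017", "chrome.exe", "203.0.113.10", 443),
    ("2018-01-02T09:05:00", "ws-017", "OUTLOOK.EXE", "203.0.113.20", 443),
    ("2018-01-02T09:10:00", "ws-017", "chrome.exe", "203.0.113.11", 443),
    ("2018-01-03T09:00:00", "ws-017", "Teams.exe", "203.0.113.30", 443),
    ("2018-01-03T09:00:00", "ws-042", "chrome.exe", "203.0.113.10", 443),
    ("2018-01-03T09:30:00", "ws-042", "OUTLOOK.EXE", "203.0.113.20", 443),
]

# Constructed events from the monitoring window after the baseline was built.
NEW_EVENTS = [
    ("2018-01-09T11:00:00", "ws-017", "chrome.exe", "203.0.113.11", 443),
    # calc.exe never connected anywhere in the baseline: the pattern the text warns about.
    ("2018-01-09T11:02:00", "ws-017", "calc.exe", "198.51.100.23", 4444),
    # Teams.exe is known fleet-wide but has not connected from ws-042 before.
    ("2018-01-09T11:03:00", "ws-042", "Teams.exe", "203.0.113.30", 443),
]


def build_baseline(events):
    """Return (per_host, fleet): images seen making connections on each host, and anywhere."""
    per_host = defaultdict(set)
    for _ts, host, image, _addr, _port in events:
        per_host[host].add(image.lower())
    fleet = set().union(*per_host.values()) if per_host else set()
    return per_host, fleet


def find_new_network_processes(events, per_host, fleet):
    """Return findings for connections by an image never seen connecting from that host.

    'high': the image has never been seen connecting on any host in the fleet.
    'medium': the image is known elsewhere in the fleet but is new on this host.
    """
    findings = []
    for ts, host, image, addr, port in events:
        name = image.lower()
        if name in per_host.get(host, set()):
            continue  # this process connects routinely on this host
        findings.append({
            "time": ts,
            "host": host,
            "process": name,
            "remote": f"{addr}:{port}",
            "severity": "high" if name not in fleet else "medium",
        })
    return findings


if __name__ == "__main__":
    hosts, fleet_images = build_baseline(BASELINE_EVENTS)
    for f in find_new_network_processes(NEW_EVENTS, hosts, fleet_images):
        print(f"[{f['severity']}] {f['time']} {f['host']} {f['process']} -> {f['remote']}")
```

The baseline window has to be long enough to cover periodic jobs (weekly backups, monthly updaters) or those will surface as false "high" findings on their first run; in practice the baseline is rebuilt continuously and a "high" finding is what feeds the quarantine-or-kill decision the text mentions.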

Find – How am I Vulnerable?

Let's look at areas we can monitor for vulnerable systems. Zenith, Ziften's flagship product, can simply and rapidly find operating systems that need to be patched. Even though these vulnerabilities are in the CPUs themselves (Intel, AMD and ARM), the fixes that will be available are delivered as OS updates and, in some cases, browser updates as well.

In Figure 1 below, you can see an example of how we report on available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and/or patch number for the environment could be entered into this report to show the vulnerable systems.

The same is true for browser updates. Zenith monitors the software versions running in the environment. That data can be used to determine whether all browsers are up to date once the fixes become available.

Speaking of browsers, one area that has already gained momentum in the attack scenarios is JavaScript. A working example is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Microsoft has already shipped mitigations in the Edge browser (it disabled SharedArrayBuffer and reduced the resolution of the JavaScript timer), and mitigations are available for other browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is due out this week.

Repair – Exactly What Can I Do Now?

Once you have identified vulnerable systems in your environment you will want to patch and fix them as soon as possible. One caveat to consider: there are reports of certain antivirus products causing stability problems when the patches are applied. Details about these issues are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the ability to help patch systems. We can monitor for systems that need patches, direct our solution to apply those patches for you, then report success or failure and the status of systems still needing patching.

Because the Zenith backend is cloud based, we can even monitor your endpoint systems and apply the required patches when they are not connected to your corporate network.

Monitor – How is Everything Running?

Finally, some systems may show performance degradation after the OS fixes are applied. These issues appear to be limited to high-load (IO and network) systems. The Zenith platform helps both security and operations teams within your environment, which is what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help surface problems such as application crashes or hangs, and system crashes. Plus, we monitor memory and CPU usage over time. This data can be used to monitor and alert on systems that start to exhibit high usage compared with the period before the patch was applied. An example of this tracking is shown in Figure 2 below (system names intentionally removed).
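The comparison the text describes, usage after the patch against the period before it, is easy to get wrong with a simple average: one spike trips the alert, and a host idling at 2% that moves to 4% "doubles". The block below is an added example written for this article, not Ziften's code: it splits each host's CPU samples at the recorded patch time, compares medians, and flags a host only when both a relative and an absolute increase are exceeded, while hosts without enough samples on one side are reported as inconclusive rather than silently passed. The sample series, patch times and thresholds are constructed assumptions.

```python
"""Compare per-host CPU load before and after a patch and flag regressions.

Added example, not Ziften's code. Sample data, patch times and the
thresholds (25% relative, 10 points absolute, 3 samples minimum) are assumptions.
"""
from datetime import datetime
from statistics import median

# Constructed samples: host -> list of (timestamp, CPU percent).
CPU_SAMPLES = {
    "db-01": [  # IO-heavy database server: clear regression after the patch
        ("2018-01-05T10:00:00", 20.0), ("2018-01-05T12:00:00", 22.0),
        ("2018-01-05T14:00:00", 24.0), ("2018-01-05T16:00:00", 21.0),
        ("2018-01-06T10:00:00", 44.0), ("2018-01-06T12:00:00", 47.0),
        ("2018-01-06T14:00:00", 45.0), ("2018-01-06T16:00:00", 50.0),
    ],
    "ws-11": [  # workstation: small change within noise
        ("2018-01-05T10:00:00", 10.0), ("2018-01-05T12:00:00", 12.0),
        ("2018-01-05T14:00:00", 11.0), ("2018-01-05T16:00:00", 13.0),
        ("2018-01-06T10:00:00", 12.0), ("2018-01-06T12:00:00", 14.0),
        ("2018-01-06T14:00:00", 13.0), ("2018-01-06T16:00:00", 12.0),
    ],
    "web-03": [  # patched recently: too few post-patch samples to judge
        ("2018-01-05T10:00:00", 30.0), ("2018-01-05T12:00:00", 31.0),
        ("2018-01-05T14:00:00", 29.0), ("2018-01-05T16:00:00", 30.0),
        ("2018-01-06T10:00:00", 35.0), ("2018-01-06T12:00:00", 36.0),
    ],
}

# Constructed patch install times, as a patch-status report would supply them.
PATCH_APPLIED = {
    "db-01": "2018-01-05T18:00:00",
    "ws-11": "2018-01-05T18:00:00",
    "web-03": "2018-01-05T18:00:00",
}


def split_at(samples, patch_ts):
    """Split (timestamp, value) samples into the values before and after patch_ts."""
    cutoff = datetime.fromisoformat(patch_ts)
    before = [v for ts, v in samples if datetime.fromisoformat(ts) < cutoff]
    after = [v for ts, v in samples if datetime.fromisoformat(ts) >= cutoff]
    return before, after


def regression_report(cpu_samples, patch_applied, min_samples=3, ratio=1.25, min_delta=10.0):
    """Per host: median CPU before/after the patch and whether it looks like a regression.

    A host is flagged only when the post-patch median is at least `ratio` times
    the pre-patch median AND at least `min_delta` percentage points higher, so
    noise on an idle box is not reported. Medians are used so a single spike
    cannot trip the check on its own.
    """
    report = {}
    for host, samples in cpu_samples.items():
        if host not in patch_applied:
            report[host] = {"status": "unpatched", "flagged": False}
            continue
        before, after = split_at(samples, patch_applied[host])
        if len(before) < min_samples or len(after) < min_samples:
            report[host] = {"status": "insufficient_data", "flagged": False}
            continue
        b, a = median(before), median(after)
        flagged = a >= b * ratio and (a - b) >= min_delta
        report[host] = {"status": "compared", "before": b, "after": a, "flagged": flagged}
    return report


if __name__ == "__main__":
    for host, row in regression_report(CPU_SAMPLES, PATCH_APPLIED).items():
        print(host, row)
```

Run against a real history, the "insufficient_data" rows are the hosts to revisit on the next cycle, and the "flagged" rows are the high-load systems the text expects to see affected; comparing medians of the same hours on matching days (rather than any samples before and after) removes most daily-cycle false positives.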

These "flaws" are still new to the public, and much more will be discussed and discovered in the days, weeks, and months to come. Here at Ziften, we continue to monitor the situation and how we can best inform and protect our customers and partners.

SysSecOps Is Something That You Need Right Now – Charles Leaver

Written By Alan Zeichick And Presented By Charles Leaver

 

SysSecOps. It's a new term, still unfamiliar to many IT and security administrators, but it's being talked about within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, describes the practice of bringing security teams and IT operations teams together to ensure the health of enterprise technology, and having the tools to respond most effectively when problems occur.

SysSecOps focuses on tearing down the information walls, breaking the silos, that stand between security teams and IT administrators.

IT operations staff exist to make sure that end users can access applications, and that critical infrastructure is running 24x7. They want to maximize access and availability, and need the data required to do that job: that a new employee must be provisioned, that a disk drive in a RAID array has failed, that a new partner needs access to a secure file repository, or that an Oracle database is ready to be migrated to the cloud. It's all about technology to drive the business.

Same Data, Different Use Cases

While the use of endpoint and network monitoring information and analytics is clearly tailored to the different needs of IT and security, it turns out that the underlying raw data is the same. The IT and security teams are simply looking at their own domain's problems and situations, and acting on those use cases.

Yet sometimes the IT and security teams need to work together. Like provisioning that new business partner: it must touch all the right systems, and be done securely. Or if there is a problem with a remote endpoint, such as a mobile device or a machine on the Industrial Internet of Things, IT and security may have to collaborate to figure out what's going on. When IT and security share the same data sources, and have access to the same tools, this job becomes much easier; hence SysSecOps.

Imagine that an IT administrator notices that a server hard drive is nearing full capacity, and this was not expected. Perhaps the network has been breached, and the server is now being used to stream pirated movies across the Internet. It happens, and finding and fixing that problem is a job for both IT and security. The data collected by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more efficiently than would happen with traditional, separate IT and security tools.

SysSecOps: it's a new term, and a new concept, and it's resonating with both IT and security teams. You can learn more in a brief nine-minute video, where I talk to several industry experts about the topic: "What is SysSecOps?"

Protect Yourself From Microsoft Word Phishing Attacks With Ziften – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver

 

An interesting multifaceted attack has actually been reported in a current blog by Cisco’s Talos Intelligence team. I wished to discuss the infection vector of this attack as it’s quite fascinating and something that Microsoft has actually promised not to fix, as it is a function and not a bug. Reports are becoming available about attacks in the wild which are making use of a function in Microsoft Word, called Dynamic Data Exchange (DDE). Information to how this is achieved are reported in this blog from SecureData.

Unique Phishing Attack with Microsoft Word

Attackers continuously look for brand-new ways to breach a company. Phishing attacks are among the most common as opponents are counting on the fact that someone will either open a file sent to them or go to a ‘faked’ URL. From there an exploit on a susceptible piece of software typically gives them access to start their attack.

However in this case, the documents didn’t have a destructive item embedded in the Word doc, which is a preferred attack vector, but rather a sly way of utilizing this function that enables the Word program to connect out to recover the genuine destructive files. In this manner they might hope or rely on a much better success rate of infection as harmful Word files themselves can be scanned and erased before reaching the recipient.

Searching for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to inform on this behavior for our clients. Finding conditions that display ‘unusual’ behavior such as Microsoft Word generating a shell is interesting and not expected. Taking it a bit further and searching for PowerShell running from that spawned shell and it gets ‘very’ intriguing. By using our Search API, we can discover these habits no matter when they occurred. We do not need the system to be on at the time of the search, if they have run a program (in this case Word) that exhibited these behaviors, we can discover that system. Ziften is always gathering and sending relevant process info which is why we can discover the data without counting on the system state at the time of browsing.

In our Zenith console, I looked for this condition by trying to find the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline includes powershell

This returns the PIDs (Process ID) of the procedures we saw start-up with these conditions. After this we can drill down to see the important details.

In this first screenshot, we can see information about the process tree (Word spawning CMD, with PowerShell under that) on the left, and on the right you can see details such as the system name and user, plus the start time.

In the next image, we look at the CMD process and get information about what was passed to PowerShell.

Most likely, when the user answered the Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and retrieve code hosted on the Louisiana Gov site. In the PowerShell image below we can see more details, such as the Network Connect information recorded when it reached out to the site to pull the fonts.txt file.

That IP address (206.218.181.46) is in fact the Louisiana Gov site. We often see interesting data in our Network Connect information that may not match what you expect.

After creating our Saved Search, we can alert on these conditions as they occur across the environment. We can also build extensions that change a GPO policy to disallow DDE, or go further and locate these documents and remove them from the system if desired. Being able to find interesting combinations of conditions within an environment is extremely powerful, and we are excited to have this capability in our offering.
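The same hunt expressed as a standalone script, as an added example that is not Ziften's code and does not use the Zenith Search API. It re-implements the console filter above (parent file path contains word.exe, child file path contains cmd.exe, child command line contains powershell) over a small set of constructed process-start records (hostnames, users, PIDs and command lines are invented), so it can be run offline against any process export that carries host, pid, ppid, image path and command line.

```python
"""Hunt for Microsoft Word spawning a shell that runs PowerShell.

Added example; this is not Ziften's code or the Zenith Search API. It
re-implements the console filter described above over constructed
process-start records, so it runs offline against any export that carries
host, pid, ppid, image path and command line.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    """One process-start record as an endpoint agent would report it."""
    host: str
    pid: int
    ppid: int
    user: str
    image: str      # full path of the executable
    cmdline: str    # command line observed at start


def find_office_shell_chains(
    procs: List[Proc],
    parent_token: str = "word.exe",
    child_token: str = "cmd.exe",
    cmdline_token: str = "powershell",
) -> List[dict]:
    """Return one hit per parent/child pair meeting all three conditions.

    Matching is case-insensitive substring matching, like the console
    filter. PIDs are only unique per host, so the parent lookup is keyed
    by (host, pid); a child whose parent start was never observed is
    skipped rather than mis-attributed.
    """
    by_key: Dict[Tuple[str, int], Proc] = {(p.host, p.pid): p for p in procs}
    hits: List[dict] = []
    for child in procs:
        parent: Optional[Proc] = by_key.get((child.host, child.ppid))
        if parent is None:
            continue
        if parent_token not in parent.image.lower():
            continue
        if child_token not in child.image.lower():
            continue
        if cmdline_token not in child.cmdline.lower():
            continue
        hits.append({
            "host": child.host,
            "user": child.user,
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "child_pid": child.pid,
            "child_cmdline": child.cmdline,
        })
    return hits


# Constructed sample records (hostnames, users, PIDs and command lines are
# invented for the example).
SAMPLE_PROCS = [
    Proc("WS-01", 800, 1, "alice", r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc("WS-01", 1200, 800, "alice",
         r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         '"WINWORD.EXE" /n invoice.docx'),
    Proc("WS-01", 1300, 1200, "alice", r"C:\Windows\System32\cmd.exe",
         "cmd.exe /c powershell -NoProfile -Command example"),
    # Word spawning cmd without PowerShell: noisy, but not this pattern.
    Proc("WS-02", 2100, 1, "bob",
         r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         '"WINWORD.EXE"'),
    Proc("WS-02", 2200, 2100, "bob", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # PowerShell from a shell, but the parent is Explorer, not Word.
    Proc("WS-03", 3000, 1, "carol", r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc("WS-03", 3100, 3000, "carol", r"C:\Windows\System32\cmd.exe",
         "cmd.exe /c powershell -NoProfile"),
]


def demo() -> List[dict]:
    """Run the hunt over the constructed records."""
    return find_office_shell_chains(SAMPLE_PROCS)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Only the WS-01 chain is returned: WS-02 shows Word launching a shell without PowerShell, and WS-03 shows PowerShell under a shell whose parent is Explorer, which is why the three conditions together cut the noise that any one of them alone would produce.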

Prevent Devastating Ransomware Attacks With These 4 Actions – Charles Leaver

Written By Alan Zeichick And Presented By Charles Leaver


Ransomware is real, and it threatens individuals, businesses, schools, hospitals, and local governments, and there is no sign that ransomware is stopping. In fact, it is most likely increasing. Why? Let’s be honest: ransomware is probably the single most effective attack that cyber criminals have ever created. Anyone can build ransomware using readily available tools; any money received is likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s hard disk, the cyber criminal is not affected.

A business is hit by ransomware every forty seconds, according to some sources, and 60% of malware incidents were ransomware. It strikes all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service), it is going to get worse.

The good news: we can fight back. Here is a four-step battle plan.

Good Basic Hygiene

It starts with training employees how to handle malicious emails. There are forged messages from business partners. There is phishing and targeted spearphishing. Some will get past email spam/malware filters; employees have to be taught not to click links in those messages and, of course, not to grant permission for plugins or apps to be installed.

However, some malware, like ransomware, is going to get through, often exploiting out-of-date software or unpatched systems, as in the Equifax breach. That is where the next step comes in:

Ensuring that endpoints are fully patched and completely up to date with the latest, most secure operating systems, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight off the infection.

Ransomware is not really a technology or security problem. It is a business problem. And it is about much more than the ransom that is demanded. That is nothing compared to the loss of productivity from downtime, bad public relations, unhappy customers if service is disrupted, and the cost of rebuilding lost data. (And that assumes that valuable intellectual property or protected financial or patient health data is not stolen.)

What else can you do? Back up, back up, back up, and protect those backups. If you do not have safe, secured backups, you cannot restore data and core infrastructure in a timely fashion. That includes taking daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. This requires continuous visibility into, and reporting of, what is happening in the environment, including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the smartphone to the PC to the server to the cloud, to ensure that endpoints are up to date and protected, and that no unexpected changes have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be detected quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, fast containment is critical.
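One concrete form of the "no unexpected changes to the underlying configuration" check described above, as an added example that is not from the post or from any Ziften product: hash a baseline of an endpoint's configuration files, hash them again later, and report what was added, removed or modified. The baseline and "current" file contents below are constructed stand-ins for real reads from disk; `snapshot_files` shows how the same digests would be produced from real paths.

```python
"""Detect unexpected changes to an endpoint's configuration files.

Added example, not from the original post or any Ziften product. It keeps
a baseline of SHA-256 digests and compares a later snapshot against it; the
sample contents are constructed so the check runs offline.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, NamedTuple


class Drift(NamedTuple):
    added: Dict[str, str]      # path -> current digest
    removed: Dict[str, str]    # path -> baseline digest
    modified: Dict[str, str]   # path -> current digest

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_files(paths: Iterable[Path]) -> Dict[str, str]:
    """Hash real files on disk; files that no longer exist are simply absent."""
    snap: Dict[str, str] = {}
    for p in paths:
        if p.is_file():
            snap[str(p)] = sha256_of(p.read_bytes())
    return snap


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Drift:
    """Classify every path as added, removed, modified or unchanged."""
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    modified = {k: v for k, v in current.items()
                if k in baseline and baseline[k] != v}
    return Drift(added, removed, modified)


# Constructed file contents standing in for reads from disk. Paths and
# contents are invented for the example.
BASELINE_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/snapshot.sh\n",
}
CURRENT_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/cron.d/unknown-job": b"*/5 * * * * root /opt/unknown/run.sh\n",
}


def demo() -> Drift:
    """Compare the constructed baseline and current snapshots."""
    baseline = {k: sha256_of(v) for k, v in BASELINE_CONTENT.items()}
    current = {k: sha256_of(v) for k, v in CURRENT_CONTENT.items()}
    return compare(baseline, current)


if __name__ == "__main__":
    d = demo()
    print("clean" if d.is_clean() else d)
```

In the constructed data the SSH daemon config was modified, the backup cron job disappeared and an unknown cron job appeared; each of those is exactly the kind of change an operator wants surfaced quickly so the machine can be isolated pending forensics, rather than discovered after the backups it depended on have stopped running.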

The Four Tactics

Good user training. Updating systems with patches and fixes. Backing up everything as often as possible. And using monitoring tools to help both IT and security teams identify problems and respond quickly to them. When it comes to ransomware, those are the four battle-tested tactics we need to keep our organizations safe.

You can learn more about this in a short eight-minute video, where I talk with several industry experts about this topic:

Your Security Will Improve With Microsoft And Ziften – Charles Leaver

Written By David Shefter And Presented By Charles Leaver


Recently we announced a partnership with Microsoft that combines Ziften’s Zenith® systems and security operations platform with Windows Defender Advanced Threat Protection (ATP), providing a cloud-based “single pane of glass” to detect, view, investigate, and respond to sophisticated cyber-attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that enables enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your business, providing scalable, state-of-the-art security in an economical and easy-to-use platform. Enabling businesses around the world to protect and manage devices through this ‘single pane of glass’ delivers the promise of lower operational costs with improved security, providing real-time global threat protection with intelligence gathered from billions of devices worldwide.

Microsoft and Ziften Architecture

The diagram below provides an overview of the service components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results, and take action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith provide:

Behavior-based, cloud-powered, advanced attack detection. Find the attacks that make it past your other defenses (post-breach detection).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspected behavior on any machine through a rich, six-month machine timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly detect attacks based on monitoring and data from a vast number of devices.

The diagram below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

In conclusion, if you want to secure your endpoints and infrastructure, you should take a hard look at Windows Defender ATP and Ziften Zenith.

Safeguard Your Organization Against The KRACK Vulnerability – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver


Enough press has been generated over the Wi-Fi WPA2-defeating Key Reinstallation Attack (KRACK) that we don’t need to cover it again. The original discoverer’s site is a good place to review the issues and find a link to the detailed research paper. This may be the most attention paid to a core communications security failure since the Heartbleed attack. In that earlier case, a patched version of the vulnerable OpenSSL code was released on the same day as the public disclosure. In this new KRACK attack, similar responsible disclosure standards were followed, and patches were either already released or soon to follow. Both wireless endpoints and wireless network devices need to be properly patched. Oh, and good luck getting that Chinese knockoff wireless security camera bought off eBay patched quickly.

Here we will just make a few points:

Take inventory of your wireless devices and follow up to ensure appropriate patching. (Ziften can perform passive network inventory, including wireless networks. For Ziften-monitored endpoints, the available network interfaces as well as the applied patches are reported.) For enterprise IT staff, it is patch, patch, patch every day anyway, so nothing new here. But any unmanaged wireless devices must be identified and vetted.

Windows and iOS endpoints are less vulnerable, while unpatched Android and Linux endpoints are highly vulnerable. Most Linux endpoints will be servers without wireless networking, so there is less exposure there. But Android is another story, especially given the balkanized state of Android updating across device manufacturers. Most likely your enterprise’s greatest exposure will be IoT and Android devices, so do your risk analysis.

Avoid wireless access via unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols, or use a secure VPN, but be aware that some default HTTPS sites allow compromised devices to coerce a downgrade to HTTP. (Note that Ziften network monitoring reports the IP addresses and ports used, so look at any wireless port 80 traffic on endpoints that are unpatched.)

Continue whatever wireless network hygiene practices you have been using to identify and silence rogue access points, unauthorized wireless devices, etc. Grooming access point placement and transmission zones to reduce signal spillage outside your physical boundaries is also a sensible practice, since KRACK attackers must be physically present within range of the wireless network. Do not give them advantageous placement opportunities within or near your environment.

For a broader discussion of the KRACK vulnerability, check out our recent video on the topic:
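The first and third points above (find unmanaged wireless devices; look at wireless port 80 traffic on unpatched endpoints) turned into a small triage script, as an added example that is not Ziften's code and calls no Ziften API. It assumes three constructed inputs of the kind the post says a monitoring tool can supply: a managed-endpoint inventory with each interface's type and MAC address and whether the WPA2 fix is applied, a passive list of wireless MACs seen on the air, and per-endpoint connection records carrying the interface used and the destination port. Hostnames, MACs and the 203.0.113.0/24 addresses are invented.

```python
"""Triage KRACK exposure from inventory and network-connection data.

Added example; this is not Ziften's code and does not call any Ziften API.
All inputs below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Interface:
    kind: str       # "wifi" or "ethernet"
    mac: str


@dataclass
class Endpoint:
    host: str
    interfaces: Dict[str, Interface]   # interface name -> Interface
    krack_patched: bool                # WPA2 key-reinstallation fix applied


@dataclass(frozen=True)
class Conn:
    host: str
    iface: str
    dst_ip: str
    dst_port: int


CLEARTEXT_PORTS = {80}   # the post's advice: look at wireless port 80 traffic


def managed_wireless_macs(endpoints: List[Endpoint]) -> Set[str]:
    """MACs of every Wi-Fi interface on a managed endpoint."""
    return {i.mac.lower() for e in endpoints
            for i in e.interfaces.values() if i.kind == "wifi"}


def unmanaged_wireless(seen_macs: Set[str], endpoints: List[Endpoint]) -> Set[str]:
    """Wireless MACs observed on the air that no managed endpoint accounts for."""
    return {m.lower() for m in seen_macs} - managed_wireless_macs(endpoints)


def cleartext_wifi_on_unpatched(endpoints: List[Endpoint], conns: List[Conn]) -> List[Conn]:
    """Connections to cleartext ports over a Wi-Fi interface of an unpatched host."""
    by_host = {e.host: e for e in endpoints}
    flagged: List[Conn] = []
    for c in conns:
        ep = by_host.get(c.host)
        if ep is None or ep.krack_patched:
            continue                      # unknown host, or already fixed
        iface = ep.interfaces.get(c.iface)
        if iface is None or iface.kind != "wifi":
            continue                      # wired traffic is out of KRACK's scope
        if c.dst_port in CLEARTEXT_PORTS:
            flagged.append(c)
    return flagged


# Constructed inventory, passive wireless sightings and connection records.
ENDPOINTS = [
    Endpoint("LAPTOP-01", {"wlan0": Interface("wifi", "02:00:00:00:00:01")}, False),
    Endpoint("LAPTOP-02", {"wlan0": Interface("wifi", "02:00:00:00:00:02")}, True),
    Endpoint("SRV-01", {"eth0": Interface("ethernet", "02:00:00:00:00:03")}, False),
]
SEEN_WIRELESS_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"}
CONNS = [
    Conn("LAPTOP-01", "wlan0", "203.0.113.10", 80),    # unpatched, Wi-Fi, HTTP
    Conn("LAPTOP-01", "wlan0", "203.0.113.10", 443),   # encrypted, fine
    Conn("LAPTOP-02", "wlan0", "203.0.113.20", 80),    # patched host
    Conn("SRV-01", "eth0", "203.0.113.30", 80),        # wired, not Wi-Fi
]


def demo() -> Tuple[Set[str], List[Conn]]:
    """Run both checks over the constructed data."""
    return (unmanaged_wireless(SEEN_WIRELESS_MACS, ENDPOINTS),
            cleartext_wifi_on_unpatched(ENDPOINTS, CONNS))


if __name__ == "__main__":
    unmanaged, flagged = demo()
    print("unmanaged wireless MACs:", sorted(unmanaged))
    for c in flagged:
        print("cleartext over Wi-Fi on unpatched host:", c)
```

The two outputs map directly onto the follow-up the post asks for: the unmanaged MAC is something to identify and vet, and the flagged connection is an unpatched laptop talking HTTP over Wi-Fi, which is the traffic to chase down (or block) until the patch lands.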