If that headline makes no sense, you may not have been following cybersecurity news closely enough! The weeks since October 24th have seen 2017’s third major ransomware outbreak, as a modified version of NotPetya, named Bad Rabbit, has spread through much of Europe and Asia. The main distribution path for the malicious code appears to be a fake Flash update, presented as a pop-up on legitimate websites that have been compromised. This is an effective attack vector, since users are typically far more likely to accept such a download from a previously trusted site than from an email sent by an unknown sender.
Bad Rabbit appears to have been coded by fans of pop culture: the name is a play on director JJ Abrams’ company Bad Robot, and the code contains the names of three dragons from the immensely popular series Game of Thrones. Taking a cue from Hollywood that its studios would likely complain about, Bad Rabbit appears to be largely a reboot of NotPetya and WannaCry; analysis by CrowdStrike has determined Bad Rabbit to be nearly 70% identical in code to its predecessors.
The most interesting difference between Bad Rabbit and the two major outbreaks earlier in the year is that Bad Rabbit appears to discriminate in whom it infects. Where WannaCry and NotPetya would infect any environment in which they were executed, Bad Rabbit appears able to assess the potential value of users who land on a distribution page before launching an attack. Attacks distributed directly against several specific networks are also suspected in the spread of Bad Rabbit.
The ransomware seizes machines it can access, spreading laterally across an environment by brute-forcing password combinations, encrypts accessible data, and pops up a familiar message demanding payment in Bitcoin for the release of company and user data. The good news is that, since it was identified early and is largely familiar, most organizations have quickly released updates and patches to help block the spread of Bad Rabbit.
CIS advises that review and deployment of any critical security updates be done regularly as a best practice, to ensure the latest protections are in place. While Bad Rabbit does not utilize a known exploit like EternalBlue, most of the victims in that attack were only exploited because they lacked current updates and patches that had already
Additional information for CIS’ Managed Services clients who are operating Webroot and SonicWall:
From cleaning the gutters, to re-sealing the deck every other spring, to getting your oil changed, nobody enjoys the routine maintenance that comes with life. The same is true for many administrators and ongoing maintenance, particularly when it comes to patches.
Manufacturers issue patches for two primary reasons: features and security. Feature patches provide new options for users that can add value to the originally purchased software. While it is always a best practice to keep software within a version or two of the current release, feature patches are mostly non-critical. Security patches are issued to close known exposures in software and operating systems after they have been discovered. These should be treated with paramount concern, but frequently fall by the wayside as items perceived as more important take precedence.
Zero-Day Attacks are difficult and infrequent; exploiting known vulnerabilities is easy!
It’s true: while Zero-Day Attacks are frightening, they are very difficult to architect. Think of Zero-Day Attacks like a heist pulled by the Ocean’s Eleven crew: high-profile, well planned, and expertly executed, taking significant time and resources. Such heists are extremely rare, even in the movies, as they are simply impractical. By comparison, exploiting known vulnerabilities is a far easier and more common approach.
A typical “Black Hat” will spend time knocking on the virtual doors of numerous companies and government organizations, looking for anyone foolish enough to have left vulnerabilities unpatched. Once identified, these organizations can be breached within seconds, utilizing common toolkits, following well-publicized attack vectors, allowing for maximum damage. Simply applying Security Patches as they are released will dramatically reduce exposure to this type of attack.
What’s the frequency?
Patch management should be handled on a multi-tiered schedule, with daily, weekly, and monthly reviews and scheduled patching. Daily, available patches and security bulletins should be reviewed, and anything critical should be applied. Weekly, non-security feature patches that provide valuable functionality should be reviewed and applied as needed. Monthly, a review of all available patches should be conducted, and any remaining items should be applied. Additionally, it is a good idea to review security logs to see where access attempts occur, so that those areas can be protected proactively. This can become quite cumbersome for an internal team to tackle on their own: the average IT group is already understaffed by more than two people, with most resources juggling too many tasks in too few hours.
How do I alleviate the stress on my IT team, while keeping up with critical Security Patches?
CIS conducts regular Patch Management as part of a Managed Services Program, while providing a team of experts to deploy, implement, integrate, customize, secure, and support solutions of all types. Clients utilize CIS to offload the monotonous task of handling things like patching, allowing an internal team to focus on the more critical aspects of their job. CIS resources will monitor, review, and deploy any critical patches, with a customized approach to each client’s individual needs and requirements.
As a Premier Micro Focus Identity and Access Partner, CIS is excited to announce that we will be hosting a webinar on December 5th, from 12:30 to 1:30pm EST, to formally introduce our Managed Services offering for Micro Focus NetIQ Identity and Access Management Solutions.
CIS has been architecting, implementing, and supporting large-scale Identity implementations since the first release of the product. The CIS Identity team comprises foremost subject matter experts and thought leaders who are known worldwide, and is now available to provide ongoing support and production functionality in our CIS-MIAMI™ services model.
Support is provided in various optional tiers, including:
When thinking about end users and IT security, two related things leap to mind: the first is an early-2000s game show, the second an adage about chain strength. Both say the same thing: when it comes to network security, your end users ARE your weakest link.
Regardless of the amount of money spent on firewalls, intrusion detection, log management, compliance, and network vulnerability testing, security surveys are unanimous that end-user actions are directly responsible for more than 80% of global security breaches. Whether direct or indirect, intentional or accidental, end-users are reliable only in that they expose their employers to massive security risks. Because of this, diligence is required in making sure your users understand the corporate risks inherent to a data breach, and what they as individuals and as a collective can do to prevent such unauthorized access.
End-user focused security services have become of paramount concern in the age of the cloud and the remote worker; there are simply too many paths open for an industrious hacker to exploit. Computer Integrated Services works with clients to identify the key users and topics of concern, then conducts end-user security seminars focused on education and awareness of security best practices.
“But a lot of my users are Millennials, they were born online, they know this stuff”
While that may be true of an increasing number of companies, the truth is that a large portion of the workforce is still comprised of the opposite end of the user spectrum, aging users who are not generally inclined to keep up with changes in technology. And, often, these are your power users, key executives with the most access and the most privileged information.
The first step CIS’ elite Network Security Team recommends is to conduct end-user testing from several vectors. It is critical to identify potentially troublesome users in your environment. This identification allows CIS and our client’s IT staff to provide guidance to specific users, as well as attempt to establish technology barriers to help protect them.
Testing also serves as a guideline for focusing the development of CIS’ Security Seminar program, a customized end-user focused presentation, or series of presentations, from CIS’ Chief Information Security Officer. Training seminars are conducted in groups of users, typically coordinated by need and level of capability, to allow for focused learning, as well as efficient use of time.
Seminar material varies from client to client, depending on the needs of each specific user base, as well as the continual emergence of new network security threats. Seminars are typically best when they are engaging and interactive, so CIS always encourages questions within the covered topics. Follow-up materials such as best-practices reminders, written tests to review and reinforce the subject matter covered, and follow-up one-on-one sessions are also typically provided on an as-needed basis.
Topics covered will typically include:
Regularly covering these topics, and more, and staying diligent about end-user education is the only path toward real security. Users are notoriously demanding of any IT Staff, it’s time to be demanding back; IT Security should be every employee’s concern.
For further details, or to schedule a CIS Security Seminar, please contact us today.
Computer Integrated Services’ Network Security Team is monitoring the following…
At 12:37 AM EST on October 16th, 2017, Ars Technica disclosed to the world a “new” flaw in a wireless protocol (communication language). It is called KRACK (“Key Reinstallation Attacks”). This vulnerability theoretically makes it possible for attackers to eavesdrop on Wi-Fi traffic passing between computers and access points.
This issue potentially affects any device using WPA2 (Wi-Fi Protected Access II). To quote one report, “Both Windows and iOS aren’t believed to be vulnerable to the most effective attacks. Linux and Android appear to be more susceptible.”
CIS is monitoring this issue on behalf of our clients, and will provide patches or further advisories when they are available from manufacturers. At the time of this writing, the attack has NOT been reported to have stolen any information. If you have specific concerns about this issue, please contact the CIS Service and Support Desk at email@example.com.
CIS and Micro Focus, global leaders in Identity and Access Governance, are teaming up on October 5th to bring an exciting, engaging dinner event to C-level executives interested in learning more about the two organizations and their cutting-edge Identity solution. The event will feature a private dinner and discussion with Dan Shmitt, Chief Information Officer, Major League Baseball (MLB) Advanced Media. Mr. Shmitt will share his experiences working with both organizations, and host a round-table discussion focused on the many advantages gained from implementing the solution. Highlights will include:
The event will take place at a famous New York City steakhouse, and is by invitation only. If you are interested in attending, please contact your CIS rep, or email us and someone will get right back to you.
To celebrate our many years of partnership, and reward our treasured mutual clients with a top-end dinner and night out, CIS and ShoreTel are pleased to announce we will be hosting an exclusive Client Appreciation Dinner on the evening of September 27th. The Italian restaurant selected for the event is among the most well-reviewed in New York City, and is sure to provide a first-class experience for everyone in attendance. We are doing everything possible to touch base with personal invitations, but if you are a CIS or ShoreTel client who has not heard from us, and would like to attend, please contact your CIS rep today!
Well, probably not, but that could largely be due only to the fact that the KGB was disbanded in 1991. The current iteration of Russia’s State Security organization is known as the Federal Security Service of the Russian Federation, or FSB; this is the organization alleged to be utilizing ties to Kaspersky Lab for nefarious purposes.
Kaspersky Lab is the 4th most widely adopted anti-virus platform in the world, and holds the largest market share of European cyber-security manufacturers. With over 400 million users added since the company was founded in 1997, Kaspersky is a very large player in the global security space. That makes dire warnings about the company’s product line, such as those issued by U.S. Cybersecurity Coordinator Rob Joyce at the end of August, extremely concerning.
“I worry that as a nation state Russia really hasn’t done the right things for this country and they have a lot of control and latitude over the information that goes to companies in Russia.” – Rob Joyce, U.S. Cybersecurity Coordinator
Following Joyce’s commentary about the security of Russian companies, he continued to say that he would not recommend Kaspersky Lab products to family and friends, further confirming an official stance by the U.S. government that Kaspersky products are not to be trusted.
Suspicions about Kaspersky Lab have been abundant in tech and government communities for several years now, persisting despite strong denials by Kaspersky Lab and its founder, Eugene Kaspersky. Kaspersky, acting as CEO of the company, has gone so far as to offer source code for his security products for independent review; an offer which has yet to be accepted by any government organization.
A great deal of the suspicion in this case is directed at Kaspersky himself. A member of Russia’s elite, Kaspersky was educated in a KGB-connected University, and maintains many connections to high-profile figures in Russian government and national industry. The Russian government, and this community of oligarchs, has repeatedly and publicly made attempts to exploit Russian companies for their own benefit, both legally and illegally. There is a growing fear that even if Kaspersky Lab is not willingly cooperating with the Russian government, they may be otherwise compromised.
Recent news reports have confirmed that, throughout the summer, the United States Federal Bureau of Investigation has been meeting with U.S. energy and technology sector companies, to quietly advise them to remove all Kaspersky Lab products from their systems. Additionally, all products from Kaspersky Lab will no longer be utilized by any branch of the U.S. Federal Government. This is an extremely aggressive step which we believe the government would not have taken without careful consideration, as it has potentially broad impact.
At this point, CIS is recommending a highly cautious approach to this situation, and advising our clients to follow the lead of the U.S. Government, and begin to remove Kaspersky Lab products from any critical systems. Additionally, we advise that any current Kaspersky Lab clients either conduct a Network Vulnerability Assessment, or, at minimum, run network security scanning tools. Our team of security experts is available to discuss your requirements at any time, and make recommendations for alternate technology from more trustworthy organizations. If you would like to coordinate a call with our team, please contact your CIS rep today.
Running the entire IT Operation for even the smallest business can be a tremendous challenge. Between keeping up with new technologies and threats that emerge on almost a daily basis, to handling licensing and budgeting, to squeezing extra life out of stubborn aging equipment, to handling an end-user community that may be “less than computer-savvy,” one wonders where the hours in the day for sleep can be found. And, in our experience, this is frequently not the only job the “Computer Person” has at their organization! Many people in a solo support role have ended up there simply through taking on various technology-related tasks. As their company grew over time, their responsibilities increased to the point where they are doing at least two full-time jobs.
CIS has worked with the small and medium sized business community throughout the company’s 22-year history. The organization provides both monthly managed IT services as well as IT support blocks, both of which lead to directly working with many individuals who are that sole “IT Person” for their organization. Through this experience we’ve come to recognize certain common challenges and things left undone from client to client. Typically these are issues that a larger staff, or a support organization, can handle as priority items. For the small and medium sized IT person, they can typically be found on the “if I had more time” list.
The following suggestions are 25 quick recommendations we’ve provided to countless Small and Medium Sized Businesses to improve Security, Policy, Administration, and Stability. CIS can provide direct support for any or all of these efforts, and many more, with an ongoing managed services agreement, or can provide staff augmentation and consultative services for clients that prefer to handle things mostly internally.
To get us warmed up, here are a few easy, logical IT practices that everyone should follow.
Unified Security Management provides a “single pane of glass” view into your organization’s network security, asset inventory, vulnerability, intrusion detection, behavior monitoring, SIEM, and log management, dramatically reducing time-consuming tasks such as log reviews, and condensing everything into easily understood reports that can be immediately acted upon.
This may seem obvious, but the vast majority of devices end up in “set and forget” mode, leaving them vulnerable to brute-force and phishing attacks, as well as breach by a current or former employee. Where applicable, use passwords that are a phrase; the more complex yet memorable, the better.
A thought straight from the oft-quoted The Art of War, if you don’t understand your “enemy” – in this case hackers of all types as well as, unfortunately, internal threats – you cannot hope to defeat them. If you approach your layering of network security not from an internal place of comfort, but from an external place of seeking access, you will be on your way to thinking like the enemy.
Nobody knows everything, not even our team, but sometimes the hardest thing to do can be to ask for help. We’ll just leave this here: Contact a CIS Rep Today
A well-documented environment is a well-protected environment. This is a crucial but often forgotten step in the disaster recovery planning process. Backups and the ability to spin up virtual or even physical servers are great, but good documentation is the roadmap on how to get from hopelessly lost back to functionality.
What would happen if your primary production server crashed? What would happen if the office lost power for a week? If you can answer basic questions like these, you’re on the way toward disaster readiness.
Have a backup. Use your backup. TEST your backup. Sending your data offsite is a great start, but how long does it take to bring it back, stand up a new server, and get everything running? Know your Recovery Point Objective (RPO) and Recovery Time Objective (RTO), the point in time to which your business must recover, and the time it can tolerate it taking to get there. Be sure that you have full image based backups. If there is anything important, have a backup. Have at least one backup offsite.
As Harold Melvin and the Blue Notes sang, “If you don’t know me by now…”. We could list endless examples of company breaches based on one user clicking a bogus link in an unknown email, corporate messages landing in the News, or payments being sent to phony vendors based on invoices that “looked real to me.” Educating yourself and your end users about the looming threat posed by everyday email is critical.
CIS recommends running a network vulnerability assessment on at least a yearly basis, if not quarterly. Our team offers NVAs that are geared toward the small and medium sized business, designed specifically for affordability and effectiveness. Additional security can be gained by running more regular reports with tools such as Network Detective or Nessus. Management reviews of security reports should be undertaken on at least an annual basis, to provide visibility for issues potentially impacting compliance and finances.
A wall with a hole in it is not a wall at all.
Stronger encryption standards yield more secure communications. If you can use the same encryption as a federal agency, why wouldn’t you?
Limiting traffic is a great way to manage bandwidth as well as security: only allow business-related traffic to flow.
Exposing the network to remote access and control can be a dangerous proposition, unless it is well implemented. Restrict access to only those who absolutely need these services. Putting SSH behind a VPN provides an additional layer of security.
Hackers are knocking on the virtual door every day; it’s best to keep an eye on them and monitor any suspicious traffic. If patterns emerge, consider whether the attempts are random or targeted and more nefarious.
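The log review called for in the patching schedule above and in this recommendation can be partly automated. The following is an added example, not code from CIS or the original article: it parses a handful of constructed OpenSSH-style authentication log lines, then separates a source that sweeps many usernames (random, opportunistic) from an account that is being hit from several unrelated sources (targeted), and flags any account where a success followed failures from the same source. The thresholds and the log format are assumptions for the sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OpenSSH/syslog style; addresses are RFC 5737
# documentation ranges. None of this is taken from the page.
SAMPLE_LOG = """\
Oct 25 02:11:04 fileserver sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 25 02:11:06 fileserver sshd[4121]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Oct 25 02:11:09 fileserver sshd[4121]: Failed password for root from 203.0.113.5 port 51251 ssh2
Oct 25 02:11:12 fileserver sshd[4121]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2
Oct 25 02:11:15 fileserver sshd[4121]: Failed password for invalid user guest from 203.0.113.5 port 51270 ssh2
Oct 25 09:30:01 fileserver sshd[4300]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2
Oct 25 13:45:22 fileserver sshd[4412]: Failed password for jsmith from 198.51.100.23 port 40120 ssh2
Oct 25 18:02:10 fileserver sshd[4510]: Failed password for jsmith from 192.0.2.44 port 40331 ssh2
Oct 25 19:15:00 fileserver sshd[4602]: Accepted password for jsmith from 192.0.2.44 port 40390 ssh2
Oct 25 20:00:00 fileserver sshd[4700]: Failed password for bjones from 192.0.2.9 port 41000 ssh2
"""

# Matches the "Failed/Accepted password for [invalid user] NAME from IP port N" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Return a list of dicts (ts, result, user, ip) for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, sweep_threshold=4, target_threshold=3):
    """Group failed logons by source and by account and label the pattern.

    A single source trying many different usernames looks like an opportunistic
    sweep; one account failing from several unrelated sources looks targeted.
    The thresholds are assumptions chosen for the sample data, not tuned values.
    """
    users_by_source = defaultdict(set)
    sources_by_user = defaultdict(set)
    for e in events:
        if e["result"] != "Failed":
            continue
        users_by_source[e["ip"]].add(e["user"])
        sources_by_user[e["user"]].add(e["ip"])

    findings = []
    for ip, users in users_by_source.items():
        if len(users) >= sweep_threshold:
            findings.append(("sweep", ip, sorted(users)))
    for user, ips in sources_by_user.items():
        if len(ips) >= target_threshold:
            findings.append(("targeted", user, sorted(ips)))
    return findings


def successes_after_failures(events):
    """Flag (user, ip) pairs where a success followed earlier failures from the same source.

    That pattern is the one worth escalating: a guessed password that eventually worked.
    """
    failed = set()
    flagged = []
    for e in events:  # events are in log order
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            failed.add(key)
        elif key in failed:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for kind, subject, detail in summarize(evts):
        print(f"{kind:9s} {subject:15s} {detail}")
    print("success after failures:", successes_after_failures(evts))
```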
Administration & Policy
This is the easiest path into any environment. If someone looking to breach your environment finds an end of life OS, it’s Game Over. End of Life systems receive no security patches, no updates, and no support from vendors, leaving the business at risk. Even a system as recent as Windows 7 is already in “extended support” and should be updated.
Patching is so simple and so frequent that it has become a mundane part of the routine, one that’s easy to ignore or postpone for something more interesting. Unfortunately, patching is the one surefire way to stay up to date with known vulnerabilities. CIS strongly recommends monthly patch review and deployment; systems that were patched on even a quarterly basis were impacted by WannaCry. Any device that has an IP address on the network is vulnerable; maintain the latest patches and updates to stay a step ahead.
You’re not President Skroob; the password for your network, or your luggage, should not be 1-2-3-4-5! Don’t make it easy on someone looking to breach your environment: as a standard practice and written policy, change standard or default usernames and passwords to something non-standard. The frequency with which we see “admin/admin” credentials is astounding.
Basic security administration can be accomplished with simple policies such as these. If an employee is leaving their workstation for 30 seconds for a coffee refill, it is typically fine to leave their computer unlocked, but if they’re gone for 15 minutes? An unlocked computer leaves both data and privilege open to anyone who happens to pass by. Rotating passwords, no matter how much users may grumble, is simply basic, entry-level security.
SSL, or Secure Sockets Layer, is the current standard for secure access between web browsers and web servers. Plain HTTP is antiquated and no longer secure; it must be replaced.
Typically, database information is considered critical company data; it is where you store information about clients, projects, and vendors. Most organizations protect database information while it is at rest by deploying encryption; however, as the workforce changes, more users access database information remotely. If a user’s application runs outside the server on which the database resides, the data will be in transit while it travels to the user. It is critical that this communication maintain the same level of encryption as the database at rest.
The best approach to access is to provide a Least Privilege model, giving users only the access they need to do their jobs, and nothing more. No user should have access to systems they have no need for, and no users should have access in overlapping systems such as accounts payable and accounts receivable. Separation of Duties reviews should be conducted on a regular basis and enforced via policy and automation.
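The separation-of-duties and least-privilege review described above can be enforced by automation rather than by hand. Below is an added example, not CIS code or a tool the article names: a constructed user-to-entitlement list is checked against an assumed conflict matrix (accounts payable versus accounts receivable being one of the pairs) and against a per-role baseline, and the script reports both conflicting pairs and any entitlement a user holds beyond what their role needs. The entitlement names, roles and users are all assumptions for the demonstration.

```python
# Constructed separation-of-duties conflict pairs (assumption): no single user
# should hold both entitlements in any pair.
SOD_CONFLICTS = {
    frozenset({"ap_create_vendor", "ap_approve_payment"}),   # create the payee and pay it
    frozenset({"ap_approve_payment", "ar_receive_payment"}),  # AP and AR in one person
    frozenset({"ad_admin", "audit_log_manage"}),              # admin who can erase the trail
}

# Constructed job roles (assumption): the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "ap_clerk": {"ap_create_vendor", "reporting_read"},
    "ap_manager": {"ap_approve_payment", "reporting_read"},
    "ar_clerk": {"ar_receive_payment", "reporting_read"},
    "sysadmin": {"ad_admin"},
}

# Constructed review input: what each user actually holds today, and their role.
ASSIGNMENTS = {
    "alice": {"ap_create_vendor", "ap_approve_payment", "reporting_read"},
    "bob": {"ar_receive_payment", "reporting_read"},
    "carol": {"ap_approve_payment", "ar_receive_payment"},
    "dave": {"ad_admin"},
}
USER_ROLES = {"alice": "ap_clerk", "bob": "ar_clerk", "carol": "ap_manager", "dave": "sysadmin"}


def sod_violations(assignments, conflicts):
    """Return {user: [(ent_a, ent_b), ...]} for every user holding a conflicting pair."""
    out = {}
    for user, ents in assignments.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= ents]
        if hits:
            out[user] = sorted(hits)
    return out


def excess_entitlements(assignments, user_roles, baseline):
    """Least-privilege check: entitlements a user holds beyond their role's baseline.

    A user with no known role gets an empty baseline, so everything they hold is
    reported; that is deliberate, since an unmapped account needs review anyway.
    """
    out = {}
    for user, ents in assignments.items():
        allowed = baseline.get(user_roles.get(user), set())
        extra = ents - allowed
        if extra:
            out[user] = sorted(extra)
    return out


def review_report(assignments, user_roles, baseline, conflicts):
    """Combine both checks into one structure suitable for a periodic review ticket."""
    return {
        "sod": sod_violations(assignments, conflicts),
        "excess": excess_entitlements(assignments, user_roles, baseline),
    }


if __name__ == "__main__":
    report = review_report(ASSIGNMENTS, USER_ROLES, ROLE_BASELINE, SOD_CONFLICTS)
    for user, pairs in report["sod"].items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user, extra in report["excess"].items():
        print(f"Excess access: {user} holds {extra} beyond role {USER_ROLES.get(user)}")
```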
Tracking what workflows reside on what servers is critical in supporting an environment. A proper assessment of the risk to any critical business application must include thoughts about the hardware or server environment in which it resides. As hardware goes end of life, tremendous benefits can be reaped from migrating its applications to cloud-based virtual servers.
Documenting things makes processes easier to implement. Any documentation of passwords should be stored safely.
Active Directory is the backbone of your network environment; it should be kept up to date and healthy. CIS recommends Active Directory management utilities, such as DRA from Micro Focus, to help with regular AD administration.
Monitoring server thresholds and utilization, network equipment online status and access attempts, and many more things going on in any environment is a key component of successful management. Without monitoring and the associated alerts, we would constantly be putting out fires, rather than handling things proactively.
Nobody likes upgrades or changes to back-end infrastructure that, on a typical day, just works. Such is the life of the server. Server operating systems are typically a “set and forget,” with the knowledge that this group of servers runs on that flavor of Windows, which will be upgraded at the same time as the hardware. However, there are compelling reasons to consider an upgrade to Windows Server 2016.
The MOST pressing concern for most IT Departments we work with is Security.
One of the primary vulnerabilities CIS’ elite Security Team uncovers on a regular basis is the continued use of unpatched, unsupported, aging software and operating systems. Critical vulnerabilities emerge rapidly as products age out of their support model. If you are currently running Windows 2003 at the server or Windows XP at the desktop, please stop reading and make the change; we will wait. It’s that important. For more “current” users who are running Windows 2008 R2, or even Windows 2012, we’d like to ask you to look at those years and consider where you were at the time. Now that we have a real feel for how long those products have truly been in the environment, we can understand the inherent security risk in areas like access controls and privileges. Upgrading Windows provides a chance both to utilize the new tools, such as the JEA (Just Enough Administration) utilities, and to take the opportunity to review who has access to what, and why, across your environment.
Providing a more efficient and reliable platform for applications
At long last, Microsoft has decided to adopt a Container model in their Windows Server product. With a stated goal of making Windows 2016 a cross-platform operating system for a seamless Hybrid Cloud and On-Premises model, Containers are a hugely important new development in Windows Server 2016.
The idea behind containers is to “park” or “dock” processes that typically chew up memory resources, segregating them from other processes in a bubble of sorts. This frees all the other applications to consume the memory and resources they require, functioning more reliably and efficiently either locally or remotely. Windows Server 2016 actually includes two versions of containers: a standard Docker version and a customized Hyper-V version.
OK, you probably already read about or used 10 products today that have “nano” in their name, but this one may be the most interesting innovation of all. Included with Windows 2016, under the hood, is Microsoft’s new small-footprint operating system, known as Nano Server. Nano Server utilizes significantly fewer resources, currently able to run on 512 MB of disk space and barely 300 MB of RAM, and yields a staggering 92% fewer critical bulletins and 80% fewer reboots than typical Windows Server.
Nano Server is not a typical operating system; it does not have a GUI or command line, and it is intended entirely as infrastructure, to work with Hyper-V and in the hybrid-cloud or native-cloud application space. A single implementation of Nano Server with 1 TB of RAM today can run 1,000 virtual instances of Nano Server, an impressive feat on which Microsoft hopes to dramatically improve. As Microsoft puts it, Windows 2016 is here to virtualize any workload, without exception.
We don’t work in the cloud, should we care? YES!
We get it, the cloud isn’t for everyone. It can be a daunting effort just getting there, and sometimes the learning curve for end users can be too steep. This is why Microsoft made certain to pack Windows Server 2016 with on-premises focused enhancements as well. A primary change is that Windows Server 2016 supports up to 24 TB of RAM to run the resource-intensive applications used by most businesses. Significant changes have been made to Hyper-V’s encryption capabilities, access via PowerShell, and the ease with which memory and network configurations can be modified.
All of these changes are aimed at delivering a better experience to clients not ready to move to the cloud or hybrid cloud, while providing a platform from which to make, first, the step to Hybrid, followed by an enthusiastic leap to Cloud!
Server power equals business capability
Servers are the underappreciated backbone of a business. The more powerful the server the more stable and better performing it will be. By upgrading to Windows Server 2016, your end users will get the best possible experience while running their applications and workloads, and you will gain significant scalability and flexibility to meet the changing needs of your company’s growing dynamic business.
Interested? Contact your CIS rep today!
CIS has helped clients of all shapes and sizes restructure their Windows Server environment, through most of the previous iterations of Windows. The CIS team has unrivaled experience providing customized upgrade and migration experiences, utilizing proprietary tools and approaches, to ensure success. CIS can provide consultation as well as hands-on integration and implementation work for any On-Premises, Hybrid, or Cloud Server Windows environment, get in touch with us today to start the discussion!