Fortifying Network Security: Unveiling the Benefits of 802.1X Authentication

In the ever-evolving landscape of network security, organizations are continuously seeking robust solutions to safeguard their sensitive data and digital assets. One such powerhouse in the realm of network authentication is 802.1X, a protocol that has proven to be a game-changer. In this blog post, we’ll delve into the benefits of 802.1X authentication and how it elevates network security to new heights.

  1. Enhanced Access Control: 802.1X authentication provides a robust framework for controlling access to network resources. By requiring users and devices to authenticate before gaining network access, organizations can enforce strict access policies. This granular control ensures that only authorized individuals and devices can connect to the network, mitigating the risk of unauthorized access.
  2. User and Device Identification: The authentication process in 802.1X allows for the identification of both users and devices attempting to connect to the network. This level of visibility is crucial for network administrators, as it enables them to track and manage devices, enforce security policies, and quickly respond to potential security incidents or policy violations.
  3. Securing Wired and Wireless Networks: Whether it’s a wired Ethernet connection or a wireless network, 802.1X authentication offers a versatile solution. It can be implemented across various network infrastructures, providing a consistent and unified approach to access control. This flexibility is particularly valuable in today’s hybrid environments, where both wired and wireless connections are prevalent.
  4. Dynamic VLAN Assignment: 802.1X authentication facilitates dynamic VLAN (Virtual Local Area Network) assignment based on user or device credentials. This means that users can be dynamically assigned to specific VLANs based on their roles or attributes. This segmentation enhances network security by isolating different types of traffic and limiting the potential impact of security breaches.
  5. Centralized Authentication and Management: Implementing 802.1X allows for centralized authentication and management through a RADIUS (Remote Authentication Dial-In User Service) server. This centralization streamlines the administration of user credentials and access policies, making it easier for IT administrators to maintain and update security configurations across the entire network.
  6. Mitigation of Insider Threats: Insider threats pose a significant risk to organizational security. 802.1X authentication helps mitigate these threats by ensuring that only authorized users and devices can access sensitive resources. In the event of personnel changes or device compromises, access can be promptly revoked, preventing unauthorized individuals from exploiting network vulnerabilities.
  7. Compliance with Security Standards: Many regulatory frameworks and industry standards emphasize the importance of robust access controls for network security. Implementing 802.1X authentication aligns with these standards, helping organizations achieve and maintain compliance. This not only enhances security but also demonstrates a commitment to best practices in information security.

As organizations grapple with the ever-present challenges of securing their networks, 802.1X authentication emerges as a cornerstone in the defense against unauthorized access and potential security breaches. From enhanced access control to dynamic VLAN assignment and centralized management, the benefits of 802.1X authentication extend across wired and wireless networks. By adopting this powerful authentication protocol, organizations can fortify their network security posture and navigate the evolving landscape of cybersecurity with confidence.

Veeam – 2021 Cybersecurity Threats

I found this article to be very good at simplifying the current Cybersecurity Challenges IT faces today.

Sources of cybersecurity threats 

The sources of cybersecurity threats and attacks are seemingly endless. There are all types of reasons and motivations why someone wants to break in. Let’s look at some of the more common sources of security threats and see if we can dig a little deeper.

Corporate spies  

One source of threats is corporate spies. The larger your company gets, the more likely it is that competitors or researchers will want to figure out how you’re doing. They may want to steal data for their organization or sell it to the highest bidder. When it comes to safeguarding trade secrets, make sure to take extra precautions.

Hacktivists 

If you are engaged in activism for some cause, DDoS and hacktivists may attack your website to prove a point. They may want to do something as simple as defacing your website or they may want to put you out of business.

Disgruntled employees 

Another top security threat is disgruntled employees. A disgruntled employee may want to steal data or information to get back at the organization. They may even want to sell the data to the highest bidder. In other cases, they may wish to wreak havoc in a digital environment just because they can, and they aren’t happy.

Hackers/Cybercriminals

A hacker or cybercriminals are people who seek to circumvent security measures to enter a digital environment. In today’s media, the term hacker has a generally negative connotation, and the truth of the matter is we may not know their motivation. Whether it is an individual or an organization, hackers can get into your environment for just about any reason under the sun.

These are just a few items in the cybersecurity threat landscape. The fact of the matter is that a solid information security strategy and policy are paramount to keeping hackers out, no matter the motivation.

Now that we’ve reviewed the profiles of threat actors, let’s look at some types of threats and protect yourself from them.

Common cyberthreats

Here are some of the most common threats you will encounter in your environment and some things to think about when trying to protect your assets.

Malware/Spyware 

The first category I want to mention is the malware/spyware category. Most malicious software programs fall under this category, and it is one of the most widely used to gain access to a system or network. Let’s take a look at some more specific types of malware.

Trojans 

A trojan is one of the most classic malware pieces out there and one of the easiest to use to access an environment. A trojan looks like a standard piece of software to the end user, so when they think they are installing a new app, your network gets a special surprise.

Ransomware 

Ransomware is currently one of the most active pieces of malware around. You are constantly seeing stories about ransomware in the news. The most dangerous piece about ransomware is that it gets into your network and may do nothing for some time, making it difficult to detect.

When the ransomware activates, it begins to encrypt your systems and cripple them. At this point, your only hope is to recover your systems or pay the ransom.

Wiper attacks 

A wiper attack is what it sounds like; malicious operators attack your systems and wipe them. These attacks cause havoc. In this case, you have no choice but to recover your systems.

Drive-by downloads 

A drive-by download is an unwanted download of malware that happens while your users are unaware. This attack comes in a couple of different flavors. First of all, a user may end up downloading a piece of software by clicking a link or opening an email. Secondly, it can tie back in with a trojan when a user thinks they are downloading something legitimate, and it turns out to be malware.

Rogue security software 

There’s nothing worse than a user that thinks they did something wrong. They may realize that something is wrong with their computer and try to fix it on their own. There are many imposter security software packages out there that seem like they will help out an end user but end up doing more harm than good.

Social engineering attacks 

We’ve spent a lot of time talking about hackers getting into your network. Now, let’s talk about hackers getting into your user’s heads. These attacks are called social engineering. It can be as simple as someone posing that they work at your helpdesk and asking a user for a password, or it could be more sophisticated.

Phishing attacks  

A phishing attack tricks an end user by stealing credentials via email, text message, etc. Phishing happens when an email link looks like it’s coming from a legitimate site and asks you to enter your login information.

Homograph attacks 

Homograph attacks are interesting because they make users think they connect to more innocent systems, like a phishing attack. Homograph attacks use identical letters and numbers to make things look and feel legitimate — think of things like swapping a capital letter I for a lower-case letter l in many fonts.

Distributed denial of service (DDoS) attacks 

A distributed denial of service attack, also known as a DDoS, denies service. The theory behind these attacks is they overwhelm the target system entirely, making it unusable and denying service.

Botnets 

Botnets are devices used in DDoS attacks. These bot devices are connected to the internet and controlled by the attackers. In some cases, botnets have been created by exploiting devices on the internet.

TCP SYN flood attack 

An SYN flood attack takes advantage of part of the TCP handshake protocol. When creating a TCP connection, the client first sends a synchronize or SYN message to the server, acknowledging the connection, aka ACKs. The client is then supposed to respond with an ACK of its own to complete the connection. In this case, the client never responds with its ACK but continues to send SYN messages instead, ultimately flooding the connection and rendering it useless.

Teardrop attack 

A teardrop attack focuses on sending incomplete packets to a destination machine. The target can’t assemble the packets and is overwhelmed by the requests it can never complete.

Password attacks 

Another attack vector is targeting passwords to a system. There are several different ways to accomplish this.

Brute-force password guessing 

A brute force attack keeps generating passwords and attempting to access a system. It systematically keeps changing the password until the correct combination is found.

Dictionary attack 

A dictionary attack is a little bit different. Instead of randomly trying to figure out the password, a dictionary attack uses a dictionary of commonly used passwords. Passwords are meant to be protected and kept private. If your password has been made public in a data breach, change it.

Zero-day exploits 

A zero-day exploit is an exploit that becomes available before a vendor has a software patch ready to mitigate it. In most cases, attackers keep their exploits secret, and they are made available on “day zero” when they cannot be immediately fixed. In some cases, hackers or researchers may let a software vendor know that they have found a vulnerability before releasing it.

Man in the middle attack (MITH attack) 

A man in the middle attack is when a malicious actor intercepts the communication between two entities.

Session hijacking 

This method focuses on hijacking a communications session. They act as the sender or receiver and begin collecting and transmitting data as their presumed persona. If they seize a session after system access has been granted, they can gain access quickly.

Replay attack 

A replay attack is when data is saved during a communication session then replayed later. If authentication happened during a dedicated session, this is another “easy” way into a system.

Why is it necessary to protect against cyberthreats? 

As you can see from this list, there are many cyberthreats in today’s landscape. It is vital to protect against them, so data is not stolen or compromised, and systems remain accessible for users.

Any security incident has a cost associated with it. Some are larger, and some are smaller. One way to help determine the potential impact of data loss or a data breach is to classify your systems and data.

Top cybersecurity challenges  

There are many cybersecurity challenges when it comes to protecting an organization’s data and systems. In today’s world, there are a couple that stand out.

Mobile devices are difficult to secure 

First and foremost are mobile devices. These bring all sorts of threats into an environment, especially with the rise of BYOD. Besides, mobile devices may be connected to a corporate network but managed by an individual. Mobile devices are still vulnerable to common attacks like malware and phishing attacks.

Complexity of cloud environment 

There has also been a rise in cloud adoption in the last several years, but cloud environments can be complex. Everyone loves the adage of how easy it is to get started with the cloud. Just grab a credit card, and you’re up and running in no time. If organizations don’t have cloud policies and procedures in place, this can quickly become a huge security risk. Additionally, organizations may not fully understand their new cloud platform and may not secure it properly. Worse, they may assume they don’t even have to worry about security anymore since they are using the cloud.

How to protect against and identify cyberthreats 

There isn’t an easy answer when it comes to protecting against and identifying cyberthreats. The first step is to make sure you understand the basic types of cyberthreats out there and start thinking about them regarding how they can impact your organization.

There are a few places to get started when it comes to protecting against cyberthreats. First and foremost, is to make sure you understand the applications and data in your environment and the cost associated with downtime, data loss and data leaks.

If you have a disaster recovery plan in place, this is an excellent place to get started. After all, a cyberthreat is a type of disaster. Be sure you have a good understanding of the Business Impact Analysis (BIA) that has been done in your organization. If no BIA has been done, this is an excellent place to get started.

After you understand how much these events cost, you can begin to put together solutions to protect against them. How much an incident will cost you will significantly impact your ability to mitigate security risks in your environment.

If an incident is a low impact in terms of cost, you will probably not be making a significant investment to protect that system. Likewise, if a system is deemed mission-critical and has a high price with an incident, you will preserve that system differently.

How can you detect cybersecurity threats before they occur?   

Threat detection is no easy feat, but protecting your assets before they are exploited is a great first defense line. This, of course, is not a substitute for an incident response plan, but some work upfront may be able to lessen the severity and number of actual security incidents.

Monitoring systems in your environment are crucial to detect threats before they occur or as they are occurring. It is essential to have a monitoring system that can understand your environment’s baseline and alert you appropriately to things that are out of the bounds of normal. Alert fatigue is accurate, and if the monitoring system is ignored, it won’t help you detect threats.

OWASP threat model 

OWASP is the Open Web Application Security Project and a nonprofit foundation focused on software security. Getting involved with OWASP is a great way to get started on your journey to protecting your applications. OWASP also has local chapters throughout the world, making it easy to connect with like-minded individuals to solve everyday problems.

One area that OWASP can aid practitioners in is threat modeling. Threat modeling is a method of examining an application to identify potential vulnerabilities and threats that it may be susceptible to.

Best practices for cyber defense for businesses  

If you’re looking to build your cyber defenses, here are some areas that you should consider taking a look at when you are coming up with your strategy for mitigating cyberthreats in your environment. Now that you know more about the cyberthreat arena, you may have a better idea of prioritizing the following cyber defense mechanisms in your environment.

User education and awareness 

Users are one of the most significant weaknesses in coming up with a cyber defense strategy, as we can see by the threat landscape. Investing in programs to aid user education and awareness will never be wasted funds. Many organizations often overlook this area since it can be harder to measure and is less tangible than other defense mechanisms.

Network Security  

The network is, of course, another central focal point for hackers, as you can see by many types of threats. Investing in network security is a great way to get started in ensuring you can mitigate these threats. A strong network is an excellent defense against hackers. Penetration testing is a must when it comes to figuring out the weaknesses in your network, and it is often best done by a neutral third party. Sometimes we can be blinded to faults when we’re used to seeing the same networks and systems.

Malware prevention 

Preventing malware is a great way to protect your assets. This, of course, ties back to user awareness and training, but software tools can help you prevent malware from getting into your network. Think basics like ensuring all endpoints have antivirus and antimalware software installed on them and more advanced systems to help stop malware in its tracks.

Removable media controls (3-2-1 Rule) 

In the backup world, we like to talk about the 3-2-1 Rule to help protect data (LINK INTERNALLY). Stated, the 3-2-1 Rule means you should have 3 copies of your data on 2 different media types, with 1 being off site. This helps protect you if your primary data (or even your primary site) is compromised.

Secure configuration  

There are so many different software pieces that make a business run, not to mention software that controls hardware! In all cases, your software or hardware vendor likely has something they call a hardening guide or a list of secure configuration best practices. It is always a good idea to make sure your components are configured with security in mind.

Managing user privileges 

Since we know our users are often the target of so many cyberthreats, it is essential to manage user privileges. You may have also heard of the principle of least privilege. This means that we need to ensure that our users ONLY have the permissions they need to perform their essential job functions, nothing more, and no privileges that are just nice to have. There should always be a business driver for granting users additional rights.

Incident management  

Unfortunately, it isn’t if you have a cyber incident in your environment, but when you have a cyber incident. That is why it is so important to have cyber incident management processes in place so that crucial personnel know precisely what to do in the case of an incident. At the core of incident management are quick responses designed to mitigate risk and damage.

Monitoring  

Be sure you’re monitoring your environment, from your network to your servers to even your backup environment. A sound monitoring system can help you determine if a cyber incident has already started or will occur. For example, suppose you’re monitoring backups (INTERNAL LINK TO VEEAM ONE) and see they are suddenly larger and taking longer than expected. In that case, that could be a sign that ransomware is beginning to encrypt your data.

Home and mobile working  

It is imperative to have policies on home and mobile working since so many are taking advantage of technology advances. Be sure to have a clear policy on what activities are allowed on corporate devices, even at home. Furthermore, if you have a BYOD policy, make sure there are controls to protect their systems from malware.

Review your processes 

Last but not least is to periodically review the processes and policies you have in place regarding cyberthreats. The threat landscape is rapidly changing, and it is essential to make sure you can switch to protect against these threats quickly.

Summary

What are different types of security threats?

There are different types of security threats like malware, insider threats, or unauthorized access to data. To protect against them you can use security policies, antivirus software, firewalls, intrusion detection systems, and endpoint protection.

What are the three types of cybersecurity threats? 

There are three types of cyber security threats that businesses may face:  Information security, physical security and virtual security. Information security threats are the ones that involve the theft of information or data. Examples of this type of threat include malware, viruses, data loss and phishing. Physical security threats involve theft, loss or destruction of physical assets. Examples of this type of threat include theft, robbery, fire, vandalism and natural disasters. Virtual ecurity threats are the ones that involve theft or loss of virtual assets. Examples of this type of threat include malware, viruses and unauthorized intrusion.

What are the main cyberthreats of 2021?

The main cyber threats of 2021 are:

  • Data encryption
  • Cloud and SaaS
  • Mobile Devices

What Is a Cybersecurity Threat? (veeam.com) by Melissa Palmer

vcenter server

Decoding the vCenter Server Lifecycle: Update and Versioning Explained

Have you ever wondered what the difference is between a vCenter Server update and a patch? Or between an upgrade and a migration? Why don’t some vCenter Server versions align? Keep reading for the answers!

Version Numbering

The first thing you should understand is vCenter Server versioning. When reviewing your vCenter Server version’s you may see many different references to versions or builds.

One of the first places you will notice a version identifier, is in our release notes. Here you will see the product version listed as vCenter Server 6.7 Update 2a and the build number listed as 13643870.


Once you have upgraded or deployed your vCenter Server you will see version identifiers such as 6.7.0.31000 listed in the VMware Appliance Management Interface (VAMI). You will also see a build number, such as 13643870.

If you review the version information within your vSphere Client you will see the version listed as 6.7.0 and the build as 13639324.

The reason you will see differing versions among these places are because the release notes show the vCenter Server build and full release name, in the VAMI it will show the vCenter Server Appliance version in addition to the build and in the vSphere Client it will show the vCenter Server version and the build of the vSphere Client.

KB2143838 is a great resource that will explain the breakdown of versioning and builds for all vCenter Server versions.

Now that we have  explained the way versioning works, let’s jump into the different scenarios where VMware will increment a version.

vCenter Server Updates and Patches

What is a vCenter Server Update and how does It differ from a patch?

A vCenter Server Update is one that applies to the vCenter Server application. An update can include new features, bug fixes or updates for additional functionality. vCenter Server updates will have a dedicated set of release notes and will be hosted on the my.vmware.com download portal.

A vCenter Server patch is more much streamlined as these are associated with operating system and security level updates. There are no application related changes, and these can target Photon OS, the Postgres DB, Java versions and any other supporting Linux libraries on the vCenter Server Appliance.

A vCenter Server patch also has no dedicated release notes as these are part of the rolled up VMware vCenter Server Appliance Photon OS Security Patches. Patches are also not stored on the my.vmware.com download portal but on the alternate VMware Patch Portal. It is also very important to note as listed in the release notes, these should not be used for any deployment or upgrade. The only reason the vCenter Server ISO’s are hosted on the VMware Patch Portal is to be used to restore your vCenter Server Appliance if using the built-in File-Based Backup. Patches can also only be applied within one and the same update release. So for example if you are currently on 6.7 Update 1 you would not be able to patch directly to 6.7 Update 2b , you would first update to 6.7 Update  2a and then patch to 6.7 Update 2b.

Now that we have explained the differences between a vCenter Server update and patch we can review the differences between an upgrade and migration.

vCenter Server Upgrades and Migrations

In its simplest form a vCenter Server Upgrade is defined as doing a major version change between vCenter Server Appliance versions. If you are running the vCenter Server Appliance 6.5  in your environment and move to vCenter Server Appliance 6.7 this would be considered an upgrade.

A vCenter Server migration is defined as doing a major version change between vCenter Server for Windows and the vCenter Server Appliance. If you are running vCenter Server for Windows 6.5 and move to the vCenter Server Appliance 6.7 this would be considered a migration. It is not supported to do a migration between the same major version as it consists of both a change of platform and an upgrade together.

In vSphere 6.5 and 6.7 an upgrade or migration of the vCenter Server is not completed in place. During the upgrade process a brand new appliance of the newer version is deployed, and based on the settings defined the data is exported from the old version and imported into the new one retaining the same FQDN, IP, Certs and UUIDs.

A back-in-time upgrade restriction is when you are unable to upgrade from one 6.5 release to another 6.7 release. For example, Upgrade from vSphere 6.5 Update 2d to vSphere 6.7 Update 1 is not supported due to the back-in-time nature of vSphere 6.7 Update 1. vSphere 6.5 Update 2d contains code and security fixes that are not in vSphere 6.7 Update 1 and might cause regression. When performing vCenter Server upgrades and migrations it’s also very important to pay attention to unsupported upgrade paths which are normally restricted due to being a back-in-time upgrade. It is also important to note that just because two releases might have the same release date, does not mean that they will be compatible. The best resource to review supported upgrade paths will be in the vCenter Server Release Notes section titled Upgrade Notes for this Release.

Resource Wrap-Up

 Conclusion

Versioning of a complex product can be difficult, but hopefully you now have a better understanding of what these numbers mean. If you have any questions feel free to post a comment below or check out any of the resources linked.


This article was provided by our service partner : Vmware

EternalBlue reaching new heights since WannaCryptor outbreak

Attack attempts involving the exploit are in hundreds of thousands daily

It has been two years since EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor (or WannaCry). Since the now-infamous malware incident, attempts to use the exploit have only been growing in prevalence. Currently it is at the peak of its popularity, with users bombarded with hundreds of thousands of attacks every day.

The EternalBlue exploit was allegedly stolen from the National Security Agency (NSA) in 2016 and leaked online on April 14, 2017 by a group known as Shadow Brokers. The exploit targets a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, via port 445. The flaw had been privately disclosed to and patched by Microsoft even before the WannaCryptor outbreak in 2017; yet, despite all efforts, vulnerable systems are widespread even to this day.

According to data from Shodan, there are currently almost a million machines in the wild using the obsolete SMB v1 protocol, exposing the port to the public internet. Most of these devices are in the United States, followed by Japan and the Russian Federation.

Poor security practices and lack of patching are likely reasons why malicious use of the EternalBlue exploit has been growing continuously since the beginning of 2017, when it was leaked online.

Based on ESET telemetry, attack attempts involving EternalBlue are reaching historical peaks, with hundreds of thousands of instances being blocked every day, as seen in Figure 1.

A similar trend can be observed by looking at the number of unique ESET clients reporting thousands of attempts to use the exploit daily, as seen in Figure 2.


Besides malicious use, EternalBlue numbers might also be growing due to its use for internal security purposes. As one of the most prevalent malicious tools, this exploit can be used by company security departments as a means for vulnerability hunting within corporate networks.

EternalBlue has enabled many high-profile cyberattacks. Apart from WannaCryptor, it also powered the destructive Diskcoder.C (aka Petya, NotPetya and ExPetya) campaign and the BadRabbit ransomware campaign in 2017. Well-known cyberespionage actors such as Sednit (aka APT28, Fancy Bear and Sofacy) were also caught using it against hotel Wi-Fi networks.

EternalBlue was also recently seen spreading Trojans and cryptomining malware in China – a return to what the vulnerability was first seen used for, even before the WannaCryptor outbreak – and was advertised by the black hats as the spreading mechanism for a new Ransomware-as-a-Service Yatron.

This exploit and all the cyberattacks it enabled so far highlight the importance of timely patching. Moreover, it emphasizes the need for a reliable and multi-layered security solution that can do more than just stop the malicious payload, such as protect against the underlying mechanism.


This article was provided by our service partner : eset

Vulnerability Management

6 Fundamental Best Practices of Vulnerability Management

Any security leader must be able to provide a standard for due care and help to build a comprehensive security program that is good for the entire business. This is no easy feat. With increased threats and security breaches becoming more sophisticated and pressured to be compliant, it comes as no surprise that security is today’s top buzzword. With all the security buzz on the minds of business leaders, we see an increase in demand for security initiatives. However, as leaders at small to medium-sized businesses look to their in-house staff to implement, they are discovering a lack of skills and resources to build the proper IT infrastructure to keep them secure. With the ease and greater benefits of outsourcing today, it’s creating more opportunities for their trusted managed service provider (MSP) to fill the demand with an as-a-service offering. It’s no surprise that managed security is growing at the highest rate of all Technology-as-a-Service, at a compound annual growth rate of 17%.

Often, we hear that MSP clients assume security is included as part of the standard of services already provided to them. We have also uncovered through interviews that organizations and MSPs alike often have a hard time getting their users to adopt better security practices, even simple ones to implement, like multi-factor authentication and password policies. One thing they all have in common, however, is that they want to be better at security.

Let’s start by stating that achieving ‘better security’ is all about the layers of security that can be established to protect the organization, its users, and most of all, its data. We also conclude that there is no ‘security bliss’ where all levels have been laid, and there is no longer any risk.

Security can best be established as a framework for users and the data they share. When we break down security into manageable layers, we can create the following categories. Each category has its own standards and processes to be documented and carried out by a security leader or a team of security leaders.

  • Governance
  • Policy Management
  • Awareness & Education
  • Identity & Access Management
  • Vulnerability Management

Each topic can be quite involved, so our focus for this article will be vulnerability management, as it becomes the foundational layer of the organization’s threat defense strategy.

Most MSPs are already offering services for managing vulnerabilities through patching operating systems and third-party products. Vulnerability management is just one part of the security process in identifying, assessing, and resolving security weaknesses in the organization. Often there is a focus on the technical infrastructure, like updating endpoints, managing components of a network, or the configuration of firewalls.

Let’s take a closer look at the process and practice of vulnerability management in these six steps:

  1. Policy — Your first step should include defining the desired state for device configurations. This also includes understanding the users and their minimum access to data sources in the organization. This policy discovery process should consider any compliance measures like PCI, HIPPA, or GDPR that may exist. Document your policy and your users’ access.
  2. Standardize — Next, standardize devices and operating environments to identify any existing vulnerabilities properly and to meet compliance needs noted during the policy discovery process. When you standardize all your devices, you also streamline the remediation process. If users are all operating on the same type of hardware/software setup, steps three through six have the propensity to be more effective and make the process more efficient.
  3. Prioritize — During remediation of a threat, any activities conducted must be properly prioritized based on the threat itself, the organization’s internal security posture, and how important the data residing on the asset is. Having a full understanding of your assets and the roles they play in the organization will play a critical role when prioritizing active threats. Document and classify your assets so you can easily prioritize when there is a threat.
  4. Quarantine — Have a plan in place to circumvent or shield the asset from being a bigger threat to the organization once compromised.
  5. Mitigate — Identify root cause and close the security vulnerability.
  6. Maintain — It is important to continually monitor the environment for anomalies or changes to policy, patch for known threats, and use antivirus and malware tools to help identify new vulnerabilities.

Vulnerability management is an essential operational function that requires coordination and cooperation with the business as a whole. Having the entire business buy into better security is paramount to the success of the program. The team must also have a set of supporting tools with underlying technologies that enable the security team’s success. Operational functions include vulnerability scanning, penetration testing, incident response, and orchestration. Remedial action can take many different forms: Application of an operating system patch, a network configuration change, a change to a custom-built application, a simple change in process, awareness and education for users who consume and share organizational data. Tools can range from RMM to SEIM, to simple antivirus/malware and backup toolsets.

At ConnectWise, we aim to promote security consciousness in everyday IT practices and help our partners elevate their value by offering Security-as-a-Service. With ConnectWise Automate®, you can perform multiple vulnerability management functions such as identification and management of assets, utilize the computer management screen to help quarantine and mitigate vulnerabilities, and patch Windows® operating systems, as well as third-party applications on a mass scale. You can also utilize monitoring and patching policies within ConnectWise Automate and bring automation to your vulnerability management process. Incorporate auto-approval and installation of critical and security updates once they are released from Microsoft®. When you implement automation into the workflow, you help to reduce human error and save valuable time.


This article was provided by our service partner : connectwise.com

Social Media Malware is Deviant, Destructive

We’ve seen some tricky techniques used by cybercriminals to distribute malware through social media. One common threat begins with a previously compromised Facebook account sending deceptive messages that contain SVG image attachments via Facebook Messenger. (The SVG extention is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.)

Cybercriminals prefer this XML-based image as it allows dynamic content. This enables the criminals to add malicious JavaScript code right inside the photo itself—in this case, linking to an external site. Users who click on the image find themselves on a website posing as YouTube that pushes a popup to install a browser extension or add-on or to view a video. There are plenty of red flags here like the URL clearly not being YouTube.com, as well as the fact that YouTube does not require any extensions to view videos.

 

Facebook messenger spreading an SVG image containing a harmful script

 

An example of a fake YouTube page with malicious browser extension popup

Worm-like propagation

If a you were to install this extension, it will take advantage of your browser access to your Facebook account to secretly mass-message your friends with the same SVG image file—like a worm, this is how it spreads. Victims don’t need to have very many friends for this tactic to be successful at propagating. For instance, if you have over 100 friends, then you only need less than 1% of your friends to fall for this for the scam for it to continue to propagate.

To make matters worse, the extension also downloads Nemucod, a generic malware downloader generally used to download and install a variety of other threats. Usually the go-to threat is ransomware given it’s proven business model for criminals.

Social media managers at risk

Those who manage social media accounts on behalf of businesses are particularly at risk of advanced malware and other cyberattacks. Earlier this spring, a new Windows trojan dubbed Stresspaint was found hidden inside a fake stress-relief app and likely spread through email and Facebook spam campaigns to infect 35,000 users, according to researchers at Radware who discovered the malware.

Stresspaint was rather deviant in the way it stole Facebook account credentials and logged into accounts looking specifically for data such as “each user’s number of friends, whether the account manages a Facebook Page or not, and if the account has a payment method saved in its settings,” according to Bleeping Computer.

Allowing cybercriminals to gain control of brand social media accounts can carry grave consequences such as reputation damage, loss of confidential information, and deeper access into an organization’s network. Last year, HBO was humiliated on their social profiles when the notorious hacker group OurMine breached several the network’s accounts and posted messages before the company finally regained control of their logins.

Crypto users targeted

Following the recent trend in malware, sophisticated variants of existing strains are now aimed at cryptocurrency users. A malicious Google Chrome extension called FacexWorm, which spreads through Facebook Messenger, was found to have morphed with a new ability to hijack cryptocurrency transactions made on a host of popular online exchanges, according to Coindesk. This further underlines the importance of exercising caution with the information you share on social media to avoid being a target, particularly if you are a user of cryptocurrency.

Cryptocurrency scams are another common threat that spreads throughout social media. Twitter is particularly notorious an outbreak of crypto scam bots that pose as high-profile tech leaders and industry influencers. Learn more about this type scam in my previous post.

Don’t let your guard down

Given the nature of social networks, many are likely to consider themselves to be in the company of friends on sites like Facebook, Instagram and Twitter. However, this assumption can be dangerous when you begin to trust links on social sites more than you would in your email inbox or other websites. For instance, a simple bot-spam message on Twitter was able to grant a hacker access to a Pentagon official’s computer, according to a New York Times report published last year.

It’s wise to be wary of clicking on all links, even those sent by friends, family or professional connections, as compromised social media accounts are often used to spread scams, phishing, and other types of cyberattacks. After all, just one wrong click can lead to an avalanche of cyber woes, such as identity theft, data loss, and damaged devices.


This article was provided by our service partner : webroot.com