Security Advisory Archives

Microsoft Patch Tuesday – March 19

The second Tuesday of the month is here, which means it's time for more monthly security updates from Microsoft. A total of 64 vulnerabilities have been addressed this month, of which 17 are rated Critical, 45 Important, 1 Medium and 1 Low.

These updates cover releases for Windows operating systems, the Edge and Internet Explorer browsers, Office, SharePoint, DHCP, Team Foundation Server, Skype for Business and of course the ChakraCore scripting engine.

Microsoft's Edge browser updates resolve 7 Critical CVEs related to memory corruption vulns in the scripting engine. These are a regular feature of Patch Tuesday and are caused by the way objects are handled in memory.

By exploiting these vulns, an attacker could execute code as the currently logged-in user and, if that user was logged in with admin rights, take control of the target system. The attacker would then be able to install programs, as well as steal, change or delete data.

The Windows DHCP client has three associated Critical CVEs (CVE-2019-0697, CVE-2019-0698 & CVE-2019-0726) that cover remote code execution vulns. An attacker could exploit a memory corruption flaw by sending specially crafted DHCP responses to the client. The updates released correct the behaviour of the DHCP client and how it handles certain responses.

Updates for Internet Explorer's VBScript engine cover more remote code execution CVEs (CVE-2019-0666 & CVE-2019-0667). Due to weaknesses in how the VBScript engine handles objects in memory, an attacker could trick a user into accessing a specially crafted web page, which would allow them to execute code with the rights of the current user. If this user has admin privileges, the attacker could take control of the exploited system.

CVE-2019-0592 highlights another Critical RCE vuln, this time in the Chakra scripting engine, affecting both ChakraCore and the MS Edge browser. In what is a common theme this month, the flaw is triggered through improper handling of objects in memory when a user is tricked into visiting a malicious website.

Please review this month's updates and get patching as soon as you can!

Keeping up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture. Please ensure you test and update as quickly as possible to reduce risk, prevent exploitation and ultimately stay secure.

For a full list of this month's updates please see the links below:

Patch Tuesday release notes: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/ac45e477-1019-e911-a98b-000d3a33a34d

Security update guide: https://portal.msrc.microsoft.com/en-us/security-guidance

By Stuart Hare on 12/3/19

Cyber Round-up

Cyber Round-up for 8th March

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

  • Marriott Breach has Cost $28m to Date
  • What Do You Mean No More Passwords?
  • Cyber-attacks Expected to Undermine Western Elections
  • Do You Know Your Cyber Terms?
  • What Would You Do if You Suffered a Breach?

Marriott Breach has Cost $28m to Date

In their quarterly earnings call last week, Marriott reported a total net income of $2.2 billion for 2018, but during the call also disclosed that the huge data breach that occurred in late 2018 has so far cost them a whopping $28 million.

Of this $28 million, $25 million is understood to have been covered by their insurance.

The data breach that hit the news in November 2018 was originally reported as compromising the personal details of 500 million customers, and was the result of malicious actors having access to the Starwood chain's network for more than four years.

The ongoing investigation found that the real figure was approximately 383 million, but this still stands as one of the largest single data breaches to date.

According to Marriott, the investigation into the security incident has now completed; they believe that the impact to the company has been limited and that customer loyalty does not appear to have been affected. Lucky Marriott, others have not been so fortunate.

According to this post by SecurityWeek, some believe that the attack was the work of state-sponsored actors working for the Chinese government, and that the goal was less likely to be financial gain and more targeted at espionage.

Read more on SecurityWeek ….

What Do You Mean No More Passwords?

In an effort to rid the world of the dreaded password dilemma, the World Wide Web Consortium (W3C) has this week approved the new Web Authentication API standard (called WebAuthn), which will allow users to log in to websites without the need for a password.

WebAuthn will enable strong authentication for web applications through the use of public-key crypto-based credentials, which will effectively remove the need for passwords.

This new API is already supported in common operating systems and browsers such as Windows 10, Android, MS Edge, Firefox and Chrome.

Read more ….

Cyber-attacks Expected to Undermine Western Elections

In his speech earlier today, Jeremy Hunt, the UK Foreign Secretary, warned that Western democratic elections are an easy target for foreign regimes, and that trust in the democratic process has been undermined.

Although he said that there was no current evidence of any interference in UK elections to date, he is calling for economic and diplomatic sanctions to be enforced in response to any such attacks.

Mr Hunt said:

"At a minimum, trust in the democratic process is seriously undermined.

But in a worst-case scenario, elections could become tainted exercises, robbing the governments they produce of legitimacy.

The greatest risk of all is that a hostile state might succeed in casting a permanent cloud of doubt over an entire democratic system."

Although not proven, China, Russia, Iran and North Korea are all thought to have been involved with state-sponsored cyberattacks in recent times. Numerous attacks have been blamed on North Korean state hacking groups, including the WannaCry ransomware attack and the launch of the destructive 'Olympic Destroyer' malware, which came close to bringing down the opening ceremony of the 2018 Winter Olympics held in South Korea.

Russian groups, on the other hand, have been blamed for a number of high-profile attacks against Ukraine (the Nyetya destructive ransomware attack) and of course the 2016 US Presidential elections.

Mr Hunt believes that nations involved in such attacks should be 'named and shamed' and that they should pay a heavy price, including prosecution, for any interference.

What is clear is that governments that use online ballot services to cast electoral votes need to be doing more to protect these systems, and to ensure that security is at the forefront during their development and operation.

Read more on BBC News ….

Do You Know Your Cyber Terms?

Cyber Security is a complex place to live in. It is an ever-evolving landscape of challenges that changes on a daily basis and is difficult even for the seasoned professional to keep up with.

Just keeping up with and understanding the acronyms and terms associated with Cyber can be daunting.

With this in mind, we have put together a Cyber Glossary that provides an A to Z list of the common terms you might come across in your security travels. Each term comes with a brief and simple explanation to help you with your understanding.

We post periodic updates to the glossary, so you can always check in later for new additions.

Happy reading!

Read the Cyber Glossary here ….

What Would You Do if You Suffered a Breach?

Data and network breaches are becoming commonplace, making regular appearances in our everyday news. These days no one is exempt from being a target, as everyone has valuable data that can be used or sold by cybercriminals.

Ask yourself, do you think you are doing enough to protect your systems, users and data? And if you were breached, would you know what action to take?

If the answer is No to either of these, why not attend the webinar 'You have been breached. Now what?' and find out how Cisco Umbrella and Cisco AMP for Endpoints can help you not only build strong defensive layers against cyber threats, but also respond quickly in the event of a breach.

Sign-up using the link below.

Register for the Webinar here ….

And that's it for this week, please don't forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #32 – 8th March 2019

By Stuart Hare on 8/3/19

Products and Services

Can Umbrella block access to non-work websites?

How can I prevent my employees from accessing social media and other non-work-related websites on their company PC or laptop?

All companies expect employees to work during business hours, and although it needs careful consideration and internal management, Cisco Umbrella can be used to block employee access to non-work-related websites, such as social networking, gambling, gaming and pornography, which are key factors in time wasting and lack of business productivity.

The great thing about Umbrella is that it works both on and off your network, so if an employee takes a laptop home, or away on a work trip, you can still take advantage of these controls. It has a lot of flexibility around how it goes about monitoring and blocking access.

If you'd prefer to just monitor and know what sites people are accessing, then that is also an option, but keep in mind that Umbrella also protects your computers from cyber attacks, which often originate from these particular non-work-related websites.

Umbrella is fully flexible and can be adopted in different ways, with policies for different locations, using pre-defined content categories and an unlimited number of custom block or allow lists. Devices can be assigned policies with different internet access restrictions and logging settings based on whether they're on or off your network. When an employee visits a website that you've deemed non-work related, Umbrella informs the end user of the policy with a branded and fully customisable block page.

Benefits

Category-based filtering

Umbrella has 60+ content categories that cover millions of domains (and billions of web pages), giving you control over which sites can be accessed by users on your network as well as by roaming users. If you take up the Ironshare managed service we will discuss these categories with you and implement and manage them to your own business preference. Alternatively, there is a cloud-delivered administration console to enable you to set up, manage and test different acceptable use policies per network, group, user, device or IP address. This wide range gives you greater control of your organisation's internet usage. You even have the flexibility to set up different policies depending on whether devices are on or off the corporate network.

Compliance

Umbrella enables you to customise category-based filtering to meet each network's specific needs, particularly to help you meet compliance requirements. Exceptions can be created to allow or block specific domains, regardless of whether a domain is in a category that is allowed or blocked. The 60+ content categories empower you to enforce acceptable web use to comply with internal policies or external regulations. Cisco are also members of the Internet Watch Foundation (IWF), enabling you to block the IWF list of child sexual abuse sites.

Allow or block specific domains

When category-based blocking is not granular enough, Umbrella allows for the creation of allow and block lists for specific domains. Whitelisting a domain (allow) ensures that your users can always access a particular site, even if it is in a category that is being blocked. Blacklists (block) operate in the opposite fashion, ensuring that a site on the blacklist is never accessible to your users. You can have unlimited entries in your whitelist and blacklist to accommodate your specific business needs.

Block page bypass option

The Umbrella block page bypass option lets you grant special permission to circumvent filtering settings without the use of any software or appliance. This feature enables you to assign individual users, such as your marketing managers, the ability to access specific filtering categories, such as social networking, or individual domains that are normally blocked on your network. Bypass privileges can be granted persistently on a per-user basis or through use of a bypass code, which grants access for timeframes ranging from one hour to 10 years.

Whitelist-only feature

The whitelist-only feature in Umbrella is best used for networks where internet access should be restricted to specific domains. This allows for a "locked-down" and controlled internet environment.

Purchasing Options

Option 1 – Ironshare supply you with the licensed product

Maybe you're quite familiar with Cisco Umbrella and you want to handle the ongoing management of it internally. As Cisco partners we can provide any of the Umbrella packages as a licensed product; you can then install it within your environment and manage employee access to websites, along with all the other wider day-to-day analysis and periodic reporting.

Option 2 – The Ironshare Managed Service

Ironshare offer a fully managed service, so we can take the strain away from your team, feeding back detailed information to make their life easier. It's more of a collaborative service, but it lets your staff focus on their normal daily jobs without having to adopt and learn new products. We would implement and manage category-based filtering, tackle compliance concerns, and allow, block or whitelist specific domains as you request.

Conclusion

Cisco Umbrella is a very simple yet very powerful cloud-based platform that can be remotely deployed (within a day in some instances, depending on the complexity of your network). Once it's in operation, it provides immediate predictive security, both on and off your network, as well as content filtering and block lists to give better control over user activity, and much more.

Ironshare provide a fully managed service, meaning that all you need to do is tell us what you want, and when. We'll tailor the service to deliver content filtering, blocking and whitelisting as requested.

Our service is relevant to companies of all shapes and sizes, meaning that even the smallest businesses can get a full enterprise service, using Umbrella to tackle employee activity concerns.

If you'd like to get detailed pricing for Umbrella, please click here to Contact Us.

By Stuart Hare on 7/3/19

News

What Do You Mean No More Passwords?

In an effort to rid the world of the dreaded password dilemma, the World Wide Web Consortium (W3C) has this week approved the new Web Authentication API standard (called WebAuthn), which will allow users to log in to websites without the need for a password.

WebAuthn will enable strong authentication for web applications through the use of public-key crypto-based credentials, which will effectively remove the need for passwords.

This new API is already supported in common operating systems and browsers such as Windows 10, Android, MS Edge, Firefox and Chrome.

Passwords have long been thought of as the vulnerable element in user authentication and account security, with over 80% of today's data breaches being caused by weak or bad password practices.

The new API relies on 3 core components: a participating website, a supported web browser and an authenticator. The authenticator will be in the form of a Fast IDentity Online 2 (FIDO2) compliant device, i.e. a smartphone, biometric device or USB crypto key, such as the YubiKey.

This not only increases security by providing unique login credentials for each and every site, but also eliminates user tracking, which increases privacy.

At a high level it works like this: the website informs the web browser of its intention to authenticate; the web browser communicates with the authenticator, which verifies the user via a PIN code or biometric reader (fingerprint or camera facial recognition); the authentication response is then passed back to the browser and on to the website, which grants the user access.

In the press release, Jeff Jaffe, CEO of W3C, stated:

“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences. W3C's Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”

The likes of Microsoft and Dropbox have already started to integrate WebAuthn into their products, so it's over to other vendors and websites to follow suit and integrate the new standard.

This doesn't quite hail the death of the password, but it does move us in the right direction and closer to a life that involves 'No More Passwords'.

By Stuart Hare on 7/3/19

Products and Services

Cisco Umbrella - Simplified!

All about Cisco Umbrella in simple terms

Umbrella is a product offered by Cisco, who are the worldwide leaders in networking for the Internet. The product itself makes companies a lot more secure, as it prevents access to known bad websites, which can often cause virus infections or, even worse, leak your data to others.

Umbrella started life as a product called 'OpenDNS', which has been on the market since 2006. OpenDNS was aimed at both home and business users, with a goal to provide faster and safer internet browsing for everyone. Cisco bought OpenDNS in 2015 and rebranded it as 'Umbrella'.

How does Cisco Umbrella work?

Well, let's start by talking about the Internet. Every website we visit has a reference number associated with it, called the server IP address. That IP address is unique, just like a phone number is unique to every contact in our phone.

Most of the time when we make calls, we don't usually bother remembering a phone number; we just press a person's name on the screen and our address book converts the name into a phone number and dials it. Cisco Umbrella acts in much the same way. When people type 'www.' addresses into their internet browser, it converts the website name that has been typed into a unique server IP address, and directs us to the website we wanted. This website name to IP address conversion process is part of Cisco Umbrella's Domain Name System service (or DNS for short).

But Umbrella doesn't stop there. You know how every place in the world has good neighbourhoods and bad neighbourhoods? Well, the same can be said of the internet: it has good websites and bad websites. These bad websites are often referred to as 'malicious' websites, because they are aiming to harm you or your company in some way. They can be used to steal or delete personal information, or even extort money by secretly installing something called 'ransomware' on computers.

Cisco Umbrella not only directs us to the good websites that we want to access, it also studies the internet and keeps a record of all the websites that are known to be safe, and those that are malicious (or closely associated with malicious websites). It only lets us access the websites it knows to be good.

Back in 2016, AV-TEST (The independent IT-Security Institute) analysed millions of websites widely distributed on Google and other search engines, and concluded that there were 29,632 infected web pages being delivered in search results (up from 18,280 in 2015). This number continues to grow. Cisco Umbrella automatically blocks access to these sites and stops the threat at source, before you even connect.

Can it do anything else?

Cisco Umbrella is an incredibly simple but very powerful service. Not only does it provide users with a very strong layer of protection from the bad/malicious websites that are out there, it can also help business leaders understand what sites employees are accessing, and gives them the ability to decide which ones should or should not be accessed in the workplace. This is sometimes referred to as content filtering, and you can read more about it here.

Where do Ironshare fit in?

Ironshare can help you to get up and running with Cisco Umbrella within days. We not only provide and install the Umbrella service, we can also manage the day-to-day running and reporting, leaving your teams to get on with their usual day job.

Our aim is to provide Security, Simplified. That means we can communicate in a non-technical manner (or technical if you prefer) and just give you the information you want.

Step 1 – Simple Pricing

Ironshare are registered Cisco partners and operate in a completely transparent manner. Unlike other providers we make no secret of our pricing, and you can simply click here to get an accurate price estimate in less than 60 seconds. No nonsense – simple!

Step 2 – Simple Installation

Umbrella requires no on-site hardware and can be installed very quickly, providing security coverage to all the devices connected to your network in just minutes. This means that you can immediately start to protect your users from malicious websites. If your people are using phones, laptops and other mobile devices to connect to your network and browse the internet, then regardless of where they are, in the office, on the road, in a café or at home, protection will be in place immediately.

Our technical team would need to speak with one of your networking personnel, but enabling the initial product is straightforward. There might be other factors to consider for wider deployment, depending on how your network is arranged, but none will be complicated and even the largest of companies can have this deployed very quickly. We will guide you through the entire process. No hidden costs – simple!

Step 3 – Simple Management

Although Umbrella has a great management interface, it does take time to get up to speed with the internal workings of the product, so managing this yourself would require some dedicated resource to first learn, and then maintain and get the best out of, Cisco Umbrella. Our experienced team at Ironshare have worked with the product for years, and have in fact been engaged with Cisco to drive continuous improvements to the overall functionality.

One of the first steps we would cover is to talk to you about what you want to achieve. After the initial setup we will deliver a managed service that ensures your users are protected, and also work with you to tailor any content filtering restrictions you might want to put in place. In addition, we'll provide you with a monthly report that summarises all of the interesting facts and figures, and we'll also give you recommendations on internal actions you might need to take. A good example of this might be if we see a particular PC is repeatedly trying to contact a malicious website: it's probably got a virus. In this scenario, Umbrella would be protecting the user in question, but it would be important to take some action to clean up and remove the virus.

Ironshare are a small, niche security consultancy focused on delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.

Ironshare – Security, Simplified

If you have any questions, please Contact Us here.

By Stuart Hare on 6/3/19

Case Studies

Case Study: Global Distribution Business

Overview

Deployment that secures Internet Access for over 5,000 employees, internal networks and guest Wi-Fi across 31 countries

Challenge:

Bolster security against ransomware and other Internet threats with no impact to global network performance.

Solution:

Cisco Umbrella

Impact:

  • Significant decrease in exposure to ransomware and other forms of advanced malware
  • Streamlined security management
  • Improved Internet performance

THE CHALLENGE

The company was experiencing unprecedented expansion, with employees in global locations using more and more mobile devices and cloud services. New security vulnerabilities were becoming evident and the company saw a spike in a variety of malicious activities, including ransomware.

THE SOLUTION

After considering several on-premises options, the company decided that the way to solve this problem was Cisco Umbrella, and it was deployed and protecting the global network within six weeks.

THE RESULTS

After Umbrella was put in place, the company drastically reduced their exposure to ransomware, and since deploying have not been a victim of ransomware as a result of clicking a malicious link. They see tens of thousands of blocks per week due to security policy, not counting blocks based on category policies.

By deploying Umbrella they have covered a great risk in the web attack vector of ransomware, and greatly improved their user experience in regards to Internet connectivity. They've even identified numerous phishing attempts, and thanks to Umbrella the sites were not accessible, leaving the attacks unsuccessful.

Additional benefits were also realised: by correlating the data that comes out of the Umbrella dashboard with their internal systems, they've discovered infected machines that were previously undetected by their existing security products.

With their security stack now able to block threats at the DNS layer, they are looking to keep reinforcing the network with proactive security management. While Umbrella is very capable of blocking sites based on category policies, it's most effective as a security tool, and with that as a focus it's a critical component of any defence-in-depth strategy.

Cisco Umbrella Investigate has become a key investigation and analysis tool for the Security team, adding enhanced levels of visibility into potential threats, while significantly reducing the time to collate and analyse threat data. Additional Cisco tools from within the portfolio like AMP for Endpoints, Stealthwatch and Cloudlock will only continue to bolster that strategy.

By Stuart Hare on 3/3/19

Cyber Round-up

Cyber Round-up for 1st March

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

  • How Password Guidelines Have Changed
  • Mayflex Targeted in Financial Fraud Attack
  • Coinhive to Close its Doors in March ‘19
  • Critical Flaw in Cisco Small Office Router – Update Now!
  • Magecart Groups are Raising Their Game

How Password Guidelines Have Changed

Over the past few years, we have seen a shift in how we should be approaching Password Security, and with the death of the password still years away, we must focus on educating users with good practice guidance, while delivering technical controls that simplify the whole process for our users.

The Challenge

Overall the industry felt that, with the average business user now having close to 200 passwords, there was a real need to look at simplifying both the guidance provided and how we enforce the use of passwords.

Barely a few days go by where we are not hearing about the latest high-profile data breach, and unfortunately a large portion of these events are caused by bad password security.

In the past we have tried to tackle this problem purely from a technical standpoint, and by implementing increasingly complex restrictions, we techies have made life more difficult for our users and ourselves.

Combining these password complexities with an ever-increasing number of online services that need an account has led to users trying to simplify things themselves. Users have resorted to bad practice such as writing passwords down, using weaker, more memorable passwords, and reusing the same passwords for multiple accounts.

The guidance provided here is not meant to be the silver bullet that solves all your password problems, but through continued education and practice, we can make significant improvements and reduce the risk to our business and personal accounts.

Read more ….

Mayflex Targeted in Financial Fraud Attack

Mayflex, a West Midlands based leading supplier of converged IP solutions including infrastructure, networking and electronic security, have been notifying their customers this week, after receiving reports that several customers had been contacted with a request to change the bank details used for making payments to Mayflex.

An initial email titled 'Bank Email Security' was sent out by Mayflex on the 26th February, warning of fraudulent phone calls that had been received by a number of customers, asking them to change the Mayflex bank account details they had on record.

In their notification email, Mayflex stated:

“We have recently been notified of some fraudulent activity and we would like to take this opportunity to encourage you to be vigilant about the communications you receive from Mayflex.”

Mayflex have advised customers to ignore any such calls and, if in doubt, to refer to the bank account details contained in their invoice.

Read more ….

Coinhive to Close its Doors in March ‘19

The notorious Monero crypto-miner Coinhive is shutting down all its operational services on the 8th March 2019.

Coinhive is a browser-based cryptocurrency miner which has achieved infamy due to being regularly abused by malicious actors. The miner's code can be easily installed on websites, where it can use all or a portion of a device's compute resources to mine for crypto coin, for as long as a user is browsing the site.

Cybercriminals have taken advantage of Coinhive's ease of use by hacking websites and installing the small piece of JavaScript, which, when left in place, continues to mine Monero coin and adds it to the criminals' accounts. This malicious practice became known as 'cryptojacking' or 'drive-by mining'.

Coinhive have blamed the shutdown on a huge depreciation in market value, which has hit them hard and resulted in a reduction in both mining traffic and profits.

Read more on ZDNet ….

Critical Flaw in Cisco Small Office Router – Update Now!

Cisco have released a security advisory for the Small Office Home Office RV router range, after a critical vulnerability was discovered in the routers' web management interface.

This vuln has received a CVSS rating of 9.8 (10 being the highest level of criticality) and is due to improper validation of the data a user enters on the web management interface.

An attacker that succeeds in exploiting this flaw can gain higher level privileges (e.g. admin / root) that allow them to execute code on the underlying operating system of the device.

The following devices in the range are impacted by this flaw:

  • RV110W Wireless-N VPN Firewall
  • RV130W Wireless-N Multifunction VPN Router
  • RV215W Wireless-N VPN Router

Cisco have provided updates to address this vuln, which are available via the Software Center on Cisco.com, and as there are no known workarounds it is advised to update your devices as soon as you can.

Vulnerabilities such as these give us further evidence of why web management interfaces for your network devices should not be reachable from the internet.

Always ensure that you only manage your devices from a trusted machine on the internal network, and of course keep your devices updated with the latest software from the vendor.

For further information on this vuln please see the link below.

Read more on Cisco.com ….

Magecart Groups Are Raising Their Game

Cybercrime groups continue to fill their pockets and steal personal information of unsuspecting users, through the use of Magecart, a malicious piece of code used to skim personal info and credit card details from infected websites.

Magecart has been in use for a while now, but really gained notoriety in mid-2018, with numerous large high-profile breaches such as Ticketmaster, British Airways and NewEgg.

What makes Magecart special is that the hackers do not need to compromise the site or infrastructure. By simply adding small lines of skimming code into existing JavaScript, or scripts that are called from a third-party site, user data can be captured and sent to the attackers for criminal gain.

RiskIQ, a cyber-security company that follows and classifies Magecart groups, has issued a report that shows the activity of a certain group they call ‘Group 4’ and how they have had to advance and evolve their operation to a professional level, in order to stay under the radar.

Group 4 are now using a consolidated infrastructure of domains and IP addresses, condensed code, stealth techniques to hide code in known safe libraries and constant updates that include testing to ensure code is operating as required.

Read more on Bleeping Computer ….

And that’s it for this week, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Ironshare – Security Simplified

Edition #31 – 1st March 2019

By Stuart Hare on 1/3/19

News

Mayflex Targeted in Financial Fraud Attack

Mayflex, a West Midlands based leading supplier of converged IP solutions including infrastructure, networking and electronic security, have been notifying their customers this week, after receiving reports that several customers had been contacted with a request to change the bank details used for making payments to Mayflex.

An initial email titled ‘Bank Email Security’ was sent out by Mayflex on the 26th February, warning of fraudulent phone calls that had been received by a number of customers, asking them to change the Mayflex Bank account details they had on record.

In their notification email, Mayflex stated:

“We have recently been notified of some fraudulent activity and we would like to take this opportunity to encourage you to be vigilant about the communications you receive from Mayflex.”

Mayflex have advised to ignore any such calls and if in doubt, customers should refer to the bank account details contained in their invoice.

This type of Social Engineering attack is similar to a Business Email Compromise, where the bad guys try to take advantage of the weak human factor, convincing them to carry out financial actions that result in legitimate payments being processed and sent to the bad guys.

In a follow-up to their original email, Mayflex today (28th Feb) have issued a second email to customers, confirming the validity of the first notification as well as providing further information on the scam.

Further investigation into the incident has found that the fraudsters were not content with just using telephone calls to deliver their scam, but they also sent letters using snail mail to try and seal the deal.

Fake letters claiming to be sent from Andrew Percival (Director) and Margaret Butterfield (Finance Director), were received by several customers with the same goal of changing the Mayflex banking details.

“Yesterday, 27th February 2019, we have been informed that a number of customers have received Recorded Delivery letters, claiming to be sent from Andrew Percival and Margaret Butterfield of Mayflex, asking them in writing to update the bank details to which they make payments for Mayflex orders.”

“We would like to take this opportunity to inform you that this letter is not genuine, and our payment details have not changed.”

A copy of the latest email is below:

Mayflex Fraudulent Activity Reported 2

Mayflex have provided an annotated copy of one of these letters so that customers can easily identify what is real and what is fraudulent.

Mayflex fraudulent letter

The number of these types of scams continues to rise, and companies should remain vigilant, and proceed with caution when they receive requests to change banking details.

If you ever receive a request to change any banking details, it is always worth directly contacting a known representative within the company to confirm that the request is indeed a valid one.

If you are a Mayflex customer that has received a call or a letter to change banking details, then please get in touch with Mayflex on 0121 326 7557, if you need more information.

Any companies that may have fallen victim to this fraud, please inform your bank & Mayflex immediately, and also consider raising a case on the Action Fraud website. https://www.actionfraud.police.uk/

By Stuart Hare on 28/2/19

Case Studies

Case Study: Security Consulting - Professional Golf Club

A local golf club in the West Midlands engaged Ironshare to review their current IT setup and advise them on how to improve their security.

THE CHALLENGE

The IT infrastructure of the Golf Club serves approximately 15 employees, as well as the general membership and guests who attend the course through corporate golf days, society events, or formal business meetings.

Desktops, laptops and servers had become outdated and several concerns were raised by the management committee around the security of their systems and data. A lack of IT staff or IT service provider meant that regular maintenance and updates were not being carried out.

Members of the club staff were working remotely without basic security in place, increasing the risk to the business. Staff were generally unaware of malware and phishing scams, and the different ways they can penetrate an organisation.

THE SOLUTION

The client approached Ironshare about their concerns and we dispatched a Technical Security Consultant to undertake a full evaluation of their network. The analysis was compiled into a detailed report, which we presented to the club along with the proposed cyber security recommendations.

Ironshare immediately recommended that the club install numerous urgent security patches and address several significant gaps in their network infrastructure security. Several endpoints were found to have been infected and required remediation. A new solution was required to ensure such threats could be detected and contained in future.

Our Managed Security Service using Cisco Umbrella was proposed to protect the business from phishing, malware, and advanced threats. In addition, it was recommended that the club address their lack of IT support, to ensure that their systems are maintained and updated regularly.

THE RESULTS

Based on the success of the initial Security Consulting engagement, the golf club have signed up with Ironshare to provide a Managed IT and Security Service.

Following the installation of the Cisco Umbrella cloud-based security, combined with the Ironshare Managed Service for on-going support and management, the club have seen significant improvements in the security and availability of their business systems.

  • The Club’s management committee now have an increased level of confidence that security concerns can be addressed quickly and effectively.
  • They now have a local dependable business partner that they can rely on for support of their network, giving the users a better overall experience of the IT systems.
  • A full evaluation of the network to provide best practice advice on how to move forward.
  • Proactive support of their infrastructure – not just waiting for problems to occur.
  • Fundamental security awareness advice and guidance delivered in a simple way to make staff aware of online threats.
  • A partner that was focused on working together to identify the right solutions for the business challenges they faced, based on organisation size and who was sensitive to budget constraints.
  • On-going access to technical expertise about new solutions and business practices that the club could evaluate and implement in the future.
  • Pro-active account management with regular contact and meetings to constantly ensure the relationship continues to develop and flourish.

Please note that the identity of this client has been withheld to protect commercial confidence.

By Stuart Hare on 27/2/19

Case Studies

Case Study: Incident Response and Managed Service for a National Transport Company

Case Study: Incident Response and Managed Service

OVERVIEW

Ironshare were approached by the Managing Director of a National Transport Company to assist them with their IT Security, after they became victim of a Ransomware attack. They had previously experienced several minor disruptions through virus infection, so Ironshare were engaged to provide investigative assistance and recommend possible solutions to improve overall security and prevent further occurrences.

THE CHALLENGE

The transport company were in the process of recovering from the Ransomware attack, assisted by their IT provider. Although they had been performing backups of their systems and data, some online backups were encrypted during the attack, resulting in loss of data, although this was not deemed critical to business operation.

The company’s IT provider had only a basic understanding of Cyber Security best practices, and as can be typical with these types of attacks, the focus was incorrectly targeted at an email phishing compromise, involving a single host on the network.

The technical security controls in place were very limited, including only basic firewalls, and standard anti-virus protection. These controls were not configured or managed effectively leaving gaps in their ability to protect the organisation.

The Ransomware had encrypted files on the infected system, and its connected network shares, meaning that the data on a victim’s system was locked and unusable. With Ransomware, payment is demanded by the cybercriminals (via Bitcoin or other cryptocurrency) before they will release the encryption keys required to decrypt data. Once the keys are received, access to the data can be returned to the victim.

THE SOLUTION

The solution came in two parts, the initial Incident Response and a Managed Security Service.

The transport company called on our Cyber Security Incident Response service to analyse the current threat, assist with recovering from the attack and seek out the root cause of the compromise.

Our first step was to deploy Cisco Umbrella and Cisco AMP for Endpoints to perform initial analysis and determine whether there was any malicious activity on the network. This was followed by direct engagement with the IT provider, to gain an understanding of the company’s systems.

The analysis comprised a full sandbox analysis of the infected server, and included firewall, PC, and external service reviews. We also used the Cisco Threat Grid advanced sandboxing service to submit and analyse the malware samples and associated files that were found on the server.

Root cause was successfully identified as brute-forced credentials using management protocols accessible from the internet, giving the attacker access to an internal server. As a result of the analysis, external access from the Internet to the compromised server's public IP was disabled. In parallel the IT provider worked to restore service using offline backups of the server.

The following items highlight some of the key recommendations provided to close off the gaps in the existing infrastructure:

  • Harden firewalls so that all management protocols such as RDP and WinRM are not accessible from the internet.
  • Do not try to manually remove the infection; if possible, perform a complete restore from backup.
  • Ensure they implement a robust offline backup plan to restore all data in the event of compromise.
  • Implement an effective patch management process that regularly applies security updates to endpoints and infrastructure.

Through the incident response and analysis, the customer could see the benefits that Cisco AMP for Endpoints and Umbrella would provide as a more permanent prevention mechanism. Combining that with the lack of security knowledge and experience within existing staff members, Ironshare proposed a Managed Security Service, to manage their new Cisco products and general Cyber Security on the company’s behalf.

THE RESULTS

The Ransomware was successfully analysed, and the business operation was restored approx. 48 hours after initial infection. Analysis confirmed that the Ransomware contained no propagation features, and that there had been no further spread of the infection to the surrounding servers and network devices.

The customer has since adopted our Managed Security Service, including Cisco Umbrella and AMP for Endpoints throughout the organisation in order to prevent any future occurrences. The new software has given the customer added confidence, identifying previously undiscovered threats and vulnerabilities across the network.

We have built a positive relationship with the existing IT provider, recommending security best practice, providing technical assurance, and working together to ensure that the transport company's overall security posture continues to improve.

Please note that the identity of this client has been withheld to protect commercial confidence.

By Stuart Hare on 27/2/19

Security Guidance

How Password Guidelines Have Changed

Over the past few years, we have seen a shift in how we should be approaching Password Security, and with the death of the password still years away, we must focus on educating users with good practice guidance, while delivering technical controls that simplify the whole process for our users.

The Challenge

Overall the industry felt that with the average business user now having close to 200 passwords, there was a real need to look at simplifying both the guidance provided, and how we enforce the use of passwords.

Barely a few days go by where we are not hearing about the latest high-profile data breach, and unfortunately a large portion of these events are caused by bad password security.

In the past we have tried to tackle this problem purely from a technical standpoint, and by implementing increasingly complex restrictions, us techies have made life more difficult for our users and ourselves.

Combining these password complexities, with an ever-increasing number of online services that need an account, has led to users trying to simplify things themselves. Users have resorted to using bad practice such as writing passwords down, using weaker more memorable passwords, and reusing the same passwords for multiple accounts.

The guidance provided here is not meant to be the silver bullet that solves all your password problems, but through continued education and practice, we can make significant improvements and reduce the risk to our business and personal accounts.

Never Reuse Passwords

I have put this first for two reasons: 1. Password reuse is considered the biggest cause of account compromise, and 2. it simply doesn’t get enough airtime.

The Infosec guys reading this are probably questioning that last statement right now, as it is something that is constantly repeated in Security circles, but that’s my point: being known to security professionals is not enough, the user populace and general public need to understand it too.

In reality, when it comes to the average business user, or Joe/Jane public, this is arguably the least communicated and understood password security recommendation, even though it stands out as one of the most important.

You only need to visit the account creation page of some of the big online services, such as Facebook, Instagram, Amazon and Ebay, to see no sign of guidance on using a unique password.

Amazon, Instagram and Ebay account creation pages

In my opinion these companies could lead by example, displaying clear and simple guidance to new and existing users, that includes avoiding password reuse.

As a rule, when creating a new account or changing your password, never use a password that’s been used somewhere else.

Helping Users Cope with the Burden of Passwords

The key goal around these improvements is to reduce the burden on our users, and not make their digital life more difficult. Instead of applying out of date restrictions, that contribute to reducing security, make it easier for them to create and manage their passwords.

We are in an online world where we need to remember a huge number of passwords, and if we want users to comply with recommendations such as never reusing passwords, things need to be simple. Good points here include:

Allowing users to Copy and paste their passwords – preventing this will likely result in them writing down their complex passwords, which will increase your risk of unauthorised account access.

Users should be allowed to securely store their passwords – again this prevents users from writing down their password or storing it insecurely (in clear text, notes, text files or contacts).

Password length and complexity is still a required factor but be flexible with what you deem as complex. A minimum of 12 characters, using upper / lower case, numbers or symbols are good but may prove difficult when creating multiple unique passwords.

As an alternative the use of phrases, song lyrics, book quotes, or the combination of 3 or 4 random words (e.g. HorsePotatoSalvage) are also effective in creating long hard to guess passwords.

Combining this alternative with the use of character substitution you can quickly and easily increase password complexity, for instance h0rsePot4to$alvag3.

Understand that a user’s ability to generate numerous complex passwords will be limited and that they will typically resort to using simple variations of the same password, if the complexity is too great.

Password strength meters can provide the user feedback on whether the selected password meets the system requirements, but understand that the capabilities may be limited. Ensure they are enforcing a flexible approach as described above, and not just minimum characters and complexity.

For instance, ‘Passw0rd01!’ is a poor password that may comply with a minimum 10 character, upper/lower case, number and symbol password policy.

Where possible it is recommended to integrate password blacklists into your systems, to prevent the use of common or already compromised passwords.
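As an added example (not from the original post), the following Python check implements the flexible approach described above: it accepts a 12+ character password with three of the four character classes, or a longer passphrase of three or more words, and rejects anything on a blacklist, including ‘Passw0rd01!’, which a plain length-plus-classes policy would let through. The blacklist entries and the substitution table are constructed for illustration.

```python
"""Password acceptance check following the flexible approach described above.

Added example, not Ironshare's code. A password is accepted when it is either
12+ characters with three of the four character classes, or a 16+ character
passphrase of three or more words, and in every case it must not appear on a
blacklist of common or breached passwords. The blacklist here is a constructed
handful of entries; a real deployment would load a breached-password corpus.
"""
import re
from typing import List, Tuple

MIN_LENGTH = 12           # minimum length for a conventional password
PASSPHRASE_LENGTH = 16    # passphrases can trade character classes for length
PASSPHRASE_WORDS = 3      # e.g. HorsePotatoSalvage

# Constructed sample blacklist of common passwords (lower-case, un-substituted).
BLACKLIST = {"password", "letmein", "qwerty", "welcome", "iloveyou", "monkey"}

# Undo the usual substitutions so 'Passw0rd' is looked up as 'password'.
_UNSUBSTITUTE = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
)


def normalise(password: str) -> str:
    """Canonical form for blacklist lookup: lower-case, trailing digits/symbols
    removed, then substitutions reversed ('Passw0rd01!' -> 'password')."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped.translate(_UNSUBSTITUTE)


def word_count(password: str) -> int:
    """Words separated by spaces/hyphens/underscores, or CamelCase runs."""
    separated = [p for p in re.split(r"[\s\-_]+", password) if p]
    camel = re.findall(r"[A-Z][a-z]+", password)
    return max(len(separated), len(camel))


def character_classes(password: str) -> int:
    """How many of upper, lower, digit and symbol the password contains."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password: str) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); reasons is empty when the password is accepted."""
    reasons: List[str] = []
    if password.lower() in BLACKLIST or normalise(password) in BLACKLIST:
        reasons.append("appears on the common/compromised password blacklist")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    is_passphrase = (
        len(password) >= PASSPHRASE_LENGTH and word_count(password) >= PASSPHRASE_WORDS
    )
    if character_classes(password) < 3 and not is_passphrase:
        reasons.append(
            "needs three of upper/lower/digit/symbol, or a passphrase of three or more words"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Passw0rd01!", "HorsePotatoSalvage", "h0rsePot4to$alvag3", "Tr0ub4dor&3"]:
        accepted, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected: ' + '; '.join(why)}")
```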

Allow the use of Password Managers

Lots of organisations still feel that allowing password managers introduces a security risk they can’t accept. This really is old school thinking and is one of the key recommendations that should be adopted by all users for both their business and personal accounts.

Password Managers, such as Dashlane, LastPass and 1Password, can be a strong technical control that helps to significantly reduce the burden on your users. A good password manager can help you meet the recommendations mentioned above; allowing secure storage, strong complex generation and auto filling of passwords.

Through the use of a password manager you can actually increase your security, preventing credentials from being input and stolen by fraudulent websites, while inbuilt password generators can reduce or even remove the password reuse problem.

Change Passwords Only When You Need To

The biggest misconception we have seen around good password practice, is the continued reliance on changing passwords periodically. This is another change to the guidelines that has not reached organisations and their technical teams.

Gone are the days when we must force our users to change their passwords every 90, 60 or heaven forbid, 30 days.

We recommend that you no longer force regular password changes, but instead educate your users to change their password, when it has been lost, forgotten or they think it may have been compromised.

Control and Monitor Account Lockouts

Setting accounts to lockout after several repeated failures will not be a new thing for most organisations, but what has changed is how aggressive we are when setting these lockout requirements.

Historically account lockout recommendations have been pretty aggressive, forcing an account to be inactive after 3-5 failed attempts at a login. The latest recommendation is to set account lockouts to 10 attempts, which provides a better balance between security and usability. This results in a better user experience while still protecting the account from brute-force attacks.

Users can be aided with the use of an account recovery mechanism, whether this be a self-service portal or an automated feature to enable the account after an elapsed period of time.

In addition, it is also recommended that you monitor login attempts and failures, either locally on the authentication server or using a central log manager or SIEM. This will allow you to identify any abnormal behaviour related to account compromise or brute-force login attempts.
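An added example, not the post's own code, of the monitoring described above: it parses constructed authentication log lines, applies the 10-attempt lockout threshold within a 15-minute window, and also flags a source that fails against many different accounts (password spraying), which a per-account counter alone would miss. The log format, addresses and user names are all constructed for illustration.

```python
"""Detect brute-force and password-spraying patterns in authentication logs.

Added example, not Ironshare's code. The log format and every entry below are
constructed for illustration; adapt parse_line() to your server or SIEM format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

LOCKOUT_THRESHOLD = 10            # failed attempts before lockout, as recommended above
LOCKOUT_WINDOW = timedelta(minutes=15)
SPRAY_MIN_USERS = 5               # one source failing against this many accounts

# Constructed sample: alice is brute-forced from 203.0.113.9, bob mistypes then
# succeeds, and 203.0.113.9 also tries one guess each against several other accounts.
SAMPLE_LOG = "\n".join(
    [f"2019-02-26T09:00:{i:02d} user=alice src=203.0.113.9 result=FAIL" for i in range(11)]
    + [
        "2019-02-26T09:05:00 user=bob src=10.0.0.5 result=FAIL",
        "2019-02-26T09:05:10 user=bob src=10.0.0.5 result=FAIL",
        "2019-02-26T09:05:20 user=bob src=10.0.0.5 result=SUCCESS",
        "2019-02-26T09:06:00 user=carol src=203.0.113.9 result=FAIL",
        "2019-02-26T09:06:05 user=dave src=203.0.113.9 result=FAIL",
        "2019-02-26T09:06:10 user=erin src=203.0.113.9 result=FAIL",
        "2019-02-26T09:06:15 user=frank src=203.0.113.9 result=FAIL",
    ]
)


def parse_line(line: str) -> Dict[str, object]:
    """'<iso timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    timestamp, *fields = line.split()
    record: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.fromisoformat(timestamp)
    return record


def analyse(
    log_text: str,
    threshold: int = LOCKOUT_THRESHOLD,
    window: timedelta = LOCKOUT_WINDOW,
    spray_min_users: int = SPRAY_MIN_USERS,
) -> Dict[str, list]:
    """Return lockout events (user, src, time) and sources that look like spraying."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # user -> recent failure times
    failed_users_by_src: Dict[str, Set[str]] = defaultdict(set)
    lockouts: List[Tuple[str, str, datetime]] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, src, ts = str(rec["user"]), str(rec["src"]), rec["ts"]
        assert isinstance(ts, datetime)
        if rec["result"] == "SUCCESS":
            recent[user].clear()          # a good login resets the failure counter
            continue
        failed_users_by_src[src].add(user)
        failures = recent[user]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()            # drop failures older than the window
        if len(failures) >= threshold:
            lockouts.append((user, src, ts))
            failures.clear()              # account is locked; count afresh after recovery

    sprays = sorted(
        src for src, users in failed_users_by_src.items() if len(users) >= spray_min_users
    )
    return {"lockouts": lockouts, "sprays": sprays}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for user, src, when in result["lockouts"]:
        print(f"LOCKOUT {user} after {LOCKOUT_THRESHOLD} failures from {src} at {when.isoformat()}")
    for src in result["sprays"]:
        print(f"SPRAY suspected from {src}")
```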

Always Change Your Defaults

A common password failure we come across during our Cyber Assessments, is the use of default passwords. Vendors publish their default passwords online, so they are very easy to get your hands on and can give an attacker full administrative access to the device.

The first thing that a bad guy will do after identifying the make of a reachable device is try the default credentials, and once access is gained the compromised device can be used to infiltrate the internal network.

Always remember to change all your default passwords as soon as possible during the initial deployment.

Use Multi-Factor Authentication

Multi-factor authentication or MFA for short, adds additional layers of security to account logons using 3 common factors:

1. something you know (a password);

2. something you have (a token or device) and

3. something you are (biometrics; fingerprint or eye scan).

The idea around MFA is that if someone gets hold of your password, they still need another 1 or 2 factors before they can access your account. The majority of MFA we see in use today uses the first two factors and is typically referred to as 2FA (Two Factor Auth) or Two Step verification.

Common 2FA implementations use smartphones or hard tokens to generate a random 6-digit code that will need to be entered to access your account. These passcodes can be generated using SMS text messaging or through a smart phone authenticator app, such as Google Authenticator, Cisco DUO or Microsoft Authenticator.

Just to be clear here, if a site asks you for two separate passwords this does not mean it is 2FA, this is still single factor auth as passwords are something you know.

To protect your online accounts from compromise it is recommended that you enable 2FA/MFA where possible. The smartphone authenticator app is the more secure version of 2FA and should be preferred over the SMS alternative. That said, if SMS is your only option then this should be implemented, as this is always better than not implementing 2FA.

Avoid Password Sharing

Sharing credentials and passwords has been commonplace in days gone by, and we still witness organisations that operate an open password sharing policy, where passwords are written down and shared between the users or taped to computer keyboards and monitors.

This is a very risky practice that can lead to compromise, false logging / audit trails and an evidence chain that cannot be trusted if an incident was to occur.

Users should be instructed to keep their passwords to themselves and should never share them with other users, including your manager or IT team.

The IT team should have procedures in place to support its users without the need for their individual passwords and should never ask a user for their password.

Never Store Passwords in Clear Text

A final point will be aimed at the developers out there, and that is to ensure that systems and applications never store passwords in clear text.

If an attacker gains access to a system that contains credentials in clear text, they can export this database of passwords, and use it in targeted attacks against other systems. Taking into consideration that users often reuse their passwords on different online services, this credential data can then be used to gain access and compromise accounts on other systems.

Always store credentials securely using cryptographic functions to hash the password prior to storage. To protect against rainbow table brute force attempts each password should also include a unique random ‘salt’ value, that is added prior to the password being hashed.
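An added example (not the post's own code) of the salted hashing just described. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the hashing function, since the post does not name one; each record carries its own random 16-byte salt, so two users with the same password get different stored values and a precomputed table of hashes cannot be matched against them.

```python
"""Salted password hashing for credential storage.

Added example, not Ironshare's code. PBKDF2-HMAC-SHA256 (standard library) is
used as the hashing function; the post does not prescribe a specific one.
Each record stores its own random salt alongside the digest, so identical
passwords hash to different values and a rainbow table cannot be reused.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # work factor; raise over time as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # unique random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest using the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class CredentialStore:
    """Minimal user store that never keeps the clear-text password."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Spend the same hashing cost so unknown users cannot be told apart by timing.
            hash_password(password)
            return False
        return verify_password(password, record)

    def record_for(self, username: str) -> str:
        """What an attacker who dumped the database would see for this user."""
        return self._records[username]


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "HorsePotatoSalvage")
    store.register("bob", "HorsePotatoSalvage")       # same password, different salt
    print(store.record_for("alice") != store.record_for("bob"))                 # True
    print(store.login("alice", "HorsePotatoSalvage"), store.login("alice", "Passw0rd01!"))  # True False
```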

In Summary…

This post has aimed to outline the latest password security guidelines, based on the NIST (National Institute of Standards and Technology) and NCSC (National Cyber Security Centre) published recommendations.

Through our work helping organisations improve their overall security, it has been clear that a large majority still follow outdated password guidance. This not only creates headaches for their users but also results in security gaps that can be exploited by the bad guys.

For good password practice follow these Do’s and Don’ts:

  • Do educate your users on good password security periodically.
  • Do make life easier for your users.
  • Do provide a more flexible approach to password complexity.
  • Do allow the use of password managers to improve password security.
  • Do allow users to generate complex passwords.
  • Do allow the copy and paste of usernames and passwords.
  • Do control and monitor your account login’s and failures.
  • Do change all default passwords as soon as you can.
  • Do use password blacklists where possible.
  • Do use MFA / 2FA where possible – preferring the use of an authenticator app.
  • Don’t use the same password more than once.
  • Don’t write down your passwords.
  • Don’t make users change their passwords periodically, only change if lost, forgotten or compromised.
  • Don’t set an aggressive lockout policy – locking out after 10 failed attempts is OK.
  • Don’t share your passwords even with your manager or IT staff.
  • Don’t store passwords in clear text – ensure they are salted and hashed prior to storage.

By Stuart Hare on 26/2/19

Products and Services

What is Cisco Umbrella and where did it come from?

In the last few years Cisco have made bold steps to accelerate and enhance innovation around its Security Portfolio, where security, cloud and software are all critical components in Cisco's ongoing strategy. Cisco made a big step forward when in August 2015 they announced the completed acquisition of OpenDNS, a cloud security Software-as-a-Service (SaaS) platform which provides threat protection at the DNS layer.

OpenDNS the beginnings

OpenDNS was founded in 2006, starting life as a recursive DNS service whose goal was to provide faster and safer internet browsing for both home and business users. In 2012 OpenDNS extended their services in to Enterprise Business market with the release of the Umbrella service, a cloud delivered service which enforces security at the DNS layer, protecting users both on and off the corporate network. Enterprise customers were excited by the new Umbrella service, and the focus soon turned to how Umbrella made the decisions to categorise a domain or IP as malicious or safe, and whether this information could be made available to Umbrella customers. With increasing requests for this new requirement the OpenDNS team created a product based on their internal intelligence console which in 2013 launched as OpenDNS Investigate. In 2016, after completing the successful acquisition of OpenDNS, Cisco launched the re-branded service Cisco Umbrella.

What is Cisco Umbrella?

Cisco Umbrella is a Cloud driven Secure Internet Gateway that provides protection from Internet based threats, for users wherever they go. Umbrella's global network processes billions of requests per day, analysing and learning internet activity to determine where attacks are being staged, so it can block requests to unwanted and malicious destinations before a connection is even established. As a cloud-delivered service, Umbrella provides the visibility needed to protect internet access across all network devices, office locations, and roaming users. Internet activity is logged and categorized by the type of security threat or web content, and whether it was blocked or allowed.

Cisco Umbrella includes the following security services:

  • Prevents malware, ransomware or phishing attempts from malicious or fraudulent websites
  • Prevents both web and non-web Botnet Command & Control call-backs from systems that are already compromised
  • Protects roaming users and devices, regardless of their location and without the need to be connected to an office network or VPN.
  • Inbuilt integration with Cisco AMP and Anti-virus engines provide file inspection capabilities.
  • Enhanced visibility of real time security activity, to identify compromised systems and targeted attacks
  • Enforces and complies with the organisation's acceptable use policy, through the use of over 60 in built content categories, as well as custom defined white and black lists.

How does it work?

Cisco Umbrella uses DNS, the Domain Name System, to forward requests from your networks and users to the Umbrella DNS resolvers, preventing threats over any port or protocol, not just HTTP & HTTPS traffic. With the help of the roaming client even threats over direct IP connections can be stopped.

Using DNS we can make many threat discoveries. First off, all devices will send DNS requests to Cisco Umbrella; these request patterns will then be analysed to detect threats and anomalies, before a decision is made whether to permit or deny the traffic. For example, we can determine if a system is infected or compromised by the requests it is making. If we see that a device is sending requests to multiple known bad domains, it is likely that the device is compromised.

  1. A User makes a request to a website on the internet which results in a DNS request for the websites domain being sent to Umbrella.
  2. Umbrella analyses the request to determine whether the domain that the user is trying to access is malicious or safe. If the domain is deemed as safe, Umbrella responds with the IP address of the domain.
  3. The Users device then connects directly to the requested domain as normal.
  4. If Umbrella determines that the domain is unsafe to visit, Umbrella responds with the IP address of its Block page, preventing the User from ever connecting to the malicious domain. The same applies to already infected machines that might be trying to call back to these malicious domains.
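The four steps above, simulated as an added example that is not Cisco's or Ironshare's code: a toy resolver answers safe names from a constructed record table, answers names on a known-bad list (or their subdomains) with a block-page address instead, and flags any client whose queries hit several distinct blocked domains as likely compromised. The domains, addresses and the threshold are all constructed for illustration.

```python
"""Simulation of DNS-layer policy enforcement as described in the steps above.

Added example, not Cisco's or Ironshare's code. All domains (.example TLD),
addresses (TEST-NET ranges) and the compromise threshold are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Set, Tuple

BLOCK_PAGE_IP = "192.0.2.1"      # constructed block-page address (TEST-NET-1)

# Constructed threat list and DNS records.
KNOWN_BAD = {"evil-c2.example", "phish-login.example", "malware-drop.example"}
RECORDS = {"news.example": "198.51.100.10", "intranet.example": "198.51.100.20"}


def canonical(qname: str) -> str:
    """Lower-case and strip the trailing dot so lookups are case/format insensitive."""
    return qname.rstrip(".").lower()


def parent_domains(name: str) -> Iterator[str]:
    """Yield the name and each parent: a.b.example -> a.b.example, b.example, example."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class DnsPolicyResolver:
    def __init__(self, bad_domains: Set[str], records: Dict[str, str],
                 compromise_threshold: int = 2) -> None:
        self.bad_domains = {canonical(d) for d in bad_domains}
        self.records = {canonical(k): v for k, v in records.items()}
        self.compromise_threshold = compromise_threshold
        self.blocked_by_client: Dict[str, Set[str]] = defaultdict(set)
        self.log: List[Tuple[str, str, str]] = []    # (client, qname, verdict)

    def matched_bad_domain(self, name: str) -> Optional[str]:
        """A subdomain of a known-bad domain is treated as bad too."""
        for candidate in parent_domains(name):
            if candidate in self.bad_domains:
                return candidate
        return None

    def resolve(self, client_ip: str, qname: str) -> Tuple[Optional[str], str]:
        """Steps 1-4: return (answer_ip, verdict) with verdict blocked/allowed/nxdomain."""
        name = canonical(qname)
        bad = self.matched_bad_domain(name)
        if bad is not None:
            self.blocked_by_client[client_ip].add(bad)
            self.log.append((client_ip, name, "blocked"))
            return BLOCK_PAGE_IP, "blocked"     # client only ever reaches the block page
        answer = self.records.get(name)
        verdict = "allowed" if answer else "nxdomain"
        self.log.append((client_ip, name, verdict))
        return answer, verdict

    def suspected_compromised(self) -> List[str]:
        """Clients that queried at least `compromise_threshold` distinct blocked domains."""
        return sorted(
            client for client, domains in self.blocked_by_client.items()
            if len(domains) >= self.compromise_threshold
        )


def run_sample() -> DnsPolicyResolver:
    """Constructed traffic: 10.0.0.7 behaves like an infected host, 10.0.0.8 hits one block."""
    resolver = DnsPolicyResolver(KNOWN_BAD, RECORDS)
    for client, name in [
        ("10.0.0.7", "news.example"),
        ("10.0.0.7", "cdn.evil-c2.example."),
        ("10.0.0.7", "PHISH-LOGIN.example"),
        ("10.0.0.8", "intranet.example"),
        ("10.0.0.8", "malware-drop.example"),
    ]:
        resolver.resolve(client, name)
    return resolver


if __name__ == "__main__":
    r = run_sample()
    for entry in r.log:
        print(entry)
    print("suspected compromised:", r.suspected_compromised())   # ['10.0.0.7']
```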

The keys to Umbrella's success is in its simplicity, and its ability to protect users regardless of where they are located. We see above that we can easily secure corporate users by redirecting DNS to Umbrella, but with the addition of the lightweight Umbrella Roaming Client, or the Cisco AnyConnect with Umbrella Roaming Security module, this protection can be extended to all users on or off the network. This applies to both home or remote users connecting through public Wi-Fi, without the need to connect to the corporate VPN.

In summary Cisco Umbrella provides:

  • Fast and effective protection against threats such as Malware, Ransomware, Phishing & Command and Control call backs.
  • Protects with no added performance impact.
  • Protects when both on or off the network.
  • Greatly enhances your visibility.
  • Assists with identifying devices that may already be infected.
  • And in most cases Umbrella can be protecting your network in around 30 mins.

For more information on Cisco Umbrella and how it can protect you, please refer to our Product & Service pages or get in touch with us using our Contact page.

By Stuart Hare on 22/2/19

Cyber Round-up

Cyber Round-up for 22nd February

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Do You Know What’s on Your Network?
  • The 6 Year WordPress Vulnerability
  • VFEmail Are Not Done Yet!
  • Russian State Sponsored Hackers Top Speed Charts
  • Cisco Release Several High Impact Vulns

Do You Know What’s on Your Network?

Are you one of those businesses who does not know what devices are attached to your network? If so, you are not alone, but you should understand that this can lead to a significant increase in risk and unknown gaps in your organisation's security.

Based on research conducted by Security firm Forescout, 49% of the 500 UK companies that were polled, said that they did not fully understand their IT assets and believed they had unknown devices connected to the network.

Although this is a small sample, it could mean that up to 2.8 million businesses in the UK are exposed to unknown cyber threats related to unmanaged or even malicious devices.

The Internet of Things (IoT) has caused a huge explosion in the number of internet-connected devices across both business and home networks, and this shows no sign of slowing down.

Read more ….

The 6 Year WordPress Vulnerability

Security Researchers at RIPS Technologies (RIPSTECH) have disclosed a critical remote code execution vulnerability that has been present in WordPress for over 6 years.

By taking advantage of two separate vulnerabilities and the use of a low-privilege account, an attacker can launch a code execution attack that leads to full compromise of the WordPress site.

WordPress is one of the most popular website creation and content management systems, and powers approximately 30% of the world's websites.

The vulnerability, which was brought to the attention of the WordPress security team back in October 2018, affects all versions prior to 5.0.1 and 4.9.9.

Read more ….

VFEmail Are Not Done Yet!

After a turbulent week or so, VFEmail are fighting their way back to full health. Last week we covered the destructive hack that left the company in turmoil and fighting for its survival.

Hackers had infiltrated the systems at VFEmail and wiped all their servers and backup systems, leaving the service inoperable and users without their email data.

This week they have continued to update their customers via the website and Twitter feed, with promising news that they are close to successfully restoring service.

!!!ALERT!!!! Update Feb 17 2019

We're not at full power yet, but we're getting there. Please see the Incident page for a timeline (last updated 2/17/19 9pCST)

Read updated story ….

Russian State Sponsored Hackers Top Speed Charts

A blog post on Infosecurity Magazine has covered a recent Threat Report by CrowdStrike that highlights the importance of speed when it comes to state-sponsored attacks.

State-sponsored attacks continue to rise and grab headlines in the news, with the main focus typically on Russian and Chinese actors.

CrowdStrike's 2019 Global Threat Report includes stats on the new 'breakout time' metric, which focuses on how quickly a hacker can achieve lateral movement during an attack after initial infection.

On average, state actors achieved a breakout time of 4 hours and 37 mins, but there is quite a gap between the two ends of the timing spectrum. At the bottom we have an average of over 9 hours, while the Russians sit at the top, achieving lateral movement in only 18 minutes.

CrowdStrike's George Kurtz states in his blog:

“This report’s findings on adversary tradecraft and speed reflect what many defenders already know: We are in a veritable “arms race” for cyber superiority. However, there are some important differences between an arms race in the cybersphere versus the physical world: In cyberspace, any player can potentially become a superpower.

The capital costs are alarmingly low, compared to funding a physical war machine. Even some of the world’s most impoverished regions proved their ability to make a global impact through cyber campaigns in 2018 — and this is one genie that is not going back in the bottle.”

The CrowdStrike Report can be downloaded here and for the full Infosecurity Magazine post click Read More below.

Read more ….

Cisco Release Several High Impact Vulns

Cisco have disclosed several high impact vulnerabilities in multiple products.

CVE-2019-5736 covers a privilege escalation in the runc container tool and affects multiple products including the Cisco Container Platform and Cisco Defence Orchestrator. If exploited an attacker could replace the runc binary file with a malicious file and run arbitrary commands with root privileges.

The extent of this vuln is not yet known and products such as the ASA firewall, Identity services engine and Nexus switches are included in the devices being investigated.

CVE-2018-15380 & CVE-2019-1664 highlight two vulns in the HyperFlex software suite. The first is a command injection flaw due to a lack of input validation; exploiting it can allow an attacker to run commands with root privileges. The second is an unauthenticated access vuln that, when exploited, provides root access to all members of the HyperFlex cluster.

Software updates are available, so please get reviewing these CVEs and plan in your firmware updates as soon as you can.

For all the latest Cisco Security Advisories please click Read More below.

Read more ….

And that’s it for this week, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #30 – 22nd February 2019

By Stuart Hare on 21/2/19

News

Do You Know What’s on Your Network?

Are you one of those businesses who does not know what devices are attached to your network? If so, you are not alone, but you should understand that this can lead to a significant increase in risk and unknown gaps in your organisation's security.

Based on research conducted by Security firm Forescout, 49% of the 500 UK companies that were polled, said that they did not fully understand their IT assets and believed they had unknown devices connected to the network.

Although this is a small sample, it could mean that up to 2.8 million businesses in the UK are exposed to unknown cyber threats related to unmanaged or even malicious devices.

The Internet of Things (IoT) has caused a huge explosion in the number of internet-connected devices across both business and home networks, and this shows no sign of slowing down.

With more and more IoT devices connecting to corporate networks, Gartner predicts that as many as 20 billion devices will be internet connected worldwide by 2020. The biggest risk in this area comes from a lack of visibility and control over network assets.

Ironshare have witnessed this position many times when questioning our existing and prospective clients about their security. Having an understood and documented network always seems like a very low priority for most organisations.

During our assessments we have identified numerous instances of IoT and network devices present on customers' networks that they were unaware of. These have ranged from rogue wireless network devices to IoT security cameras directly accessible from the internet with no authentication, which could compromise not only the internal network but also the site's physical security.

With ‘Inventory and Control of Hardware Assets’ sitting right at the top of the CIS list of 20 Critical Security Controls, at minimum a manual inventory should be a key item created and maintained under any organisation's security strategy.

“After all, if you don’t know about it, you can’t manage and control it.”

The lack of visibility can lead to devices that are vulnerable to unpatched flaws, leaving them open to malicious exploitation. While typical IT focus will monitor critical assets such as servers, security and network devices, and possibly desktops and laptops, IoT devices are often forgotten, ignored, or unknown, making them prime targets for bad actors.

With a single unknown device compromised, it is possible for these actors to use the device to move laterally around the network, infecting or hijacking further machines, often without the company knowing about it.

Organisations should apply a level of focus to understanding their technology estate and defend against common cyber threats. Below are a few guidelines you can follow to improve this area:

  • Create and maintain an inventory of ALL hardware and devices you connect to your network, not just critical assets.
  • Establish a process for ensuring that new devices are added to the inventory.
  • If possible, and if budgets allow, use automated tools to scan for and discover new devices as they are connected to the network.
  • Isolate IoT devices into their own network segment, so that a compromised device does not impact your critical assets.
  • Ensure that all devices are included in regular patch management and kept up to date with the latest firmware and security patches.

By Stuart Hare on 20/2/19

Security Advisory Archives

The 6 Year WordPress Vulnerability

Security researchers at RIPS Technologies (RIPSTECH) have disclosed a critical remote code execution vulnerability that has been present in WordPress for over 6 years.

By taking advantage of two separate vulnerabilities and the use of a low-privilege account, an attacker can launch a code execution attack that leads to full compromise of the WordPress site.

WordPress is one of the most popular website creation and content management systems, powering approximately 30% of the world's websites.

The vulnerability, which was brought to the attention of the WordPress security team back in October 2018, affects all versions prior to 5.0.1 and 4.9.9.

By gaining access to an account with ‘author’ privileges or above, an attacker can manipulate the way that WordPress handles images and their metadata to exploit the first flaw, a Path Traversal.

Combining this with a second flaw, a Local File Inclusion, the attacker can then execute arbitrary code on the WordPress system. RIPSTECH states:

“An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover.”

RIPSTECH have published a technical breakdown of the exploit on their blog, which includes a brief video showing how easy it is to exploit the vulnerabilities.

A security patch has been released by the WordPress security team for versions 4.9.9 and 5.0.1 that renders this exploit unsuccessful and prevents full remote takeover of the system.

Unfortunately, as it stands no patch or updated version is available to completely remove all of these vulnerabilities; the Path Traversal vuln is still possible, but a fix is apparently due to be included in the next version of WordPress.

To ensure your WordPress installations are as secure as possible, remember to:

  • always keep your WordPress installation regularly updated
  • perform regular updates of associated plug-ins
  • take regular backups of your WordPress system, including prior to any of the above updates
  • test your service after any update, to ensure no issues have been introduced

By Stuart Hare on 20/2/19

Products and Services

Cisco AMP Deployment Options

Cisco AMP, or Advanced Malware Protection, is Cisco’s answer to the next generation of detection, visibility, control, and protection against advanced threats for today’s internet-connected world. AMP gives you real-time blocking of malware and advanced sandboxing, backed up by world-class global threat intelligence, to provide rapid detection, containment and removal of advanced malware.

Cisco AMP comes as a subscription-based security service that is integrated into a broad range of Cisco Security products and is available with a variety of deployment options. These options look to enforce Cisco’s model for ‘AMP Everywhere’. Three main areas cover these deployment options:

  • Protect your network with ‘AMP for Networks’
  • Protect your endpoints with ‘AMP for Endpoints’
  • Protect your web and email traffic with ‘AMP for Web and Email Security’

AMP for Networks

Let’s start with Cisco AMP for Networks. Originally designed for operation with the Cisco Firepower network security appliances, AMP for Networks delivers real-time security enforcement at the network layer, to detect, track, analyse and remove threats.

With AMP for Networks, analysis of files doesn’t end when the files enter the network; continuous analysis and tracking of files (through File Trajectory) occur as they move around the network.

By using the Talos group’s global threat intelligence, network defences are strengthened by informing the security devices to block malware through the use of known bad file signatures.

Suspicious files can be captured and sent for further analysis using the Threat Grid advanced sandboxing integration. This executes and analyses the file in a safe and secure environment, so there is no risk of potential malware spreading.

AMP for Networks is currently available on the Cisco platforms listed below:

  • Cisco NGIPS (Next Gen Intrusion Prevention)
  • Cisco NGFW (Next Gen Firewall)
  • Cisco ISR Branch routers
  • Meraki MX Security Appliances

AMP for Endpoints

AMP for Endpoints gives advanced visibility into the file activity and behaviour on your computer endpoints, using continuous static and dynamic analysis to detect and remove malware.

AMP for Endpoints prevents attacks by using the latest global threat intelligence to strengthen endpoint defences, built-in anti-virus (AV) engines to detect and block attacks based on known malware signatures, and proactive protection capabilities that shut down attacks and minimise vulnerabilities.

Built-in sandboxing technology (Threat Grid integration) can be used to analyse unknown files for malicious behaviour.

Our previous post, What is Cisco AMP for Endpoints?, goes into this option in more detail.

AMP for Endpoints currently protects devices such as:

  • PCs and Laptops
  • Servers
  • Microsoft Windows
  • Apple Mac OS
  • Linux
  • Android mobile devices

Cisco AMP for Endpoints is also available for Apple iOS mobile devices, but in partnership with Apple, Cisco have agreed to rename AMP to Cisco Clarity. Cisco Clarity is deployed to iOS devices via the Cisco Security Connector. The Cisco Security Connector incorporates a bundle of features, which include both Cisco Clarity (AMP for Endpoints) and Cisco Umbrella.

AMP for Web and Email security

The third option extends the AMP features discussed above to Web and Email security products.

In recent years, web traffic and, even more so, email traffic have become the primary transport methods for launching the cyber-attacks we see today.

With web traffic, AMP provides comprehensive protection against web-based threats and file downloads. Malicious files can be present anywhere on the internet, even on legitimate websites, so AMP inspects all downloaded files to give you the confidence to determine whether they are safe or not.

For email traffic, AMP analyses your company emails for the presence of threats; this includes exploits hidden in email attachments, as well as protection against ransomware, phishing, and advanced email attacks.

Like the other options, AMP continuously watches and records the activity of files that pass through the web and email gateways, regardless of whether the file is good or bad. If a good file turns bad, AMP sends a retrospective alert so the malicious file can be contained and removed.

Cisco brings AMP-based security to the following:

  • Cisco Email Security Cloud
  • Cisco Email Security Appliance
  • Cisco Web Security Appliance
  • Cisco Umbrella – Secure Internet Gateway

Open Integration and automation is key

Although each of these options on their own delivers excellent next-generation malware protection, the brilliance comes from the open integration and automation that exists between each of the products running AMP. All options and products above use AMP to work together and ensure that your organisation is secure.

Retrospective security is another key component of AMP, which, via the use of continuous monitoring, not only informs us if an unknown or good file turns bad but understands the full extent and root cause of the infection, allowing all instances of the file to be blocked or removed.

Verdicts on the status of a file can change dynamically in AMP; this status is referred to as ‘a file’s disposition’. The file’s disposition in the AMP Cloud can change based on analysis performed by the Talos research teams or via Threat Grid analysis.

For example, let’s say AMP sees a file appear on the network which has an unknown disposition. If that file’s disposition changes to bad, the AMP cloud will be updated, which in turn pushes the status to all the AMP-enabled products. AMP will know where that file has been seen before, and therefore can go back and contain the threat automatically. All future detections of this file will be blocked.
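The retrospective flow just described, as an added example that is not Cisco's code: a small Python model records each file sighting per host (the trajectory), allows or blocks on the verdict known at that moment, and when a file's disposition later changes to malicious returns every host that has ever seen it so each copy can be contained. Hash, hostnames, timestamps and the disposition names are constructed placeholders.

```python
"""Toy model of retrospective security: file trajectory plus verdict changes.
All values used in demo() are constructed; the disposition names are this
example's own shorthand, not Cisco's."""
from collections import defaultdict

UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"


class RetrospectiveTracker:
    """Remembers where each file (by SHA-256) has been seen and what the cloud
    currently thinks of it, so a later verdict change can be acted on everywhere."""

    def __init__(self):
        self.disposition = {}               # sha256 -> current verdict
        self.sightings = defaultdict(list)  # sha256 -> [(timestamp, host)]

    def record_sighting(self, sha256, host, timestamp):
        """Point-in-time decision for one file on one host: block if the cloud
        already says malicious, otherwise allow but remember the sighting.
        Remembering is what makes retrospection possible later."""
        self.sightings[sha256].append((timestamp, host))
        verdict = self.disposition.setdefault(sha256, UNKNOWN)
        return "block" if verdict == MALICIOUS else "allow"

    def update_disposition(self, sha256, new_verdict):
        """Apply a verdict change pushed from the cloud.  When a file flips to
        malicious, return a retrospective alert listing every host that has
        seen it, earliest sighting first (the likely root cause).  Any other
        change returns None."""
        old = self.disposition.get(sha256, UNKNOWN)
        self.disposition[sha256] = new_verdict
        if new_verdict != MALICIOUS or old == MALICIOUS:
            return None
        seen = sorted(self.sightings.get(sha256, []))  # ISO timestamps sort lexically
        hosts = []
        for _, host in seen:                           # de-duplicate, keep order
            if host not in hosts:
                hosts.append(host)
        return {
            "sha256": sha256,
            "hosts": hosts,
            "first_seen": seen[0] if seen else None,   # (timestamp, host) of patient zero
            "action": "contain and remove on all listed hosts; block future sightings",
        }


def demo():
    """The scenario from the text with constructed values: an unknown file
    spreads to two hosts, is later judged malicious, and every subsequent
    sighting is blocked."""
    tracker = RetrospectiveTracker()
    sha = "00" * 32                                    # constructed placeholder hash
    a1 = tracker.record_sighting(sha, "laptop-01", "2019-02-19T09:00:00Z")
    a2 = tracker.record_sighting(sha, "server-07", "2019-02-19T09:05:00Z")
    alert = tracker.update_disposition(sha, MALICIOUS)
    a3 = tracker.record_sighting(sha, "laptop-02", "2019-02-19T10:00:00Z")
    return a1, a2, alert, a3


if __name__ == "__main__":
    for item in demo():
        print(item)
```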

Conclusion

The options discussed above realise Cisco’s holistic approach of AMP Everywhere. With AMP positioned in more places throughout the network, we get increased visibility to malicious activity and multiple points where this activity can be controlled.

Through the delivery of AMP, you can achieve the following business outcomes:

  • Accelerate security response
  • Make the unknown, known
  • See malware once and block it everywhere

Hopefully you can start to see that through this approach you can have a suite of security products that not only provide next-generation levels of protection, but also have excellent levels of cross-platform integration, delivering significant improvements to your overall security through automation and retrospection.

Ironshare are a small, niche security consultancy focused on the delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.

At the time of writing Ironshare focuses on providing services relating to AMP for Endpoints, as along with Umbrella we feel that these cloud services fit with our mindset of simple security and provide the biggest immediate benefit to our customers. Email security is on the roadmap for inclusion as our portfolio increases, so watch this space for more information.

Ironshare – Security, Simplified

If you have any questions or would like to get in touch, please Contact Us here.

By Stuart Hare on 19/2/19

Products and Services

Protecting your users wherever they are, with Roaming Security

We’ve already talked in detail (in our previous post) about how Cisco Umbrella blocks malware, ransomware, botnets and phishing threats, while containing advanced attacks before they can cause damage. These threats can typically be delivered to one of your organisation's PCs when a user clicks on an innocent-looking link that actually turns out to be malicious, or by visiting an infected website.

This article goes into further detail about another very important feature of Umbrella: Roaming Security.

With Roaming Security you can protect your users when they are away from the office, for example when working in their hotel room, at home, during that flight delay at an airport, or just browsing for some relaxation time in a café somewhere in the world.

Businesses usually load their laptops with Virtual Private Network (VPN) connectivity, which allows users to create a secure connection back to the corporate network over the Internet. This means they can access all their usual things like file shares and email, and it also brings a consistent level of protection, as the security on the corporate network is extended to this out-of-office scenario.

Unfortunately, with over 45% of workers now classed as mobile and over 80% admitting to not always using the secure VPN, this leaves a significant gap in your organisation's security. This is usually because they are also using their work laptops for personal use, and sometimes corporate web browsing restrictions may mean that they can’t get to that sports website or TV programme that they want to watch, or maybe they are not allowed to access personal email accounts like Gmail.

So in reality, not every connection goes through the secure VPN, but as your workers' activity extends beyond the workplace environment, your security must too, and while security may never stop 100% of the threats, it must work 100% of the time.

Cisco Umbrella continues to protect employees in these ‘off network / VPN’ situations by blocking malicious domain requests and links as soon as they are requested. This early security at the DNS layer means that connections are never established, and malicious files are never downloaded.

This means that malware will not infect laptops and data will not be sent out to any third parties. What’s more, your Umbrella administrators will have real-time visibility of infected laptops and will be able to identify devices that have become infected.

Fig. Umbrella off network protection

In order to enable Roaming protection for your users, you first need to deploy a very lightweight Umbrella Roaming Client.

Fig. Umbrella Roaming Client

Or alternatively, you can activate the Umbrella Roaming Security module, if you already use Cisco AnyConnect for your corporate VPN connectivity.

Fig. AnyConnect Roaming Security Module

When a device connects to the internet, the Roaming Client (or AnyConnect module) builds a secure DNS tunnel from the client device to the Umbrella service. Any external DNS requests, for website domains etc., are then sent directly to Umbrella, where the request is analysed before a good or bad response is returned to the client. If the response is good, the user is allowed to connect to the requested site; if it is bad, the request is redirected to the configured Umbrella block page, preventing the user from connecting to the malicious site.

Cisco Talos

Umbrella and other Cisco Security products use Cisco Talos global threat intelligence to identify threats at the earliest possible time in the threat cycle. It’s unique to Cisco and is the world’s largest and most accurate hub of global threat intelligence available today.

Talos is staffed by a team of leading threat researchers and supported by advanced analytical technology. It gathers information about cyber-attacks, surveys a large swath of the public internet to learn how these threats operate, and develops solutions to prevent them in the future.

The scale of this operation cannot be overstated; Talos handles:

  • 1.36 Million Global Sensors
  • 100TB of Data Received Per Day
  • >150 Million Deployed Endpoints
  • >600 Engineers, Technicians, and Researchers
  • 35% of the World’s Email Traffic Surveyed
  • 13 Billion Web Requests
  • 24x7x365 Operations
  • 40 Languages

If you are interested in learning more about Umbrella Roaming Security, why not get in touch or even register to request a FREE 21 Day Trial of Cisco Umbrella, and try it out for yourself. Ironshare can get you up and running with the Umbrella free trial within hours of receiving your request. So don't delay, click here to Register Now!

WHAT’S INCLUDED?

  • Threat protection like no other — block malware, ransomware, and phishing before a connection is made.
  • Predictive intelligence — automates threat protection by uncovering attacks before they launch.
  • Worldwide coverage in minutes — no hardware to install or software to maintain.
  • Scheduled security report — get a regular personalized summary of malicious requests & more, directly to your inbox.

For more information on Cisco products or our services please get in touch by clicking here.

Ironshare – Security, Simplified

By Stuart Hare on 16/2/19

Cyber Round-up

Cyber Round-up for 15th February

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • VFEmail Business Destroyed by Hackers
  • Microsoft Patch Tuesday Feb 19
  • New Emotet Trojan Avoids AV Detection
  • QNAP Storage Devices Hijacked
  • OKCupid Flaw Exposes Dating App Information

VFEmail Business Destroyed by Hackers

On the 11th February, secure email provider VFEmail alerted users via its website that a catastrophic outage had occurred to its email service, after a hacker had gained unauthorised access and launched a destructive attack against their systems.

This malicious attack has resulted in the complete wiping of the VFEmail primary servers and their associated backup systems. The owner of the service posted to his Twitter feed that this may be the end of VFEmail.

The website alert reads:

“!!!ALERT!!!! Update Feb 11 2019

www.vfemail.net and mail.vfemail.net are currently unavailable in their prior form. We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.”

Read more ….

Microsoft Patch Tuesday - Feb 19

Wow, can’t believe we are in the middle of February already (tempus fugit), so it’s that time of the month again for Microsoft’s security updates.

February 2019’s Patch Tuesday has included approx. 70 vulnerabilities across numerous MS products. Of those listed, 20 of these flaws have been rated as Critical, with the ability to fully compromise the vulnerable system. In addition, more than 45 vulns are considered Important, with 3 rated Moderate and 1 rated Low severity.

Vulnerable products impacted include the ever-present Chakra scripting engine, MS Edge and Internet Explorer browsers, MS Exchange, and SharePoint 2010.

Read more ….

New Emotet Trojan Avoids AV Detection

A new variant of the notorious Emotet trojan has emerged over the last month that is using techniques to try and evade anti-virus programs.

Emotet has been around for some time, but new variants of the malware are being created on what seems a regular basis. It uses spam email to infect its targets, before stealing personal and financial information in order to gain access to bank accounts and cryptocurrency wallets.

The malicious payloads delivered by Emotet have varied over time, but this new variant commonly uses XML files, opened using Word, that contain Base64-encoded data to hide the malicious macro that launches the infection. Using XML files with Base64 data means that standard signature-based anti-virus engines will typically not detect this kind of malicious macro-enabled document.

Once launched, the macro spawns multiple processes, calling PowerShell scripts that download the Emotet payload to the victim’s device. Once received, Emotet calls out to several URLs, which are believed to be the attacker's Command & Control (C2) infrastructure, to gain control of the host and steal information.

Next-generation endpoint security such as AMP for Endpoints can help protect against these kinds of advanced threats, where standard anti-virus products fail.

Read more ….

QNAP Storage Devices Hijacked

Customers of the Network Attached Storage vendor QNAP have been reporting strange activities that have been preventing system updates on their devices.

Investigation into the problem has identified that a malware infection has hijacked QNAP NAS devices, forcing a change to the hosts file on the machine.

The Unix hosts file ‘/etc/hosts’ is used to statically define host or domain name mappings to an IP address, and depending upon the device's configuration can be used to override DNS queries.

By hijacking the device and changing these hosts file entries, the malicious actor can control where traffic is sent to.

Read more ….

OKCupid Flaw Exposes Dating App Information

If you are looking for love over this Valentine's weekend and you are using the OkCupid dating app, then be aware that a vulnerability in the app could expose your personal information, steal your login details and result in complete takeover of the app by the attacker.

The flaw is present in OkCupid’s Android application, which uses WebView (a bundled browser inside the mobile application) to open what it calls MagicLinks from the app.

An attacker can simply send a crafted URL to a victim from within the app that, when clicked, allows the attacker to take control of the app, read all the victim's messages, monitor usage, impersonate the victim and even track the victim’s location.

Because these links are sent from within the app, users tend to trust that they are legitimate, clicking them without much thought.

Due to the nature of the app takeover, it is also possible for a malicious actor to spread malware after the first victim is infected, using the app's contact list.

An update for this app is available, so please update as soon as possible.

Dating and sextortion scams are all too common these days, so if you are using these types of apps, please ensure that you stay safe and vigilant, and always remember to update your apps regularly.

Read more ….

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts, why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

Ironshare – Security Simplified

Edition #29 – 15th February 2019

By Stuart Hare on 15/2/19

News

QNAP Storage Devices Hijacked

Customers of the Network Attached Storage vendor QNAP have reported strange activities that have been preventing system updates on their devices.

Investigation into the problem has identified that a malware infection has hijacked QNAP NAS devices, forcing a change to the hosts file on the machine.

The Unix hosts file ‘/etc/hosts’ is used to statically define host or domain name mappings to an IP address, and depending upon the device's configuration can be used to override DNS queries. By hijacking the device and changing these hosts file entries, the malicious actor can control where traffic is sent to.

The hackers in this case added a large number of entries (over 700, according to The Register) to the hosts file and redirected each host or domain to the IP address 0.0.0.0. These entries included the domains for QNAP software and anti-virus updates, and by pointing them to this incorrect IP address the traffic was effectively blackholed, causing all associated updates to fail.

A customer has confirmed that once the entries are removed all updates succeed as expected, but the unfortunate news is that once the device is rebooted the hosts file is modified once again, highlighting the presence of persistent malware.

After some forum discussion QNAP have eventually published a security advisory on their website which, although it includes some recommendations and workarounds, doesn’t explain the malware or vulnerability. It states:

“A recently reported malware is known to affect QNAP NAS devices. We are currently analyzing the malware and will provide the solution as soon as possible.”

A few days later, it appears that QNAP are still none the wiser when it comes to the cause of the compromise, and they still cannot confirm which devices and models are impacted.

Customers affected by the bug have been recommended to run QNAP's Malware Remover tool, but for some this proved to be ineffective, as it appears to only be supported by certain models.

This malware infection, for now at least, remains a mystery. Is this the first sign of something more sinister? Who knows, but my thoughts immediately track back to last year’s router wiper malware dubbed VPNFilter, which infected more than 500,000 devices worldwide. VPNFilter had multiple stages to its behaviour and included numerous malicious payloads aimed at wreaking havoc, so let’s hope not, hey.

For now, any QNAP admins out there should ensure that their devices are placed in their own network segment, so you can control traffic to and from the device. If your device does not need Internet connectivity, then disable it.
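A check for the hosts-file tampering described above, added here as an example and not QNAP's or Ironshare's code: it parses hosts-file content, flags names mapped to a blackhole address (0.0.0.0 or ::) or non-local names mapped to loopback, and marks any name on a caller-supplied watch list as critical. The sample content and the watch list of update hosts are constructed; the real QNAP update domains are not reproduced here.

```python
"""Audit hosts-file content for blackholed or redirected names.
SAMPLE_HOSTS and WATCH are constructed to mirror the behaviour described in
the article (many names pointed at 0.0.0.0, update hosts among them)."""
import ipaddress

# A service can never really live at these addresses; mapping a name here
# silently breaks every connection to it.
BLACKHOLE = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}
# Names that legitimately map to loopback in almost every hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip_address, name) pairs.  '#' starts a comment; a line is
    '<address> <name> [alias ...]'; unparsable lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text, watch_list=()):
    """Return a list of findings, one per suspicious name→address mapping.
    A name on watch_list (e.g. your vendor's update hosts) is 'critical',
    anything else suspicious is 'warning'."""
    watch = {w.lower() for w in watch_list}
    findings = []
    for ip, name in parse_hosts(text):
        if ip in BLACKHOLE:
            reason = "blackholed"
        elif ip.is_loopback and name not in LOCAL_NAMES:
            reason = "redirected-to-loopback"
        else:
            continue
        findings.append({
            "name": name,
            "ip": str(ip),
            "reason": reason,
            "severity": "critical" if name in watch else "warning",
        })
    return findings


def summarise(findings):
    """Counts suitable for a monitoring alert or a before/after-reboot diff."""
    return {
        "total": len(findings),
        "critical": sum(f["severity"] == "critical" for f in findings),
    }


# Constructed sample, modelled on the redirection described in the article.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         ip6-localhost ip6-loopback
10.0.0.20   nas.internal.example
0.0.0.0     update.vendor-example.com
0.0.0.0     av-signatures.vendor-example.com   # trailing comment is ignored
0.0.0.0     telemetry.vendor-example.com
127.0.0.1   download.vendor-example.com
not-an-ip   broken.line.example
"""
WATCH = ["update.vendor-example.com", "av-signatures.vendor-example.com"]

if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS, WATCH)
    for finding in results:
        print(finding)
    print(summarise(results))
```

Run it against a saved copy of /etc/hosts before and after a reboot; if the findings return, the modification is being re-applied by something persistent on the device, as the article describes.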

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

Ironshare – Security Simplified

By

Stuart Hare

on

14/2/19

Security Advisory Archives

Microsoft Patch Tuesday - Feb 19

Wow, can’t believe we are in the middle of February already (tempus fugit), so it’s that time of the month again for Microsoft’s security updates.

February 2019’s Patch Tuesday has included approx. 70 vulnerabilities across numerous MS products. Of those listed, 20 of these flaws have been rated as Critical, with the ability to fully compromise the vulnerable system. In addition, more than 45 vulns are considered Important, with 3 rated Moderate and 1 rated Low severity.

Vulnerable products impacted include the ever-present Chakra scripting engine, MS Edge and Internet Explorer browsers, MS Exchange, and SharePoint 2010.

Nine of the 20 Critical vulnerabilities exist in the MS Edge browser and how its Chakra scripting engine handles objects in memory. By directing a user to a specially crafted web page, these vulnerabilities can be exploited, corrupting objects in the system’s memory and allowing the actor to execute code remotely on the victim’s machine.

More memory corruption vulns exist in Internet Explorer, marked as CVE-2019-0606 and CVE-2019-0676. While CVE-2019-0606 is like the Edge vulns above, allowing a remote hacker to execute code once the victim visits a specially created website, an actor exploiting CVE-2019-0676 can test for the presence of specific files on the victim’s hard disk.

CVE-2019-0604 highlights a critical vuln in SharePoint 2010, where it fails to properly check an application package. By successfully exploiting this issue an attacker could use a crafted application package to run code remotely on the target system.

The update for CVE-2019-0686 in the MS Exchange email server resolves a privilege elevation vuln, where an attacker can gain rights allowing access to the mailboxes of other users in the organisation. A man-in-the-middle attack can be used to relay authentication requests to the server, allowing the attacker to gain access by impersonating another user.

Please don’t delay, review and get patching as soon as you can!

Keeping up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture; please ensure you test and update as quickly as possible to prevent exploitation and stay secure.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/51503ac5-e6d2-e811-a983-000d3a33c573

Security update guide: https://portal.msrc.microsoft.com/en-us/security-guidance

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

Ironshare – Security Simplified

By

Stuart Hare

on

13/2/19

News

VFEmail Business Destroyed by Hackers

On the 11th February secure email provider VFEmail alerted users via its website that a catastrophic outage had occurred to its email service, after a hacker gained unauthorised access and launched a destructive attack against their systems.

This malicious attack has resulted in the complete wiping of the VFEmail primary servers and their associated backup systems. The owner of the service posted to his Twitter feed that this may be the end of VFEmail.

The website alert reads:

“!!!ALERT!!!! Update Feb 11 2019
www.vfemail.net and mail.vfemail.net are currently unavailable in their prior form. We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.”

VFEmail have been around since 2001, providing a secure, privacy-oriented email service for business and personal use. It included both free and paid-for services of differing levels, that scanned each email for spam and viruses prior to delivery to the mailbox.

During the investigation several tweets appeared on the company feed, giving evidence that the attacker was caught in the act of wiping data from the servers, but unfortunately it was too late to prevent further damage.

https://twitter.com/VFEmail/status/1095021927972909056
https://twitter.com/VFEmail/status/1095038701665746945

Customers in the Netherlands appear not to have been impacted, as this was a separate set of data and the backups of those systems were still intact. Partial service has now been restored, in the form of incoming email and webmail, but unfortunately for users in the US all of their data now appears to be lost.

https://twitter.com/VFEmail/status/1095040044316925953

The destroyed virtual servers did not all share the same credentials for authentication, and although details are not known, we assume that this is either a sophisticated attack or possibly an insider threat. Time will tell.

This attack has left the VFEmail business in a horrific state that it may never recover from, and could see the sad end of a service that has spanned nearly 20 years.

In this case a robust backup solution that included both online and offline backups, the latter out of reach of any credentials stolen from the live environment, would have provided a more reliable recovery path for VFEmail.

This devastating act should be a lesson to all businesses: delivering a solid cyber security plan is critical to your continued operation, as well as to protecting your brand and reputation.

Updates on the incident are being provided on the VFEmail website at the following link: https://www.vfemail.net/incident.php

Update 21st Feb 19 - VFEmail Are Not Done Yet!

After a turbulent week or so, VFEmail are fighting their way back to full health. Last week we covered the destructive hack that left the company in turmoil and fighting for its survival.

Hackers had infiltrated the systems at VFEmail and wiped all their servers and backup systems, leaving the service inoperable and users without their email data.

This week they have continued to update their customers via the website and Twitter feed, with the promising news that they are close to successfully restoring service.

!!!ALERT!!!! Update Feb 17 2019
We're not at full power yet, but we're getting there. Please see the Incident page for a timeline (last updated 2/17/19 9pCST)

Although this will be good news for some, it might not be for all. Status updates on their Twitter feed confirmed that they have abandoned their US offering, and the restored service will now be run from the Netherlands.

https://twitter.com/VFEmail/status/1098404538346811393

With the new hope that some data between 2016 and 2019 may be recovered, and hopefully a greater focus on system-wide security, this is great news from a company that looked dead and buried this time last week.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

Ironshare – Security Simplified

By

Stuart Hare

on

13/2/19

Products and Services

Cisco AMP for Endpoints - Simplified!

AMP stands for Advanced Malware Protection.

The term malware derives from malicious software and is any piece of software that was written with the intent of doing harm to data, devices or people. When you hear talk of viruses, trojans, spyware and the like, what you're really hearing is talk of different kinds of malware.

Cisco provide various AMP products; the network version (AMP for Networks) is integrated into network infrastructure such as firewalls, routers and intrusion prevention systems, and another variant concentrates on improving security for cloud email systems like Outlook within Office 365.

Cisco AMP for Endpoints is of course aimed specifically at ‘endpoints’, and in this case an ‘endpoint’ refers to any PCs, Macs, Linux and mobile devices that are connected to your network.

Most organisations will have anti-virus protection in place, but AMP for Endpoints goes beyond traditional ‘point-in-time’ detection to provide another level of visibility and control that is needed in these modern times of advanced threats.

It’s vital for security investigations

Files on your endpoints are initially inspected by AMP, just as traditional anti-virus products do, but things don’t stop there. AMP continues to monitor, analyse and record all file activity and behaviour, even if the file doesn’t initially seem to contain any threat.

If a previously deemed “unknown” or “good” file then exhibits malicious behaviour, AMP automatically sends an alert and shows you the history of that file’s activity and behaviour so that you can investigate and quickly remediate.

It also gives you the ability to roll back time on attacks and find evidence of what the malware has been doing, addressing fundamental questions such as:

  • Where did the malware come from?
  • What systems were affected?
  • What is the threat doing / What did the threat do?
  • How do we stop it?
  • Can we eliminate the root cause?
  • How do we recover from the attack?
  • How do we prevent it from happening again?

AMP’s easy-to-use browser-based management console helps to answer these questions allowing security teams to quickly take action.

Investigation that turns the hunted into the hunter

AMP for Endpoints introduces a new level of intelligence, as it gathers information from all of your endpoints over a period of time. It looks for patterns of malicious behaviour that are common across a number of devices, and once it finds something that looks suspicious, it presents that information to you for analysis, allowing you to hunt down and eliminate further attacks.

Dashboards that actually do something

The Cisco AMP for Endpoints console interface provides complete management, deployment, policy configuration, and reporting for Windows systems, Mac systems, Linux systems, mobile devices, and virtual systems. The dashboards show exactly where threats have been, what they did, and the root causes so you can quickly contain and remediate them (see Figure 1 below).

Protect your organisation before, during, and after an attack

Organisations are under attack, and security breaches are happening every day. Hackers are creating advanced malware that can evade even the best signature-based detection tools, like anti-virus and intrusion prevention systems. These tools inspect traffic at the point of entry into your extended network, but they will never detect 100 percent of the threats trying to infiltrate the organisation.

Furthermore, they provide little visibility into the activity of threats after they evade these first-line defences. This leaves IT security teams blind to the scope of a potential compromise and unable to quickly detect and contain malware before it causes damage. Organisations are rendered incapable of stopping an outbreak from spreading or preventing a similar attack from happening again.

Cisco AMP for Endpoints goes beyond point-in-time capabilities and is built to protect organisations before, during, and after an attack.

Before an attack, AMP uses Cisco Talos global threat intelligence to strengthen defences. Cisco Talos is the world’s largest and most accurate hub of global threat intelligence. It is staffed by a team of leading threat researchers and supported by advanced analytical technology. Talos gathers information after cyber-attacks, surveys a large swath of the public internet to learn how these threats operate, and thereby develops solutions to prevent them in the future. The scale of this operation cannot be overstated:

  • 1.36 Million Global Sensors
  • 100TB of Data Received Per Day
  • >150 Million Deployed Endpoints
  • >600 Engineers, Technicians, and Researchers
  • 35% of the World’s Email Traffic Surveyed
  • 13 Billion Web Requests
  • 24x7x365 Operations
  • 40 Languages

During an attack, AMP uses that intelligence, known file signatures, and dynamic file analysis technology to block malware trying to infiltrate your IT environment.

After an attack, AMP continuously monitors and analyses all file activity, processes, and communications. If a file exhibits malicious behaviour, AMP will detect it and provide retrospective alerts, indications of compromise, tracking, and analysis, so security teams can quickly respond and resolve issues.

See more than ever before

Today’s malware is more sophisticated than ever. Evolving quickly, it can evade discovery after it has compromised a system while providing a launching pad for a persistent attacker to move throughout an organisation. Here are just some of the ways that malware can hide from view:

Sleep techniques

Some malware designers avoid traditional anti-virus software and catch their victims unaware, or "sleeping", by having their creation sleep for a defined period of time before executing, perhaps waiting to detect mouse movements to ensure that a human is at the wheel.

Polymorphism

Other malware (viruses, trojans, worms or spyware) constantly morphs, evolves or changes appearance to make it difficult for anti-virus programs to detect.

Encryption

Traditional anti-virus gateways are not generally able to scan the contents of files protected by encryption.

Use of unknown network protocols

Sometimes there is a reasonable explanation for suspicious, unknown network traffic; it could be caused by a new and unfamiliar application, but it might also indicate the presence of dangerous command-and-control malware that is trying to avoid detection.

The continuous analysis and retrospective security features of Cisco AMP for Endpoints let you uncover these types of elusive malware.

How did it get here and what systems were affected?

Powerful innovations like ‘file trajectory’ and ‘device trajectory’ (Figure 3) use AMP’s big data analytics and continuous analysis capabilities to show you the systems affected by malware.

These capabilities help you quickly understand the scope of the problem by identifying malware gateways and the path that attackers are using to gain a foothold into other systems.

What did the threat do to our systems?

Cisco AMP for Endpoints File Analysis (Figure 4) is backed by the Talos Security Intelligence and Research Group and powered by AMP Threat Grid’s sandboxing technology. This provides a safe, highly secure sandbox environment for you to upload malware and suspect files to analyse their behaviour.

The AMP Threat Grid technology provides over 350 unique behavioural indicators that evaluate the actions of a file submission, providing insight into unknown malware and providing users with context-rich, actionable content, every day. More than 8 million samples are analysed every month!

File analysis produces detailed information on file behaviour, including the severity of behaviours, the original filename, screenshots of the malware executing, and sample packet captures. Armed with this information, you’ll have a better understanding of what is necessary to contain the outbreak and block future attacks.

Can we prevent it from happening again?

Cisco AMP for Endpoints Outbreak Control gives you a suite of capabilities to effectively stop the spread of malware and malware-related activities, like call-back communications or dropped file execution, without waiting for updates from your security vendor. This gives you the power to move directly from investigation to control with a few mouse clicks, significantly reducing the time a threat has to spread or do more damage and the time it normally takes to put controls in place.

Furthermore, AMP can automatically fix systems without a full scan. The technology continuously cross-references files analysed in the past against the latest threat intelligence and quarantines any files that are now known to be a threat.

Simple to deploy and lightweight

Cisco AMP for Endpoints protects you against advanced malware and increases security intelligence across all endpoints: PCs, Macs, mobile devices, and virtual systems.

Its lightweight connector requires less storage, computation, and memory than other security solutions and speeds up protection against advanced malware attacks, eliminating the need for traditional anti-virus security layers that can affect performance and put resource constraints on endpoints.

Works for organisations of all shape and size

AMP works well for any organisation and is optimised for larger enterprises. In terms of privacy, all Cisco AMP for Endpoints connectors use metadata for analysis; actual files are not needed and are not sent to the cloud for analysis unless you allow it.

For organisations with high privacy requirements, a private cloud option is also available. This single on-premises solution delivers comprehensive advanced malware protection using big data analytics, continuous analysis, and security intelligence stored locally on premises.

Where do Ironshare fit in?

Ironshare can help you to get up and running with Cisco AMP for Endpoints within days. We not only provide step-by-step guidance on deployment within your organisation, we can also manage the day-to-day running and reporting, leaving your teams to get on with their usual day job.

Our aim is to provide Security, Simplified. That means we can communicate in a non-technical manner (or technical if you prefer) and just give you the information you want.

Step 1 – Simple Pricing

Ironshare are certified Cisco partners who specialise in security and operate in a completely transparent manner. Unlike other providers we make no secret of our pricing and you can simply click here to get an accurate price estimate. No nonsense – simple!


Step 2 – Simple Deployment

Cisco AMP for Endpoints requires no on-site hardware and can be deployed very easily, providing advanced protection for all of your endpoints. Our technical team would need to speak with your software deployment teams, but rolling out the lightweight connector is straightforward. There might be other factors to consider for wider deployments, but none will be complicated and even the largest of companies can have this up and running very quickly. We will guide you through the entire process. No hidden costs – simple!

Step 3 – Simple Management

Although AMP for Endpoints has a great management interface, it does take time to get up to speed with the product, so to manage this yourself would require some dedicated resource to first learn, then maintain and get the best out of AMP for Endpoints. Our team at Ironshare are experienced with the product, and we would talk to you about what you want to achieve; then, after the initial setup, we will deliver a managed service that ensures your IT support or security team are aware of threats from day one. In addition, we’ll provide you with a monthly report that summarises all of the interesting facts and figures, and we’ll also give you recommendations on internal actions you might need to take.

Conclusion

Ironshare are a small, niche security consultancy focused on the delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.

Ironshare – Security, Simplified. If you have any questions, please Contact Us here.

By

Stuart Hare

on

11/2/19

Cyber Round-up

Cyber Round-up for 8th February

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Metro Bank Falls Victim to SS7 Two-Factor Attack
  • Mass Recall on Kids Smart Watch
  • Time to Update your Android - Critical PNG Bug
  • Google Translate Used to Hide Phishing Sites
  • Take Five to Stop Fraud

Metro Bank Falls Victim to SS7 Two-Factor Attack

Motherboard have reported how the UK’s Metro Bank fell victim to a two-factor authentication (2FA) attack that exploits the legacy Signalling System 7 (SS7) protocol to intercept 2FA codes sent by text message.

The SS7 protocol was originally developed in 1975, and in 1980 the ITU formally approved it as the international standard for telephone signalling, call establishment and routing.

Flaws in SS7 are known to have been exploited for quite some time, and successful attacks against the protocol are capable of tracking phones, as well as intercepting calls and text messages.

It had previously been believed that the ability to exploit SS7 was firmly in the hands of intelligence agencies, but Motherboard confirmed that this is far more widespread. Cyber criminals are using it to attack bank customers with the aim of clearing out their bank accounts.

Read more ….

Mass Recall on Kids Smart Watch

The European Commission has ordered the child smart watch provider ENOX to recall its Safe-KID-One product, after it was found that the watch could be used by bad actors to send messages to the watch and to use the inbuilt GPS to locate its child users.

The Commission’s rapid alert system, which is used to inform other European nations of dangerous products, states that these smart watches pose a ‘serious’ risk, potentially threatening the child’s safety.

Read more ….

Time to Update your Android - Critical PNG Bug

Google have released a new security update for their Android OS after it was disclosed that devices were vulnerable to a number of flaws that include three critical remote code execution vulns.

The Android Security Bulletin for Feb 2019 includes a total of 42 CVEs: 11 vulns were classed as Critical, 30 High, and 1 Moderate, spanning Framework, System, Kernel, NVIDIA graphics, and Qualcomm network components.

Google consider the three PNG-based critical flaws to be the most severe included in this month’s bulletin, impacting millions of devices worldwide running Android v7.0 to v9. A PNG is a common image file format, similar to bitmap (BMP) and JPEG.

Read more ….

Google Translate Used to Hide Phishing Sites

A new phishing method has been witnessed this week, where attackers have hidden their phishing websites behind the Google Translate service.

Like most phishing attacks, the intent of the actors here is to scam you into providing personal information and login details, that they can steal and use for malicious purposes. This particular attack focuses on attempts to steal your Google and Facebook account credentials.

It all typically starts with a fake security email notifying the user of a new device login and including a link to verify that the login activity was you.

Read more ….

Take Five to Stop Fraud

To finish off this week we wanted to give a quick mention to a useful site called ‘Take Five to Stop Fraud’.

This site is provided by Financial Fraud Action UK and is backed by Her Majesty’s Government, with the goal of providing easy-to-understand advice, so the public can be better prepared and protect themselves against the fraudulent activities of bad actors.

We have covered a lot of news reports over the last few months related to financial fraud, delivered through scams and phishing attacks, and they do not appear to be slowing down.

Take Five to Stop Fraud is a great resource for the general non-technical public, explaining the different scams in use and how to spot them. There are also a bunch of helpful educational videos that give examples and practical advice.

Head over to their website below and make sure you can identify fraud the next time you receive a dodgy call or email.

https://takefive-stopfraud.org.uk/

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview

Ironshare – Security Simplified

Edition #28 – 8th February 2019

By

Stuart Hare

on

8/2/19

News

Google Translate Used to Hide Phishing Sites

A new phishing method has been witnessed this week, where attackers have hidden their phishing websites behind the Google Translate service.

Like most phishing attacks, the intent of the actors here is to scam you into providing personal information and login details, that they can steal and use for malicious purposes. This particular attack focuses on attempts to steal your Google and Facebook account credentials.

It all typically starts with a fake security email notifying the user of a new device login and including a link to verify that the login activity was you. By clicking the link, you are presented with a lookalike Google login page, but what makes this interesting is that you are first directed to Google Translate, which then loads the malicious phishing site inside the translation view.

This appears to be an effort to convince a user who checks the email link that they are indeed going to Google, as a valid Google domain and certificate are shown in the address bar. Although the email body content may look convincing, a quick check of the email sender confirms that this is not from Google.

Users unfortunate enough to enter their credentials and click the sign-in link on the page will trigger a script that emails the information entered to the attackers.

If you are using a desktop or laptop browser this threat should be easily identified as fake, as the sender email and the translated URL should be clearly visible to the user as not belonging to Google. Mobile users will have a tougher time though; due to the condensed view it will be more difficult to identify the phish, as the translated domain is not as visible.

What’s surprising is that the attack has a second phase. Once a user signs in with their Google credentials they are immediately redirected to a fake older version of the Facebook login page that then tries to steal your username and password for Facebook. This should be an immediate red flag for most users.

All this said, the whole attack is poorly configured and it’s unknown how successful it has actually been.

The phishing site displayed in Google Translate uses the following hijacked URL:

httpx://mediacity[.]co[.]in/social/js/index.html

Although the domain itself is considered clean, Cisco Umbrella customers are protected from accessing this URL, which is blocked as a phishing threat.

For more information and screenshots please see Akamai’s blog post on the topic:

https://blogs.akamai.com/sitr/2019/02/phishing-attacks-against-facebook-google-via-google-translate.html
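The deception works because the host a user sees in the address bar (translate.google.com) is not the host that serves the login form. The script below is an added example written for this post, not Akamai's or Google's code: it unwraps a Google Translate link by following its `u` query parameter and reports both the visible host and the host that really serves the page, which is the check a mail gateway or analyst would automate. The sample link is constructed; `hijacked-site.example` stands in for the compromised host quoted above, and the `/translate?...&u=<target>` layout is the form of link the campaign relied on.

```python
"""Unwrap Google Translate proxy links to reveal the real destination host.

Added example for this post; not Akamai's or Google's code. PHISH_LINK is
constructed, with hijacked-site.example standing in for the real hijacked
host, and assumes the translate.google.<tld>/translate?...&u=<url> form.
"""
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the link shape described in the post. The target
# URL is percent-encoded inside the 'u' parameter, as a browser would send it.
PHISH_LINK = (
    "https://translate.google.com/translate?hl=en&sl=auto&tl=en"
    "&u=https%3A%2F%2Fhijacked-site.example%2Fsocial%2Fjs%2Findex.html"
)


def is_translate_wrapper(url: str) -> bool:
    """True when the link is a translate.google.<tld>/translate?... wrapper."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.startswith("translate.google.") and parts.path.startswith("/translate")


def unwrap_translate(url: str, max_depth: int = 5) -> str:
    """Follow the 'u' parameter through any nested wrappers and return the
    URL whose content is actually rendered in the translation frame.
    A wrapper with no 'u' target is returned unchanged."""
    current = url
    for _ in range(max_depth):
        if not is_translate_wrapper(current):
            break
        target = parse_qs(urlsplit(current).query).get("u", [""])[0]
        if not target:
            break
        current = target
    return current


def assess_link(url: str) -> Dict[str, object]:
    """Verdict on a link from an email: the host the address bar shows first
    versus the host that serves the page the user will type into."""
    visible_host = (urlsplit(url).hostname or "").lower()
    final = unwrap_translate(url)
    final_host = (urlsplit(final).hostname or "").lower()
    served_by_google = final_host == "google.com" or final_host.endswith(".google.com")
    return {
        "visible_host": visible_host,
        "final_url": final,
        "final_host": final_host,
        "wrapped_by_translate": final != url,
        "served_by_google": served_by_google,
    }


if __name__ == "__main__":
    for key, value in assess_link(PHISH_LINK).items():
        print(f"{key:>22}: {value}")
```

The useful signal is the combination: `visible_host` ends in google.com while `final_host` does not. A link that unwraps to accounts.google.com is not suspicious on this test alone, and a wrapper with no target is left as it is rather than guessed at.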

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

Ironshare – Security Simplified

By

Stuart Hare

on

8/2/19


Ironshare is a provider of Information and Cyber Security services.
