Archive | October, 2014

Evil Tor Exit Node – WSWiR Episode 127

Security FUD, Black Energy, and Tor Terror

Happy Halloween!

The Internet “threatscape” has changed drastically over the past few years, with many more cyber security incidents each year and tons of information security (infosec) news in the headlines. Can you keep up? If not, maybe my weekly infosec video will help.

In today’s quick update, I rant a bit about infosec misinformation, share the latest on the Black Energy ICS attack campaign, and talk about an Evil Tor exit node that dynamically adds malware to downloads. Press play for the scoop, and enjoy your spooky Halloween weekend.

(Episode Runtime: 10:44)

Direct YouTube Link: https://www.youtube.com/watch?v=HjejYd_9Oik

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

#CSAM: Don’t Underestimate Email Phishing

Cyber Security Awareness Month is coming to a close. We’ve enjoyed a lot of discussion (#CSAM) throughout October as the industry at large works to make sure everyone is cyber aware and secure. We thought we would end the month with another look at an important basic – email phishing security.

Even less savvy computer users now know not to click on executable attachments in emails. Most even know that hypertext and web links should be treated as suspect – especially as URL spoofing and disguising become increasingly effective in today’s phishing attempts. But a lot of other file types can still catch your workforce off guard, which is why phishing scams continue to flourish.

Many think Microsoft Office files are benign, but they may not be. Word documents, Excel spreadsheets and other Office files can execute code through software flaws. PDF files are just as susceptible. Make sure your users know it may be just as dangerous opening a Microsoft Office or PDF file as it is clicking on an executable file.

Be sure to train your users about the dangers of clicking on suspect email attachment files and embedded hypertext and web links. Most phishing emails are fairly easy to spot, since they tend not to be customized to individual recipients. They often have bad grammar, links that don’t match the branded web domains they claim to represent, or other flag-raising issues.
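One of those flags, a link whose visible text names one domain while the underlying href goes somewhere else, can be checked mechanically before a message ever reaches a user. The script below is an added example written for this post (it is not WatchGuard’s code): it pulls every link out of a constructed HTML email body and reports links that point at a raw IP address or whose displayed URL domain differs from the real destination. The “registered domain” helper approximates the registrable domain as the last two labels; that is an assumption, and a public suffix list would be needed for registries such as co.uk.

```python
"""Flag phishing red flags in the links of an HTML e-mail body (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or a bare host name,
# e.g. "https://login.example.com/verify" or "www.example.com".
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption:
    a public suffix list would be needed for registries such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str) -> list:
    """Return (visible text, href, reason) for links whose destination does not
    match what the reader is shown, or that point at a bare IP address."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = urlparse(href if "://" in href else "http://" + href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends are out of scope here
        host = target.hostname or ""
        try:
            ipaddress.ip_address(host)
            findings.append((text, href, "link points at a raw IP address, not a branded domain"))
            continue
        except ValueError:
            pass  # not an IP literal: fall through to the text/href comparison
        shown = URL_LIKE.match(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append((text, href, "displayed URL domain differs from the real link domain"))
    return findings


# Constructed sample e-mail body: the domains are IANA reserved example names and
# 203.0.113.45 comes from the TEST-NET-3 documentation range.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account needs verification within 24 hours.</p>
<p>Sign in at <a href="https://login.example.com.example.net/verify">https://login.example.com/verify</a></p>
<p>Or use the direct link: <a href="http://203.0.113.45/login">Secure Login Portal</a></p>
<p>Questions? Visit <a href="https://help.example.com/faq">https://help.example.com/faq</a></p>
</body></html>"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: shown {text!r} -> actual {href!r}")
```

Run against the sample, the first two links are reported and the third (whose text and href agree) is not. A check like this belongs in the mail gateway or a reporting add-in; it is a hint for the reviewer, not a verdict, because legitimate newsletters also route links through tracking domains.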

Note, however, that more sophisticated phishing attacks have now started to target their recipients specifically. These emails may contain content that is of interest to that specific user and their job function. These sophisticated attacks are more difficult to spot, but not impossible.

The answer to the growing complexity of phishing attacks is training, practice drills and up-to-date security solutions. Be sure your users are aware and vigilant about potential phishing attacks. Training is step one, but do not discount the need for practice drills. Putting phishing emails in front of your workforce demonstrates and reiterates the need for review. Think of it as creating muscle memory for their real-world email use. The goal is to keep them leery when interacting with file attachments or links in unsolicited email.

Also be sure to review and update your antispam and firewall security policies. Security threats appear and evolve rapidly. You need to stay up-to-date on the latest leaks, fixes and patches. We provide a weekly overview on our WatchGuard Security Center blog, including popular email phishing tricks and attacks. Subscribe to receive email updates and you’ll receive each update in your inbox.

Again, October is Cyber Security Awareness Month. Make sure you are cyber aware and stay tuned for more security updates right here on the WatchGuard Smart Security Blog.

Leading Global Restaurateur Deploys WatchGuard at Airports & Motorways

HMSHost takes security very seriously. It comes with the territory when you operate in more than 100 airports worldwide, including 20 of North America’s busiest. The company operates a portfolio of award-winning national, local and proprietary restaurant brands in airports and motorways with sales in excess of $2.7 billion annually.

HMSHost deployed WatchGuard UTM appliances at hundreds of airports and motorways worldwide.

Each and every HMSHost transaction must be secured to protect customer information. That’s why the company recently deployed WatchGuard UTM appliances and our Dimension security visibility tool. The WatchGuard appliances report HMSHost data back into WatchGuard Dimension, allowing the company to quickly identify problems, threats and trends. The result allows HMSHost to proactively evaluate policies, optimize security and safeguard corporate and customer data.

“We have hundreds of food and beverage locations throughout airports and motorways worldwide, and thousands and thousands of employees and customers that rely on the networks at these locations. Network security is critical to keeping their data, our data, and the customer’s data safe,” said HMSHost Chief Information Officer, Sarah Naqvi. “We choose to work with WatchGuard because they not only had the best combination of security services, performance and affordability, but also because they had great reporting capabilities for PCI so we can more easily ensure compliance standards are met.”

WatchGuard helps secure HMSHost locations by delivering a complete set of UTM services, including Packet Filtering, Intrusion Prevention, Application Control, WebBlocker, Gateway AntiVirus, spamBlocker, Reputation Enabled Defense, Data Loss Prevention and Advanced Persistent Threat Protection.

Cryptowall Malvertising – WSWiR Episode 126

Windows 0day, iCloud MitM, and Cryptowall Rises

You’re a busy IT guy that barely has time to brush your teeth before running off to work, so who has time to follow security news too? Does this sound like you? If so, let our short weekly video inform you of the most important security news in the time it takes you to enjoy your first cup of coffee.

Today’s episode covers another Microsoft zero day flaw, a recent man-in-the-middle (MitM) attack against iCloud, and the latest developments with a nasty piece of ransomware called CryptoWall. Press play below to learn about all that and more, and peruse the Reference section for other stories.

(Episode Runtime: 8:40)

Direct YouTube Link: https://www.youtube.com/watch?v=0y5lBIQ0CEI

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

#CSAM: 5 Tips for Getting Password Protection Right

Cyber Security Awareness Month is in full effect, sparking a lot of great ongoing discussion across social media channels and Internet forums using #CSAM. We thought we’d use the occasion to highlight the foundation of any strong security protocol – the password.

Here are five tips for getting your password protocols and requirements right.

  1. One is Never Enough

Bud showed us long ago the importance of choosing strong passwords. We’ll assume that everyone in your company is already using passwords that meet minimum requirements set to safeguard security. And, we’re assuming that these passwords are actually passphrases to add complexity. If not, setting proper requirements is a great place to start.

The question then becomes whether your workers are using enough passwords. We constantly hear about password breaches and leaks. If you reuse a single password everywhere, a thief who obtains it has access to every online account you own. A leaked mobile app password opens access to financial services, corporate networks and much more.

In the case of a breach, you must then remember each account that shares the password, log in and change it. Or, you can create an individual password for each online account to minimize the damage if your one and only password is compromised.

  2. Get a Manager

Better yet, get a password manager. Using a different password for each online account is very difficult for most people – if not impossible – without one. A password manager simplifies the task and can help ensure compliance with your password policy.

  3. Change is Good

Even strong and unique passwords can be stolen or leaked. The scary part is that we don’t always know about the leaks. Thieves often lie in wait for months before using stolen credentials. The answer is to change your passwords on a regular basis – at least every 120 days. You change your clocks and replace your smoke detector batteries on a schedule – change your passwords too (only more frequently). At a minimum, be sure to change your password when there is a known issue or breach.

  4. Turn On Two-Factor Authentication

Even strong, unique and frequently changing passwords can be stolen or leaked. Two-factor authentication helps to mitigate the damage of a stolen password. Consider implementing a two-factor authentication system in your organization.

We’re particular fans of SMS authentication codes, primarily because they offer an easy second token that almost anyone can use. Also be sure to encourage your workers to use two-factor authentication whenever a website or cloud service offers it.

  5. Stay Up-to-Date

Security leaks and threats appear and evolve rapidly. You need to stay up-to-date on the latest leaks, fixes and patches. We provide a weekly overview on our WatchGuard Security Center blog. Subscribe to receive email updates and you’ll receive each update in your inbox.

Again, October is Cyber Security Awareness Month. Make sure you are cyber aware and stay tuned for more security updates right here on the WatchGuard Smart Security Blog.

POODLE Bites SSL – WSWiR Episode 125

October Patch Bonanza, Leaky Apps, and POODLE

Cyber security has gone mainstream, which means we’re getting a lot more security news each week than we used to. This week was even busier than usual, with updates fixing hundreds and hundreds of security vulnerabilities, as well as a significant vulnerability in an encryption standard. If you’re having trouble keeping track of the most important security info on your own, let our weekly video summary do it for you.

Today’s episode covers a ton of updates for October’s Patch Day, data leaks affecting SnapChat and DropBox, and a relatively serious SSL vulnerability called POODLE. The video is a bit longer than usual in order to better describe the POODLE flaw. Press play to learn more, and check the references for other interesting stories.

Enjoy your weekend, and beware what you click online.

(Episode Runtime: 16:37)

Direct YouTube Link: https://www.youtube.com/watch?v=AFX9DXDizu4

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

How to Neuter POODLE (New SSL Vulnerability)

Surprise, surprise… Researchers have found yet another OpenSSL vulnerability. They’ve named this one POODLE. Silly name, I know, but at least it stands for something—Padding Oracle On Downgraded Legacy Encryption.

In short, POODLE is a protocol-level cryptography flaw in Secure Sockets Layer version 3 (SSLv3), one of the many encryption protocols available to SSL/TLS implementations like OpenSSL, which are used to encrypt network traffic. While SSL can encrypt any traffic, it’s most commonly associated with secure web communications (HTTPS). SSLv3 is one of the older encryption protocols in OpenSSL’s library, having been around for 18 years or so. Newer protocols like TLS 1.0-1.2 are much more secure, but we’ve kept SSLv3 around for legacy interoperability reasons. Since this new vulnerability allows attackers to decrypt SSLv3 traffic, it’s time we get rid of SSLv3 for good.

The POODLE flaw is fairly complex, and hard to understand without a deeper comprehension of cryptography. If you’d really like to dive into the details, I recommend you read the paper [PDF] by the Google researchers who found the flaw, or check out this detailed explanation. However, here are the basics:

  1. First, this vulnerability requires a Man-in-the-Middle (MitM) attack to succeed. An attacker can only perform it if he can intercept traffic between you and the SSL server. Performing MitM attacks can range from extremely difficult to trivial, depending on the circumstances. For instance, if you join an unsecured WiFi network, attackers on the same network can quite easily intercept your traffic, whereas intercepting traffic out on the Internet is considerably more difficult, and typically requires ISP-level interception (or at least DNS poisoning) to pull off.
  2. Next, this attack only works against SSLv3 encrypted traffic, so the attacker needs to somehow force you to use it. This is a much easier hurdle for attackers to overcome. The SSL/TLS protocol includes a “downgrade” feature that allows SSL clients and servers to negotiate which encryption protocol they agree on, depending on what they both support. With a MitM attack, the attacker can intercept and manipulate the negotiation to ensure your browser and the server settle on SSLv3 encryption.
  3. At this point, an attacker can take advantage of the SSLv3 flaw (essentially a vulnerability in how SSLv3’s CBC cipher suites use padding) to decrypt certain bytes of your secured traffic. Again, see the paper if you are interested in the technical and mathematical detail. However, there are some caveats here. Basically, the educated guesses used in this attack only work 1 in 256 times, so the attack requires the same data to be sent over newly created SSLv3 connections hundreds of times. Forcing hundreds of requests is easy when targeting web browsers, since the MitM position allows the attacker to inject malicious JavaScript into your web session, which silently makes your browser do what he needs. However, many other clients use SSL/TLS to encrypt communications, including VPN clients and apps on your mobile device. Since this attack relies on malicious JavaScript, attackers can’t easily exploit it against non-browser SSL clients. In any case, once this attack succeeds in decrypting one byte, it’s trivial for the attacker to decrypt the rest of your secure message.
  4. So what can attackers do by decrypting SSL-encrypted web sessions? Most likely, they’d leverage this flaw to try to intercept your encrypted HTTP session cookie. That essentially allows them to hijack your secure web sessions and do anything you could do on the particular secure site you’re visiting. They wouldn’t obtain your passwords, but they’d have access to your secure web account.

While this sounds pretty bad, and it can be when the attack succeeds, the mitigating factors mentioned above really lessen the severity of this flaw. MitM attacks are not trivial to pull off in most cases, and this exploit’s JavaScript requirement means it can only easily target web browsers, not other SSL-based clients. Furthermore, if either end (client or server) disables SSLv3, the attack is dead in the water. In fact, NIST only assigns this vulnerability (CVE-2014-3566) a CVSS severity rating of 4.3, which is in the lower medium range of their severity scale. Though many of the media outlets reporting on this flaw have made it sound extremely dangerous, I would only give it a medium severity. It’s definitely something you want to mitigate, but it is not nearly as dangerous as the Heartbleed and Shellshock flaws the media has compared it to.
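The “1 in 256” figure in step 3 comes straight from how SSLv3 defines its CBC padding, and it is worth seeing why a strict padding check (the TLS design) removes the oracle. The program below is an added example written for this post (it is not from the post, from WatchGuard, or from the Google paper). A toy four-round Feistel network stands in for the real block cipher and HMAC-SHA256 for the SSLv3 MAC; both are assumptions of the demo and the cipher is deliberately not secure. The code builds MAC-then-pad-then-encrypt records whose final block is entirely padding, overwrites that block with another ciphertext block, and counts how often the receiver still accepts the record. It does not implement any byte recovery; it only measures the acceptance rate that each padding check leaks.

```python
"""Why SSLv3 CBC padding gives a 1-in-256 oracle while TLS padding does not (added example)."""
import hashlib
import hmac
import random

BLOCK = 8      # toy cipher block size; SSLv3 with 3DES also used 8-byte blocks
MAC_LEN = 32   # HMAC-SHA256 tag length, standing in for the SSLv3 MAC
ENC_KEY, MAC_KEY = b"demo-enc-key-0123", b"demo-mac-key-0123"  # constructed demo keys


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher: keyed and invertible, deliberately NOT secure."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def sslv3_pad(data: bytes) -> bytes:
    """SSLv3: filler bytes are arbitrary; only the final length byte is defined."""
    n = BLOCK - 1 - len(data) % BLOCK
    return data + b"\x00" * n + bytes([n])

def sslv3_unpad(pt: bytes):
    n = pt[-1]  # the receiver can only check that the length byte is plausible
    return None if n >= BLOCK else pt[: len(pt) - n - 1]

def tls_pad(data: bytes) -> bytes:
    """TLS: every padding byte, filler and length byte alike, carries the pad length."""
    n = BLOCK - 1 - len(data) % BLOCK
    return data + bytes([n]) * (n + 1)

def tls_unpad(pt: bytes):
    n = pt[-1]
    if n + 1 > len(pt) or any(b != n for b in pt[len(pt) - n - 1 :]):
        return None  # any filler byte with the wrong value is rejected
    return pt[: len(pt) - n - 1]

def seal(enc_key, mac_key, iv, msg, pad):
    """MAC-then-pad-then-CBC-encrypt: the SSLv3/TLS record layout."""
    pt = pad(msg + hmac.new(mac_key, msg, hashlib.sha256).digest())
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(enc_key, _xor(pt[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def open_record(enc_key, mac_key, iv, ct, unpad) -> bool:
    """Decrypt, strip padding, verify the MAC; True means the receiver accepted the record."""
    pt, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        pt += _xor(block_decrypt(enc_key, ct[i : i + BLOCK]), prev)
        prev = ct[i : i + BLOCK]
    body = unpad(pt)
    if body is None or len(body) < MAC_LEN:
        return False
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest())

def oracle_acceptance(pad, unpad, trials: int, seed: int = 2014) -> int:
    """Overwrite the all-padding final block of each record with another ciphertext
    block and count how many tampered records the receiver still accepts."""
    rng, accepted = random.Random(seed), 0
    for _ in range(trials):
        iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        msg = bytes(rng.getrandbits(8) for _ in range(BLOCK))  # 8 + 32 = 40 bytes, block aligned,
        ct = seal(ENC_KEY, MAC_KEY, iv, msg, pad)              # so the final block is pure padding
        tampered = ct[:-BLOCK] + ct[BLOCK : 2 * BLOCK]
        accepted += open_record(ENC_KEY, MAC_KEY, iv, tampered, unpad)
    return accepted

def roundtrip_ok(pad, unpad) -> bool:
    """Sanity check: an untampered record is accepted under both padding schemes."""
    ct = seal(ENC_KEY, MAC_KEY, b"\x01" * BLOCK, b"GET /account HTTP/1.1", pad)
    return open_record(ENC_KEY, MAC_KEY, b"\x01" * BLOCK, ct, unpad)

if __name__ == "__main__":
    n = 5120  # expect roughly n / 256 = 20 acceptances for SSLv3, none for TLS
    print("SSLv3-style check accepted", oracle_acceptance(sslv3_pad, sslv3_unpad, n), "of", n)
    print("TLS-style check accepted  ", oracle_acceptance(tls_pad, tls_unpad, n), "of", n)
```

With the SSLv3 check, the swapped block is accepted whenever its last decrypted byte happens to equal the expected length (7 here), which is one value out of 256, and the MAC then verifies because exactly the right number of bytes was stripped. Every acceptance tells a network observer something about that byte. With the TLS check, all eight padding bytes would have to decrypt to the right value, so the same tampering is rejected every time, and the receiver leaks nothing beyond “bad record”. Disabling SSLv3 removes the weak check from the negotiation altogether, which is why the post’s advice is the complete fix.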

How to Protect Yourself from POODLE:

Simply put, disable SSLv3!

SSLv3 is an antiquated and broken encryption protocol. Every modern browser and SSL client supports much more recent encryption options. Disabling SSLv3 is the only way to completely protect yourself.

That said, some organizations may still use some legacy web applications, especially ones that require Internet Explorer (IE) 6 running on XP, which depend on SSLv3. Frankly, it’s time you get rid of those applications. In order to quantify today’s minimal SSLv3 usage, CloudFlare monitored all their customers’ traffic and found only 0.09% of it was SSLv3. When monitoring only secure web (HTTPS) traffic, SSLv3 usage jumped to 0.65%, but that’s still a tiny fraction of web traffic. We recommend you help bring this number to zero by getting rid of SSLv3 in your organization.

So how do you disable SSLv3? There are two sides to the equation—the server and the client. You only have to disable one side for the attack to fail.

Since this attack targets clients, and seems to primarily affect web browsers, I recommend you disable SSLv3 in your browsers first. All popular web browsers have configuration settings that allow you to do so. The folks at Zmap.io have kindly provided an instruction page detailing how to disable SSLv3 in the popular browsers; check it out. Furthermore, most browser vendors have promised to disable SSLv3 by default in their next software release. Once you have disabled SSLv3 in your browser, attackers cannot leverage this flaw to decrypt your traffic, even if you connect to a web server that still has SSLv3 enabled.

That said, you also should disable SSLv3 on any servers you run, if only to help protect the rest of the world against this flaw. The creators of OpenSSL have released an update that fixes this vulnerability (and three others). Besides allowing you to disable SSLv3 on your server, the latest version of OpenSSL supports a feature called TLS_FALLBACK_SCSV, which essentially prevents MitM attackers from forcing clients to downgrade to a weaker encryption protocol. Many Linux distributions and other SSL implementations have also released updates. Go get them.
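On the server side the fix is usually a single directive, but it is easy to leave SSLv3 enabled by accident (an Apache `SSLProtocol all -SSLv2` line, for example, still offers SSLv3). The script below is an added example written for this post (not WatchGuard’s or OpenSSL’s code): it reads constructed nginx and Apache httpd snippets, evaluates the `ssl_protocols` and `SSLProtocol` directives, reports any that still offer SSLv2 or SSLv3, and prints a replacement line with them removed. What Apache’s `all` keyword expands to is an assumption for a 2.4-era build against OpenSSL 1.0.x; check the documentation for your own version. TLS_FALLBACK_SCSV is handled inside the updated OpenSSL library rather than by a configuration directive, so it is not modelled here.

```python
"""Audit web-server TLS protocol directives for SSLv2/SSLv3 and propose a fix (added example)."""
import re

LEGACY = {"SSLv2", "SSLv3"}
# Assumption: what Apache's "all" keyword expands to for a 2.4-era build on OpenSSL 1.0.x.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
MODERN = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # the options the post says every modern client supports


def apache_protocols_enabled(value: str) -> set:
    """Evaluate an Apache SSLProtocol value: 'all', optional '+'/'-' prefixes, left to right."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        if op == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def nginx_protocols_enabled(value: str) -> set:
    """nginx ssl_protocols is a plain whitelist: what is listed is what is offered."""
    return set(value.split())


def audit_config(text: str) -> list:
    """Return (line number, directive, legacy protocols still enabled, suggested replacement)
    for every directive in the config text that still offers SSLv2 or SSLv3."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        ngx = re.match(r"^\s*ssl_protocols\s+(.+?)\s*;", line)
        apa = re.match(r"^\s*SSLProtocol\s+(.+?)\s*$", line)
        if ngx:
            value, enabled, directive = ngx.group(1), nginx_protocols_enabled(ngx.group(1)), "ssl_protocols"
            keep = [p for p in value.split() if p not in LEGACY] or MODERN  # never leave the list empty
            fix = "ssl_protocols " + " ".join(keep) + ";"
        elif apa:
            value, enabled, directive = apa.group(1), apache_protocols_enabled(apa.group(1)), "SSLProtocol"
            fix = "SSLProtocol " + value + "".join(" -" + p for p in sorted(enabled & LEGACY))
        else:
            continue
        legacy = sorted(enabled & LEGACY)
        if legacy:
            findings.append((lineno, directive, legacy, fix))
    return findings


# Constructed snippets, both of the kind that still offer SSLv3 in 2014-era defaults.
NGINX_SNIPPET = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}"""

APACHE_SNIPPET = """<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>"""

if __name__ == "__main__":
    for name, snippet in (("nginx", NGINX_SNIPPET), ("apache", APACHE_SNIPPET)):
        for lineno, directive, legacy, fix in audit_config(snippet):
            print(f"{name} line {lineno}: {directive} still offers {', '.join(legacy)}; use: {fix}")
```

Both snippets are flagged: the nginx line lists SSLv3 explicitly, and the Apache line enables it through `all` while only excluding SSLv2. After applying the suggested lines, confirm the result from the outside as the post recommends; a config audit only tells you what the server was asked to do, not what the running binary negotiates.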

As an aside, once you’ve disabled SSLv3 in your browsers and servers, you can check the results using the following sites:

Are WatchGuard Products Affected by POODLE?

In short, yes.

WatchGuard appliances use OpenSSL and are affected by this vulnerability to varying degrees. The impacted products include:

  • XTM appliances – WatchGuard’s web-based user interfaces (UI) on XTM appliances, whether the administrative interface or the VPN client portal, do support SSLv3 and are therefore vulnerable to this flaw. However, you can mitigate it by limiting exposure of the Web UI. There is no reason to allow Internet users to access that administrative interface. Also, our SSL VPN clients do NOT support SSLv3, so mobile VPN connections are not affected. We are making updates to our XTM firmware to disable SSLv3 by default.
  • XCS appliances – The XCS’s Web UI does support SSLv3 by default. However, you can disable it for the Web UI, and should do so. Our mail engine also supports SSLv3, and you can’t currently disable it in the mail engine. That said, this exploit primarily targets web browsers, so the exposure in the mail engine should be low. In any case, we are making changes to the XCS firmware to disable SSLv3.
  • SSL VPN appliances – The SSL VPN appliances’ administrative Web UI uses SSLv3, and you currently can’t disable it. However, you can limit exposure simply by not allowing external access to the Web UI. As for client VPN connections, you can disable SSLv3 in the Manage System => Device Setting page. Doing so ensures attackers can’t exploit this flaw to intercept and decrypt mobile SSL VPN traffic. We will release an update to disable SSLv3 in the Web UI.

This vulnerability’s impact on our appliances is relatively low. Nonetheless, WatchGuard will release updated versions for all affected software and devices that are under support. We are currently planning all these releases, and we will update this post as the dates and releases become available. In any case, if you limit access to the web-based administration interfaces on your WatchGuard appliances, the vulnerability poses you little risk. Furthermore, if you disable SSLv3 in your browser, attackers can’t even leverage it against you, whether or not the appliance uses SSLv3.

To summarize, POODLE is a big enough issue that you should definitely disable SSLv3 in all your browsers and servers as soon as you can. However, despite the wide and alarming coverage of this issue, it does not pose a huge, real-world risk to most users. If you update your browsers, and avoid unsecured WiFi connections, POODLE will likely not bite, and is easy to neuter. — Corey Nachreiner, CISSP (@SecAdept)

ATM Trojan – WSWiR Episode 124

Nine MS Bulletins, Sneaky DRM, and ATM Trojan

Every week, the security community learns about new attacks, exploits, breaches, security patches, and more. However, keeping track of all this fresh information security (infosec) news can be challenging for most IT practitioners. If you need a little help separating the security wheat from the chaff, this weekly video podcast is for you.

Today’s episode warns you about next week’s upcoming Microsoft patch, covers how Adobe DRM snoops on your reading habits, and shares details about an ATM trojan that has helped its creators steal millions in cold hard cash. Watch the video for details, and check out the reference section for more interesting infosec stories.

(Episode Runtime: 5:45)

Direct YouTube Link: https://www.youtube.com/watch?v=5xi3vtc5bAQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Overcoming the Myths of Network Segmentation with the New Firebox M440

As the industry was reminded in the wake of recent high-profile security breaches such as Target, being able to limit a hacker’s access to resources within the corporate network once they’ve penetrated the perimeter defense is almost as important as keeping them out to begin with. Of course, we’re talking about the value of trusted network segmentation. Unfortunately, this long-time best practice has created some very real challenges for organizations looking to create a layered defense. Not only is it complex, but many myths and misconceptions exist surrounding what qualifies as real network segmentation.

Five such myths include:

  • That role-based authentication is segmentation.
  • That switches and WLANs provide adequate network segmentation.
  • That passing PCI-DSS means a company’s segmentation is strong.
  • That setting up network segmentation is expensive and requires multiple security devices and firewalls.
  • Finally, and scariest of all, that network segmentation just isn’t a priority for business.

Read the entire “Myths of Network Segmentation” infographic here.

Effective internal network segmentation allows administrators to place different levels of security on key corporate assets inside the perimeter, in effect establishing multiple layers of firewalls as additional barriers to entry. While segmentation isn’t something new, it is misunderstood. And, with the Internet of Things looming, and with employees wanting anytime, anywhere access, it’s more important than ever.

To help organizations simplify network segmentation, WatchGuard today announced the Firebox M440, the first appliance rich in truly independent ports, which helps reduce the complexity of segmentation and instantly simplifies the critical process of applying security policies across multiple network segments.

The WatchGuard Firebox M440 delivers twenty-five 1 Gb Ethernet ports, eight of which deliver Power over Ethernet (PoE), plus two 10 Gb SFP+ (fiber) ports.

When combined with WatchGuard’s visibility solution, Dimension™, the Firebox M440 provides the industry’s only real-time, single-pane-of-glass view of the effect each policy is having on a specific segment of the network. For example, in the Policy Map image below you can see what type of network traffic travels across each network segment, and IT pros can drill down to get real time information on application usage, security services, and more.

IT pros can get real-time visibility into how policies are performing across different segments of the network.

In conclusion, John Stengel, President of J Stengel Consulting, a network security, management and training firm, said it best. “Effective segmentation has never been more critical. The common misconception that strategies such as role-based authentication, or basic VLAN switching and routing, constitute effective network segmentation delivers a false sense of security. With the increased expectation for anytime employee access and advances around embedded Internet devices (IoT) and recent breaches like Target tied to a lack of proper segmentation, it has never been a better time for organizations to reevaluate how they segment the network and ensure they have the right policies applied.”

For complete product information, click here.