Ransomware Response Procedures

Ransomware is a type of malicious software that encrypts your files and demands a ransom to restore them. It can cause serious damage to your data, your privacy and your finances. If you discover that your computer has ransomware, you need to act quickly and follow these 10 steps:

  1. Disconnect your computer from the internet and any other devices. This will prevent the ransomware from spreading to other machines or contacting its command-and-control server.
  2. Identify the type and variant of ransomware that infected your computer. You can use online tools such as ID Ransomware or other reputable sites to upload a ransom note or an encrypted file and get information about the ransomware.
  3. Check if there is a decryption tool available for the ransomware that infected your computer. Some security researchers and companies have created free tools that can decrypt some types of ransomware. You can find a list of such tools on various security-related websites, like Avast, Emsisoft, Kaspersky, McAfee, Trend Micro, or other solutions.
  4. If there is no decryption tool available, try not to pay the ransom. When the encrypted files cannot be recovered any other way you may feel pressured to pay, but paying the ransom does not guarantee that you will get your files back, and it may encourage the attackers to target you again. Moreover, you may be breaking the law by funding criminal activity.
  5. Remove the ransomware from your computer. You can use an antivirus or anti-malware program to scan your computer and remove any traces of the ransomware. You may need to boot your computer in safe mode or use a bootable USB drive to run the scan.
  6. Restore your files from a backup, if you have one. The best way to recover from a ransomware attack is to have a backup of your important files that are stored offline or on a separate device. If you have such a backup, you can quickly restore your files after removing the ransomware from your computer.
  7. Change your passwords and enable multi-factor authentication. The ransomware may have stolen your credentials or installed a keylogger on your computer, so you should change your passwords for all your online accounts and enable multi-factor authentication where possible.
  8. Update your operating system and applications. The ransomware may have exploited a vulnerability in your software to infect your computer, so you should update your operating system and applications to the latest versions and apply any security patches.
  9. Educate yourself and others about ransomware prevention. The best way to avoid ransomware is to prevent it from infecting your computer in the first place. You should learn how to recognize phishing emails, avoid clicking on suspicious links or attachments, and use reputable security software.
  10. Report the incident to the authorities and seek professional help if needed. You should report the ransomware attack to the relevant authorities in your country or region, as they may be able to assist you or investigate the attackers. You should also seek professional help from a trusted IT expert or a security company if you need assistance with removing the ransomware or recovering your files.

Responding to Ransomware Attacks

In the event that your personal computer, or even the computers on your corporate network, falls victim to a successful ransomware attack, an effective response plan can determine the difference between disaster and successful recovery. If you are impacted by a company-wide malware infection that takes down multiple endpoints, it could mean a permanent business closure if you are unable to recover critical data.

We will discuss how you might respond in the early stages of an attack so that you can remediate the damage before making any wrong decisions.

How to respond to a ransomware attack

If preventative measures have failed, such as hardening your systems against Mimikatz attacks, making users more security aware with Security Awareness Training tips, and applying the Windows 10 hardening tips, then your organization should take the following actions immediately after identifying a successful ransomware infection.

If you have an Incident Recovery Plan, execute the notification process and get all the required teams communicating and remediating the systems impacted by the attack.

1. Quarantine Infected Systems

The majority of ransomware attacks include a function to scan the target network, identify other systems on the same network that can also be targeted, and then encrypt all the files stored on network shares or other computers as the attacker moves laterally across the network. To help contain the infection and prevent the ransomware from spreading to further systems, the infected systems must be removed from the network as soon as possible. This will significantly slow the spread and buy you time for analysis and troubleshooting before everything is rendered useless.

Note: This includes blocking them from wired and wireless network access.

This will also help prevent infected systems from accessing resources like internal email, backup systems, employee record systems, critical databases, etc.

2. Block Internet Access

Every system on the network may already have the malware copied to it; it just might not have started the encryption process yet because it hasn’t been able to reach the command and control server on the internet. Disconnect all systems from the internet. Those that are still working will not start encrypting their drives, and those already encrypting have lost the ability to communicate with the safe systems because of the step above.

Note: This includes blocking internet access from wired and wireless networks.

Now you have known bad systems (they are actively encrypting the user files or have already encrypted all of them) isolated from the network (they can’t see other systems on your network) and blocked from the internet (they can’t see other systems on the internet). You also have suspected good systems that are blocked from accessing the internet and are disconnected from the bad systems. You can now verify that those clean-looking systems are definitely clean and return them to normal once you are sure they are not infected. More about that in Step 5 below.

3. Identify Ransomware

Identify the “brand” of ransomware that has infected your systems. While this might seem strange, there are many types of ransomware from many different malware groups. Knowing which one has infected your systems could help you better identify the methods used in the attack, how to stop the spread, and how you might be able to get your data back without paying a ransom.

There have been instances of law enforcement agencies shutting down a ransomware author’s “business” and releasing the decryption keys. Also, groups behind older ransomware that are no longer actively infecting new systems have sometimes released their decryption keys.

You can visit a ransomware identification website to help identify which malware has infected your systems, so you can get help stopping, removing, and decrypting your locked files. To get a better understanding of the volume of internet threats that exist today, a visual threat map can be helpful. The threat map from Fortinet helps visualize the threats in a more “real-time” visual presentation.

4. Disable Scheduled Tasks

You should immediately disable any automated or system-scheduled maintenance tasks, such as user or system clean-up routines, log deletion tasks, and deletion of old backup files. These automated tasks can remove files you might wish you had later or that your forensic teams might need, or they might perform an action that prevents a successful remediation of the ransomware attack.

5. Remove Ransomware from Infected Systems

You can use available antivirus tools to identify and remove the ransomware from your computer. If you are already using anti-virus and it didn’t stop the infection, this is probably a good time to investigate your current configuration or get a better solution. Once you have scanned and cleaned the system, it is ready for you to restore your files.

Once you find the right software to scan for and detect the malware, run the scanner on all your systems, not just the ones you believe are infected. You might think you know which systems are infected, but the scanner can help you determine which systems actually are. You want to do the clean-up and remediation just once, so do it right the first time.

6. Don’t Pay the Ransom

I realize you may not have an option if your critical business files are encrypted, you don’t have good backups you can recover, and you can’t find a free decryption tool. If backups are unavailable or damaged and there is no free decryption tool available, you will be tempted to pay the ransom and recover your files. Just remember that you may pay the ransom and still not get your files back. These people are criminals looking for easy money; they are not in the business of being your friend.

While paying the ransom may seem like an easy answer, only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in your company going out of business. Paying the ransom might also get you into trouble with the law, so be very careful and consult an attorney.

7. Restore Your Backups

Note: Only restore your files to systems that you know are clean.

Hopefully you were able to jump right past Step 6 (Don’t Pay the Ransom) because you know not to pay a ransom to a criminal because it only encourages them and finances their next attack. You don’t need to pay the ransom because you either don’t need the files that were encrypted, you were able to find a free decryption tool, or you had good backups ready for you to use.

Restoring backups can take a long time, be difficult to perform, and you still might lose some data. If you have been verifying your backups, practicing the restore process at least once a year, and have a well-documented process, the effort will be less likely to fail.

If your user files are also backed up to the cloud using a tool like OneDrive, this might also be useful and a quick way to restore a user’s personal files including documents, music, and pictures.

8. Restore Network

Now that you know which systems are clean, the clean machines can be given access to the internet and other network resources. The infected machines can be cleaned one at a time, have their files restored, and then be returned to the proper network.

Don’t forget to restore internet access for the clean systems. Once you have verified that your backup files won’t be overwritten, the log files are intact, and the files required by the audit and forensics teams are saved, you can re-enable the scheduled tasks that you have reviewed and know are safe to enable.
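As an added example (not code from the original post), the following PowerShell ties Step 4 and Step 8 together: it snapshots every scheduled task for the forensics team, disables the ones whose name or command line looks like a clean-up job, and later re-enables only the tasks a responder has marked as reviewed. It assumes Windows 10 or Windows Server with the ScheduledTasks module and an elevated session; the `C:\IR` folder and the keyword list are constructed choices for this example.

```powershell
# Added example, not code from the original post: record and disable clean-up style
# scheduled tasks during containment (Step 4), then re-enable only reviewed ones (Step 8).
# Assumes Windows 10 / Windows Server with the ScheduledTasks module, elevated session.
# C:\IR and the keyword list are constructed for this example; tune them to your environment.

$RecordDir = 'C:\IR'
# Task names or command lines containing these words tend to remove evidence or backups.
$CleanupKeywords = 'clean', 'purge', 'delete', 'retention', 'backup', 'wevtutil', 'vssadmin'

function Export-TaskInventory {
    # Snapshot every task (including ones we will not touch) for the forensics team.
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            State    = $task.State.ToString()
            Author   = $task.Author
            Command  = $cmd
        }
    } | Export-Csv -Path $Path -NoTypeInformation
    Import-Csv -Path $Path      # re-read so every property is a plain string
}

function Suspend-CleanupTasks {
    # Disable tasks whose name or command line matches a clean-up keyword and write a
    # record with an empty Reviewed column that the responder fills in before Step 8.
    param([string]$InventoryPath, [string]$RecordPath)
    $pattern = ($CleanupKeywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $suspended = foreach ($t in (Export-TaskInventory -Path $InventoryPath)) {
        if ($t.State -eq 'Disabled') { continue }
        if ($t.TaskName -notmatch $pattern -and $t.Command -notmatch $pattern) { continue }
        Disable-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName | Out-Null
        [pscustomobject]@{
            TaskPath = $t.TaskPath
            TaskName = $t.TaskName
            Command  = $t.Command
            Reviewed = ''      # set to 'yes' once the forensics team has cleared the task
        }
    }
    $suspended | Export-Csv -Path $RecordPath -NoTypeInformation
    Write-Host ("Disabled {0} task(s); record written to {1}" -f @($suspended).Count, $RecordPath)
}

function Resume-ReviewedTasks {
    # Step 8: only tasks explicitly marked Reviewed=yes in the record come back.
    param([string]$RecordPath)
    Import-Csv -Path $RecordPath | Where-Object { $_.Reviewed -eq 'yes' } | ForEach-Object {
        Enable-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName | Out-Null
        Write-Host "Re-enabled $($_.TaskPath)$($_.TaskName)"
    }
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Suspend-CleanupTasks -InventoryPath "$RecordDir\TaskInventory-$stamp.csv" `
                     -RecordPath    "$RecordDir\SuspendedTasks-$stamp.csv"
# Later, after review:  Resume-ReviewedTasks -RecordPath "$RecordDir\SuspendedTasks-$stamp.csv"
```

The keyword match is deliberately broad; the exported inventory is what the forensics team reviews before anything is marked `yes`.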

9. Change Passwords

Now that you know someone has had access to your systems, you can’t be sure they did not steal your user and system passwords. Have all users reset their passwords. Reset the passwords for all service accounts, accounts used to run scheduled tasks, the KRBTGT account (used by Active Directory), and any enabled accounts used by your systems. Make sure all administrator-level users also change their passwords. Do a full inventory of accounts, looking at the last time the password was changed, and either change the password or disable the account.
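The account inventory described above, as an added example that is not part of the original post: it lists every Active Directory user with the last password change, flags service and privileged accounts, and recommends reset or disable. It assumes the RSAT ActiveDirectory module and read access to the domain; `$IncidentStart`, the report path and the 90-day threshold are constructed placeholders, and only `Domain Admins` is checked as a privileged group.

```powershell
# Added example, not code from the original post: inventory AD accounts for Step 9 and
# recommend reset or disable per account. Assumes the RSAT ActiveDirectory module and read
# access to the domain. $IncidentStart, the report path and $StaleDays are constructed
# placeholders; 'Domain Admins' is the only privileged group checked, add your other tier-0 groups.
Import-Module ActiveDirectory

$IncidentStart = Get-Date '2024-01-15 08:00'     # constructed: earliest known attacker access
$ReportPath    = "C:\IR\AccountInventory-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
$StaleDays     = 90                               # unused this long: disable instead of reset

function Get-AccountInventory {
    param([datetime]$Since, [int]$StaleAfterDays)
    $props = 'PasswordLastSet', 'Enabled', 'ServicePrincipalName', 'adminCount',
             'LastLogonDate', 'PasswordNeverExpires'
    $admins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
    Get-ADUser -Filter * -Properties $props | ForEach-Object {
        $u = $_
        $isKrbtgt  = $u.SamAccountName -eq 'krbtgt'
        $isService = $u.ServicePrincipalName.Count -gt 0          # has an SPN: used by a service
        $isPriv    = ($u.adminCount -eq 1) -or ($admins -contains $u.SamAccountName)
        $resetDone = [bool]($u.PasswordLastSet -and ($u.PasswordLastSet -ge $Since))
        $stale     = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-$StaleAfterDays))
        # KRBTGT is always disabled in AD, so test it before the Enabled check.
        $action = if ($isKrbtgt) { 'RESET TWICE (allow replication between the two resets)' }
                  elseif (-not $u.Enabled) { 'none (already disabled)' }
                  elseif ($resetDone) { 'done' }
                  elseif ($stale -and -not $isService -and -not $isPriv) { 'DISABLE (unused)' }
                  elseif ($isPriv -or $isService) { 'RESET FIRST' }
                  else { 'RESET' }
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            Privileged           = $isPriv
            ServiceAccount       = $isService
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            LastLogonDate        = $u.LastLogonDate
            ResetSinceIncident   = $resetDone
            Action               = $action
        }
    }
}

$inventory = Get-AccountInventory -Since $IncidentStart -StaleAfterDays $StaleDays
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$inventory | Sort-Object Privileged, ServiceAccount -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation
# Quick view of how much work is left: how many accounts fall under each action.
$inventory | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize
```

Re-run it after the reset campaign; the `ResetSinceIncident` column shows which accounts still have a password that predates the intrusion.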

10. Investigate Intrusion

Things are now back to normal. Users are back onto their computers, the files are all back where they should be, and users are back to work and not on the telephone with you. That doesn’t mean you are done.

You have to look at what happened so you can make sure it doesn’t happen again.

  • How was the ransomware able to get past your computer controls and be easily installed onto a user’s computer without being detected? Was it a user bypassing a control (authorized or unauthorized), or did the ransomware just not get stopped by any existing security control?
  • Are there changes required to your anti-virus software to make it a stronger defense against ransomware? Is it time to remove the existing solution and replace it with something more powerful or can you just change the configuration of the solution you already own to make it work better?
  • Do you need to make changes to the hardening of your Windows 10 devices to make it harder to bypass your security controls and encrypt the users’ files?
  • Do you need to alter or improve your corporate firewall controls? What about the security of your remote users and the way they connect to the Virtual Private Network (VPN)?
  • Do you need to make changes to your network to make it harder for software running on the user’s computer to get access to systems like Domain Controllers, Database Servers, File Servers, Web Servers, etc.?
  • Do you need to change the way you perform (or don’t perform) backups of user and system files? How about changes to the way you restore files? Do you have adequate documentation of the procedures used for backing up and restoring files?
  • Do user accounts have the correct level of authorization? Now may be a good time to remove elevated permissions from normal users, limit who has elevated permissions, and lock down the use of all admin-level accounts.

Summary

If you need help, now is the time to really get some help figuring out the changes that can help prevent a repeat of the security event. A ransomware incident can stop a company from normal business for days, weeks, or forever. It can chase away customers, compromise business critical data, and cost you a lot of money to remediate.

Looking at the steps required now can help you practice and plan for a future incident. Careful planning, remediation of security gaps, and technical training can help prevent a successful ransomware attack, shorten the remediation timeline, and help promote confidence in your Information Technology team.

How to Avoid Ransomware

Ransomware is malware installed on your machine intended to deny access to your critical files. Once you can’t access your documents, pictures, and music, the attacker offers to release the files back to you for a fee. Sometimes the fee might be several hundred dollars, but for businesses the fee might be in the millions.

The attacker uses fairly standard attack methods to install software on your computer that scans your system for specific file types, then encrypts the files using a method that is usually not recoverable. Then the malware will present you with a key value to redeem for a decryption key. If you present your key and the appropriate fee, the cyber criminals provide you with a decryption key that makes your files available again. Usually. Sometimes you pay and they don’t respond, or the key that is provided doesn’t work correctly.

There are some specific things you can do to make the risk of a successful attack on your computer much smaller, as well as ways to make the impact smaller so you might not have to pay the ransom. Some of these are easy for a non-technical user to tackle, but others are better suited for technical personnel at a business or government agency.

Inexpensive Ways to Reduce Ransomware Attack Success
  • Back Up Your Important Data – If you have a backup of your data that hasn’t been encrypted, you probably won’t have to pay the attacker a fee. Depending on how often your data changes, you might be able to perform a weekly backup (there is a utility built into Windows 10, or you can buy a program that does a backup either to an external hard drive or the cloud). Keep backups separate from your computer so that a successful attack won’t have access to the backup files. If your files get encrypted, you can safely reload Windows 10 onto your computer and copy your files from the backup to the clean laptop.
  • Enable Microsoft Defender – Microsoft Defender is included with Windows 10. It has some powerful features to protect your computer from malicious attacks, but only if they are enabled and properly configured. Enable controlled folder access to prevent unauthorized applications from modifying protected files, turn on cloud-delivered protection and automatic sample submission for better protection, and enable tamper protection to prevent the protection from being disabled when you need it the most. You should also enable the attack surface reduction rules in Defender, including rules that block ransomware activity and other activities associated with an attack.
  • Protect Systems – Don’t have anything directly on the internet that isn’t correctly hardened and patched to prevent an easy attack surface. If you don’t know how to properly configure a server or other infrastructure item, don’t guess because the hackers know what they are looking for when they stage an attack.
  • Use MFA – Enable Multi-Factor Authentication (MFA) when possible. Many online sites now allow you to enable this extra protection that requires you to know your standard account password as well as have possession of a specific device to successfully log into their systems. This can be really handy to prevent someone guessing your password and accessing your Facebook, Twitter, or O365 account from anywhere in the world.
  • Education – Educate yourself on how to detect and avoid phishing emails and potentially malicious websites.
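The Defender settings from the list above, as an added example that is not code from the original post: the script audits controlled folder access, cloud-delivered protection, sample submission, tamper protection and three attack surface reduction rules, then enables whatever can be set from PowerShell. It assumes Windows 10 with the Defender module in an elevated session; the three ASR rule GUIDs are Microsoft’s published identifiers for the rules named in the comments.

```powershell
# Added example, not code from the original post: audit the Defender settings named above and
# enable the ones that can be set from PowerShell. Assumes Windows 10 with the Defender module,
# run from an elevated session. The three ASR rule GUIDs are Microsoft's published identifiers.

$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

function Get-DefenderPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    # Get-MpPreference reports ASR rules as two parallel arrays: ids and actions (1 = Block).
    $ruleAction = @{}
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $ruleAction[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    [pscustomobject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        TamperProtection       = $status.IsTamperProtected
        ControlledFolderAccess = ($pref.EnableControlledFolderAccess -eq 1)   # 0 off, 1 on, 2 audit
        CloudProtection        = ($pref.MAPSReporting -ne 0)                  # 0 off, 1 basic, 2 advanced
        SampleSubmission       = ($pref.SubmitSamplesConsent -in 1, 3)        # 1 safe samples, 3 all
        AsrRulesNotBlocking    = @($AsrRules.Keys | Where-Object { $ruleAction[$_] -ne 1 } |
                                    ForEach-Object { $AsrRules[$_] })
    }
}

function Set-DefenderBaseline {
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    foreach ($id in $AsrRules.Keys) {
        # 'Enabled' is block mode; use AuditMode first if you want to see the impact before blocking.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
    # Tamper protection cannot be switched on with Set-MpPreference (that is the point of it);
    # enable it in Windows Security > Virus & threat protection settings, or centrally via Intune.
}

$before = Get-DefenderPosture
$needsWork = -not ($before.ControlledFolderAccess -and $before.CloudProtection -and $before.SampleSubmission) `
             -or $before.AsrRulesNotBlocking.Count -gt 0
if ($needsWork) { Set-DefenderBaseline }

$after = Get-DefenderPosture
$after | Format-List
if (-not $after.TamperProtection) {
    Write-Warning 'Tamper protection is off; turn it on in Windows Security so malware cannot undo these settings.'
}
```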

What is Cybersecurity?

Cybersecurity is the process of protecting networks, systems, data, and programs from digital attacks. Cyberattacks are usually organized and planned attacks intended to gain unauthorized access to business or personal computer systems to allow changing, stealing, or destroying sensitive information. This activity can lead to unplanned business interruptions or subject the victims to extortion in order to get continued access to their data or to prevent the release of sensitive data to the internet.

Understanding Cybersecurity

Cyberattacks are often launched by people employed by organized crime or malicious state actors and are constantly evolving their attacks from one technique to the next as older techniques become less effective and newly discovered vulnerabilities are weaponized.

You don’t have to be a cybersecurity expert to understand the risk and learn how to provide some basic protection for your systems and critical data. This article is intended to provide some basic guidance and to send you in the correct direction to become more effective in protecting your personal or business data.

Securing Windows 10

A Windows 10 laptop right out of the box is not a truly secure laptop. Building a secure laptop using Windows 10 will take a little work. Microsoft has done a good job balancing usability and security, making sure the device is mostly compatible with what an average person wants to do without security getting in the way.

If you want a secure laptop there are some tweaks you need to make to get your laptop to the next level of security. Some are done by default, but you should make sure you have the settings correct, and some are off by default so you’ll need to configure the settings and turn them on.

I’ll go through some of the settings to show you how you can go from default settings to secure, but you have to understand there are always more things you can do to make your Windows 10 device even more secure.

Protecting High-Profile Employees from Cyber Attacks

As you look to protect your employees from a cyberattack, there are specific steps you must take that include training your employees how to detect and avoid phishing emails, training all employees on how to select and protect a complex password, helping employees configure and use MFA for all their business accounts, providing secure laptops to remote workers, etc. But what about those employees that present a higher risk, based on their knowledge, location, system access, or activity? Higher profile targets have a greater risk of attack and breach of essential data, so what can you do to provide elevated security?

As with a lot of things in life, a “one size fits all” type of security may not adequately protect these high-profile accounts from compromise. Many of your users may be low risk users that aren’t subject to a concentrated attack. All accounts must be protected to prevent a successful attack on a common user from being leveraged to gain access to the privileged accounts. Privileged accounts (usually an administrator-level account) must be protected to prevent an attacker from using stolen credentials used by these privileged accounts to gain elevated access to the network and company resources.

Traditional high-profile accounts also belong to executive members, members of the finance team, the payroll department, and accounts used to control corporate social media accounts.

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications to the compromised device, usually through a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attacker’s command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 steps to reducing a lateral movement attack:

  1. Malware and Virus Detection – Install and properly configure an anti-malware and anti-virus solution on every endpoint. This offers, as a minimum, basic protection from known malware signatures, and probably offers advanced heuristic protection algorithms that detect behavior indicating malicious activity, even on zero-day attack attempts. The Microsoft Defender endpoint protection features in Windows 10 are a good example of this type of software that is highly rated and very effective.
  2. Standard User Accounts – Since users are usually the ones that allow the initial compromise through drive-by downloads or clicking on a phishing email, you must limit the power of the malware by limiting the power of the user. Require all users to log in with a standard user account and don’t make them a local administrator on any computer. Even administrators should log into their computer with a standard account as a normal practice. They should only log into systems with administrative rights when they need to actually perform administrative tasks.
  3. Enforce Least Privilege – Only allow users access to systems if they have a business need for that resource. Only allow the minimum privileges needed for the user to do exactly what they need to do, nothing more. This helps prevent malware from using the user’s permissions to gain unauthorized access to sensitive data.
  4. Multifactor Authentication – Implement multi-factor authentication for access to internal and external systems, all applications, and even social media. This basically requires the user to approve access through a mobile application or SMS message before their computer password is accepted. This means that even if a user’s password is stolen or guessed by an attacker, they can’t access the resource without the user’s cellphone.
  5. Conditional Access Controls – Restricting access based on static elements like location, operating system, or even time of day is a basic control that limits account login, even with approved credentials, to enforce compliance dynamically. Microsoft O365 and Azure offer a wide range of conditional access features based on location, operating systems, user risk, etc. to add security options for greater account protection.
  6. Strong Password Management – Require strong passwords that are different for every account. Never allow users to reuse passwords and encourage users to use password managers so they have strong password hygiene. Block common unsafe passwords (i.e. password1, qwerty123, etc.) and configure systems to log password failure attempts. Configure systems and devices to change or eliminate default passwords and require every system to have a unique password for each of its privileged accounts. Never store passwords inside a script. Implement SSH key management tools.
  7. Patch Management – Configure systems and devices to automatically download and install vendor patches as soon as they become available. If the system needs to be tested before any patch is applied, do the testing as soon as possible and aim to install all vendor patches within 30 days. Fewer vulnerabilities mean it is harder for an attacker to get into a system through a software security weakness.
  8. Network Segmentation – Group assets (users, application servers, etc.) into logical units that do not trust each other. Segmenting your network reduces the “line of sight” access attackers must have into your internal systems. For access that needs to cross trust zones, require a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring. If malware can’t reach other systems, it severely limits an attacker’s ability to jump from one system to the next. Where possible, go beyond standard network segmentation to segment based on the context of the user, role, application and data being requested.
  9. Implement Threat Behavior Monitoring – Implement baseline security event monitoring and log the events that will help you later understand which systems were compromised. Using advanced threat detection (including user behavior monitoring) you can quickly detect compromised account activity as well as symptoms of insider privilege misuse.
  10. Application Whitelisting – If possible, implement policies to only allow known good applications to execute while you block and log all other application launch attempts. Windows 10 allows you to implement this functionality using AppLocker. As a minimum you can pre-install the software required by a user and block them from installing any new software.
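Step 10 in practice, as an added example that is not code from the original post: build an AppLocker allow-list from the software already installed, deploy it in audit mode so nothing breaks yet, and then report what the policy would have blocked. It assumes Windows 10 Enterprise or Education with the AppLocker module in an elevated session, with the Application Identity service running; the output path is a constructed placeholder.

```powershell
# Added example, not code from the original post: build an AppLocker allow-list from software
# already installed (Step 10), deploy it in audit mode, then report what it would have blocked.
# Assumes Windows 10 Enterprise/Education with the AppLocker module, run from an elevated
# session; the Application Identity service (AppIDSvc) must be running for rules to take effect.
# The output path is a constructed placeholder.

$PolicyPath = 'C:\IR\AppLocker-KnownGood.xml'

function New-KnownGoodPolicy {
    # Publisher rules first (they survive signed updates), hash rules for unsigned binaries.
    param(
        [string]$Path,
        [string[]]$Directories = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
    )
    $files = foreach ($dir in $Directories) {
        if ($dir -and (Test-Path $dir)) {
            Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
        }
    }
    $xml = [xml]($files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml)
    # AuditOnly logs what *would* be blocked without stopping anyone from working.
    foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $xml.Save($Path)
    $Path
}

function Get-AuditBlocks {
    # Event 8003 in the AppLocker EXE and DLL log = allowed now, would be blocked when enforced.
    param([datetime]$Since)
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message.Split("`n")[0].Trim() } |      # first line names the file
        Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

$path = New-KnownGoodPolicy -Path $PolicyPath
Set-AppLockerPolicy -XmlPolicy $path -Merge
Get-Service AppIDSvc | Where-Object Status -ne 'Running' | Start-Service

# After a week in audit mode: anything listed here either needs a rule or is unwanted software.
Get-AuditBlocks -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Only switch the collections to `Enabled` once the audit report has been empty, or fully explained, for a representative period.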

While backups will not help prevent a successful lateral movement attack, if your files are compromised by an attack your only remediation may be to restore/replace the missing or encrypted files from a recent backup. Don’t forget to include offline backups in your security efforts as a safety net when all preventative measures fail.

While none of these steps will prevent a successful attack on their own, a combination of tactics can truly limit the damage a successful attack can do to your business. By limiting the scope of an attack you can reduce the cost of recovery, limit the scope and quantity of lost or damaged files, prevent a compromise of critical business intelligence, and build confidence in your ability to protect critical business assets.

Network Design Security Checklist

Network design starts with creating a secure network infrastructure. While it is assumed that network design processes are obvious when it comes to the placement and configuration of routers, firewalls, and switches, it can often be helpful to document some of the best practices for the less experienced people who might be tasked with this process at their company.

Remember that having an established procedure and setting realistic expectations allows you to provide some consistency in your IT processes. Consistent processes tend to be repeatable and reliable, which also means you reduce the chance of surprises and security headaches.

Firewalls – Generally speaking you want a firewall placed between network segments that require a high degree of security and to keep unauthorized users off your network. This is easily demonstrated when talking about the connection between your company network and the general internet. Since you don’t want uncontrolled traffic between those two network segments, you implement a firewall. A firewall is designed to block all traffic except the specific traffic you wish to allow. You should verify your firewall has the latest vendor updates applied, all unused ports and protocols are blocked by default, and Intrusion Detection is enabled at the firewall.


Spam and Outlook

Many people don’t understand how a spam filter works, especially with the email software from Microsoft called Outlook. In my experience, people are confused about how emails are blocked, or how emails are filtered into the Junk Email folder inside Outlook.

Generally speaking, your email server is usually used to block common unwanted emails, known as spam. This means the email server has the ability built into the server software to detect and filter (block) emails from being delivered to your email interface, or there is some additional software installed and configured to perform that filtering process. This means less unwanted email is delivered to your inbox.

There is an additional feature built into Outlook that looks at the emails delivered to your Outlook client to determine if it should block the email and redirect it into your “Junk E-mail” folder.

Any email forwarded from your email server (usually Exchange, but it could be Gmail, Yahoo, etc.) but identified as spam by your Outlook client will be automatically moved to your “Junk E-mail” folder. Depending on your spam filter settings inside the Outlook Options, you may find your missing emails in this folder. You may disable the filter, but that doesn’t mean all your emails will now be delivered to your Outlook inbox.

As we discussed already, the spam filter on the email server could have blocked the email, Outlook may have moved the email to Junk E-mail, or even your anti-virus software might have blocked the email. If you work with the team in your IT department, they have tools available that can tell them whether the server ever received the email, whether it was forwarded to your computer, whether it was intercepted by your anti-virus software, etc. They will need to know the address of the person sending you the email, when it was sent, and the subject line (when known).

How can I disable the Outlook spam filter?

How can I mark emails detected as spam by Outlook as “not spam”?

Starting an Information Security System

The diverse and open nature of the Internet makes it important for businesses to focus on the security of their networks. As companies move business functions to the public network and rely more on remote access, they need to take precautions to ensure that corporate data cannot be compromised. You must also verify that business data is not accessible to unauthorized users.

The traditional problem, before the internet, was securing business assets from physical threats like burglars, and the threat was fairly low because the number of people with physical access to your office was small when compared to the population of the planet. Now anyone with an internet connection can attack your corporate assets from almost anywhere in the world. Your threat profile has grown exponentially.

If you haven’t already done so, you should develop an Information Security program to protect your corporate assets.

  1. Define the Perimeter – When you look at your network diagram, you should draw a circle around those systems and devices you choose to protect from unauthorized access. This circle will probably include everything, but you might not include systems managed by trusted vendors, or temporary systems you might be using in a test environment. You must also accept that protecting the included systems will cost you money, and you might decide to exclude systems because the risk to those systems or devices doesn’t justify the expense. What you have now are your “in-scope systems”, and these are the systems that must be properly configured, monitored, patched, etc.
  2. Properly Configured – Create documentation around how to properly configure each in-scope system, and verify each system has been configured to match that documentation. This includes newly installed systems or replacement devices. You must also put controls in place to verify these systems have the correct version of software installed. This must include service packs, patches, hot fixes, etc. You may also need to work with cloud and vendor supported systems to make sure they consistently meet your standards as well. This includes how to properly configure the network settings, installing anti-virus or anti-malware software, configuring the operating system, etc.
  3. Minimize Access – Each user or system account should only have the minimal access required to operate correctly. There should be a security process for approving any requests for elevated privileges, and those requests should be approved only rarely. While it will vary depending on your environment and the size of your technology team, you want very few people to have complete control of these critical in-scope systems. Your users should never have access to systems, devices, file shares, etc. when that access isn’t absolutely required. If fewer people have access to critical information or systems, the risk of unauthorized access is significantly diminished.
  4. Change Management – All proposed system and device changes, including requests for elevated user permissions, should be formally documented, and there should be an approval process to review each requested change. There must also be a separation of duties between the person requesting the change and the person making the change. This prevents unauthorized changes from sneaking around the approval process. You must also have a manager reviewing all actual changes at the end of the week or month and matching them back to the changes submitted through the formal approval process. This will help catch those changes made but not formally approved.
  5. Periodic Reviews – Your team needs to be performing quarterly vulnerability scans. There are multiple tools to help overworked IT technicians complete this task, but what we are recommending is scanning all in-scope systems and devices and matching them against a long list of known security issues. These periodic scans will alert your team to systems that have missing patches or are subject to a known vulnerability that must be addressed to prevent a potential security threat from leading to an attack. This also includes reviewing that circle you put around your in-scope systems. Maybe it is time to move that line to exclude more systems, or to include some additional systems or new devices as your business changes. You should also schedule periodic reviews of who has authenticated access to your network. This includes standard user accounts, employees with remote access, automated system accounts, and remote vendor accounts. This will give you an opportunity to disable or delete terminated employee accounts, remove vendor accounts that no longer need access, etc. All policies and procedures will also require periodic review to make sure they stay accurate and relevant.
  6. Security Training – Every employee plays a part in your overall network security. In the physical security world, it doesn’t make sense to lock the front door but leave all the windows open. It also doesn’t make sense to secure the network and allow your users to tape their network passwords to their monitor or keyboard. Users must be educated about how to secure their passwords, how to select a strong network password, how to secure their mobile devices, etc. There should be initial training for any new employee, and every employee should get a refresher course at least once each calendar year.
  7. Monitor Vendor Alerts – Most vendors have the ability to alert you if they discover a vulnerability in their product. You should sign up for these alerts and monitor the emails on a daily basis. If there is an email alert about a vulnerability in an in-scope system, you need to have procedures for assigning a priority to the alert, how you will score the risk in your environment, and a timeline for taking action on the alert.
  8. Stay in Control – You must have technical controls in place (firewalls, VPN, ACLs, IPS, etc.) to protect your in-scope systems, but you must also look at non-technical physical controls (door locks, safes, video cameras, fire suppression systems, battery backups, etc.) to protect those same in-scope systems. Make sure you limit physical access to critical systems, and implement any physical controls you need in your environment to protect your systems and business data.
  9. Policies and Procedures – You must document your expectations and verify constant compliance. This includes threats from insider attacks. Make sure you write policies that say what must be done and the penalty for non-compliance, and then write the procedures around how people are to complete technical tasks so that your compliance expectations are met. You must also make sure people are following your policies and procedures while understanding that there are consequences to non-compliance.
  10. Monitor Logs – Someone on your team needs to be monitoring and reviewing the logs from your in-scope systems. This process can be time-consuming and difficult without some additional software to collect and automate that process, but that will depend on your environment and the quantity of in-scope systems. There are multiple solutions available from third-party vendors to simplify this process. The logs from your in-scope systems can be used to track system changes, discover system vulnerabilities, track potential internal or external attacks, list unauthorized access attempts, investigate malware infections, etc.
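As an added example (not code from the original post), this PowerShell script produces the periodic access review called for in step 5, and the “very few people with complete control” check from step 3, against Active Directory. It assumes the RSAT ActiveDirectory module is installed and the session has read access to the domain; the review window, group names and report path are placeholders.

```powershell
# Added example, not part of the original post. Periodic access review of AD accounts.
# Assumptions: RSAT ActiveDirectory module installed; read access to the domain;
# the inactivity window, privileged group list and report path are placeholders.
Import-Module ActiveDirectory

$inactiveDays = 90
$cutoff       = (Get-Date).AddDays(-$inactiveDays)
$reportPath   = Join-Path $env:USERPROFILE 'AccessReview.csv'

function New-Finding($Type, $Account, $Detail) {
    [pscustomobject]@{ Finding = $Type; Account = $Account; Detail = $Detail }
}

# 1. Enabled accounts with no logon inside the window: candidates for terminated
#    employees or vendors who no longer need access. LastLogonDate is replicated with
#    up to a 14-day lag, so treat it as a screening value, not an audit record.
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    ForEach-Object { New-Finding 'Inactive' $_.SamAccountName "Last logon: $($_.LastLogonDate)" }

# 2. Enabled accounts whose password never expires: typically automated system or
#    remote vendor accounts, each of which should have a named owner and a reason.
$neverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties PasswordLastSet |
    ForEach-Object { New-Finding 'PasswordNeverExpires' $_.SamAccountName "Password set: $($_.PasswordLastSet)" }

# 3. Who holds complete control: nested membership of the built-in administrative groups.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$privileged = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { New-Finding 'Privileged' $_.SamAccountName "Member of $group" }
}

# Write the full list for the reviewer and print a one-line count per category.
$findings = @($stale) + @($neverExpires) + @($privileged)
$findings | Sort-Object Finding, Account | Export-Csv -Path $reportPath -NoTypeInformation
$findings | Group-Object Finding | Select-Object Name, Count
```

Each row in the CSV should end the review with a documented decision: keep, disable, or delete.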

These steps do not address what you should do to react to an attack or suspected network breach. These listed steps could reduce the risk of a successful attack, but you also need to think about how you must react to an attack or breach and begin planning and documenting your response.

Anti-Virus and SQL Server Exclusion Recommendation

Anti-virus software is useful for scanning systems for infected files. It basically works by scanning files as they are accessed, looking for “signatures” of known viruses. The issue with this process is that SQL Server is a very heavily disk-based storage system, so an anti-virus solution will essentially have to scan the files associated with your databases all the time. This will slow down your server, maybe just a second here or there, but that could be the difference in your overall server performance.

Here is my recommendation on what files to exclude from standard anti-virus scanning. Before you implement these changes to seek faster performance, you also need to make sure your server is protected from general internet access. Exclude these files in the configuration of your anti-virus software:

Files:

  • SQL Server data files – Including *.mdf, *.ldf, and *.ndf files.
  • SQL Server backup files – *.bak, and *.trn files.
  • Trace files – *.trc files.
  • SQL audit files (for SQL Server 2008 or later versions) – *.sqlaudit files.
  • SQL query files – *.sql files.
  • Analysis Services data – by default the files are located in the “Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data” folder.
  • Full-Text catalog files – by default located in the “Program Files\Microsoft SQL Server\MSSQL\FTDATA” folder for default instances and “Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA” for named instances.

You may need to tweak the list based on your configuration or security concerns, but some basic testing and analysis will tell you if the effort is worth the boost in server performance. Some of the common anti-virus vendors agree with this recommendation. Even Microsoft recommends these exclusions.

Threats to Corporate Security

There are things that employees do that can present serious threats to corporate security, and you might not even realize that these simple things can undermine your security efforts. If you are responsible for security at your company, you need to start investigating these issues; educating your team about these risks is a simple way to improve the corporate security at your place of business.

  1. BYOD – Bring Your Own Device is something that almost everyone does today, even at places that specifically ban this practice. With smart watches, personal cell phones, cheap tablets, etc. it is almost impossible to keep employees from bringing their own devices into the workplace. Many companies don’t even have formal policies around what devices are allowed or what systems these devices are banned from being connected to in their environment. The risk is that an employee brings an infected device into the office and connects that device to one of your corporate assets like a laptop or server. The infected device is then able to bypass the typical network security and attack that device, potentially stealing corporate secrets or customer data. Education and formal policies are the best security against this type of dangerous behavior, as well as updating your security profile to detect rogue devices.
  2. Social Media – A post on social media may seem harmless to most people, but if the post includes information about a new business project, issues with a new business system, how many servers were recently infected with a virus, etc., these posts can be used by your business competition to gain an advantage or even used as a source of technical information for international hackers to target your business for a cyber attack. Education is your best weapon against this type of issue.
  3. Poor Technical Security – Your technical team has to always be thinking of system security. This includes assuming responsibility for securing the business systems from both internal and external attacks. The obvious security measures include strong perimeter security through firewalls and intrusion detection, but the less obvious steps include keeping systems updated with security patches, education around recent security threats, and monitoring vendor sites for announcements about newly discovered vulnerabilities. Make sure the technical team has formal policies and procedures around periodic security checks, and that there is some oversight of the process so it stays important to the entire team.
  4. Social Hacking – Hackers and scammers don’t always attack your assets by remotely hacking your computers; sometimes they just hack your employees. It can start as a simple telephone call asking someone in your office to download a vendor update because their system is outdated and causing a data issue. That seemingly harmless update is really a program that installs a backdoor into your system that allows the hacker access into the secure network. A scammer can also call someone in accounting pretending to be the CEO, requesting an emergency wire transfer of $50,000 to an off-shore account. You need to make sure there are policies and procedures in place that will capture these types of unusual events and route them to someone who can ask the correct questions to uncover a scam and block silly mistakes like these.
  5. Anti-Virus Software – Just because your computer is behind a firewall doesn’t mean it can’t be infected with a virus. Computer viruses can do harmless and annoying things, but they can also do some really serious damage to your corporate computer systems and even shut down your business. While anti-virus software isn’t the most important part of your network security, it is just one part of an overall security infrastructure that will help keep your network secure.
  6. Weak Passwords – Any secure computer system starts with good passwords. A weak password is useless and puts your entire network at risk. Verify that the business systems your company uses require strong passwords, and make sure you educate your team to always avoid weak passwords. This education should extend past internal corporate assets to include personal email accounts, social media sites, and their personal banking accounts.


Anti-Virus Engines might have Exploitable Flaws

While most computer users have an anti-virus product installed, it might not be making your computer safer. A security researcher has claimed to have found exploitable flaws in 14 major anti-virus engines used by some of the largest security vendors. In a presentation by Joxean Koret, a researcher at Singapore-based consultancy COSEINC, we see the details about how he used a custom fuzzing suite to find bugs in 17 of the major antivirus engines. These are the engines that are used by anti-virus software companies like AVG, Bitdefender, ESET, and F-Secure.


Koret explained that almost all of the engines he looked at were written in C and/or C++ coding languages, which could allow attackers to discover and leverage buffer and integer overflow bugs. “Exploiting AV engines is not different to exploiting other client-side applications,” he said. “They don’t offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. And sometimes they even disable such features.”

If you are interested in software security, this makes for a good read.

AV engines not only need to support such a large list of file formats, but they also need to do this quickly and better than the vendor.

If an exploit for a new file format appears, customers will ask for support for such files as soon as possible. The longer it takes, the higher the odds of a customer moving on to another vendor.

Sample list of vulnerabilities:

  • Avast: Heap overflow in RPM (reported, fixed and paid Bug Bounty)
  • Avg: Heap overflow with Cpio (fixed…)/Multiple vulnerabilities with packers
  • Avira: Multiple remote vulnerabilities
  • BitDefender: Multiple remote vulnerabilities
  • ClamAV: Infinite loop with a malformed PE (reported & fixed)
  • Comodo: Heap overflow with Chm
  • DrWeb: Multiple remote vulnerabilities (vulnerability with updating engine fixed)
  • ESET: Integer overflow with PDF (fixed)/Multiple vulnerabilities with packers
  • F-Prot: Heap overflows with multiple packers
  • F-Secure: Multiple vulnerabilities in Aqua engine (all the F-Secure own bugs fixed)
  • Panda: Multiple local privilege escalations (reported and partially fixed)
  • eScan: Multiple remote command injection (all fixed? LOL, I doubt…)

    Exploiting an AV engine is like exploiting any other client-side application.

    • Is not like exploiting a browser or a PDF reader.
    • Is more like exploiting an Office file format.

Anti-Virus and SQL Server

As a security precaution in your corporate environment, you are usually asked to have anti-virus software installed on all production systems. Some compliance guidelines require anti-virus software on all in-scope systems. So what is a Database Administrator to do when you want every CPU cycle to be used on queries, not on scanning data files for virus signatures?

McAfee, Symantec, and other solutions have some basic guidelines for how to configure their anti-virus products on your SQL Server instances, and I’ll review those today. Basically, you want anti-virus to do real-time scanning of files that may be contaminated with virus data, but you want to exclude those files used by the database. Since database files are constantly accessed, this should reduce the wasted CPU cycles and disk I/O delays caused by anti-virus scanning.

You want to exclude scanning of database specific files, including .MDF, .NDF, .LDF, .TRN, .TRC, and .BAK files.

You probably also want to exclude the scanning of SQL Server specific directories, which will reduce time spent by the anti-virus scanner examining the file contents each time they are accessed. The default directories are listed here, but you probably have changed the default paths so you should also specifically exclude those custom paths used by your specific instance.

  • \Program Files\Microsoft SQL Server\MSSQL$instancename\DATA\
  • \Program Files\Microsoft SQL Server\MSSQL$instancename\BACKUP\
  • \Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA\
  • \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data\
  • \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Backup\
  • \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Log\

The idea is to target those files which you are concerned might be contaminated, and exclude those files which are in constant use by SQL Server. These exclusions can be configured in the product installed on the server, or through the enterprise configuration tool, to effectively manage these settings.

Consult your specific anti-virus provider for details on how their product can make these exclusions work on your SQL Server instance. These changes are designed to guide you to a security compromise that balances security with your desire for optimal performance.
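As an added example covering both this post and the “Anti-Virus and SQL Server Exclusion Recommendation” post above (not code from either post, nor from any anti-virus vendor), this PowerShell script asks the instance which directories it actually uses, so customized paths are not missed, and then registers those directories plus the database file extensions from the posts as Microsoft Defender Antivirus exclusions. It assumes the SqlServer PowerShell module is installed, the script runs as an administrator on the SQL host, and that `$instance` and the FTData layout are placeholders to adjust; for another product, feed the same lists into that vendor’s console.

```powershell
# Added example, not part of the original posts. Discover the instance's real file
# locations and register them, with the database file extensions, as Defender exclusions.
# Assumptions: SqlServer PowerShell module installed; elevated session on the SQL host;
# $instance is a placeholder (use 'HOST\INSTANCE' for a named instance).
Import-Module SqlServer
$instance = 'localhost'

# Directories are taken from the catalog rather than the default install paths,
# because customized data, log and backup locations are exactly what default lists miss.
$query = @"
SELECT DISTINCT LEFT(physical_name, LEN(physical_name) - CHARINDEX('\', REVERSE(physical_name))) AS Dir
FROM sys.master_files
UNION
SELECT DISTINCT LEFT(physical_device_name, LEN(physical_device_name) - CHARINDEX('\', REVERSE(physical_device_name)))
FROM msdb.dbo.backupmediafamily
WHERE physical_device_name LIKE '_:\%'
UNION
SELECT CAST(SERVERPROPERTY('InstanceDefaultDataPath') AS nvarchar(260))
UNION
SELECT CAST(SERVERPROPERTY('InstanceDefaultLogPath') AS nvarchar(260))
"@
# On SqlServer module 22+ add -TrustServerCertificate if the instance uses a self-signed certificate.
$rows = Invoke-Sqlcmd -ServerInstance $instance -Query $query
$dirs = @($rows | ForEach-Object { $_.Dir.TrimEnd('\') } | Where-Object { $_ } | Sort-Object -Unique)

# Full-text catalogs live in FTData beside the instance's DATA folder (assumed default layout).
$dataPath = (Invoke-Sqlcmd -ServerInstance $instance -Query "SELECT CAST(SERVERPROPERTY('InstanceDefaultDataPath') AS nvarchar(260)) AS p").p
$ftData   = Join-Path (Split-Path $dataPath.TrimEnd('\') -Parent) 'FTData'
if (Test-Path $ftData) { $dirs += $ftData }

# Extensions from the posts: data, secondary data and log files, backups, traces and audit files.
$extensions = 'mdf', 'ndf', 'ldf', 'bak', 'trn', 'trc', 'sqlaudit'

Add-MpPreference -ExclusionPath $dirs -ExclusionExtension $extensions

# Confirm what the real-time scanner will now skip.
$prefs = Get-MpPreference
$prefs.ExclusionPath      | Sort-Object
$prefs.ExclusionExtension | Sort-Object
```

Re-run the discovery query after adding databases or changing backup destinations, since exclusions added here do not follow files that move.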
