Cyber Security Elements by NSS

News

20 Sep

The latest enhancements for Sophos Email Standard and Advanced customers make the management and reporting of email security even simpler. Here’s what’s changed:

New reporting

You can now view detailed summary information for every inbound and outbound message processed by Sophos Email.

Starting from the ‘Message History’ report in Sophos Central, simply select the new, clickable email subject line of the message you’d like to inspect to see a breakdown of helpful information, including:

  • Details of the sender, recipient, date and time
  • Full message header information and any attachments
  • Details of the steps the message has passed through in our scanning infrastructure
  • More visibility into the current status of the message within the scanning process, from receipt by Sophos to delivery to your inbox

Whether it’s responding to user requests on email delivery status or understanding reasons for a quarantined message, being able to quickly access details related to your organization’s emails is really useful for busy admins.

The Allow and Block Senders policy restricts messages to or from specific email addresses or domains, and it can apply to inbound or outbound messages. This latest update adds the ability to create IP address entries here, plus wildcards, including country-level domains such as .co.

Finding specific user mailboxes is also a simple task with the new Mailbox Search feature within the ‘Mailboxes’ menu option.

Want to find out more?

Check out the Sophos Email Security page for more information, and to sign up for a free 30-day trial.

16 Sep

Confusion between the terms ‘penetration testing’ and ‘vulnerability assessments’ often begins at the level of language. Those who are not full-time professionals in web security, such as journalists reporting on a big story that affects consumers, use the terms interchangeably, as if referring to the same process.

Experienced professionals in the industry know the difference, but those new to it can be easily confused. Why? Even professionals sometimes use terms in fuzzy or inexact ways, when they should distinguish between things that differ. Let’s be clear on the difference between the two.

What Are Vulnerability Assessments?

A vulnerability assessment involves running a series of tests against defined websites, web applications, IP addresses and ranges, using a known list of vulnerability classes, such as the OWASP Top 10. Assessors may also test systems they know to be misconfigured or unpatched. Automated security scanning tools are often used. Commercially licensed, subscription-based tools are generally regarded as lower risk, since regular updates and release notes make the inclusion of malicious code less likely. (Their open source equivalents, however, have the significant advantage of being the very same tools that malicious hackers prefer.)

Vulnerability assessments tend to include the following stages:

  • Identifying all resources, and connected resources, within an organisation’s IT systems
  • Assigning a value or priority to each one
  • Conducting an assessment of lists of known vulnerabilities across a large number of attack surfaces (from login screens to URL parameters to mail servers)
  • Fixing the most critical vulnerabilities and making decisions about how to deal with the rest

What is Penetration Testing?

Penetration testing (pen testing), on the other hand, while it may be considered a type of vulnerability assessment, involves replicating a specific type of attack that a hacker might carry out. A pen tester will often explore the systems until they find a vulnerability, and may use a vulnerability assessment tool to do so. Once they find something, they try to exploit it, to determine whether a hacker could achieve a particular objective (accessing, changing or deleting data, for example). While doing this they may encounter other vulnerabilities along the way and follow where they lead. At this point the pen tester may use an automated tool to run a series of exploits against the vulnerability.

Some penetration tests are referred to as ‘white box’ to indicate that the penetration tester has been given detailed information about the environment, such as a list of the organization’s assets, source code, employee names and email addresses. ‘Black box’ tests are conducted without any prior information about the internal structure, access to source code and so on. A black box test more closely resembles the activities of a malicious hacker, but may also give less thorough coverage of the company’s potentially vulnerable assets.


What Results Can I Expect From Each Approach?

The answer to this question is best found by thinking backwards: what results do you want?

Vulnerability Assessments Report Across All Vulnerabilities

The results are collated in an automated, often lengthy report, with a comprehensive list of detected vulnerabilities arranged by priority, determined by how severe and business-critical they are. Over time, successive reports reveal what has changed since the last one. One criticism of the results is that, unlike in penetration testing, they can contain false positives or false negatives. False positives are not a problem if you use the Netsparker web application vulnerability scanner for your vulnerability testing: one of its key features is Proof-Based Scanning, which automatically verifies identified vulnerabilities by safely exploiting them.

Reports should include guidance on how to remediate the detected vulnerabilities, and tools sometimes come with patches subscribers can use. In most cases, results are then allocated to dedicated development teams who conduct fixes, remove the most serious vulnerabilities, and otherwise address the less serious ones. In an ideal world, this activity is ongoing, scheduled regularly, and built into the organisation’s SDLC.
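To make the difference between a heuristic hit and a verified finding concrete, here is an added example written for this page; it is not Netsparker’s code and does not reproduce how Proof-Based Scanning is implemented. The two page functions (`raw_search_page`, `escaping_search_page`) are constructed stand-ins for HTTP responses, and the `nssprobe` marker is an arbitrary choice. A scanner that only checks whether its marker came back would report both pages; the verification step reports only the one that reflects attacker-supplied markup unencoded, and the triage step puts that finding ahead of the unconfirmed one.

```python
import html
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Finding:
    page: str
    parameter: str
    status: str    # "verified": payload reflected unencoded; "suspected": marker seen, but encoded
    evidence: str


def make_probe() -> str:
    """Unique marker with a random suffix, so a hit cannot be a coincidence with existing page text."""
    return "nssprobe" + secrets.token_hex(4)


# Constructed stand-ins for two hypothetical web pages. Each takes the value of a
# request parameter and returns the HTML the server would send back.
def escaping_search_page(value: str) -> str:
    """Safe page: the parameter is HTML-encoded before being written into the response."""
    return f"<html><body><p>You searched for: {html.escape(value)}</p></body></html>"


def raw_search_page(value: str) -> str:
    """Vulnerable page: the parameter is written into the response verbatim."""
    return f"<html><body><p>You searched for: {value}</p></body></html>"


def check_reflection(page: str, parameter: str, render: Callable[[str], str],
                     probe: Optional[str] = None) -> Optional[Finding]:
    """Send a tagged probe through the page and grade the result.

    A scanner that only looks for its marker text would flag both pages above.
    Demanding that the payload come back with its angle brackets intact is the
    proof: the page would emit attacker-supplied markup, so the finding is real.
    """
    probe = probe or make_probe()
    payload = f"<{probe}>"
    body = render(payload)
    if payload in body:
        return Finding(page, parameter, "verified",
                       f"payload {payload!r} reflected unencoded")
    if probe in body:
        return Finding(page, parameter, "suspected",
                       f"marker {probe!r} reflected, but encoded as {html.escape(payload)!r}")
    return None


def triage(findings: List[Finding]) -> List[Finding]:
    """Verified findings first, so remediation time goes to what is provably exploitable."""
    return sorted(findings, key=lambda f: (f.status != "verified", f.page, f.parameter))


if __name__ == "__main__":
    results = [f for f in (check_reflection("search", "q", raw_search_page),
                           check_reflection("help", "q", escaping_search_page))
               if f is not None]
    for f in triage(results):
        print(f"{f.status:9} {f.page}?{f.parameter}: {f.evidence}")
```

The same idea generalises to other injection classes: the proof is always an observable effect that cannot occur unless the flaw is real (a reflected tag, a measurable delay, a file read), rather than a pattern match on the response text.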

Penetration Testing Reports Deep Into Each Vulnerability

With pen testing, there is no lengthy public report, though some testers record and publish their actions and anonymised findings, blog about their experiments, or hack live at conferences. If you hire a pen tester, they should deliver a pen test report, but it tends to focus on the attack method or exploit and exactly what data could be compromised, generally accompanied by an account of what a hacker could do to, or with, that data. This helps business analysts and non-technical staff, who may not understand all of the technology behind such tests, grasp the business impact quickly.

Reports sometimes also include remediation advice. However, not all pen tests exploit vulnerabilities in the way that Netsparker does; it may be sufficient simply to demonstrate that an attack is possible. In some cases the report may only describe theoretical vulnerabilities, because attempting to exploit them could cause a catastrophic denial of service (DoS). And finally, there is no broad assessment of vulnerabilities, since the goal is to achieve one thing, or at least to determine whether it can be done.

Which Approach Should My Organisation Adopt?

The main question to ask is: What is your current security posture?

To be continued…

13 Sep

With the introduction of Sophos Wireless v2.0 and the new APX Series Access Points, we’re continuing the evolution of our security in order to connect multiple products via our Sophos Central security management platform.

When connected through our new APX Series access points, Sophos Wireless can not only talk to your endpoints but also your mobile devices and even your servers – as long as they’re connected via Wi-Fi.

What does synchronized security with Wireless do?

In this first phase, Wireless receives the Security Heartbeat of any Wi-Fi connected device, which is managed through the same Sophos Central account.

The heartbeat communicates the health state – green, yellow or red – and should a red heartbeat be detected, which can indicate anything from a minor compliance violation for a mobile device, to a ransomware attack on an endpoint or server – the device is automatically put into a ‘walled garden’.

As pleasant an image as that may conjure up in the horticultural sense, here it means that internet access is restricted to a list of pre-defined URLs – a safe environment – thus potentially preventing call-home attempts and further propagation of threats.

So generally speaking, walled gardens are much less fun in the world of Wi-Fi.

Take a look at this short video to see how it works.

Find out more at the Sophos Wireless page or take a look at the Sophos Central demo.

You can read the original article, here.

12 Sep

Cryptocurrencies like Bitcoin have been a source of worry since their creation. Fans of the technology say it is the future of money in terms of privacy and the verifiability of complex transactions, but there has always been a counter-argument that the real ‘value’ of cryptocurrency lies in uses such as tax avoidance and the purchase of illicit goods and services.

While governments, financial institutions and law enforcement have begun to address those concerns by attempting to regulate the marketplace, cryptocurrencies remain an attractive source of income when linked to malicious activity such as malware infections, which increases the popularity of these strains.

Because they are valuable, digital, pseudonymous and borderless – anyone can send cryptocurrency to anyone else, at any time and from anywhere – they have become an irresistible target for cybercriminals. It is no accident that the rising popularity of cryptocurrencies has been matched by a rise in malware infections that turn laptops and servers into zombie machines, quietly doing the bidding of a remote ‘mining’ operation.

Crypto-jacking takes place when someone else uses your computer to ‘mine’ a cryptocurrency like Bitcoin or Ethereum. Rather than benefiting you, any mined coins go into the attacker’s (or their client’s) account. By crypto-jacking your machine, the attacker steals your resources, in the form of processing power and electricity, and converts them into capital for themselves.

Those computing resources include your graphics processing unit (GPU) and central processing unit (CPU). Mining is an exceptionally power- and resource-intensive task, pushing those processors into overdrive and requiring large amounts of energy to complete the calculations needed to earn a coin. Pushing hardware to these levels without adequate cooling can easily cost you your pride and joy at home, or cause lost productivity at work when hardware fails from overheating.

That is what motivated a team of Russian scientists to use the supercomputer at a nuclear research facility for an unsanctioned bitcoin mining operation, and it is also what motivates crypto-jacking. By building a distributed computing network composed of hundreds or thousands of compromised ‘zombie’ machines, attackers sidestep the upfront cost of a single expensive super-powered computer and pass on the ongoing cost of powering it.

Those costs are passed on to us

The UK and Australian governments recently suffered website outages thanks to crypto-jacking code delivered through a compromised third-party plug-in embedded in thousands of websites, which served mining code to visitors’ browsers. Thousands of websites in and outside of Australia, including those of the UK’s National Health Service and the UK’s own data protection watchdog, were affected.

Windows machines tend to be the target of crypto-jacking malware, but other devices and operating systems can also be turned into bitcoin mining bots:

  • macOS and iOS devices, including iPhones
  • Gaming consoles
  • Environment-monitoring devices used in data centers
  • IoT devices within a smart home
  • Home Wi-Fi routers
  • Android-based smart TVs and mobile devices

A compromised device is often driven by the malware to the maximum its components can handle. Mining can slow other processes, overwork graphics cards and processors, or even brick the machine. With degraded capabilities, and with an unsecured connection between the infected host and the mining software’s command and control server, the machine can also become vulnerable to infection by other kinds of malware.

While an end user or network admin might realize that a machine is running more slowly than normal, or that CPU usage on the network is high, determining the source of the issue can be difficult. The fact that a crypto-jacked machine is running slowly also makes it harder to investigate. The mining processes initiated by the malware can also mask themselves as normal system tasks.

To stop crypto-jacking, cross correlate network anomalies

Unfortunately, there is no blanket protection against crypto-jacking. As with any malware there are multiple vectors of infection and keeping them out of connected machines is part of the long-term battle against malware.

Security teams should of course, follow standard mitigation techniques – updating antivirus and firewall settings, ensuring all devices are updated with the latest patches, changing or strengthening default credentials, application whitelisting and so on.

But the biggest challenge to stopping crypto-jacking is detection. Proactively monitoring network traffic and machine status can help spot the indicators of infection – spikes in CPU usage, excessive memory usage, network congestion, or servers inexplicably slowing down. However, when seen in isolation, these red flags may not be enough to raise the alarm.

The key is to have network monitoring systems capable of cross-correlating the anomalies. Only then can a system administrator or SOC team identify the behavioral patterns that point to bitcoin or other cryptocurrency mining. They can then decide on the best approach to stopping it, mitigating the damage, and limiting the size of the energy bill created by the infection.
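As an added illustration of the cross-correlation the paragraph above calls for (example code written for this page, not a Sophos product feature and not taken from the original article), the script below joins endpoint CPU samples with outbound flow records and only raises an alert when a sustained CPU spike coincides with a network indicator of pool mining. All telemetry is constructed inline; the pool port list and the Stratum method names are assumptions for the example rather than an authoritative indicator set.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ports often used by public mining pools. This set is an assumption for the example;
# a real deployment would maintain it from its own threat intelligence.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# JSON-RPC method names seen in the first message of a Stratum-style pool session
# (also an assumption; "login" is the handshake used by CryptoNote-style pools).
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}

# --- Constructed sample telemetry, not real captures -------------------------
# Endpoint agent samples: (host, minute, cpu_percent)
CPU_SAMPLES: List[Tuple[str, int, float]] = (
    [("ws-17", m, 97.0) for m in range(12)]              # desktop pegged for 12 minutes
    + [("build-02", m, 95.0) for m in range(12)]         # CI box doing a legitimate compile
    + [("ws-03", m, 12.0 + (m % 3)) for m in range(12)]  # idle workstation
)

# Network sensor records: (host, destination port, first bytes of the outbound payload)
FLOWS: List[Tuple[str, int, str]] = [
    ("ws-17", 3333, '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"wallet","pass":"x"}}'),
    ("build-02", 443, "\x16\x03\x01"),                   # TLS client hello to a package mirror
    ("ws-03", 4444, "SSH-2.0-OpenSSH_8.4"),               # admin's SSH server on a non-standard port
]


@dataclass
class HostVerdict:
    host: str
    signals: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """Alert only when the resource symptom and a network indicator coincide."""
        has_cpu = any(s.startswith("cpu:") for s in self.signals)
        has_net = any(s.startswith("net:") for s in self.signals)
        return has_cpu and has_net


def sustained_high_cpu(samples, host: str, threshold: float = 90.0, min_minutes: int = 10) -> bool:
    """True if the host logged at least min_minutes of samples at or above threshold."""
    busy = sum(1 for h, _minute, cpu in samples if h == host and cpu >= threshold)
    return busy >= min_minutes


def looks_like_stratum(first_bytes: str) -> bool:
    """Stratum is newline-delimited JSON-RPC; inspect the method of the first message."""
    try:
        msg = json.loads(first_bytes.strip().splitlines()[0])
    except (ValueError, IndexError):
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def correlate(samples, flows) -> Dict[str, HostVerdict]:
    """Attach each signal to its host; HostVerdict.suspicious decides whether they add up."""
    verdicts: Dict[str, HostVerdict] = {}
    for host in {h for h, _m, _c in samples} | {h for h, _p, _b in flows}:
        verdicts[host] = HostVerdict(host)
        if sustained_high_cpu(samples, host):
            verdicts[host].signals.append("cpu: sustained >= 90% for 10+ minutes")
    for host, port, first_bytes in flows:
        v = verdicts[host]
        if port in POOL_PORTS:
            v.signals.append(f"net: outbound to common pool port {port}")
        if looks_like_stratum(first_bytes):
            v.signals.append("net: Stratum-style JSON-RPC handshake in first bytes")
    return verdicts


def flagged_hosts(samples=CPU_SAMPLES, flows=FLOWS) -> List[str]:
    """Hosts whose combined signals meet the correlation rule."""
    return sorted(h for h, v in correlate(samples, flows).items() if v.suspicious)


if __name__ == "__main__":
    for host, v in sorted(correlate(CPU_SAMPLES, FLOWS).items()):
        print(f"{host:9} {'SUSPICIOUS' if v.suspicious else 'ok':10} {v.signals}")
```

Note what the rule does and does not flag: the CI server pegged at 95% with nothing but a TLS connection stays quiet, as does the workstation whose admin runs SSH on port 4444, because in each case only one of the two signal classes is present. Only the desktop that is both saturated and talking Stratum to a pool port is raised.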

Securing email gateways, developing countermeasures against web injections, implementing best practice for mobile devices, BYOD (Bring your own device), and promoting a security-aware business culture can all form part of a defense-in-depth against crypto-jacking and other breaches.

Ultimately, however, the security of internet-connected devices against cryptocurrency-mining malware is going to be a top item on the cybersecurity agenda for some time to come.

You can read the original article, here.

31 Aug

This three-day training programme is designed for experienced technical professionals who want to install, configure and support the XG Firewall in production environments, and is the result of an in-depth study of Sophos’s next-generation firewall.

The programme consists of presentations and practical workshops that reinforce the teaching content. Given the nature of the material and the varied experience of the trainees, open discussion is encouraged during the training.

Prerequisites

Participants should have attended the XG Engineer Course.

Recommended Knowledge

  • Knowledge of networking to a CompTIA N+ level
  • Knowledge of IT security to a CompTIA S+ level
  • Experience configuring network security devices
  • Be able to troubleshoot and resolve issues in Windows networked environments
  • Experience configuring and administering Linux/UNIX systems

Contents

  • Module 1: Enterprise Deployment Scenarios
  • Module 2: Advanced Firewall
  • Module 3: Authentication
  • Module 4: Webserver Protection
  • Module 5: RED Management
  • Module 6: Wireless Protection
  • Module 7: Enterprise VPN
  • Module 8: High Availability
  • Module 9: Troubleshooting
  • Module 10: Sizing

Certification

+ exam: Sophos XG Architect

Duration

3 days 

Agenda

Trainer: Michalis Eleftheroglou

Day 1 Monday, October 29th, 2018

9:30-10:15 Module 1: Enterprise Deployment Scenarios Part I

  • Bridge mode
  • Gateway mode
  • Mixed mode

10:15-10:30 Break

10:30-12:00 Enterprise Deployment Scenarios Part II

  • VLAN
  • Link Aggregation
  • Routing protocols

12:00-12:15 Break

12:15-13:45 Advanced Firewall  Part I

  • Stateful inspection
  • Strict policy
  • Fast path
  • Intrusion prevention
  • Anti-DoS/flooding
  • Advanced Threat Protection

13:45-14:45 Break – Lunch

14:45-16:15 Advanced Firewall  Part II

  • Asymmetric routing
  • Local NAT policy
  • DHCP options
  • Bind to existing DHCP scope
  • Country list
  • Drop packet capture
  • IPS tuning

16:15-16:30 Break

16:30-17:15 Module 4: Webserver Protection

  • Overview
  • Web Servers
  • Application Protection policies
  • Path specific routing
  • Authentication policies
  • Certificates

Day 2 Tuesday, October 30th, 2018

9:30-10:15 Module 3: Authentication

  • Single sign-on (SSO)
  • LDAP integration
  • Secure LDAP
  • STAS (Sophos Transparent Authentication Suite)
  • Troubleshooting STAS

10:15-10:30 Break

10:30-12:00 Authentication part II

  • Sophos Authentication for Thin clients (SATC)
  • Troubleshooting SATC
  • NTLM
  • Troubleshooting NTLM

12:00-12:15 Break

12:15-13:45 Module 5: RED Management

  • Overview
  • RED Models
  • Deployment
  • Adding a RED interface
  • Balancing and failover
  • VLAN port configuration

13:45-14:45 Break – Lunch

14:45-15:30 Module 6: Wireless Protection

  • Overview
  • Access Points
  • Wireless networks
  • Security modes
  • Deployment
  • Built-in wireless
  • Mesh networks
  • RADIUS authentication
  • Class Activity

15:30-15:45 Break

15:45-17:15 Module 7: Enterprise VPN

  • Hub and spoke topology
  • IPsec VPN configuration
  • IPsec VPN policies
  • NAT overlap
  • Route precedence
  • VPN failover
  • Logs
  • Troubleshooting

Day 3, Wednesday, October 31st, 2018

9:30-11:00 Module 8: High Availability

  • Overview
  • Prerequisites
  • HA packet flow
  • Configuration
  • HA status
  • Console commands
  • Logs
  • General Administration

11:00-11:15 Break

11:15-12:00 Module 9: Troubleshooting

  • Consolidated Troubleshooting Report
  • SF loader
  • Tcpdump

12:00-12:15 Break

12:15-13:45 Module 10: Sizing

  • Hardware appliance models
  • Hardware appliance sizing
  • Software and virtual devices
  • Sizing scenarios
  • Class activity

13:45-14:45 Break – Lunch

14:45-17:15 Labs and Exams

29 Aug

At Sophos, we believe in being “channel best,” which is why we’re proud to announce that we swept the Network and Endpoint Security categories at this year’s CRN Annual Report Card awards this month.

Not only were we named the “Overall Winner” in Network Security for the third year running, we were also named “Overall Winner” in Endpoint Security, and ranked highest for product innovation, support, partnership, and managed and cloud services. That’s right, we received top marks in each of the sub-categories for both Endpoint Security and Network Security.

In addition, we scored 100 for “Ease of Doing Business” in Network Security, and were the only vendor to receive that score for that criterion across all of the categories.

To determine the award winners The Channel Company’s research team produces an in-depth, invitation-only survey, asking over 3,000 solution providers to evaluate their satisfaction with more than 65 vendor partners in 24 major product categories. Considering how extensive the competition for the awards is, you’ll understand why we are overjoyed by the recognition.

Kendra Krause, vice president of global channels at Sophos, said of the win:

“Sophos is a next-generation cybersecurity company with a commitment to be ‘channel best’ across its entire business. It’s exciting to be recognized by our partners for our innovative network and endpoint security technologies, comprehensive support, partner program benefits, and managed services”.

Bob Skelley, CEO of the Channel Company, described the awards as “one of the industry’s most prestigious honors”, and explained that winning one “symbolizes a vendor’s dedication to delivering high quality and innovative product and program offerings to their channel partners.”

You can take a look at the 2018 Annual Report Card results online, which will also be featured in the October issue of CRN.

28 Aug

There are numerous things you can do with Sophos Central, our cloud-based management platform. You can manage networking products, mobile devices, phishing training and more. You’d think with so much functionality it would be complicated, but as happy customer Igor Bovio explains, it’s easy to use:

“With Sophos Central, the IT system is able to respond to cyber attacks with a simple click” says Igor Bovio.

More than 90% of our Sophos Central customers already combine it with some form of endpoint product, whether it’s our Endpoint Advanced offering or Intercept X.

For first-time customers logging into Sophos Central, and for those who just want a refresher, we’ve created a 12-minute guided video tour that provides a quick overview of the Sophos Central platform. It walks through how to set up various endpoint policies, offers advice for getting end users into the system, and covers how to deploy the all-in-one software agent onto those users’ machines.

Think of Sophos Central as a theme park: you can burst through the gates and head right for the roller coaster, or you can hop on the trolley and take a little tour first. For those of you looking to get a lay of the land, we hope this video serves you well. Enjoy!

24 Aug

CyberArk, the global leader in privileged access security, today announced the availability of its SAP-certified CyberArk Privileged Access Security Solution. The solution can strengthen and extend security across SAP environments, including SAP ERP systems, by protecting against privileged access-related risk and credential compromise.

The CyberArk Privileged Access Security Solution achieved SAP certification as Integrated with SAP NetWeaver technology platform. It enables organizations to improve operational efficiencies and safeguard critical assets from external attackers and malicious insiders. With more than 90 percent of the Global 2000 relying on SAP applications to run their organizations, powerful credentials for these applications and systems are sought out by attackers to gain access to business-critical information and assets.

This certification extends CyberArk’s existing SAP integrations, which are available to customers on the CyberArk Marketplace. SAP is also a new member of the C3 Alliance, CyberArk’s global technology partner program.

The CyberArk Privileged Access Security Solution enables organizations to:

  • Manage and secure SAP credentials: Organizations can strengthen their overall security posture and improve operational efficiencies by onboarding accounts into CyberArk’s encrypted centralized repository. With CyberArk they can also automate password rotation and enable multi-layered privilege access security control across the SAP stack – from the application layer to databases, operating system and servers.
  • Reduce privileged access security risk: Organizations can quickly detect and halt suspicious activity by monitoring SAP privileged user activity. CyberArk complements SAP’s security controls by managing, protecting and controlling the use of privileged accounts. CyberArk provides a consistent approach to reducing privileged access security risk across the entire enterprise for SAP solutions and other high-value applications and infrastructure.
  • Meet compliance requirements: Organizations can easily demonstrate compliance with internal enterprise policies and various industry regulations – including SOX, PCI DSS, GDPR and more – with complete visibility into SAP privileged account controls and activity records.

“The CyberArk Privileged Access Security Solution enables SAP-focused organizations to move forward with the confidence that only an SAP certified solution delivers,” said Adam Bosnian, executive vice president, global business development, CyberArk. “CyberArk enhances existing risk management and compliance initiatives in SAP environments and extends privileged access security, a critical layer of IT security, to essential business systems. CyberArk delivers an innovative and impactful solution for privileged access security that can scale effectively with these organizations.”

23 Aug

Real-life cyber threat headlines, Hollywood scripts and great animations come to Phish Threat.

“I’ll admit I’m not the most avid reader. The annual holiday-readathon when TV and YouTube are put on pause for 2 weeks is usually as far as I get.

It’s the same when it comes to training or learning new skills. With a choice between wading through notes and attending a lecture or watching a video with real stories and examples, most of us would choose the video every time.”

Security awareness training the Sophos way

Phish Threat from Sophos is all about delivering security awareness training in this way – consumable and engaging, with a variety of videos, games and interactive quizzes to make training content memorable.

Combining phishing simulations with security awareness and compliance training modules, we’re able to seize that ‘teachable moment’ directly following someone’s cybersecurity mistake (such as clicking on a simulated phishing email link).

https://vimeo.com/148154237

Bringing training to life

Stories help make training resonate, and they inspire us to act – moving training on from you simply ‘knowing’, to you ‘doing’. That’s why we’re excited to announce our latest Phish Threat learning partnership with Ninjio.

Ninjio shares our approach of short, engaging training, and its unique style recently scooped it the Gartner Customer Choice award for Computer Based Training 2018. By dramatizing real-life cyber threat headlines, with Hollywood script writers and great animations, Ninjio brings these stories to life for employees.

Launching later this summer, we’re excited to add these great additions to the growing range of Sophos Phish Threat learning videos. Look out for the launch information soon, and, for now, take a sneak peek at Ninjio’s latest work…

You can read the original article, here.

20 Aug

Savvy security practitioners understand that one of the most important preventative steps they can take to bolster their cyber security posture is to secure privileged access – including privileged accounts, credentials and secrets. Protecting privilege is a process, and it is often a key element of an enterprise-wide security program. Perhaps you are wondering if there is a guide with actionable, yet easy-to-understand, information about establishing and maintaining a privileged access security program that you could flip open and reference.

Look no further than the new Privileged Access Security for Dummies guide. Brought to you by CyberArk, this guide is meant for an extended team to read – from CISOs to developers – and not just IT security. Often, cyber security books go into significant technical depth, which is great for highly technical audiences. You should expect this guide to be conversational, with plenty of examples, analogies and elements designed to make this important security topic more approachable. With this quick and easy guide, readers can better understand and articulate the need to prioritize reducing the risk associated with privileged access.

Inside, you’ll meet a full cast of characters – from Billy the “freelance hacker” who has made a career out of phishing unsuspecting corporate victims, to “Liam the Leak,” an engineer with access to sensitive data, who’s been passed over for a promotion one too many times. Through their stories, you’ll gain tips, technical insights and lessons others have learned – sometimes painfully so.

Download Privileged Access Security for Dummies today to:

  • Discover the many types of privileged access used by humans and non-human automated processes
  • Learn more about data loss, compliance, audit and third-party risks
  • Get tips for establishing a privileged access security program
  • Explore a 10-step approach for securing privileged access across the enterprise

Get smart on privileged access security. Download the free guide today.

You can read the original article, here.

16 Aug

Yesterday evening I felt an all-too-familiar mix of pride and embarrassment as my seven-year old daughter patiently walked me through some of the more advanced features on our TV.

As well as enhancing my viewing it also got me thinking: if I hadn’t had my own ‘advanced technical adviser’, I would have missed out on a whole range of things that our TV package has to offer.

I suspect this is a pretty common scenario with a host of software and devices, both at home and at work.

Fortunately, when it comes to Sophos Central Endpoint and Intercept X, help is at hand.

Intercept X Endpoint Resource Page

The Intercept X Endpoint resource page is your new go-to place for all things Intercept X and Sophos Central Endpoint.

It gives you easy access to the Knowledge Base, community forums and documentation, as well as links to important product lifecycle information.

New customers can take advantage of practical tips to help them get up and running, including the new Getting Started overview video.

Intercept X Endpoint How-to Library

The How-to Library is designed to help you make the most of your investment. It brings together a collection of videos, articles and PDF guides on a range of topics, from getting started, to malware detection and troubleshooting.

Whether you’re new to Sophos or an old-hand, we hope you’ll find it useful.

Both pages can be accessed from the support section on our website, or directly at:

Not just for Endpoint!

Running Sophos XG Firewall or Sophos Central Server Protection? If so, we have new resource pages for you too.

The XG Firewall resource page and How-to Library give you easy access to all our most popular firewall resources, while the Server Protection resource page and How-to Library brings together all things Sophos Central Server.

You can read the original article, here.

12 Aug

To understand what cryptojacking is, you first need to understand cryptomining.

Cryptomining is a little like gold mining: as with gold, there is a finite supply of coins, but not all of them have been released yet. Miners ‘extract’ new coins by solving computationally expensive puzzles with large amounts of processing power; once a solution is verified by the network, the miner is rewarded.

Cryptomining becomes cryptojacking when it is done illegally, without authorization. All cybercriminals have to do to make money from cryptomining is steal CPU power – from any user – to solve the puzzles and bring the coins to light.

Cryptojacking can happen in two different ways. An in-browser approach injects a mining script into a web page, so that a visitor’s browser burns their CPU to mine coins for as long as the page is open. Alternatively, cybercriminals can bypass the browser and install a cryptominer directly on the victim’s machine, for example via a malicious link.

To find out more about in-browser cryptominers vs installed cryptomining malware, and how to tell and what to do if you have a cryptominer installed, check out the Naked Security article «Cryptojacking for beginners – what you need to know».

Read the original article, here.


6 Aug

Sophos Intercept X Advanced was the top-ranked solution for both enterprise endpoint protection and small business endpoint protection in the new SE Labs endpoint protection test report (Apr-Jun 2018). Sophos received a 99% protection accuracy rating, 100% legitimate accuracy rating and 100% total accuracy rating. Each of these scores was the highest in the test.

This is the first time the combination of Intercept X and Central Endpoint Advanced (Intercept X Advanced) has been tested publicly and we are delighted with the results.

SE Labs tested endpoint solutions on their abilities to stop targeted and live, in-the-wild attacks in real time, as well as their false positive impacts. According to the SE Labs test: “Sophos Intercept X Advanced blocked all of the public and targeted attacks. It also handled the legitimate applications correctly”.

As a result, SE Labs awarded Sophos Intercept X Advanced its AAA award for both enterprise and small business protection.

Sophos was also recently ranked #1 for malware protection and exploit protection by MRG Effitas. The endpoint protection in Intercept X Advanced is driven by the combination of deep learning, anti-exploit capabilities, anti-ransomware technology, and other modern endpoint protection techniques – all paired with our foundational endpoint security technology.

Like Sophos, SE Labs is an active member of the Anti-Malware Testing Standards Organization (AMTSO). In fact, SE Labs were the first testing organization to achieve AMTSO Standard compliance.

You can read the original article here.

1

Aug

Sophos is proud to be positioned among the “Visionaries” in the 2018 Gartner Magic Quadrant for Unified Endpoint Management (UEM).

Gartner states that: Unified endpoint management (UEM) tools combine the management of multiple endpoint types in a single console.

UEM tools perform the following functions:

  • Configure, manage and monitor iOS, Android, Windows 10 and macOS, and manage some Internet of Things (IoT) and wearable endpoints.
  • Unify the application of configurations, management profiles, device compliance and data protection.
  • Provide a single view of multidevice users, enhancing efficacy of end-user support and gathering detailed workplace analytics.
  • Act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure.

Sophos Mobile has evolved from best-in-class mobile management software into a fully-fledged UEM and security service that helps businesses spend less time and effort managing and securing corporate and personal devices and users.

Sophos Mobile is the only UEM service that integrates natively with a leading next-gen endpoint security platform, supporting management of Windows 10, macOS, iOS, and Android devices.

Discover Unified Endpoint Management with Sophos Mobile at sophos.com/mobile

https://news.sophos.com/en-us/2018/07/24/gartner-names-sophos-as-a-visionary-in-the-first-uem-magic-quadrant/

31

Jul

Eric Vanderburg, Vice President of Cybersecurity at TCDI, highlights the key questions to consider when identifying your organisation’s data, its importance and the level of protection required…

I always figured that you would need to know what you have in order to protect it. However, I have seen far too many companies implement “best practices,” standards, or compliance programs without first understanding what they have to protect.

Asset inventory systems are bundled into many security systems or other management tools, but these systems track only hardware. IT systems management software tracks operating systems and software, but neither of these systems addresses the security need. The loss of a laptop or smartphone is a loss of a few hundred dollars. The loss of customer records, business strategies, software code or proprietary formulas, however, far exceeds the cost of the hardware. Thus, it is the data that information security needs to protect, and while the data does reside on top of hardware and software, the key to protecting data resides in first understanding the data.

Data can be described by the five W’s: who, what, where, when and why.

Who created the data?

Presumably, someone created the data for a reason. This person, the data owner, has the initial responsibility for storing the data in an appropriate location and for granting access to the data, so it is important to know who these people are.

What information does the data contain?

Classify the data so that you can understand if it should be protected from loss or disclosure and how much effort should be expended in defending it.

Where is the data located?

The location of the data determines the level of organizational control that can be enacted over the data. An organization would have little control over data on a social network, but they may have a great deal of control over data in an Enterprise Resource Planning (ERP) tool.

When was the data created?

Other good questions include: when was it accessed, and when was it archived? This standard metadata, consisting of items such as creation, access and archive dates, creator, file size and type, is important because it can show how important the data is to the company. Less frequently used data is generally considered less important. It is also important to know when the data was last archived or backed up, since this determines whether the data can be recovered if it is lost, stolen or corrupted.

Why does the data exist?

This is one of the most important questions because data that is not needed should be deleted. There is no reason to protect data that provides no value. This data is only a liability, for the loss of the data could impact the organization. Even if the loss is inconsequential, storing, indexing and managing data takes time and money, so organizations would be well served to remove nonessential data.

Why waste time and money implementing security that does not address the data itself? This all too common approach often results in some data being under-protected or not protected at all, while other data is over-protected. Furthermore, since the organization does not know about some of its data, a breach of that data is more likely to go unnoticed. Understand the five W’s and create security controls, policies and procedures to govern how the data is used, stored, shared and deleted.
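As an added illustration (not part of Vanderburg’s article), the script below records the five W’s for every file under a directory and then applies the “when” and “why” tests to the result. The classification keywords, the one-year staleness threshold and the backup index are assumptions standing in for an organisation’s own policy and backup catalogue.

```python
"""Five-W data inventory: who/what/where/when per file, then the 'when' and
'why' review. Added example, not from the article; keywords, threshold and
the backup index are assumptions."""
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

try:
    import pwd  # POSIX owner lookup; not available on Windows
except ImportError:  # pragma: no cover
    pwd = None

DAY = 86400.0
# Assumed rule of thumb: a keyword in the filename implies a sensitivity label.
KEYWORDS = {"customer": "confidential", "strategy": "restricted",
            "formula": "restricted", "src": "internal"}


@dataclass
class DataRecord:
    who: str        # owner: the closest thing the filesystem knows to 'creator'
    what: str       # classification label
    where: str      # absolute path
    created: float  # 'when' fields, epoch seconds
    modified: float
    accessed: float
    size: int
    kind: str       # file extension


def classify(name: str) -> str:
    """'What': label a file from keywords in its name (assumed policy)."""
    lower = name.lower()
    for keyword, label in KEYWORDS.items():
        if keyword in lower:
            return label
    return "unclassified"


def owner_of(uid: int) -> str:
    """'Who': resolve the owning uid to a user name where possible."""
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return f"uid:{uid}"


def inventory(root: str) -> List[DataRecord]:
    """Answer who/what/where/when for every regular file under root."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.abspath(os.path.join(dirpath, name))
            st = os.stat(path)
            records.append(DataRecord(
                who=owner_of(st.st_uid), what=classify(name), where=path,
                created=st.st_ctime, modified=st.st_mtime, accessed=st.st_atime,
                size=st.st_size, kind=os.path.splitext(name)[1].lower()))
    return records


def review(records: List[DataRecord], last_backup: Dict[str, float],
           now: float, stale_days: int = 365) -> List[Tuple[str, str]]:
    """Apply the article's tests: can the data be recovered, is it still
    used (the 'why'), and has the owner classified it?
    last_backup maps path -> epoch time of its most recent backup."""
    findings = []
    for r in records:
        backed = last_backup.get(r.where)
        if backed is None:
            findings.append((r.where, "never backed up"))
        elif backed < r.modified:
            findings.append((r.where, "changed since last backup"))
        if now - r.accessed > stale_days * DAY:
            findings.append((r.where, f"not accessed in {stale_days} days: deletion candidate"))
        if r.what == "unclassified":
            findings.append((r.where, "no classification: owner must assign one"))
    return findings


if __name__ == "__main__":
    import time
    for path, reason in review(inventory("."), {}, time.time()):
        print(f"{reason}: {path}")
```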

https://www.boldonjames.com/the-5-ws-of-data-identification-and-inventory/

1

Jun

If you haven’t been keeping track, there’s been a flurry of updates for XG Firewall recently. In fact, we just released Maintenance Release (MR) 4 for XG Firewall v16.5. This marks the fourth update in as many months, rapidly responding to field reported issues and improving the stability and performance of your XG Firewall.

It’s extremely important that you keep your XG Firewall up to date with the latest firmware release. Every update contains important patches, bug fixes, and enhancements.

But, one of the questions I often hear is… How do I stay up to date with all the latest XG Firewall releases?

Release Notes for XG Firewall

All Release Notes for XG Firewall are published on the XG Firewall Community Release Notes Blog.

Automatic Email Notification

Of course, you can periodically check the Release Notes Blog; however, I have some inside tips for getting an automatic email notification for every XG Firewall release.

First, if you don’t already have one, you’ll need to create a Sophos ID…

Go to sophos.com/xg-community and click the silhouette icon in the upper right corner of the screen to log in or create your Sophos ID:

Once you’ve signed up or signed in, you can go to the XG Firewall Community Release Notes Blog, click the gear icon in the upper right of the blog roll, and select “Turn Blog notifications on”…

You will now receive an automatic email notification to your Sophos ID email address whenever there is an update.

You can check the status of your subscriptions by clicking your account icon in the very upper right of the screen, choosing “Settings”, and then selecting the “Subscriptions” tab…

Keeping your XG Firewall Firmware Up to Date

Whenever you see a firmware update in your XG Firewall Notifications Area, apply it as soon as you can schedule a reboot.

If you want to see how easy it is to update your device firmware, watch this short How-To Video…

You can read the original article here.

28

May

Cyber-attacks are making the lives of internet users very difficult. Ransomware in particular has been one of the most disruptive types of attack that hackers are using. Unfortunately, ransomware attacks are accelerating and intensifying, with more victims each and every day. Take the most recent example, WannaCry, which took over the news at the end of last week and has infected over 200,000 computers in over 74 countries.

Small businesses and start-ups are highly susceptible to cyber-attacks like this. Last year alone, 43% of attacks were on small businesses, a number that continues to increase. With a smaller budget and lack of resources, it can be almost impossible to recover your data, find the attacker or even pay the ransom.

That is why you need a strategy for preventing ransomware before it wreaks havoc on your day-to-day business.

What Is Ransomware?

Ransomware is a type of malware that gains access to a device’s operating system and encrypts user data, blocking the user from accessing that information. In order to regain access to the blocked data, the victim has to pay the ransom demanded by the hacker.

Until the ransom is paid, the attacker will not decrypt the data files or release them back to your business. Even when you pay the ransom, you cannot be sure that your data is returned to you in the same state it was taken, or that the hacker hasn’t retained a copy for themselves.

Types of Ransomware That Can Affect Your Start-Up

To avoid becoming a ransomware victim, you must be aware of the various types of ransomware attack and their severity. There are certain signs that can tell you which type of ransomware is holding your system’s data hostage.

Scareware

This type of ransomware is the least harmful and, despite its name, not very scary at all. When a device is hit by scareware, it shows warnings about umpteen issues in the system. The warnings come from spurious antivirus or clean-up tools, which demand money to fix the problems they claim to have found.

In this kind of ransomware attack, your system keeps working and your data is normally safe. However, if you leave it unresolved, it will continue to show pop-up warnings claiming to ‘discover’ new issues in your system.

Lock-Screen Ransomware

If you start your device and find a frozen window, you might have lock-screen ransomware on your device. This ransomware displays a full-screen locked window, sometimes carrying an FBI or Department of Justice logo, claiming that you have participated in an illegal act and demanding a ‘fine’ for it.

Encrypting Ransomware

Encrypting ransomware is ultimately the most common and the most troublesome to resolve (and is also the kind used in the aforementioned, widespread WannaCry attack). Encrypting ransomware, as its name implies, encrypts the files on the infected device and demands money to decrypt the data. It is considered one of the most harmful ransomware types because, once you are a victim, it is highly unlikely you can recover or access your data without paying.

How to Prevent Ransomware

The best way to protect your device from a ransomware attack is to follow the precautionary measures outlined in this article. All of the methods discussed here will allow you to prevent a ransomware invasion without spending a cent.

Data Backup

For all of your valuable and sensitive data files, the most important step is to create backups. To keep a copy of your valuable data, you could use cloud storage (many companies offer free services up to a certain limit). You could also use removable disks to maintain data backups.

This won’t stop the attacker from gaining access to your systems, but you will still have access to your files, and you will be able to remove the ransomware and recover all your most valuable company data.

Enhancing Spam and Email Security

Ransomware attackers spread their destructive malware through botnets that deliver huge volumes of spam email. They create a link that downloads the malware the moment it is clicked, and all you have to do is fall into the trap! Modern email systems allow you to adjust and tune your anti-spam filters. Consider changing your spam filter settings so that virus-contaminated emails can’t make it into your inbox.

More importantly, educating employees on how to identify phishing emails can go a long way towards preventing ransomware from entering your network, since these spoofed emails are commonly used to trick people into downloading malicious attachments. Phishing simulation tests are a tried and true method of introducing employees to common tactics so they don’t fall victim.

Install Firewall Protection and Anti-Virus Software

Most ransomware requires a connection to its command and control servers to obtain the keys it needs during the encryption process. However, Windows Firewall and additional firewall apps can recognize and block this kind of traffic, preventing the malware from encrypting your data. Thus, the attack is stopped before it has even started.

Block Risky File Extensions

Extensions such as .pif, .cmd, .bat, .scr, .vbs, .rtf, .docm, .rar, .zip, .js and .exe mark risky file attachments that could contain ransomware Trojans. It is a good move for your business to configure your email system so that it stops incoming messages carrying potentially harmful content.

You should block any attachment that requires macros to be enabled in Office documents or that wants to execute scripts.
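The two rules above, as an added example that is not part of the original article: the script screens every attachment of an inbound message against the extension list, strips the trailing dots and spaces that Windows ignores, and looks inside Office files for a VBA macro project. The sample message, the macro check and the extra macro-enabled extensions (.xlsm, .pptm) are assumptions.

```python
"""Screen inbound e-mail attachments for risky extensions and for Office files
carrying a VBA macro project. Added example, not code from the article; the
extension list beyond the article's, the macro check and the sample message
are constructed for illustration."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions from the article, plus the other macro-enabled Office formats
# (assumption: these are what "requires activation of macros" refers to).
RISKY = {".pif", ".cmd", ".bat", ".scr", ".vbs", ".rtf", ".docm", ".rar",
         ".zip", ".js", ".exe", ".xlsm", ".pptm"}


def risky_reason(filename: str) -> str:
    """Return why a filename is risky, or '' if the name alone is not.
    Trailing dots/spaces are stripped because Windows ignores them, so
    'report.exe ' is still an executable; 'invoice.pdf.exe' is caught because
    only the final extension decides how Windows opens the file."""
    name = filename.strip().rstrip(". ")
    if "\u202e" in name:  # right-to-left override hides the real extension
        return "right-to-left override in filename"
    lower = name.lower()
    for ext in sorted(RISKY, key=len, reverse=True):
        if lower.endswith(ext):
            return f"blocked extension {ext}"
    return ""


def has_vba_project(payload: bytes) -> bool:
    """True if payload is an OOXML (zip) file containing a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = risky_reason(name)
        if not reason and has_vba_project(part.get_payload(decode=True) or b""):
            reason = "contains VBA macro project"
        if reason:
            findings.append((name, reason))
    return findings


def _ooxml_with_macro() -> bytes:
    """Constructed minimal zip that looks like a macro-carrying Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample: one benign attachment, two that should be blocked."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # extension not on the list, but the content carries a macro project
    msg.add_attachment(_ooxml_with_macro(), maintype="application",
                       subtype="octet-stream", filename="order.docx")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```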

Avoid Using Remote Services

Sometimes ransomware attackers use remote support apps to push an infection onto a device. Such an attack was reported in March 2016, when the Surprise ransomware was delivered through the TeamViewer remote support app. To prevent such an attack, you should set up two-factor authentication for connections to any remote service.

Rename ‘vssadmin.exe’

An attacker can use the vssadmin.exe tool with the command vssadmin Delete Shadows /All /Quiet to delete the Volume Shadow Copies of your files, leaving you unable to restore previous versions of your files.

It is recommended that you rename vssadmin.exe so that the ransomware cannot find the tool and use it to delete your shadow copies.
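A detection for the step above, as an added example that is not from the original article: it scans process-creation records for a command line asking to delete shadows, so a renamed copy of vssadmin.exe is still caught, and rates the alert higher when the launching process lives in a user-writable path. The record format and the sample lines are constructed, modelled loosely on what Sysmon or Windows 4688 events provide.

```python
"""Detect shadow-copy deletion in process-creation records. Added example,
not from the article; log format, field names and sample lines are
constructed, not real logs."""
import re
from dataclasses import dataclass
from typing import List

# Constructed records: time|user|parent image|image|command line
SAMPLE_LOG = """\
2017-05-12T10:01:03Z|CORP\\alice|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
2017-05-12T10:02:11Z|NT AUTHORITY\\SYSTEM|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2017-05-12T10:03:40Z|CORP\\backupsvc|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2017-05-12T10:04:02Z|CORP\\bob|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|VSSADMIN.EXE  Delete   Shadows /For=C: /Quiet
2017-05-12T10:05:30Z|CORP\\bob|C:\\Windows\\System32\\cmd.exe|C:\\Temp\\vss_backup.exe|"C:\\Temp\\vss_backup.exe" delete shadows /all /quiet
"""

# Match the arguments, not the image name: a renamed vssadmin.exe still
# has to be told to "delete shadows".
DELETE_SHADOWS = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)

# Directories a normal user can write to; a parent or image living there
# is a stronger signal than the tool run from System32 by an admin.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\",
                 "\\programdata\\")


@dataclass
class ProcessEvent:
    time: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse pipe-separated records; the command line is the last field
    and may itself contain spaces, so split at most four times."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue  # malformed record; a real pipeline would count these
        events.append(ProcessEvent(*fields))
    return events


def from_user_writable_path(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def shadow_deletion_alerts(events: List[ProcessEvent]) -> List[str]:
    """One alert per record whose command line deletes shadow copies."""
    alerts = []
    for ev in events:
        if not DELETE_SHADOWS.search(ev.cmdline):
            continue
        severity = "medium"
        if from_user_writable_path(ev.parent) or from_user_writable_path(ev.image):
            severity = "high"
        alerts.append(f"{severity}: {ev.time} user={ev.user} "
                      f"parent={ev.parent} cmd={ev.cmdline.strip()}")
    return alerts


if __name__ == "__main__":
    for alert in shadow_deletion_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```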

Last Resort – Find a Decryptor

In the event that you still find yourself held to ransom by an attacker, you might be lucky enough to be infected by a ransomware strain that has already been decrypted by a security researcher. There are many free ransomware decryption tools; look through them to find one that matches your strain and run it to get access to your data back.

Conclusion

In a period of such cyber-threats, ransomware can do a lot of damage to your business, even halting operations completely. It’s better not to wait until you are a victim of an attack and pray that someone has released a decryption tool. You should make some small changes to your business IT in order to prevent the attacks from happening in the first place.

If you aren’t IT savvy yourself, my advice is to look into hiring an IT consultant for a day to update and adjust your network. But it shouldn’t stop there: make sure you bring them back every three to six months to update and reconfigure your systems based on new best practice. The IT industry is always changing, and if you aren’t protected against the latest attack vulnerabilities, you are leaving your business open to data theft and ransomware attacks.

You can read the original article here.

24

May

  • WannaCry malware continues to spread on a global basis and organizations are still at risk of being infected;
  • Patching the Microsoft vulnerability can prevent infection via the SMB worm, but cannot prevent direct infection via phishing;
  • CyberArk Labs tested prevention tactics on WannaCry over the weekend and found that the combination of enforcing least privilege on endpoints and application greylisting control was 100 percent effective in preventing WannaCryptor from encrypting files.

The ransomware behind this attack is known as WannaCryptor, also referred to as WannaCrypt or WannaCry. Over the weekend, CyberArk Labs investigated the ransomware strain, broke down the attack vectors, and analyzed how it compares to other recent ransomware attacks. Here’s what organizations need to know now.

To date, CyberArk Labs has tested more than 600,000 ransomware samples – including WannaCryptor – in order to better understand common infection, encryption and removal characteristics. Unlike previous strains of ransomware, WannaCryptor is differentiated by a worm that spreads the ransomware as quickly as possible to as many machines as possible. The worm spreads using the “EternalBlue” SMB vulnerability in Microsoft systems.

Microsoft issued a patch for this vulnerability in March 2017, but details on the vulnerability were released into the wild, freely available to attackers, as part of the Shadow Brokers leaks. Any individual and organization with an unpatched Microsoft system remains vulnerable to the worm in WannaCryptor.

  • Important Protection Note: The Microsoft patch will prevent infection via the SMB worm, but it cannot prevent infection and file encryption if the ransomware is delivered through a direct means, such as phishing.

WannaCryptor is able to execute on an infected machine without administrative privileges. However, to propagate through the organization’s network, WannaCryptor needs to escalate privileges through a Microsoft vulnerability that enables it to run code in the SYSTEM user context. WannaCryptor is able to operate in an offline environment, encrypting the user’s files with an RSA-2048 key pair. After the encryption process, the ransomware demands $300-$600 in bitcoin to decrypt the files.

While the built-in worm differentiates WannaCryptor’s ability to spread from previous versions of ransomware, there is nothing inherently unique about its encryption and extortion techniques. Like most ransomware, WannaCryptor was missed by traditional anti-virus solutions.

  • Important Protection Note: Organizations should immediately implement a combination of least privilege and application control policies on endpoints and servers throughout their organizations.

This proactive approach is not dependent on the ability to detect advanced malware; instead, it treats all unknown applications as potentially suspicious and protects information accordingly. This prevents one infected endpoint from causing an organizational pandemic.

When tested in the CyberArk Lab, the combination of least privilege and application greylisting controls proved 100 percent effective in preventing WannaCryptor and dozens of other ransomware families from encrypting files.

This attack should serve as a reminder that back-ups alone are no longer enough to protect against data loss, especially if organizations are exposing privileged credentials to attackers. This means organizations may have to choose between complete data loss and paying the ransom. Eliminating the attacker’s ability to access administrative credentials to propagate ransomware beyond the initially compromised machine is an essential action to defend against future ransomware attacks and limit damage.

You can read the original article here.

17

May

On Friday, 12 May 2017, the internet was hit by a massive malware attack. This malware spread like wildfire around the world, and more than 200,000 computers were affected over the weekend. This notorious malware is called WannaCry, a deadly “ransomware” which locks your computer and encrypts all of your files, making them inaccessible.

Organizations and individuals in more than 150 countries were affected, including the UK, Spain, Germany, Japan, Pakistan and India. Technical staff have been working day and night trying to reinstall operating systems and recover data. Some have succeeded, but the majority are still in pursuit of success. Several organizations already appear to have given in and paid the ransom to retrieve their data because there was no other feasible resolution.

There must be many questions running through our minds, like:

  • “Where did it come from?”
  • “Why did our security systems fail to block it?” and
  • “Will there be another attack in the future?”

Where Did WannaCry Come from and How Does It Work?

Sources are suggesting that a hacker group named the Shadow Brokers may be behind this massive chaos. The attackers have locked the data of more than 200,000 computers and will release it for a Bitcoin payment equivalent to USD $300-600. The payment method is, conveniently, Bitcoin, because it’s an untraceable method of payment.

This malware targets PCs with older operating systems like Windows XP and Windows 7 that are vulnerable to the EternalBlue exploit. What makes WannaCry that much scarier compared to other types of ransomware is that it doesn’t rely on the end user clicking a link or downloading a file to get onto the machine. Instead, it leverages that exploit and can then spread itself to other machines as well (e.g. those connected to the same local network). In the wake of the attack, Microsoft released an emergency patch for XP systems, but in the meantime hundreds of thousands of computers have been infected and locked, including big names like the National Health Service in the UK, the National Petroleum Company in China and Renault factories in France.

The attack is not yet over. Someone from MalwareTech claimed to have found the “kill switch” and stopped it from spreading, but as it turns out, the spread was only slowed down. Kaspersky Lab confirmed that a new, more powerful version of this malware was detected immediately after the “kill switch” news. This new version cannot be stopped by the “kill switch”, and a new wave of infection is expected to continue this week.

How Can You Protect Yourself from WannaCry?

In this case, prevention is really your best option. A critical piece of this is to update your system. If your personal computer or office system is running on an older version of Windows, then you are at serious risk. Keeping your systems patched is a must to reduce risk to critical vulnerabilities.

Additionally, as mentioned above, the feature that sets WannaCry apart from other malware is that it can spread across a local network without any user interaction. So if you’ve found that one of your systems or servers has been affected, the only way to make sure it doesn’t spread further is to disconnect the LAN cable or turn off the wireless connection.

Although phishing emails don’t seem to be at play in spreading WannaCry, you should still be wary of suspicious emails and files, especially considering, as this article points out, that other bad guys will likely try to leverage the WannaCry scare to scam people into downloading fake decryption solutions.

Ransomware is no joke and WannaCry is exposing yet another reason why a layered security strategy is so important today. A single vulnerability can be exploited and cause significant damage. You must make sure you have the proper defense and maintenance in place to prevent such issues.

You can read the original article here.

14

May

It was a difficult Friday for many organizations, thanks to the fast-spreading Wanna Decrypter 2.0 ransomware that started its assault against hospitals across the UK before spilling across the globe.

The attack appears to have exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

SophosLabs said the ransomware – also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r – encrypted victims’ files and changed the extensions to .wnry, .wcry, .wncry and .wncrypt.

Sophos is protecting customers from the threat, which it now detects as Troj/Ransom-EMG, Mal/Wanna-A, Troj/Wanna-C and Troj/Wanna-D. Sophos customers using Intercept X will see this ransomware blocked by CryptoGuard. Sophos has also published a Knowledge Base Article (KBA) for customers.

NHS confirms attack

National Health Service (NHS) hospitals in the UK suffered the brunt of the attack early on, with their phone lines and IT systems being held hostage. NHS Digital posted a statement on its website:

The UK’s National Cyber Security Centre, the Department of Health and NHS England worked Friday to support the affected hospitals, and additional IT systems were taken offline to keep the ransomware from spreading further.

Victims of the attack received the following message:

More guidance from Sophos

Here is an update of the specific ransomware strains in this attack that Sophos has now provided protection against:

As noted above, Sophos has issued protection for customers. Users of Intercept X and EXP don’t have to do anything. Users of Sophos Endpoint Protection and Sophos Home should update their versions immediately.

Defensive measures (updated 2017-05-13T10:05:00Z)

Since we published this article, Microsoft has taken the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone: “We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here”.

We urge those who haven’t yet done so to:

  • Patch your systems, even if you’re using an unsupported version of XP, Windows 8 or Windows Server 2003, and read Microsoft’s customer guidance for WannaCrypt attacks.
  • Review the Sophos Knowledge Base Article on Wana Decrypt0r 2.0 Ransomware.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.
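Behavioural detection of the file renaming described above, as an added example that is not Sophos code: it alerts when one process renames files to the .wnry/.wcry/.wncry/.wncrypt extensions, or renames many files to any new extension within a short window, which is the kind of signal an anti-ransomware layer watches for. The event format, the thresholds and the sample events are assumptions.

```python
"""Behavioural ransomware detection over constructed file-rename events.
Added example, not Sophos code; event format, thresholds and sample data
are assumptions."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

# Extensions the article says this strain appends to encrypted files.
RANSOM_EXTS = {".wnry", ".wcry", ".wncry", ".wncrypt"}


@dataclass
class FileEvent:
    t: float       # seconds on a constructed clock
    pid: int
    image: str     # process image name
    old_path: str  # path before the rename
    new_path: str  # path after the rename


def extension(path: str) -> str:
    """Final extension, lower-cased, so 'a.docx.WNCRY' gives '.wncry'."""
    return os.path.splitext(path)[1].lower()


def _count_in_window(times: Deque[float], t: float, window: float) -> int:
    """Append t and return how many timestamps fall inside the last `window` seconds."""
    times.append(t)
    while t - times[0] > window:
        times.popleft()
    return len(times)


def detect(events: List[FileEvent], known_limit: int = 3,
           generic_limit: int = 20, window: float = 30.0) -> List[str]:
    """Return one alert per (process, rule). Events must be in time order.
    Rule 1: `known_limit` renames to a known ransomware extension in `window`.
    Rule 2: `generic_limit` renames to any changed extension in `window`,
    which also catches strains whose extension nobody has seen yet."""
    known: Dict[int, Deque[float]] = defaultdict(deque)
    generic: Dict[int, Deque[float]] = defaultdict(deque)
    fired: Set[Tuple[int, str]] = set()
    alerts: List[str] = []

    def fire(ev: FileEvent, rule: str, n: int) -> None:
        if (ev.pid, rule) not in fired:
            fired.add((ev.pid, rule))
            alerts.append(f"{ev.image} (pid {ev.pid}): {rule}, "
                          f"{n} renames within {window:.0f}s, latest {ev.new_path}")

    for ev in events:
        new_ext = extension(ev.new_path)
        if new_ext == extension(ev.old_path):
            continue  # same extension: not an encrypt-and-rename pattern
        n = _count_in_window(generic[ev.pid], ev.t, window)
        if n >= generic_limit:
            fire(ev, "mass extension change", n)
        if new_ext in RANSOM_EXTS:
            n = _count_in_window(known[ev.pid], ev.t, window)
            if n >= known_limit:
                fire(ev, "known ransomware extension", n)
    return alerts


def sample_events() -> List[FileEvent]:
    """Constructed sample: a benign process, a WannaCry-like process and a
    process appending an unknown extension to many files."""
    events = []
    for i in range(2):   # explorer renaming two notes: benign
        events.append(FileEvent(10 + i, 100, "explorer.exe",
                                f"C:\\notes\\n{i}.txt", f"C:\\notes\\n{i}.md"))
    for i in range(5):   # known extension appended to five documents
        events.append(FileEvent(0 + i, 1337, "unknown.exe",
                                f"C:\\docs\\d{i}.docx", f"C:\\docs\\d{i}.docx.WNCRY"))
    for i in range(25):  # unknown extension appended to 25 photos
        events.append(FileEvent(20 + i, 555, "bulk.exe",
                                f"C:\\photos\\p{i}.jpg", f"C:\\photos\\p{i}.jpg.enc"))
    return sorted(events, key=lambda e: e.t)


if __name__ == "__main__":
    for line in detect(sample_events()):
        print(line)
```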

Resources

Other links we think you’ll find useful:

Updates

  • Multiple news reports have focused on how this attack was launched using NSA code leaked by a group of hackers known as the Shadow Brokers. That’s certainly what seems to have happened based on SophosLabs’ own investigation. A more detailed report on that is planned for early next week.
  • Sophos will continue to update its Knowledge Base Article (KBA) for customers as events unfold. Several updates were added today, and are summarized below in the “More guidance from Sophos” section.
  • Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement: “We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.”
  • With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them, said Dave Kennedy, CEO and founder of information security consultancy TrustedSec.
  • The attack could have been worse, if not for an accidental discovery from a researcher using the Twitter handle @MalwareTechBlog, who found a kill switch of sorts hidden in the code. The researcher posted a detailed account of his findings here. In the post, he wrote: “One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.”

You can read the original article here.