Savvy security practitioners understand that one of the most important, preventative steps they can take to bolster their cyber security posture is to secure privileged access – including privileged accounts, credentials and secrets. Protecting privilege is a process, and it’s often a key element of an enterprise-wide security program. Perhaps you are wondering if there a guide with actionable – yet easy-to-understand – information about establishing and maintaining a privileged access security program that you could flip open and reference.

Look no further than the new Privileged Access Security for Dummies guide. Brought to you by CyberArk, this guide is meant for an extended team to read – from CISOs to Developers – and not just IT security. Often, cyber security books go into significant technical depth, which is great for highly technical audiences. You should expect this guide to be conversational, with plenty of examples, analogies and elements designed to make this important security topic more approachable. With this quick and easy guide, readers can better understand and articulate the need to prioritize risk reduction associated with privileged-related access.

Inside, you’ll meet a full cast of characters – from Billy the “freelance hacker” who has made a career out of phishing unsuspecting corporate victims, to “Liam the Leak,” an engineer with access to sensitive data, who’s been passed over for a promotion one too many times. Through their stories, you’ll gain tips, technical insights and lessons others have learned – sometimes painfully so.

Download Privileged Access Security for Dummies today to:

• Discover the many types of privileged access used by humans and non-human automated processes
• Learn more about data loss, compliance, audit and third-party risks
• Get tips for establishing a privileged access security program
• Explore a 10-step approach for securing privileged access across the enterprise

Get smart on privileged access security. Download the free guide today.

You can read the original article, here.

Yesterday evening I felt an all-too-familiar mix of pride and embarrassment as my seven-year old daughter patiently walked me through some of the more advanced features on our TV.

As well as enhancing my viewing it also got me thinking: if I hadn’t had my own ‘advanced technical adviser’, I would have missed out on a whole range of things that our TV package has to offer.

I suspect this is a pretty common scenario with a host of software and devices, both at home and at work.

Fortunately, when it comes to Sophos Central Endpoint and Intercept X, help is at hand.

Intercept X Endpoint Resource Page

The Intercept X Endpoint resource page is your new go-to place for all things Intercept X and Sophos Central Endpoint.

It gives you easy access to the Knowledge Base, community forums and documentation, as well as links to important product lifecycle information.

New customers can take advantage of practical tips to help them get up and running, including the new Getting Started overview video.

Intercept X Endpoint How-to Library

The How-to Library is designed to help you make the most of your investment. It brings together a collection of videos, articles and PDF guides on a range of topics, from getting started, to malware detection and troubleshooting.

Whether you’re new to Sophos or an old-hand, we hope you’ll find it useful.

Both pages can be accessed by the support section on our website, or directly at:

• sophos.com/endpointsupport
• sophos.com/endpointlibrary

Not just for Endpoint!

Running Sophos XG Firewall or Sophos Central Server Protection? If so, we have new resource pages for you too.

The XG Firewall resource page and How-to Library give you easy access to all our most popular firewall resources, while the Server Protection resource page and How-to Library brings together all things Sophos Central Server.

You can read the original article, here.

To understand what cryptojacking is, you first need to understand cryptomining.

Cryptomining is a lot like gold mining in that, like gold, there are millions of cryptocoins in existence, they just haven’t all been made available yet. What miners do is extract them, by solving complex algorithms with powerful computer power harnessed from less powerful computers. Once they are verified, the miner is rewarded.

Cryptomining becomes cryptojacking when this is done illegally, without authorization. All cybercriminals have to do to make money through cryptomining is steal CPU power – from any user – to solve the algorithms and bring the cryptocoins to light.

Cryptojacking can happen in two different ways. An in-browser approach injects the script into a consumer’s browser and uses their CPU power to mine for coins. Alternatively, cybercriminals can bypass the browser and install a cryptominer directly on the consumer’s machine via a dodgy link.

To find out more about in-browser cryptominers vs installed cryptomining malware, and how to tell and what to do if you have a cryptominer installed, check out the Naked Security article «Cryptojacking for beginners – what you need to know».

Read the original article, here.

Sophos Intercept X Advanced was the top-ranked solution for both enterprise endpoint protection and small business endpoint protection in the new SE Labs endpoint protection test report (Apr-Jun 2018). Sophos received a 99% protection accuracy rating, 100% legitimate accuracy rating and 100% total accuracy rating. Each of these scores were the highest in the test.

This is the first time the combination of Intercept X and Central Endpoint Advanced (Intercept X Advanced) has been tested publicly and we are delighted with the results.

SE Labs tested endpoint solutions on their abilities to stop targeted and live, in-the-wild attacks in real time, as well as their false positive impacts. According to the SE Labs test: “Sophos Intercept X Advanced blocked all of the public and targeted attacks. It also handled the legitimate applications correctly”.

As a result, SE Labs awarded Sophos Intercept X Advanced its AAA award for both enterprise and small business protection.

Sophos was also recently ranked #1 for malware protection and exploit protection by MRG Effitas. The endpoint protection in Intercept X Advanced is driven by the combination of deep learning, anti-exploit capabilities, anti-ransomware technology, and other modern endpoint protection techniques – all paired with our foundational endpoint security technology.

Like Sophos, SE Labs is an active member of the Anti-Malware Testing Standards Organization (AMTSO). In fact, SE Labs were the first testing organization to achieve AMTSO Standard compliance.

You can read the original article, here.

Sophos is proud to be positioned among the “Visionaries” in the 2018 Gartner Magic Quadrant for Unified Endpoint Management (UEM).

Gartner states that: Unified endpoint management (UEM) tools combine the management of multiple endpoint types in a single console.

UEM tools perform the following functions:

• Configure, manage and monitor iOS, Android, Windows 10 and macOS, and manage some Internet of Things (IoT) and wearable endpoints.
• Unify the application of configurations, management profiles, device compliance and data protection.
• Provide a single view of multidevice users, enhancing efficacy of end-user support and gathering detailed workplace analytics.
• Act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure.

Sophos Mobile has evolved from a best in class mobile management software to becoming a fully-fledged UEM and security service that helps businesses spend less time and effort to manage and secure corporate and personal devices and users.

Sophos Mobile is the only UEM service that integrates natively with a leading next-gen endpoint security platform, supporting management of Windows 10, macOS, iOS, and Android devices.

Discover Unified Endpoint Management with Sophos Mobile at sophos.com/mobile

https://news.sophos.com/en-us/2018/07/24/gartner-names-sophos-as-a-visionary-in-the-first-uem-magic-quadrant/

Eric Vanderburg, Vice President of Cybersecurity at TCDI, highlights the key questions to consider when identifying your organisation’s data, its importance and the level of protection required…

I always figured that you would need to know what you have in order to protect it. However, I have seen far too many companies implement “best practices,” standards, or compliance programs without first understanding what they have to protect.

Asset inventory systems are bundled into many security systems or other management tools, but these systems track only hardware. IT systems management software tracks operating systems and software, but neither of these systems addresses the security need. The loss of a laptop or smartphone is a loss of a few hundred dollars. The loss of customer records, business strategies, software code or proprietary formulas, however, far exceeds the cost of the hardware. Thus, it is the data that information security needs to protect, and while the data does reside on top of hardware and software, the key to protecting data resides in first understanding the data.

Data can be described by the five W’s. Who, what, where, when and why.

Who created the data?

Presumably, someone created the data for a reason. This person, the data owner, has the initial responsibility for storing the data in an appropriate location and for granting access to the data, so it is important to know who these people are.

What information does the data contain?

Classify the data so that you can understand if it should be protected from loss or disclosure and how much effort should be expended in defending it.

Where is the data located?

The location of the data determines the level of organizational control that can be enacted over the data. An organization would have little control over data on a social network, but they may have a great deal of control over data in an Enterprise Resource Planning (ERP) tool.

When was the data created?

Other good questions include when was it accessed and when was it archived? This standard metadata, consisting of items such as creation, access and archive date, creator, file size, and type, are important because it can show how important the data is to the company. Less frequently used data is generally considered less important. It is also important to know when the data was last archived or backed up since this determines whether the data can be recovered if it is lost, stolen or corrupted.

Why does the data exist?

This is one of the most important questions because data that is not needed should be deleted. There is no reason to protect data that provides no value. This data is only a liability, for the loss of the data could impact the organization. Even if the loss is inconsequential, storing, indexing and managing data takes time and money, so organizations would be well served to remove nonessential data.

Why waste time and money implementing security that does not address the data itself? This all too common approach often results in some data being under protected or not protected at all, while other data is overprotected. Furthermore, since the organization does not know of some data, a breach of that data is more likely to go unnoticed. Understand the five W’s and create security controls, policies and procedures to govern how the data is used, stored, shared and deleted.

https://www.boldonjames.com/the-5-ws-of-data-identification-and-inventory/

If you haven’t been keeping track, there’s been a flurry of updates for XG Firewall recently. In fact, we just released Maintenance Release (MR) 4 for XG Firewall v16.5. This marks the fourth update in as many months, rapidly responding to field reported issues and improving the stability and performance of your XG Firewall.

It’s extremely important that you keep your XG Firewall up to date with the latest firmware release. Every update contains important patches, bug fixes, and enhancements.

But, one of the questions I often hear is… How do I stay up to date with all the latest XG Firewall releases?

Release Notes for XG Firewall

All Release Notes for XG Firewall are published on the XG Firewall Community Release Notes Blog.

Automatic Email Notification

Of course you can periodically monitor the Release Notes Blog however, I have some inside tips for getting automatic email notification for every XG Firewall release.

First, if you don’t already have one, you’ll need to create a Sophos ID…

Go to sophos.com/xg-community and click the silhouette icon in the upper right corner of the screen to login or create your Sophos ID:

Once you’ve signed up or signed in, you can go to the XG Firewall Community Release Notes Blog, click the gear icon in the upper right of the blog roll, and select “Turn Blog notifications on”…

You will now receive an automatic email notification to your Sophos ID email address whenever there is an update.

You can check the status of your subscriptions by clicking your account icon in the very upper right of the screen, choosing “Settings”, and then selecting the “Subscriptions” tab…

Keeping your XG Firewall Firmware Up to Date

Whenever you see a firmware update in your XG Firewall Notifications Area, apply it as soon as you can schedule a reboot.

If you want to see how easy it is to update your device firmware, watch this short How-To Video…

You can read the original article, here.

Cyber-attacks are making the lives of internet users very difficult. Ransomware in particular has been one of the most disruptive types of attack that hackers are using. Unfortunately, ransomware attacks are accelerating and intensifying with more victims each and everyday. Take the most recent example of WannaCry that took over the news at the end of last week, which has infected over 200,000 computers in over 74 countries.

Small businesses and start-ups are highly susceptible to cyber-attacks like this. Last year alone, 43% of attacks were on small businesses, a number that continues to increase. With a smaller budget and lack of resources, it can be almost impossible to recover your data, find the attacker or even pay the ransom.

That is why you need a strategy for preventing ransomware before it wreaks havoc on your day-to-day business.

What Is Ransomware?

Ransomware is a type of malware that accesses the operating system of a device and encrypts user data, blocking the user from the access of that information. In order to regain the access to blocked data, the person has to pay a ransom amount demanded by the hacker.

Until the ransom amount is paid; the attacker will not decrypt the data files or release them back to your business. You can’t even be sure that when you pay the ransom, your data is sent back to you the same way it was stolen or that the hacker hasn’t retained a copy for themselves.

Types of Ransomware That Can Affect Your Start-Up

To avoid becoming a ransomware victim, you must be aware of the various types of ransomware attack and their intensity. There are certain signs that can tell you about the type of ransomware trapping your system data.

Scareware

This type of ransomware is the least harmful and unlike its name, not very scary at all. When a device is attacked by scareware, it shows a warning of umpteen issues in the system. The warnings consist of spurious antivirus or clean-up tools through which a demand money is made in order to fix those given warnings.

In this kind of ransomware attack, your system remains working and your data is normally safe. Although, if you leave it unresolved, it could continue to give pop-up warnings claiming to ‘discover’ new issues in your system.

Lock-Screen Ransomware

If you start your device and find a frozen window, you might have lock-screen ransomware on your device. This ransomware with the locked-screen full-sized window, sometimes shows an FBI or Department of Justice logo claiming you have participated in an illegal act and for that, they demand a fine.

Encrypting Ransomware

Encrypting ransomware is ultimately the most popular and troublesome to resolve (and also the kind used in the aforementioned, widespread WannaCry attack). Encrypting ransomware as its name implies, encrypts the files of the trapped device and demands money for decrypting the data. It is considered as one of the most harmful ransomware types because of the fact that once you are a victim, it is highly unlikely you can recover or access your data without paying.

How to Prevent Ransomware

The best way to protect your device from a ransomware attack is to follow some effective precautionary measures outlined in this article. All of these discussed methods will allow you to prevent a ransomware invasion without spending a cent.

Data Backup

For all of your valuable and sensitive data files, the most important step is to create backup support. To keep the record and copy of your worthy data, you could use cloud storage (many companies offer free services under a certain limit). You could also use removable disks to maintain data backups.

This won’t stop the attacker from gaining access to your systems but you can still access your files and you will be able to remove the ransomware and recover all your most valuable company data.

Enhancing Spam and Email Security

A ransomware attacker spreads their destructive malware through botnets and deliver a huge portion of spam emails. They create a link that instantly downloads the malware from an email and all you have to do is fall into the trap! Recent advancements in email allow you to adjust and modify your anti-SPAM filters. Consider changing your SPAM filter settings in a way that the virus contaminated emails can’t make into your inbox.

More importantly, educating employees on how to identify phishing emails can go a long way in preventing ransomware from entering your network, since these spoofed emails are commonly used to trick people into downloading malicious attachments. Phishing simulation tests are a tried and true method for introducing employees to common tactics so they don’t fall victim.

Install Firewall Protection and Anti-Virus Software

Most ransomware requires connection to your command and control servers to obtain important keys needed during the encryption process. However, Windows Firewall and additional firewall apps could recognize and cease this kind of traffic, preventing data encryption by the virus. Thus, the attack is stopped before it has even started.

Block Risky File Extensions

Extensions such as pif, .cmd, .bat, .scr, .vbs, .rtf. docm, .rar. .zip, .js, .exe, are risky file attachments that could contain ransom Trojans. It is a good move for your business to configure your email program in such a way that it could stop incoming messages with potentially harmful content on board.

You should block any attachment that requires activation of macros in office documents or wants to execute scripts.

Avoid Using Remote Services

Sometimes the ransomware attackers use remote support apps to execute an infection into a device. Such an attack was reported by a surprise ransomware in March 2016 through using TeamViewer remote support app. To prevent such an attack, you should set up two-factor authentication when connecting to a remote service.

Rename ‘vssadmin.ext’

An attacker can use the vssadmin.exe file and enter the: Delete Shadows/All/Quiet command, in order to delete Shadow Volume Copies of your files, rendering you incapable of accessing previously restored versions of your files.

It is recommended that you rename vssadmin.exe so that the ransomware attacker cannot find the file and delete it.

Last Resort – Find a Decryptor

In the event that you still find yourself held at ransom by an attacker, you might be lucky enough to be infected by a ransomware that has already been decrypted by a security researcher. There are many free decryption ransomware tools that you can have a look through to find one that looks like yours and run a program to get access to your data back.

Conclusion

In the period of such cyber-threats, ransomware can do a lot of damage to your business, even halt operations completely. It’s better not to wait until you are a victim of the attack and pray that someone has released a decryption tool. You should make some small changes to your business IT in order to prevent the attacks from happening in the first place.

If you aren’t IT savvy yourself, my advise is to look into hiring an IT consultant for a day to update and adjust your network. But it shouldn’t stop there, make sure you bring them back every three to six months to get updates and configured based on new best practice. The IT industry is always changing and if you aren’t keeping protected from the latest attack vulnerabilities, you are leaving your business open to data theft and ransomware attacks.

You can read the original article, here.

• WannaCry malware continues to spread on a global basis and organizations are still at risk of being infected;
• Patching the Microsoft vulnerability can prevent infection via the SMB worm, but cannot prevent direct infection via phishing;
• CyberArk Labs tested prevention tactics on WannaCry over the weekend and found that the combination of enforcing least privilege on endpoints and application greylisting control was 100 percent effective in preventing WannaCryptor from encrypting files.

The ransomware behind this attack is known as WannaCryptor, also referred to as WannaCrypt or WannaCry. Over the weekend, CyberArk Labs investigated the ransomware strain, broke down the attack vectors, and analyzed how it compares to other recent ransomware attacks. Here’s what organizations need to know now.

To date, CyberArk Labs has tested more than 600,000 ransomware samples – including WannaCryptor – in order to better understand common infection, encryption and removal characteristics.  Unlike previous strains of ransomware, WannaCryptor is differentiated by a worm that spreads the ransomware as quickly as possible to as many machines as possible. The worm spreads using the “eternalblue” SMB vulnerability in Microsoft systems.

Microsoft issued a patch for this vulnerability in March 2017, but details on the vulnerability were released into the wild, freely available to attackers, as part of the Shadow Brokers leaks. Any individual and organization with an unpatched Microsoft system remains vulnerable to the worm in WannaCryptor.

• Important Protection Note: The Microsoft patch will prevent infection via the SMB worm, but it cannot prevent infection and file encryption if the ransomware is delivered through a direct means, such as phishing.

WannaCryptor is able to execute on an infected machine without administrative privileges. However, to propagate through the organization’s network, WannaCryptor needs to escalate privileges through a Microsoft vulnerability that enables it run code in SYSTEM user context. WannaCryptor is able to operate in an offline environment, encrypting the user’s files with an RSA-2048 key pair. After the encryption process, the ransomware demands $300-$600 in bitcoin to decrypt the files.

While the built-in worm differentiates WannaCryptor’s ability to spread from previous versions of ransomware, there is nothing inherently unique about its encryption and extortion techniques. Like most ransomware, WannaCryptor was missed by traditional anti-virus solutions.

• Important Protection Note: Organizations should immediately implement a combination of least privilege and application control policies on endpoints and servers throughout their organizations.

This proactive approach is not dependent on the ability to detect advanced malware; instead, it treats all unknown applications as potentially suspicious and protects information accordingly. This prevents one infected end-point from causing an organizational pandemic.

When tested in the CyberArk Lab, the combination of least privilege and application greylisting controls proved 100 percent effective in preventing WannaCryptor and dozens of other ransomware families from encrypting files.

This attack should serve as a reminder that back-ups alone are no longer enough to protect against data loss, especially if organizations are exposing privileged credentials to attackers. This means organizations may have to choose between complete data loss and paying the ransom. Eliminating the attacker’s ability to access administrative credentials to propagate ransomware beyond the initially compromised machine is an essential action to defend against future ransomware attacks and limit damage.

You can read the original article, here.

On Friday 12, May 2017, the internet got hit by a massive malware attack. This malware spread like wildfire around the world and more than 200,000 computers were affected over the weekend. This notorious malware is called WannaCry, a deadly “ransomware” which locks your computer and all the files become inaccessible and encrypted.

Organizations and individuals in more than 150 countries were affected including UK, Spain, Germany, Japan, Pakistan and India. Technical staff have been working day and night trying reinstall operating systems and recover data. Some of them have succeeded, but the majority of are still in pursuit of success. Several organizations already appear to have given in and paid the ransom amount to retrieve their data because there was no other feasible resolution.

There must be many questions tangling in our minds like:

• “where did it come from?”
• “why did our security systems failed to block it?” and
• “will there be another attack in the future?”

Where Did WannaCry Come from and How Does It Work?

Sources are identifying a hacker group named Shadow Broker may behind this massive chaos. The attackers have locked data of more than 200,000 computers and will release it for Bitcoin payment equivalent of USD $300-600. The payment mode is conveniently Bitcoins because it’s an untraceable method of pay.

This malware is targeting PCs with older operating systems like Windows XP and Windows 7 that are vulnerable to the EternalBlue exploit. Compared to other types of ransomware and making it that much scarier, WannaCry is a bit unique in that it doesn’t rely on the end user to click a link or download a file to access the machine. Instead, it leverages that exploit and can then self-spread to other machines as well (e.g. those connected to the same local network). In the wake of the attack, Microsoft released an emergency patch for XP systems, but in the meantime, hundreds of thousands of computers have been infected and locked, including big names like National Health Service in UK, National Petroleum Company in China and Renault Factories in France.

The attack is not yet over. Someone from Malware Tech claimed to have found the “kill switch” and stopped it from spreading, but as it turns out, it was just slowed down from spreading. Kaspersky lab security confirmed a new more powerful version of this malware was detected immediately after the “kill switch” news. This new version cannot be stopped by the “kill switch” and a new wave of infection is expected to continue this week.

How Can You Protect Yourself from WannaCry?

In this case, prevention is really your best option. A critical piece of this is to update your system. If your personal computer or office system is running on an older version of Windows, then you are at serious risk. Keeping your systems patched is a must to reduce risk to critical vulnerabilities.

Additionally, as mentioned above, the feature that sets WannaCry apart from other malware is it can spread in a local network system without any interaction. So if you’ve found one of your systems or servers has been affected, the only way to make sure it doesn’t spread further is to disconnect the LAN cable or turn off the wireless connection.

Although phishing emails don’t seem to be at play for spreading WannaCry, you should still be wary of suspicious emails and files. Especially considering, as this article points out, other bad guys will likely try to leverage the WannaCry scare to scam people into downloading fake decryption solutions.

Ransomware is no joke and WannaCry is exposing yet another reason why a layered security strategy is so important today. A single vulnerability can be exploited and cause significant damage. You must make sure you have the proper defense and maintenance in place to prevent such issues.

You can read the original article, here.

It was a difficult Friday for many organizations, thanks to the fast-spreading Wanna Decrypter 2.0 ransomware that started its assault against hospitals across the UK before spilling across the globe.

The attack appears to have exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

SophosLabs said the ransomware – also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r – encrypted victims’ files and changed the extensions to .wnry, .wcry, .wncry and .wncrypt.

Sophos is protecting customers from the threat, which it now detects as Troj/Ransom-EMG, Mal/Wanna-A, Troj/Wanna-C, and Troj/Wanna-D. Sophos Customers using Intercept X will see this ransomware blocked by CryptoGuard. It has also published a Knowledge Base Article (KBA) for customers.

NHS confirms attack

National Health Service hospitals (NHS) in the UK suffered the brunt of the attack early on, with its phone lines and IT systems being held hostage. NHS Digital posted a statement on its website:

The UK’s National Cyber Security Centre, the Department of Health and NHS England worked Friday to support the affected hospitals, and additional IT systems were taken offline to keep the ransomware from spreading further.

Victims of the attack received the following message:

More guidance from Sophos

Here is an update of the specific ransomware strains in this attack that Sophos has now provided protection against:

As noted above, Sophos has issued protection for customers. Users of Intercept X and EXP don’t have to do anything. Users of Sophos Endpoint Protection and Sophos Home should update their versions immediately.

Sophos Home

Stop ransomware with our free personal security software

Learn More

Defensive measures (updated 2017-13-05T10:05:00Z)

Since we published this article Microsoft has taken the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone: “We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here“.

We urge those who haven’t yet done so to:

• Patch your systems, even if you’re using an unsupported version of XP, Windows 8 or Windows Server 2003 and read Microsoft’s customer guidance for WannaCrypt attacks.
• Review the Sophos Knowledge Base Article on Wana Decrypt0r 2.0 Ransomware.
• Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
• Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
• Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.

Resources

Other links we think you’ll find useful:

• To defend against ransomware in general, see our article How to stay protected against ransomware.
• To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad.
• To protect against misleading filenames, tell Explorer to show file extensions.
• To learn more about ransomware, listen to our Techknow podcast.
• To protect your friends and family against ransomware, try our free Sophos Home for Windows and Mac.

Updates

• Multiple news reports have focused on how this attack was launched using NSA code leaked by a group of hackers known as the Shadow Brokers. That’s certainly what seems to have happened based on SophosLabs’ own investigation. A more detailed report on that is planned for early next week.
• Sophos will continue to update its Knowledge Base Article (KBA) for customers as events unfold. Several updates were added today, and are summarized below in the “More guidance from Sophos” section.
• Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement: “We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.”
• With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them, said Dave Kennedy, CEO and founder of information security consultancy TrustedSec.
• The attack could have been worse, if not for an accidental discovery from a researcher using the Twitter handle @MalwareTechBlog, who found a kill switch of sorts hidden in the code. The researcher posted a detailed account of his findings here. In the post, he wrote: “One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.”

You can read the original article, here.

Corroborating the recent surge in headlines, a new industry study reveals that 56 percent of security professionals surveyed say insider threat incidents have become more frequent in the past 12 months.

As we’ve covered in previous posts, insiders present a particularly challenging security conundrum.

Those who gain access to privileged credentials can initiate seemingly legitimate privileged user sessions.

Take, for example, reports of a former IT director at a sportswear company who created a privileged, unauthorized backdoor account that provided him access to the corporate network for nearly two years after he left the company.

Though insiders may have a variety of motives, the attack pathway they follow is similar. The first step in carrying out an insider attack is to gain inside access.

This image shows the typical path attackers follow to complete their mission.

Without the automated real-time detection and alerting on risky activities within privileged sessions, an inside attacker may operate undetected for long periods of time.

In order to block insider attacks, it’s critical to first block the privileged pathway that leads to your organization’s most sensitive assets and information.

CyberArk’s comprehensive solution for privileged account security offers proactive controls to reduce the risk of intentional and unintentional insider threats, as well as real-time monitoring and threat analytics to aid in detection of unauthorized accounts and in-progress attacks.

Here’s a look at how the CyberArk solution works at each critical step of the privileged pathway to control and monitor privileged accounts to minimize the risk of insider threats.

Learn more about how CyberArk can help you protect against the growing insider threat, and download our free eBook, The Danger Within: Unmasking Insider Threats.

You can read the original article, here.

After a long period of development, we are now ready with the largest feature release of the LogPoint agent in the history of LogPoint.

With this release the agent will be faster, more stable and offer more features. Combined with the recent changes in LogPoint 5.6 (Policy Based Routing), the new agent can make drastic cuts in resource consumption!

New Features

• File Integrity Monitoring and Windows Registry Scanning is now supported.
• The agent now supports localized environments (non-English Windows).
• The agent now processes logs more than 300% faster than in the previous version.
• Centralized management of agents in large deployments is now supported.
• The Agent can now operate in either encrypted and clear-text modes.

With our new release, we introduce FIM and Registry monitoring as fundamental new features. Additionally, we now support distributed environments for LogPoint Agents to exist in. That is; if you have multiple back-ends and collectors, the Agents will be manageable from a single location.

Also with this release we have released a new compiled normalizer for Windows. This compiled normalizer extracts data from the Windows eventlog in XML and uses the LPA to translate it to JSON before sending it in. JSON being faster to parse and more efficient to store compared to XML and the raw eventlog data, we achieve a substantial performance improvement.

NOTE: The LPA_Windows normalizer can be used by our NXLog Enterprise customers too, they need to add a simple  to_json();, to the existing XML based eventlog collection.

Enhancements

• Major upgrade of the underlying agent code
• A memory leak and performance degradation scenario has been resolved
• More robust communication with the management API

LogPoint is proud to announce LogPoint 5.6. Since our last large upgrade back in April 2016 (5.5.0), we have had minor releases and in parallel worked on this release.

Note: Please go through the release notes and ensure you have prepared your platform and fulfilled all the prerequisites before upgrading.

New Features

Policy Based Routing

The feature allows your organization to:

• Reduce costs of storage: Filter messages before they are stored.
• Optimize workflows: Store logs in repositories based on urgency and severity
• Take the outputs of alerts and store them with enhanced meta data for efficient long-term correlations.

How it works:

During collection and after normalization, we define a filter

Based on the contents of the logs, an action will be taken:

• Drop the log?
• Keep only key-value pairs?
• Keep everything
• Where to store the logs

We walk through the configuration in the video below.

You can read the original article, here and here.

Drawing on your feedback and requests, we have developed Sophos UTM 9.5. This latest update of our award-winning unified threat management (UTM) platform makes managing your IT security easier, faster and more flexible.

And, it includes new features for Web Application Firewall and our next-gen sandboxing technology, Sophos Sandstorm.

So, what does this update include?

Sophos Sandstorm Enhancements

• Datacenter location selection option for Sophos Sandstorm without relying on DNS based location detection
• Sandstorm activity reporting expanded to include email attachments for improved visibility
• Scan exceptions for Sophos Sandstorm to exclude specific filetypes from being sent to Sophos Sandstorm analysis

Web Application Firewall Enhancements

• WAF URL Redirection allows you to redirect traffic for a WAF protected URL to a different backend system or URL
• WAF protection and authentication policy templates were added for common Microsoft services for protection and authentication
• Configure minimum allowed TLS version to improve security
• WAF Proxy Protocol Support to use the client IP info inside the ProxyProtocol header to make policy decisions and improve logging
• True File Type Scanning enables you to block uploads and downloads based on MIME type

Management and Reporting Enhancements

• Download all UTM logs in a single archive
• Support Access with SSH is extending the existing Support Access feature
• 64-bit PostgreSQL Database to generate reports with big datasets faster. The existing database will be migrated without impacting any data.
• SNMP Monitoring of full filesystem to integrate UTM filesystem monitoring in regular SNMP based monitoring solutions
• Certificate Expiration Notification 30 days before expiration date via WebAdmin and e-Mail, giving you plenty of notice for certificate renewal
• RESTful API to configure Sophos UTM 9

How to get Sophos UTM 9.5

Free for existing customers, this update is being rolled out to systems via Up2Date in a staged release fashion over the coming weeks. However, there’s no need to wait, everyone running 9.4 can get the latest Up2Date release directly via the Community Blog and next week the ISOs will be available via the Sophos UTM downloads area.

Get more information on what’s new in UTM 9.5 or get the full release notes on the Sophos Community Blog. Also join in the discussion with your peers on the Sophos Community Forums.

You can read the original article, here.

Protecting your online anonymity is no piece of cake. After all, today’s internet ecosystem – which is becoming increasingly surveilled and ad-driven – seeks to achieve the exact opposite. Whether it’s for national security or to steer you towards a product, marketers and governments want to find out everything about you.

That’s why throwing them off your trail is not easy. While it’s possible to hide your browsing history and stay anonymous online, let’s face it – it’s becoming more difficult with the passage of time. Though there’s not a lot you can do, a few measures can be taken to make it more difficult for anyone to expose you, at least to some extent.

Anonymity on the internet has its benefits as you can gain certain freedoms by being unrecognizable. But how can you keep your digital footprints safe, especially in this era of mass surveillance? Keeping this in mind, the following tools are perfect for being able to browse the internet safely without being tracked:

Use PureVPN Chrome Extension

Did you know PureVPN’s Chrome Extension gives you instant online protection and anonymity at the click of a button? With servers installed in 35 countries around the globe and access to all the best VPN features such as WebRTC protection, malware, ads and tracker protection, and built-in VPN capability, you have what it takes to ensure your anonymity and privacy is protected. I tried this out myself and was personally very impressed, which is why I am suggesting it in this section over other VPN services.

The extension is something like an IP changer for the Chrome browser and it doesn’t have a significant impact on your browsing speed. Moreover, PureVPN Chrome Extension also has the added functionality of a tracker and ad-blocker, keeping your online activities safe from prying eyes and allowing you to get rid of those pesky ads and malicious files masked as ads!

Use Tor

Tor – also known as “The Onion Router”– makes use of a series of relays and nodes to mask your traffic and hide your identity by disguising origins and IP addresses. Although there are a number of ways you can go about using the anonymity network, Tor Browser is considered to be the best option for privacy protection.

Simply install the Firefox-based application on your PC or Mac and start browsing the web anonymously. However, Tor has a few downsides. For one, it’s not suitable for torrenting files or streaming video as it offers a much slower browsing experience. Second, even though your traffic is untraceable and encrypted, your ISP can detect whether you are using Tor or not.

Since Tor is often misused by criminals and hackers to conduct online attacks and extortion, this alone may be enough to create suspicions. Your ISP can limit your bandwidth, fire off a cease-and-desist letter to you, or worse report you to the law enforcement authorities even if you haven’t done anything illegal or particularly wrong.

Use a Proxy

When you use a proxy server and enter the URL of the website you would like to visit, the pages are retrieved by the proxy instead of the person actually browsing the web (i.e. you). As a result, the remote server does not see your IP address and other browsing information because it’s replaced with that of the proxy server.

While this ensures you remain anonymous online, the bad news is a lot of proxies record your data to sell it or infect your system to turn your PC into a bot, which will be then used for a DDoS attack without you ever knowing about it. Furthermore, not only will you experience a slow browsing speed, but you will also find annoying ads on the top of your browser’s window (well, they have to make money somehow, right?).

Are You Truly Anonymous?

The answer is a simple, no. You are never truly anonymous and because of this, you should never do, say or search for anything online unless you are aware of the risk and understand that someone can be watching you. BUT, you can use these tools to minimize the information available to prying eyes, tracking and later use in intrusive personalized advertising.

You can read the original article, here.

“This demands your attention no matter what size your organization.”

SC Media has given XG Firewall its top five-star rating across all areas including features, documentation, performance, support, ease of use, and value. They had tons of great things to say about it, including comments such as: “Very creative convergence of a lot of solid functionality.”

The reviewer, Peter Stephenson, examined the key protection areas XG Firewall provides, such as IPS, application security, web protection and advanced threat protection. He highlighted the unique Sophos Security Heartbeat that facilitates endpoint communication and information exchange as well as Sophos Sandstorm’s sandboxing of suspicious files and User Threat Quotient for identifying risky users.

The reviewer also commented that “editing rules is easy” and “policies are equally easy to work with”.

We weren’t surprised that SC Media cited XG Firewall’s reporting as being a strong suite for the product. We are the only vendor to include more than 1,000 reports at no extra charge as an integral part of the product.

SC Media also reviewed the documentation and support, noting that: “Documentation is presented in a novel way on the web portal … there is a large collection of very focused articles and lots of instructions and community discussions.”

But I think SC Media’s reviewer summed XG Firewall up accurately when he said: “This demands your attention no matter what size your organization.”

Learn more about XG Firewall at sophos.com/xgfirewall.

You can read the original article, here.

Phishing isn’t an unfamiliar term in these parts. In a previous blog post, we tackled the many ways hackers use phishing emails to trick users into downloading malicious attachments or visit malicious websites. In 2016 alone, phishing attacks have increased by a staggering 400%, and this year, the trend is likely to progress. So today, we’ll continue the campaign to end phishing by tackling another mode of attack in the form of phishing websites.

Sending malicious emails is only one part of the phishing process. The aspiring phisher usually also builds a fake website with the intention of tricking victims into entering login credentials, banking information or both, which the phisher then has access to. Phishing has victimized millions of users over the years. To prove how effective it is, consider this curious case from back in 2013. A trio of hackers were arrested in the UK for attempting to phish almost £60 million from unsuspecting customers by crafting over 2,600 fake banking websites.

To help you avoid falling victim to these attacks, we’ve compiled some of the most common scenarios in which you could encounter phishing sites and also some tips for how to spot them so you can avoid handing over your info.

How Do Phishing Websites Reach You?

Scenario 1: Opening a phishing email

Let’s start with a scenario that you’re already familiar with. Nick is a proud earner. He worked very hard over the years to earn $1 million dollars for his retirement. Just a few months before his retirement party, Nick was receiving emails from his “bank”, telling him to update his banking information. He logged in to the “bank’s website” and changed his credentials. The very next day, he found out his savings were wiped clean, just like what happened to a woman from the UK in 2012.

Scenario 2: Clicking a suspicious ad

Ads serve as another medium to carry out phishing attacks. Mary, for instance, was searching for easy-bake recipes online. She typed “easy cake recipes” on Google and without examining the link, she clicked on a Google Ad that reads “Easy Cake Recipes Today”. The ad led her to a webpage asking for credit card details in exchange for recipes. Luckily, Mary was suspicious of the payment request, so she promptly closed the webpage. She dodged a bullet there because these fake Google Ads were being used to carry out phishing attacks back in 2014.

Scenario 3: Accessing a fake login page

Phishers will stop at nothing to steal information. Take the case of Sophia who is looking to update her passport, as an example. Sophia types the name of the passport agency she’s looking for into her search engine and clicked the first link she saw. Everything looked good to her since the login page had nothing weird about it. She typed in her login credentials and her passport information. After submitting, she wondered why she didn’t receive any response from the agency. She found out the next day that her accounts have been compromised, similar to Singaporean citizens last year who fell for phishing attacks that spoofed government login pages.

Scenario 4: Engaging in social media

Ron had a problem with his bank, and thinking he could get a faster response via Twitter, he tweeted his concern to the bank’s Twitter handle. Within a few hours, a “bank representative” replied by providing him a link to the “bank’s support page”. Ron was smart enough not to trust the “representative” because he knows not to trust unverified Twitter accounts. Ron just encountered, and fortunately avoided, one of the most popular types of phishing attacks on social media.
Tips for Spotting a Phishing Website

In case you haven’t figured out the pattern, all the scenarios were based on real-life phishing attacks and scams. Nick, Mary, Sophia and Ron may be fictional, but the threats they faced are very real. Here are some helpful tips to avoid getting phished by these harmful websites. Let’s divide our solutions into two.

Before Clicking

Always check and study the URL before you click it. Whenever someone sends you a link via email or social media, or in any platform for that matter, take time to study the URL before you click. You don’t have to be an expert in spotting a suspicious URL. You should also make sure to hover over any hyperlinked text before clicking.

Identify the source of the link. Did you know the person who sent you the link? If you have even a drop of doubt, don’t click the link. 

After Clicking

Check and study the URL BEFORE logging any information. Let’s say you accidentally clicked a phishing link. You shouldn’t panic just yet. As mentioned above, study the URL of the webpage and look for the obvious red flags.

Scan the page for a Trust Seal. Most legitimate sites takes advantage of trust seals, small badges issued by third party companies that show how safe a site is (e.g. by showing a trust score, sales sites, or whether the site is encrypted with SSL/TLS). Pages that collects login or payment information should have a trust badge or a Secure Site Seal in order to assure visitors that the website is legitimate.

Check the address bar for the organization’s details. SSL/TLS Certificates play an essential role in web security by encrypting sessions and protecting information sent between browsers and web servers. Extended Validation (EV) SSL, the highest level of SSL, adds another important element by presenting the website operator’s verified identity, usually in a dedicated green address bar.

Check the website address isn’t a homograph. Some major browsers do not understand foreign languages such as the Cyrillic alphabet. A hacker can register a domain such as xn--pple-43d.com, which is the equivalent of apple.com and purchase an SSL for it. This is also known as script spoofing.

There is one way you can catch this type of attack. If you feel the link is suspicious, copy and paste it into another tab

It’s as simple as that. The true nature of the domain is revealed right away and you know that the website cannot be trusted. You can also spot these homographs by clicking through the certificate details to see which domain is covered by the certificate.

In the example above, you’d see the certificate was actually issued to https://www.xn--80ak6aa92e.com/’ and not ‘apple.com’.

Phishing attacks may see a rise in the coming years, but as long as you’re educated in preventing them, these cheap methods of stealing will claim fewer and fewer victims in the future. Your best defense against hackers is your extensive knowledge of their dirty tricks.

You can read the original article, here.

Ransomware has been on the computer security radar for some time now but are you aware that it’s increasingly targeting servers?

Servers are the treasure trove of an organization’s data and the applications that access it. As senior vice president and general manager of Sophos’ Enduser and Network Security Groups Dan Schiappa explains, “Servers are considered the jackpot for cybercriminals, since they can store confidential corporate and employee information, medical records with social security numbers or private customer documents.”

We understand that servers differ from user endpoints, with higher performance and availability requirements. Therefore, we’ve enhanced our server capabilities with two technologies to assist Server Admins in meeting these needs:

CryptoGuard

Much like you’ve seen with Intercept X for endpoints, Sophos Server Protection now has signature-less detection capabilities in the form of CryptoGuard. This additional layer of defense detects and reverses unsolicited encryption of data on servers, so that cyber criminals don’t get the chance to hold organizations captive for extortion. Even if ransomware on a rogue endpoint connects to a server and attempts to encrypt files on a server, Sophos Central Server Protection Advanced protects the organization.

Sophos Security Heartbeat for Windows Servers

We have also broadened our Synchronized Security by adding Sophos Security Heartbeat capabilities to Sophos Central Server Protection Advanced, which includes:

• The Destination Heartbeat feature, introduced in XG Firewall, was designed with Servers in mind. Should a server become infected, the XG Firewall can isolate it and prevent other endpoints from accessing it.
• Positive identification of compromised servers: To alert an admin that a key asset may be compromised. Machines are explicitly labelled as servers in the Sophos XG Firewall Control Center, helping admins to prioritize their response efforts.
• The Missing Heartbeat capability is another valuable feature for server admins. Because servers should always send a heartbeat, a missing beat could indicate that it’s been compromised.

You can read the original article, here.

We know that a firewall is the first line of defense against external threats. It can block hackers, isolate potentially harmful information and stop targeted malware attacks from getting into your network and affecting your users.

But, what are the defining characteristics of a great firewall? We think it comes down to four critical areas: Security, Insight, Simplicity and Performance.

That’s why you’ll find all of these and more in the Sophos XG Firewall. Sophos XG it’s easier to use, with new navigation, enhanced logging and troubleshooting tools, and streamlined workflows.

It’s more powerful, with new policy tools that make it easy to build sophisticated web, email, and routing policies custom tailored to your needs.

It’s got more innovative, with new Synchronized Security features like dynamic app identification and new Security Heartbeat options that improve protection, response, and visibility into what’s happening on your network. See for yourself what makes our firewall great.

Looking for a new firewall?

As firewalls become more complex deciding which one to buy can be a daunting task. We’ve created a Firewall Buyers Guide to make finding the right firewall easy. It will help you establish your firewall needs, shortlist suitable vendors and provide you with key questions to ask your vendor.

You can read the original article, here.

UTM 9.5, including many new features you’ve asked us for, is just around the corner – and we’d like to invite you to join the beta test of the release.

This version builds on our industry-leading protection and performance, with several new features for Web Application Firewall, Sophos Sandstorm sandboxing and to make management and reporting even easier, faster and more flexible.

Here’s a brief overview of what’s new:

Web Application Firewall Enhancements

• WAF URL Redirection gives you the ability to redirect traffic for a WAF protected URL to a different backend system or URL.
• Configure minimum allowed TLS version to improve security.
• WAF protection and authentication policy templates were added for common Microsoft services for protection and authentication.
• True File Type Scanning to be able to block uploads and downloads based on MIME type.
• WAF Proxy Protocol Support to use the client IP info inside the ProxyProtocol header to make policy decisions and improve logging.

Sophos Sandstorm Enhancements

• Datacenter location selection option for Sophos Sandstorm without relying on DNS-based location detection.
• Scan exceptions for Sophos Sandstorm to exclude specific filetypes from being sent to Sophos Sandstorm analysis.
• Sandstorm activity reporting expanded to include email attachments for improved visibility

Management and Reporting Enhancements

• 64-bit PostgreSQL Database to generate reports with big datasets faster.
• Download all UTM logs in a single archive.
• Certificate Expiration Notification 30 days before expiration date via WebAdmin and e-Mail to be able to react early on certificate renewal.
• Support Access with SSH is extending the existing Support Access feature.
• SNMP Monitoring of full filesystem to integrate UTM filesystem monitoring in regular SNMP based monitoring solutions.
• RESTful API to configure Sophos UTM 9

Where to get the beta firmware and provide feedback

The full release notes along with the beta firmware files are in the UTM 9.5 Beta Forums on the Sophos Community Site, where you can also give us your feedback. As usual, we don’t recommend you run beta firmware in a production environment but we highly value and appreciate your contribution in testing the beta and helping make this release the best it can be.

We’re expecting to start rolling out the update to UTM 9.5 at the end of April, so don’t delay if you’d like to be part of the beta test – and we’d really value your input.  Click here to join us in the beta test!

You can read the original article, here.