
We've all done it before — searched for instructions on something we feel like we should be able to do ourselves. Whether it's how to tie a bow tie, how to change your oil, or how to repair a smartphone, people are constantly looking to do things for themselves. Naturally there are tasks beyond our actual ability, but can you blame any of us for trying? We have the information, resources, and always the desire to save money. That being said, one of the things that is likely beyond DIY abilities is combating cyberattacks for your business.

There are a seemingly unlimited number of cybersecurity solutions created to help businesses protect the personal and financial information of their customers. These services are best supported by cybersecurity companies, but far too often business owners and IT managers look to buy the tools and attempt to do it themselves. But can you really learn everything you need to about technologies like SIEM and then defend against cyber-attacks?

This blog will explain why you not only need cybersecurity tools, but also cybersecurity vendors to provide you with effective solutions.

SIEM Systems Need Constant Management

Depending on the SIEM system, there are different approaches for cybersecurity monitoring and protection. No matter if the SIEM tool is made by Intel, IBM, or Fortinet, the overall goal of being notified of attackers is the same. However, one may have a larger range of coverage for devices and log types, while another may have a specific log manager that picks up different events. Whatever it may be, the solution will collect information and present an analysis, but to optimize your security there should be someone managing the system full-time.

Let's say you want to build a shed in your backyard to protect some equipment and toys from the rain, and you have a hammer, plenty of nails, wood, and a few other tools. Unfortunately, nothing will get done if you don't pick up the hammer. It is great that you have the necessary tools and supplies, but you will never build a shed to protect your equipment and toys if no one uses the tools. It is the same with SIEM services and tools: without full-time personnel, ideally from a professional cybersecurity company, you are at risk of missing critical notifications and real threats.

Why Cybersecurity is not a DIY Product

If you don't think this is the case and you feel confident that you'll be able to check on the program every now and again, you might want to reconsider. There were 668 million records exposed in breaches in the U.S. last year alone (the year before, there were over 1.5 billion); that is over 668 million times that confidential information was exposed without permission. Also, 38% of the world's cyberattacks are targeted at the United States. Beyond the legal requirement to secure our customers' information, these numbers alone highlight the magnitude of the problem and the need to invest in a solid cybersecurity company's services. Under constant attack from unseen sources, are you really confident that you'll be able to manage it all yourself?

Let's again assume you are determined to do this all yourself. Are you proficient in programming in Java or C/C++? Do you understand web application technologies? Linux operating systems? Telephony technologies (analog and Voice over IP)? Okay, well, maybe you don't, but you can learn, right? If so, are you planning on learning on the fly from a couple of online videos? We don't want to discourage you from learning, but we need to be realistic. Installing a SIEM product and then following a manual to figure out how to make everything work is about as easy as putting a 4th grader who can just read decently well into a college-level biology class and expecting them to succeed. The information is right in front of them, but can you really expect that?

Maybe we aren't giving you enough credit and you actually do understand all of these things. If so, good for you for sticking with this blog and reading all the way to here. But can you handle reading the analyzed data for every device in your entire company every day? That's where the benefit of hiring a cybersecurity company to manage the entire SIEM system for you comes into play. Not only will you have a service that is customized to your business, but you will also have a team of experts constantly reviewing your system for dangerous activity. With just the SIEM tool at your disposal, you may be alerted when a breach is detected, but what will you do from there? A managed security service provider will not only notify you but also assist with a solution.

The wisest approach when you are looking to improve your company's cybersecurity is to not only purchase one of the many tools that are on the market, but make sure you also have a cybersecurity company on your side providing you with all the support you need.


 

I needed to add some interactive check boxes to a Word document, but found that they are only available on the "Developer" tab, which is hidden by default in Word. To show the "Developer" tab, follow these steps:

  1. Click the "File" drop down menu
  2. Click "Options" at the bottom of the menu
  3. Select "Customize Ribbon" on the left side of the dialog box that appears
  4. Choose "Main Tabs" from the "Customize the Ribbon" drop down menu
  5. Check the "Developer" box to enable it
  6. Then, to add a checkbox, switch to the "Developer" tab and click the checkbox icon (in the "Controls" group)


 

When a FortiGate is managed via FortiManager, administering the FortiGate outside of FortiManager can cause the configuration to become out of sync. While updating an SSL certificate used for VPN access on a FortiGate for a customer, I found that I was unable to create a certificate signing request from FortiManager. After doing some research, I found a Fortinet article explaining that the certificate must be requested, and the certificate request completed, on the FortiGate itself, even if the device is managed via FortiManager. This makes sense: the private key for the request is generated and stored on the FortiGate, so the issued certificate has to be imported on the same device that created the request. To complete this process, do the following:
  • Log in to the FortiGate in read-write mode
    • Create a certificate signing request on the FortiGate
    • Download the certificate signing request from the FortiGate
    • Submit the certificate signing request to the certificate authority
    • Download the issued certificate from the certificate authority
    • Import the certificate on the FortiGate to complete the certificate signing request
  • Log in to FortiManager
    • Select the FortiGate in Device Manager and go to the "System: Dashboard" page
    • In the "Configuration and Installation Status" pane, click the "Revision History" (four horizontal lines) icon on the "Total Revisions" line
    • Click the "Retrieve Config" button
    • The current configuration, including the new certificate, will be retrieved
    • The certificate can now be used in configurations managed in FortiManager
If you are replacing the old certificate, update the configuration in FortiManager to reference the new certificate and install it to the FortiGate so that the old certificate is no longer in use. Once the old certificate is no longer referenced, you can log in to the FortiGate in read-write mode and delete it. After the old certificate is deleted, repeat the "Retrieve Config" operation so FortiManager's copy of the configuration matches the device again.
 
The Fortinet article explaining this process can be found at https://kb.fortinet.com/kb/documentLink.do?externalID=FD35142

 

Unauthorized individuals have accessed nonpublic information. Whether it is documents discovered in a dumpster that should have been shredded, ransomware holding information hostage, or a tornado that blew files all over the county, who do you notify?

Definition of Information

Before we can determine appropriate action, we must first understand what exactly we are talking about. In this instance, we are talking about personally identifiable information (PII). The definition is largely standard across industries, whether financial, healthcare, or beyond. Note, however, that information which is publicly available on its own becomes nonpublic personal information once it is combined with information a consumer provided to obtain a product or service.

U.S. Department of Homeland Security

The U.S. Department of Homeland Security released a factsheet that defines personally identifiable information (PII).

PII is any information that permits the identity of an individual to be directly or indirectly inferred, including any information which is linked or linkable to an individual. Some PII is not sensitive, such as that found on a business card. Other PII is Sensitive PII, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

That definition leaves room for some interpretation, and even some misinterpretation if we are not careful.

Gramm-Leach-Bliley Act (GLBA)

In 1999, Congress enacted the Gramm-Leach-Bliley Act (GLBA) to provide a framework for the financial services industry. When talking about nonpublic information we often reference GLBA; however, the privacy provisions are actually only a small part of the act. Title V of the GLBA describes nonpublic personal information as follows:

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).

I like to think about it this way: what information of mine do I not want disclosed? When classifying data, do you assess the legal implications of that information being disclosed? What about the reputational implications if customer or consumer information is disclosed?

Considerations for your Incident Response Plan

Avoiding notification does not guarantee the preservation of your reputation. Notification paired with action already taken, or about to be taken, can work in your favor. Not notifying, and having the public learn of the disclosure from another source, will rarely work to your advantage.

Your Incident Response Plan needs to include criteria that help determine what action is necessary. To that end, address the following questions within your plan:

  • What types of information disclosure require notification?
  • Who is notified?
    • Does your regulatory agency require notification? When in doubt, reach out to your regulatory agency. I know, I know! I hear the grumblings and eye rolls as I type this. Contrary to popular opinion, your examiners' sole purpose in their regulatory life is not to make you miserable, but rather to collaborate with you and help. Build that relationship with them.
    • Does law enforcement require notification? It is a good practice to notify law enforcement (local, FBI, Secret Service, etc.). They may not be able to assist with your incident; however, it is possible they are working on a case that is linked to yours.
    • Do service providers and/or insurance providers require notification? Some service agreements and insurance policies have very specific notification requirements identified. Make sure these are identified in your Incident Response Plan so you do not miss those in a time of crisis.
    • Do customers require notification? In 2005, the FFIEC agencies jointly issued guidance titled Response Programs for Unauthorized Access to Customer Information and Customer Notice. It clearly states that if customer information has been accessed in an unauthorized manner, timely customer notification is required.
    • Do consumers and/or the public require notification? What if rather than customers it was consumers affected? Individual notification may not be feasible. Assess the impact of notification, or lack thereof, to determine if notification is warranted. A consumer could be a potential customer, and the notification could be what sways them one way or the other.

As you are developing the notification procedures in your Incident Response Plan, keep notification timing in mind. For example, law enforcement may need you to hold off on notifying customers and/or the general public for investigative purposes, and your insurance policy may dictate that the insurer be notified before any other action is taken. Make sure your plan outlines these dependencies and that they are reviewed as part of your Incident Response testing.

In the End

According to the Identity Theft Resource Center, in July 2019 alone, 104,546,381 sensitive records were exposed in breaches of various types. Information disclosure is, for practical purposes, inevitable, which means a strong notification strategy is necessary.


 

On May 24, 2019, Fortinet published an advisory stating that certain versions of its FortiOS software are vulnerable to a path traversal attack that allows an unauthenticated attacker to download system files through specially crafted HTTP requests. The vulnerability is only exposed when the SSL VPN service is enabled, in either web mode or tunnel mode. The vulnerable FortiOS versions and the corresponding patched versions are:

  • FortiOS 6.0.0 to 6.0.4
    • Patched version: 6.0.5 or above
  • FortiOS 5.6.3 to 5.6.7
    • Patched version: 5.6.8 or above
  • FortiOS 5.4.6 to 5.4.12
    • Patched version: 5.4.13 (upcoming at the time of writing)

CoNetrix Security Penetration Test engineers have confirmed this vulnerability can be used to download usernames and passwords from FortiGate devices. The usernames and passwords can then be used to establish an SSL VPN connection which would give an attacker access to internal networks and systems.

CoNetrix strongly recommends all customers ensure the patched versions of FortiOS listed above are installed on all Fortinet devices that have the SSL VPN service enabled.

CoNetrix Technology customers with managed service agreements have already been updated to a patched FortiOS version that protects against this vulnerability.

References:
https://fortiguard.com/psirt/FG-IR-18-384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379
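The following PowerShell is an added example, not part of the Fortinet advisory or the original post. It checks a FortiOS version string (as shown by "get system status", or a bare version) against the vulnerable ranges listed above and reports the first fixed version, treating SSL VPN being disabled as "not exposed" per the advisory. It also scans web access-log lines for a generic path-traversal pattern (a ".." path segment, after double percent-decoding). The version ranges are copied from the advisory text above; the log lines and paths are constructed for the example, and the traversal check is a generic one, not a signature for this specific advisory.

```powershell
# Added example (not from the Fortinet advisory or the original post).
# Lowest vulnerable, highest vulnerable, and first fixed version for each branch,
# copied from the advisory text above.
$VulnerableRanges = @(
    @{ Low = [version]'6.0.0'; High = [version]'6.0.4';  Fixed = [version]'6.0.5'  },
    @{ Low = [version]'5.6.3'; High = [version]'5.6.7';  Fixed = [version]'5.6.8'  },
    @{ Low = [version]'5.4.6'; High = [version]'5.4.12'; Fixed = [version]'5.4.13' }
)

function Test-FortiOSVersion {
    param(
        # Accepts a bare version or the 'get system status' form, e.g. 'v6.0.4,build0231'
        [Parameter(Mandatory)] [string] $VersionText,
        # The advisory only applies when the SSL VPN service is enabled
        [bool] $SslVpnEnabled = $true
    )
    if (-not ($VersionText -match '(\d+)\.(\d+)\.(\d+)')) {
        throw "No FortiOS version found in '$VersionText'"
    }
    $v = [version]$Matches[0]
    $result = [pscustomobject]@{ Version = $v; Vulnerable = $false; Fixed = $null; Reason = '' }
    if (-not $SslVpnEnabled) {
        $result.Reason = 'SSL VPN disabled'
        return $result
    }
    foreach ($r in $VulnerableRanges) {
        if ($v -ge $r.Low -and $v -le $r.High) {
            $result.Vulnerable = $true
            $result.Fixed = $r.Fixed
            $result.Reason = "in vulnerable range $($r.Low) to $($r.High)"
            return $result
        }
    }
    # Anything outside the listed ranges (including other branches) is reported as
    # "not listed"; that reflects the advisory text, not an independent assessment.
    $result.Reason = 'not in a listed vulnerable range'
    return $result
}

function Test-PathTraversal {
    param([Parameter(Mandatory)] [string] $Uri)
    # Decode twice to catch double-encoded sequences such as %252e%252e%252f,
    # and normalise backslashes so "..\" is treated like "../"
    $decoded = [uri]::UnescapeDataString([uri]::UnescapeDataString($Uri))
    $decoded = $decoded -replace '\\', '/'
    return [bool]($decoded -match '(^|/)\.\.(/|$)')
}

function Find-TraversalRequests {
    param([Parameter(Mandatory)] [string[]] $LogLines)
    foreach ($line in $LogLines) {
        # Common log format: client ident user [time] "METHOD uri HTTP/x.y" status bytes
        if ($line -match '^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"') {
            $client = $Matches[1]
            $uri = $Matches[2]
            if (Test-PathTraversal -Uri $uri) {
                [pscustomobject]@{ Client = $client; Uri = $uri }
            }
        }
    }
}

# Constructed sample lines; the paths are illustrative and are not the advisory's request.
$SampleLog = @(
    '203.0.113.5 - - [24/May/2019:10:00:00 +0000] "GET /vpn/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/May/2019:10:00:05 +0000] "GET /vpn/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893',
    '198.51.100.7 - - [24/May/2019:10:00:09 +0000] "GET /vpn/%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0'
)

Test-FortiOSVersion -VersionText 'v6.0.4,build0231'
Test-FortiOSVersion -VersionText '5.4.13'
Test-FortiOSVersion -VersionText '6.0.3' -SslVpnEnabled $false
Find-TraversalRequests -LogLines $SampleLog | Format-Table -AutoSize
```

The version check is deliberately conservative in one direction only: a version inside a listed range is flagged, and everything else is reported as "not listed" rather than "safe", so a branch the advisory does not mention still gets a human look. The traversal scan is a triage aid for web or reverse-proxy logs in front of the SSL VPN portal; it will catch both plain and double-encoded "../" sequences but says nothing about whether the request succeeded, so pair a hit with the response status and the patched-version check before drawing conclusions.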


 

You can run the following command from a Windows command prompt to remove an app for all users of a PC. This should be done before deploying the PC; it will not remove the app for users who have already logged in. This command removes Solitaire as an example.
 
powershell -command "Get-AppxPackage -AllUsers -Name *solitaire* | Remove-AppxPackage -ErrorAction SilentlyContinue"
 
You can also run a similar command as the user to remove the app for that user only. (Remove the "-AllUsers" switch and add "-windowstyle hidden" so no console window is shown.)
 
powershell -windowstyle hidden -command "Get-AppxPackage -Name *solitaire* | Remove-AppxPackage -ErrorAction SilentlyContinue"
 
You can include commands for several different apps into a single script and run that on the PC or as the user at login.
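As an added example (not from the original post), here is a script form of the same idea that handles a list of app name patterns in one pass and also removes the provisioned copy of each app. The provisioned package is what Windows installs into each new user profile at first logon, so removing only the installed package leaves the app for accounts created later. The name patterns are illustrative choices, and the script assumes an elevated PowerShell prompt on a current Windows 10 build (Remove-AppxPackage -AllUsers is not available on the earliest releases).

```powershell
# Added example (not part of the original post). Run elevated, before deploying the PC.
# The patterns below are illustrative; adjust them to the apps you want removed.
$AppPatterns = @('*solitaire*', '*xbox*', '*zunemusic*')

function Remove-BuiltInApp {
    param([Parameter(Mandatory)] [string[]] $Patterns)
    foreach ($pattern in $Patterns) {
        # Installed copies in every existing user profile
        Get-AppxPackage -AllUsers -Name $pattern |
            Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue

        # Provisioned copy: this is what gets installed into each new profile at first
        # logon, so removing only the installed package would leave it for future users
        Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -like $pattern } |
            Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue | Out-Null
    }
}

function Get-RemainingBuiltInApp {
    # Post-run check: report anything still present for any pattern
    param([Parameter(Mandatory)] [string[]] $Patterns)
    foreach ($pattern in $Patterns) {
        Get-AppxPackage -AllUsers -Name $pattern | Select-Object Name, PackageFullName
        Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -like $pattern } |
            Select-Object DisplayName, PackageName
    }
}

Remove-BuiltInApp -Patterns $AppPatterns
Get-RemainingBuiltInApp -Patterns $AppPatterns
```

Keep the patterns specific: a pattern like "*store*" would match the Microsoft Store itself, and some packages (the Store, Edge, and framework packages) either cannot be removed or will break other apps if they are. Run the post-check before imaging so you can see exactly what survived and why.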

 

After an HVAC crew at a customer's DR site triggered multiple power outages, their recently repurposed ESX host (an HP ProLiant DL360 G9), which wasn't connected to a UPS at the time, would no longer pass POST. It would stop at 'Loading System Firmware Modules' before faulting and showing the RSoD (HPE's red screen of death). After trying multiple options we thought the power surges/outages might have caused a hardware failure, but the errors on the RSoD didn't seem to indicate that.
 
I found a related article (https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0128466) aimed at BL460c blades that fail to POST after firmware upgrades, and decided it was worth a shot before going down the hardware replacement route.

"SYMPTOM: Server May on Rare Occasions Stop Responding during Power-On Self-Test (POST)
This issue occurs because the server reads unexpected data values from the Non-Volatile RAM (NVRAM) or has found a boot block corruption and may exhibit one of the following symptoms:
•       Server may not display video
•       Server NIC port may be disabled
•       Server may not boot
 
Cause
Non-volatile RAM (NVRAM) holds its state after the master device/circuit is powered off. Hardware typically uses CMOS (complementary metal oxide semiconductor) to implement NVRAM and incorporates a battery power source to retain system settings. That clears the current assignments of IRQs and such, unless the user has a hardware conflict."

On the system board, there exists a 'System Maintenance Switch' with multiple pins for performing different actions. We had to power down the server, then switch pin 6 (Clear CMOS and NVRAM) to the ON position, power up the server to clear NVRAM, power it back down and change the pin position back to off, and finally power it back up. Thankfully, this cleared up the issue completely and the server could boot up without problem. Just keep in mind all your potential alternatives before assuming a hardware failure.


 

We've had some frustrations with end users accidentally shutting down their machines at the end of the day, causing after-hours updates and software pushes to fail. We wanted users to keep the ability to restart, and administrators to be able to shut down machines if needed. We investigated a few options using group policy and user rights assignment, but neither worked out, because they also removed the user's ability to restart their machine.
 
After some research, a recent post in a Citrix forum noted a new registry key that was released with either the 1703 or 1709 build of Windows 10 and allows far more granularity in managing the desktop interface. This includes a value specifically for removing only the shutdown option from both the "Shut down or sign out" menu and the Power menu.

The registry key can be found (or created) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start
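As an added example (not from the original post), the PowerShell below creates the key named above if needed and sets the Start/HideShutDown policy value, which is the value the Windows Policy CSP defines for hiding "Shut down" in the Start area. The value name comes from that CSP definition rather than from the post; the function name and the read-back at the end are my own choices for illustration. Run it from an elevated prompt.

```powershell
# Added example (not part of the original post). Run elevated.
$StartPolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start'

function Set-ShutdownHidden {
    param([bool] $Hidden = $true)
    if (-not (Test-Path -Path $StartPolicyKey)) {
        New-Item -Path $StartPolicyKey -Force | Out-Null
    }
    # 1 hides "Shut down" from the Start power menu and the "Shut down or sign out"
    # menu; 0 shows it again. HideShutDown is the Policy CSP value name for this setting.
    New-ItemProperty -Path $StartPolicyKey -Name 'HideShutDown' -PropertyType DWord `
        -Value ([int]$Hidden) -Force | Out-Null
    # Restart is governed by the separate HideRestart value; leave it unset (or 0)
    # so users can still restart their machines
    Get-ItemProperty -Path $StartPolicyKey | Select-Object HideShutDown, HideRestart
}

Set-ShutdownHidden -Hidden $true
```

Two caveats worth knowing before relying on this. First, it only hides the menu entry: anyone who holds the shutdown right can still run "shutdown /s" or Stop-Computer, which is exactly what lets administrators power machines off remotely while users lose the accidental click. Second, the PolicyManager key is where the MDM client writes its policies, so on a device enrolled in Intune or another MDM the value can be overwritten by whatever the MDM profile says; on such devices set the Start/HideShutDown policy through the MDM instead of the registry. The change is picked up after the user signs out and back in.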

 

It was announced on August 16th that 22 Texas cities were attacked and infected with ransomware, rendering many of their municipal IT systems unavailable to conduct daily business. The mayor of one of these cities has said the ransom request was $2.5 million to unlock their files. The Texas Department of Information Resources believes this was a coordinated attack by a single threat actor. Source: https://dir.texas.gov/View-About-DIR/Article-Detail.aspx?id=209

We will likely get more details about how these networks were infected, but this incident should be a reminder to continually evaluate your cyber security risks and follow best practices to ensure your business or financial institution is protected. 

Below are a few comments and recommendations to consider as you examine your cyber security posture.

You don't have to be a big business to be a target

We've seen an increasing number of cyber attacks and ransomware infections directed toward small businesses where the bad actors see them as "low hanging fruit" with limited cyber security defenses. The cities listed in the recent news articles about this event are relatively small - less than 10,000 residents.

Most of these attacks rely on email phishing to gain access

A good email filtering solution is a good start, but ongoing employee training and testing is critical to help staff recognize potentially malicious emails. There are several tools available, like the Tandem Phishing solution (https://tandem.app/phishing-security-awareness-software), to help design and implement a phishing plan.

Traditional Anti-Virus solutions are not good enough

Many small businesses are still relying on traditional signature-based AV solutions. These products are not sufficient to protect against the latest malware. New products such as CylancePROTECT are more effective for stopping attacks by using machine learning instead of a bulky signature database.

Monitor your network

Our IT environments are under constant attack from bad actors around the world. This is an unfortunate fact of life today. An effective monitoring solution like CoNetrix Network Threat Protection is one of the security layers that every business should implement to help identify these attacks, and help them react quickly to prevent or limit potential damage. 

Incident Response is important

While we apply controls to protect against incidents, it is important to have a plan in the event an incident occurs. If you have a documented Incident Response plan, great! Now take that IR plan to the next level by regularly conducting tabletop exercises and penetration testing to validate and improve it.

Backups should be a last resort

Ideally, if several security layers are in place, restoring from a backup won't be needed. However, to ensure your backup is safe from being encrypted by ransomware, it should be "air gapped" from the primary network: the backup data should be offline or otherwise not directly reachable by the malware. Historically this has been done using removable media like tapes, but today it is often more efficient and cost-effective to use a cloud backup service, provided the stored copies cannot be modified or deleted with credentials available on the compromised network. Many of these services (like CoNetrix AspireRecovery) provide a cloud backup with an option for disaster recovery services.

No enterprise has to be a victim to ransomware. With proper planning and intentional practice, you CAN protect your network. While there is an investment associated with implementing appropriate controls and practices, the return on investment is well worth it if you protect against just one attack, not to mention the peace of mind you gain.

Contact CoNetrix Sales if you would like more information about protecting your network.


 

The world of cybersecurity has had some fundamental shifts in the past several years that have made the vast majority of companies unprepared for today's threats. The extensive use of malware, for example, has dramatically reduced the value of traditional security solutions, such as firewalls, IDS/IPS, and anti-virus software. These solutions that used to adequately prevent attacks are now very limited in their risk mitigation value. Many organizations have not updated their cybersecurity technology and solutions to stop today's threats. It's like monitoring your front door for a break in while someone comes in through the back window.

Even companies that have taken cybersecurity seriously have not always been led the right way by cybersecurity vendors. In the past, an organization who was serious about cybersecurity was told that they needed 24x7x365 monitoring - paying for really smart cybersecurity professionals to watch the alerts and events as they happen in real-time so they could respond at a moment's notice to malicious events.

But legacy technologies have relied mostly on human review, not machine intelligence. A common staffing metric for a traditional Managed Security Service Provider (MSSP) is one security engineer for every 30 devices under management. In the U.S., the average cybersecurity professional makes $116,000/year. That puts the labor cost of monitoring a single device at roughly $322/month, forcing traditional MSSPs to charge between $500 and $1,500 per device per month to be profitable. Does this sound like your MSSP?

At those rates most customers can only afford to have a few devices monitored, usually the firewall, IDS/IPS, and possibly a Windows domain controller. When asked why more devices didn't need to be monitored, these MSSPs would say, "As long as you are monitoring the choke points, you are safe."

Using the home security system analogy, imagine being told that monitoring the front and back doors is enough, and then having your child kidnapped through a bedroom window. No choke-point-only security system would detect that, allowing the worst-case scenario to happen without your system even tripping. Home security systems relied upon a few choke points because it was very expensive to run wires through the whole home (especially after it was already built). Today, however, many home security systems use wireless technology, which makes it possible to place multiple sensors throughout the house without wires and makes securing the entire home against multiple threats much less expensive.

Thankfully, IT cybersecurity has evolved as well. Automated correlation and analytics from a properly deployed, configured, and tuned Security Information and Event Management (SIEM) solution can increase the number of devices each cybersecurity professional can cover many times over. Today, SIEM technology can quickly and efficiently find the "needle in a haystack" with far less human interaction. This dramatically reduces the number of cybersecurity professionals needed for a traditional Security Operations Center (SOC), which means a lower cost per device for customers. With a lower cost to monitor each device, we can now monitor more devices. Rather than just monitoring choke points, we can monitor all of the windows, doors, and rooms, which is really what was needed from the beginning.

When all of the critical devices are being monitored and correlated, you can now stitch together pieces of information across different systems and areas of the network to give you a much more accurate picture of what is happening. In other words, the more devices that you monitor, the more accurate the monitoring becomes and, therefore, the better economies of scale can be achieved.

So, what should a customer monitor? It's still a good idea to monitor the firewall and IDS, but we need to go beyond that and focus on today's threats. Routers, servers (especially Active Directory servers), wireless access points, and endpoint security solutions should all be monitored. With current SIEM technology, you can monitor all of these systems for about the same price as you used to be able to monitor just the firewall and IDS/IPS.

Monitoring only choke points and smaller areas of a network will not protect your organization from today's threats. Cybersecurity monitoring is more important than ever, but real risk mitigation comes with a holistic approach to monitoring all of the possible security events from every possible device. Stop only monitoring your front door for a break-in and assuming that your business is safe... because your back window is open.

Contact Technology Sales at 806-698-9600 or email techsales@conetrix.com if you want to improve your Cybersecurity Monitoring and Response solution AND lower the annual cost.