Category: Cybersecurity

Types of Cyber Attacks to Expect in 2024


Types of Cyber Attacks to Expect in 2024: Insights from the SonicWall Cyber Threat Report

In today’s interconnected world, where digital transformation is rapidly evolving, cyber threats continue to pose a significant risk to businesses of all sizes. The SonicWall Cyber Threat Report for 2024 sheds light on the evolving landscape of cyber attacks, offering valuable insights into the types of threats organizations can expect to face in the coming year. Let’s delve into some of the key takeaways from the report and explore the potential types of cyber attacks on the horizon.

The Target: Small Businesses

Contrary to popular belief, small businesses are not immune to cyber threats; in fact, they are three times more likely to be targeted than larger organizations. SonicWall’s commitment to researching and publishing the latest threat intelligence is crucial, especially considering that small and medium-sized businesses (SMBs) make up 80% of their end users.

Trends from 2023

The year 2023 witnessed a significant acceleration in cyber threats, with an 11% year-over-year increase in malware attacks. Encrypted threats rose by a staggering 117%, while cryptojacking experienced an alarming 659% surge. Despite the overall increase in attack volumes, the report highlights a 38% decline in never-before-seen malware detections. This data implies that attackers are sticking to their traditional methods and continually refining them instead of creating new, never-before-seen malware.

Malware Landscape

Malware attacks reached a global volume of 6.06 billion in 2023, marking the highest since 2019. While Asia and Europe experienced a decrease in malware, North America and LATAM saw increases of 15% and 30%, respectively. Interestingly, malicious OneNote files emerged as a popular initial threat vector, showcasing threat actors’ adaptability.

Ransomware Resilience

Ransomware attacks totaled 317.6 million, indicating a 36% decrease year-over-year. Despite this decline, Asia witnessed a record high in ransomware volumes, rising by a staggering 1,627% since 2019. LockBit remained a formidable ransomware group, showcasing consistent innovation with bug bounty programs and regular toolkit updates. Threat actors aren’t slowing down, but for the time being, they’re finding variants that work and using them repeatedly.

Intrusion Attempts on the Rise

Intrusion attempts continued to climb, reaching 7.6 trillion in 2023, a 20% increase over the previous year. Malicious intrusion volumes rose across various industries, contributing to alert fatigue and potential data breaches.

Encrypted Threats Surge

Encrypted attacks more than doubled in 2023, reaching 15.7 million. While North America saw a 30% increase, Europe, Asia, and LATAM experienced triple-digit spikes. Industries such as healthcare, education, government, and retail witnessed significant encrypted threat surges. 

Attackers are using encryption protocols more frequently to hide malware, ransomware, zero-day attacks and more. Older-generation firewalls and other traditional security controls lack the capability to detect, inspect and mitigate threats sent over HTTPS traffic. This means the older the hardware and software you have, the easier it is for attackers to deploy and execute attacks on your business. If you have outdated firewalls or software, take a look at SonicWall’s Gen 7 Firewalls and other licensing here. There are affordable options for any size business that will protect you from these types of cyber attacks.

Cryptojacking’s Unprecedented Growth

Cryptojacking hits skyrocketed by 659% in 2023, reaching 1.06 billion. XMRig, a legitimate tool often abused by threat actors, remained a prevalent choice for cryptojacking attacks. The environmental and financial costs associated with crypto mining underline the seriousness of this growing threat.


Looking Ahead to 2024

As threat actors continue to adopt advanced technologies, the future threat landscape is expected to evolve rapidly. The use of AI in refining phishing attempts, executing convincing Business Email Compromise (BEC) attacks, and generating malicious code poses new challenges for defenders. 

Recommendations for Enhanced Cybersecurity

  • Enable Multifactor Authentication (MFA): Strengthen authentication security by implementing MFA to prevent unauthorized access.

  • Patch Promptly: Stay vigilant in applying patches promptly, as most exploit attempts target vulnerabilities that may have been known for months or years.

  • Conduct Regular Security Assessments: Identify vulnerabilities, assess risks, and fortify defenses through regular security assessments.

  • Ongoing Security Training: Educate employees on cybersecurity best practices to build a vigilant and informed workforce.

  • Scan Encrypted Traffic: Given the rise in encrypted attacks, ensure that all network traffic, especially encrypted traffic, is regularly scanned for potential threats.

  • Extend Protection to the Cloud: With the increasing adoption of cloud services, implement comprehensive security measures such as Security Service Edge (SSE) and Zero-Trust Network Architecture (ZTNA).

  • Update Security Appliances and Software: Legacy firewalls and software do not detect or mitigate threats as well as new generation products. Secure your business with updated firewalls now.

In conclusion, the SonicWall Cyber Threat Report for 2024 highlights the persistent and evolving nature of all types of cyber threats. By staying informed and implementing robust cybersecurity measures, businesses can enhance their resilience against the ever-changing threat landscape. 

Unsure About Your Network Security?

If you’re unsure about the security measures you have in place, our team can assess what you currently have and help patch any holes. Give us a call or send us an email and we would be happy to help. 


You can also browse the newest SonicWall products that are sure to detect and mitigate all types of cyber attacks that threaten your business. 

Chip Shortages & Firewalls: What You Need To Know

Why Is There A Shortage Of Firewall Inventory & Other Network Security Products

Since 2020, we’ve seen the global supply chain get disrupted, which in turn created shortages of products in most sectors. Although network security products have been readily available, we are now seeing shortages in firewall inventory and other network security products as well. The primary reason for the shortage in firewall inventory is their internal electronic components. Firewalls – like other electronic devices – require electronic chips to function. Currently there is a backlog of orders and supply is tight for electronic chips. In turn, that limits the manufacturing of all electronic products, including firewalls.

The Electronic Chip Shortage Explained

Electronic chip production has long played a major role in day-to-day life, as these chips make so many everyday items tick. These chips are used in phones, alarm clocks, cars, computers, and TVs to name just a few essentials. Fast forward to 2020, and manufacturing delays show how these electronic chips may have been taken for granted. By now, it is clear how important these products are to daily life and how hard things can sometimes be without them.

Electronic chip factories, mostly located in Taiwan, were not immune to the global effects of the pandemic, which led to downtime in production. Since most manufacturing – like the rest of the world – came to a halt for a while, these factories also had their supply of raw goods limited. One could simply say that the shortage of electronic chips is due to the downtime of factories and their inability to receive the raw materials needed for production.

When Will Electronic Chip Production Improve

With electronic chip demand being as high as it is and continuous delays in production, the world is in the midst of a widespread supply shortage. In turn, products – like firewalls – that require these chips have slowed down in production because they simply won’t work without them. Until backorders catch up and a steady supply of electronic chips returns, manufacturers will likely continue to experience inventory issues with firewalls and other network security products.

The condition will simply improve with time and continuous production. At the moment, there is still a massive backlog of orders, with the ever-increasing weight of growing demand for electronic goods. If factories stay open and chip prioritization continues, this issue should solve itself moving forward. As far as a timeline for when this will end, the future is murky. But conditions do look better ahead than in the rear-view mirror.

Who Has Firewalls In-Stock & How To Check Their Inventory

It’s important for buyers to know that not everyone who sells firewalls or network security products has the same access to inventory or variety of products. Here at Firewalls.com, we are top-tier partners with all of the manufacturers we sell, which gives us better access than most. With that being said, there are still products that may simply be unavailable. We suggest reaching out to our team of certified experts and telling them about your needs. Rest assured, we’ll work with you to find the right solution. Give us a call at 317-225-4117 or browse our inventory at Firewalls.com.

Sophos XDR: Extended response & advanced AI for the whole network

Sophos has long been known for creating holistic network security solutions that work across devices to provide broad views of network security posture. We have talked about the boons of Synchronized Security with Sophos Security Heartbeat for years on this blog! Now, that cross-device monitoring and high-powered AI security goes a step further with the introduction of XDR.

What is XDR?

XDR stands for Extended Detection and Response. This sounds similar to another industry technology: EDR, or Endpoint Detection and Response. But XDR takes the concept of Endpoint Detection & Response and extends it across multiple security layers. It brings together real-time network data and automated decision-making to provide advanced threat responses that stop attacks before they become a breach.

Sophos Intercept X with XDR extended advanced security across devices

How is Sophos XDR different from other solutions?

Sophos Intercept X Advanced with XDR (formerly Intercept X Advanced with EDR) integrates email, cloud, mobile, and endpoint data across your network, pulling data from multiple sources across security layers and products to provide broad, high-level security determinations orchestrated by deep learning AI. XDR leverages data from endpoints, servers, firewalls, switches, and other security devices spread across your network and centralizes that intelligence in a single ecosystem.

This pitch may sound familiar to you if you’ve used SOAR (Security Orchestration, Automation, & Response) or SIEM (Security Information & Event Management) solutions. What SOAR and SIEM do is quite similar in function: collect large volumes of data from multiple sources, analyze events, and provide guided response recommendations. Where XDR shines and soars above preceding solutions is in its ability to take action. Sophos XDR not only creates a roadmap of how admins should respond to an event but takes the initiative to apply those steps before a security incident can grow.

All in all, XDR goes beyond data gathering and helpful suggestions. Sophos XDR orchestrates responses and applies them across devices on a network.

How to get Sophos XDR

XDR found a home with Sophos as part of its Intercept X product suite, an advanced endpoint protection suite built to stop malware, ransomware, exploits, viruses, and zero-day threats. In previous years, Intercept X Advanced could be paired with EDR to automatically detect and prioritize threats. While Intercept X’s EDR capabilities suggest where and how network admins focus their attention, XDR is now fully closing the monitor-detect-respond decision-making loop.

Sophos Intercept X Advanced uses the latest machine learning technology to make security verdicts on unknown threats by comparing the behavior of potentially dangerous files or apps to the known behavior of currently understood threats.

Shop Sophos XDR

Shop Sophos Intercept X Advanced with XDR

Try Sophos XDR for yourself

Try a free online demo of Sophos XDR and see how endpoint detection and response driven by AI can tie together the loose threads of your network.

Palo Alto PA-3220 Firewall Overview

PA-3220 Overview

The Palo Alto PA-3220 is a powerful mid-range firewall engineered to perform in the strictest of business environments. To begin, Palo Alto is known as one of the leaders in the network security industry, and their firewalls have garnered the respect of many IT professionals. In this article, we’ll be taking a look at the PA-3220 and providing key information about its security features, specs, form factor, and price.

Key Security and Connectivity Features

Machine Learning-Powered Firewall

Deep within the core of the PA-3220 is machine learning technology. This technology leverages a cloud-based machine learning process that delivers instant signatures and instructions back to the firewall. On top of that, there is behavior analysis to identify IoT devices and even make policy recommendations.

Full 7 Layer Inspection

The PA-3220 categorizes all applications on every port ALL THE TIME! This security feature uses the application and not the port as the framework for all safe enablement policy decisions.

Unique Packet Processing with Single Pass Architecture

Efficiency and performance are strengths of the Palo Alto PA-3220. In a single pass, networking, policy lookup, application identification & decoding, and signature matching are all done. What this means for the network and firewall is that processing time and other overhead are greatly reduced, which keeps the network environment speedy.

PA-3220 Specs

  • Recommended Users: 200-300
  • Max Sessions: 1,000,000
  • New Sessions Per Second: 57,000
  • Firewall Throughput: 4.5 Gbps
  • Threat Prevention Throughput: 2.2 Gbps
  • VPN Throughput: 2.8 Gbps
  • Storage Capacity: 240 GB SD
  • Max BTU/hr: 819
  • Weight: 29 lbs

Palo Alto PA-3220 Front Panel

Palo Alto PA-3220 Firewall

The front panel on the PA-3220 comes with a variety of different ports. Below is a list of hardware capabilities:

  • 12 – 1 G ports
  • 4 – 1 G SFP ports
  • 4 – 1 G/10G SFP/SFP+ ports
  • 1 – Out of band management port
  • 2 – 10/100/1000 high availability ports
  • 1 – 10G SFP+ high availability port
  • 1 – RJ-45 console port
  • 1 – Micro USB port

View Datasheet

PA-3220 Price

The Palo Alto PA-3220 is priced at $18,900 MSRP as an appliance only. But of course, you’ll also need a security services subscription or subscriptions to maximize its performance – Shop PA-3220 security services.

PA-3220 Hardware Guide

Navigating your way around the PA-3220 may be difficult for some. To make it easier we’ve included a link to the hardware guide on PaloAlto.com for reference.

Managed Firewall Services & The Top 5 Reasons You Should Consider Them

Managed Firewall Services

Since early 2020, the digital threat landscape has vastly changed. What used to work no longer does, and there are countless new ways for bad actors to compromise systems. One of the biggest trends in 2020 was for small and medium-sized businesses to shift the responsibility of managing the firewall and other network security systems to specialized 3rd parties. Managed firewall services have seen massive growth and consolidation of providers.

If you haven’t received a call or email introducing you to these services you probably will soon, but that might not be a bad thing. While you’re running your business or your jack-of-all-trades IT guy is busy fixing the Wi-Fi, hackers are most likely strategizing ways to penetrate your network. This is where managed firewall services take over and provide an added layer of security on top of your security equipment to ensure your business is safe and won’t suffer a potential catastrophic setback.

The Benefits To 3rd Party Managed Firewall Services

In this article, we’ll discuss the top 5 reasons why it’s important to have managed firewall services and what you need to know. Now, some of the benefits to managed firewall services you may already know – and some you may not. What we’ve found is that even if you know the benefits of 3rd party managed firewall services, for some reason you haven’t strengthened your business with it. Hopefully by the end of this article you understand the sophisticated threat landscape and why hiring a 3rd party network security company makes sense.

1. Your Current Firewall Configuration Settings Are Probably Wrong

When we onboard a new client, 95% of the time they had their firewall misconfigured. Even the companies that have an IT staff most often get this important part of the setup wrong because the firewall is such a specialized piece of IT. In our experience it takes a highly trained network engineer to properly configure a firewall specific to an individual network. Even missing minor parts of the configuration can render the purchase of a firewall useless, because that is precisely where hackers will spot a vulnerability. Having a properly configured firewall is just as important as purchasing the correct firewall. This is where having managed firewall services really makes sense. Before the 3rd party can monitor the network they first have to have it set up correctly, which makes this the first realized benefit a client receives when they begin their 3rd party firewall management journey.

2. Maintaining Compliance

Depending on the industry, you may face stricter compliance requirements, but nonetheless, every business and organization has a responsibility to protect the data of their clients and employees. Having a specialized, highly trained team of network security engineers not only aids in keeping your business compliant but also shows customers your due diligence in providing the best security environment for their sensitive data.

3. Talent & Specialty

Scarcity in the marketplace for individuals who have this skillset is a real thing. Businesses frequently leave their security in the hands of an internal IT guy who is knowledgeable about everything but the firewall. Often we find that IT guy struggles to maintain the security of the organization. What that means is unless you are lucky enough to have a fully trained network security engineer on staff, you’ll always be one step behind bad actors or completely exposed to all sorts of digital threats. 3rd party managed firewall service companies recruit top talent and hire only those who have the skillset required to remotely manage firewalls and the surrounding touchpoints of our clients’ networks.

4. 24/7 Network Monitoring

Hackers work around the clock and so should your network security team. Network security management isn’t a 9-5, Monday-through-Friday responsibility. Managed firewall services provide 24/7 monitoring and threat detection protection for your business. This is important because no matter what time it is, you have trusted professionals actively protecting what matters and ensuring the safety of your business.

5. Cost

Since one of the main offerings Firewalls.com provides is managed firewall services, we are afforded the luxury of hiring & paying top talent to protect our clients. We can do this because those expenses aren’t sunk costs; they are revenue generating. Human assets can be deployed across multiple organizations, and for much less than it would cost our clients to hire a full-time network security engineer. Beyond the salary of a full-time engineer, there are also the money and time it takes to find in-house employees, which may never happen. Recruiting can be expensive and can easily take well over a year. Skipping the line and getting expert firewall management for less is one of the main reasons why our clients hire us. The Firewalls.com team has the ability to deploy quickly (time) and can be had for less (money) than a full-time employee.

Trust The Security Of Your Network With Firewalls.com

Our clients have trusted us with their network’s security because we offer US-based support, a real person picks up the phone, we have a lightning-fast ticket resolution rating, and affordable prices. Contact us today to get started or to receive a quick quote.


Firewall managed services pricing


Anatomy of a Phishing Email – How to spot social engineering emails targeting your small business

The local fire department is reaching out to let our small business know that we’ve passed our inspection. Very important! Or is it? Let’s take a close look at an innocuous email that slipped into a Firewalls.com inbox in an article we’re calling “Anatomy of a Phishing Email.”

A Not So Convincing Phishing Attempt

How phishing attacks work

Building false trust – The above email was definitely targeted. By providing accurate information about our company, street address, and employee names, this attacker was attempting to build trust with the recipient. Social engineering attackers often attempt to impersonate legitimate mail senders by doing pre-emptive research on their targets.

Setting the bait – Phishing attackers are always on the lookout for some theme to build their scam around. This bait often relates to trending news topics, routine business processes, or impersonating someone you know. In this example, our phisher relied on quarterly fire inspections in an attempt to trick our recipient. Fire inspections are routine, but infrequent enough that the average employee will not have much knowledge about their last checkup. On top of that, the setup sounds critical to everyday business operations at first glance.

Springing the trap – Fortunately, our team was quick to spot the fake. This attacker wanted our recipient to visit a certain URL where something far more nefarious lies in wait. Here, the attackers provide a hyperlink that they know will not function properly and provide further instructions to manually enter a URL, rerouting victims to their intended trap.


How can you spot a phishing attempt?

There are several questions you should ask yourself if you think you may be the target of social engineering. Here are a few things that stuck out to Firewalls.com that made us suspicious.

Sender legitimacy – Is your local fire department really going to send you an invoice by email? Have you ever received an email from this person/organization before? Most businesses and institutions won’t suddenly reach out to you via a new platform without some warning first. If the legitimacy of the sender gives you pause, you may be a target!

What information do they know about me? – Building trust by personalizing phishing emails to their target is common sense. You are more likely to believe hackers’ schemes if they seem to have accurate information about you. However, what exactly do they know? In this case, our attacker seems to know an email address, company name, and a physical address. Impressive at first sniff, but this is all publicly-available information! Never take the bait just because it has your name on it.

What is being asked of me? – While the initial setup seems believable enough, this ruse starts to fall apart when you peel back the layers. Why would the fire department send me a link that they know is broken? Why send complicated instructions on how to manually edit URLs to work around a defunct web portal?

Does it all match up? – If an email says it is from the local fire department, but the send domain contains something completely unrelated (mobile-eyes?), you may be onto something! In this example, the attacker is instructing our recipient to visit a web domain that has nothing to do with fire inspections. More like “mobile-eye-don’t-think-so.”

What to do if you think you received a phishing email

Never spring the trap – First and foremost, do not click anything! Links, attachments, replies, forwards—leave it all alone. You cannot be breached simply by receiving the email, so stop while you are ahead.

Get IT involved – Alert your IT team and immediate supervisors. If you have even an inkling of doubt about the legitimacy of an email, there’s no harm in getting a second opinion from an expert. Reach out to your IT department for further guidance.

Block the sender – If this is just one attempt in a more persistent or complex spearphishing campaign, there will be further emails brewing. Blocking the email domain of a bad actor prevents a future lapse in judgment or mistake from providing a second point of entry for foiled attackers.

Rely on defense-in-depth – Want to know the easiest way to sidestep an attempted phishing scam? Do not let it ever land in your inbox. Defense-in-depth network security strategies employ email encryption, cloud-based sandboxing, and Time-Of-Click protection to provide email security before, during, and after delivery of suspicious messages. Tools such as SonicWall Capture Advanced Threat Protection and Barracuda Essentials take the guesswork out of checking your mailbox.

Ransomware and malware delivered through phishing emails are more rampant than ever before. Whether hackers are relying on coronavirus scams, election news, Black Friday deals, fire inspections, or otherwise, there’s always some new social engineering scheme on the horizon. Protecting yourself starts with educating yourself against these attacks. Stay safe while holiday shopping by tuning into our podcast episode “Black Friday Becomes Cyber November 2020” featuring Dan Lohrmann.


Want to learn more about phishing and social engineering?

Check out our podcast on Phishing with SonicWall’s Matt Brennan.

Check out our Firewalls.com Threat Dictionary entries on ransomware, phishing, and spearphishing.

Ransomware Attack Clapback: How to Prepare if You’re Targeted

Ransomware Attack 2020: Why Prepare

It seems like every week in 2020, we hear about another major ransomware attack. While volume has continued to grow in recent years, more troubling is the fact that ransomware is getting more targeted. Why is this more troubling? Because of its more targeted nature, it’s also getting more effective. Many ransomware cells now study their targets to pinpoint weaknesses, then customize attacks to exploit them. Not only that, they select targets and set ransom amounts based on knowledge of what those victims can pay.

And one more troubling fact to keep you up at night: soft targets are particularly vulnerable. That is, bad actors are placing local governments, school systems, nonprofit organizations, and even healthcare providers in the crosshairs. So even if your business avoids attack, a successful breach of one of these targets has major effects on day to day life. Enough preamble though. If you made it this far, you know the situation is serious. Here are three ways to prepare to clapback, so an attack won’t stop you in your tracks.

Train Your Staff

Your employees can be either the point of entry or the first line of defense for a ransomware attack. The choice is yours. Among the most common ways for ransomware to infect your network is once again through phishing emails. If your network users don’t know what to look for, they may unsuspectingly click on an attachment that delivers the malicious payload. Simple training makes all the difference, sharing tips like:

  • Double-check the domain name that sent the email
  • Look for spelling errors as well as numbers replacing letters
  • Review the signature & legitimacy of the request
  • Hover over links – without clicking – to check where they lead
  • Don’t click on attachments unless you’re sure of the source

There are applications available to let you test your employees & reinforce training without the consequence being an actual breach. Check out Sophos Phish Threat and Barracuda PhishLine for a couple worthy examples. Oh and one other key piece of training? Teach your employees to report any suspicious contacts asking for a way into your network.

Layer Your Security

The best approach to network security in 2020 is a layered one. As we just noted, well-trained employees are one layer, but there are many others to consider. If you haven’t heard by now, it all starts with the firewall. Your firewall – operating the latest and greatest security services – should be the cornerstone of a protected network setup. A current generation firewall plus those security services protects against just about any threat that comes your way. Companies now commonly incorporate threat intelligence – both human and the artificial variety – plus machine learning into their security offerings. That means they’re on the cutting edge to recognize and stop ever evolving ransomware and malware varieties.

But with the workforce extended beyond the perimeter now more than ever, your security must do the same. That means endpoint protection and secure access to your network for remote employees are also musts. Endpoint protection not only gives you visibility into these remote devices, it also extends many of the same security services to them individually. Ensuring secure access via VPN then brings your teleworkers back under the security of your firewall and network setup. And the layering shouldn’t stop there. Ensure you have email security in place to filter out suspicious messages before they even reach the eyes of an employee. And segment your network so a breach of one device doesn’t extend throughout. This may sound like a lot, but bundling services is surprisingly reasonable, and security costs much less than a successful ransomware attack ever will.

Backup So You Can Rollback

This could easily fall under the layers above, but when it comes to a ransomware attack, backup deserves a spotlight all its own. If you are successfully breached and your files encrypted, the smart money isn’t on paying the ransom, it’s on rolling back. Regular backups of your data allow you to get right back to work with minimal interruption, even if a ransomware attack occurs. A Sophos survey of 5,000 IT managers found more than half of firms whose data was encrypted by ransomware restored it through backups. Why is that? There are no guarantees when you pay the ransom. Plus, you don’t really want to support a criminal enterprise. And on a more practical note, Sophos also found that paying the ransom resulted in twice the remediation costs of restoring data from backups. Even if the ransomware cell you’re working with gives you the encryption key when you pay up, you still have to dedicate time and effort to restoration. So why not just have the restoration already available in house? Learn about Barracuda Backup and Sophos Intercept X with CryptoGuard for a couple of options to ensure you’re not caught flat-footed when a ransomware attack comes.

Equinix Data Center Hit With $4.5 million Ransomware Attack

One of the world’s largest global data centers has announced an investigation into a ransomware incident. On Sept. 9th, Equinix – which directly connects to AWS, Google Cloud, Azure, Oracle, and AT&T – revealed the inquiry. It’s been a rough few weeks for enterprise organizations and ransomware. Less than a month ago, we saw a thwarted breach of Tesla which could have commanded a massive ransom. Below is an official statement from Equinix.

“Equinix is currently investigating a security incident we detected that involves ransomware on some of our internal systems. Our teams took immediate and decisive action to address the incident, notified law enforcement and are continuing to investigate. Our data centers and our service offerings, including managed services, remain fully operational, and the incident has not affected our ability to support our customers. Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix. The security of the data in our systems is always a top priority and we intend to take all necessary actions, as appropriate, based on the results of our investigation.”

Equinix was reportedly hit with a Netwalker ransomware attack in which attackers asked for $4.5 million, threatening to release stolen data to the public. If 7 days elapse without payment, Equinix will face double the ransom amount. It’s not hard to imagine these guys are scrambling right now, assessing all their options.

From photos released to the public by the hacking group, it seems data centers in Australia were the weak points for the breach. The information stored in those data centers may also be what’s at risk of exposure.

About Equinix

Equinix is a global data center headquartered in Redwood City, California. Leadership of the organization includes CEO Charles Meyers and Founder Jay Adelson. Equinix is a publicly traded company on NASDAQ (EQIX). With revenue hitting $5.5 billion in 2019, Equinix is a major player in the global data center industry.

Learn More About Ransomware

Don’t be the next victim of a ransomware attack. Strong cloud-based sandboxing, frequent firmware updates, & smart network security practices can keep you secure.

What Is SonicWall NetExtender & How Can It Improve Your Remote Workforce?

What Is SonicWall NetExtender

SonicWall NetExtender is an application for Windows, Mac, and Linux that allows a remote user to access applications, files, resources, and more from the base network while being protected by that base network’s security apparatus.

To use it, a remote user will need an active SonicWall VPN license. A VPN, or virtual private network, is a secure way of accessing company data from anywhere in the world. SonicWall VPNs work in tandem with NetExtender as a means of routing a remote user’s device, whether desktop or mobile, safely to the base network.


How Can SonicWall NetExtender Improve Your Remote Workforce

By offering VPN licenses to a remote workforce, you provide your business & users all the same protection capabilities they’d receive if they were working in the office. When remote employees work through NetExtender, they have the freedom to work at efficient speeds with more direct access to files and apps. On top of that, they get security capabilities only available to users connected to your base network.

Benefits At A Glance

  • Access secure files from anywhere in the world
  • Use all the business-critical applications you’re used to
  • Secure communications
  • Extend on-premises levels of security to employees working from home
  • Maintain compliance requirements

How Much Do VPNs With SonicWall NetExtender Cost

SonicWall virtual private network solutions are designed for scalable cost. The solution depends on the number of licenses you’ll need, which VPN protocols you use, and what configuration or support options are included. To learn more about the different types of SonicWall VPN clients that work through NetExtender, check out our comparison between SonicWall SSL VPN & Global VPN.


Looking For A NetExtender VPN Solution?

Configure A Scalable NetExtender Solution

Configuring the right SonicWall VPN solution isn’t the easiest thing to do. Our network security experts are on standby to help guide you through the decision making process. To start your scalable SonicWall VPN solution through NetExtender, call 317-225-4117 or reach out via our secure contact form.

What is a firewall? Why does my business need a firewall?

What is a firewall & why do I need a firewall?

What is a firewall exactly? Here at Firewalls.com, we believe that firewalls are not only your primary line of defense against advanced threats but also the heart of your larger network security environment. Firewalls keep users safe as they use the Internet, send or receive emails, and access company files. Firewalls scan all incoming and outgoing traffic on your network, choosing to either permit or block any data packet they read.

By configuring your firewall with a set of common sense security rules and policies, you can safeguard your confidential data against hackers. By analyzing traffic at your network’s entry points, firewalls are able to keep potential threats out while letting employees and business applications communicate safely across the open web.


How do firewalls work?

Firewalls work by monitoring inbound and outbound traffic on your network. When a data packet requests access to your network, your firewall inspects the packet header to determine whether the request is valid or potentially dangerous. Next generation firewalls such as SonicWall TZ and SonicWall NSa firewalls go a step farther with Deep Packet Inspection, cracking open the entire data packet to inspect its contents before reaching a security determination.

Traditional firewalls relied on signature-based scanning to look out for threats. That meant that each packet’s contents were checked against a database of millions upon millions of known threat signatures. However, more advanced firewalls and endpoint protection platforms, such as Sophos XG, rely on machine learning and AI to make behavior-based verdicts. Super smart security engines actually think and learn inside your firewall, using global threat data to constantly improve their understanding of what a threat looks like, how it behaves, and how to stop it.
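To make the header-versus-contents distinction concrete, here is an added toy packet filter (not code from the page or from any vendor's engine; the class and rule names are invented for illustration). It shows the three ideas the two paragraphs above describe: a rule table matched on header fields, stateful tracking so that replies to sessions the LAN opened are allowed without a dedicated inbound rule, and a deep-inspection pass that looks inside the payload for a signature before the packet is finally allowed. The addresses, ports and the signature pattern are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical classes for illustration only; not any vendor's engine or API.


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (from the LAN)
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP connection-opening flag
    payload: bytes = b""    # application data, which only deep inspection reads


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str
    proto: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport))


class ToyFirewall:
    def __init__(self, rules, signatures):
        self.rules = list(rules)
        self.signatures = dict(signatures)   # name -> byte pattern
        self.sessions = set()                # (client, server, server_port)
        self.log = []

    def _header_verdict(self, pkt: Packet):
        # Stateful shortcut: a reply to a session the LAN opened is allowed
        # even though no inbound rule mentions it.
        if pkt.direction == "in" and (pkt.dst, pkt.src, pkt.sport) in self.sessions:
            return "allow", "established session"
        for rule in self.rules:              # first match wins
            if rule.matches(pkt):
                return rule.action, f"rule {rule.action} {rule.direction}/{rule.proto}/{rule.dport}"
        return "deny", "implicit deny"       # nothing matched: default-deny

    def _deep_inspect(self, pkt: Packet):
        # Deep packet inspection: the header said yes, now look at the contents.
        for name, pattern in self.signatures.items():
            if pattern in pkt.payload:
                return name
        return None

    def process(self, pkt: Packet):
        action, reason = self._header_verdict(pkt)
        if action == "allow":
            hit = self._deep_inspect(pkt)
            if hit:
                action, reason = "deny", f"signature {hit}"
            elif pkt.direction == "out" and pkt.proto == "tcp" and pkt.syn:
                self.sessions.add((pkt.src, pkt.dst, pkt.dport))  # remember the flow
        self.log.append((action, reason))
        return action, reason


def demo():
    """Constructed traffic: an outbound HTTPS session, its reply, an unsolicited
    RDP probe, and mail traffic whose header is allowed but whose payload is not."""
    fw = ToyFirewall(
        rules=[
            Rule("allow", "out", "tcp", 443),
            Rule("allow", "out", "tcp", 80),
            Rule("allow", "in", "tcp", 25),    # a mail server exposed on purpose
        ],
        signatures={"constructed-test-pattern": b"MALWARE-TEST-PATTERN"},
    )
    lan, web, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed addresses
    return [
        fw.process(Packet("out", "tcp", lan, 51000, web, 443, syn=True)),
        fw.process(Packet("in", "tcp", web, 443, lan, 51000, payload=b"HTTP/1.1 200 OK")),
        fw.process(Packet("in", "tcp", stranger, 40000, lan, 3389, syn=True)),
        fw.process(Packet("in", "tcp", stranger, 40001, lan, 25,
                          payload=b"Subject: invoice\r\n\r\nMALWARE-TEST-PATTERN")),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth packet is the one that separates a stateful firewall from a next generation one: by header alone it is legitimate mail to a published server, and only the payload check turns it into a deny. Real engines match against far larger signature sets and, as the text notes, increasingly against learned behaviour rather than fixed byte patterns, but the order of decisions is the same.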

Firewall configuration

Why do businesses need to configure their firewall and how hard is a configuration? While some deployments can be fairly simple, most businesses should have a custom configuration for their primary firewall, tailored to suit the unique needs of their network. The firewall setup wizard just doesn’t cut it. Firewalls.com recommends that you entrust a certified firewall expert with the configuration of your firewall to ensure your attack surfaces are minimized, your firewall is stealthy, and no pesky bottlenecks are jamming up your Internet speeds.

A quality firewall configuration service should include a one-on-one discussion with your organization to determine how your network is used and what unique factors may present risks to your data. Phone-based deployment and post-deployment support are a must. You can simplify installation and minimize downtime by ensuring you have a knowledgeable support engineer on the line to walk you through every step. Want to see the steps involved in a configuration?


How many different types of firewalls are there?

Firewalls come in all shapes and specifications, so finding the right one for your network can be a challenge. While datasheets and firewall comparisons are easy to find, it can still be tough to wrap your head around what types of firewalls you can choose from. We’ll break down a few different ways firewalls are classified to help you better understand the appliance landscape.


Form Factors

  • Desktop Firewalls – Small, but powerful. Desktop firewalls are made with SMBs in mind & fit next to your favorite coffee mug
  • Rackmount Firewalls – Able to be mounted in any standard 19″ server rack with a rackmount kit
  • Virtual Firewalls – No appliance? No problem. Virtual firewalls live in the cloud & secure networks with no on-prem footprint

Firewall Sizing

  • Small Business Firewalls – Fit for home offices or SMBs up to 100 users, small business firewalls make advanced security affordable
  • Mid-Sized Firewalls – For businesses that need a bit more room for users & bandwidth, like SonicWall NSa series
  • Enterprise Firewalls – 2,500 users or more? Enterprise firewalls are security powerhouses with unmatched performance

Firewall Generations

  • Stateful Inspection Firewalls – Simple, signature-based analysis of inbound & outbound traffic
  • UTM Firewalls – Holistic appliances combining basic firewalling with multiple other security services & functions
  • Next Generation Firewalls – The latest generation of firewalls integrating entire networks in real time with machine learning


Firewalls. Defined.

Curious for more information about firewalls, network security, or cyber threats? The Firewalls.com Knowledge Hub is crammed full of resources to learn how firewalls work and understand what kinds of firewalls there are. Check out our firewall podcast or subscribe to our YouTube channel for firewall reviews, firewall comparisons, tutorials, and more.

What is EDR? Automated endpoint detection & real-time response to threats

To continue our recent theme of decoding abbreviations, EDR means Endpoint Detection & Response, and that means that the age of AI is upgrading networks. This automated, real-time endpoint solution ensures that end users can work securely no matter where in the world they’re located in relation to a firewall.

With EDR, your network defenses constantly scan for the kinds of elusive malware, ransomware, and zero day threats that signature-based detection platforms miss. And in the event a security incident occurs, advanced Endpoint Detection & Response platforms such as Sophos Intercept X Advanced with EDR or FortiEDR stop attacks even if the endpoint is compromised. Guided response lets administrators easily walk through the steps of an attack to see its root cause and isolate infected machines.

EDR’s machine learning systems deter, detect, disarm, dissect, deescalate, and do away with any cyber threats you can throw its way.

Why EDR works for small businesses

Survey after survey, several years running, has revealed two facts: a majority of small businesses find it difficult to hire qualified IT talent – especially talent focused on network security – and their budgets often struggle to accommodate the talent they do find. Automated endpoint detection and response monitored by 24-hour machine learning intelligence adds just the kind of cybersecurity expertise that SMBs need without a higher employee headcount.

Just like modern grocery stores have self-checkout lines and autoworkers now benefit from the assistance of robotics, automation enables small businesses to do more with less to get the job done. Farm out malware expertise and incident response to the bots!

Sophos Intercept X Advanced with EDR

Intercept X Advanced has been a longstanding go-to for network admins looking to add advanced protection to their networks in a comprehensive, integrated system. Sophos Intercept X Advanced now also consolidates that industry-leading protection and EDR into a single solution. Intercept X’s advanced malware prevention significantly eases the workload on the EDR component, allowing you to utilize more of the speed and performance you pay your Internet Service Provider for.

  • Minimize staffing by automating IT tasks usually done by skilled experts
  • Prioritize potential threats & automatically detect security incidents
  • Provide visibility into attack scope, root cause, impact, & network health
  • Hunt for indicators of compromise that may leave your network vulnerable


Fortinet FortiEDR

FortiEDR will be made available to order on May 4th and is already boasting some big benefits and features. An EDR solution purpose-built to detect potential threats, FortiEDR stops breaches in real time and mitigates the damage of ransomware even on machines that have already been compromised. FortiEDR also extends security to IoT devices, with the ability to protect everything from PCs to servers to point-of-sale systems and more.

  • Creates very small network footprint thanks to native cloud infrastructure
  • Enjoy automated EPP with orchestrated response across platforms
  • Stop file-based malware with Fortinet’s kernel-level Next Gen AV engine
  • Eliminate dwell time & reduce post-breach expenses


SonicWall Capture Client

Automated endpoint detection and response is integrated into SonicWall’s Capture Client, bringing together EDR, advanced threat protection, and integrated network security. With unique ransomware rollback capabilities and intuitive attack visualizations, Capture Client offers a comprehensive endpoint protection and EDR environment for any SonicWall network.


  • Next-generation SentinelOne malware protection engine
  • Advanced threat protection with sandbox integration
  • Behavior-based scanning powered by machine learning
  • Unique attack rollback capabilities using Volume Shadow Copy Service
  • Install & manage trusted TLS certificates to leverage DPI-SSL


Remote Worker Bundle options make working from home fast & secure

Small businesses are rushing to get their employees working from home. The popularity of virtual conferences and webinars has skyrocketed in response to the threat of coronavirus, influenza, daycare emergencies, potholes, perilous traffic, and political ads on the morning commute. If you’re looking to keep your workforce out of harm’s way, our new Remote Worker Bundle comes with everything you need to maintain network security while employees work from home. Establish fast, safe remote access with a SonicWall SMA 210 or SonicWall SMA 410 expertly configured for your unique network demands, then pair it with 24×7 Support to make the experience flawless for remote employees.

Security risks posed by working from home represent just one problem surrounding secure remote access. Ensuring that the home experience is simple and seamless is integral to maintaining productivity. In addition, small businesses struggle with issues of flexibility, compatibility, and scalability. The Remote Worker Bundle tackles these issues with affordable add-on options for technical support and further concurrent user licensing.

Benefits of the Remote Worker Bundle

When workers come into the office sick, they risk spreading illnesses to the whole staff, but self-quarantining at home doesn’t mean the work has to stop! Our Remote Worker Bundle includes all the fundamental pieces organizations need to set up basic work-from-home security for their employees. Projects never need to be put on pause when remote workers are able to work with all of the company resources and apps they’re used to at their workstation. This bundle is also ideal for any company with a high volume of business travel.

Flexible, scalable remote access for all

SonicWall SMA appliances are compatible with any firewall brand or model you may already be using. Remote workers will be able to access any company printers, applications, files, or cloud resources from the comfort of their home while their session sits behind the same company firewall that protects their data in the workplace! SonicWall’s SMA 210 and SMA 410 appliances are compatible with any cable or DSL connection from any Internet service provider, meaning whatever Internet provider your workers already have at home will work.

Need to add more users? The SMA 210 can support up to 50 users with concurrent licensing and the SMA 410 can protect up to 250 remote workers at once. The best part? Because these stackable user licenses are perpetual, you’ll only ever pay for each user one time–no need for renewals.

Remote worker bundle: configuration included

Ready to wash your hands of remote security risks? To provide secure network access for employees working from home, optimization of remote access appliances and services is critical. The Remote Worker Bundle includes our proprietary remote access configuration service, in which our team of network engineers expertly configure profiles and access groups via SSL or IPSec settings. Additional access control optimization is also incorporated to help further safeguard your data.

All configuration work is completed by our manufacturer-certified network architects at the Firewalls.com Security Operations Center (SOC) in Indianapolis. You’ll even get post-deployment support from the same team of engineers that configured your appliance.

Security best practices when working from home

Bolster your password hygiene – Remote workers carry additional risks to company data. Ensuring that users rely on strong, complex, and lengthy passwords guarantees that your data stays safe even in the case of a lost or stolen device.

Make sure end user protection is up to par – Any device operating on the company network should be properly protected by strong anti-virus capabilities such as SonicWall Capture Client, web filtering, encryption, anti-spam, and malware protection. Mobile workers should enjoy the same air-tight security when roaming as they would at their desk.

Avoid public Wi-Fi – As we covered in Episode 14 of our podcast, public wireless networks can be a breeding ground for wireless threats. Advanced threats like evil-twin attacks, rogue access points, ad-hoc networks, and client misassociation can wreak havoc on BYOD users. With open wireless networks on the rise, Emotet-infected systems have been able not only to steal personal information but also to spread malware by laterally scanning public wireless networks.

Email security & encryption – The inbox represents one of the biggest attack vectors for users of all kinds, but remote workers are especially at risk. Email applications are the most popular form of remote work as employees peer at their inbox several times throughout the day. Encryption, anti-spam, and email sandboxing services such as Capture ATP for SMA are all great ways to keep the team safe, whether home or away.


Preparing for the Tempest: SonicWall’s 2020 Cyber Threat Report

The Past is Prologue

As Shakespeare once wrote, “the past is prologue.” When it comes to cybersecurity, knowing the recent past – and trends in the threat landscape – is vital to protecting your network against the latest and greatest hazards. And so the past – as in 2019 – is prologue in the 2020 SonicWall Cyber Threat Report. The report is prepared by SonicWall’s Capture Labs threat research team. It provides an in depth look at the cyber threats of 2019 to help businesses, governments, and organizations of all sizes better prepare to stop the threats of 2020. Let’s take a look at some of the highlights of the Cyber Threat Report.


Ransomware Shifts Strategy

The good news: Ransomware attacks were down in 2019 – 6% in fact – from the all-time high recorded in 2018. There were a grand total of 187.9 million last year. The less good news? Well, you probably saw it in the news. There was an increase in targeted attacks, hitting government networks, power grids, and even schools & hospitals. Attackers more and more are focusing on quality over quantity, looking for targets that are most likely to pay rather than blanketing all corners of the connected world.

Just how many of these targets were hit last year? It’s probably under-reported because victims can be hesitant to reveal a breach. But more than 140 state and local governments were successfully targeted for the year, and over 600 schools and hospitals – just through September. The Cyber Threat Report warns, however, that the average individual can still be a target, too. Researchers note that ransomware operators are more willing than ever to have a dialog and negotiate with their victims to get a payout. They’ll even use things like sextortion scams, a form of blackmail that suggests the attacker has compromising information or images that they’ll release unless the victim pays.

IoT Malware on the Rise

You down with I-o-T? Yeah, probably! While internet of things devices are hardly Naughty By Nature, they’re becoming more and more ubiquitous. As in, if you’re reading this, there’s virtually zero chance you don’t use some type of IoT device(s) in your everyday life. But with that popularity comes greater exposure. In 2019, the Cyber Threat Report indicates there were 34.3 million IoT malware attacks. Oh, and those attack numbers – much like the number of IoT devices – are trending up.

Security has historically not been a priority for most IoT device manufacturers. With no standards in place, devices commonly come with out-of-the-box vulnerabilities like weak or hard-coded passwords, unsecured interfaces, and a lack of secure update mechanisms. An otherwise secure network with vulnerable IoT devices may be leaving a backdoor wide open for hackers to access data.

Encrypted Threats Continue Growth

While transport layer security (TLS) and its predecessor, secure sockets layer (SSL), are encryption standards largely meant for good, bad actors are always looking to spoil the fun. Encryption used for wholesome purposes ensures privacy and protects data. But hackers use that same encryption against a network, sending malicious packets that obfuscate malware files. That can get them through a network’s standard defenses. The Cyber Threat Report shows our aforementioned bad actors sent 3.7 million malware attacks over TLS/SSL traffic in 2019, 27.3% more than the year prior. Why is this technique on the rise? Many firewall appliances don’t have the capability or power to detect, inspect, and stop attacks sent through encrypted traffic.

Defenses Are Improving, Too

Most of this Cyber Threat Report analysis is probably giving you anxiety, so let’s end on a positive note. The forces for good are continually improving their (which also means your) defenses against these hazards. Security advances include faster identification – and in turn faster mitigation – of zero-day threats. For instance, SonicWall is able to ID never-before-seen malware variants about 2 days before malware repository VirusTotal receives samples. Also noted are advancements made in deep memory inspection technology to combat side-channel attacks among others. In SonicWall’s case, that technology is a part of its Real-Time Deep Memory Inspection (RTDMI) engine. You can get a taste of it with a new SOHO 250 or TZ350 bundle. The report additionally spotlights growing momentum of perimeter-less security as traditional boundaries go by the wayside. This includes the introduction of the secure access service edge (SASE), which would combine software and service-based security solutions.

Want to Learn More?

Visit our Threat Dictionary to get updated on some of the latest cyber threats out there today. Shop for SonicWall security solutions like firewalls, web application firewalls, and cloud app security to name a few. And get your very own copy of the full 2020 Cyber Threat Report to dig into all the nitty gritty details yourself.

Fortinet Cyber Threat Assessment for SD-WAN, FortiGate, & FortiMail

The Cyber Threat Assessment Program

There are exactly two ways to test your network’s security against cyber threats: run validation testing to assess precisely how your network performs or wait for the real thing to happen and draw conclusions while you’re picking up the pieces in the aftermath. While trial-by-fire is certainly a conclusive way to assess your network security, Firewalls.com strongly recommends the former option. Fortinet’s Cyber Threat Assessment Program is a convenient and non-intrusive process that lets you see where your network stands without interrupting day-to-day operations.

The assessment is free of charge, requires little to no legwork on your part, and yields results in just over a week. Check out the infographic below to see how it works, or listen to our recent podcast episode where we discuss Cyber Threat Assessments with Fortinet’s Ben Bolen.

See How Fortinet’s Secure SD-WAN Can Save You Time & Money

Been curious about SD-WAN? The very same process described in the infographic above can be used for an SD-WAN assessment as well! Fortinet’s Secure SD-WAN allows for high-speed application performance at the WAN edge, intelligently determining the ideal routes for MPLS, 3G/4G, or broadband traffic. Traditional WAN architectures are not equipped to accommodate the high-demand workloads of modern organizations, which may be using applications spanning multiple cloud environments. Now you’re one FREE assessment away from seeing exactly how Secure SD-WAN can transform your network.


What Information Is Included In CTAP Report?

The Fortinet Cyber Threat Assessment focuses on three key areas: Security, User Productivity, & Network Utilization.

  • Security: Details network vulnerabilities and helps to identify which devices and applications are at an elevated risk so that they can be properly secured. In this section of the report you’ll get to see which vulnerabilities and threats were observed bypassing your existing security solutions.
  • User Productivity: Provides extensive visibility into peer-to-peer, messaging, and other application usage to see how users are using your network in their daily work. In this section you’ll see how spam, newsletters, and other cyber nuisances impact how your users navigate the network.
  • Utilization: Provides real-world numbers about throughput and bandwidth usage during peak traffic. In this section, you’ll get to see when your network resources are needed most and where waste can be eliminated.

No Risk, No Extra Work, No Commitments

The infographic above outlines the basic process for receiving, setting up, and reviewing your results. At no point in the process are you required to make any purchases, change any settings, or meet any deadlines. Fortinet’s Cyber Threat Assessment is a risk-free program that requires no more extra work than plugging in a cord. If at any point you decide you want to end the test, pull the cord back out! That’s it. No money changes hands, no contracts are signed, and no network settings are changed. If you want to dump your final assessment in the trash, no problem. The report is yours to use as you see fit.

Ready For Your Free Assessment?

Getting your Cyber Threat Assessment is as easy as filling out a form on our Fortinet Cyber Threat Assessment Program page. Leave us your contact info and Firewalls.com will work behind the scenes to get a test set up for you. We work closely with Fortinet to make sure the test requires as little effort on your part as possible.


Intelligence in the Threat Landscape

Arm yourself

The modern threat landscape has many pitfalls. The best way to set yourself up to successfully negotiate this hazardous terrain is with the proper armor. What is the right armor? Knowledge. Personal knowledge of the types of threats that exist. Organizational knowledge of how to behave online. And the knowledge of dedicated threat intelligence experts that goes into the security solutions offered by top network security providers. Companies like SonicWall, Fortinet, and Sophos have teams of security analysts keeping tabs on the threat landscape 24/7/365. They incorporate this knowledge with artificial intelligence and machine learning to offer the most comprehensive protection possible against the latest threats.

In our latest video, we take a closer look at the threat landscape, what you can do to arm yourself, and what these companies are doing to fortify that armor. Watch below:

Thirsty for more?

If you finished that video yearning for even more threat intelligence, read through the Firewalls.com Threat Dictionary to get an A to Z guide through the current landscape.

To complete your multimedia quest for threat knowledge, we also offer an audio option. Listen to Episode 5 of Ping: A Firewalls.com Podcast in which we talk cyber threats with two experts in the field, SonicWall’s Daniel Kremers and Fortinet’s Douglas Santos.

Don’t Give Me Them Digits: Cyber criminals target mobile phone numbers

You’ve got a chip in your credit card. Your social security card’s locked away in a safe. Now cyber criminals are turning their attention to another number: your mobile phone number. Next time that creep at the bar asks for your digits, you may have more to worry over than turning down a date.

Why criminals are targeting mobile phones

As security around financial data tightens, hackers have set their sights on mobile numbers, which tick many of the same boxes as your social security or credit card combos:

  • It’s unique to you
  • It’s one of the most common pieces of info stored in databases
  • It’s a crucial step in identifying yourself to financial authorities

Criminals are using this information to take over accounts using a patchwork of personally identifying information gleaned from multiple databases. In 2016, over 160,000 mobile accounts were usurped according to studies conducted by Javelin Strategy & Research–a record high for fraudsters.

And the kicker? Losing control of your phone number creates logistical nightmares when it comes time to prove ownership in the aftermath of an attack. Many companies verify account ownership over VoIP or SMS, and if you are no longer in control of the phone line, proving your identity becomes a challenge outside the norms of account recovery.

How to prevent a mobile phone takeover

  • Distribute your number judiciously
  • Use a secondary or virtual phone number for account signups
  • Do not reuse passwords over multiple accounts
  • Avoid using public WiFi when accessing sensitive information
  • Use two-factor authentication where possible
  • Take advantage of mobile security platforms like Sophos Central Mobile Security

Learn about more cyber threats

Hungry for more insight into Internet threats? Check out the Firewalls.com Threat Dictionary to learn about all of the latest network security threats.

Prefer to listen and learn? Check out Episode 5 of Ping: A Firewalls.com Podcast where we talk cyber threats with SonicWall’s Daniel Kremers and Fortinet’s Douglas Santos.

What is a Man in the Middle attack? How to keep your online footsteps hidden

Today we’re going to talk about a ghost in the machine. But don’t get all Gilbert Ryle’d up. We’re not waxing philosophic or discussing Scar Jo movies. No, we’re going to demask that phony bogeyman playing trapeze among your unsecured wires: the Man in the Middle. For those unfamiliar with the term, a Man in the Middle (MITM) breach is a cyber-attack in which the bad guys park themselves between you and the web. Man in the Middle is one of the many common attacks discussed in our Spooky Cyber Threats episode of Ping: A Firewalls.com Podcast, and today we’ll give a more in-depth picture of what the threat looks like.

What is the goal of a Man in the Middle attack?

The objective is simple: gather as much personal data about the victim as possible. If an opening presents itself, cyber criminals will pursue it. This means that if attackers can trick you into revealing or changing your login credentials, they will. If they can swipe your financial data, they will. The Man in the Middle attack is primarily a recon job with an opportunistic slant.

How does a Man in the Middle attack work?

Let’s simplify your web surfing to an easily-digested scenario: your computer, Point A, wants to fetch data from a web server, Point B. Point A requests data, the request travels over the web, and the web server receives the request. The web server gathers the data and ships it back to Point A. Man in the Middle attacks occur when a cyber attacker plants a toolkit between Point A and Point B and acts as a stepping stone between the two.

From this position, the Man in the Middle employs keyloggers, social engineering, and monitoring tools to either abscond with personal data or attempt to manipulate the user at Point A into further jeopardy. This can mean anything from serving fake versions of requested websites to tricking users with bogus password-change requests or tricking your contacts into providing sensitive information through phishing.

While old-school Man in the Middle attacks required attackers to literally plug into your network via close physical proximity, savvy cyber criminals have perfected the technique to take place completely through your browser. No longer do criminals need to crawl through the ventilation system to smuggle a bug onto your mainframe. Now they can do it all from the comfort of home.
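The Point A to Point B picture above is easiest to reason about with both ends' messages written out, so here is an added example (constructed for this article, not code from the page or any product it mentions; all function names are hypothetical). Point A seals each message with an HMAC-SHA256 tag under a key it shares with Point B, and Point B recomputes the tag and checks a sequence number before trusting anything. A simulated middle node that rewrites the message in transit is caught because it cannot produce a valid tag, and a captured message delivered a second time is caught by the sequence check. What this does not hide is the message content: integrity and authenticity are the point here, and confidentiality is what a properly verified TLS session adds on top.

```python
import hashlib
import hmac
import json
import os

# Hypothetical helper names, constructed for illustration; not from the page or any product.


def seal(key: bytes, seq: int, body: str) -> dict:
    """Point A: serialize the message and attach an HMAC-SHA256 tag computed
    over the exact bytes that travel, sequence number included."""
    data = json.dumps({"seq": seq, "body": body}, sort_keys=True)
    tag = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    return {"data": data, "tag": tag}


def open_sealed(key: bytes, msg: dict, expected_seq: int) -> tuple:
    """Point B: recompute the tag and compare in constant time, then enforce
    the sequence number so a captured message cannot be delivered twice."""
    expected = hmac.new(key, msg["data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False, "rejected: tag mismatch (message altered or wrong key)"
    parsed = json.loads(msg["data"])
    if parsed["seq"] != expected_seq:
        return False, "rejected: unexpected sequence number (replay)"
    return True, parsed["body"]


def middle_alters(msg: dict) -> dict:
    """Simulated interception point between A and B: the body is rewritten and
    forwarded with the original tag, since the middle node holds no key."""
    parsed = json.loads(msg["data"])
    parsed["body"] = parsed["body"].replace("acct 1111", "acct 9999")
    return {"data": json.dumps(parsed, sort_keys=True), "tag": msg["tag"]}


def demo() -> dict:
    """Constructed exchange: one genuine delivery, one altered in transit,
    and one replayed after it was already accepted."""
    key = os.urandom(32)                       # shared by A and B out of band
    genuine = seal(key, 1, "transfer 500 to acct 1111")

    ok, body = open_sealed(key, genuine, expected_seq=1)
    tampered_ok, tampered_reason = open_sealed(key, middle_alters(genuine), expected_seq=1)
    replayed_ok, replay_reason = open_sealed(key, genuine, expected_seq=2)
    return {
        "genuine_accepted": ok,
        "genuine_body": body,
        "tampered_accepted": tampered_ok,
        "tampered_reason": tampered_reason,
        "replay_accepted": replayed_ok,
        "replay_reason": replay_reason,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two details that matter in practice are `hmac.compare_digest`, which avoids leaking how much of a forged tag was correct through timing, and the sequence number inside the authenticated bytes rather than beside them, so a middle node cannot renumber a captured message either.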

How do you prevent Man in the Middle attacks?

1 – Firewalls & Configuration

The most powerful tool you have in the war for cyber security is the firewall. However, an appliance alone is rarely sufficient. It is important to also ensure that your firewall hardware is configured correctly. Think about it: if you buy a fancy home security system, you’re not just going to plug it into an outlet and call it a day. Instead, your security devices should be fine-tuned to fit the needs of your network.

Take your blind spots and unique vulnerabilities into account. No two networks are built the same and so no two firewalls should be configured the same. Ensuring that you have a suitable setup from the start will save a lot of pain down the road.

2 – Comprehensive Endpoint Protection

Even the most expensive hardware will fail once an unsuspecting employee opens a malicious file. Building a tall fence is great and all, but without strong security at the gates, you’re just redirecting network raiders to specific doorways. Sandboxing, ransomware damage rollback, antivirus clients, and browser protection are all fantastic options to add on to your security infrastructure.

Sophos Intercept X is a powerful security suite built to run alongside your current applications. Give it a two-week trial for free to see if it works with your network.

3 – Exercise Safe Web Practices

This is the part of the article that preaches about strong passwords and email attachments. So, here goes:

– Use strong, complicated passwords. Never use default credentials like “admin” or “1234”

– If you’re asked to follow a link in an email, always type the URL into your browser. Don’t click! Spoofed domains, typo-squatting, and crucial differences between HTTP and HTTPS mean that every href you click is a potential malware minefield

– Don’t open suspicious attachments from unknown senders

– Avoid public Wi-Fi if possible. If you must connect to a public router, do so indirectly through Virtual Private Networks. Public networks are a watering hole where hungry cyber crocodiles are just waiting for their prey to exhibit vulnerability

Following cyber security best practices and deploying next-generation firewalls with an endpoint solution means that instead of dealing with a Man in the Middle, you’ll more likely be playing monkey in the middle with desperate cyber criminals trying, and failing, to get their hands on your data.

Learn about more cyber threats

Now that you’ve mastered the Man in the Middle, maybe it’s time to conquer keyloggers, trounce trojans, or make persistent threats perish. Check out the Firewalls.com Threat Dictionary to learn about all of the latest network security threats.

Prefer to listen and learn? Check out Episode 5 of Ping: A Firewalls.com Podcast where we talk cyber threats with SonicWall’s Daniel Kremers and Fortinet’s Douglas Santos.


Originally published by Andrew Harmon on LinkedIn Pulse, October 2017

BlueKeep: Recognizing & preventing RDP vulnerabilities

Firewalls.com is cracking open our case files to take a closer look at one of the net’s most dangerous suspects: BlueKeep.

Vulnerability Name: BlueKeep

Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-0708

Affected Operating Systems:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2008

Type of Vulnerability: Remote Code Execution

First Reported: May 2019 by UK National Cyber Security Centre

Summary

BlueKeep is a vulnerability found in Windows Remote Desktop Services. This is a Remote Code Execution (RCE) attack, meaning the attacker is able to run arbitrary code on targeted devices. BlueKeep is a “wormable” exploit that can act as a foothold for active attackers to leverage and launch further malware attacks. This multi-stage strategy of exploiting a vulnerability to gain access and further utilize breaches as a conduit for more serious attacks is growing in popularity, with big-name self-propagating worms like WannaCryptor and the more recent Ryuk attacks coming to mind.

Windows Remote Desktop Services, which BlueKeep exploits, relies on the Remote Desktop Protocol (RDP), a protocol developed by Microsoft that delivers a graphical interface to a user connected to another computer over a network. Also known as “Terminal Services,” it has been included by Microsoft in every version of Windows since XP in 2001. RDP is used by network administrators to connect remotely to a machine in order to diagnose and resolve problems that users encounter. If you’ve ever allowed tech support to “remote in” to your computer, you may have been using Windows Remote Desktop Services to do so.

Securing your network against BlueKeep

A patch for BlueKeep was released on May 14th, 2019. Whereas most patches released by Microsoft are compatible only with supported versions of Windows operating systems, CVE-2019-0708 patches were also made available for Windows OS platforms that are no longer supported. This is a very rare occurrence for Microsoft and a sign of the potential havoc BlueKeep could wreak on unprepared systems.

While BlueKeep was initially thought to have the potential to mirror the cyber crises that spiraled out of the EternalBlue exploits of 2017, Microsoft claims to have found no active exploits in the wild utilizing the BlueKeep vulnerability. Sophos created a working proof-of-concept fileless exploit using the vulnerability. Though the code was never released to the public, a video demonstration of the exploit was published, visualizing the potential damage of BlueKeep.

So how should small businesses and network administrators be securing their systems against BlueKeep? As always, your first step should be to install patches! The BlueKeep vulnerability was addressed by Microsoft in May of 2019 for both supported and unsupported operating systems. It is recommended that organizations thoroughly test all patches before installation.

Other steps to ensure your organization is safe against BlueKeep include disabling Remote Desktop Protocol altogether by blocking TCP port 3389, updating outdated or unsupported operating systems, and enabling Network Level Authentication, which requires a user to authenticate a remote session before connecting. Keep in mind, however, that these extra steps may add some friction for any organization that routinely makes use of remote desktop services.
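For administrators who want to check those RDP settings on their own machines rather than take them on faith, here is an added example (written for this page, not a Microsoft or Firewalls.com tool) that reads the Terminal Server keys from a `reg export` text dump and reports which of the mitigations above are missing: RDP still enabled, Network Level Authentication not required, and the listener still on the default TCP port 3389. Whether the CVE-2019-0708 patch is installed is passed in by the caller from their own update inventory; the two registry dumps are constructed samples.

```python
"""Audit exported Terminal Server registry settings for the RDP hardening steps
discussed for BlueKeep (CVE-2019-0708).

Added example for this page, not Microsoft's or Firewalls.com's tooling. It reads text
in the format written by `reg export`; the two dumps below are constructed samples.
"""
import re

# Constructed sample: RDP on, Network Level Authentication off, default port.
WEAK_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"PortNumber"=dword:00000d3d
"""

# Constructed sample: RDP still needed, but NLA required (the mitigation the text recommends).
NLA_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000001
"PortNumber"=dword:00000d3d
"""

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a reg export."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            tree[current][val.group(1)] = int(val.group(2), 16)
    return tree


def audit_rdp(tree, patched=False):
    """Return findings for the mitigations named in the article. `patched` comes from the
    caller's update inventory; this function does not inspect installed updates itself."""
    findings = []
    ts = tree.get(TS_KEY, {})
    rdp = tree.get(RDP_TCP_KEY, {})
    # fDenyTSConnections=0 means Remote Desktop connections are accepted.
    if ts.get("fDenyTSConnections", 1) != 0:
        return findings  # RDP disabled outright: the vulnerable listener is not exposed
    findings.append("RDP is enabled (fDenyTSConnections=0)")
    # UserAuthentication=1 requires Network Level Authentication before a session is created.
    if rdp.get("UserAuthentication", 0) != 1:
        findings.append("Network Level Authentication is not required (UserAuthentication=0)")
    # PortNumber defaults to 0xd3d, i.e. TCP 3389, the port the article says to block.
    if rdp.get("PortNumber", 3389) == 3389:
        findings.append("RDP listens on default TCP port 3389; block or restrict it at the firewall")
    if not patched:
        findings.append("CVE-2019-0708 patch not confirmed installed")
    return findings


if __name__ == "__main__":
    for label, dump, patched in (("weak", WEAK_EXPORT, False), ("nla", NLA_EXPORT, True)):
        print(label, audit_rdp(parse_reg_export(dump), patched=patched))
```

On a real host, export the key with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" ts.reg` (the file is typically UTF-16, so read it with `encoding="utf-16"`) and pass the text to `audit_rdp(parse_reg_export(...))`, supplying `patched=` from whatever records the installed updates.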

Looking to learn more about cyber threats?

Check out our latest podcast on cyber threats with SonicWall’s Dan Kremers and Fortinet’s Douglas Santos as they discuss zombies, botnets, fileless malware, and more in episode 5 of Ping.

You can also browse the Firewalls.com Threat Dictionary, where we dissect all the cyber creepy-crawlies haunting the web.

Emotet: the Biggest Network Security Villain of 2019

The Biggest Villain of 2019

The U.S. Department of Homeland Security considers it to be among the most costly and destructive threats to U.S. businesses in 2019.

It constantly evolves, using adaptation and versatility to grow stronger with each new iteration…

It leverages several attack vectors against multiple targets, giving it plenty of opportunities to secure a victory…

The Feared, the Elusive, the Tenacious Malware: Emotet.

Emotet is a sophisticated cyber attack that uses its skills as a shapeshifter to spread itself far and wide across the Internet. The US Department of Homeland Security estimates that organizations in 2019 have shelled out as much as $1,000,000 per incident to recover from an Emotet attack. With big baddies from seasons past like WannaCry and Petya still fresh in the memory, businesses must now turn their attention to the security world’s 2019 season antagonist: Emotet.

What do Marvel’s Ultron and Emotet have in common?

You may defeat them now, but they always come back in a stronger, smarter form than before! Just like the comic villain Ultron, featured in Marvel’s 2015 “Avengers: Age of Ultron,” Emotet always finds a way to make itself more dangerous. This complicated malware has been constantly evolving since its humble origin story as an upstart banking trojan in 2014. In fact, Sophos Labs detected and identified over 4,500 different varieties of Emotet carrying unique payloads in January alone.

Emotet gives itself multiple chances to win. It spreads across networks, propagating itself through email spam and lateral movement, using your devices as remote zombies. Emotet collects contacts and browsing data. It can even act as a decoy for nastier attacks. Emotet isn’t picky; the malware can carry whatever malware is paying out top dollar at the time. Whether it’s TrickBot malware, QBot banking trojans, BitPayment ransomware, or something even more nefarious, Emotet is an ideal delivery system for payloads of all kinds. It’s flexible. It’s persistent. And it always comes back stronger!

The Emotet malware’s principal delivery method is through fake emails. One wrong click or careless attachment download lets Emotet get a foot in the door and from there, it begins its primary objective: spread to other devices on the network. Once infected, your inbox will start spitting out malicious emails to everyone in your contact list, providing Emotet with opportunities to infect far and wide. During this process, your email domain reputation plummets!

Once a system is infected, Emotet calls back home and initiates a malware download for whatever payload it’s been built to carry. In this call back step, Emotet may also take the opportunity to lift your contact lists and browser data to be sold off on the black market. With its versatility, constant evolution, and multiple victory conditions to meet, Emotet is a truly tricky foe.

Perhaps its most dangerous use, though, is as a smokescreen. Due to the fast-acting nature of Emotet, its rapid expansion sends network administrators into a frenzy to prevent further compromise. Some cyber attackers use this period of panic as a chance to initiate a targeted ransomware attack. By the time the initial Emotet chaos has been stabilized, ransomware like BitPaymer has already used the distraction to get a stranglehold on the organization’s data.
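The outbound-spam stage described above is visible to a mail administrator in their own gateway logs. Here is an added example (written for this page, not Sophos’s or the article’s code) that runs over a handful of constructed mail-gateway log lines and raises an alert when an internal sender fans out to an unusually large number of distinct recipients within a few minutes, the burst that follows a mailbox being taken over; it also flags attachments of the macro-capable Office types. The log format, addresses, and thresholds are assumptions.

```python
"""Detect the outbound fan-out burst that follows an Emotet-style mailbox compromise.

Added example for this page; the log format, addresses and thresholds below are
constructed assumptions, not anything taken from Sophos or the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log: "<ISO timestamp> dir=<in|out> from=<addr> to=<addr> attach=<name|->"
SAMPLE_LOG = """\
2019-06-03T09:00:05 dir=out from=alice@example.com to=client1@partner.example attach=-
2019-06-03T09:41:10 dir=in  from=unknown@mailer.example to=bob@example.com attach=Invoice_4471.doc
2019-06-03T09:43:02 dir=out from=bob@example.com to=contact1@customer.example attach=Invoice_4471.doc
2019-06-03T09:43:03 dir=out from=bob@example.com to=contact2@customer.example attach=Invoice_4471.doc
2019-06-03T09:43:03 dir=out from=bob@example.com to=contact3@supplier.example attach=Invoice_4471.doc
2019-06-03T09:43:04 dir=out from=bob@example.com to=contact4@supplier.example attach=Invoice_4471.doc
2019-06-03T09:43:05 dir=out from=bob@example.com to=contact5@partner.example attach=Invoice_4471.doc
2019-06-03T09:43:06 dir=out from=bob@example.com to=contact6@partner.example attach=Invoice_4471.doc
2019-06-03T10:15:00 dir=out from=alice@example.com to=client2@partner.example attach=report.pdf
"""

# Attachment types that can carry VBA macros (assumed watch-list for this example).
MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")


def parse_log(text):
    """Turn each log line into a dict with a datetime plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def fan_out_bursts(events, window=timedelta(minutes=5), max_recipients=5):
    """Return {sender: peak distinct-recipient count} for outbound senders that reach
    more than max_recipients distinct addresses inside any sliding window."""
    by_sender = defaultdict(list)
    for e in events:
        if e.get("dir") == "out":
            by_sender[e["from"]].append((e["ts"], e["to"]))
    alerts = {}
    for sender, sends in by_sender.items():
        sends.sort()
        start = 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:
                start += 1
            recipients = {to for _, to in sends[start:end + 1]}
            if len(recipients) > max_recipients:
                alerts[sender] = max(alerts.get(sender, 0), len(recipients))
    return alerts


def macro_attachments(events):
    """List (direction, sender, attachment) for messages whose attachment could carry macros."""
    return [(e["dir"], e["from"], e["attach"]) for e in events
            if e.get("attach", "-").lower().endswith(MACRO_CAPABLE)]


def analyse(text):
    events = parse_log(text)
    return {"bursts": fan_out_bursts(events), "macro_attachments": macro_attachments(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for sender, count in result["bursts"].items():
        print(f"ALERT fan-out: {sender} reached {count} distinct recipients within 5 minutes")
    for direction, sender, name in result["macro_attachments"]:
        print(f"WARN macro-capable attachment ({direction}) from {sender}: {name}")
```

In the sample, alice’s two ordinary messages an hour apart stay quiet, while bob’s six messages in four seconds, all carrying the same document that arrived minutes earlier from outside, trip the fan-out alert. The thresholds are deliberately low for the sample; tune `window` and `max_recipients` to your own baseline before trusting the alert in production.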

Defeating Emotet

Call us old-school, but Firewalls.com believes the bad guys should always lose in the end. Most single solutions are ill-equipped to deal with Emotet. Between its versatility, speed, and ability to assault multiple targets, you’ll need a whole team to take it down. If you’re thinking the Avengers, think again. Sophos Synchronized Security with Sophos Heartbeat is just the band of network defending heroes to call if you want to send the baddies packing.

Try Synchronized Security Free for 30 Days

Sophos protects against Emotet at every point in the attack chain. Synchronized Security means that your endpoints and your firewall communicate with each other in real time to provide a comprehensive and instantaneous response to threats. This constant pulse of communication between endpoints and the network is called the Sophos Heartbeat. The moment an attack is detected, Sophos Heartbeat instantly relays details back to XG Firewall in order to isolate the machine, shut it off from the network, and begin remediation.

Sophos Email Protection blocks spam both inbound and outbound. Leveraging threat intelligence from SophosLabs, Sophos email protection identifies malicious emails like those that propagate Emotet and shuts threats down before they hit the inbox. Active threat protection, malicious attachment sandboxing, and time-of-click URL protection all come standard with Sophos Central Email Advanced, giving your inbox all the superpowers it needs to shut down Emotet at its point of entry.

Try Sophos Email Free for 30 days

Read Sophos Email Datasheet

If a single endpoint becomes infected, Sophos Intercept X springs into action, isolating the device before Emotet has a chance to spread across the network. Intercept X is super smart, harnessing deep learning capabilities to anticipate new threats and predict security threats before they happen. Intercept X cuts off the opportunity for lateral movement and gets to work cleaning up the infected systems. Sophos Intercept X Advanced consolidates protection and Endpoint Detection and Response (EDR) into a single solution with guided incident response.

Try Intercept X Free for 30 days

Read Intercept X Advanced Datasheet

XG Firewalls feature advanced cloud-based sandboxing to examine and detonate payloads in a quarantined environment. XG Firewall is the overwatch command center that communicates in real time with endpoints thanks to the Sophos Heartbeat. AI-powered behavioral monitoring lets XG Firewalls detect behaviors consistent with Emotet and pre-emptively block all IP addresses currently known to be associated with Emotet. With advanced protection guarding the point of entry, the individual endpoints, and the network as a whole, your Sophos team makes short work of Emotet.

Try XG Firewalls Free for 30 days

Read XG Firewall Datasheet

Since these programs were designed to work as one well-oiled machine, all of these layers of Sophos protection occur automatically. This provides a comprehensive, zero-touch response that addresses advanced threats at every step of the attack chain. This dream team of Sophos Email, Intercept X, and XG Firewalls ensures Emotet never sees the Endgame. That means your story always gets its happy conclusion. And automatic, real-time, zero-touch response means your IT guy can go grab lunch.

The Firewalls.com Threat Dictionary: Know Your Enemy

Meet the Firewalls.com Threat Dictionary

Network security education & firewall know-how are essential to our modus operandi here at Firewalls.com. Cyber security doesn’t stop at choosing the right appliance or service subscription. Small businesses can benefit greatly from understanding the types of threats they face on a daily basis. Recognizing how breaches happen, where vulnerabilities occur, and how best to prevent them can arm even tech newbies with the knowledge to keep their data secure.

That’s why Firewalls.com developed our new Threat Dictionary. Any frequent follower will have noticed the addition of a new tab on our humble blog’s top navigation row. Our Threat Dictionary provides digestible overviews of the most common security threats so that firewall admins and small business owners know exactly what they’re dealing with. Plus, we tell you which security solutions are built to address each threat!

We cover topics from Advanced Persistent Threats to Zero-Day Exploits, and everything in between. We’ll continually expand our library of security threats so that you’re always well-informed about the latest perils to your data!

View the Firewalls.com Threat Dictionary

Looking for More Network Security Wisdom?

We’ve got a ton of great content to consume if you’re looking to boost your security savvy. Check out some of the additional resources we’ve whipped up for you below:

Cyber Security Glossary – Learn the lingo of cyber security with our Cyber Security Glossary. Unpack the abbreviations so you can talk tech with the best of ’em.

Configuration QuickStart Checklist – Looking to tackle a configuration yourself? Do-It-Yourselfers and Consultants rejoice, this checklist from Firewalls.com will be there every step of the journey. In-depth setting options assist you in leaving no stone unturned.

Firewall Buyers Guides – If you’re shopping for SonicWall, Sophos, or Fortinet firewalls, but want a bit more info about bundle options or series comparisons, our buyer’s guides are built for you. Demystify the brand terms and get a clear picture of the products you’re purchasing.

Firewalls.com YouTube Channel – We break down the features of some of our best-selling firewalls, provide step-by-step tutorials for solving some of your biggest security puzzles, and give greater depth to some of our blog content. Subscribe for regular updates!

Google Says “No More Excuses” for Unsecured Websites

Google has given websites a not-so-subtle prod towards security in 2018. Beginning this July, Google Chrome began visibly marking all HTTP sites as “not secure” in the address bar, signaling to visitors that their data may not be fully secure when interacting with a non-HTTPS enabled domain. What does this change mean for you and why does Google think this move is worthwhile? Keep reading to learn more about these security-focused changes rolling out this year.

Where Is the “Not Secure” Warning?

Starting with Chrome Version 68, Google will begin marking the address bar with one of two icons: if the website is secure, a green padlock with the word “Secure” (or, alternatively, the website’s verified domain name) will be displayed on the far left of the site URL. Sites still rolling with the unsecured HTTP protocol will display a gray “i” icon accompanied by the ominous phrase “Not Secure.”

What’s the Difference Between HTTP & HTTPS?

Hypertext Transfer Protocol (HTTP) is the protocol that acts as a bridge between your browser and the website you are accessing. Third parties can (and do) intercept this data to glean information about visitor activity and browsing behavior. In HTTPS, the additional “S” stands for “Secure.” This indicates that the data transferring between your browser and a secured website has been encrypted and is unreadable to third parties. A website featuring an HTTPS URL has purchased and deployed an SSL certificate. SSL certification requires some form of verification of the website’s ownership by a third-party authority.

Securing your website with an SSL certificate should be considered not only the “new normal” for the web, but the bare-bones security measure that vendors and site operators should offer to visitors. This is especially crucial for ecommerce, banking, or financial websites where sensitive information such as credit card numbers or personally identifying data is being submitted.

Should I Avoid Non-Secured Websites?

The short answer is: in most cases, yes. If you plan to give your credit card or bank account information to a website, that site owes it to you as a customer to at least attempt to keep your data secure. Deploying SSL certificates and HTTPS can be an expensive and time-consuming process, but it is a good-faith step that organizations undertake to signal to visitors that their data will be safe in the website’s hands. Sites often fail to purchase and deploy SSL certificates because they have chosen to cut corners in order to save money. Your personal data should not be sacrificed for someone else’s bottom line.

If you make a purchase through an unsecured ecommerce website, understand that your sensitive data is being transferred to that website’s server with no encryption while in transit. With 81 of the Internet’s top 100 websites having made the migration to HTTPS and the aggressive moves by Google to further fuel that trend, HTTPS is no longer just an added benefit but a cost of doing business in the modern world.
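To make the Point A / Point B picture from the Man in the Middle article above concrete on the client side, and to tie it to the “Not Secure” label discussed here, this added example (written for this page, not code from Google, Chrome, or the article) shows two checks a developer or admin can run: which of a list of constructed URLs would be labelled not secure, and whether a Python TLS client context is configured so that a certificate presented by an interposed party would actually be rejected. The weak context mirrors the common “turn verification off to make the error go away” shortcut; the hardened one uses the standard library defaults plus a TLS 1.2 floor.

```python
"""Client-side checks against an on-path interceptor: URL scheme labelling and a TLS
context audit. Added example for this page; the URLs below are constructed."""
import ssl
from urllib.parse import urlsplit

# Constructed links of the kind a user might be asked to click.
SAMPLE_URLS = [
    "https://bank.example/login",
    "http://bank.example/login",
    "HTTPS://shop.example/checkout",
    "ftp://files.example/report.pdf",
]


def classify_url(url):
    """Mirror the address-bar rule: HTTPS is 'secure', plain HTTP is 'not secure'."""
    scheme = urlsplit(url).scheme  # urlsplit lower-cases the scheme for us
    if scheme == "https":
        return "secure"
    if scheme == "http":
        return "not secure"
    return "unknown"


def audit_tls_context(ctx):
    """List the settings that would let an interposed certificate pass unchallenged."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("hostname check disabled (a valid cert for any name is accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy TLS versions allowed (minimum_version below TLS 1.2)")
    return problems


def weak_context():
    """The 'make the certificate error go away' shortcut: silently trusts any certificate,
    which is exactly the opening an on-path attacker needs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Chain validated against the system trust store, hostname matched, TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify_url(url):11s} {url}")
    print("weak context:    ", audit_tls_context(weak_context()))
    print("hardened context:", audit_tls_context(hardened_context()))
```

The audit is worth running against whatever context (or `requests` session, or `urllib` opener) your own scripts use: a `verify=False` or `CERT_NONE` that was added to silence a test-environment error is the same setting that lets a stranger on public Wi-Fi hand your client their own certificate.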

5 Big Takeaways from the SonicWall 2018 Cyber Threat Report

The 2018 SonicWall Cyber Threat Report was just released and we’re here to break down this massive report into bite-size morsels for you to chew on. Each year, SonicWall Capture Labs publishes an in-depth look at the trends, changes, & tech that shaped the cyber threat landscape over the previous year and they use their findings to predict the volatile threat landscape that organizations can expect to traverse in the coming year. Predict your own cyber security future by understanding these 5 key takeaways from the 2018 Cyber Threat Report.

1. Ransomware

Wave goodbye to the cyber security war that you once knew. No, it’s not over. It’s just a little different now. Despite headline-worthy attacks rocking Europe and North America, 2017 was a year of retreat and regroup for threat actors. No longer happy to play the numbers game, criminals have instead turned their focus towards innovation. While overall ransomware attacks dropped, the number of unique variants increased in 2017.

The number of ransomware attacks detected in 2017 by SonicWall Capture Labs totaled 183.6 million, a 71% drop compared to 2016. Nonetheless, of those detected hits, SonicWall discovered one never-before-seen variant for every 250 known threats it encountered. This means that ransomware is becoming more versatile. In 2018, expect the trend to continue, meaning your organization will be defending from fewer attempts, but each attempt will be smarter and more cunning than previous years.

What does this mean for me?

If you’re not already using a cloud-based sandbox, 2018 is the year to jump on the wagon. Zero-day threats may well become the new norm, meaning you’re only partially protected if you still depend on signature updates and patches. As the threat landscape shifts from quantity to quality, it is paramount that organizations stay ahead of the wave.

2. Malware

Where ransomware has taken a step back to catch its breath, malware filled the void in 2017, rebounding from the significant dip witnessed in 2016. From 2015 to 2016, malware attacks dropped from 8.19 billion occurrences to 7.87 billion, a statistic initially interpreted as a signal that malware was on the decline. 2017, however, saw a roaring return with over 9.32 billion malware attacks logged by SonicWall Capture Labs.

Malware in 2017 did have some unique features compared to past specimens. With the fall from grace of Adobe Flash sweeping a huge category of vulnerabilities and exploits into the trash, malware authors designated Microsoft as their new punching bag. Attacks against old targets like Acrobat Reader and Reader DC are down. Meanwhile, attacks targeting Word, Excel, and other Office products are ramping up.

Second, threat actors have seemingly joined the green movement by making recycling a big aspect of malware lifecycles. No, we’re not talking about scraps of trash, but malware code itself being reused, rehashed, and rewritten. The SonicWall Cyber Threat Report refers to this phenomenon as “malware cocktails.” Such cocktails are created by mixing and matching snippets of code or functionality from several malware kits and splicing them into new Frankenstein-esque creations.

What does it mean for me?

Take your signature-based scans and toss them out the window. It’s high time you switch over to behavior scanning. Most cyber security brands worth their weight are relying more heavily on machine learning, deep system scans, and real-time protection. Both SonicWall’s Capture ATP & Sophos’ Sandstorm make use of the latest deep learning capabilities to identify, probe, and judge data in fractions of a second. Much like our response to ransomware above, the key to steering clear of a malware infection will be in an organization’s ability to stay dynamic.

3. SSL/TLS

Speaking of malware, another important shift in the threat landscape is malware’s ability to hide itself behind encryption. Encryption, specifically through the SSL/TLS protocols, has accelerated, with over 60% of web traffic now encrypted. Soon, Google Chrome will begin marking all unencrypted pages as “not secure.” All signs point towards a future where SSL/TLS-secured sites are the norm, and malicious traffic is no exception.

What does it mean for me?

According to the report, organizations that lack the ability to inspect encrypted traffic missed, on average, over 900 attacks hidden by SSL/TLS encryption in 2017. In addition, many attack kits are leveraging custom encryption schemes, making it even more problematic to parse out their payload.

Stateful inspection and a loosely configured policy are no longer enough if you want to catch all of the attacks. In 2018, an organization will rely heavily on its ability to inspect encrypted traffic. It may be wise to get a second set of eyes to review your NGFW configuration to ensure your network is set up to deal with encrypted threats.

4. Internet Of Things

We wrote up a comprehensive article on IoT in 2017 that takes an in-depth look at the developments and dangers surrounding the Internet of Things. Since then, exploits with very scary names such as Meltdown and Reaper have emerged. Unfortunately, IoT-enabled products continue to be produced with little to no regard for cyber security. Expect to see the weaponization of IoT clusters for use in botnet DDoS attacks.

What does it mean for me?

Honestly, we’re not sure. The bad guys have not yet figured out how to best make use of this emergent attack vector. Whatever the future may hold for IoT, one thing we know for certain is that we will one day regret the short-sightedness of pumping all of these network-enabled devices into public hands with scant oversight of security risks. SonicWall Capture Labs has put forth at least one solution, which we’ll outline next.

5. Real-Time Deep Memory Inspection (RTDMI)

SonicWall has demonstrated its inventiveness over and over throughout the years with a strong portfolio of patents. Most notable is their patented Reassembly-Free Deep Packet Inspection, a method that allows simultaneous scanning of data chunks through multiple processing engines, changing DPI services of old from bottlenecks into high-speed security checkpoints. In 2018, SonicWall continued their proud tradition of innovation by opening new battlegrounds in the fight against cyber crime in advanced technologies such as IoT, chip-based threats, & mass market malware with the introduction of their patent-pending Real-Time Deep Memory Inspection.

There’s not a whole lot of information about RTDMI released so far, but the few snippets of features we were able to find hinted at potential capabilities. RTDMI is located in the Capture cloud and has been quietly operating for a few months now, so if you’re currently running Capture ATP you’re already under RTDMI’s silent watch.

RTDMI can detect and block malware that conceals its malicious behavior behind encryption. By scanning these encrypted threats in real time and forcing them to expose their intentions in processor memory, RTDMI promises to root out even the best disguised attacks. According to the threat report, the act of exposing, detecting, and blocking these kinds of advanced threats takes place in a timescale of under 100 nanoseconds.

What’s this mean for me?

Again, we’re not sure yet. But you should find this news reassuring at the least. RTDMI demonstrates that SonicWall is already working to solve the emerging threats of tomorrow. We’ll keep bugging SonicWall for more information, and we’ll let you know what we find out about this mysterious new patent-pending tech.

There is one common thread linking all of this information: set-it-and-forget-it is dead. Cyber safety in 2018 equates to dynamic, real-time, technology-focused efforts. Still relying on a legacy firewall or bare-bones subscriptions? We recommend you start weighing your options. And if this all sounds expensive to you, consider softening the upfront costs by partnering with a Security-as-a-Service team where everything you need to stay secure is provided at a much lower cost as a monthly subscription.

3 Things All Organizations Should Learn from the SophosLabs 2018 Malware Forecast

WannaCry. NotPetya. KRACK. BadRabbit. With all the new friends we made in 2017, organizations have to wonder what the new year has in store in regards to cyber security. A meteoric rise in ransomware has the healthcare industry on its toes. Corporate email breach rates are soaring. Surely there must be someone that can help us make sense of it all!

Well, Sophos can. A few months ago SophosLabs released its 2018 Malware Forecast. In this week’s blog post, we’ll look at the data, the predictions, and what business owners should take away from the research. Ready to get secure and stay secure in 2018? Keep reading to learn how you can pull it off.

3 Key Points of the SophosLabs Malware Forecast

1. Ransomware-as-a-Service is the New Normal

The real boogeyman in the world of cyber security is no longer individual hackers, but the toolkits and custom code they distribute. The Dark Web is littered with DIY exploit kits and pre-built ransomware payloads just waiting to be aimed and fired, for a price. Any Joe Shmoe off the street can bring a hospital campus to a grinding halt, even if they can’t tell a secure socket from an electrical socket. Ransomware-as-a-Service is an all-inclusive heist-in-a-box that even low-tier baddies can use to separate your organization from its wallet.

Just how commodified has ransomware become? Well, why not watch the world’s first commercial for a ransomware toolkit?

What It Means for You

More attempts. More spam. More danger lurking around every corner. Sure, these DIY exploiters may not have the expertise or dedication that hackers of old once touted, but cyber crime in 2018 is a numbers game. Expect to see the total number of attempted attacks rise as ransomware-as-a-service kits multiply and the entry threshold for cyber criminals lowers.

2. Windows is Still Vulnerable

As the author of the report states, “the Windows threat landscape hasn’t changed much in the past year…” Realistically, that’s no better news than claiming the yapping dog next door hasn’t been barking much louder than usual. One important trend that SophosLabs reported was an increased concentration of attack payloads nested in Microsoft Office applications such as Word and Excel. Droppers like these execute macros inside Windows documents to deliver their payload, turning innocent-looking files into landmines. If anything, these improvements in the world of Office exploits translate into shorter attack time frames and more efficient exploits.

What It Means for You

Like years past, the most likely attack vector against your organization in 2018 will be an attachment in your inbox. However, expect phishing attempts that are more deceptive, more persuasive, and, should you fall victim, more unforgiving. Tag-teamed with a blossoming ransomware-as-a-service sector, Windows exploits will be deployed more dynamically than ever. The turnaround time between a new vulnerability being discovered and an attack payload being built to exploit it is shrinking.

3. Cybercriminals As Opportunistic Hunters

The bad guys are wasting less of their time on targets that won’t pay up. That’s bad news for those of us that don’t have the luxury of choice. The healthcare, government, and education industries will have inescapable targets looming over their heads throughout 2018. Healthcare in particular is already attacked more frequently than any other sector. Each instance of ransomware attack is an experiment in which criminals are learning who will convert into a sale and which targets are least prepared.

What It Means for You

Cyber crime is a growing industry and like any budding industry, they are piecing together their target audience and exploring strategies to shorten their “sales funnel.” With ransomware, that’s accomplished by targeting critical infrastructure, medical records, and sensitive financial information. If your industry touches on those goalposts, you’ve probably made it onto the bad guys’ shortlist.

How Can I Prepare for 2018?

Adware, spyware, and viruses are all very much real and salient worries. But let’s not kid ourselves about who the big bad final boss is on this level: ransomware. Any industries that could find themselves staring down the barrel of a custom-designed exploit kit should be preparing for that possibility by putting preventative measures in place. Step one is as easy as learning as much as possible about ransomware, so why not hop over to our article “Ransomware Warfare: How to Protect Your Files From Hostage Takers” to brush up on your safety basics?

Sophos Intercept X is a powerful weapon that most organizations should be adding to their arsenal. Intercept X is designed to run alongside any other endpoint applications on your system, so most network environments will welcome it. Intercept X is built to go toe-to-toe with zero-day threats because Sophos analyzes threats based on behavior rather than known signatures. Behavior-based scanning ensures that even if an attack has never been documented before, it’s still going to get the ax if it walks like ransomware, talks like ransomware, and smells like ransomware. In an era of bespoke and rapid-deployment ransomware, we can no longer rely on only fighting the enemies we’re familiar with.

However, the most impressive feature of Intercept X is its ability to literally roll back damage from ransomware that lands on your system. Even if ransomware makes it onto your network and manages to encrypt a few files, Intercept X will be able to shut the attack down, restore your files, and reverse the damage right before your eyes. In fact, you can watch it demonstrated in this one-minute video:

Remember, an organization is only as secure as its employees make it. Human error will occur. Honest mistakes happen. But if the worst happens, Intercept X will be there to clean up.

Learn more about Intercept X or take it for a FREE 30-day trial

3 Things to Learn from Google’s Latest Report on Stolen Credentials

Over the last year, Google has teamed up with the University of California, Berkeley and the International Computer Science Institute to collect, analyze, and report data on the contemporary landscape of black-hat email credential theft. In the period between March 2016 and March 2017, Google anonymously inserted themselves into private forums, credential trading markets, and dark web paste sites in order to learn how the bad guys looking to steal your login and password information are operating and evolving in the modern era. Or, as Kurt Thomas et al., the authors of the study, put it, Google’s newest study “presents the first longitudinal measurement study of the underground ecosystem fueling credential theft and assesses the risk it poses to millions of users.” So, what does all that mean for you? Let’s break down the numbers and outline 3 major takeaways from Google’s study to understand how miscreants are trying to compromise your email security.

This study analyzed databases of purportedly stolen email credential information throughout 2016. Of these datasets, roughly 788,000 instances were the result of keyloggers, 12.4 million were sourced from phishing kits, and 1.9 billion credentials were exposed in larger data breaches.

1. The Bad Guys Are Staying Up-To-Date. Are You?

If you’ve considered beefing up your security infrastructure but decided that it’s probably safe to lag a year or two behind the latest technology, you’re being outclassed by the competition. Online black-hat forums distribute pre-built phishing kits and keyloggers with thousands of variants and iterations to ensure that they stay on the cutting edge of cyber crime. Google’s study identified over 4,000 different strains of phishing kits available in 2016, and that’s only the variants they DID find.

The bad guys aren’t making off with only information from old, unused, or abandoned accounts. 7% to 25% of recovered credentials matched the current login credentials of the accounts they were stolen from. (Don’t worry, Google made sure to reset any compromised accounts they identified!) Phishing kits in particular showed troubling results in this area: a whopping 25% of the stolen data that Google reviewed matched current, usable login credentials. The study concluded that victims of phishing kits are 400 times more likely to be successfully hijacked than an average user.

2. Corporate Phishing is a Cyber Gold Rush

Prospector Jeevekins was right about the dangers of unsecure email

That old prospector was right when he warned us all about the dangers of social engineering in the age of communication. During their research period, Google detected 234,887 instances of potentially valid credentials being transmitted to an exfiltration point (bad guys’ email) per week. Read that statement again. Not 234,887 attempts. 234,887 successful transmissions of potentially valid credentials per week. The estimated success rate for a phishing kit is 9%.

  • Phishing kits were largely aimed at victims located in the United States, with just shy of 50% of identified victims’ geolocations based in the U.S.
  • 83% of phishing kits collect geolocation data in addition to login credentials
  • 40% collect financial information such as credit card data
  • 18% collect phone numbers
  • 16% collect User-Agent data such as the browser, device, and platform in use at the time of the attack
  • 9% collect social security numbers

3. “Stronger Passwords” Can Only Do So Much

Increasingly, organizations are coming to terms with the fact that a simple login/password combination is the bare minimum when it comes to email security. Even salted, hashed passwords prove flimsy under scrutiny when the hash function is a fast one: Google’s report estimated that almost 15% of the stolen credentials in their study were hashed using MD5 and 10% with SHA-1. Both are general-purpose hash functions built for speed, which is exactly what makes guessing against them cheap; password storage should instead use a deliberately slow, salted function such as bcrypt, scrypt, Argon2, or PBKDF2.
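To make the fast-hash problem concrete, here is an added example (not from Google’s study or the original post) that stores one constructed password two ways, a salted MD5 and a salted PBKDF2-HMAC-SHA256 record from Python’s standard library, verifies it in constant time, and measures how many candidate passwords per second each scheme lets a checker try. The password, salt and iteration count are constructed values for illustration.

```python
import hashlib
import hmac
import time

# Constructed example inputs; a real system generates a fresh random salt
# per user with os.urandom().
PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
PBKDF2_ITERATIONS = 100_000


def md5_salted(password, salt):
    """Legacy-style storage: even with a salt, MD5 is so fast that a
    stolen table can be guessed against at enormous rates."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_record(password, salt, iterations=PBKDF2_ITERATIONS):
    """Modern storage: a slow, salted KDF. The record carries its own
    parameters so they can be raised later without breaking old rows."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_pbkdf2(password, record):
    """Re-derive from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def hashes_per_second(hash_fn, seconds=0.25):
    """How many candidate passwords hash_fn can process in a short window.
    The candidate list is constructed; the point is the ratio between
    the two schemes, not the absolute numbers."""
    candidates = ["password%d" % i for i in range(10_000)]
    start = time.perf_counter()
    tried = 0
    while time.perf_counter() - start < seconds:
        hash_fn(candidates[tried % len(candidates)], SALT)
        tried += 1
    return tried / (time.perf_counter() - start)


if __name__ == "__main__":
    record = pbkdf2_record(PASSWORD, SALT)
    print("stored record:", record)
    print("verify correct password:", verify_pbkdf2(PASSWORD, record))
    print("verify wrong password:  ", verify_pbkdf2("hunter2", record))
    print("salted MD5 rate:   %.0f/s" % hashes_per_second(md5_salted))
    print("PBKDF2 rate:       %.1f/s" % hashes_per_second(pbkdf2_record))
```

The ratio printed at the end is the whole argument: a salt stops precomputed tables, but only a slow function raises the per-guess cost enough to matter once a credential dump is in circulation.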

To make matters worse, it can hardly be said that victims are learning from their mistakes. Research indicated that of victims that had their credentials stolen, only 3% later chose to switch to a two-factor authentication process as opposed to a simple login/password combination.

What Can I Do About It?

These numbers may be grim, but so long as organizations are as dedicated to email security as the bad guys are to stealing data, there is hope. Increasing usage of two-factor authentication as well as password management apps means that the business world’s approach to cyber security is begrudgingly moving past the bare minimum. An even more secure future can be found in various email security subscriptions, encryption services, and anti-virus/anti-spam clients. Here are a couple of recommendations for products that can prevent your login credentials from winding up on a black market spreadsheet.

Email Encryption

Email encryption is the process of encrypting the content of outbound messages in order to prevent third-party entities from intercepting and reading that data. In many cases, this means that the readable plain text is scrambled into cipher text using the recipient’s public key, and only the matching private key, which the recipient alone holds, can unjumble it. Email encryption services are usually subscription services that entail additional features and services in addition to message encryption.

  • Record ID Matching: Scans outbound content for sensitive information before delivery
  • Attachment Scanning: Probes potentially harmful attachments to ensure safety before opening
  • Predefined Compliance Policies: Built-in policies designed to be easily deployable for common problems and compliance issues such as HIPAA or PCI
  • Approval Boxes: Allows you to preview unverified emails before they are opened onto your network
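The public-key step described above, reduced to arithmetic small enough to follow by hand, as an added example (not the page’s own code and not how any of the products listed here work internally). It is textbook RSA with two constructed primes and no padding, which is fine for showing that the public key encrypts and only the matching private key decrypts, and nothing more; real email encryption uses keys of 2048 bits or more, randomised padding, and a symmetric cipher for the message body.

```python
# Textbook RSA with small, constructed primes so every value is visible.
# Illustration only; never use keys this size or unpadded RSA in practice.
P, Q = 61, 53
N = P * Q                          # 3233: the public modulus
E = 17                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # 2753: private exponent (Python 3.8+)
RECIPIENT_PUBLIC_KEY = (N, E)      # handed to anyone who wants to write to us
RECIPIENT_PRIVATE_KEY = (N, D)     # never leaves the recipient


def encrypt_for_recipient(plaintext, public_key):
    """Sender side: each byte m becomes c = m^e mod n. Anyone holding the
    public key can do this; reversing it needs d."""
    n, e = public_key
    return [pow(byte, e, n) for byte in plaintext]


def decrypt_with_private(ciphertext, private_key):
    """Recipient side: m = c^d mod n. Returns the raw recovered integers."""
    n, d = private_key
    return [pow(c, d, n) for c in ciphertext]


def recover_message(values):
    """Only the matching private key yields values that are all valid bytes;
    a wrong exponent produces numbers outside 0..255 or the wrong text."""
    if all(0 <= v < 256 for v in values):
        return bytes(values)
    return None


if __name__ == "__main__":
    ct = encrypt_for_recipient(b"hi", RECIPIENT_PUBLIC_KEY)
    print("ciphertext integers:", ct)
    print("right key :", recover_message(decrypt_with_private(ct, RECIPIENT_PRIVATE_KEY)))
    # A neighbouring exponent stands in for "somebody else's private key".
    print("wrong key :", recover_message(decrypt_with_private(ct, (N, D + 1))))
```

Because each byte is encrypted independently and deterministically, identical bytes give identical ciphertext integers, which is one of the reasons real systems wrap RSA in padding and use it only to protect a symmetric key.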

LEARN MORE ABOUT EMAIL ENCRYPTION

TotalSecure Email

SonicWall TotalSecure Email provides complete protection for both inbound and outbound e-mail by providing award-winning anti-spam, anti-virus, anti-phishing, and policy and compliance management in one easy-to-use solution. For larger organizations there is simply no easier way to get complete email security. TotalSecure is a comprehensive package that holistically protects your inbox’s attack surfaces from every conceivable angle of attack by bundling several useful subscriptions together into a single strategy.

  • McAfee Anti-Virus: To keep the bugs at bay
  • SonicWall Time Zero: Protection from zero-day threats, focusing on the time frame between initial detection and receiving signature-based solutions
  • Corporate Phishing Protection: Uniquely identifies phishing attempts and enables admin to handle them independently from spam
  • Email Policy Management: Allows admin to quickly create and enforce corporate compliance policies
  • End-User Spam Management: Delegates spam management to end-users, reducing false positives and easing the load on your IT guys

LEARN MORE ABOUT TOTALSECURE EMAIL FROM SONICWALL

Want to see Google’s research for yourself? Download the PDF.

Taming the Hidden Cobra: The DPRK’s malware brigade

What is Hidden Cobra?

While it may sound like the final technique learned from Jackie Chan in a young adult movie, Hidden Cobra is actually the moniker given to state-sponsored actors executing cyber crime activities on behalf of the North Korean government. Before federal agencies reported on the activities of DPRK’s Hidden Cobra, the group was dubbed by the private sector as Lazarus Group or Guardians of Peace. Hidden Cobra is an extension of the North Korean government and targets both public and private entities with malware, data wipers, DDoS, and SMB worm tools. Known variants of the Destover, Duuzer, and Hangman tools are common modus operandi for Hidden Cobra. In addition, Hidden Cobra is notorious for their use of powerful DDoS attacks with their denial-of-service tool, DeltaCharlie.

Flushing Out the Snake

Hidden Cobra tends to target systems that run older, unpatched operating systems. The lack of firmware updates and the plethora of attack surfaces found in obsolete Microsoft operating systems make for low-hanging fruit the serpents are able to reach. A Technical Alert issued by the Department of Homeland Security and Federal Bureau of Investigation includes a database of recognized IP addresses and network signatures that they consider Indicators of Compromise (IOCs).

Indicators of Compromise


In addition to these IOCs, DHS has published a Malware Analysis Report detailing the unique functionalities and common tactics demonstrated by Hidden Cobra actors.

MAR 10132963


Known Vulnerabilities

As with real snakes, we have accumulated antidotes for a majority of Hidden Cobra’s venoms. The following Common Vulnerabilities and Exposures (CVEs) are typical susceptibilities targeted by Hidden Cobra:

If Adobe Flash and Microsoft Silverlight are no longer necessary applications in your system, we highly recommend removing these programs completely.

Delta Charlie

Perhaps the most perilous tool operated by Hidden Cobra is their DDoS tool, DeltaCharlie. Sporting a standard botnet infrastructure, DeltaCharlie is used to launch DNS attacks, NTP attacks, and CGN attacks. DeltaCharlie disguises itself as a svchost service. The tool can download and operate macros, alter its own structure, and perform denial-of-service attacks on command.

If You’ve Been Targeted

Report the attack to DHS or FBI – Federal agencies are very interested in keeping tabs on the activity of North Korea’s state-sponsored cyber warfare adjuncts. You can report malware to the DHS here. They will certainly appreciate the information.
Review visitor logs for IOCs – If you suspect Hidden Cobra is responsible for a raid on your network, cross-check records from your perimeter defenses against those IP addresses outlined in the Indicators of Compromise spreadsheet provided above.
Run YARA – For readers unfamiliar with YARA, it is a tool developed by malware researchers to detect attack signatures. The Technical Alert issued by DHS and FBI include a variety of YARA rule definitions that can quickly and effectively track down signs of Hidden Cobra malware.
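The “review visitor logs for IOCs” step above is a mechanical cross-check, and this added example (not part of the DHS/FBI alert or the original post) does it: it loads an IOC list in a simple CSV shape, parses the source and destination addresses out of perimeter log lines, and reports every line that touches a listed address or range. The CSV columns, the log format and every address here are constructed; the addresses come from the RFC 5737 documentation ranges and are not real Hidden Cobra indicators. Feed it the agencies’ CSV and your own firewall export in place of the two strings.

```python
import csv
import io
import ipaddress
import re

# Constructed IOC list. Columns are an assumption about the CSV layout;
# adapt load_iocs() to the header of the file you actually download.
IOC_CSV = """\
indicator,type,note
192.0.2.44,ipv4,constructed placeholder
198.51.100.7,ipv4,constructed placeholder
203.0.113.0/24,ipv4-range,constructed placeholder range
"""

# Constructed perimeter log lines in a generic key=value firewall format.
FIREWALL_LOG = """\
2017-06-14T02:11:09Z fw1 allow src=10.0.0.15 dst=192.0.2.44 dport=443
2017-06-14T02:11:42Z fw1 allow src=10.0.0.22 dst=198.51.100.200 dport=80
2017-06-14T02:13:05Z fw1 deny src=203.0.113.77 dst=10.0.0.5 dport=445
2017-06-14T02:15:30Z fw1 allow src=10.0.0.15 dst=198.51.100.7 dport=8080
"""

# Pull every src=/dst= IPv4 value out of a log line.
IP_FIELD = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_iocs(csv_text):
    """Return (set of single addresses, list of (network, indicator_text)).
    Ranges are kept separately so a CIDR indicator matches any host in it."""
    singles = set()
    networks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["indicator"].strip()
        if "/" in value:
            networks.append((ipaddress.ip_network(value, strict=False), value))
        else:
            singles.add(ipaddress.ip_address(value))
    return singles, networks


def match_address(addr, singles, networks):
    """Return the indicator text that covers addr, or None."""
    ip = ipaddress.ip_address(addr)
    if ip in singles:
        return str(ip)
    for net, text in networks:
        if ip in net:
            return text
    return None


def scan_log(log_text, csv_text):
    """Cross-check every src/dst address in the log against the IOC list.
    Returns a list of (line_number, line, address, indicator) hits, in
    log order, so each hit can be pulled straight into an incident ticket."""
    singles, networks = load_iocs(csv_text)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for addr in IP_FIELD.findall(line):
            indicator = match_address(addr, singles, networks)
            if indicator:
                hits.append((lineno, line, addr, indicator))
    return hits


if __name__ == "__main__":
    for lineno, line, addr, indicator in scan_log(FIREWALL_LOG, IOC_CSV):
        print("line %d: %s matched IOC %s\n    %s" % (lineno, addr, indicator, line))
```

A hit on an outbound allow (line 1 and line 4 in the constructed data) is the case to chase first: a denied inbound probe from a listed range is noise compared with an internal host that has already reached out to one.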

Preventing Hidden Cobra Attacks

Limit admin privileges – We’ve talked about this one before. When an attacker gets into your system, you don’t want everyone inside carrying around skeleton keys.
Update your firmware – Hm. This one sounds familiar too. The straight-forward warning: the older your operating system, applications, or security patches, the more likely you are to be on the receiving end of cyber crime. This is as self-explanatory as comparing a modern digital security system to a string of rattling cans strung across the lawn.
Go invite-only for your applications – The practice of whitelisting applications drastically cuts down potential attack surfaces in your network. In short, whitelisting is allowing only prescreened applications access to your system. If it’s not on the list, it stays outside.
Leverage your firewall – Firewalls provide gateway security, content filtering, IP whitelisting, application controls, user groups, and more. There are a vast number of security options available to organizations to protect their data against the likes of Hidden Cobra, but most of them require a firewall appliance to operate. Think of your firewall as the command center of your security infrastructure. Next-generation firewalls are platforms designed to provide all of the security resources you need in one powerful appliance, known as Unified Threat Management.

Learn about UTMs offered by our manufacturer partners!

SONICWALL COMPREHENSIVE GATEWAY SECURITY SUITE

SOPHOS CENTRAL

I Spent 5 Years in the Hotel Industry; Here’s What I Learned About Cyber Security

Stroll into any mid-range hotel with a flash drive in your pocket. Don’t bother with the old desktop computer in the lobby “business center.” Stop at the front desk, smile wide, and slap your USB device on the counter. Politely ask the guest services agent to print a document for you. If they direct you to the business center, claim that you tried it the previous night and couldn’t get it to work. Then observe.

Congratulations, you just slipped past the perimeter defense of a multi-billion dollar corporation. Let me lay out what happens next. The front desk staff takes your flash drive to the back, pops it into a USB port, and joyfully opens whatever file you ask them to.

I know this trick works because I’ve witnessed the scenario play out a thousand times. In a few instances, I was the unwitting hand guiding the thumb drive into a terminal. While most Firewalls.com blog posts shy away from anecdotes and keep individual histories at a professional arm’s length, this post is based on personal experience.

I worked in the hospitality industry for half a decade before shifting into the info sec market. This is what I learned.

Corporate Will Do the Leg Work for You

Okay, getting a file onto a machine was easy, but you’ve only infected a single computer on a closed network. Now what? Wait for corporate to do the heavy lifting.

Each night when the hotel audits their daily transactions, troves of data are gleaned from employee desktops and rolled up to the corporate servers for safe keeping. Your freeloading file needs only loiter on the network until about 2:00 or 3:00 in the morning, when corporate provides a free lift to the database where comprehensive financial data, transaction history, and confidential customer information for a multinational brand is stored.

Security Culture in 10 Minutes or Less

Hotel new hires typically sit through a series of training modules where the mainstays of employee on-boarding make their appearances: OSHA policy review, incident reporting, benefits programs, core values. If the brand is more forward-thinking, then somewhere in this hodgepodge of instructional videos is nestled the briefest touchpoint on cyber security.

Included in one training excursion I trudged through, the company splurged on commissioning Kevin Mitnick to narrate a nine-minute video on cyber crime. After a SparkNotes-tier definition of social engineering, Kevin encourages new employees to address further email fraud questions to their direct supervisors.

Hoteliers Wear Many Hats, But None of Those are White Hats

Asking superiors for further information sounds reasonable, in a script. But I was a direct supervisor to over a dozen employees and was granted no special insight into preventing cyber crime. I was consistently preoccupied with expanding a repertoire of customer service, accounting, management, sales, payroll, quality control, HR, safety, facilities management, commercial kitchen, and plumbing skills. Hotel employees tend to be jacks of all trades at the expense of being even a journeyman in any specific talent. Specialists graduated away from the front lines quickly or were chased out when one of their duller skills failed to impress.

Perhaps further up the chain of command an answer could be uncovered? But my direct supervisor played audience to the very same training modules I watched. And his supervisors, now nearing the vice presidential or regional territory types, likely hadn’t seen a training video since before cyber crime was a credible threat. But surely further up the ladder, someone was watching over us. I’m certain that scouring LinkedIn or the company Outlook Address Book would inevitably turn up a VP of Technology or comparable title, but they were off in a lofty C-suite well outside the reach or even the zeitgeist of any ground-level employees looking for answers. For all intents and purposes, further information is impractical beyond utility if it exists at all.

Throwing the Baby Out With the Hogwash

An anecdote burned forever into my psyche involves an umbrella term that some corporate security wonk for one hotel brand took a liking to: hogwash. The term ‘hogwash’ and cyber security were married after an impassioned email in which the word was typed in bold font, in all capital letters, a total of 7 times. Several months later this diatribe led to the introduction of a “hogwash button” on corporate email applications. At no point was it expounded exactly what ‘hogwash’ entailed or why reporting it proved crucial to company goals. The only instruction given was to delete and report any email that looked suspicious. The grounds for basing our suspicions, I suppose, were left to individual interpretation.

The Lesson to Be Learned

This is no simple attempt at picking on the hospitality industry. Instead, take this post as a wake-up slap. When discussing information security, there is a magnetic draw to discussing the healthcare industry, banking and financial institutions, or vulnerabilities haunting our governmental or infrastructure systems. But if we trot out the conversation to less flashy or FUD-inducing industries, we find a landscape brimming with entities just begging to be caught with their pants down. And while malware crashing the power grid makes for better thriller movie material, the hospitality industry still handles the confidential information of millions of travelers each day.

We must address the disconnect between security administrators in high towers and front-line employees operating in distant venues. Real human connections are necessary to impart the axioms of cyber security to ground-level employees. These are personnel who don’t spend hours browsing Dark Reading or CNET.

Firewalls.com dedicates a lot of time and screen space to the cause of nurturing cyber security cultures in the office. We understand that even the most expensive and sophisticated security setup will fail if employees leave gateways wide open.

It’s time to revamp your library of training videos. It’s time to review SOPs with VPs who have occupied their positions since before the hazards of cyber crime fleshed out. It’s time to put cyber security on the same pedestals as accurate payroll, helpful customer service, and efficient logistics. And for the hotel industry in particular, it is time to leave the printing of boarding passes to airline kiosks.

Firewalls.com is a value-added reseller of firewall appliances & a vendor of managed security and Firewall-as-a-Service support. Our engineers are rigorously trained and certified by all of the major manufacturers that we partner with. Whether you’re looking to add an appliance to your security set-up or seek ongoing support from seasoned experts, we can provide the security solutions necessary to get you secure and keep you secure. Contact one of our knowledgeable sales staff to answer any questions you may have about your network, firewalls, or endpoint protection.

You can also follow us on Twitter and Facebook.

PHISHING ALERT: The Better Business Bureau warns members about fraudulent emails

Companies are being urged to think twice before opening notices of complaint from the BBB as an intense phishing campaign ramps up targeting business owners. An email from the Central Indiana branch of the BBB issued statements claiming that the “BBB name and logo are being fraudulently used by criminals” in a social engineering scheme.

Fraudulent emails are delivered under the guise of a violation complaint. Over 100 malicious websites have been shut down in response to attempts over the last few days.

Here are signs that you’re being targeted:

1. Check BBB emails to ensure details look legitimate. Poor formatting, typos, grammar mistakes, and generic form field greetings are all signs of a phishing email.
2. Double-check the sender’s email address. Does it appear accurate?
3. Do not click, save, or open any attachments or links.
4. Social engineers take advantage of fear, urgency, and doubt to rush targets into a rash decision. If an email asks you to take a specific action (like opening an attachment) to maintain your account or rating, think twice.
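The four signs above can be turned into a triage script, and this added example (not from the BBB or the original post) does so with Python’s standard `email` library: it parses a raw message, checks the sender domain against a list of domains you expect, flags a Reply-To that points somewhere other than the From domain, and looks for the pressure language, generic greeting and “open the attachment” request the post describes. Both sample messages, every address and domain in them, and the `bbb.org` expectation are constructed for the example; the page itself names only the reporting address phishing@council.bbb.org.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign described above. Every
# address and domain is a placeholder, not a real indicator.
SAMPLE_PHISH = """\
From: "Better Business Bureau" <complaints@bbb-notices.example>
Reply-To: <desk@webmail.example>
To: owner@smallbiz.example
Subject: URGENT: Complaint #4471 filed against your business
Content-Type: text/plain; charset="utf-8"

Dear Valued Member,

A complaint has been filed against your company. You must respond
within 24 hours or your rating will be suspended. Open the attached
notice immediately.
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "BBB Membership" <membership@bbb.org>
To: owner@smallbiz.example
Subject: Your quarterly accreditation newsletter
Content-Type: text/plain; charset="utf-8"

Hello Jordan,

The spring newsletter is now available on the member portal.
"""

# Assumption: domains you genuinely expect BBB mail to come from.
EXPECTED_SENDER_DOMAINS = ("bbb.org",)
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "maintain your")
GENERIC_GREETINGS = ("dear valued member", "dear customer", "dear user", "dear member")


def _domain(address):
    return address.rpartition("@")[2].lower()


def _domain_is_expected(domain, expected):
    return any(domain == d or domain.endswith("." + d) for d in expected)


def check_message(raw, expected_domains=EXPECTED_SENDER_DOMAINS):
    """Return a list of human-readable findings; an empty list means none of
    the checks fired. A triage aid for a human reader, not a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    if not _domain_is_expected(from_domain, expected_domains):
        findings.append("sender address domain '%s' is not an expected domain" % from_domain)

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if _domain(reply_addr) != from_domain:
            findings.append("Reply-To points to a different domain than From")

    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    text = subject + "\n" + body

    pressure = [p for p in URGENCY_PHRASES if p in text]
    if pressure:
        findings.append("pressure language: " + ", ".join(pressure))
    if any(body.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    if "attach" in body:
        findings.append("asks you to open an attachment")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, "->", check_message(raw) or "no findings")
```

The sender-domain check is the one worth maintaining: display names like “Better Business Bureau” cost an attacker nothing, while the address after the `@` has to resolve somewhere, so keep the expected-domain list short and review it when a real sender changes.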

If you believe that you may be the target of a phishing email, follow these steps:

1. Delete the email and ensure that you empty your recycling bin.
2. If you clicked any links or opened attachments, immediately change your log-in credentials.
3. Watch your finances. If you see any unexpected transactions, you may want to investigate further.
4. Ensure that your endpoint protection is running with all available updates installed.

With proper understanding of social engineering practices, you can stay safe even against emerging threats.

Here’s a quick look at one of the inbox impostors:

[Image: sample BBB phishing email]

The silver lining

Phishing is a topic to discuss in your workplace. This BBB scam represents a prime example of social engineering and cyber security safety that can be dissected for your team. Building a culture of cyber security in the workplace is a best practice that every business should keep on its to-do list. We encourage you to print the sample email provided above, highlight the tell-tale clues of social engineering, and hold a discussion with your staff about email security.

If you found a suspicious BBB notification in your inbox, do your part by reporting the email to phishing@council.bbb.org.

Fortunately, you don’t have to worry about fraudulent emails when you use SonicWall’s TotalSecure Email Protection.

PROTECT YOUR NETWORK TODAY

ePidemiology: Applying concepts of herd immunity and public health to cyber security

Metaphors for cyber security tend to gravitate towards the adversarial. We break into teams. We assign colors. We talk in terms of warfare. We man battle stations and try to push back against bad guys on active fronts. When discussing cyber security in the mindset of battle, of raiders and defenders, we find our line of thinking entrapped by binary outcomes of victory or defeat. However, framing the conversation in a fresh conceit fosters perspectives that may otherwise elude us.

While stock photo options for warfare are objectively more metal, we would like to investigate cyber security through the lens of epidemiology. Public health is a struggle that does not produce 100% winners or 100% losers. Instead, the goal revolves around mitigating infectiousness to the point that a disease no longer possesses the means to reproduce its efforts en masse, thus undercutting its capability to evolve into more sophisticated strains. This change in victory conditions births discussion of herd immunity.

What is herd immunity?

Herd immunity is a term used in epidemiology describing a secondary line of defense against infection that benefits individuals who cannot or have not gained immunity already. Vaccines are widely regarded as the primary security point against the spread of infectious diseases but thanks to the effects of herd immunity, those persons who cannot receive vaccination find shelter in a majority of the population being unable to spread disease.

Like malware, the first goal of a disease is to spread to the greatest number of hosts possible. A higher percentage of individuals infected by a disease grants that disease better potential to spread to new hosts. However, as the percentage of the population with immunity to that disease grows, the ability for the disease to spread softens.

Simply put, a disease with fewer bridges available to cross is limited in the distance that it can travel. Without delving too deep into epidemiology theory, a concept exists of thresholds that, once crossed, generally spell the end of outbreaks. In some cases, a combination of vaccination and herd immunity has led to the effective eradication of a disease. When was the last case of polio in the United States? The elimination of wild polio strains in certain regions is thanks to the fact that widespread immunity makes it more difficult for a polio outbreak to gain footholds in a human ‘herd’ and even more difficult for an outlier case to spin out of control.

In the past, human populations were concentrated in small, isolated groups. This meant that the extent of outbreaks was limited by geographical factors. Spatial limitations no longer come into play in the modern era, where humans can travel over mountains, across oceans, and hop between continents in a day’s time. Increased globalization and greater access to remote geographical regions mirrors the growth of interconnected, Internet-connected devices represented by the Internet of Things.

If we think of the Internet of Things as a population, we see a growing potential for infections to spread over new channels and pathways. The threat of more interconnected and heterogeneous mixing pushes higher the necessary threshold to trigger the benefits of herd immunity.

What does this have to do with me?

Framed in the perspective of public health, cyber security is an issue that concerns everyone.

If, like polio, over 90% of the Internet-connected populace were immune to ransomware, what motivation remains for hackers to continue developing exploits and writing malicious code? The cost-to-benefit analysis would be a quick calculation: the risk of deploying a cyber attack would outweigh the peanuts that attackers stand to make off the 5% of computers still exhibiting vulnerabilities.

Ensuring that 100% of devices are exploit-proof is a pipe dream. But if we apply the ideas of herd immunity, we can see that the goal never was absolute immunization. Instead, it would suffice to balance the equation in such a way that cyber crime is an untenable career.
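The threshold idea from the “What is herd immunity?” section and the 90%-immune thought experiment above can be run as numbers. This added example (not part of the original post) uses the textbook SIR model from epidemiology: a “disease” with basic reproduction number R0 spreads through a population of devices of which some fraction is already immune (patched, or protected), and the standard herd-immunity threshold is 1 - 1/R0. The population size, R0 and recovery rate are constructed values; the model is a deliberately simple one-step-per-day difference equation, not a forecast.

```python
def herd_immunity_threshold(r0):
    """Fraction of the herd that must be immune before each infection
    produces, on average, fewer than one new infection."""
    return 1.0 - 1.0 / r0


def simulate_outbreak(population, immune_fraction, r0, recovery_rate=0.1,
                      steps=200, seed_infected=10):
    """Discrete SIR model, one step per day.

    population      total number of devices (constructed)
    immune_fraction share already immune before the outbreak starts
    r0              new infections per infected device in a fully
                    susceptible herd; beta = r0 * recovery_rate
    Returns the peak number infected at once, the total number newly
    infected over the run, and how many susceptibles were left.
    """
    gamma = recovery_rate
    beta = r0 * gamma
    susceptible = population * (1.0 - immune_fraction) - seed_infected
    infected = float(seed_infected)
    recovered = population * immune_fraction
    peak = infected
    total_new = 0.0
    for _ in range(steps):
        # Each infected device meets beta others per day; only contacts
        # with susceptible devices (share susceptible/population) spread it.
        new_infections = beta * susceptible * infected / population
        newly_recovered = gamma * infected
        susceptible -= new_infections
        infected += new_infections - newly_recovered
        recovered += newly_recovered
        total_new += new_infections
        peak = max(peak, infected)
    return {"peak": peak, "total_new": total_new, "final_susceptible": susceptible}


if __name__ == "__main__":
    R0 = 3.0
    print("threshold for R0=%.1f: %.1f%% immune" % (R0, 100 * herd_immunity_threshold(R0)))
    for immune in (0.2, 0.5, 0.8):
        result = simulate_outbreak(1000, immune, R0)
        print("%3.0f%% immune -> peak %6.1f, total new %6.1f"
              % (100 * immune, result["peak"], result["total_new"]))
```

With R0 = 3 the threshold is two thirds: at 20% immune the constructed outbreak grows to a peak well above the seed, while at 80% immune the count of infected devices falls from the very first step and the ten seeds produce only a handful of further infections before dying out, which is the “untenable career” point the post makes in words.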

The question then becomes how to make a life of cyber crime unappetizing.

Washing our hands of accountability

There is more to public health epidemiology than distributing vaccines until we pass thresholds.

Consider the signs hanging in bathrooms all around the nation urging people to wash their hands. Spend one winter on a college campus and you’re sure to see plenty of warnings posted about hand washing, sneezing etiquette, and more. Over television and radio we receive public service announcements outlining precautions against the common cold and announcing schedules for flu shot season. Unfortunately, cyber security has no such mass public effort.


Often, the only groups preaching cyber health gospel are organizations that sell cyber security products or the creators of targeted software. This raises a question: where would we be if public awareness campaigns for cyber security were as prevalent as those for physical well-being?

Imagine strolling down a corridor and spotting a sign on the wall asking “Have you updated your firmware yet?”

Imagine a world in which school children were taught about phishing alongside the practice of covering their mouth when they cough.

Imagine if the end of every fiscal quarter heralded radio airtime dedicated to the whens, whys, and hows of data backup.

We may one day consider it myopic that mankind did not charge into the age of information on the wings of federally-funded education and information campaigns. The facts bear out that there is no such public health campaign for our cyber well-being. The onus for protecting our networks rests in our own hands. Despite a mirage of isolation, we find ourselves in a constantly more connected community.

A herd.

Firewalls.com continues to push for a larger umbrella of security for the Internet community not only because it benefits our own security, but that of the entire herd. Everyone has a stake in the outcome of this struggle. Encourage a culture of cyber security in your workplace. Host open discussions about Internet safety measures. Ensure that policies are in place and understood by employees.

While we do not all possess the skills and knowledge to be soldiers in a cyber crime war, we can take steps to provide the herd with a robust profile of immunization.

Whether you’re an organization of three employees or three thousand, you have joined a pool of potential victims. Firewalls.com has the expertise to make that pool a little shallower. Whether it be endpoint security suites, physical appliances, or managed services, cyber security solution providers want to guide you to the vaccines and best practices that simultaneously protect your organization and deny the bad guys another attack vector.

FIND YOUR NETWORK SECURITY PRODUCTS & SERVICES


The History of Orpheus’ Lyre: A tale as old as time, a vuln as old as Windows

The world of cyber security and classic Hellenistic Greece are colliding. We are speaking, of course, about the Orpheus’ Lyre security hole making rounds in security news. We’re sounding the Gjallarhorn in hopes that you’ll join us down in the info sec underworld as we discover what three-headed dogs, Thrace, and the granddaddy of the modern guitar have in common with your network.

Setting the Stage – the Classical Age

Orpheus – First mentioned by a sixth-century epic poet named Ibycus and later made famous by Theban lyric poet Pindar, Orpheus is an epic hero popular in ancient Greek myth. Orpheus is known as a legendary musician with the ability to trick, persuade, and charm his way around obstacles thanks to his supernatural lyre playing. The lyre, which is how the ancient Romans played Wonderwall at insulae parties, is a predecessor of the guitar often mistaken for a harp.

The most famous story of Orpheus is that of rescuing his wife, Eurydice, from the underworld. When Eurydice is attacked by a satyr (mischievous goat-man played by Danny DeVito in Disney’s “Hercules”), she falls into a pit of vipers, is bitten on the heel, and succumbs to their venom. Stricken with grief, Orpheus plays a song so mournful that the gods themselves are moved to tears. They offer him advice: descend into the underworld yourself and strike a deal to get Eurydice back. Orpheus descends into the underworld, soon finding himself face-to-face with the ferocious Cerberus, guardian of the gates into the underworld. Orpheus tames Cerberus with some hot lyre riffs and snags an appointment with Hades, lord of the underworld, to successfully negotiate the return of Eurydice to the world of the living. Unfortunately, the tale takes a turn south from there, with Orpheus falling for the classic religious no-no of “looking behind you” while fleeing. Because he peeks back over his shoulder during their exit from the underworld despite clear warning from Hades, Eurydice vanishes forever. Orpheus is later torn apart by a wandering band of vicious feral women upset by Orpheus snubbing their favored rock n roll god.

Cerberus – The hound of hell, three-headed guardian of the underworld, son of Tartarus-bound Typhon and Echidna. Cerberus has made cameos in “Harry Potter & the Philosopher’s Stone”, several Disney movies, and most every RPG game with a summoning system. This tri-skulled canine is among the most prominent icons for gatekeeping and security around. In the legends of Orpheus, Cerberus succumbs to the honey-sweet grooves of a lyre to allow the legendary musician to pass where countless others had failed.

Heimdallr – Heimdallr and his namesake are only peripheral references in our story, so let’s make this quick. Heimdallr is a Norse god that carries a giant horn, Gjallarhorn, and is said to be an ever-vigilant sentry watching for the inevitable approach of Ragnarok, which is like a Rammstein music video version of the apocalypse.

Setting the Stage – The Information Age

Orpheus’ Lyre – Orpheus’ Lyre is the name given to a vulnerability in how some implementations of the Kerberos network security protocol handle a reply from the Kerberos server. It was disclosed in July 2017 and affects the Heimdal implementation (CVE-2017-11103) as well as Microsoft’s own implementation in Windows (CVE-2017-8495). A fix for the Windows side shipped with the July 2017 Windows security updates.

Kerberos – Kerberos is a security protocol that dates back to MIT’s Project Athena in the 1980s and has been the default authentication protocol for Windows domains since Windows 2000. Kerberos is a “ticket” system in terms of security. Rather than exchanging unique credentials with each of the several servers you may request access to, a central authority (the Key Distribution Center, or KDC) hands out “service tickets” that come pre-written with encrypted data detailing which server you requested access to, how long your authentication is valid, a session key, and more. Think of the KDC as the box office at the movie theater and each server as the usher whose only job is to tear off your ticket stub. You could buy your movie tickets at the will-call desk, on Fandango, or from the sketchy guy out front who for some reason has 60 extra tickets to “The Emoji Movie.” But if you want into a screening room (server), the usher at the door has to check your ticket, and the ticket has to say which screening it is for.

Heimdal – Heimdal is one of the two major open-source implementations of Kerberos; the other, MIT Kerberos, is developed by the Massachusetts Institute of Technology. Windows uses neither: Microsoft ships its own Kerberos implementation, which is what the July 2017 Windows security patch fixed. Heimdal is used by Apple’s macOS, by Samba builds that are compiled against it, and by several other operating systems and products. Orpheus’ Lyre was found in Heimdal and, independently, in Microsoft’s implementation; MIT Kerberos does not have the bug. Heimdal 7.4 contains the fix, and Apple’s July 2017 macOS security update picked it up, so if you run Heimdal-based software, check that it has been updated.

How does it work?

Great, so some security researchers came up with a clever pet name for their finding. What does this thing actually do?

Keep the box-office analogy in mind, and picture each ticket as an opaque envelope: the session key and the other details inside are encrypted so that only the intended parties can read them. When a client asks the KDC for a ticket to a particular server, the reply it gets back (the KDC-REP) actually carries the name of that server twice. One copy sits inside the part of the reply that is encrypted under the client’s own key, so nobody on the wire can tamper with it. The other copy is written on the outside of the ticket in plain text, where anyone who can intercept the reply can rewrite it.

The protocol intends the client to trust only the encrypted copy. The Orpheus’ Lyre flaw is that the affected implementations read the server name off the outside of the envelope instead. An attacker sitting between the client and the KDC who also holds the key of some other service principal in the realm (a host they already control, say) can hand the client a ticket for that other service with its outside relabeled as the server the client actually asked for. The client accepts it, the attacker opens the ticket with the key they hold and learns the session key, and from then on they can play the part of the server the client thinks it is talking to. Mutual authentication is bypassed, and whatever the client sends to that server goes to the attacker instead. In short, Kerberos gave the client two copies of the same data, one that cannot be modified and one that can, and the vulnerable code chose the one the attacker can modify.

So you ask the box office for a ticket to “Dunkirk” at 8:30. Someone standing between you and the window changes your order to “The Emoji Movie” at 8:00, a screening they happen to run themselves, then grabs a pen and writes “Dunkirk, 8:30” on the outside of the envelope before handing it to you. The vulnerable client only reads the scribble on the outside, so you stroll confidently into the wrong screening room believing it is the right one, and the person running it gets to see and hear everything you do inside.

Or, to carry the theme of Greek mythology, Orpheus descends into the underworld and charms Cerberus, the hell hound, with his magical lyre and is free to traipse around the land of the dead at his leisure.
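To make the two copies of the server name concrete, here is a small Python model of the exchange. It is an added illustration, not code from Heimdal, Microsoft, or the original post: the cipher is a toy encrypt-then-MAC stand-in for the real Kerberos encryption types, the field names and layout are simplified, and the scenario in `run_scenario` (an on-path attacker, here “Mallory”, who holds the key of her own service principal and rewrites the client’s request) is constructed for the example. `client_vulnerable` reads the service name off the plaintext ticket the way the affected implementations did; `client_fixed` trusts only the copy sealed under the client’s key and rejects the reply when the two copies disagree.

```python
"""Toy model of the Orpheus' Lyre client-side flaw.

Added illustration, not Heimdal or Windows code. The KDC reply carries the
service name twice: once on the plaintext Ticket (unauthenticated) and once
in the part encrypted under the client's key (authenticated). A client that
trusts the plaintext copy can be handed a ticket for a service the attacker
controls, relabeled as the service it asked for.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

SEP = b"\x00"  # separates sname from the session key inside the sealed part


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Hash-based keystream; a stand-in for the real Kerberos enctypes.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag (not for real use)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then unmask; raises if the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Ticket:
    sname: str       # plaintext: anyone on the path can rewrite it
    enc_part: bytes  # session key, sealed under the *service's* key


@dataclass
class KdcRep:
    ticket: Ticket
    enc_part: bytes  # sname + session key, sealed under the *client's* key


def kdc_issue(client_key: bytes, service_keys: dict, sname: str) -> KdcRep:
    """KDC side: mint a session key and write sname into both places."""
    session_key = os.urandom(16)
    ticket = Ticket(sname, encrypt(service_keys[sname], session_key))
    return KdcRep(ticket, encrypt(client_key, sname.encode() + SEP + session_key))


def client_vulnerable(client_key: bytes, rep: KdcRep, wanted: str):
    """Pre-fix behaviour: the service name is read off the plaintext Ticket."""
    _, session_key = decrypt(client_key, rep.enc_part).split(SEP, 1)
    if rep.ticket.sname != wanted:
        raise ValueError("wrong service")
    return rep.ticket.sname, session_key


def client_fixed(client_key: bytes, rep: KdcRep, wanted: str):
    """Post-fix behaviour: only the sealed copy is trusted, and the plaintext
    copy must agree with it."""
    sname_bytes, session_key = decrypt(client_key, rep.enc_part).split(SEP, 1)
    sname = sname_bytes.decode()
    if sname != wanted or rep.ticket.sname != sname:
        raise ValueError("service name mismatch: possible ticket substitution")
    return sname, session_key


def run_scenario() -> dict:
    """Constructed scenario: Mallory sits between the client and the KDC and
    holds the key of her own service principal, host/mallory."""
    client_key = os.urandom(32)
    service_keys = {"host/fileserver": os.urandom(32), "host/mallory": os.urandom(32)}
    wanted = "host/fileserver"

    # 1. The client asks for fileserver; Mallory rewrites the request to her service.
    rep = kdc_issue(client_key, service_keys, "host/mallory")
    # 2. On the way back she relabels the plaintext Ticket as fileserver.
    rep.ticket.sname = wanted

    result = {}
    sname, key = client_vulnerable(client_key, rep, wanted)
    result["vulnerable_accepted"] = sname == wanted
    # 3. Mallory opens the ticket with her own key and learns the session key,
    #    so she can answer the client as if she were fileserver.
    result["attacker_has_session_key"] = (
        decrypt(service_keys["host/mallory"], rep.ticket.enc_part) == key
    )
    try:
        client_fixed(client_key, rep, wanted)
        result["fixed_rejected"] = False
    except ValueError:
        result["fixed_rejected"] = True
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The fix is the single comparison in `client_fixed`: take the name from the sealed part, and refuse the reply if the plaintext label disagrees with it. Nothing about the cipher changes; the bug was purely about which copy of the data the client chose to believe.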

How do we keep Orpheus and his Lyre out?

Luckily, the vendors have done most of the leg work for you. The Windows July 2017 security updates carry the fix for Microsoft’s implementation (CVE-2017-8495). On the Heimdal side, Heimdal 7.4 fixes CVE-2017-11103, Apple’s July 2017 macOS security update includes that fix, and Samba builds that use Heimdal need updating as well. MIT Kerberos does not have the bug, so there is nothing to patch there. A quick check on a Heimdal host is `kinit --version`, which should report 7.4 or later. As long as you are a good cyber security warrior and keep your security patches current, you should be fine!



Secrets of the Mysterious & Ubiquitous Internet of Things

Without peeking, tell me the number of Internet-connected devices in the room with you. How about in the whole building? In 2017, it’s likely that the building itself is connected to the Internet. Whether it be through mobile-controlled thermostats, security cameras, or the traffic lights right outside your window, you live in a reality in which an Internet-capable device is likely within a few steps of you at any given time. This is the Internet of Things. And while the name doesn’t seem all that inspired (the term was coined by Kevin Ashton of MIT’s Auto-ID Center in 1999), it describes a nebulous world of Wi-Fi, RFID, and embedded firmware that affects just about every transaction and interaction throughout your day.

As years pass, the Internet of Things grows. When an app is launched allowing you to refill your dog’s food bowl while you’re at the office, the Internet of Things grows. When cutting-edge garden tech allows you to water your herbs from halfway around the globe, the Internet of Things grows.

It is important to understand, though, that the IoT is not Skynet biding its time to build a cyberspace army. The IoT is used to automate inventory and improve communications between people. It assists in search and rescue operations and monitors heart implants. Nonetheless, for all of the good that the IoT is capable of, it nurtures growing security risks as well.

So What is the Internet of Things?

The Internet of Things is an umbrella term describing the vast array of Internet-accessing devices that we interact with on a daily basis. This includes mobile devices, vehicles, buildings, thermostats, home appliances, street cameras, air purifiers, refrigerators, children’s toys, and much more. Objects that pair sensors, software, or microchips with something physical are known as cyber-physical systems and are likely to fall under the IoT umbrella. The concept is hard to wrap your head around because it reaches across every industry and every channel one could imagine.

The great fear in the cyber security world in regards to the IoT is that an attacker can remotely access and control these devices over the network, and from a compromised device reach everything else that shares that network.

Welcome Aboard: An IoT Metaphor

Let’s picture the Internet of Things as a cruise liner. The klaxons sound in response to an engine room breach (in the case of the IoT, a hacker; in the case of our cruise liner, a hole in the hull) and the crew begin to combat the leak.

Water-tight hatches are sealed between various compartments of the ship, ensuring that water coming in through the engine room is unable to spread into neighboring compartments. However, in our IoT analogy, there’s an open pipe running from the engine room to the officers’ quarters because the sailors requested soda fountains. Another pipe runs from the engine room to the storage compartments because water is needed to humidify the air. A third set of pipes runs between the engine room and the ballast compartments for regulating buoyancy. Even though the maintenance team has sealed off all the main hatches between compartments, the leak continues to spread through the innumerable channels made possible by the demands of the crew.

Issues of IoT Vulnerability in the Real World

  • FBI Announcement for IoT Toys – On Monday, July 17, 2017, the Federal Bureau of Investigation issued a consumer notice to parents warning them of the threats associated with Internet-connected toys. As interactive toys grow in popularity, toys are being made with sensors, microchips, data storage, microphones, cameras, and more. The FBI warns that the data such toys collect and transmit (recorded conversations, location, names) may be used to compromise the privacy and safety of children. The FBI published the notice as a Public Service Announcement.
  • IoT Security is Expensive – The costs associated with IoT security are rapidly growing to keep pace with the sheer size of the Internet of Things and the ripe potential for bad guys to exploit it. According to a white paper published by Altman Vilandrie & Co., the IoT is projected to encompass 18,000,000,000 devices by 2022. That’s more than double the number of human beings on the planet. Altman Vilandrie also estimated that spending on IoT security will outgrow spending on “traditional” cyber security at a rate of nearly two and a half times.
  • Passenger Drones Over Dubai – And the award for “Most Terrifying Place to Learn About IoT Breaches” goes to… the inside of a passenger drone hovering hundreds of feet above the ground. Dubai has announced its intention to implement passenger-carrying quadcopters as exasperatingly luxurious taxis in the summer of 2018. Passengers will have no manual controls, relying instead on Internet-connected GPS to deliver them at their destination. Keep an eye out for this new cyber security threat to become a special effects whirlwind shoehorned into the next James Bond film!

Optimizing Security for the IoT

  • Disable UPnP – Many firewalls and routers ship with a feature known as Universal Plug and Play (UPnP) turned on. It lets any device on your network ask the router to open an inbound port for it, with no authentication, which is convenient for a game console and dangerous for a compromised camera or thermostat: malware on the device can expose it, and anything it wants to relay, directly to the Internet. Once your appliances are set up and working, disable UPnP on the router and firewall. Learn more about UPnP from our friends at Sophos.
  • Strengthen Your Passwords – Yes, this is the same advice we give to those seeking to optimize their more traditional cyber security. However, the IoT brings its own complications in this arena: many devices ship with a vendor default password that is identical on every unit, and some only offer a numpad and ask for a 4-digit PIN, which limits how strong a secret you can set. Change every default before the device goes online, give each device its own unique password (or the longest PIN it allows), and keep them in a password manager. Yes, it means more passwords to keep track of, but it means one breached gadget does not unlock the rest.
  • Patch Your Firmware – Wow, I think we’ve heard this one before too! Again we cannot stress enough the importance of keeping your security patches and firmware up to date. Dissect most major cyber attacks and you will discover over and over that the victims cluster among those who shrugged and ignored the latest updates. In the IoT world the update is often buried in a vendor app or only available as a download from the vendor’s site, so check for it deliberately rather than waiting to be prompted.
  • Segregate IoT Devices onto Your Guest Network – Many businesses now provide guest networks that remain strictly separate from their private network. Doing so provides the peace of mind that some schmuck on the street isn’t going to walk into your lobby, connect to your wireless network, and spread his nasty bugs around your system. Quarantine as many IoT devices as possible onto that guest network (or, better, onto a dedicated VLAN with no route to your servers and workstations). This way, if a device is breached, your most precious data is out of its reach.

The cyber security industry absolutely buzzes with excitement, anxiety, and doubt when the discussion turns to the Internet of Things. It is an explosive matter. The IoT will continue to grow. Its ability to make our lives more convenient and connected will continue to grow. So too will the threats and vulnerabilities that it represents. Expect to see high-profile news stories revolving around Internet-connected objects and expect to see your budget in this area balloon as the IoT expands. From cars to toys to cameras, every industry and interest contributes to the ever-expanding galaxy that is the Internet of Things.

Firewalls.com is a value-added reseller of firewall appliances & a vendor of managed security and Firewall-as-a-Service support. Our engineers are rigorously trained and certified by all of the major manufacturers that we partner with. Whether you’re looking to add an appliance to your security set-up or seek ongoing support from seasoned experts, we can provide the security solutions necessary to get you secure and keep you secure. Contact one of our knowledgeable sales staff to answer any questions you may have about your network, our firewalls, or the Internet of Things!


The Holistic Approach to Cyber Security: A magical concept, but what does it look like?

If you’re reading this, chances are you spend a good chunk of your time keeping up with the latest news and opinions in the world of cyber security. And if that supposition is true, there’s also a strong chance that you’ve run across the concept of the “holistic approach” to cyber security culture already. In fact, headlines containing this phrase have been popping up like weeds everywhere info sec content grows. We sincerely hope that you’re not writing it off as another trendy platitude to sell endpoint protection.

The holistic cyber security approach is an idea that deserves discussion. It can be difficult though to glean some visualization clues as to what this holistic approach means beyond connotations of healing crystals and chakra therapy. What exactly would a holistic approach to cyber security look like in practice?

It may be prudent to first examine why this shift in ideology is emerging. First I’ll issue a warning: the following answer may be too cynical for readers that are faint of heart.

The truth is, we’ve been fighting the bad guys for over a decade and are no closer to “winning” the war than when it started. Don’t get me wrong, we have always put up a hell of a fight but even Sisyphus stops celebrating when he crests his thousandth summit. Daily, millions of network architects, security engineers, programmers, pen testers, and more are engaging in noble work and boasting massive strides in the protection of your data. New security layers are being added, threat signatures are being documented, and packet scrutiny is intensifying. But the bad guys are at their battle stations too. Every new feature or program unveiled is accompanied by its own unique slew of exploits. Let me be clear: this is a never-ending battle.

Cyber attackers are finding these pursuits are clearly worth their time and effort. You don’t have to dig very far into our previous blog posts to be reminded of the glaring statistical evidence that ransomware attacks are increasing at an extreme rate. High-profile attacks such as WannaCry and Petya are making regular appearances in an already overwrought news cycle. As serious as these staggering trends are, though, the concept of the holistic approach did not emerge solely in response to highly publicized attacks or to surges in certain species of malware. In fact, nothing specifically birthed any new ideology in cyber security because the “holistic approach” is nothing new. It is, at best, a rebranding. A repackaging of the same advice that the info sec community has been preaching for years: train your staff to identify threats, patch your system often, secure your most sensitive data.

The fact of the matter is the anatomy of a cyber attack has not changed much over the last few years. Someone in the office clicked something they shouldn’t have, they hesitated in reporting it in fear of repercussions, your security patches just never got around to being installed, and no one’s been accountable for data backups since Nelly was putting out new albums.

Perhaps I am giving away the golden-egg-laying goose for info sec bloggers, but the holistic approach to cybersecurity is nothing more than fresh phrasing for the need of a cyber safety culture in the workplace. Dirty secrets aside, there are still pertinent lessons to be learned. Whether you consider this cutting-edge insight or a refresher course, let’s dissect what the holistic approach to cyber security looks like in practice.

Striking a Balance Between Efficiency & Security

We live in a dangerous world. In our virtual lives, we must remain vigilant in guarding our identities and data. In our real lives, we worry over crime and random misfortune. An ever-present aspect of our fight for safety rests on the delicate scales balancing security on one side and efficiency on the other. Certainly we could be 100% secure if each email and document entering our network was personally read and reviewed by a network engineer before getting the thumbs up or down. Unfortunately, this would eat up a lot of time and a lot of labor. Your employees can’t sit around half the day while necessary emails trickle through the gateway. Likewise, it would be super efficient to hand over admin credentials to every employee, contractor, and vendor on your payroll so that they can help themselves to whatever resources are needed to get the job done. Somewhere in the middle, a balance must be struck. I may be biased here, but I encourage you to err on the side of security over productivity.

You’re On the Crew, Like It or Not

If your employer has a computer on property, guess what: you’re part of the cyber security team! Whether you’re the sys admin or the janitor, everyone has a role to play. Empower and educate your employees at all levels in the basic habits most likely to prevent a breach. Email security best practices should not be optional curriculum for new hires or annual retraining.

What Is Governance Anyway?

Cyber security governance is a hefty phrase that could do with unpacking. In this case, governance is the codified operating procedures in place to manage and enforce cyber security in the workplace. This is the infrastructure behind the lectures. The bite behind the bark. Strong cyber security governance means having accountable parties tasked with monitoring and enforcing info sec protocol. It includes having clear, concise rules outlined in employee manuals. It includes real, visible consequences for flagrant disregard of those rules. Cyber security governance is corporate speak for a company walking the walk of cyber security instead of just talking the talk. If an employee unwittingly allows a threat onto the network because they’re unaware of the procedures that could have prevented it, you share the blame.

With Our Powers Combined..


Technical! Physical! Human! Okay, maybe this dream team of cyber security assets isn’t quite as screen-ready as Captain Planet’s squad, but it gets the job done. Another aspect of the holistic approach is a widening of your cyber security scope beyond UTMs. Having the most secure network money can buy will amount to nothing if the bad guys walk into your unlocked server closet, unplug your appliances, and jet. Or worse yet, you may find yourself in a Scooby Doo situation wherein unmasking the bad guy reveals someone assumed to be on your side. Insider attacks are a growing concern across industries of all shapes and sizes.

Whether it’s malicious insider attacks or just gullible Dave in Accounting responding to a phishing scam, human beings are much more likely than technological assets to be the wrench in your cyber security gears. A holistic approach incorporates staff training to combat social engineering as well as physical security measures to secure your hardware from break-ins.

Your company will face a cyber attack one day. The threat of ransomware has graduated from worrisome to inevitable. In the second quarter of 2017, UK businesses experienced an average of 105 breach attempts per day. A holistic approach, a culture of cyber security, a security awareness mentality, Uncle Admin’s Special Funtime No-No’s: you can call it whatever you dream up so long as you actually implement the pillars of breach prevention. Only when we all get on the same page and work towards a common goal will the dream of vanquishing the bad guys be possible. I encourage you to put me out of a job. If a ransomware attack is never again recorded in the info sec archives, Firewalls.com would be thrilled. Sure, we’d have to hang up our lucky engineering pants, but we could always go make mobile games or something. Unfortunately this dream world does not yet exist. Until then, we’ll do our part in the fight.
