Why your company needs to have a network and infrastructure assessment

Many times, we have been contacted by companies that want us to ‘replace our hypervisor infrastructure’ or ‘update our server infrastructure’ because of perceived issues in performance or user experience. Unfortunately, by bypassing the critical step of a full network and infrastructure assessment, companies miss out on identifying the root cause of their security and network performance issues.

Do you know all your infrastructure assets and what bandwidth they are using?

Which critical infrastructure is no longer under warranty or service support?

How much traffic is traversing your branch office internet connection?

Network and infrastructure assessments are not a one-time process. Having fresh insight into your network and its potential bottlenecks and security issues brings peace of mind to any IT Manager, CIO and CSO.

Having our team identify and rank your organization’s pain points gives you the tools to apply budget appropriately and meet the growing demand of your company’s IT needs.

Covid has changed the way we use the Internet at home

A recent article in the NY Times highlighted the fact that, as we sheltered at home, we moved away from our phones as the primary mode of interacting with content on the internet. In addition, there has been a huge increase in the use of video chat, including Zoom, Google Classroom and Microsoft Teams, as we look for ways to perform the face-to-face interactions that we took for granted in our day-to-day lives and work environments.

Working from home has changed many companies’ employee interactions, with a high reliance on the tools that allow them to do their jobs while still being home to take care of children who are also learning remotely. As a Managed Service Provider, we have been hard pressed to assist our clients in expanding the availability of remote access to critical software tools stuck at their corporate offices and co-location facilities. Companies that readily integrated cloud services, such as Office 365, Google Suite and Egnyte, have fared better and been more easily able to transition to this difficult, distributed workforce.

If your company has not thought about how it is going to support its home-workers, it is a good time to evaluate the services of a good Managed Service Provider that can help you create a strategic plan to provide, maintain and support services for your remote teams. The home environment adds other security issues as well, with unknown firewalls, Wi-Fi and IoT devices with potential access to your company’s data.

If your company is in search of good advice, we’re here to help in the San Francisco Bay Area as well as the Anchorage Metro.


Zero-Day vulnerability in iTunes and iCloud Apps on Windows PCs allowed ransomware to be installed

A vulnerability in the Bonjour component in both iTunes and iCloud for Windows was exploited to install malicious applications.  Apple has released a patch update for iTunes 12.10.1 and iCloud 7.14, so PC users should check that they have both updates installed.

The worst part of this issue is that no anti-virus will catch it, since the actions were performed by a signed Apple application and therefore flagged as OK. In addition, uninstalling via the iTunes uninstaller doesn’t automatically remove Bonjour, leaving your PC vulnerable even after you have uninstalled the application.

The primary vehicle for the ransomware exploit is called BitPaymer.

This is a good reminder that updating third-party applications is a critical component of a broad-based security posture.


Windows 7 end of support January 20th, 2020

Yes, another article on the end of support for Windows 7.

We’re now in June, and there is limited time to plan your workstation upgrades and work with your software vendors to upgrade your servers to Windows Server 2016 or 2019.

Workstation roll-outs: If your business is still running Windows 7, now, really now, is the time to start placing those orders for new equipment.

The old way was to have your own image to write over the OEM image on the new desktop or laptop.

  • 10-30 users – just plan on manual deployment
  • 30-500 users, and an Office 365 Azure Active Directory Premium customer – you might benefit from Microsoft Autopilot.
    • Cloud based
    • Zero Touch
      • After profile configuration
    • Direct shipment from the manufacturer (Acer, Dell, HP, Lenovo, Panasonic, Microsoft Surface and Toshiba)

What Microsoft has done is really cool and helps companies simplify the roll-out of new devices, no matter what network they connect to.

You have granular control of what the end user sees when they first log on to the device.

  • End-user license agreement (EULA): (Windows 10, version 1709 or later) Choose if you want to show the EULA to users.
  • Privacy settings: Choose if you want to show privacy settings to users.
  • Hide change account options (requires Windows 10, version 1809 or later)
  • User account type: Choose the user’s account type (Administrator or Standard user).
  • Allow White Glove OOBE
  • Apply device name template: Choose Yes to create a template to use when naming a device during enrollment. Names must be 15 characters or less, and can have letters, numbers, and hyphens. Names can’t be all numbers. Use the %SERIAL% macro to add a hardware-specific serial number. Or, use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add.
  • Language (Region)*: Choose the language to use for the device. This option is only available if you chose Self-deploying for Deployment mode.
  • Automatically configure keyboard*: If a Language (Region) is selected, choose Yes to skip the keyboard selection page. This option is only available if you chose Self-deploying for Deployment mode.
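As an added example (not Microsoft’s code or part of the original post), here is a small Python check that expands an Autopilot device name template with the %SERIAL% and %RAND:x% macros and validates the result against the naming rules quoted above, so a template can be tested against a batch of serial numbers before devices ship. The template, hostnames and serials are constructed for the example.

```python
import re
import secrets

# Rules quoted in the Autopilot profile list above: 15 characters or less,
# letters, numbers and hyphens only, and not all numbers.
MAX_LEN = 15
_ALLOWED = re.compile(r"^[A-Za-z0-9-]+$")
_RAND = re.compile(r"%RAND:(\d+)%")


def expand_template(template, serial, rand_digits=None):
    """Expand %SERIAL% and %RAND:x% in a device name template.

    rand_digits lets a caller supply a fixed digit string (handy for checking
    the longest name a template can produce); otherwise x random digits are drawn.
    """
    def _rand(match):
        n = int(match.group(1))
        if rand_digits is not None:
            return rand_digits[:n].ljust(n, "0")
        return "".join(str(secrets.randbelow(10)) for _ in range(n))

    return _RAND.sub(_rand, template.replace("%SERIAL%", serial))


def validate_name(name):
    """Return (ok, reason) for a fully expanded device name."""
    if len(name) > MAX_LEN:
        return False, f"{len(name)} characters exceeds {MAX_LEN}"
    if not _ALLOWED.match(name):
        return False, "only letters, numbers and hyphens are allowed"
    if name.isdigit():
        return False, "name cannot be all numbers"
    return True, "ok"


def check_template(template, serials):
    """Expand a template against a batch of serials and validate each result.

    Random digits are pinned so the check is repeatable; the length and
    character rules do not depend on which digits are drawn.
    """
    return {s: validate_name(expand_template(template, s, rand_digits="9" * 32))
            for s in serials}


if __name__ == "__main__":
    # Constructed sample serials: a typical 7-character tag, one with a space
    # (seen on some OEM labels) and one long enough to push past 15 characters.
    for serial, (ok, why) in check_template(
            "FORTE-%SERIAL%", ["ABC1234", "AB C123", "ABCDEFGHIJKLMN"]).items():
        print(f"{serial!r}: {'ok' if ok else 'REJECT'} ({why})")
```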

So, if you are a corporate customer with Office 365, work with your solution provider to add Office 365 Azure Active Directory Premium services to simplify your Windows 10 deployment options.


Is your business paying attention to cyber-security?

There are many resources available to help your IT team or outsourced partner meet some of the basic policies to protect your business: a network with a firewall, encrypting data, cyber-security insurance and next-generation AI endpoint protection.

But despite these options, over a third of organizations still admit they are unprepared for cyber attacks, according to eSecurity Planet’s 2019 State of IT Security survey.

Some questions to ask your IT service provider:

  • Do we perform penetration testing?
  • Do we perform phishing email response testing and education?
  • Do we perform threat hunting? (are we already compromised?)
  • How often do we review our cyber-security preparedness?
  • How quickly could we recover critical data from a backup in case of a crypto virus?

But you may be thinking, I’m a small business and not a target for any cyber-security issues. Unfortunately, especially with phishing, your data might be a target due to the lack of formal education to help your users make good decisions when they receive a phishing email.

It is also a good idea to have a professional IT consultant review your Microsoft Office 365 tenant for security best practices.


SamSam Ransomware

On December 3, the FBI and Department of Homeland Security (DHS) issued an alert for SamSam ransomware, also known as MSIL/SAMAS.A, after identifying certain cyber threat actors using the ransomware to target industries in the US.

SamSam Ransomware: How it Works

As explained in the DHS alert, the SamSam actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to earlier reports, this is done by:

  • The cyber actors using the JexBoss Exploit Kit to access vulnerable JBoss applications
  • The cyber actors using Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks

After gaining access to a particular network—typically through brute force attacks or stolen login credentials—the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization.

Detecting RDP intrusions can be challenging because the malware enters through an approved access point. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Protecting Against SamSam Ransomware

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems and mitigate the risk of SamSam ransomware infection:

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good backup strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
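The alert above asks for RDP logins to be logged and reviewed to detect intrusion attempts. As an added example (not from the DHS/FBI alert), the following Python flags the brute-force pattern described in the SamSam section over a constructed sample of Windows Security events: a run of failed RDP logons (Event ID 4625, logon type 10) from one source followed by a success (Event ID 4624) from the same source. The sample events, threshold and window are all made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events reduced to the fields the check
# needs: timestamp, EventID, LogonType, source IP, account.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2018-12-03T02:14:07Z,4625,10,203.0.113.45,administrator
2018-12-03T02:14:09Z,4625,10,203.0.113.45,administrator
2018-12-03T02:14:11Z,4625,10,203.0.113.45,admin
2018-12-03T02:14:13Z,4625,10,203.0.113.45,backup
2018-12-03T02:14:15Z,4625,10,203.0.113.45,administrator
2018-12-03T02:14:20Z,4624,10,203.0.113.45,backup
2018-12-03T08:00:00Z,4625,10,10.0.0.25,jsmith
2018-12-03T08:00:30Z,4624,10,10.0.0.25,jsmith
2018-12-03T08:05:00Z,4625,2,10.0.0.25,jsmith
"""

FAIL_THRESHOLD = 5             # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window count as brute force


def parse_events(text):
    """Parse the comma-separated sample into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings: sources that reach the failure threshold inside the window,
    and any RDP success from a source that had already been flagged."""
    findings = []
    recent = defaultdict(deque)   # src -> timestamps of recent RDP failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue              # only RDP (RemoteInteractive) logons matter here
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop failures older than the window
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                findings.append(("bruteforce", ev["src"], len(q)))
        elif ev["event_id"] == 4624 and ev["src"] in flagged:
            findings.append(("success_after_bruteforce", ev["src"], ev["account"]))
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

A single failed logon followed by a success from an internal address (the jsmith lines) is not flagged, which is the kind of noise a review process has to tolerate; tune the threshold and window to your own logon volume.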

Identity Management in the Cloud age

Your business, like many companies, has adopted several cloud services, where the price and convenience outweighed the higher cost of hosting the application on your own servers. These services, be they email, documents, applications, databases or other collaboration tools, have broken the tightly guarded walled garden that your IT team created behind your firewall and VPNs, allowing access to your company data via additional vectors with varying security controls.

Most of these applications are only protected by one simple permission:  the password.

Data breaches are becoming more and more commonplace. Lost and stolen data has exceeded six billion records in the past few years, an average of over 165,000 records compromised every hour! The related damage is estimated to exceed $6 trillion annually by 2021. The recent Equifax breach, affecting 143 million people (there are only 250 million or so adults in the US), highlights the vulnerability of weak passwords and open data portals.

In order to safeguard our important assets and reduce the risk of breaches, we need to rethink how we approach organizational security.

Access

New technologies, platforms and applications have accelerated the disintegration of the corporate security perimeter, creating a multitude of identities, user names and passwords. This use of cloud computing has increased the trend of enabling employees to access network servers and sensitive information from outside the enterprise. Companies with static perimeter-based security methods (firewalls, VPNs) will have a hard time managing both employee and partner access to critical data while maintaining any semblance of security.

Cyber criminals take aim at identities, from all types of users in your organization, from privileged users to vendors.  They focus on weak passwords and social engineering to achieve their aims.  Nearly two-thirds of all recently confirmed data breaches involved weak, default, or stolen passwords.   In the first quarter of 2016 alone, there were an estimated 6.3 million phishing emails and 93% of all phishing emails contained ransomware.

Consequences

No one is safe. In 2016, Yahoo revealed that the account information for over ONE BILLION consumers, including names, email addresses and encrypted passwords, was compromised by a data breach in 2013.

Dozens of companies experienced major outages when the DNS provider Dyn experienced a severe and extended Denial of Service attack (DDoS).  What was the cause?  Passwords.  Default passwords on millions of Internet of Things (IoT) devices that were hijacked and used together as the Mirai botnet.

Next Stop, Security

How do we protect against breaches in our organizations, with this porous, multi-vendor, cloud-based enterprise? You must be able to adapt to new threats as they emerge. You must be able to incorporate cloud, mobile, IoT and other technologies into a seamless defense, following your users as they work across applications and tools, wherever they are hosted.

Companies must adopt Identity and Access Management (IAM) solutions and practices that significantly reduce the likelihood of a data breach, by enabling secure access to your data from any device, for users inside and outside your organization.

How do we do this?

  • Consolidating identity stores into a single directory
  • Implementing single sign-on
  • Governing access through time-bound and temporary privileged access
  • Automating provisioning and deprovisioning of mobile applications
  • Automatically deprovisioning privileged user access when users leave your organization
  • Eliminating the use of shared administrative accounts and centrally controlling access to shared service accounts
  • Recording all privileged sessions or commands
  • Automating role-based provisioning of applications and infrastructure

Forte can help your company ensure that identities are protected through an integrated solution across applications, devices and infrastructure.

https://www.forte-systems.com/trends/identity-management

Cisco ASA uptime over 200 days? You may need a reboot

This field notice was sent out at the end of last month.
Updated: Mar 30, 2017
Document ID: FN64291

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision: 1.0
Date: 30-MAR-2017
Comment: Initial Public Release

Products Affected

CISCO FIREPOWER 6.1.0.1
CISCO FIREPOWER 6.1.0.2
CISCO FIREPOWER 6.2.0
ASA 9.1.7.11
ASA 9.1.7.12
ASA 9.1.7.13
ASA 9.1.7.15
ASA 9.1.7.9
ASA 9.2.4.15
ASA 9.2.4.17
ASA 9.2.4.18
ASA 9.4.3.11
ASA 9.4.3.12
ASA 9.4.3.6
ASA 9.4.3.8
ASA 9.4.4
ASA 9.4.4.2
ASA 9.5.3
ASA 9.5.3.1
ASA 9.5.3.2
ASA 9.5.3.6
ASA 9.6.2.1
ASA 9.6.2.11
ASA 9.6.2.13
ASA 9.6.2.2
ASA 9.6.2.3
ASA 9.6.2.4
ASA 9.6.2.7
ASA 9.6.3
ASA 9.7.1
ASA 9.7.1.2

Problem Description

All Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) devices that run the affected software versions do not pass network traffic after approximately 213 days 12 hours (~ 5,124 hours) of uptime.

In the near term, immediately reboot the deployed security appliances in order to prevent this issue.

Background

On March 29, 2017 Cisco became aware of an issue that affects all Cisco ASA and Cisco FTD security appliances that run certain versions of software. The affected versions of software cause the security appliance to stop passing network traffic after approximately 213 days 12 hours (~ 5,124 hours) of uptime.

The issue detailed in this Field Notice is not a security vulnerability and there is no associated risk to the integrity of the security appliance.

Problem Symptoms

The Cisco ASA and Cisco FTD security appliances stop passing all network traffic.

Entering the show asp drop command over the console port will indicate that packets are being dropped due to the reason punt-rate-limit-exceeded.

Workaround/Solution

In order to mitigate the risk and impact of the device not passing network traffic, Cisco urges customers to proactively reboot their Cisco ASA and Cisco FTD security appliances that run affected versions of the software.

For customers with failover configurations, it is recommended to reboot the standby devices first, make them active after they complete booting, and then reboot the formerly active devices. Customers with clustering configurations should remove one slave at a time from the cluster, reboot them, and rejoin them until each slave has been rebooted. Then, move the master to one of the rebooted devices and then remove that device from the cluster, reboot it, and then have it rejoin.

The reboot of the security appliance must be performed prior to 213 days 12 hours of uptime. After the reboot, the security appliance avoids an encounter with this issue for another 213 days 12 hours.

Enter the show version | grep up command in order to display the uptime of the security appliance.

The output is shown here:

ciscoasa# show version | grep up
Config file at boot was "startup-config"
ciscoasa up 210 days 11 hours
failover cluster up 210 days 11 hours
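As an added example (not part of the field notice or any Cisco tooling), the following Python parses “show version | grep up” output collected from several appliances and reports how far each one is from the 213 days 12 hours threshold, so the reboots can be scheduled in time. The first sample output mirrors the one shown above; the hostnames, the other two outputs and the one-week warning period are constructed for the example.

```python
import re

# Threshold stated in the field notice: approximately 213 days 12 hours (~5,124 hours).
THRESHOLD_HOURS = 213 * 24 + 12

# "show version | grep up" reports uptime as a run of "<n> <unit>" pairs, e.g.
# "up 210 days 11 hours" or "up 3 hours 22 mins".
_UNIT = re.compile(r"(\d+)\s+(day|hour|min)s?")
_UNIT_HOURS = {"day": 24, "hour": 1, "min": 1 / 60}

# Constructed sample output from three appliances.  The first mirrors the output
# shown above; the hostnames and the other two outputs are made up for this example.
SAMPLE_OUTPUTS = {
    "fw-sfo-01": 'Config file at boot was "startup-config"\n'
                 "ciscoasa up 210 days 11 hours\n"
                 "failover cluster up 210 days 11 hours",
    "fw-anc-01": 'Config file at boot was "startup-config"\n'
                 "fw-anc-01 up 3 days 2 hours",
    "fw-sfo-02": 'Config file at boot was "startup-config"\n'
                 "fw-sfo-02 up 215 days 1 hour",
}


def parse_uptime_hours(output):
    """Return the appliance uptime in hours from 'show version | grep up' output.

    The 'failover cluster up ...' line is skipped: the threshold in the field
    notice applies to each appliance's own uptime.
    """
    for line in output.splitlines():
        if line.startswith("failover cluster") or " up " not in line:
            continue
        parts = _UNIT.findall(line.split(" up ", 1)[1])
        if parts:
            return sum(int(n) * _UNIT_HOURS[unit] for n, unit in parts)
    raise ValueError("no uptime line found in output")


def reboot_plan(outputs, threshold_hours=THRESHOLD_HOURS, warn_hours=7 * 24):
    """Classify each appliance by hours remaining before the threshold.

    'past_threshold': uptime already beyond 213d 12h; expect traffic drops, reboot now.
    'reboot_soon':    within warn_hours of the threshold; schedule the reboot
                      (standby first, then the formerly active unit, as above).
    'ok':             no action needed yet.
    """
    plan = {}
    for name, output in outputs.items():
        remaining = threshold_hours - parse_uptime_hours(output)
        if remaining <= 0:
            status = "past_threshold"
        elif remaining <= warn_hours:
            status = "reboot_soon"
        else:
            status = "ok"
        plan[name] = (status, round(remaining, 1))
    return plan


if __name__ == "__main__":
    for name, (status, remaining) in reboot_plan(SAMPLE_OUTPUTS).items():
        print(f"{name}: {status} ({remaining:+} hours to threshold)")
```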

The device can be rebooted with one of these methods.

For ASA security appliances:
CLI – Enter the reload command in privileged mode.
ASDM GUI – Choose Tools > System Reload.

For FTD security appliances:
CLI – Enter the reboot command in privileged mode.
Firepower Management Center – Choose Devices > Device Management, double-click FTD, then choose the Device tab. In the System section, click the Restart Device icon.

For both ASA and FTD security appliances, a physical power-cycle can be used in order to perform a reboot.

Updated ASA and FTD software versions that address this issue will be published in the coming weeks and will be available from the Cisco Software Download Center.

CDETS

To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.

CDETS: CSCvd78303 (registered customers only)
Description: ARP functions fail after 213 days of uptime, drop with error ‘punt-rate-limit-exceeded’


http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64291.html

Backup versus Business Continuity

Data protection solutions are essential for businesses to implement, regardless of size, industry and geographic location. In this article we discuss the importance of business continuity rather than simply backup.

Introduction

Downtime is real and it’s costly. How costly exactly? Depending on the size of the organization, the cost per hour of downtime is anywhere from $9,000 to $700,000.

On average, a business will lose around $164,000 per hour of downtime.

The numbers speak for themselves. What causes downtime?

  • Network outages and human error account for 50% and 45% of downtime, respectively.
  • Meanwhile, natural disasters account for just 10% of downtime.
  • When you look at the cause of downtime by data volume, the #1 culprit is, once again, human error, at 58%.

Just look at the recent Amazon AWS outage: http://www.geekwire.com/2017/amazon-explains-massive-aws-outage-says-employee-error-took-servers-offline-promises-changes/

As it turns out, businesses should be more wary of their own employees and less of natural disasters. If you’ve been putting off data protection because your organization is located far from any inclement weather, be warned: the bigger threat to your data is inside of your company, not the great outdoors.

What’s at stake?

2.5 quintillion bytes of data are generated daily. And 90% of the total data in existence was created within the past few years, a significant portion of which has been generated by small businesses. Considering all the servers, desktops, and laptops that the typical SMBs manage, it adds up to a lot of data to protect. Yet nearly 75% of SMBs operate without a disaster recovery plan and only 25% are “extremely confident” that they can restore data if it was compromised.

Only 50% of SMBs back up less than 60% of their data. The remaining 40%? No protection for it whatsoever.

How much does this cost? Over the past few years, 35% of SMBs lost as much as $500K due to downtime. An unlucky 3% lost over $1 million.


What to look for in a business continuity solution

To sum up what we’ve learned today, here are some key things to look for when seeking a business continuity solution:

  • Hybrid cloud backup—A hybrid approach fixes the vulnerabilities that cloud-only or local-only approaches possess.
  • Superior RTO and RPO—Think in terms of business continuity rather than simply backup, and calculate how much downtime your business can endure and still survive (RTO) as well as how much data you can afford to lose (RPO).
  • Image-based backup—Make sure that the backup solution takes images of all data and systems rather than simply copying the files.

Forte, in conjunction with our business continuity partner, Datto, can help your company meet its disaster recovery targets, no matter whether your downtime was caused by a hardware failure, ransomware or the inadvertent keystroke of a well-meaning employee.