security

Security Recommendations for all Company Computer Systems - Part 2

LAPS

Implement Microsoft Local Administrator Password Solution

A common practice when running Windows networks is to set the local Administrator account to the same password on every machine. Whilst this makes system administration more convenient, the practice also makes it easier for attackers: once an attacker has compromised one machine, they can obtain the administrator password and then use it to access any other machine on the same network.
The "Local Administrator Password Solution" (LAPS) provides management of local account passwords on domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset.
LAPS removes the shared local account password by setting a random password on each machine. LAPS also mitigates the risk of Pass-the-Hash (PtH) credential replay attacks.

Consider implementing Microsoft LAPS.
https://www.microsoft.com/en-us/download/details.aspx?id=46899

Email Security

SPF (Sender Policy Framework) is a standard that helps reduce spam. Each domain publishes, in a single DNS record, the list of all servers that are allowed to send email for that domain. When an email provider like Gmail sees an email sent from an address @example.com but coming from a server not listed in the SPF record, it knows the email is likely to be spam.

Conversely, it is important to publish such a record so that your own emails are not treated as spam. More and more email providers consider domains without an SPF record more suspicious than others. Even if your domain does not send email, you should still set an SPF record, as this prevents spammers from faking emails from your domain.

Implement DKIM and DMARC to strengthen email security. Deploying both, together with an SPF hard fail (-all), will prevent any third party from sending emails pretending to be from @companydomain. This will prevent spear phishing emails both internally and externally to customers and suppliers.
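The following is an added example, not code from the original post, showing how to check a domain's SPF, DKIM and DMARC records from a Windows host and whether the combination described above (SPF hard fail plus DKIM plus a DMARC reject policy) is actually in place. It uses Resolve-DnsName from the DnsClient module; the DKIM selector name `selector1` and the domain `example.com` are assumptions to replace with your own.

```powershell
# Added example: report the SPF, DKIM and DMARC posture of a domain from a Windows host.
# Uses Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later).
function Test-EmailAuthRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Assumption: the DKIM selector name; 'selector1' is only a common convention
        [string] $DkimSelector = 'selector1'
    )

    # Return the TXT strings published at a name, or nothing if the name does not resolve
    function Get-TxtStrings([string] $Name) {
        try {
            Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { $_.Strings -join '' }
        } catch { @() }
    }

    $spf   = Get-TxtStrings $Domain                            | Where-Object { $_ -like 'v=spf1*' }      | Select-Object -First 1
    $dmarc = Get-TxtStrings "_dmarc.$Domain"                   | Where-Object { $_ -like 'v=DMARC1*' }    | Select-Object -First 1
    $dkim  = Get-TxtStrings "$DkimSelector._domainkey.$Domain" | Where-Object { $_ -match '(^|;)\s*p=' } | Select-Object -First 1

    # The terminal 'all' mechanism decides what receivers do with unlisted senders.
    # Only '-all' (hard fail) lets SPF reject spoofed mail; '~all' and '?all' merely advise.
    $spfMode = if (-not $spf)                  { 'MISSING: no v=spf1 record' }
               elseif ($spf -match '\s-all$')  { 'hard fail (-all)' }
               elseif ($spf -match '\s~all$')  { 'soft fail (~all): spoofed mail is usually still delivered' }
               elseif ($spf -match '\s\?all$') { 'neutral (?all): no protection' }
               elseif ($spf -match '\s\+all$') { 'WEAK: +all authorises every sender' }
               else                            { 'WEAK: no terminal all mechanism' }

    # DMARC policy tells receivers what to do when neither SPF nor DKIM passes for the domain
    $dmarcPolicy = if ($dmarc -match '(^|;)\s*p=(none|quarantine|reject)') { $Matches[2] } else { 'MISSING' }

    [pscustomobject]@{
        Domain      = $Domain
        SPF         = $spf
        SPFMode     = $spfMode
        DKIM        = if ($dkim) { "present ($DkimSelector)" } else { "missing for selector '$DkimSelector'" }
        DMARCPolicy = $dmarcPolicy
        # True unless all three controls are in place, which is the configuration the text recommends
        Spoofable   = -not (($spf -match '\s-all$') -and $dkim -and ($dmarcPolicy -eq 'reject'))
    }
}

# Usage (replace with your own domain and selector):
Test-EmailAuthRecords -Domain 'example.com' -DkimSelector 'selector1' | Format-List
```

A domain that sends no mail should still publish `v=spf1 -all` and a DMARC record with `p=reject`; the function reports such a domain as not spoofable even though it has no DKIM selector only if you treat the missing DKIM as acceptable for that case.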

Email Archiving

Lack of Email Archiving

Email archiving is the act of preserving, and making searchable, all email to and from an individual. Archiving email is considered better practice as it allows an organisation to control the size of mailboxes and to keep a non-repudiable copy in case of legal disputes.

Implement some form of email journaling or archival to meet compliance requirements or to provide admissible evidence in court proceedings. Check whether Barracuda offers additional archiving services, or purchase additional software and storage for an on-premise vault. Alternatively, Office 365 business plans have large mailbox and storage capacities, and offer legal hold as an additional add-on service.

 

Patching

Hackers take advantage of errors in software code to attack and take over computers. These vulnerabilities are specifically targeted by attackers. Software vendors correct errors in their code by releasing patches. Applying patches is one of the most effective measures to improve the security of a computer system. 

Implement Windows Server Update Services (WSUS) to manage, monitor and control the deployment of Windows patches. WSUS is a free Windows Server role.
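As an added example (not from the original post), the following PowerShell shows the WSUS workflow the recommendation describes: list security and critical updates that clients report as needed but nobody has approved, approve them for a pilot group first, and confirm on a client that it is actually pointed at the WSUS server. The UpdateServices module ships with the WSUS role; the group name `Pilot Workstations` is an assumption.

```powershell
# Added example: on the WSUS server, approve outstanding security and critical updates
# for a pilot group first, and on a client confirm it is pointed at WSUS.
Import-Module UpdateServices

$wsus = Get-WsusServer          # local WSUS server; use -Name/-PortNumber for a remote one

# Updates at least one client reports as needed but that nobody has approved yet
$pending = @(Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status Needed) +
           @(Get-WsusUpdate -UpdateServer $wsus -Classification Critical -Approval Unapproved -Status Needed)

# Biggest exposure first: how many machines are waiting on each update
$pending |
    Select-Object @{ n = 'Title'; e = { $_.Update.Title } }, ComputersNeedingThisUpdate |
    Sort-Object ComputersNeedingThisUpdate -Descending |
    Format-Table -AutoSize

# Approve for the pilot group only; widen to 'All Computers' once the pilot reports success.
# Assumption: a computer group named 'Pilot Workstations' exists in WSUS.
$pending | Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot Workstations'

# Client side: the WSUS policy keys pushed by Group Policy, and the most recent installed patches
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue |
    Select-Object WUServer, WUStatusServer
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 HotFixID, Description, InstalledOn
```

Approving to a pilot group before the whole estate is what turns WSUS from a download cache into a controlled deployment: a bad patch is caught on a handful of machines instead of everywhere.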

Administrator Privileges

Administrator or admin access is a level of access where the user has full, complete or unrestricted access to the entire system and all its data. Users with administrative privileges for operating systems and applications can make significant changes to their configuration and operation, bypass critical security settings and access sensitive information.

Make sure users do not have local admin rights on their machines, and that administrators have a separate, dedicated login for domain admin tasks so that those actions can be logged and audited.
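Checking that users really do not have local admin rights is something you can automate. The script below is an added example, not part of the original post: it reads the local Administrators group on every enabled Windows 10 domain computer and reports any member that is not on an expected list. It needs the ActiveDirectory RSAT module and PowerShell remoting; the domain name `EXAMPLE`, the group names and the computer name `WS-0042` are placeholders.

```powershell
# Added example: audit local Administrators group membership on every enabled domain
# workstation and report members outside an expected list. Requires the ActiveDirectory
# module (RSAT) and PowerShell remoting to the workstations.
# Assumptions: the domain NetBIOS name 'EXAMPLE' and the group names below are placeholders.
Import-Module ActiveDirectory

# Principals that are expected to be local admins; anything else is reported
$allowed = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins')

$computers = Get-ADComputer -Filter "Enabled -eq 'True' -and OperatingSystem -like '*Windows 10*'" |
             Select-Object -ExpandProperty Name

# Collect membership in parallel; unreachable machines are skipped rather than stopping the run
$findings = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
}

# The built-in account shows up as '<COMPUTER>\Administrator' (LAPS manages its password);
# every other member must be on the allow list.
$unexpected = $findings | Where-Object { $_.Name -notin $allowed -and $_.Name -notlike '*\Administrator' }
$unexpected | Sort-Object Computer | Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize

# Remediation for a confirmed finding, run per machine after review:
# Invoke-Command -ComputerName 'WS-0042' -ScriptBlock { Remove-LocalGroupMember -Group 'Administrators' -Member 'EXAMPLE\jsmith' }
```

Run it on a schedule and diff the output: a user account reappearing in the local Administrators group is an early sign that someone is handing out admin rights to "fix" a problem.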

Logging

Consider implementing a system for managing and storing logs, in which logs from key infrastructure services are periodically copied to an external system for long-term storage and access.

We recommend that at least the last 3 months of logging information is on hand for immediate analysis, and that at least the last 12 months of logging data can be retrieved when required for analysis.

Limited Retention of Logs

Logging should be enabled across all systems and logs retained for a reasonable period to allow investigation and review of events that have occurred in the past.

The lack of available logging information makes any subsequent investigation into an incident that occurred in the past very difficult to perform.
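To see whether a Windows machine actually meets the 3-month target above, measure how far back each event log reaches. The following is an added example rather than code from the original post; the archive share `\\logarchive\evtx` is a placeholder.

```powershell
# Added example: report how far back each key Windows event log reaches against the
# 3-month (90-day) target, grow logs that roll over too fast, and copy the Security
# log to an archive share. Assumption: '\\logarchive\evtx' is a placeholder share.
$targetDays = 90
$logs = 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational'

$report = foreach ($name in $logs) {
    $info = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $info) { continue }
    # -Oldest reads from the start of the log, so one event gives the retention floor
    $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $days = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) } else { 0 }
    [pscustomobject]@{
        Log        = $name
        SizeMB     = [math]::Round($info.MaximumSizeInBytes / 1MB)
        Records    = $info.RecordCount
        OldestDays = $days
        Meets90d   = ($days -ge $targetDays)
        Mode       = $info.LogMode   # Circular logs overwrite the oldest events when full
    }
}
$report | Format-Table -AutoSize

# Grow the Security log so 90 days fit before it wraps (classic logs; Windows PowerShell 5.1)
Limit-EventLog -LogName Security -MaximumSize 1GB

# Export the live Security log to the archive share for the 12-month retrieval requirement
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
wevtutil epl Security "\\logarchive\evtx\${env:COMPUTERNAME}-Security-$stamp.evtx"
```

A Security log with a small maximum size on a busy domain controller can wrap in hours, so the `OldestDays` column is the number that matters; the size and export steps are the fix when it is below 90.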

Network segmentation

Network segmentation is the act of splitting a network into many "sub networks" or areas. Segmentation segregates and protects company data and systems and limits attackers' lateral movements between computers and across the network.

There should be segmentation between the internal network and internet-accessible computers. Without it, should an internet-facing computer be compromised by attackers, the rest of the company network will be easily accessible.

Consider implementing network segmentation. At a minimum, internet facing systems should be segregated from the internal network by creating a demilitarised zone or DMZ.

Network access to administer computers, firewalls, switches and routers is not restricted. Any computer on the network can connect to any other computer on the network and potentially access services that are only meant to be accessed by IT administrators.

Access to administration ports should be restricted to only certain network addresses and/or computer systems.

This can be achieved through network segmentation and/or by implementing IP address restrictions for accessing administration functions such as SSH, remote desktop or web based administration portals.
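On Windows hosts the IP address restriction described above can be enforced with Windows Defender Firewall. The script below is an added example, not from the original post: it scopes the built-in Remote Desktop and WinRM rules to a management subnet, makes sure unmatched inbound traffic is dropped, and then lists any remaining rule that still opens an administration port to any address. The subnet `10.10.50.0/24` is an assumption; switches, routers and firewalls need the equivalent ACL in their own configuration.

```powershell
# Added example: restrict Windows administration ports (RDP 3389, WinRM 5985/5986) to a
# management subnet with Windows Defender Firewall, then verify nothing still allows 'Any'.
# Assumption: 10.10.50.0/24 is the management network; substitute your own.
$mgmt = '10.10.50.0/24'
$adminPorts = '3389', '5985', '5986', '22'

# 1. Scope the built-in RDP and WinRM rule groups to the management subnet instead of 'Any'
Set-NetFirewallRule -DisplayGroup 'Remote Desktop'            -RemoteAddress $mgmt
Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress $mgmt

# 2. Inbound traffic that no rule explicitly allows must be dropped, on every profile
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 3. Verify: enabled inbound allow rules that still accept an admin port from any address
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $addr  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($addr -contains 'Any') -and (@($ports | Where-Object { $_ -in $adminPorts }).Count -gt 0)
    } |
    Select-Object DisplayName, Profile, Group

# 4. Confirm what is actually listening so the rules cover every exposed admin service
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in $adminPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Step 3 is the useful part: third-party software often adds its own "allow from Any" rule for RDP or WinRM, which quietly undoes step 1 on that machine.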

Security Recommendations for all Company Computer Systems - Part 1

Multi-Factor Authentication

Multi-factor authentication (MFA) is a method of controlling computer access in which a user is only granted access after successfully presenting several separate pieces of evidence to prove that they are who they say they are. Typically at least two of the following categories of authentication information are provided: something they know (for example a password), something they have (for example a PIN code sent via SMS to a phone), and something they are (for example a fingerprint).
Multi-factor authentication is one of the most effective controls an organisation can implement to prevent an attacker from gaining access to a device or network. When implemented correctly, multi-factor authentication can make it significantly more difficult for an attacker to steal legitimate credentials to facilitate further malicious activities on a network. 

Extend the rollout of MFA to any system that is publicly available and to any system that requires a higher level of access control:

  • Remote VPN access
  • Webmail Access
  • Third Party Apps
  • Website access
  • Administrator level access to key systems
  • Implement a RADIUS server on-premise to allow local systems to integrate with the Azure MFA service
     

Training

Extend Security Awareness and Training

Training employees to understand and avoid common security threats can greatly reduce a company's risk of a security incident. It is therefore vital that an organisation has a security awareness program in place to ensure employees are aware of the importance of protecting sensitive information, what they should do to handle information securely, and the risks of mishandling information.

Implement security awareness training for new starters, and expand security awareness efforts by implementing a security training platform.
Implement an integrated Security Awareness Training and Simulated Phishing platform such as KnowBe4. https://www.knowbe4.com/about-us/
 

Hard Disk Encryption

Hard disk encryption prevents any information stored on disk from being read or accessed. Data that is encrypted may only be decrypted and read if the encryption key or password is known. 
If a computer is lost or stolen, the information stored on the computer will be protected from unauthorised access. 

You can upgrade the version of Windows in use to Windows 10 Enterprise to take advantage of BitLocker. BitLocker is a Windows feature that allows hard drives to be encrypted. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturer.
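The following is an added example, not code from the original post, of the steps a rollout involves on one machine: confirm the TPM is usable, check the current BitLocker state, escrow a recovery password to Active Directory, and enable TPM-bound encryption of the OS drive. It assumes the Group Policy setting "Store BitLocker recovery information in Active Directory Domain Services" is enabled, otherwise the backup step fails.

```powershell
# Added example: check TPM and BitLocker state, escrow a recovery password to AD, and
# turn on TPM-bound encryption for the OS drive. Requires the BitLocker module (Windows 8 /
# Server 2012 and later) and an elevated session. Assumption: the Group Policy setting
# 'Store BitLocker recovery information in Active Directory Domain Services' is enabled.

# TPM is what lets BitLocker unlock transparently and resist offline attacks
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated

# Current state of every volume: VolumeStatus, ProtectionStatus and method tell the story
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage

$os = Get-BitLockerVolume -MountPoint 'C:'
if ($os.ProtectionStatus -ne 'On') {
    # 1. Add a recovery password before encrypting, so it can be escrowed to AD first
    $os = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
    $rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

    # 2. Encrypt with the key sealed to the TPM (TPM 1.2 or later). -UsedSpaceOnly is fast on
    #    new machines; -SkipHardwareTest avoids the reboot-and-verify step.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}

# Fleet check from a management host: which machines still have an unprotected OS drive?
# Invoke-Command -ComputerName (Get-Content .\workstations.txt) -ScriptBlock { Get-BitLockerVolume -MountPoint 'C:' } |
#     Where-Object ProtectionStatus -ne 'On' | Select-Object PSComputerName, VolumeStatus
```

Escrowing the recovery password before encryption starts matters: a laptop that is encrypted but whose recovery key was never backed up is a data-loss incident waiting for the first TPM reset or motherboard swap.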

 

Cyber insurance policies

  • Third Party Claims - covers the Insured's liability to third parties from a failure to keep data secure, such as claims for compensation by third parties, investigations, defence costs and fines and penalties from breaching the Privacy Act. 
  • First Party Costs - reimburses the Insured for the costs they would incur to respond to a breach, such as IT Forensic Costs, Credit Monitoring Costs, Public Relations Expenses and Cyber Extortion Costs (including ransom payments to hackers).
  • Business Interruption - this section provides reimbursement for the Insured's loss of profits resulting from the breach, as well as any additional necessary expenses it may need to incur to continue business as usual. 

 

Critical Microsoft Exchange Patch - CVE-2018-8154 patch

Microsoft has released an update to address a critical vulnerability affecting all Exchange versions.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8154

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

Exchange 2007 will not be patched by Microsoft, so if you are using this version it is highly recommended that you update or migrate to Office 365.

LAPS – Local Administrator Password Solution

The problem with computers that come straight from an OEM, or are set up by users themselves, is that sometimes the original local Administrator account password is left blank. When such a PC joins a domain, as most PCs in businesses do, this blank password remains an exploitable security risk; this is how the renowned British hacker Gary McKinnon infiltrated NASA.

Not only can someone access your PC remotely, they can also:

  • Install a keylogger to capture the domain user's or Administrator password
  • Install software to reverse engineer cached credentials
  • Get immediate access to all the local files on the computer
  • Get users' saved browser passwords

 

LAPS is a solution provided by Microsoft that, when installed, rolls out a tiny client on each PC which is told by Group Policy to generate a random password. The password is changed every 30 days and is unique to each computer. Even if the computer is disconnected from the domain for whatever reason, your local AD will still hold a record of the password.

LAPS is easy to deploy, easy to manage and provides several security benefits... and it's free, available below:

http://aka.ms/laps
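The server-side setup behind both LAPS sections on this page (the Part 2 recommendation and the write-up above) is a handful of cmdlets from the AdmPwd.PS module that installs with the LAPS management tools. The script below is an added example, not the page's or Microsoft's own code; the OU path, the groups `EXAMPLE\LAPS-Readers` and `EXAMPLE\LAPS-Resetters` and the computer name `WS-0042` are placeholders.

```powershell
# Added example: server-side LAPS setup using the AdmPwd.PS module installed with the
# LAPS management tools (http://aka.ms/laps). Assumptions: the OU path, the groups
# 'EXAMPLE\LAPS-Readers' / 'EXAMPLE\LAPS-Resetters' and the computer 'WS-0042' are placeholders.
Import-Module AdmPwd.PS

# 1. Extend the AD schema once per forest: adds the ms-Mcs-AdmPwd (password) and
#    ms-Mcs-AdmPwdExpirationTime attributes to the computer class. Requires Schema Admins.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiry into AD
Set-AdmPwdComputerSelfPermission -OrgUnit 'OU=Workstations,DC=example,DC=local'

# 3. Grant read and reset rights to specific groups only; everyone else is blocked by the ACL
Set-AdmPwdReadPasswordPermission  -OrgUnit 'OU=Workstations,DC=example,DC=local' -AllowedPrincipals 'EXAMPLE\LAPS-Readers'
Set-AdmPwdResetPasswordPermission -OrgUnit 'OU=Workstations,DC=example,DC=local' -AllowedPrincipals 'EXAMPLE\LAPS-Resetters'

# 4. Audit every password read (recorded as directory service access events in the DC Security log)
Set-AdmPwdAuditing -OrgUnit 'OU=Workstations,DC=example,DC=local' -AuditedPrincipals 'Everyone'

# 5. Review who can read passwords in the OU, e.g. groups holding inherited 'All extended rights'
Find-AdmPwdExtendedRights -Identity 'OU=Workstations,DC=example,DC=local' |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# The client side is configured by Group Policy (Computer Configuration > Administrative
# Templates > LAPS > 'Enable local admin password management') once the LAPS CSE is installed.

# 6. Day-to-day use by a LAPS-Readers member: retrieve a password, or force a change at the next GP refresh
Get-AdmPwdPassword -ComputerName 'WS-0042' | Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName 'WS-0042'
```

Step 5 is worth running before go-live: any group that already holds "All extended rights" on the OU can read every LAPS password, which is usually not what the ACL design intended.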

How to prevent your business from getting hacked

1) Use two-factor authentication for all your web and application services

Your password is now a single point of failure for your email or service being accessed by unauthorised users. The chances are the account would be exploited on the first day by some social engineering attempt trying to get money from your finance department. Your bank and financial institutions have been using 2FA for years now, and it is the recommended solution to add to the rest of your cloud and local services.

2) Use SSL certificates wherever possible

This is usually added to a company's web applications, such as a Document Management Solution or Content Management Solution, which use certificates to encrypt traffic between your web browser and the app to make sure no prying eyes will see any confidential data.

SMTP mail flow should be set to use TLS by default rather than plain text over the normal port 25.

3) Have a fully up-to-date antivirus program that also alerts

Windows 7 and Windows 10 nowadays come with free antivirus (Microsoft Security Essentials and Windows Defender); however, these are only licensed for home use. It's best to get a fully managed AV like Webroot, where virus detections are alerted on straight away.

4) Use a third party for spam filtering

Even with cloud providers such as Google Apps for email or Microsoft's Office 365 email hosting, you need that added layer of protection against spoofing, phishing and viruses.

Services such as Mimecast and Postini can help protect against all of the above and provide real-time protection against new threats.

5) Regularly change your password

Per bullet point 1), the first line of defence is your password! Make sure it is changed once a month, and sign up to https://haveibeenpwned.com/ to find out if it has been compromised elsewhere.
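The Have I Been Pwned service mentioned above also publishes a "Pwned Passwords" range API that lets you check whether a password appears in known breach data without sending the password itself. The function below is an added example, not from the original post: it sends only the first five hex characters of the password's SHA-1 hash and matches the remainder locally.

```powershell
# Added example: check a candidate password against the Have I Been Pwned "Pwned Passwords"
# range API without sending the password itself. Only the first five hex characters of its
# SHA-1 hash leave the machine (k-anonymity); the rest is matched locally.
function Test-PwnedPassword {
    param([Parameter(Mandatory)] [string] $Password)

    # SHA-1 of the password, upper-case hex, as the API expects
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $hash = ($sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password)) |
             ForEach-Object { $_.ToString('X2') }) -join ''
    $sha1.Dispose()

    $prefix, $suffix = $hash.Substring(0, 5), $hash.Substring(5)

    # The service returns every suffix sharing this prefix with its breach count.
    # Add-Padding makes the response size uniform so the prefix alone reveals nothing extra.
    $body = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                              -Headers @{ 'Add-Padding' = 'true' }

    foreach ($line in ($body -split "`r?`n")) {
        $candidate, $count = $line -split ':'
        if ($candidate -eq $suffix) { return [int]$count }   # padded entries carry a count of 0
    }
    return 0
}

# Usage: read the password without echoing it, then report how often it appears in breach data
$secure = Read-Host -AsSecureString -Prompt 'Password to check'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$seen   = Test-PwnedPassword -Password $plain
if ($seen -gt 0) { "Seen $seen times in breach data - do not use it" } else { 'Not found in breach data' }
```

Blocking passwords that already appear in breach data catches the common case that monthly rotation does not: a user "rotating" between a few well-known passwords that attackers try first.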

6) Keep your equipment up to date

Make sure the firmware on all your wireless devices, servers and routers is kept up to date, so that you install security updates as well as feature updates.

7) User training

Make sure users are told regularly about current well-known attacks such as phishing, spear phishing or Cryptolocker, so they understand what to look out for and ask before clicking!

 

KRACK - What is it and what does it mean for your Business?

https://www.krackattacks.com

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

 

What does it mean for your business?

If you use wireless in your organisation you are probably using WPA2, which means this exploit affects you. Intruders can use this attack to listen for passwords and sensitive company information. Your wireless manufacturer, whether Draytek, Netgear, Meraki or Ubiquiti, is currently releasing updates which will need to be applied to your devices to protect against this.

Microsoft will release a fix for Windows 10 on October 17th, along with several extra features.

iOS devices are already patched for this problem. Android phone manufacturers will be releasing updates, as will Linux distributions.

Spear phishing: what it is and how to protect yourself from it

As techtarget.com puts it:

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain.

How is this done?

We have seen a few cases of this, usually in the following order:

1) The attacker uses publicly available resources, e.g. social sites and company websites, to get a name and email address for the financial controller as well as the managing director of the company.

2) The attacker uses a third-party email server to fake the [email protected] address and sends the email below to [email protected]. The attacker could also try emailing from [email protected] (notice the "ltd" at the end!).

Hey financecontrollername,
I'm in the middle of a meeting , not available on the cell phone , but need this actioned NOW please transfer $$$$$ to this bank account let me know when done
managingdirectorname

The attacker also tries to send emails to financecontrollername saying 'Hey, are you there?'

3) financecontrollername sends the money and emails managingdirectorname when done, only to find out managingdirectorname never asked for this transfer.

How to protect yourself from this

1) Be careful what information you make publicly available, such as email addresses, as it can be used against you. Also be careful emailing people you don't know; the attacker copies your signature to make the email look as legitimate as possible.

2) Get your IT provider to use SPF records along with DKIM records to either put all emails from unknown senders that claim to be from your organisation into spam, or mark the subject as SPAM so the end user knows to be wary. This can be done with spam filters and Exchange.

3) Financial controllers should always speak to the MD when unsure about moving money around; better to be safe than sorry, as they say!
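Point 2 above ("mark the subject ... with Exchange") maps onto Exchange transport rules. The following is an added example, not from the original post, of two such rules: one that tags every message arriving from outside the organisation, and one that flags external mail whose From header carries the managing director's name, which is the pattern in the scenario described. It runs in the Exchange Management Shell or an Exchange Online PowerShell session; `managingdirectorname` stands in for the real name, as it does on this page.

```powershell
# Added example: Exchange transport rules implementing the mail-side defences above.
# Run in the Exchange Management Shell (or an Exchange Online PowerShell session).
# Assumption: 'managingdirectorname' is a placeholder for the executive's real name.

# 1. Tag every message from outside the organisation so staff can see at a glance
#    that a "from the MD" request did not originate internally.
New-TransportRule -Name 'Tag external senders' `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] '

# 2. A message from outside whose From header carries an executive's name is the
#    classic CEO-fraud pattern: raise its spam confidence level so it lands in junk
#    and make the subject say why.
New-TransportRule -Name 'External mail impersonating the MD' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' -HeaderMatchesPatterns 'managingdirectorname' `
    -SetSCL 9 -PrependSubject '[SUSPECTED IMPERSONATION] '

# 3. Review the rule set: lower Priority numbers are evaluated first
Get-TransportRule | Select-Object Priority, Name, State | Sort-Object Priority
```

The subject tag is the part users notice: an "urgent transfer" request from the MD that arrives with [EXTERNAL] in front of it is exactly the cue that makes the finance controller pick up the phone, which is point 3.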

If you have already been affected

Speak to your local police by dialling 101, and report it.

Speak to your bank; there is a 24-hour window in which bank transfers can be halted, so contact them as soon as possible.