- Verify that routing tables are identical on all nodes
- Synchronise HTTP, HTTPS, DNS between cluster members
- Set the 'fwha_forw_packet_to_not_active' kernel parameter to 1
- Edit your 'table.def' file on the SMS
Friday, January 17, 2020
Monday, January 6, 2020
Configure the Checkpoint Log Exporter
- Ensure you have the latest QRadar Checkpoint DSM (Device support module)
- Install IBM QRadar Custom Properties for Checkpoint from the QRadar App Exchange
Thursday, November 8, 2018
Tuesday, May 16, 2017
Wikipedia describes ransomware as “a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it.”
In layman's terms, it denies you access to your own files until you pay the ransomware operators to unlock them. This extortion model has proven very profitable: CryptoLocker and CryptoWall are estimated to have netted their creators US$3 million and US$17 million respectively.
Ransomware is typically delivered as a Trojan: the user is tricked into opening a seemingly legitimate attachment or document. Once running, some variants also spread by exploiting vulnerabilities on other systems they can reach. Once a system has been compromised and its files encrypted, the victim is presented with instructions on how to recover them; the unlocking method invariably involves paying the operators through hard-to-trace channels such as Bitcoin.
Whilst the result of a ransomware attack may be devastating, there are many measures you can take to protect your organisation. I will give a brief overview of these below. Do note that attacks, and indeed defence mechanisms, are constantly evolving, so the measures below are in no way exhaustive, but they form a strong baseline to work from.
Secure your perimeter
Your first line of defence is crucial, so make sure a Unified Threat Management (UTM) firewall is part of your perimeter security solution. This lets you enable anti-virus and malware scanning as well as intrusion detection and prevention (IDS/IPS). A UTM firewall will also allow you to configure outbound filtering, which can block the "phone-home" communication between a compromised system and its command-and-control servers; only allow the outbound protocols and destinations your systems actually need.
Secure your E-Mail
E-mail is one of the most prevalent attack vectors, so it makes sense to invest significant effort in securing it. Start by enabling strong spam filtering so that phishing and similar attacks never reach your users. You should also implement inbound mail authentication: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). These complement each other and work together to detect and reject spoofed mail. Of course you also need to scan all mail for viruses and, last but not least, filter executables and other "bad" file types at the gateway.
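As an added example (not part of the original post), the following PowerShell checks whether a domain publishes SPF and DMARC records and flags the weak settings a reviewer looks for: a missing or permissive "all" mechanism, more than one SPF record, a DMARC policy of none, and no reporting address. The domain name is an assumption. DKIM is not checked because its TXT record lives under a selector name that differs per sending system.

```powershell
# Added example, not from the original post. Reports the SPF/DMARC posture of a domain
# using Resolve-DnsName. The default domain is an assumption; pass your own.
param([string]$Domain = 'example.com')

function Get-TxtRecords {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }   # long records arrive as 255-byte chunks
    } catch {
        @()                                          # NXDOMAIN or no TXT records
    }
}

function Test-MailAuthPosture {
    param([string]$Domain)
    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF: exactly one v=spf1 record, terminated by a restrictive "all" mechanism
    $spf = @(Get-TxtRecords $Domain | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -eq 0) {
        $findings.Add('SPF: no record published; anyone can send as this domain')
    } elseif ($spf.Count -gt 1) {
        $findings.Add('SPF: multiple v=spf1 records; receivers treat this as a permanent error')
    } else {
        $m = [regex]::Match($spf[0], '(?:^|\s)([-~?+]?)all\s*$')
        if (-not $m.Success -or $m.Groups[1].Value -in '', '+') {
            $findings.Add('SPF: record ends in +all or has no all mechanism; it authorises any sender')
        } elseif ($m.Groups[1].Value -eq '~') {
            $findings.Add('SPF: ~all (soft fail); move to -all once all legitimate sources are listed')
        } elseif ($m.Groups[1].Value -eq '?') {
            $findings.Add('SPF: ?all (neutral) gives receivers nothing to act on')
        }
    }

    # DMARC: policy must be reject (or at least quarantine) and reports must go somewhere
    $dmarc = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' })
    if ($dmarc.Count -eq 0) {
        $findings.Add('DMARC: no record; SPF/DKIM failures are never acted on')
    } else {
        $policy = [regex]::Match($dmarc[0], '\bp=(\w+)').Groups[1].Value
        switch ($policy) {
            'reject'     { }
            'quarantine' { $findings.Add('DMARC: p=quarantine; move to p=reject once reporting is clean') }
            'none'       { $findings.Add('DMARC: p=none only monitors; spoofed mail is still delivered') }
            default      { $findings.Add("DMARC: malformed or missing p= tag in '$($dmarc[0])'") }
        }
        if ($dmarc[0] -notmatch '\brua=') {
            $findings.Add('DMARC: no rua= address, so you receive no aggregate reports')
        }
        $pct = [regex]::Match($dmarc[0], '\bpct=(\d+)').Groups[1].Value
        if ($pct -and [int]$pct -lt 100) {
            $findings.Add("DMARC: pct=$pct; the policy is applied to only part of the mail")
        }
    }
    return $findings
}

$result = @(Test-MailAuthPosture -Domain $Domain)
if ($result.Count -eq 0) { "$Domain : SPF -all and DMARC p=reject are in place" } else { $result }
```

Run it against your own domain and against the domains you receive the most mail from; a sender with no SPF or DMARC is one your gateway cannot authenticate, so their mail deserves stricter attachment filtering.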
Patch your systems
Many ransomware families spread by exploiting operating system vulnerabilities. A case in point is WannaCry, which uses the EternalBlue exploit against SMBv1; Microsoft had patched that vulnerability (MS17-010) two months before the first attacks hit. This clearly demonstrates the value of patching. Ensure you have a proper patch management strategy in place and that systems are patched promptly.
Keep your anti-virus current
This goes without saying: always ensure that your anti-virus (AV) solution is up to date and that real-time scanning is enabled. You should also configure regular scheduled scans. Most AV solutions now include heuristic detection, which can detect and remove threats for which there are no signatures yet; make sure you use it. Lastly, ensure that the endpoint firewall is enabled if your AV solution provides one.
Implement Least Privilege
Limit the use of administrative privileges to a minimum and make sure that User Account Control (UAC) is enabled. The principle of least privilege should also be applied when granting users access to network resources: only give write permission to users who absolutely need it and default to read-only where possible. You should also audit your file shares regularly and review the permissions each share actually needs. Ransomware will typically enumerate every network resource the infected user can reach and encrypt everything it can write to, so limiting each user to the shares they really need significantly reduces the blast radius of an infection.
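The share audit described above, as an added example that is not part of the original post: this PowerShell lists the non-administrative SMB shares on a file server and reports every share-level or NTFS permission that lets a broad group (Everyone, Authenticated Users, Users, Domain Users) write. Those are exactly the shares an infected workstation will be able to encrypt. The list of broad principals is an assumption; extend it with your own catch-all groups.

```powershell
# Added example, not from the original post. Finds shares where broad groups can write.
# Requires the SmbShare module (Windows Server 2012 / Windows 8 and later) and admin rights.
$broadPrincipals = '*Everyone', '*Authenticated Users', 'BUILTIN\Users', '*\Domain Users'   # assumption
$writeRights     = 'Write|Modify|FullControl'   # FileSystemRights values that allow changing content

function Test-BroadPrincipal {
    param([string]$Name)
    foreach ($pattern in $broadPrincipals) {
        if ($Name -like $pattern) { return $true }   # -like treats backslashes literally
    }
    return $false
}

function Get-BroadWriteAccess {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        # Share-level ACL: Change or Full for a broad principal
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -ne 'Allow' -or $ace.AccessRight -notin 'Change', 'Full') { continue }
            if (Test-BroadPrincipal $ace.AccountName) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                                   Principal = $ace.AccountName; Right = $ace.AccessRight }
            }
        }
        # NTFS ACL on the share root. The effective permission is the more restrictive of
        # the two layers, so a finding in only one layer may still be harmless; review both.
        # Generic rights show up as raw numbers here and are not matched by the regex.
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            if ($ace.AccessControlType -ne 'Allow' -or $ace.FileSystemRights -notmatch $writeRights) { continue }
            if (Test-BroadPrincipal $ace.IdentityReference.Value) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                                   Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights }
            }
        }
    }
}

Get-BroadWriteAccess | Format-Table -AutoSize
```

Run it on each file server and work through the output with the share owners: most "Everyone: Full" share ACLs are left over from the default the wizard creates and can be reduced to Read, with Change granted to a specific group instead.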
Block file execution from certain paths
Ransomware commonly runs from user-writable locations such as %APPDATA%, %LOCALAPPDATA% and the user's %TEMP% folder, because a dropper needs no administrative rights to write there. To protect against this, configure a Software Restriction Policy (SRP) path rule that disallows executables from running under %APPDATA%, and where feasible the other user-writable locations as well. A much more exhaustive list can be obtained here.
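As an added example (not part of the original post), the PowerShell below writes the Software Restriction Policy that the "New Path Rule" dialog in secpol.msc would create: a Disallowed level path rule for executables under %AppData% and for executables launched straight out of archives in the Temp folder. Assumptions: no SRP is configured on the machine yet (a domain GPO for SRP will overwrite these local values), the path list itself, which is a starting point rather than the exhaustive list the text refers to, and the registry layout, which is the one SRP stores its GUI-created rules in. SRP is deprecated in current Windows releases in favour of AppLocker and Windows Defender Application Control, but it still works on every edition, including Pro.

```powershell
# Added example, not from the original post. Local SRP path rules against executables
# in user-writable locations. Run elevated, then log off and on for the rules to apply.
$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$safer\0\Paths"      # security level 0 = Disallowed (0x40000 = Unrestricted)

New-Item -Path $disallowed -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel        -Value 0x40000 -Type DWord  # everything else still runs
Set-ItemProperty -Path $safer -Name TransparentEnabled  -Value 1       -Type DWord  # 1 = software files except DLLs
Set-ItemProperty -Path $safer -Name PolicyScope         -Value 0       -Type DWord  # 0 = all users, admins included
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Value 0       -Type DWord
# Designated file types SRP treats as executable (the list the GUI creates by default)
Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

# Assumption: starting list. %LocalAppData% as a whole is deliberately NOT blocked here,
# because per-user installers (OneDrive, Teams, Chrome) live there and would need exceptions.
$blocked = @(
    '%AppData%\*.exe',                 # directly under Roaming
    '%AppData%\*\*.exe',               # one folder deeper (SRP wildcards are per path segment)
    '%LocalAppData%\Temp\*.zip\*.exe', # executables run from inside a zip opened by Explorer
    '%LocalAppData%\Temp\Rar*\*.exe',  # ... or from WinRAR's temporary extraction folder
    '%LocalAppData%\Temp\7z*\*.exe'    # ... or from 7-Zip's
)

foreach ($pattern in $blocked) {
    $rule = Join-Path $disallowed ([guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData     -Value $pattern -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $rule -Name Description  -Value "Ransomware hardening: disallow $pattern" -Type String
    Set-ItemProperty -Path $rule -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Show what is now in place
Get-ChildItem $disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Blocked launches are written to the Application event log by the SoftwareRestrictionPolicies source (event 866 for a path rule), which is the place to look when a legitimate application such as a per-user installer is caught by a rule and needs an Unrestricted exception.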
Implement Geo-Blocking and blocking of known bad IP addresses
If possible for your organisation, configure your perimeter firewall to block traffic to and from "at-risk" countries you do not do business with. For example, a number of ransomware families have relied on command-and-control infrastructure hosted in Russian IP ranges. Protection mechanisms like this are admittedly crude, and trivially bypassed by a C2 server hosted in a "friendly" country, but they can be surprisingly effective. If your perimeter solution supports it, you should also explicitly block all traffic to known-bad IP addresses using a reputation feed.
Application whitelisting
Application whitelisting is perhaps the most effective protection against ransomware: if an executable is not on the allowed list it simply does not run, whatever its name, extension or location. The flip side is that it typically takes the most effort and resources in testing, implementing and maintaining. Various commercial solutions exist, but as a start you should consider AppLocker and Software Restriction Policies, both native to Windows.
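An added example of the AppLocker route (not part of the original post): the PowerShell below builds an allow-list from the software already installed in the admin-only locations, puts it into Audit mode so nothing is blocked yet, applies it locally and then asks the policy what it would decide for a script dropped into the user's AppData folder and for a signed system binary. The directory list and the probe paths are assumptions. AppLocker rule enforcement requires Windows Enterprise or Server.

```powershell
# Added example, not from the original post. Generates, audits and tests an AppLocker policy.
Import-Module AppLocker

# AppLocker does nothing unless the Application Identity service is running
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# Assumption: these locations are writable only by administrators, so what is in them is trusted.
# Scanning C:\Windows recursively takes a few minutes.
$trusted  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($dir in $trusted) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# Publisher rules for signed files (location-independent), hash rules for the rest;
# -Optimize merges per publisher so the policy stays manageable
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# New-AppLockerPolicy leaves every rule collection "NotConfigured". Start in AuditOnly: the
# AppLocker event log (event 8003) then records what WOULD have been blocked, without breaking anything.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xmlPath = Join-Path $env:TEMP 'applocker-audit.xml'
$xml | Out-File -Encoding utf8 $xmlPath
Set-AppLockerPolicy -XmlPolicy $xmlPath

# Probe: an unsigned script in AppData (no matching hash rule) versus a Microsoft-signed binary
$probe = Join-Path $env:APPDATA 'probe.ps1'
Set-Content -Path $probe -Value 'Write-Output "hello"'
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $probe, "$env:SystemRoot\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Note what the probe shows: the publisher rule allows notepad.exe even if it is copied into AppData, because publisher rules are about who signed the file, not where it sits, while the unsigned script is denied. Leave the policy in Audit mode until the 8003 events have been clean for a few weeks, add rules for whatever legitimate software they reveal, and only then switch the collections to Enabled.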
Disable MS Office Macros
Many ransomware variants use Office macros as their initial foothold. If possible, disable macros outright, or at the very minimum for documents received via e-mail or downloaded from the Internet. Alternatively, open untrusted documents in the Office viewers, which cannot execute macros.
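As an added example (not part of the original post), the PowerShell below sets the Office policy values that implement both options in the paragraph above: VBAWarnings disables macros for the application, and BlockContentExecutionFromInternet blocks macros in any file carrying the Mark-of-the-Web, which is what e-mail attachments and downloads get. The version key (16.0 for Office 2016, 2019 and 365), the application list and the use of HKCU instead of a domain GPO are assumptions; a GPO writes the same values to the same keys.

```powershell
# Added example, not from the original post. Office macro hardening via the policy registry keys.
$officeVersion = '16.0'                         # assumption: Office 2016 or later
$apps          = 'Word', 'Excel', 'PowerPoint'  # assumption

function Set-OfficeMacroPolicy {
    param(
        # 4 = disable all macros without notification (the "if possible" option in the text)
        # 3 = disable all except digitally signed macros (use this if you sign internal macros)
        [ValidateSet(3, 4)][int]$VbaWarnings = 4
    )
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VbaWarnings -Type DWord
        # Files from the Internet zone get their macros blocked outright, whatever VBAWarnings says
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $p.VBAWarnings                       # $null = not set, Office default applies
            BlockFromInternet = $p.BlockContentExecutionFromInternet
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 4
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because these are Policies keys they appear greyed out in the Trust Center, so users cannot click their way back to "Enable all macros". Remember that the Mark-of-the-Web check is only as good as the applications that set it: files extracted by some archive tools or copied from removable media arrive without it.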
Windows FileScreen
File screens in Windows File Server Resource Manager (FSRM) were a popular way to detect ransomware infections, but their value has been greatly reduced because newer ransomware variants randomise the file extensions they write. They may still add value in your organisation, chiefly for alerting and for tracing which user account started an outbreak. A fairly comprehensive list of file extensions can be found here.
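As an added example (not part of the original post), the PowerShell below builds the alerting use the paragraph above describes and adds a containment step: a passive FSRM file screen that, when a file matching a known ransomware name pattern is written, logs a warning event naming the writing account and denies that account on the affected share, which stops that session from encrypting anything further. The share path, the script location and the deliberately short pattern list are assumptions. Requires the File Server Resource Manager role service on the file server. A false positive blocks a real user, so test on a lab share first.

```powershell
# Added example, not from the original post. Passive FSRM screen with alert and containment.
Import-Module FileServerResourceManager

$screenPath = 'D:\Shares'                         # assumption
$scriptPath = 'C:\Scripts\Block-ShareWriter.ps1'  # assumption
# Assumption: a handful of historical indicators; maintain this list from current threat intel
$patterns   = '*.locky', '*.crypt', '*.encrypted', '*.wncry', '*HELP_DECRYPT*', '*_HOW_TO_DECRYPT*'

# 1. Containment script that FSRM will run as SYSTEM. FSRM expands [Source Io Owner] and
#    [Source File Path] on the command line before the script starts.
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
@'
param([string]$User, [string]$Path)
# Deny the offending account on every share that contains the path the screen fired on
Get-SmbShare | Where-Object { -not $_.Special -and $Path -like ($_.Path.TrimEnd('\') + '\*') } |
    ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName $User -Force }
'@ | Set-Content -Path $scriptPath -Encoding ascii

# 2. File group holding the indicator patterns
$group = New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns

# 3. Actions: an event for the SIEM to pick up, then the containment command
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware indicator: [Source Io Owner] wrote [Source File Path] (file group [Violated File Group])'
$blockAction = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -User `"[Source Io Owner]`" -Path `"[Source File Path]`""

# 4. Passive screen: without -Active the write itself still succeeds, the actions just fire.
#    That is intentional here; the containment step is what stops the encryption.
New-FsrmFileScreen -Path $screenPath -IncludeGroup $group.Name -Notification @($logAction, $blockAction) `
    -Description 'Ransomware indicator screen (passive, with containment)'
```

The event lands in the Application log under the SRMSVC source, so forward it to the SIEM mentioned further down. Keep the limitation from the paragraph in mind: a variant that writes random extensions, or encrypts in place without renaming, never trips the pattern match, so treat this as one tripwire among several rather than as a control.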
Enable Logging (SIEM)
A proper logging solution will be invaluable in tracing the origin of a ransomware outbreak. The value of a SIEM is that you can correlate the logs of many different devices (mail gateway, firewall, file servers, endpoints) to find out how the attack happened, which in turn allows you to take measures to prevent a recurrence. A properly configured SIEM also acts as an early-warning system, so that you can limit the spread and fallout of an infection should you be compromised.
Backups
If all else fails, your backups are what stands between you and disaster. Back up your data regularly, in line with your organisation's Recovery Point Objective (RPO). Verify the integrity of those backups and test the restoration process regularly to ensure it works. You also need to secure your backups, or at the very least keep a copy offline, so that they cannot be encrypted by the same ransomware you are trying to protect against.
I'll split this into two scenarios: the first where no IPS is in place yet and you just want to block WannaCry, and the second where you already have IPS profiles in place protecting your clients.
No IPS in place yet
- Create an IPS protection profile containing the MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution signature
- Ensure that the protection profile is set to Block
- Apply the IPS profile to all policies governing your intra-VLAN traffic, not just the Internet-facing policies, since WannaCry spreads laterally over SMB
Adding the WannaCry signature to your existing client targeting IPS profile
This signature unfortunately has the target type Server, even though client operating systems are just as vulnerable, so a client-targeting IPS profile that filters on target type Client will not include it. You will have to add it to your client-targeting profile manually.
Another point to note is that it is listed as a rate-based signature, so ensure that the threshold in your profile is zero; otherwise the profile only reacts after the configured number of hits, and the first exploitation attempt goes through.
Here is more information about the relevant signature from Fortinet: https://fortiguard.com/encyclopedia/ips/43796
Monday, January 9, 2017
A FortiGate allows you to create a password policy for administrative accounts via the web interface. Unfortunately this functionality is not exposed for normal, local user accounts. Typically this isn't a big pain point, as I would imagine most customers use external authentication (FSSO / LDAP / RADIUS etc.). That said, I recently had a situation where a client had a bunch of local users configured and wanted to implement password expiry, with users being prompted to change their password upon expiry. Authentication was done via captive portal.
The FortiOS handbook came up blank, but a chat with my Fortinet SE provided a solution. First we configure the actual policy, then apply it to a user account. The policy below expires a password after 2 days and starts warning the user 1 day before that (short values chosen for testing; use something like 90 and 14 in production):
config user password-policy
    edit "pwpol01"
        set expire-days 2
        set warn-days 1
    next
end
We then apply it to an existing local user (replace username with the actual account name):
config user local
    edit "username"
        set type password
        set passwd-policy "pwpol01"
    next
end
Unfortunately password policies can only be applied to individual users, not to groups, so it is a bit of a pain if you have lots of users; in that case you are better off using external authentication or FortiAuthenticator. Once the warning threshold is reached, the user is prompted via the captive portal to renew their password before it expires.
Friday, November 18, 2016
I am very proud to say that I now hold the Payment Card Industry Professional (PCIP) certification. This is a journey that took me about 6 months to complete, and I'll share some tips and experience I picked up on my way to becoming certified.
The registration process starts by submitting your application, as well as supporting documentation, to the PCI Council via their website. Approval typically takes about two weeks, and they may ask you for proof of work experience and additional security certifications. In my case I've been fortunate to have about a decade of experience in the InfoSec field in general, and 3 years working for clients who need to be PCI DSS compliant.
What do you need to do?
Once your application is approved you need to attend the PCIP course. This can be either on-line or classroom based. If you are new to the PCI-DSS field I would strongly suggest attending the classroom training, as access to the instructor as well as conversing with peers in the industry can be invaluable. If you have PCI-DSS experience then the on-line course will suffice.
Once you have completed the course, the PCI Council will register a user ID for you on the Pearson VUE website and provide you with a voucher to take the exam. It is up to you to do the booking on the VUE website. It is important to note that you have to use this voucher within 30 days of your training. If you fail the exam you can book to take it again at your own cost. If, heaven forbid, you fail it a second time you will have to attend the PCIP course again.
Preparing for the exam
First and foremost, know the PCI DSS 3.2 standard inside out. You do not have to know things like "requirement 3.2.1 states that ..."; you will however need to know how to successfully meet every requirement. In my case there was also a strong focus on the various Self-Assessment Questionnaires (SAQs) and in which cases each is applicable. I was not tested on Reports on Compliance (ROC) or Attestations of Compliance (AOC) at all.
You should also know when encryption, strong cryptography, hashing, tokenisation and masking should be used, as well as the difference between them. Make sure you know exactly when compensating controls are allowed, as well as the requirements for their acceptance. I got maybe one or two questions from the supplements (Virtualization and TLS specifically). You don't have to study them in depth, but do read through them and understand the intent.
I find assisting our clients on their path towards PCI-DSS compliance to be an extremely challenging and rewarding endeavour. As such, the next step on my journey is to become a PCI Internal Security Assessor. I believe this will add tremendous value over and above that which we already provide to our clients in the financial services sector.