sales@net-ctrl.com
01473 281 211

Net-Ctrl Blog

Three key actions from Cyber Security Awareness Month you can take

October 20th, 2017

In a world where the Internet has become a significant part of our everyday lives, we all need to take responsibility for keeping our online identities safe and secure. Much of our personal data is stored online, which exposes us to all sorts of threats. In a year of high-profile hacks and security vulnerabilities hitting the headlines, businesses and consumers are thinking much more about their online security. That is what Cyber Security Awareness Month is all about.

What is Cyber Security Month?

October is National Cyber Security Awareness Month (NCSAM) in the US, an annual campaign that aims to raise awareness about cybersecurity. This year also marks the 5th anniversary of the European Cyber Security Awareness Month. NCSAM was launched by the National Cyber Security Alliance and the Department of Homeland Security in October 2004. It is a collaborative effort between government and industry to ensure that everyone, from consumers and small businesses to corporations and academia, has the resources they need to stay safe and secure online. NCSAM carries the global message that cybersecurity is a shared responsibility.

This year kicked off with a global launch event to highlight the international adoption of Cyber Security Awareness Month. Let’s look into some of the main actions we can take.

1. Focus on consumers and their online safety

With the first few weeks of the initiative behind us, the focus on consumers and their online safety is stronger than ever. This year also marks the 7th anniversary of the STOP. THINK. CONNECT. campaign, which aims to help consumers stay safe and secure online. It is based on three easy-to-follow practices:

  • STOP: make sure security measures are in place
  • THINK: about the consequences of your actions online
  • CONNECT: and enjoy the internet

Week 1 addressed the top consumer cyber concerns, encouraging users to be more vigilant about how they use the Internet and share their personal data online. Simple steps to stay safe include using stronger authentication such as two-factor or biometrics, making passwords long and strong, and opening or sharing files with care, to name just a few.

We have a more detailed checklist here: 10 tips to prepare for Cyber Security Month. The most important tips include:

  • Make sure your password is secure
  • Regularly update your software
  • Beware of email scams
  • Password-protect your laptop and smart devices
  • Install malware protection

The Internet touches almost every aspect of our everyday lives, so consumers need to be aware of its most common risks. In a video embedded in the original post, former ethical hacker Jason Hart, who now works for Gemalto, explains how a man-in-the-middle attack works: an attacker inserts themselves into the communication between two parties, for example between your PC or phone and the Wi-Fi network, and can then read or alter the traffic passing through. The original post also includes videos of Jason Hart explaining how phishing scams and karma attacks (a rogue access point that answers probe requests for any network a device remembers) work.

2. Today’s predictions for tomorrow’s internet

We live in an incredibly connected world, with smart devices populating every aspect of our lives, and there are many ways an attacker can reach the data on those devices. So how do we secure the Internet of Things? Data is the fuel that makes smart devices work, so securing it, both at rest and in motion, is essential. We see three pillars for securing IoT data: securing the device, securing the cloud it talks to, and managing the lifecycle of the security components in the IoT. The importance of securing the IoT has also been recognised by the US government: earlier this year two US lawmakers proposed legislation aimed at addressing vulnerabilities in IoT devices.

Smart cars, connected homes and smart healthcare devices have become an inseparable part of our reality. While connectivity brings massive benefits, it is important to understand how to use cutting-edge technology in safe and secure ways.

3. Building Resilience in Critical Infrastructure

Building resilience in key systems such as electricity, financial institutions, water treatment facilities, public healthcare and transportation is another key theme of this year’s events. All of these systems store data and increasingly depend on it to operate. We recently addressed end-to-end security of the smart energy ecosystem at European Utility Week. The final week looks at how cybersecurity relates to keeping our traffic lights, running water, phone lines and other critical infrastructure safe.

There we have them: the key actions from Cyber Security Awareness Month, aimed at educating us on the importance of keeping our online identities safe. So, what will you do? Let us know by leaving a comment below or tweeting to us @Gemalto.

This report was taken from Gemalto.com

A deeper dive into GDPR: Identity and Access Management

October 18th, 2017

An important part of GDPR addresses the need to restrict access to personal data, information systems, equipment and their operating environments to authorised individuals. The regulation does not prescribe particular technologies, but strong authentication (including two-factor) and physical access controls are among the most direct ways to meet that requirement. Are you ready?

Mapping the GDPR articles to authentication
GDPR greatly expands what organisations must do to verify identity, and in practice makes reliance on a password alone hard to defend. Organisations will need to verify the legitimacy of user identities and transactions and be able to prove compliance, or face fines of up to €20 million or 4% of global annual turnover, whichever is higher. So let’s look at the articles of GDPR and how they call for stricter authentication controls.

Article 5 covers the principles relating to the processing of personal data. Among them is integrity and confidentiality: however data is processed, it must be protected against unauthorised access and loss. Multi-factor authentication supports this by checking that a user is who they claim to be, using a combination of something you have (a token or smart card), something you know (a PIN or password) and something you are (a biometric). The more independent factors used to establish a person’s identity, the greater the assurance.

Asking for a second authentication factor ensures a stolen password alone is not sufficient to gain unfettered access to sensitive systems.
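
As an added example of the "something you know" plus "something you have" combination (example code written for this page, not Gemalto's), the Python below verifies a salted PBKDF2 password hash and then a TOTP code per RFC 6238, with a one-step drift window and a replay guard so that a one-time code captured once cannot be used again in the same time step. The in-memory user store, the PBKDF2 work factor and the user names are assumptions for the example; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 and matches their published test vectors.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed in-memory user store (assumption); a real deployment uses a database.
_USERS = {}
PBKDF2_ROUNDS = 200_000      # assumed work factor for the password hash
TOTP_STEP = 30               # RFC 6238 default time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the current time step as the counter."""
    return hotp(secret, unix_time // step, digits)


def register(username: str, password: str, totp_secret: bytes) -> None:
    """Store a salted PBKDF2 hash of the password and the shared TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    _USERS[username] = {"salt": salt, "pw": pw_hash,
                        "secret": totp_secret, "last_counter": -1}


def login(username: str, password: str, code: str,
          now: Optional[int] = None) -> Tuple[bool, str]:
    """Require both factors. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    user = _USERS.get(username)
    if user is None:
        return False, "unknown user"
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(attempt, user["pw"]):
        # A production system returns one generic failure for every branch.
        return False, "bad password"
    counter = now // TOTP_STEP
    # Accept one step either side of "now" to absorb clock drift, but never a
    # step at or before the last one that succeeded: each code is single-use.
    for c in (counter - 1, counter, counter + 1):
        if c <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["secret"], c), code):
            user["last_counter"] = c
            return True, "ok"
    return False, "bad or reused one-time code"


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"        # the RFC 4226 test secret
    register("alice", "correct horse battery staple", demo_secret)
    print(login("alice", "correct horse battery staple", totp(demo_secret, int(time.time()))))
```

Two caveats a practitioner should keep in mind: the unknown-user branch returns faster than the bad-password branch, so a timing-equalised implementation runs a dummy PBKDF2 there as well; and a TOTP code relayed by a phishing site in real time is still valid within its time step, which is why phishing-resistant factors such as FIDO2 authenticators are preferred for privileged accounts.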

Article 24 says organisations must take appropriate security measures that respond to the risks and threats they face. This covers not only the data itself but also solutions that restrict access to corporate networks, protect the identities of users and ensure users are who they claim to be. As a first-line measure, requiring multiple factors of authentication to verify a user’s identity reduces the risk of unauthorised users reaching sensitive systems and manipulating data.

Article 32 calls for security of processing: organisations must consider the risks associated with processing, such as data loss and unauthorised access, when choosing the appropriate level of security. Authentication solutions make it harder for unauthorised users to access sensitive environments while also mitigating the risk posed by administrators with privileged access.

Authentication solutions such as Public Key Infrastructure (PKI) or access management services offer provisioning rules and policy engines that cover privileged users and the varying levels of assurance their roles need. Organisations can raise or lower the access requirements for their data and networks according to the sensitivity of the data concerned. In addition, PKI enables other security functions, such as digital signatures and email encryption, as well as physical access control.

Article 33 covers notification of a personal data breach to the supervisory authority, within 72 hours of becoming aware of it where feasible, which presupposes that you can tell who accessed what and when. A related requirement, in Article 32(4), is that individuals only process personal data on the controller’s instructions. Authentication and access management solutions apply rules in real time to users based on their group membership and their need to access certain categories of personal data. The default can keep users out of processing systems, or grant only narrow access until the data controller gives instructions; once processing is complete, administrators can return to a more restrictive default that prevents further processing. Some solutions also provide extensive logging and reporting, giving an up-to-date record of all authentication and management events, which is exactly what a breach investigation and notification needs.

Wrapping up
Authentication and access management solutions come in many shapes and sizes, including cloud access management, PKI, certificate-based authentication, one-time password authentication, identity federation, full lifecycle management and auditing tools. We hope you find this blog helpful in planning your authentication needs for GDPR.

For more information on GDPR’s due diligence requirements, along with other topical issues such as breach notification, security and data control obligations, check out our expanded ebook, The General Data Protection Regulation.

View the original post by Gemalto.

WPA2 vulnerability (KRACK attack)

October 17th, 2017

The attack is called KRACK (Key Reinstallation Attack), and details were published in true white-hat fashion by the imec-DistriNet research group of KU Leuven. Mathy Vanhoef and his co-author Frank Piessens identified ten vulnerabilities (CVE-2017-13077 through CVE-2017-13088, excluding 13083 and 13085) in the WPA and WPA2 protocols, which secure all modern protected Wi-Fi networks. The work was academically rigorous and responsibly disclosed, giving the industry time to prepare updates before publication.

Go to the Ruckus support site to learn about Ruckus’ counter-measures.

Broadly, the attack abuses how WPA/WPA2 implementations handle retransmitted handshake messages that cause an already-installed encryption key to be installed again. The vulnerabilities fall into two groups. The first group may allow the reinstallation of a pairwise transient key (PTK), a group temporal key (GTK) or an integrity group temporal key (IGTK) on either a wireless client or an access point, via the 4-way handshake, the group key handshake or the 802.11r Fast BSS Transition (FT) handshake. A transient key is derived per client and per session as part of the handshake; it is not the pre-shared key or the user’s credentials, and it is different for every client and every session.

The second group affects wireless supplicants that support 802.11z (Tunneled Direct-Link Setup, TDLS) or 802.11v (Wireless Network Management, specifically the WNM Sleep Mode Response frame), and the PeerKey handshake, and can likewise cause reinstallation of a pairwise key, group key or integrity group key.

When a key is reinstalled, the transmit packet number (the nonce) and the receive replay counter associated with it are reset to their initial values. The key itself is not revealed to the attacker. But because CCMP encrypts with AES in counter mode, reusing a nonce under the same key produces the same keystream twice, so an attacker who captures both frames and knows (or can guess) the content of one can decrypt the other; the reset replay counter also lets the attacker replay previously captured frames. Each client derives its own transient keys with the AP, so this is not a global attack but one against a specific, targeted client (or AP) within radio range. These vulnerabilities concern only the per-session transient keys; they do not expose passwords or other credentials such as certificates.
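
To make the nonce-reuse consequence concrete, here is an added Python model of a supplicant processing message 3 of the 4-way handshake (example code written for this page, not code from Ruckus or the KU Leuven researchers). It uses a stand-in keystream function, HMAC-SHA256 run in counter mode, in place of CCMP's AES counter mode; the property that matters, identical keystream for identical (key, nonce), holds for any counter-mode construction. The two frames, the PTK and the Supplicant class are constructed for the example. The patched variant acknowledges a retransmitted message 3 without reinstalling the key or resetting the packet number, which is what the vendor fixes amount to.

```python
import hashlib
import hmac
import os

# Constructed sample frames for the demonstration, not captured traffic.
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"   # content the attacker can guess
SECRET_PLAINTEXT = b"Cookie: session=9d1f2c7a3b; admin=1"           # content the attacker wants


def keystream(ptk: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for CCMP's AES counter mode: a PRF (HMAC-SHA256) keyed with the
    PTK and run over nonce || block counter. Like AES-CTR it yields the same
    keystream whenever (key, nonce) repeat, which is all KRACK needs."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(ptk, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of the client-side key install in the 4-way handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0             # packet number, used as the per-frame nonce
        self.installed = False

    def on_message3(self, ptk: bytes) -> bool:
        """Handle message 3, which tells the client to install the PTK.
        Returns True if the key was (re)installed."""
        if self.installed and self.patched:
            # Fix: still reply with message 4, but leave an already-installed
            # key alone so the packet number keeps counting upwards.
            return False
        self.ptk = ptk
        self.pn = 0             # the defect: reinstalling resets the nonce
        self.installed = True
        return True

    def send(self, plaintext: bytes):
        """Encrypt one frame and return (nonce, ciphertext)."""
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def run_handshake_attack(patched: bool):
    """Drive a client through the attack; returns the two frames it sent."""
    ptk = os.urandom(16)                 # per-session key the attacker never learns
    client = Supplicant(patched)
    client.on_message3(ptk)              # genuine message 3: key installed
    first = client.send(KNOWN_PLAINTEXT)
    # The attacker blocked message 4, so the AP retransmits message 3 and
    # the attacker forwards that retransmission to the client.
    client.on_message3(ptk)
    second = client.send(SECRET_PLAINTEXT)
    return first, second


def recover_secret(patched: bool):
    """Attacker's view: if the nonce repeats, keystream = C1 xor P1, and
    C2 xor keystream reveals P2. Returns None when the nonces differ."""
    (n1, c1), (n2, c2) = run_handshake_attack(patched)
    if n1 != n2:
        return None
    ks = xor(c1, KNOWN_PLAINTEXT)
    return xor(c2, ks)


if __name__ == "__main__":
    print("unpatched client leaks:", recover_secret(patched=False))
    print("patched client leaks:", recover_secret(patched=True))
```

Note what the model does not do: the attacker never obtains the PTK, only the keystream for one reused nonce, which is why the Ruckus advice below about passwords and certificates staying safe holds. On Android 6.0 and wpa_supplicant 2.4+ the reinstalled key was additionally cleared to all zeros, so the attacker needs no known plaintext at all.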

What does this mean for you?

1. Don’t panic. You do not need to shut down your Wi-Fi network; the Internet did not suffer the equivalent of an EMP attack.
  1. Vulnerabilities exist on both sides of the 4-way handshake (client and AP), and both sides need to be patched.
  2. Microsoft, Apple, Google, Intel and other major vendors have been working on fixes for these vulnerabilities for some months.
  3. Until client vendors provide updates, disabling 802.11r (Fast BSS Transition, also known as fast roaming) removes the AP-side vulnerability, which does not require tricking a client at all.
  4. Some client types are more exposed than others: Android 6.0 and later, and Linux clients running wpa_supplicant 2.4 and later, can be made to install an all-zero encryption key, which makes the attack trivial against them.
  5. iOS and Windows are not vulnerable to the 4-way handshake variant because they do not accept retransmissions of handshake message 3; they are still affected by the group key handshake variant until patched.
2. The sky isn’t falling. First, the attacker must be within radio range of the target. Second, while the attacker can decrypt client-to-AP traffic under AES-CCMP, they cannot forge and inject arbitrary frames into that session and cannot obtain authentication tokens or keys.
  1. To succeed, the attacker would need to be sophisticated, on site, and equipped with specialised hardware and software. At the time of writing there was no publicly available code that performs this attack.
  2. All current certificates and Wi-Fi passwords remain secure. This attack does not reveal passwords.
  3. Networks that use TKIP are additionally vulnerable to packet forgery and injection (as is GCMP, used with 802.11ad, in both directions); AES-CCMP does not permit injection. TKIP and WEP have been broken for years, so if your network still uses either, this is a good time to do something about it.
  4. A man-in-the-middle position is required first, because the 4th EAPOL message of the handshake must be intercepted or blocked so that the AP retransmits message 3. In practice the attacker clones the real AP’s MAC address on a different channel and relays frames between the client and the real AP.
  5. Mesh and point-to-point links may also be vulnerable (see above).

Steps You Can Take Now:

1. Mitigate the risks of a MitM attack. By default, Ruckus has rogue detection enabled and automatically classifies spoofed MAC addresses as a malicious threat, which can generate alarms for admins. Further, admins can enable APs to protect against man-in-the-middle attacks by deauthenticating clients that connect to a malicious rogue AP, which this attack requires.
2. Eliminate the 802.11r vulnerability. Ruckus disables 802.11r by default on all SSIDs. If it is enabled on your network, consider disabling it until a fix is in place.
3. Ruckus APs have additional protection against MitM attacks on mesh links, which raises the bar for an attacker trying to hijack a Ruckus mesh link. Mesh-enabled networks that are not using mesh can have it disabled on a per-node basis.
4. Refer to Ruckus Support. Security patches from Ruckus are forthcoming and will be posted as they become available.

The WPA/WPA2 protocol is not fundamentally flawed: the defect is in how retransmitted handshake messages are handled, so exposure is limited and fixable without throwing out WPA2 altogether. Software and firmware patches that address it are already being rolled out. Remember that, while concretely feasible, these attacks require not only proximity to your network but a degree of knowledge and sophistication well beyond, say, the Equifax breach, for a lot less return. We always recommend that anyone interested in securing their WLAN perform regular audits of their security infrastructure and procedures to ensure everything complies with best practices and vendor recommendations.

Additional Information:

Ruckus FAQ Security Advisory CloudPath

Ruckus Security Advisory

Deloitte data breach demonstrates why MFA and user access controls are a must

October 9th, 2017

The severe Deloitte breach revealed last week is indicative of several issues that many companies are slow to absorb when it comes to protecting intellectual property, reputation and customer data.

The move to the cloud can be a double-edged sword: according to IDC, worldwide spending on public cloud computing will increase from $67B in 2015 to $162B in 2020, a 19% CAGR. More and more companies are therefore storing sensitive systems, applications and data in the cloud. Cloud applications give organisations the best applications at a quick time to value, with no maintenance overhead and near-unlimited scalability. The immediate fulfilment and instant productivity of cloud apps come at a price, however: IT departments lose visibility into who is accessing which application, and risk increases as apps are managed from multiple disparate consoles.

Compromised credentials are the root cause of the majority of breaches: according to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords. Indeed, the Deloitte breach was reportedly caused when the attacker gained access to an administrator account on the email server by logging on with nothing more than a username and password.

Lack of effective monitoring: Brian Krebs, on his Krebs on Security blog, wrote earlier this week that ‘a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems’. This gap points to weak monitoring and a lack of central control over who was accessing which systems, when they were being accessed, and what access control measures were in place.

Cloud-based applications play a vital role in meeting productivity, operational and infrastructure needs in the enterprise. The points above show, however, that enterprises need to focus their cyber-security strategies on protections at the most vulnerable points. Effective access security mechanisms such as multi-factor authentication, privileged account management, cloud access management controls, and continuous monitoring of who is accessing which service, when and with what credentials, are vital front-line measures that can keep unwanted persons out of cloud and enterprise services and reduce the risk of a breach. Doing otherwise is akin to gambling with your data.
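
As an added example of the continuous monitoring this post calls for (example code written for this page, not Gemalto's), the Python below runs two checks over sign-in events in a JSON-lines format chosen for the example: successful sign-ins to privileged accounts that used only a password, and sources that produce a burst of failed logins within a short window, which is the signature of credential stuffing or password spraying. The field names, the role names, the thresholds and every event in the sample are constructed assumptions, with RFC 5737 documentation addresses as sources.

```python
import json
from collections import defaultdict

# Constructed sign-in events (JSON lines; fields chosen for the example, not real logs).
SAMPLE_LOG = """
{"ts": 1507500000, "user": "j.smith",    "role": "user",  "result": "success", "mfa": true,  "src": "203.0.113.7"}
{"ts": 1507500030, "user": "a.jones",    "role": "user",  "result": "failure", "mfa": false, "src": "198.51.100.23"}
{"ts": 1507500045, "user": "b.khan",     "role": "user",  "result": "failure", "mfa": false, "src": "198.51.100.23"}
{"ts": 1507500060, "user": "c.diaz",     "role": "user",  "result": "failure", "mfa": false, "src": "198.51.100.23"}
{"ts": 1507500075, "user": "d.wu",       "role": "user",  "result": "failure", "mfa": false, "src": "198.51.100.23"}
{"ts": 1507500090, "user": "e.ross",     "role": "user",  "result": "failure", "mfa": false, "src": "198.51.100.23"}
{"ts": 1507500105, "user": "a.jones",    "role": "user",  "result": "failure", "mfa": false, "src": "198.51.100.23"}
{"ts": 1507500120, "user": "admin-mail", "role": "admin", "result": "success", "mfa": false, "src": "198.51.100.23"}
{"ts": 1507500200, "user": "s.lee",      "role": "admin", "result": "success", "mfa": true,  "src": "203.0.113.9"}
{"ts": 1507500300, "user": "j.smith",    "role": "user",  "result": "failure", "mfa": false, "src": "203.0.113.7"}
{"ts": 1507500400, "user": "j.smith",    "role": "user",  "result": "failure", "mfa": false, "src": "203.0.113.7"}
"""

PRIVILEGED_ROLES = {"admin", "global-admin"}   # assumed role names
FAILURE_THRESHOLD = 5                           # failures from one source ...
WINDOW_SECONDS = 300                            # ... inside this sliding window


def parse_events(text):
    """One JSON object per non-empty line; malformed lines are counted, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def privileged_logins_without_mfa(events):
    """Successful sign-ins to privileged accounts that presented only a password."""
    return [{"user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events
            if e["result"] == "success" and e["role"] in PRIVILEGED_ROLES and not e["mfa"]]


def failed_login_bursts(events):
    """Sources with >= FAILURE_THRESHOLD failures inside any WINDOW_SECONDS span.
    Many distinct users from one source points to password spraying."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append((e["ts"], e["user"]))
    findings = []
    for src, attempts in by_src.items():
        attempts.sort()
        start, best = 0, 0
        for end in range(len(attempts)):          # two-pointer sliding window
            while attempts[end][0] - attempts[start][0] > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAILURE_THRESHOLD:
            findings.append({"src": src, "failures_in_window": best,
                             "distinct_users": len({u for _, u in attempts})})
    return findings


def analyse(text):
    """Run both checks and return the findings as plain dicts."""
    events, bad = parse_events(text)
    return {"unparsed_lines": bad,
            "privileged_no_mfa": privileged_logins_without_mfa(events),
            "bursts": failed_login_bursts(events)}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

In the sample, the same source that sprayed six failed attempts across five accounts then signs in successfully to an administrator account without a second factor; correlating the two findings by source is the step a SIEM rule would take next, and retaining these events with timestamps is what lets an organisation answer the "when, and for how long" question Deloitte could not.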

Avoid a data breach: get the Research and Best Practices Toolkit to do Web Application Security right.

View the original post by Gemalto.

6 Misconceptions about Network Security

October 3rd, 2017

When assessing or implementing network security, misconceptions can be dangerous: they put your company’s data at risk and, with it, your reputation, your revenue and possibly your business. With that in mind, be on guard against these six insidious misconceptions:

1. Threats only come from the outside. This is a common misconception, but a large share of security incidents originate inside the network. Some are the work of a malicious employee, but most are simply the result of ignorance. For example, an employee may bring his own unsecured device and use it for work. Another may have a hub under her desk to which she connects multiple machines, some of them personal. You need a diligent secure access strategy that includes internal security compliance checks to prevent such risks.

2. Our employees would never fall for a phishing scam. Yes, they would, and they do. Phishing is very sophisticated nowadays, with spear phishing campaigns personalised and tailored to a specific individual. Even a savvy employee can fall for an email that looks and sounds authentic.

3. Network access control (NAC) is too difficult to use. Five years ago that may have been the case: NAC was hard to understand, tough to implement and irritating for the end user. As business trends have evolved to support initiatives like BYOD and IoT, network access control has adapted to meet those demands. For example, Pulse Secure’s NAC solution, Policy Secure, is streamlined, simplified and user-friendly. You can profile your network and get a clear picture of exactly what resides on it and connects to it, internally and externally, and gain full visibility into which people and devices have access to what data.

4. Our firewall checks everything. It may, but the danger of relying on the VPN components bundled with next-generation firewalls is that they don’t always check the connecting endpoint. Contrast that with a Pulse secure access solution that validates software patches, applications and other elements through host checking before allowing a device onto the network and again during the connection, and you have a fast and reliable secure access solution that protects your company’s data.

5. The cloud is secure. We want to believe this, but it’s not that simple. The cloud is where everything is going; in essence, we are moving to huge server farms hosted by large organisations such as Google or AWS, whose primary offering is space, processing power and bandwidth. Their security responsibility ends at the infrastructure they provide; securing your own workloads, identities and access is still up to you. To protect that space, look to secure access experts for security platforms that can be deployed across hybrid IT environments.

6. Our security is good enough. This is the biggest and most dangerous misconception of all: companies assume that if their security was good enough last year or three years ago, it is good enough today, even if it hasn’t been updated since. So before you say “our security is good enough”, ask yourself: are you willing to bet your business on that? Ransomware can enter through a VPN session from a compromised endpoint or through exposed services, and then spread across the network, potentially encrypting everything it can reach. Don’t jump to that conclusion too fast: your network security could be on the line.

Maybe yesterday’s network security isn’t good enough. If you’re serious about security, it’s time for some serious security upgrades.

Learn more about the importance of upgrading hardware here.

View the original article by Pulse Secure.

Ruckus Expands “The Pack” on Unleashed

October 3rd, 2017

We are excited to announce new updates to the Ruckus Unleashed products, our Wi-Fi option for small organisations with limited IT resources. We are making the Unleashed products easier to manage and install without compromising on performance, and we are releasing three more Unleashed access points (APs). Let’s get right into the details.

The third software release of the year is packed with new features and capabilities. Here are some highlights:

• Ruckus R720, T610 and H320, our popular 802.11ac Wave 2 APs, are now part of the Unleashed family
  • R720: a premium Wave 2 AP with multi-gigabit backhaul, ideal for high-performance indoor use cases. H320: an entry-level Wave 2 AP that works well as an in-room access point. T610: a mid-range Wave 2 AP, ideal for medium-density outdoor deployments. This gives the Unleashed portfolio a wide variety of AP options.
• All-new Mobile App version 2
  • Social login: the Unleashed mobile app can sign in via Gmail, Twitter or Facebook accounts to manage Unleashed networks remotely and locally without altering your firewall.
  • Remote management: invite someone to deploy, manage or troubleshoot your Unleashed network with a simple text or email from the mobile app.
  • User interface (UI) enhancements
• Simplified and faster deployment: time to deploy an Unleashed network reduced by 33%
• Multi-site support
  • Unleashed can now be deployed across multiple small sites and managed with the mobile app or the new Ruckus Unleashed Multi-Site Manager. If you expect your business to grow and want a Wi-Fi solution that scales, this is it!
• Enhanced administrative control
  • Define network speed limits for each Unleashed network
  • Assign users to different VLANs based on their roles
• Multiple language support further enhanced; Italian added

Here is a sneak peek at the Unleashed mobile app.

Announcing SentinelOne 2.0 Version

September 27th, 2017

SentinelOne has announced version 2.0, introducing a simplified policy, improved prevention, detection and response, and many more features, fixes and enhancements. Their customers have been telling them what improvements they want to see in the product, and they are responding. Let’s go over the most significant changes.

Simple Policy

SentinelOne’s policy was never complex, yet they have simplified it further by removing any setting that was not completely clear to their customers.

The 2.0 policy is a simple choice between “Protect” and “Detect”. “Protect” means complete automation and autonomy: the agent takes responsibility for preventing and mitigating all threats without waiting for an analyst. “Detect” means you are running in EDR mode: the agent detects and reports, leaving response actions to the operator.

Another useful option is the distinction between Threats (high-confidence detections) and Suspicious activity, which can be assigned different policy modes. Try it out.

Controlling Engines

Under the hood of the SentinelOne agent, multiple engines run to provide full visibility and detection of malicious activity. SentinelOne recommends running all of its Static and Behavioral AI engines, but lets administrators control them through policy.

Prevention, Detection, and Response at Scale

Many have tested SentinelOne’s capabilities, and the results are available:

• Static AI (DFI) prevents malicious files and their variants from ever being executed on your devices.
• Behavioral AI specialises in catching zero-day and unknown attacks based on their behaviour, including file-less techniques and other new means of evading traditional AV solutions.

SentinelOne is always working on improvements. In the wild we see more and more campaigns that spread without anyone opening a file, for example WannaCry propagating through the EternalBlue SMB exploit. The reason is obvious: why expend effort on a file that will become a blocked signature within days? It is common for attackers to compromise a weak host on a network and use it to reach other devices on the same network. SentinelOne has invested further in its behavioural AI engines to improve detection of such flows. When the agent detects a risk, it already has the full context: users, processes, command line arguments, registry, files on disk, external communication and more.

Forensics Analysis Improvements

Once something is detected, it helps to see the full context of the attempt: where it came from and what it tried to do, even if “Protect” mode mitigated it automatically. To make this easy, SentinelOne has improved what you see and what you can do. Starting in 2.0:

You can see:

• Which of the engines detected it.
• A link to the VirusTotal entry (for known threats) and to a Google search.
• More forensic information, including the username and the full command line arguments used by every process during the incident.

You can do:

• More exclusion options: by hash, path, certificate, file type or browser type.
• Quickly exclude for a specific incident directly from the forensics analysis view.

Full Disk Scan

Many customers asked for the option to scan a device, and Full Disk Scan is now available for the Windows and macOS agents. Whether you are worried about dormant malware or concerned with audit and compliance, you can choose a group from the console and initiate a scan, or install the agent with a flag that triggers a full disk scan. This is a good way to get value on day one.

More improvements starting in 2.0

• Performance improvements (cross-platform)
• Click-through EULA
• SSO support for the management console login
• VSS disk space does not exceed 10% (unless the administrator configures a different limit)
• Support tools and remote troubleshooting options for your agents
• Additional proxy options, including failover to a direct connection (for roaming devices) and authenticated proxies
• The auto-immune flow is improved and now acts on verified threats only
• Document names are not sent to the console unless the document is malicious
• Support for the Windows agent on single-core machines

What’s next?

The SentinelOne team is already working on the next release, planned for later this year. It will include improved deployment flows, more reporting options, agent configuration and more policy options, initial scan support (no reboot needed), and static detection indicators for a better understanding of detection reasons.

Stay tuned!

View the original post by SentinelOne.

Palo Alto Networks Strengthens Ransomware Prevention Capabilities With New Traps Advanced Endpoint Functionality

September 25th, 2017

New features enable customers to prevent malware and kernel exploit attacks.

Palo Alto Networks, the next-generation security company, today announced enhancements to its Traps™ advanced endpoint protection offering that strengthen its ransomware prevention by monitoring for new techniques and ransomware behaviour and, upon detection, blocking the attack and the resulting encryption of data.

As ransomware attacks continue to escalate in both sophistication and frequency, organisations are working quickly to protect themselves from falling victim to the next attack. According to Cybersecurity Ventures, ransomware will cost organisations more than $5 billion in 2017, more than 15 times the damages absorbed in 2015.

To protect themselves from the evolving threat of ransomware, most organisations deploy multiple security point products and software agents on their endpoints, including one or more legacy antivirus products. The protection these signature-based products provide continues to lag behind the speed of ransomware attacks, which can spread throughout an organisation in a matter of minutes, compared with the hours or days it can take a customer to receive a signature update.

Combined with its existing ransomware prevention and other multi-method prevention capabilities, Traps offers effective ransomware protection and helps organisations avoid the productivity losses associated with inaccessible data. Traps secures endpoints by combining multiple defensive techniques, preventing known and unknown attacks before they can compromise the endpoint.

QUOTES

“Traps 4.1 takes endpoint security to the next level and continues to bring more innovative and impressive capabilities to address the modern threat landscape. The added ransomware capabilities and ease of deployment across Windows and MacOS clients further cement Traps as a necessary standard for any organisation serious about their endpoint security strategy.”
Bryan Norman, chief executive officer, Norlem Technology Consulting

“Ransomware attacks will continue to increase in frequency and sophistication for the foreseeable future, and with the new capabilities introduced today in version 4.1, Traps is better able to preemptively stop these attacks and protect our way of life in the digital age.”
Lee Klarich, chief product officer, Palo Alto Networks

Key advancements introduced in Traps version 4.1 include:

Behavior-based ransomware protection adds a layer of malware prevention to the existing capabilities without relying on signatures or known samples. Traps monitors the system for ransomware behaviour and, upon detection, immediately blocks the attack and prevents encryption of end-user data.

Enhanced kernel exploit prevention protects against new exploit techniques used to inject and execute malicious payloads, like those seen in the recent WannaCry and NotPetya attacks, by stopping advanced attacks before the exploitation phase begins.

Local analysis for macOS provides added protection against unknown attacks for a growing macOS® user base.

AVAILABILITY
Traps version 4.1 is generally available to Palo Alto Networks customers with an active support contract.

LEARN MORE
Traps advanced endpoint protection
Traps: Expanding Ransomware Protection for Current and Future Threats (blog post)
Palo Alto Networks Next-Generation Security Platform

View the original post by Palo Alto Networks.

    First Half 2017 Breach Level Index Report: Identity Theft and Poor Internal Security Practices Take a Toll

    September 25th, 2017

    Gemalto, the world leader in digital security, today released the latest findings of the Breach Level Index, a global database of public data breaches, revealing 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017. Compared to the last six months of 2016, the number of lost, stolen or compromised records increased by a staggering 164%. A large portion came from the 22 largest data breaches, each involving more than one million compromised records. Of the 918 data breaches more than 500 (59% of all breaches) had an unknown or unaccounted number of compromised data records.

    The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious versus those that are truly impactful.

    According to the Breach Level Index, more than 9 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. During the first six months of 2017, more than ten million records were compromised or exposed every day, or one hundred and twenty-two records every second, including medical, credit card and/or financial data or personally identifiable information. This is particularly concerning, since less than 1% of the stolen, lost or compromised data used encryption to render the information useless, a 4% drop compared to the last six months of 2016.

    “IT consultant CGI and Oxford Economics recently issued a study, using data from the Breach Level Index and found that two-thirds of firms breached had their share price negatively impacted. Out of the 65 companies evaluated the breach cost shareholders over $52.40 billion,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “We can expect that number to grow significantly, especially as government regulations in the U.S., Europe and elsewhere enact laws to protect the privacy and data of their constituents by associating a monetary value to improperly securing data. Security is no longer a reactive measure but an expectation from companies and consumers.”

    Primary Sources of Data Breaches

    Malicious outsiders made up the largest percentage of data breaches (74%), an increase of 23%. However, this source accounted for only 13% of all stolen, compromised or lost records. While malicious insider attacks made up only 8% of all breaches, the number of records compromised was 20 million, up from 500,000, an increase of over 4,114% from the previous six months.

    Leading Types of Data Breaches

    For the first six months of 2017, identity theft was the leading type of data breach in terms of incidents, accounting for 74% of all data breaches, up 49% from the previous six months. The number of records compromised in identity theft breaches increased by 255%. The most significant shift was in the nuisance category of data breaches, which represented 81% of all lost, stolen or compromised records. However, in terms of the number of incidents, nuisance-type attacks were only slightly over 1% of all data breaches. The number of compromised records from account access attacks declined by 46%, after a significant spike in the 2016 BLI full-year report.

    Biggest Industries Affected by Data Breaches

    Most of the industries the Breach Level Index tracks had more than a 100% increase in the number of compromised, stolen or lost records. Education witnessed one of the largest increases in breaches, up by 103%, with an increase of over 4,000% in the number of records. This is the result of a malicious insider attack compromising millions of records from one of China’s largest comprehensive private educational companies. Healthcare had a relatively similar number of breaches compared to the last six months of 2016, but stolen, lost or compromised records increased 423%. The U.K.’s National Health Service was one of the top five breaches in the first half with over 26 million compromised records. Financial services, government and entertainment were also industries that experienced a significant jump in the number of breached records, with entertainment breach incidents increasing 220% in the first six months of 2017.

    Geographic Distribution of Data Breaches

    North America still makes up the majority of all breaches and the number of compromised records, both above 86%. The number of breaches in North America increased by 23%, with the number of records compromised skyrocketing by 201%. Traditionally, North America has always had the largest number of publicly disclosed breaches and associated record numbers, although this is poised to change in 2018 when global data privacy regulations like the European General Data Protection Regulation (GDPR) and Australia’s Privacy Amendment (Notifiable Data Breaches) Act are enforced. Europe had only 49 reported data breaches (5% of all breaches), which is a 35% decline from the previous six months.

    Related Resources:
    – For a full summary of data breach incidents by industry, source, type and geographic region, download the First Half 2017 Breach Level Index Report
    – Download the infographic here
    – Visit the BLI website here

    View original article by Gemalto.

    SentinelOne Announces New Deep Visibility Module for Breakthrough IOC Search and Threat Hunting on the Endpoint

    September 14th, 2017

    New Capabilities Enable Untethered View into All Endpoint Activities and Network Traffic – Encrypted and Clear Text.

    SentinelOne, a pioneer in delivering autonomous AI-powered security for the endpoint, datacenter and cloud, today launched its new Deep Visibility module for the SentinelOne Endpoint Protection Platform (EPP), making it the first endpoint protection solution to provide unparalleled search capabilities for all indicators of compromise (IOCs) regardless of encryption and without the need for additional agents.

    “We are bringing visibility to every edge of the network – from the endpoint to the cloud,” said Tomer Weingarten, CEO of SentinelOne. “Deep Visibility enables search capabilities and visibility into all traffic since we see it at the source and monitor it from the core. We know that more than half of all traffic is encrypted – including malicious traffic – which makes a direct line of sight into all traffic an imperative ingredient in enterprise defence.”

    Deep Visibility extends the company’s current endpoint suite abilities to provide full visibility into endpoint data, leveraging its patented kernel-based monitoring, for complete, autonomous, and in-depth search capabilities across all endpoints – even those that go offline – for all IOCs in both real-time and historical retrospective search. SentinelOne EPP with Deep Visibility enables customers to fully automate their detection to response workflow while also gaining unprecedented insight into their environment.

    Deep Visibility also empowers customers to gain insights into file integrity and data integrity by monitoring file characteristics and recording data exports to external storage.

    Deep Visibility monitors traffic at the end of the tunnel, which allows an unprecedented tap into all traffic without the need to decrypt or interfere with the data transport. This, in turn, provides a rich environment for threat hunting, which includes powerful filters, the ability to take containment actions, and fully automated detection and response.

    Since Deep Visibility does not require an additional agent and is a holistic part of the SentinelOne EPP platform, it is fully integrated into the investigation, mitigation and response capability sets, including process forensics, file and machine quarantine, and fully automated, dynamic remediation and rollback capabilities.

    Additionally, Deep Visibility does not require any changes to network topology and does not require any certificates for installation. Visibility into encrypted traffic further enriches forensics insights and empowers security analysts with more holistic investigation capabilities without impacting the end-user experience.

    “Deep Visibility is a breakthrough that will redefine how we think about perimeters,” said Weingarten. “Gaining visibility into the data pathways marks the first milestone for a real, software-defined edge network that can span through physical perimeters, to hybrid datacenters and cloud services. This is the beginning of the network of the future.”

    In addition to Deep Visibility, SentinelOne EPP will also offer several new capabilities that further enrich visibility into customer environments and threats. Key capabilities include:

    • Support for new platforms Amazon Linux AMI and Oracle Linux to expand visibility into critical server environments
    • Full disk scan support to discover latent threats
    • Richer forensics insights to help identify the source of threats and build attack storylines

    Current SentinelOne customers can upgrade to a new agent with access to Deep Visibility by working with their customer success managers. Prospective customers can learn more about SentinelOne EPP and the new Deep Visibility capabilities here.

    View the original article by SentinelOne.


    Three key actions from Cyber Security Awareness Month you can take

    October 20th, 2017

    In a world where the Internet has become a significant part of our everyday lives, we all need to be responsible for making sure our online identities are kept safe and secure. Much of our personal data is stored online, which exposes us very easily to all sorts of threats. In a year of high-profile hacks and security vulnerabilities hitting the news headlines, businesses and consumers are thinking a lot more about their online security. That’s what the Cyber Security Awareness Month is all about.

    What is Cyber Security Month?

    October is National Cyber Security Awareness Month (NCSAM) in the US, an annual campaign that aims to raise awareness about cybersecurity. This year also marks the 5th anniversary of the European Cyber Security Awareness Month. NCSAM was launched by the National Cyber Security Alliance and the Department of Homeland Security in October 2004. It’s a collaborative effort between government and industry to ensure that everyone – from consumers and small businesses to corporations and academia – has the resources they need to stay safe and secure online. NCSAM carries the global message that cybersecurity is one shared responsibility.

    This year kicked off with a global launch event to highlight the international adoption of Cyber Security Awareness Month. Let’s look into some of the main actions we can take.

    1. Focus on consumers and their online safety

    With the first few weeks of the initiative now behind us, we saw an even stronger focus on consumers and their online safety. This year also marks the 7th anniversary of the STOP. THINK. CONNECT. campaign, which aims to help all consumers stay safe and secure online. It is based on three easy-to-follow, actionable practices:

  • STOP: make sure security measures are in place
  • THINK: about the consequences of your actions online
  • CONNECT: and enjoy the internet

    Week 1 addressed the top consumer cyber concerns, encouraging users to be more vigilant about using the Internet and sharing their personal data online.

    Simple steps to stay safe online include using stronger authentication such as two-factor or biometrics, making your passwords long and strong, and sharing or opening files with care, to name just a few.

    We have a good and detailed checklist here: 10 tips to prepare for Cyber Security month. The most important tips include:

  • Make sure your password is secure
  • Regularly update your software
  • Beware of email scams
  • Password protect your laptop and smart devices
  • Install malware protections

    The Internet touches almost all aspects of our everyday lives, so it is important that consumers are made aware of its most common risks. In the video below, former ethical hacker Jason Hart, who now works for Gemalto, explains how a man-in-the-middle attack works. A man-in-the-middle attack is where a hacker inserts themselves into a conversation between two parties and can affect your PC, mobile and the Wi-Fi network.

    Here are videos of Jason Hart explaining how a phishing scam and a karma attack work.

    2. Today’s predictions for tomorrow’s internet

    We live in an incredibly connected world with smart devices populating every aspect of our lives. There are many ways that an attacker can access data on our connected devices. So, how do we secure the Internet of Things? Data is the fuel that makes smart devices work, so looking for ways to secure it is essential. We see three essential pillars to secure IoT data at rest and in motion: securing the device, securing the cloud and managing the lifecycle of security components in the IoT. The importance of securing the IoT has also been recognized by the US government. Earlier this year two US lawmakers proposed new legislation that will seek to address the vulnerabilities in IoT devices.

    Smart cars, connected homes and smart healthcare devices have become an inseparable part of our reality. And while there are massive benefits of connectivity, it is important to understand how to use cutting-edge tech in safe and secure ways.

    3. Building Resilience in Critical Infrastructure

    Building resilience in key systems like electricity, financial institutions, water treatment facilities, public healthcare and transportation is another key theme of this year’s events. These are all systems that store data and depend on it to run. We recently addressed end-to-end security of the smart energy ecosystem at European Utility Week. The final week will look at how cybersecurity relates to keeping our traffic lights, running water, phone lines and other critical infrastructure safe.

    There we have them – the key actions from cyber security awareness month, aiming to educate us on the importance of keeping our online identities safe. So, what will you do? Let us know by leaving a comment below or tweeting to us @Gemalto.

    This report was taken from Gemalto.com

    A deeper dive into GDPR: Identity and Access Management

    October 18th, 2017

    An important part of GDPR addresses the need for strong, two-factor authentication, as well as physical access controls that limit access to organisational information systems, equipment and their operating environments to authorised individuals. Are you ready?

    Mapping the GDPR article to authentication
    GDPR greatly expands the requirements for organisations to prove identity and basically aims to get rid of the password once and for all. Organisations will need to verify the legitimacy of user identities and transactions and to prove compliance, or face big fines, which can be more than four percent of an organisation’s global revenue or €25 million. So let’s take a look at the articles of GDPR and how they call for stricter authentication controls.

    Article 5 covers principles relating to the processing of personal data. It says that, however data is processed, it needs to be secured from unauthorised access and loss. This is achieved through multi-factor authentication. Multi-factor authentication ensures a user is who they claim to be and can be achieved using a combination of the following factors: something you have (such as a token or smart card), something you know (a PIN or password) and/or something you are (a biometric). The more factors used to determine a person’s identity, the greater the trust in its authenticity.

    Asking for a second authentication factor ensures a simple stolen password won’t be sufficient to gain unfettered access to sensitive systems.

    Article 24 says organisations are required to take reasonable security measures that respond to the likely risks and threats they face. This not only covers the data itself, but calls for solutions that restrict access to corporate networks, protect the identities of users, and ensure users are who they claim to be. As a first line approach to data security, requiring multiple factors of authentication to verify a user’s identity helps mitigate the risk of unauthorised users accessing sensitive systems to manipulate data.

    Article 32 calls for additional security of processing, and calls for organisations to consider the risk associated with data processing such as data loss and unauthorised access when choosing the right level of security. Authentication solutions make it harder for unauthorised users to access sensitive environments while also mitigating the risk posed by administrators with privileged access.

    Authentication solutions such as Public Key Infrastructure (PKI) or access management services offer a complete set of provisioning rules and policy engines that cover privileged users and the varying levels of security they may need for their roles. Organisations can increase or decrease the level of access security to their data and network according to the level of sensitivity of the data concerned. In addition, PKI allows for other advanced security functionality, such as digital signature and email encryption as well as physical access that we’ll talk about next.

    Article 33 covers notification of a personal data breach to the supervisory authority. Organisations will need to ensure individuals only process data when authorised. Authentication solutions automatically apply rules in real time to users based on their group membership and their need to access certain levels of private data. The rules’ default setting can keep users out of processing systems, or offer only a narrow level of access until instructions are given from the data controller. Once processing is complete, administrators can return settings to a more restrictive default that prevents any further data processing. In addition, some authentication solutions provide extensive log and report mechanisms to give up-to-date snapshots of all authentication and management events.

    Wrapping up
    Authentication and access management solutions come in many shapes and sizes, including cloud access management, PKI, certificate-based authentication, one-time password authentication, identity federation, complete lifecycle management and auditing tools. We hope you find this blog helpful in planning your authentication needs for GDPR.

    For more information on GDPR’s due diligence requirements along with other topical issues such as breach notification, security, and data control obligations, check out our expanded ebook, The General Data Protection Regulation.

    View the original post by Gemalto.

    WPA2 vulnerability (KRACK attack)

    October 17th, 2017

    The exploit is called KRACK and details about this vulnerability have been published in true White Hat fashion, by the Imec-DistriNet research group of KU Leuven. Mathy Vanhoef and his team have identified as many as ten vulnerabilities in the WPA and WPA2 protocols, which secure all modern protected Wi-Fi networks. These vulnerabilities were academically well-researched and responsibly reported in a manner allowing the industry to proactively prepare updates.

    Go to the Ruckus support site to learn about Ruckus’ counter-measures.

    Broadly, the exploit deals with how the WPA/WPA2 protocol handles requests to reinstall the encryption keys used to encode/decode traffic between a wireless client and an AP. The vulnerabilities can be described in two groups. The first set of vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point. A transient key is one that is derived as part of the encryption of individual client sessions. It is not the PSK or user credentials and is a temporary key that is different for every client and every session.

    The second set of vulnerabilities may affect wireless supplicants supporting either the 802.11z (Extensions to Direct-Link Setup) standard or the 802.11v (Wireless Network Management) standard. This could also allow the reinstallation of a pairwise key, group key, or integrity group key.

    If a compromised key is installed (via a reinstallation procedure) an attacker can theoretically decrypt the transmissions between a client and an AP. Note, however, that each wireless client creates different temporary encryption keys that it uses with an AP. This is not a global attack but rather attacks a specific, targeted device. These vulnerabilities also only deal with the encryption of data using transient keys that are derived as part of the WPA2 protocol for each session. They are not the same as passwords or any other kind of credentials such as certificates.

    What does this mean for you?

    1. Don’t panic. No, you do not need to shut down your Wi-Fi network. The Internet did not suffer the equivalent of an EMP attack.
      1. Vulnerabilities exist on both sides of the 4-way handshake relationship (client and AP) and both sides need to be patched.
      2. Microsoft, Apple, Google, Intel, and other major vendors have been working on fixing these vulnerabilities for a few months now.
      3. Until client vendors provide updates, disabling 802.11r can help mitigate the attack by eliminating one source of vulnerability (Fast BSS Transitions, otherwise known as 802.11r roaming).
      4. Some client types, such as Android 6 are more vulnerable than others.
      5. iOS and Windows are not vulnerable to the first set of exploits because they don’t accept retries of handshake message 3.
    2. The sky isn’t falling. One, the attack must happen on-premises. Two, while the attacker can decrypt client-to-AP traffic, the attacker cannot inject arbitrary traffic into a WPA2-AES session and cannot get any authentication tokens or keys.
      1. To be successful, the attacker would need to be sophisticated, onsite, and armed with specialized hardware and software. To reiterate, there is currently no publicly available code that enables this attack.
      2. All current certificates and Wi-Fi passwords are still secure. This attack does not reveal passwords.
      3. While networks that use TKIP are vulnerable to packets being injected into the stream, AES does not allow for code injection. (TKIP and WEP have been broken for years, so if your network still uses either, this may be a good time to do something about it.)
      4. A MitM (Man-in-the-Middle) attack is required prior to performing this because the 4th EAPOL message (part of the handshake) must be intercepted/prevented in order to allow retries of handshake message 3. This means that the attacker must spoof the MAC of the AP.
      5. Mesh and PtP links may be vulnerable (please see above).
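    The key-reinstallation mechanism described above, as an added Python model that is not Ruckus’, KU Leuven’s or any vendor’s code: a toy supplicant installs the PTK on handshake message 3, the vulnerable variant reinstalls it and resets its packet number on a retransmitted message 3 (the behaviour the first set of vulnerabilities relies on), and the patched variant refuses to reinstall a key already in use, as iOS and Windows do. The keystream function is a stand-in for CCMP, the PTK value is constructed, and `packet_number_went_backwards` is an assumed defender-side check over one client’s captured packet numbers.

```python
"""Toy model of the WPA2 key-reinstallation flaw (KRACK) and its fix.

Added illustration, not vendor or KU Leuven code. The keystream function
stands in for CCMP, whose per-packet keystream depends on the PTK and the
packet number (the nonce); a repeated (key, nonce) pair is the damage a
reinstalled key causes.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream derived from (PTK, packet number)."""
    digest = hashlib.sha256(ptk + packet_number.to_bytes(6, "big")).digest()
    return digest[:length]


@dataclass
class Supplicant:
    """A Wi-Fi client's view of the 4-way handshake after messages 1 and 2."""
    ptk: bytes                      # pairwise transient key for this session
    patched: bool                   # apply the "never reinstall an installed key" fix
    installed: bool = False
    tx_pn: int = 0                  # CCMP packet number; must never repeat under one PTK
    log: list[str] = field(default_factory=list)

    def on_message3(self) -> None:
        """Handle message 3 of the handshake, possibly a retransmission."""
        if self.installed and self.patched:
            # Fixed behaviour (what iOS and Windows already did): the key is in
            # use, so only message 4 is re-sent and nothing is reinstalled.
            self.log.append("msg3 retry ignored (key already installed)")
            return
        # Original state-machine behaviour: (re)install the PTK and reset the
        # packet number to zero. Correct for the first message 3, fatal on a retry.
        self.installed = True
        self.tx_pn = 0
        self.log.append("PTK installed, packet number reset to 0")

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        """Encrypt one frame; returns (packet number used, ciphertext)."""
        ks = keystream(self.ptk, self.tx_pn, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        used = self.tx_pn
        self.tx_pn += 1
        return used, ciphertext


def run_handshake(patched: bool) -> dict:
    """Install the key, send two frames, receive a retransmitted message 3
    (its message 4 having been blocked), then send one more frame. Returns
    the packet numbers used so nonce reuse can be checked."""
    client = Supplicant(ptk=b"\x11" * 16, patched=patched)  # constructed PTK
    client.on_message3()                               # legitimate message 3
    used = [client.encrypt(b"frame-A")[0], client.encrypt(b"frame-B")[0]]
    client.on_message3()                               # retransmitted message 3
    used.append(client.encrypt(b"frame-C")[0])
    return {"packet_numbers": used,
            "nonce_reused": len(used) != len(set(used)),
            "log": client.log}


def packet_number_went_backwards(observed: list[int]) -> bool:
    """Assumed defender-side check on one client's packet numbers under one key:
    CCMP packet numbers strictly increase, so a decrease or repeat signals a
    reset, i.e. a key reinstallation, and is worth an alert."""
    return any(later <= earlier for earlier, later in zip(observed, observed[1:]))


if __name__ == "__main__":
    for patched in (False, True):
        result = run_handshake(patched)
        print("patched" if patched else "vulnerable", result["packet_numbers"],
              "nonce reused:", result["nonce_reused"])
```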

    Steps You Can Take Now:

    1. Mitigate the risks caused by a MitM attack. By default, Ruckus has rogue detection enabled and automatically classifies spoofed MACs as a malicious threat, which can generate alarms for admins. Further, admins can enable APs to protect against Man-in-the-Middle attacks by deauth’ing clients connecting to a malicious rogue AP, which is required to carry out this attack.
    2. Eliminate the 802.11r vulnerability. Ruckus disables 802.11r by default on all SSIDs. If it is enabled on your network, consider disabling it until a fix is in place.
    3. Ruckus APs have additional protection against MitM attacks on Mesh links – this means an attacker would need to be even more sophisticated to hijack a Ruckus Mesh link. Mesh-enabled networks that are not using mesh can have it disabled on a per-node basis.
    4. Refer to Ruckus Support. Security patches from Ruckus are forthcoming and will be posted as they are available.

    The WPA/WPA2 protocol is not fundamentally flawed. This means that exposure is limited and fixable without throwing out WPA2 altogether. Software/firmware patches that address this are already being rolled out. It is important to remember that, while concretely feasible, these attacks require not only access to your network, but a degree of knowledge and sophistication well beyond, say, the Experian hack, for a lot less return. We always recommend that anyone interested in securing their WLAN network should perform regular audits of their security infrastructure and procedures to ensure everything is in compliance with best practices and vendor recommendations.

    Additional Information:

    Ruckus FAQ Security Advisory CloudPath

    Ruckus Security Advisory

    Deloitte data breach demonstrates why MFA and user access controls are a must

    October 9th, 2017

    The severe Deloitte breach revealed last week is indicative of several issues that many companies are seemingly slow to absorb when it comes to protecting intellectual property, reputation and customer data.

    The move to the cloud can be a double-edged sword: According to IDC, worldwide spending on public cloud computing will increase from $67B in 2015 to $162B in 2020, a 19% CAGR. This means that more and more companies are storing sensitive systems, applications and data in the cloud. Cloud applications are excellent at providing organisations with the best applications at a quick time to value, zero maintenance overhead and infinite scalability. The immediate fulfillment and instant productivity provided by cloud apps come, however, with a price tag: IT departments lose visibility into who is accessing what application. And risk increases as apps are managed from multiple disparate consoles.

    Compromised credentials are the root cause of the majority of breaches: According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Indeed, the Deloitte breach was apparently caused when the hacker gained access to an administrator email server account by logging on with a simple username and password.

    Lack of effective monitoring systems: Brian Krebs, in his Krebs on Security blog, wrote earlier this week that ‘a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems’. This gap may reflect weak monitoring systems and a lack of central control over who was accessing various systems and when, together with a lack of visibility into the access control measures in place.

    Cloud-based applications play a vital role in fulfilling productivity, operational and infrastructure needs in the enterprise. The points mentioned above indicate, however, that enterprises need to be focused in their cyber-security strategies and implement protections at the most vulnerable points. Applying effective access security mechanisms such as multi-factor authentication, privileged account access and cloud access management controls, as well as continuously monitoring who is accessing which service, when and with what credentials, are vital front-line security measures that can prevent unwanted persons from accessing cloud and enterprise services and reduce the risk of breach. Doing otherwise is akin to gambling with your data.

    Avoid a data breach, get the Research and Best Practices Toolkit to do Web Application Security right.

    View the original post by Gemalto.

    6 Misconceptions about Network Security

    October 3rd, 2017

    When assessing or implementing network security, misconceptions can be dangerous, leading your company’s data to be at risk and, with it, your reputation, your revenue, and possibly your business. With that in mind, be on guard against these six insidious misconceptions:

    1. Threats only come from the outside. This is a common misconception, but the truth is that most infiltration issues and security breaches happen from inside the network. While this could be due to a malicious employee, most often it is simply the result of ignorance. For example, an employee may bring his own device and use it for work – but it is unsecured. Another person may have a hub sitting underneath her desk to which she connects multiple machines – some of which are personal. You must have a diligent secure access strategy in place that includes internal security compliance to prevent such security risks.

    2. Our employees would never fall for a phishing scam. Yes, they would. And they do. Phishing is very sophisticated nowadays, with spear phishing campaigns that are personalized and tailored to a specific individual. Even a savvy employee can fall prey to an email that looks and sounds authentic.

    3. Network access control (NAC) is too difficult to use. Five years ago, that may have been the case. NAC was hard to understand, tough to implement, and irritating for the end user. With business trends evolving to support initiatives like BYOD and IoT, however, network access control has also adapted to meet such demands. For example, Pulse Secure’s NAC solution, Policy Secure, is streamlined, simplified, and user-friendly. You can easily profile your network and get a clear picture of exactly what is residing on it and connecting to it, both internally and externally. Plus, you can gain full visibility into which people and devices have access to what data.

    4. Our firewall checks everything. It may – but the danger of using VPN components that are offered by next-generation firewalls is that they don’t always perform enough checks. Contrast that with a Pulse security solution that validates software patches, apps, and other elements through host-checking capabilities prior to allowing them on the network as well as during connections, and you’ve got yourself a fast and reliable secure access solution that will protect your company’s data yesterday, today, and tomorrow.

    5. The cloud is secure. We want to believe this, but it’s not that simple. The cloud is where everything is going; in essence, we are moving to huge server farms hosted by large organizations such as Google or AWS, and their primary product offering is space, processing power, and bandwidth – not security. That is their niche and their expertise. To protect that space, you must look to the secure access experts for the best security platform solutions that can be deployed across hybrid IT environments.

    6. Our security is good enough. This is the biggest and most dangerous misconception of all: companies assume that if their security was good enough last year or three years ago, it is good enough today … even if it hasn’t been updated in recent history. So, before you say, “Our security is good enough,” ask yourself: are you willing to bet your business on that? Ransomware can get through VPNs or open ports outside the network, potentially encrypting your entire network. Don’t jump onto this bandwagon too fast: your network security could be on the line.

    Maybe yesterday’s network security isn’t good enough. If you’re serious about security, it’s time to do some serious security upgrades.

    Learn more about the importance of upgrading hardware here.

    View the original article by Pulse Secure.

    Ruckus Expands “The Pack” on Unleashed

    October 3rd, 2017

    We are excited to announce new updates to the Ruckus Unleashed products, our Wi-Fi option for small organizations with limited IT resources. We are making the Unleashed products easier to manage and install without compromising on performance. We are also releasing three more Unleashed access points (APs). Let’s get right into the details.

    The third software release of the year is packed with exciting features and capabilities. Here are some highlights:

    • Ruckus R720, T610 and H320 – our popular 802.11ac Wave 2 APs are now part of the Unleashed family
      • R720, a premium Wave 2 AP with multi-gigabit backhaul, ideal for high-performance indoor use cases; H320, an entry-level Wave 2 AP that works well as an in-room access point; T610, a mid-range Wave 2 AP, ideal for medium-density outdoor deployments. This gives the Unleashed portfolio a wide variety of AP options.
    • All-new mobile app, version 2
      • Social login – the Unleashed mobile app can sign in with Gmail, Twitter or Facebook accounts to manage Unleashed networks remotely and locally without altering your firewall.
      • Remote management – invite someone to deploy, manage or troubleshoot your Unleashed network with a simple text or email from the mobile app.
      • User interface (UI) enhancements
    • Simplified and faster deployment – time to deploy an Unleashed network reduced by 33%
    • Multi-site support
      • Unleashed can now be deployed across multiple small sites and managed with the mobile app or the new Ruckus Unleashed Multi-Site Manager. If you expect your business to grow and want a Wi-Fi solution that scales, this is it.
    • Enhanced administrative control
      • Define network speed limits for each Unleashed network
      • Assign users to different VLANs based on their roles
    • Multiple-language support further enhanced; Italian added

    Here is a sneak peek at the Unleashed mobile app.

    Announcing SentinelOne 2.0 Version

    September 27th, 2017

    SentinelOne has announced version 2.0 of its platform, introducing a simplified policy, improved prevention, detection and response, and many more features, fixes and enhancements. Customers have been telling SentinelOne what improvements they want to see in the product, and this release responds to them. Let’s go over the most significant changes.

    Simple Policy

    SentinelOne’s policy was never complex, yet they have simplified it further by removing any setting that was not 100% clear to their clients.

    The new policy in 2.0 is a simple choice between “Protect” and “Detect”. Choosing “Protect” means complete automation and autonomy: the agent takes responsibility for preventing and mitigating all threats. Choosing “Detect” means you are running in EDR mode, with threats recorded and surfaced for an analyst rather than mitigated automatically.

    Another option you will find useful is the differentiation between Threats – high confidence detections, and Suspicious activity, so you can assign them different policy modes. Try it out.

    Controlling Engines

    Under the hood of the SentinelOne agent, multiple engines run to provide visibility into, and detection of, malicious activity. SentinelOne recommends running all of its Static and Behavioral AI engines, but allows administrators to control them per policy.

    Prevention, Detection, and Response at Scale

    Many have tested SentinelOne’s capabilities, and the results are available:

    • Static AI (DFI) prevents malicious files and variants from ever being executed on your devices.
    • Behavioral AI specializes in catching zero-day and unknown attacks based on their behaviour, including file-less and other new means to evade traditional AV solutions.

    SentinelOne are always working on improvements. In the wild, more and more campaigns avoid writing a file to disk at all, or only do so after an in-memory stage (the EternalBlue exploitation used by WannaCry is one example). The reason is obvious: why expend effort on a file that will become a blocked signature in a few days? It is also common for attackers to compromise one weak host on a network and use it as a foothold to reach other devices on the same network. SentinelOne invested further in its behavioural AI engines to improve detection of such flows. When a risk is detected, the agent already has the full context: users, processes, command-line arguments, registry, files on disk, external communication and more.

    Forensics Analysis Improvements

    Once detected, it is helpful to identify the full context of the attempt, where it came from, and what it tried to do, even if it was automatically mitigated by “Protect” mode. To make this easy, SentinelOne improved what you see and what you can do. Starting in 2.0:

    You can see:

    • Which of their engines detected it.
    • A link to the VirusTotal entry (for known threats) and to a Google search.
    • More forensics information, including the username, and the full command line arguments used by all processes during the incident.

    You can do:

    • More exclusion options: by hash, path, certificate, file type, or browser type.
    • Quickly and easily exclude for each specific incident directly from the forensics analysis view.

    Full Disk Scan

    Many of their customers asked for the option to scan a device and Full Disk Scan is now available for their Windows and macOS agents. Whether you are worried about dormant malware or concerned with issues of audit and compliance, you can choose a group from the console and initiate a scan, or just install using a flag that triggers the full disk scan. This is a great way to get value on day one.

    More improvements starting in 2.0

    • Performance improvements (cross-platform)
    • Click-through EULA
    • SSO support for the management console login.
    • VSS disk space does not exceed 10% (unless configured by the administrator to a different limit).
    • Support tools and remote troubleshooting options for your agents.
    • Additional proxy options, including failover to direct connection (for roaming devices) and authenticated proxy.
    • The Auto-immune flow is improved and now works on verified threats only.
    • Document names are not sent to the console, unless malicious.
    • Support for Windows agent on a single core.

    What’s next?

    The SentinelOne team is already working on the next release, planned for later this year. It will have improved deployment flows, more reporting options, Agent configuration and more policy options, initial scan support (no reboot needed), and static detection indicators, for a better understanding of detection reasons.

    Stay tuned!

    View the original post by SentinelOne.

    Palo Alto Networks Strengthens Ransomware Prevention Capabilities With New Traps Advanced Endpoint Functionality

    September 25th, 2017

    New Features Enable Customers to Prevent Malware and Kernel Exploit Attacks.

    Palo Alto Networks, the next-generation security company, today announced enhancements to its Traps™ advanced endpoint protection offering that strengthen its current ransomware prevention by monitoring for new techniques and ransomware behaviour and, upon detection, blocking the attack before it can encrypt data.

    As ransomware attacks continue to escalate in both sophistication and frequency, organisations are working quickly to protect themselves from falling victim to the next attack. According to Cybersecurity Ventures, ransomware will cost organisations more than $5 billion in 2017 – more than 15 times the cost of damages absorbed in 2015.

    To protect themselves from the evolving threat of ransomware, most organisations deploy multiple security point-products and software agents on their endpoint systems, including one or more legacy antivirus products. The protections provided by these signature-based products continue to lag behind the speed of ransomware attacks, which can impact and spread throughout organisations in a matter of minutes compared to the hours or days it could take a customer to receive a signature update.

    Combined with its existing ransomware prevention and other multi-method prevention capabilities, Traps offers effective ransomware protection and helps organisations avoid the productivity losses associated with inaccessible data. Traps secures endpoints by combining multiple defensive techniques, preventing known and unknown attacks before they can compromise the endpoint.

    QUOTES

    “Traps 4.1 takes endpoint security to the next level and continues to bring more innovative and impressive capabilities to address the modern threat landscape. The added ransomware capabilities and ease of deployment across Windows and MacOS clients further cement Traps as a necessary standard for any organisation serious about their endpoint security strategy.”
    Bryan Norman, chief executive officer, Norlem Technology Consulting

    “Ransomware attacks will continue to increase in frequency and sophistication for the foreseeable future, and with the new capabilities introduced today in version 4.1, Traps is better able to preemptively stop these attacks and protect our way of life in the digital age.”
    Lee Klarich, chief product officer, Palo Alto Networks

    Key advancements introduced in Traps version 4.1 include:

    Behavior-based ransomware protection adds a layer of malware prevention to pre-existing capabilities without reliance on signatures or known samples. By monitoring the system for ransomware behaviour, upon detection, Traps immediately blocks the attack and prevents encryption of end-user data.

    Enhanced kernel exploit prevention protects against new exploit techniques used to inject and execute malicious payloads, like those seen in the recent WannaCry and NotPetya attacks, by stopping advanced attacks from initiating the exploitation phase.

    Local analysis for macOS provides added protection against unknown attacks for a growing macOS® user base.

    AVAILABILITY
    Traps version 4.1 is generally available to Palo Alto Networks customers with an active support contract.

    LEARN MORE
    Traps advanced endpoint protection
    Traps: Expanding Ransomware Protection for Current and Future Threats (blog post)
    Palo Alto Networks Next-Generation Security Platform

    View the original post by Palo Alto Networks.

    First Half 2017 Breach Level Index Report: Identity Theft and Poor Internal Security Practices Take a Toll

    September 25th, 2017

    Gemalto, the world leader in digital security, today released the latest findings of the Breach Level Index, a global database of public data breaches, revealing 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017. Compared to the last six months of 2016, the number of lost, stolen or compromised records increased by a staggering 164%. A large portion came from the 22 largest data breaches, each involving more than one million compromised records. Of the 918 data breaches more than 500 (59% of all breaches) had an unknown or unaccounted number of compromised data records.

    The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious versus those that are truly impactful.

    According to the Breach Level Index, more than 9 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. During the first six months of 2017, more than ten million records were compromised or exposed every day, or one hundred and twenty-two records every second, including medical, credit card and/or financial data or personally identifiable information. This is particularly concerning, since less than 1% of the stolen, lost or compromised data used encryption to render the information useless, a 4% drop compared to the last six months of 2016.

    “IT consultant CGI and Oxford Economics recently issued a study, using data from the Breach Level Index and found that two-thirds of firms breached had their share price negatively impacted. Out of the 65 companies evaluated the breach cost shareholders over $52.40 billion,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “We can expect that number to grow significantly, especially as government regulations in the U.S., Europe and elsewhere enact laws to protect the privacy and data of their constituents by associating a monetary value to improperly securing data. Security is no longer a reactive measure but an expectation from companies and consumers.”

    Primary Sources of Data Breaches

    Malicious outsiders made up the largest percentage of data breaches (74%), an increase of 23%. However, this source accounted for only 13% of all stolen, compromised or lost records. While malicious insider attacks made up only 8% of all breaches, the number of records compromised was 20 million, up from 500,000, an increase of over 4,114% from the previous six months.

    Leading Types of Data Breaches

    For the first six months of 2017, identity theft was the leading type of data breach in terms of incident, accounting for 74% of all data breaches, up 49% from the previous semester. The number of records compromised in identity theft breaches increased by 255%. The most significant shift was the nuisance category of data breaches representing 81% of all lost, stolen or compromised records. However, in terms of the number of incidents, nuisance type attacks were only slightly over 1% of all data breaches. The number of compromised records from account access attacks declined by 46%, after a significant spike in the 2016 BLI full year report.

    Biggest Industries Affected by Data Breaches

    Most of the industries the Breach Level Index tracks had more than a 100% increase in the number of compromised, stolen or lost records. Education saw one of the largest increases in breaches, up 103%, with an increase of over 4,000% in the number of records; this is the result of a malicious insider attack compromising millions of records at one of China’s largest comprehensive private educational companies. Healthcare had a similar number of breaches compared to the last six months of 2016, but stolen, lost or compromised records increased 423%. The UK’s National Health Service was one of the top five breaches of the first half, with over 26 million compromised records. Financial services, government and entertainment also experienced a significant jump in the number of breached records, with entertainment breach incidents increasing 220% in the first six months of 2017.

    Geographic Distribution of Data Breaches

    North America still makes up the majority of all breaches and the number of compromised records, both above 86%. The number of breaches in North America increased by 23% with the number of records compromised skyrocketing by 201%. Traditionally, North America has always had the largest number of publicly disclosed breaches and associated record numbers, although this is poised to change in 2018 when global data privacy regulations like the European General Data Protection Regulation (GDPR) and Australia’s Privacy Amendment (Notifiable Data Breaches) Act are enforced. Europe currently only had 49 reported data breaches (5% of all breaches), which is a 35% decline from the previous six months.

    Related Resources:
    – For a full summary of data breach incidents by industry, source, type and geographic region, download the First Half 2017 Breach Level Index Report
    – Download the infographic here
    – Visit the BLI website here

    View original article by Gemalto.

    SentinelOne Announces New Deep Visibility Module for Breakthrough IOC Search and Threat Hunting on the Endpoint

    September 14th, 2017

    New Capabilities Enable Untethered View into All Endpoint Activities and Network Traffic – Encrypted and Clear Text.

    SentinelOne, a pioneer in delivering autonomous AI-powered security for the endpoint, datacenter and cloud, today launched its new Deep Visibility module for the SentinelOne Endpoint Protection Platform (EPP), making it the first endpoint protection solution to provide unparalleled search capabilities for all indicators of compromise (IOCs) regardless of encryption and without the need for additional agents.

    “We are bringing visibility to every edge of the network – from the endpoint to the cloud,” said Tomer Weingarten, CEO of SentinelOne. “Deep Visibility enables search capabilities and visibility into all traffic since we see it at the source and monitor it from the core. We know that more than half of all traffic is encrypted – including malicious traffic – which makes a direct line of sight into all traffic an imperative ingredient in enterprise defence.”

    Deep Visibility extends the company’s current endpoint suite abilities to provide full visibility into endpoint data, leveraging its patented kernel-based monitoring, for complete, autonomous, and in-depth search capabilities across all endpoints – even those that go offline – for all IOCs in both real-time and historical retrospective search. SentinelOne EPP with Deep Visibility enables customers to fully automate their detection to response workflow while also gaining unprecedented insight into their environment.

    Deep Visibility also empowers customers to gain insights into file integrity and data integrity by monitoring file characteristics and recording data exports to external storage.

    Deep Visibility monitors traffic at the end of the tunnel, which allows an unprecedented tap into all traffic without the need to decrypt or interfere with the data transport. This, in turn, provides a rich environment for threat hunting, that includes powerful filters, the ability to take containment actions, as well as fully automated detection and response.

    Since Deep Visibility does not require an additional agent and is a holistic part of the SentinelOne EPP platform, it is fully integrated into the investigation, mitigation and response capability sets, including process forensics, file and machine quarantine, and fully automated, dynamic remediation and rollback capabilities.

    Additionally, Deep Visibility does not require any changes to network topology and does not require any certificates for installation. Visibility into encrypted traffic further enriches forensics insights and empowers security analysts with more holistic investigation capabilities without impacting the end-user experience.

    “Deep Visibility is a breakthrough that will redefine how we think about perimeters,” said Weingarten. “Gaining visibility into the data pathways marks the first milestone for a real, software-defined edge network that can span through physical perimeters, to hybrid datacenters and cloud services. This is the beginning of the network of the future.”

    In addition to Deep Visibility, SentinelOne EPP will also offer several new capabilities that further enrich visibility into customer environments and threats. Key capabilities include:

    • Support for new platforms Amazon Linux AMI and Oracle Linux to expand visibility into critical server environments
    • Full disk scan support to discover latent threats
    • Richer forensics insights to help identify the source of threats and build attack storylines

    Current SentinelOne customers can upgrade to a new agent with access to Deep Visibility by working with their customer success managers. Prospective customers can learn more about SentinelOne EPP and the new Deep Visibility capabilities here.

    View the original article by SentinelOne.

    Week 1 addressed the top consumer cyber concerns, encouraging users to be more vigilant about using the Internet and sharing their personal data online.

    Simple steps for staying safe online include using stronger authentication such as two-factor or biometrics, making your passwords long and strong, and sharing or opening files with care, to name just a few.

    We have a good and detailed checklist here: 10 tips to prepare for Cyber Security month. The most important tips include:

  • Make sure your password is secure
  • Regularly update your software
  • Beware of email scams
  • Password protect your laptop and smart devices
  • Install malware protections

    The Internet touches almost all aspects of our everyday lives, so it is important that consumers are made aware of its most common risks. In the video below, former ethical hacker Jason Hart, who now works for Gemalto, explains how a man-in-the-middle attack works. A man-in-the-middle attack is where an attacker inserts themselves into a conversation between two parties; it can affect your PC, your mobile and the Wi-Fi network you are using.

    Here are videos of Jason Hart explaining how phishing scams and KARMA attacks work.

    2. Today’s predictions for tomorrow’s internet

    We live in an incredibly connected world, with smart devices populating every aspect of our lives, and there are many ways an attacker can reach the data on those devices. So, how do we secure the Internet of Things? Data is the fuel that makes smart devices work, so securing it, both at rest and in motion, is essential. We see three pillars for securing IoT data: securing the device, securing the cloud it talks to, and managing the lifecycle of the security components (keys, credentials and firmware) over the device’s lifetime. The importance of securing the IoT has also been recognised by the US government: earlier this year two US lawmakers proposed legislation to address vulnerabilities in IoT devices.

    Smart cars, connected homes and smart healthcare devices have become inseparable part of our reality. And while there are massive benefits for connectivity, it is important to understand how to use cutting-edge tech in safe and secure ways.

    3. Building Resilience in Critical Infrastructure

    Building resilience in key systems like electricity, financial institutions, water treatment facilities, public healthcare and transportation is another key theme of this year’s events. These are all systems that store data and increasingly run on it. We recently addressed end-to-end security of the smart energy ecosystem at European Utility Week. The final week looks at how cybersecurity relates to keeping our traffic lights, running water, phone lines and other critical infrastructure safe.

    There we have them – the key actions from cyber security awareness month, aiming to educate us on the importance of keeping our online identities safe. So, what will you do? Let us know by leaving a comment below or tweeting to us @Gemalto.

    This report was taken from Gemalto.com

    A deeper dive into GDPR: Identity and Access Management

    October 18th, 2017

    The GDPR’s security requirements are widely read as calling for strong authentication, including two-factor, and for physical access controls that restrict organisational information systems, equipment and their operating environments to authorised individuals. Are you ready?

    Mapping the GDPR article to authentication
    GDPR greatly expands organisations’ obligations to control who can access personal data and, in practice, pushes them beyond password-only authentication. Organisations will need to verify the legitimacy of user identities and transactions and be able to prove compliance, or face fines of up to four percent of global annual turnover or €20 million, whichever is higher. So let’s take a look at the articles of GDPR and how they call for stricter authentication controls.

    Article 5 sets out the principles for processing personal data, including integrity and confidentiality: however data is processed, it must be protected against unauthorised access and accidental loss. Multi-factor authentication directly supports this. It gives confidence that a user is who they claim to be by combining factors from different categories: something you have (a token or smart card), something you know (a PIN or password) and something you are (a biometric). The more independent factors used to establish identity, the greater the assurance.

    Asking for a second authentication factor ensures a simple stolen password won’t be sufficient to gain unfettered access to sensitive systems.
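    As an added illustration of the “something you have” factor described above (example code written for this page, not part of the original post or any Gemalto product), here is a time-based one-time password second factor per RFC 6238, together with the server-side checks a practitioner needs: tolerance for clock skew, constant-time comparison, and refusal to accept a code that has already been used. The secret is the RFC 6238 test key, the `login` function and its `password_ok` flag are assumed stand-ins for a real credential store, and the time values are passed in explicitly so the behaviour is reproducible.

```python
"""TOTP second factor (RFC 6238) with skew tolerance and replay protection.

Added example for this page; not code from the original post or any vendor.
Assumes a shared secret provisioned out of band (for example via a QR code).
The secret below is the RFC 6238 reference test key, not a production value.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 test vector key (test data only)
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """Time-based OTP (RFC 6238): HOTP over the number of `step`-second
    intervals since the Unix epoch. `at` is a Unix time; None means now."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side verifier for one enrolled user.

    - accepts the current time step and `skew` steps either side (clock drift)
    - compares codes in constant time
    - never accepts a time step at or before the last accepted one (replay)
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self._secret = secret
        self._step = step
        self._skew = skew
        self._last_step = -1  # highest time step already consumed by a login

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // self._step
        for candidate in range(current - self._skew, current + self._skew + 1):
            if candidate <= self._last_step:
                continue  # already used, or older than a code already used
            expected = hotp(self._secret, candidate)
            if hmac.compare_digest(expected, code):
                self._last_step = candidate
                return True
        return False


def login(password_ok: bool, verifier: TotpVerifier, code: str, at: int) -> bool:
    """Both factors must pass: knowledge (password) and possession (TOTP).
    `password_ok` stands in for a real password check (assumption). The OTP
    is evaluated even when the password failed, so response timing does not
    reveal which factor was wrong; a correct code is consumed either way."""
    otp_ok = verifier.verify(code, at)
    return password_ok and otp_ok


if __name__ == "__main__":
    v = TotpVerifier(RFC_TEST_SECRET)
    t = 1111111109  # RFC 6238 test time
    code = totp(RFC_TEST_SECRET, t)
    print("code", code, "first use", login(True, v, code, t), "replay", login(True, v, code, t))
```

    A real deployment keeps `_last_step` in persistent storage per user, rate-limits `verify` (six digits are brute-forceable without it), and uses a random per-user secret of at least 128 bits.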

    Article 24 requires organisations to implement security measures appropriate to the risks and threats they face. This covers not only the data itself but also the controls that restrict access to corporate networks, protect the identities of users and ensure users are who they claim to be. As a first line of defence, requiring multiple factors of authentication to verify a user’s identity reduces the risk of unauthorised users reaching sensitive systems and manipulating data.

    Article 32 (security of processing) requires organisations to weigh the risks of processing, such as data loss and unauthorised access, when choosing an appropriate level of security. Strong authentication makes it harder for unauthorised users to reach sensitive environments and also limits the exposure created by administrators with privileged access.

    Authentication solutions such as Public Key Infrastructure (PKI) or access management services offer provisioning rules and policy engines that cover privileged users and the varying levels of assurance their roles require. Organisations can increase or decrease the level of access security for their data and network according to the sensitivity of the data concerned. In addition, PKI supports other security functions such as digital signatures and email encryption, and the same smart card credential can be used for physical access.

    Article 33 covers notification of a personal data breach to the supervisory authority, and Article 32(4) requires that anyone acting under the controller’s authority processes personal data only on the controller’s instructions. Authentication and access management solutions apply such rules in real time, based on group membership and the user’s need to access particular categories of personal data. The default can keep users out of processing systems, or grant only a narrow level of access, until the data controller instructs otherwise; once processing is complete, administrators can return to the more restrictive default. In addition, some authentication solutions provide extensive logging and reporting that give an up-to-date record of all authentication and management events, which is the evidence you will need if a breach has to be notified.

    Wrapping up
    Authentication and access management solutions come in many shapes and sizes, including cloud access management, PKI, certificate-based authentication, one-time password authentication, identity federation, complete lifecycle management and auditing tools. We hope you find this blog helpful in planning your authentication needs for GDPR.

    For more information on GDPR’s due diligence requirements along with other topical issues such as breach notification, security, and data control obligations, check out our expanded ebook, The General Data Protection Regulation.

    View the original post by Gemalto.

    WPA2 vulnerability (KRACK attack)

    October 17th, 2017

    The exploit is called KRACK and details about this vulnerability have been published in true White Hat fashion, by the Imec-DistriNet research group of KU Leuven. Mathy Vanhoef and his team have identified as many as ten vulnerabilities in the WPA and WPA2 protocols, which secure all modern protected Wi-Fi networks. These vulnerabilities were academically well-researched and responsibly reported in a manner allowing the industry to proactively prepare updates.

    Go to the Ruckus support site to learn about Ruckus’ counter-measures.

    Broadly, the attack exploits how WPA/WPA2 implementations handle retransmitted handshake messages: a retransmission causes an encryption key that is already in use to be reinstalled, which resets the packet number (nonce) and replay counter associated with it. The vulnerabilities fall into two groups. The first may allow reinstallation of the pairwise transient key (PTK), the group temporal key (GTK) or the integrity group temporal key (IGTK) on either a wireless client or an access point. A transient key is derived during the 4-way handshake for an individual client session. It is not the PSK or the user’s credentials; it is temporary and different for every client and every session.

    The second set of vulnerabilities affects wireless supplicants that support either 802.11z (Extensions to Direct-Link Setup, i.e. TDLS) or 802.11v (Wireless Network Management, specifically WNM sleep mode). These could likewise allow reinstallation of a pairwise key, group key or integrity group key.

    When a key is reinstalled, the client resets the packet number and replay counter that go with it, so subsequent frames are encrypted with keystream that has already been used. With a known plaintext (an ARP or DHCP packet, say) an attacker can recover that keystream and decrypt other frames carrying the same packet number. Note, however, that each wireless client derives its own transient keys with the AP: this is not a global attack but one against a specific, targeted device. The vulnerabilities also only affect the encryption of data under the per-session transient keys that WPA2 derives; they do not expose the Wi-Fi passphrase or any other credential such as a certificate, and the attacker does not learn the transient key itself.
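    The following is an added example written for this page, not code from the Ruckus advisory or the KU Leuven researchers, that reproduces the mechanism just described in miniature. The handshake and cipher are simplified stand-ins (assumptions): only message 3 of the 4-way handshake is modelled, and the keystream is HMAC-SHA256 over the key and packet number instead of AES-CCMP counter mode. The property it demonstrates is the real one: an unpatched client that reinstalls the same PTK after a replayed message 3 resets its packet number, two frames then share keystream, and one known plaintext exposes the other frame, while the key itself is never recovered. The patched client ignores the replay once the key is installed.

```python
"""KRACK in miniature: key reinstallation -> nonce reuse -> keystream reuse.

Added example for this page (not vendor or researcher code). Assumptions:
only message 3 of the 4-way handshake is modelled, and the CCMP keystream
is replaced by HMAC-SHA256(key, packet_number || block) so the script has
no dependencies. The attack logic is unchanged by that substitution.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

Frame = Tuple[int, bytes]  # (packet number, ciphertext)


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the CCMP counter-mode keystream. It depends only on the
    key and the 48-bit packet number, which is exactly why reuse is fatal."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Wi-Fi client. patched=True models the fix: once the PTK is installed,
    a retransmitted message 3 is answered but does not reinstall the key or
    reset the packet number."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk: Optional[bytes] = None
        self.pn = 0

    def on_message3(self, ptk: bytes) -> None:
        if self.patched and self.ptk is not None:
            return  # already installed: send message 4 only (not modelled)
        self.ptk = ptk
        self.pn = 0  # (re)installing the key resets nonce and replay counter

    def send(self, plaintext: bytes) -> Frame:
        assert self.ptk is not None, "no key installed"
        frame = (self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext))))
        self.pn += 1
        return frame


def attack(frames: List[Frame], known_plaintext: bytes) -> Optional[bytes]:
    """Attacker in a channel-based MitM position sees every frame, knows the
    plaintext of the first one, and looks for a later frame with the same
    packet number. Recovers as many bytes as the known plaintext is long."""
    pn0, ct0 = frames[0]
    ks = xor(ct0, known_plaintext)  # keystream for packet number pn0
    for pn, ct in frames[1:]:
        if pn == pn0:
            return xor(ct, ks[:len(ct)])
    return None  # no nonce reuse observed: nothing to decrypt


def run(patched: bool) -> Optional[bytes]:
    """One client session with a replayed message 3. Returns what the
    attacker could decrypt of the second frame, or None."""
    ptk = os.urandom(32)                   # fresh per-session key; attacker never sees it
    client = Supplicant(patched)
    known = b"ARP who-has 192.168.1.1"     # constructed, predictable first frame
    secret = b"GET /login?user=alice"      # constructed sensitive second frame

    client.on_message3(ptk)                # genuine message 3 from the AP
    frames = [client.send(known)]          # pn = 0
    client.on_message3(ptk)                # attacker replays message 3
    frames.append(client.send(secret))     # pn = 0 again if unpatched, 1 if patched
    return attack(frames, known)


if __name__ == "__main__":
    print("unpatched client:", run(False))
    print("patched client:  ", run(True))
```

    The decryption succeeds only because the keystream depends on nothing but the key and the packet number; the patched client keeps counting, so the attacker sees two different packet numbers and `attack` returns None. Nothing in the attack recovers `ptk`, which is why the advisory is right that passwords and credentials are not exposed.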

    What does this mean for you?

    1. Don’t panic. No, you do not need to shut down your Wi-Fi network. The Internet did not suffer the equivalent of an EMP attack.
      1. Vulnerabilities exist on both sides of the 4-way handshake (client and AP), and both sides need to be patched.
      2. Microsoft, Apple, Google, Intel and other major vendors have been working on fixes for these vulnerabilities for several months under the coordinated disclosure.
      3. Until client vendors provide updates, disabling 802.11r (Fast BSS Transition roaming) removes one source of vulnerability, because the FT handshake variant is exploited on the AP side.
      4. Some client types, such as Android 6 (and Linux clients using wpa_supplicant 2.4 or later), are more exposed than others: they can be made to install an all-zero encryption key rather than merely reuse a nonce.
      5. iOS and Windows are not vulnerable to the first set of exploits because they do not accept retransmissions of handshake message 3. They are still affected by the group key handshake variant, so they still need patching.
    2. The sky isn’t falling. One, the attack must happen on-premises: the attacker has to be within radio range of the targeted client. Two, while the attacker can decrypt client-to-AP traffic, the attacker cannot inject arbitrary traffic into a WPA2-AES (CCMP) session and cannot obtain the PSK, user credentials or other keys.
      1. To be successful, the attacker would need to be sophisticated, onsite, and armed with specialised hardware and software. At the time of writing there is no publicly available code that enables this attack.
      2. All current certificates and Wi-Fi passwords are still secure. This attack does not reveal passwords.
      3. Networks that use TKIP are additionally vulnerable to packets being injected into the stream, whereas CCMP (AES) does not allow frames to be forged. (TKIP and WEP have been broken for years, so if your network still uses either, this may be a good time to do something about it.)
      4. A MitM (Man-in-the-Middle) position is required first, because the 4th EAPOL message (part of the handshake) must be intercepted/blocked in order to trigger retransmissions of handshake message 3. This means that the attacker must clone the AP, spoofing its MAC address on a different channel.
      5. Mesh and point-to-point (PtP) links, where an AP acts as the client side of the handshake, may also be vulnerable.
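    The mechanism described above, as an added example that is not code from Ruckus, from the KU Leuven researchers or from the original post: a toy Python model of the client side of the 4-way handshake. It assumes a stand-in keystream (HMAC-SHA256 over the key and packet number instead of CCMP’s AES-CTR), constructed sample frames, and three supplicant behaviours: the pre-fix standard behaviour, a patched client that refuses to reinstall a key it already has, and the wpa_supplicant 2.4 / Android 6 behaviour that ends up installing an all-zero key. Running it shows why a retransmitted message 3 lets an attacker recover plaintext through keystream reuse and replay an old frame, and why the patched client is unaffected.

```python
"""Toy model of the supplicant side of the WPA2 4-way handshake and of KRACK.

Constructed for illustration; not code from Ruckus, KU Leuven or this post.
CCMP really uses AES in CTR mode with the 48-bit packet number (PN) in the
nonce. Here the keystream is HMAC-SHA256(TK, PN || block) so the script runs
on the standard library alone. The property that matters is the same:
the same key and the same PN always give the same keystream.
"""
import hashlib
import hmac
import os

TK_LEN = 16  # CCMP temporal key (TK) is 128 bits


def keystream(tk, pn, length):
    """Stand-in for the AES-CTR keystream: depends only on (tk, pn, block index)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client-side handling of message 3 and of per-frame protection.

    mode "vulnerable": pre-fix behaviour, every message 3 (re)installs the TK
                       and zeroes the transmit PN and the replay counter
    mode "patched":    a TK that is already installed is never reinstalled
    mode "zero_key":   as "vulnerable", but the negotiated key was wiped from
                       memory after the first install, so the retransmitted
                       message 3 installs an all-zero TK (Android 6 /
                       wpa_supplicant 2.4+ behaviour)
    """

    def __init__(self, mode):
        self.mode = mode
        self.tk = None   # installed temporal key
        self.tx_pn = 0   # transmit packet number, i.e. the nonce
        self.rx_pn = 0   # highest PN accepted from the AP, i.e. the replay counter

    def handshake_msg3(self, negotiated_tk):
        """Process message 3, genuine or a retransmission forwarded by an attacker."""
        if self.mode == "patched" and self.tk == negotiated_tk:
            return "ignored"  # the fix: install a given key only once
        if self.mode == "zero_key" and self.tk is not None:
            negotiated_tk = bytes(TK_LEN)  # key material already cleared, zeros get installed
        self.tk = negotiated_tk
        self.tx_pn = 0  # key installation resets the nonce ...
        self.rx_pn = 0  # ... and the replay counter, as the standard prescribes
        return "installed"

    def encrypt(self, plaintext):
        """Protect an outgoing frame; returns (pn, ciphertext)."""
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.tk, self.tx_pn, len(plaintext)))

    def accept(self, pn):
        """Replay check applied to an incoming frame carrying packet number pn."""
        if pn <= self.rx_pn:
            return False
        self.rx_pn = pn
        return True


def krack(mode):
    """Attacker blocks message 4, so the AP retransmits message 3; the attacker
    forwards that copy to the client after the client has already sent data."""
    tk = os.urandom(TK_LEN)
    sta = Supplicant(mode)
    sta.handshake_msg3(tk)                     # genuine message 3
    p1 = b"GET /session?user=alice&tok=9f31"   # constructed sample frame (32 bytes)
    pn1, c1 = sta.encrypt(p1)
    sta.accept(7)                              # some frame from the AP, PN 7
    sta.handshake_msg3(tk)                     # retransmitted message 3
    p2 = b"PING keepalive from client 00001"   # constructed; attacker can guess it
    pn2, c2 = sta.encrypt(p2)
    # With the keystream reused, c1 XOR c2 == p1 XOR p2, so a known p2 leaks p1.
    p1_leaked = pn1 == pn2 and xor(xor(c1, c2), p2) == p1
    return {
        "pn_after_reinstall": pn2,
        "p1_recovered_from_keystream_reuse": p1_leaked,
        "replay_of_pn7_accepted": sta.accept(7),
        "decrypts_with_all_zero_key": xor(c2, keystream(bytes(TK_LEN), pn2, len(c2))) == p2,
    }


if __name__ == "__main__":
    for mode in ("vulnerable", "patched", "zero_key"):
        print(mode, krack(mode))
```

    The `patched` branch is the whole fix in one line: remember which key is installed and treat a repeated message 3 for that key as a no-op. That is what the vendor updates do, and it is why the problem can be fixed in software without changing the protocol on the wire or touching the PSK.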

    Steps You Can Take Now:

    1. Mitigate the risks of the MitM attack the exploit depends on. By default, Ruckus has rogue detection enabled and automatically classifies APs that spoof a known MAC address as a malicious threat, which can generate alarms for admins. Further, admins can enable APs to protect against Man-in-the-Middle attacks by de-authenticating clients that connect to a malicious rogue AP, which the attacker needs in order to carry out this attack.
    2. Eliminate the 802.11r exposure. Ruckus disables 802.11r by default on all SSIDs. If it is enabled on your network, consider disabling it until a fix is in place.
    3. Ruckus APs have additional protection against MitM attacks on mesh links, so an attacker would need to be even more sophisticated to hijack a Ruckus mesh link. Networks that have mesh enabled but are not using it can disable it on a per-node basis.
    4. Refer to Ruckus Support. Security patches from Ruckus are forthcoming and will be posted as they become available.

    The WPA/WPA2 protocol is not fundamentally flawed: the exposure is limited and can be fixed in software without throwing out WPA2 altogether. Software/firmware patches that address this are already being rolled out. It is important to remember that, while concretely feasible, these attacks require not only radio proximity to your network but a degree of knowledge and sophistication well beyond, say, the Experian hack, for a lot less return. We always recommend that anyone interested in securing their WLAN perform regular audits of their security infrastructure and procedures to ensure everything complies with best practices and vendor recommendations.

    Additional Information:

    • Ruckus FAQ
    • Security Advisory
    • CloudPath

    Ruckus Security Advisory

    Deloitte data breach demonstrates why MFA and user access controls are a must

    October 9th, 2017

    The severe Deloitte breach revealed last week is indicative of several issues that many companies are seemingly slow to absorb when it comes to protecting intellectual property, reputation and customer data.

    A move to the cloud can be a double-edged sword: according to IDC, worldwide spending on public cloud computing will increase from $67B in 2015 to $162B in 2020, a 19% CAGR. This means that more and more companies are storing sensitive systems, applications and data in the cloud. Cloud applications are excellent at giving organisations the best applications with a quick time to value, zero maintenance overhead and near-infinite scalability. The immediate fulfilment and instant productivity provided by cloud apps come, however, with a price tag: IT departments lose visibility into who is accessing which application, and risk increases as apps are managed from multiple disparate consoles.

    Compromised credentials are the root cause of the majority of breaches: According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Indeed, the Deloitte breach was apparently caused when the hacker gained access to an administrator email server account by logging on with a simple username and password.

    Lack of effective monitoring systems: Brian Krebs, in his Krebs on Security blog, wrote earlier this week that ‘a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems’. This gap may reflect weak monitoring systems and a lack of central control over who was accessing which systems and when, and of visibility into the access control measures in place.

    Cloud-based applications play a vital role in fulfilling productivity, operational and infrastructure needs in the enterprise. The points above indicate, however, that enterprises need to focus their cyber-security strategies on the most vulnerable points. Effective access security mechanisms such as multi-factor authentication, privileged access management and cloud access management controls, together with continuous monitoring of who is accessing which service, when and with what credentials, are vital front-line measures that can keep unwanted persons out of cloud and enterprise services and reduce the risk of a breach. Doing otherwise is akin to gambling with your data.

    Avoid a data breach, get the Research and Best Practices Toolkit to do Web Application Security right.

    View the original post by Gemalto.

    6 Misconceptions about Network Security

    October 3rd, 2017

    When assessing or implementing network security, misconceptions can be dangerous, leading your company’s data to be at risk and, with it, your reputation, your revenue, and possibly your business. With that in mind, be on guard against these six insidious misconceptions:

    1. Threats only come from the outside. This is a common misconception, but the truth is that a large share of infiltration issues and security breaches originate inside the network. While this could be due to a malicious employee, more often it is simply the result of ignorance. For example, an employee may bring his own device and use it for work, but it is unsecured. Another person may have a hub sitting underneath her desk to which she connects multiple machines, some of which are personal. You must have a diligent secure access strategy in place, including internal security compliance, to prevent such risks.

    2. Our employees would never fall for a phishing scam. Yes, they would. And they do. Phishing is very sophisticated nowadays, with spear phishing campaigns that are personalized and tailored to a specific individual. Even a savvy employee can fall prey to an email that looks and sounds authentic.

    3. Network access control (NAC) is too difficult to use. Five years ago, that may have been the case. NAC was hard to understand, tough to implement, and irritating for the end user. With business trends evolving to support initiatives like BYOD and IoT, however, network access control has also adapted to meet such demands. For example, Pulse Secure’s NAC solution, Policy Secure, is streamlined, simplified, and user-friendly. You can easily profile your network and get a clear picture of exactly what is residing on it and connecting to it, both internally and externally. Plus, you can gain full visibility into which people and devices have access to what data.

    4. Our firewall checks everything. It may, but the danger of relying on the VPN components bundled with next-generation firewalls is that they do not always perform enough checks on the connecting device. Contrast that with a Pulse secure access solution that validates software patches, apps and other elements through host-checking capabilities before allowing a device onto the network and throughout the connection, and you have a fast and reliable secure access solution that will protect your company’s data yesterday, today and tomorrow.

    5. The cloud is secure. We want to believe this, but it’s not that simple. The cloud is where everything is going; in essence, we are moving to huge server farms hosted by large organizations such as Google or AWS, and their primary product offering is space, processing power, and bandwidth – not security. That is their niche and their expertise. To protect that space, you must look to the secure access experts for the best security platform solutions that can be deployed across hybrid IT environments.

    6. Our security is good enough. This is the biggest and most dangerous misconception of all: companies assume that if their security was good enough last year or three years ago, it is good enough today, even if it has not been updated in recent memory. So, before you say, “Our security is good enough,” ask yourself: are you willing to bet your business on that? Ransomware can come in through VPN connections or exposed open ports and potentially encrypt your entire network. Don’t jump on this bandwagon too fast: your network security could be on the line.

    Maybe yesterday’s network security isn’t good enough. If you’re serious about security, it’s time to do some serious security upgrades.

    Learn more about the importance of upgrading hardware here.

    View the original article by Pulse Secure.

    Ruckus Expands “The Pack” on Unleashed

    October 3rd, 2017

    We are excited to announce new updates to the Ruckus Unleashed products, our Wi-Fi option for small organizations with limited IT resources. We are making the Unleashed products easier to manage and install without compromising on performance. We are also releasing three more Unleashed access points (APs). Let’s get right into the details.

    The third software release of the year is packed with exciting features and capabilities. Here are some highlights:

    • Ruckus R720, T610 and H320 – our popular 802.11ac Wave 2 APs are now part of the Unleashed Family
      • R720, a premium Wave 2 AP with multi-gig backhaul, ideal for high-performance indoor use cases; H320, an entry-level Wave 2 AP that works great as an in-room access point; T610, a mid-range Wave 2 AP, ideal for medium density outdoor deployments. This makes the unleashed product portfolio complete with a wide variety of AP options.
    • All new Mobile App version 2
      • Social login – the Unleashed mobile app can sign in with Gmail, Twitter or Facebook accounts to manage Unleashed networks remotely and locally without altering your firewall.
      • Remote management – Invite someone to deploy, manage or troubleshoot your Unleashed network with a simple text or email from the mobile app.
      • User Interface (UI) enhancements
    • Simplified and faster deployment – Reduced time to deploy an Unleashed network by 33%
    • Multi-site Support
      • Unleashed can now be deployed in multiple small sites and managed with the mobile app or the new Ruckus Unleashed Multi-Site Manager. If you think your business will grow in the future and are looking for Wi-Fi solution that is scalable – this is it!
    • Enhanced Administrative Control
      • Define network speed limits for each of the Unleashed networks
      • Assign users to different VLANs based on their roles
    • Multiple language support further enhanced; Italian language added

    Here is a sneak peek at the Unleashed mobile app.

    Announcing SentinelOne 2.0 Version

    September 27th, 2017

    SentinelOne has announced their new version, 2.0, introducing the simplified policy, improved prevention, detection, and response, and many more features, fixes, and enhancements. Their customers have been telling them what improvements they want to see in the product, and they’re responding. Let’s go over the most significant changes.

    Simple Policy

    SentinelOne’s policy was never complex. Yet they simplified it further by removing any setting that was not 100% clear to their clients.

    The new policy of 2.0 is a simple selection between “Protect” and “Detect”. Choosing “Protect” means complete automation and autonomy – SentinelOne take responsibility for preventing and mitigating all threats. Choosing “Detect” means that you are running in EDR mode.

    Another option you will find useful is the differentiation between Threats – high confidence detections, and Suspicious activity, so you can assign them different policy modes. Try it out.

    Controlling Engines

    Under the hood of the SentinelOne agent, multiple engines run to provide full visibility and detection of malicious activity. SentinelOne recommends running all of its Static and Behavioral AI engines, but allows administrators to control them through policy.

    Prevention, Detection, and Response at Scale

    Many have tested SentinelOne’s capabilities, and the results are available:

    • Static AI (DFI) prevents malicious files and variants from ever being executed on your devices.
    • Behavioral AI specializes in catching zero-day and unknown attacks based on their behaviour, including file-less and other new means to evade traditional AV solutions.

    SentinelOne are always working on improvements. In the wild, they see more and more campaigns that do not depend on dropping a file at the point of entry (WannaCry’s use of the EternalBlue SMB exploit, for example). The reason is obvious: why expend effort on a file that will become a blocked signature in a few days? For instance, it is common for attackers to find a weak host on a network and use it to compromise other devices on the same network. SentinelOne have invested further in their behavioural AI engines to improve detection of such flows. When SentinelOne detects a risk, it already has the full context: users, processes, command line arguments, registry, files on disk, external communication, and more.

    Forensics Analysis Improvements

    Once detected, it is helpful to identify the full context of the attempt, where it came from, and what it tried to do, even if it was automatically mitigated by “Protect” mode. To make this easy, SentinelOne improved what you see and what you can do. Starting in 2.0:

    You can see:

    • Which of their engines detected it.
    • A link to VirusTotal entry (for known threats) and to a Google search.
    • More forensics information, including the username, and the full command line arguments used by all processes during the incident.

    You can do:

    • More exclusion options: by hash, path, certificate, file type, or browser type.
    • Quickly and easily exclude for each specific incident directly from the forensics analysis view.

    Full Disk Scan

    Many of their customers asked for the option to scan a device and Full Disk Scan is now available for their Windows and macOS agents. Whether you are worried about dormant malware or concerned with issues of audit and compliance, you can choose a group from the console and initiate a scan, or just install using a flag that triggers the full disk scan. This is a great way to get value on day one.

    More improvements starting in 2.0

    • Performance improvements (cross-platform)
    • Click-through EULA
    • SSO support for the management console login.
    • VSS disk space does not exceed 10% (unless configured by the administrator to a different limit).
    • Support tools and remote troubleshooting options for your agents.
    • Additional proxy options, including failover to direct connection (for roaming devices) and authenticated proxy.
    • The Auto-immune flow is improved and now works on verified threats only.
    • Document names are not sent to the console, unless malicious.
    • Support for Windows agent on a single core.

    What’s next?

    The SentinelOne team is already working on the next release, planned for later this year. It will have improved deployment flows, more reporting options, Agent configuration and more policy options, initial scan support (no reboot needed), and static detection indicators, for a better understanding of detection reasons.

    Stay tuned!

    View the original post by SentinelOne.

    Palo Alto Networks Strengthens Ransomware Prevention Capabilities With New Traps Advanced Endpoint Functionality

    September 25th, 2017

    New Features Enable Customers to Prevent Malware and Kernel Exploit Attacks.

    Palo Alto Networks, the next-generation security company, today announced enhancements to its Traps™ advanced endpoint protection offering that strengthen its current ransomware prevention by monitoring for new techniques and ransomware behaviour and, upon detection, preventing the attack and the resulting encryption of data.

    As ransomware attacks continue to escalate in both sophistication and frequency, organisations are working quickly to protect themselves from falling victim to the next attack. According to Cybersecurity Ventures, ransomware will cost organisations more than $5 billion in 2017 – more than 15 times the cost of damages absorbed in 2015.

    To protect themselves from the evolving threat of ransomware, most organisations deploy multiple security point-products and software agents on their endpoint systems, including one or more legacy antivirus products. The protections provided by these signature-based products continue to lag behind the speed of ransomware attacks, which can impact and spread throughout organisations in a matter of minutes compared to the hours or days it could take a customer to receive a signature update.

    When combined with its existing ransomware prevention and other multi-method prevention capabilities, Traps offers effective ransomware protection and helps organisations avoid the productivity losses associated with inaccessible data. Traps secures endpoints with its unique multi-method prevention approach, combining multiple defensive techniques to prevent known and unknown attacks before they can compromise endpoints.

    QUOTES

    “Traps 4.1 takes endpoint security to the next level and continues to bring more innovative and impressive capabilities to address the modern threat landscape. The added ransomware capabilities and ease of deployment across Windows and MacOS clients further cement Traps as a necessary standard for any organisation serious about their endpoint security strategy.”
    Bryan Norman, chief executive officer, Norlem Technology Consulting

    “Ransomware attacks will continue to increase in frequency and sophistication for the foreseeable future, and with the new capabilities introduced today in version 4.1, Traps is better able to preemptively stop these attacks and protect our way of life in the digital age.”
    Lee Klarich, chief product officer, Palo Alto Networks

    Key advancements introduced in Traps version 4.1 include:

    Behavior-based ransomware protection adds a layer of malware prevention to pre-existing capabilities without reliance on signatures or known samples. By monitoring the system for ransomware behaviour, upon detection, Traps immediately blocks the attack and prevents encryption of end-user data.

    Enhanced kernel exploit prevention protects against new exploit techniques used to inject and execute malicious payloads, like those seen in the recent WannaCry and NotPetya attacks, by stopping advanced attacks from initiating the exploitation phase.

    Local analysis for macOS provides added protection against unknown attacks for a growing macOS® user base.

    AVAILABILITY
    Traps version 4.1 is generally available to Palo Alto Networks customers with an active support contract.

    LEARN MORE
    Traps advanced endpoint protection
    Traps: Expanding Ransomware Protection for Current and Future Threats (blog post)
    Palo Alto Networks Next-Generation Security Platform

    View the original post by Palo Alto Networks.

    First Half 2017 Breach Level Index Report: Identity Theft and Poor Internal Security Practices Take a Toll

    September 25th, 2017

    Gemalto, the world leader in digital security, today released the latest findings of the Breach Level Index, a global database of public data breaches, revealing that 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017. Compared to the last six months of 2016, the number of lost, stolen or compromised records increased by a staggering 164%. A large portion came from the 22 largest data breaches, each involving more than one million compromised records. Of the 918 data breaches, more than 500 (59% of all breaches) had an unknown or unaccounted number of compromised data records.

    The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious versus those that are truly impactful.

    According to the Breach Level Index, more than 9 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. During the first six months of 2017, more than ten million records were compromised or exposed every day, or one hundred and twenty-two records every second, including medical, credit card and/or financial data or personally identifiable information. This is particularly concerning, since less than 1% of the stolen, lost or compromised data used encryption to render the information useless, a 4% drop compared to the last six months of 2016.

    “IT consultant CGI and Oxford Economics recently issued a study, using data from the Breach Level Index and found that two-thirds of firms breached had their share price negatively impacted. Out of the 65 companies evaluated the breach cost shareholders over $52.40 billion,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “We can expect that number to grow significantly, especially as government regulations in the U.S., Europe and elsewhere enact laws to protect the privacy and data of their constituents by associating a monetary value to improperly securing data. Security is no longer a reactive measure but an expectation from companies and consumers.”

    Primary Sources of Data Breaches

    Malicious outsiders made up the largest percentage of data breaches (74%), an increase of 23%. However, this source accounted for only 13% of all stolen, compromised or lost records. While malicious insider attacks made up only 8% of all breaches, the number of records compromised was 20 million, up from 500,000, an increase of over 4,114% on the previous six months.

    Leading Types of Data Breaches

    For the first six months of 2017, identity theft was the leading type of data breach in terms of incidents, accounting for 74% of all data breaches, up 49% from the previous six months. The number of records compromised in identity theft breaches increased by 255%. The most significant shift was the nuisance category of data breaches, representing 81% of all lost, stolen or compromised records; in terms of the number of incidents, however, nuisance-type attacks were only slightly over 1% of all data breaches. The number of compromised records from account access attacks declined by 46%, after a significant spike in the 2016 BLI full-year report.

    Biggest Industries Affected by Data Breaches

    Most of the industries the Breach Level Index tracks had more than a 100% increase in the number of compromised, stolen or lost records. Education witnessed one of the largest increases in breaches up by 103% with an increase of over 4,000% in the number of records. This is the result of a malicious insider attack compromising millions of records from one of China’s largest comprehensive private educational companies. Healthcare had a relatively similar amount of breaches compared to the last six months of 2016, but stolen, lost or compromised records increased 423%. The U.K’s National Health Service was one of the top five breaches in the first half with over 26 million compromised records. Financial services, government and entertainment were also industries that experienced a significant jump in the number of breached records, with entertainment breach incidents increasing 220% in the first six months of 2017.

    Geographic Distribution of Data Breaches

    North America still makes up the majority of all breaches and of the number of compromised records, both above 86%. The number of breaches in North America increased by 23%, with the number of records compromised skyrocketing by 201%. Traditionally, North America has always had the largest number of publicly disclosed breaches and associated record numbers, although this is poised to change in 2018 when global data privacy regulations like the European General Data Protection Regulation (GDPR) and Australia’s Privacy Amendment (Notifiable Data Breaches) Act are enforced. Europe had only 49 reported data breaches (5% of all breaches), a 35% decline from the previous six months.

    Related Resources:
    – For a full summary of data breach incidents by industry, source, type and geographic region, download the First Half 2017 Breach Level Index Report
    – Download the infographic here
    – Visit the BLI website here

    View original article by Gemalto.

    SentinelOne Announces New Deep Visibility Module for Breakthrough IOC Search and Threat Hunting on the Endpoint

    September 14th, 2017

    New Capabilities Enable Untethered View into All Endpoint Activities and Network Traffic – Encrypted and Clear Text.

    SentinelOne, a pioneer in delivering autonomous AI-powered security for the endpoint, datacenter and cloud, today launched its new Deep Visibility module for the SentinelOne Endpoint Protection Platform (EPP), making it the first endpoint protection solution to provide unparalleled search capabilities for all indicators of compromise (IOCs) regardless of encryption and without the need for additional agents.

    “We are bringing visibility to every edge of the network – from the endpoint to the cloud,” said Tomer Weingarten, CEO of SentinelOne. “Deep Visibility enables search capabilities and visibility into all traffic since we see it at the source and monitor it from the core. We know that more than half of all traffic is encrypted – including malicious traffic – which makes a direct line of sight into all traffic an imperative ingredient in enterprise defence.”

    Deep Visibility extends the company’s current endpoint suite abilities to provide full visibility into endpoint data, leveraging its patented kernel-based monitoring, for complete, autonomous, and in-depth search capabilities across all endpoints – even those that go offline – for all IOCs in both real-time and historical retrospective search. SentinelOne EPP with Deep Visibility enables customers to fully automate their detection to response workflow while also gaining unprecedented insight into their environment.

    Deep Visibility also empowers customers to gain insights into file integrity and data integrity by monitoring file characteristics and recording data exports to external storage.

    Deep Visibility monitors traffic at the end of the tunnel, which allows an unprecedented tap into all traffic without the need to decrypt or interfere with the data transport. This, in turn, provides a rich environment for threat hunting, that includes powerful filters, the ability to take containment actions, as well as fully automated detection and response.

    Since Deep Visibility does not require an additional agent and is a holistic part of the SentinelOne EPP platform, it is fully integrated into the investigation, mitigation and response capability sets, including process forensics, file and machine quarantine, and fully automated, dynamic remediation and rollback capabilities.

    Additionally, Deep Visibility does not require any changes to network topology and does not require any certificates for installation. Visibility into encrypted traffic further enriches forensics insights and empowers security analysts with more holistic investigation capabilities without impacting the end-user experience.

    “Deep Visibility is a breakthrough that will redefine how we think about perimeters,” said Weingarten. “Gaining visibility into the data pathways marks the first milestone for a real, software-defined edge network that can span through physical perimeters, to hybrid datacenters and cloud services. This is the beginning of the network of the future.”

    In addition to Deep Visibility, SentinelOne EPP will also offer several new capabilities that further enrich visibility into customer environments and threats. Key capabilities include:

    • Support for new platforms Amazon Linux AMI and Oracle Linux to expand visibility into critical server environments
    • Full disk scan support to discover latent threats
    • Richer forensics insights to help identify the source of threats and build attack storylines

    Current SentinelOne customers can upgrade to a new agent with access to Deep Visibility by working with their customer success managers. Prospective customers can learn more about SentinelOne EPP and the new Deep Visibility capabilities here.


    View the original article by SentinelOne.
