Monthly Archives: February 2018


Rethinking Data Security

Category : Forcepoint

EBOOK: How do you secure critical data and IP, when you operate on the Internet, but don’t own the internet?

Data security today is a never-ending battle to keep up with the latest regulations and protect intellectual property from targeted attacks and accidental exposure, all while adapting to evolving IT environments of cloud applications, private clouds, mobile users, and data centers.

Yet, today’s data protection options are limiting. An effective data security solution should cut through the noise of alerts and provide warning signals early to prevent the loss of critical data.

Read this eBook to understand how taking a human-centric, risk adaptive approach to data security will transform your data protection program.


APT37 (Reaper): The Overlooked North Korean Actor

Category : FireEye

On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper).

Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123.

Read our report, APT37 (Reaper): The Overlooked North Korean Actor, to learn more about our assessment that this threat actor is working on behalf of the North Korean government, as well as various other details about their operations:

  • Targeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
  • Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.
  • Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.
  • Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.
  • Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.

More information on this threat actor is found in our report, APT37 (Reaper): The Overlooked North Korean Actor. You can also register for our upcoming webinar for additional insights into this group.



NetOps Embrace of Automation will lead to need for NetOps Ops

Category : F5

Automation is the future. DevOps has long embraced the idea of automating everything in sight, but NetOps is quickly closing the gap between them using automation and orchestration extensively in production processes.

Nearly half (46%) of respondents in our State of Application Delivery 2018 survey indicated at least ‘partial’ use of automation in production. That includes always using automation for major production changes (25%), minor production changes (26%), and even incident response (22%). More than half ‘sometimes’ use automation in all three cases.

That automation is implemented in a variety of ways. Network automation platforms from Cisco, VMware, and OpenStack are popular, as are frameworks and tools like Puppet, Chef, and good old Python scripts.

To say that automation is a thing that’s really happening is not an overstatement. NetOps has arrived. This is not a drill.

That’s exciting, on the surface, but when you dig into what that means we find there are challenges that might not yet have bubbled up to the surface.

For example, automating a change on the firewall or router is one thing. Including it in an overarching deployment process, well that’s another (and the proper term for that is orchestration, in case you were wondering).

Once you start chaining (integrating) systems and scripts you’ve built what is equivalent to an ‘application’. There are many moving parts that have to be deployed, managed, maintained, upgraded, patched, and licensed.

This is not a Sisyphean task, but it is one that NetOps is likely not taking into consideration.

It’s great that developers can now enter a ticket in ServiceNow and that will kick off an IT workflow that automagically provisions, configures, and bills for the desired resource. But what happens when ServiceNow chokes? Or when one of the components in that fragile chain suddenly keels over? Or when an upgrade of one of the components breaks the integration?
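To make the “fragile chain” concrete, here is an added example (my own illustration, not F5’s code or any product’s) of what a chained deployment has to do that a single automated change does not: undo the earlier steps when a later one fails. The firewall, router and ticketing “systems” are in-memory stand-ins so it runs offline, the change-ticket id and addresses are made up, and the ticketing outage is simulated. Note the security angle: without the rollback, a failed chain leaves the new firewall allow rule in place with no closed change record behind it.

```python
"""Orchestration chain with compensating rollback.

Added example, not F5's code. The three steps stand in for a firewall
change, a router change and a ticket update; the "systems" are plain
in-memory dicts so the script runs offline. The point is the chain
itself: when a later step fails, the earlier changes must be undone
in reverse order, or the network is left in a half-applied state.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Step:
    name: str
    apply: Callable[[Dict], None]     # makes the change
    rollback: Callable[[Dict], None]  # undoes it


@dataclass
class RunResult:
    completed: List[str] = field(default_factory=list)
    rolled_back: List[str] = field(default_factory=list)
    failed: Optional[str] = None
    error: Optional[str] = None


def run_chain(steps: List[Step], state: Dict) -> RunResult:
    """Apply steps in order; on failure, roll back completed steps in reverse."""
    result = RunResult()
    done: List[Step] = []
    for step in steps:
        try:
            step.apply(state)
            done.append(step)
            result.completed.append(step.name)
        except Exception as exc:
            result.failed, result.error = step.name, str(exc)
            for prev in reversed(done):
                try:
                    prev.rollback(state)
                    result.rolled_back.append(prev.name)
                except Exception as rb_exc:
                    # a failed rollback is recorded, not hidden, and the
                    # remaining rollbacks still run
                    result.rolled_back.append(f"{prev.name} (rollback FAILED: {rb_exc})")
            break
    return result


# --- constructed stand-ins for the firewall, router and ticketing system ---
RULE = {"dst": "10.0.5.10", "port": 443, "action": "allow"}
ROUTE = "10.0.5.0/24 via 10.0.0.1"
TICKET = "CHG0001"  # hypothetical change ticket id


def make_state(ticket_system_up: bool = True) -> Dict:
    return {"firewall_rules": [], "routes": [], "tickets": {},
            "ticket_system_up": ticket_system_up}


def add_fw_rule(state: Dict) -> None:
    state["firewall_rules"].append(dict(RULE))


def remove_fw_rule(state: Dict) -> None:
    state["firewall_rules"] = [r for r in state["firewall_rules"] if r != RULE]


def add_route(state: Dict) -> None:
    state["routes"].append(ROUTE)


def remove_route(state: Dict) -> None:
    state["routes"].remove(ROUTE)


def close_ticket(state: Dict) -> None:
    if not state["ticket_system_up"]:
        raise RuntimeError("ticketing system unreachable")
    state["tickets"][TICKET] = "closed"


def reopen_ticket(state: Dict) -> None:
    state["tickets"].pop(TICKET, None)


DEPLOY = [
    Step("firewall-allow-443", add_fw_rule, remove_fw_rule),
    Step("add-branch-route", add_route, remove_route),
    Step("close-change-ticket", close_ticket, reopen_ticket),
]


def deploy(ticket_system_up: bool = True) -> Tuple[RunResult, Dict]:
    state = make_state(ticket_system_up)
    return run_chain(DEPLOY, state), state


if __name__ == "__main__":
    res, st = deploy(ticket_system_up=False)
    print(res.failed, res.error)               # close-change-ticket ticketing system unreachable
    print(res.rolled_back)                     # ['add-branch-route', 'firewall-allow-443']
    print(st["firewall_rules"], st["routes"])  # [] []
```

Run it with the ticketing system “down” and the output shows the chain stopping at the third step and unwinding the route and the firewall rule. Each step’s rollback is what has to be written, tested and maintained alongside the happy path; that maintenance is the work the post is describing.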

If you close your eyes you’ll hear the sound of developers chortling from an overdose of schadenfreude at the thought.

One of the unintended consequences of automating IT is going to be that IT has more software and systems to maintain. Some of them will be critical, and require more care and feeding than others.

Just as there are legions of ‘maintenance’ or ‘support’ developers within enterprise organizations whose task it is simply to keep software systems running, there will be a need for a similar role within IT to deal with the day-to-day operations of NetOps Operations.

NetOpsOps. Yeah, it’s a terrible portmanteau but it is an accurate way to describe what’s going to be needed as automation consumes more and more of NetOps deployment tasks.

Some of those tasks will be of a nature (integration, software systems, etc…) that can be shouldered by existing operations staff. But some are specific to the network, and that means someone who both understands the scripts and systems and the networking components involved.

You can’t troubleshoot, update, or modify code/scripts/templates if you don’t know what they’re doing.

If you ask me what’s wrong with my snowmobile I’m going to tell you I have no idea. I know how to open the hood and charge the battery, but don’t ask me to go tinkering with the parts that make it go. That’s the same as asking a development intern proficient in JavaScript to go updating a COBOL copybook. That’s a recipe for disaster right there.

Ultimately, NetOps is going to need some folks (the NetOps Ops) who are knowledgeable about the network and the systems used to automate it. The more automation is used, the more imperative it will be to have said folks in place to take on the mantle of maintaining that automation while engineers are working on the next big thing.


Author: Lorie MacVittie


Building a secure DEVOPS pipeline

Category : Cyber-Ark

Thursday, February 22, 2018 at 17:00 CET | 16:00 GMT | 11:00 EST

PwC and CyberArk: Is your Continuous DevOps Pipeline Continuously Secure?

Code fast, beat the competition to market, and make more money. This is the value of DevOps, but are you missing a step? Now that developer and operations teams have settled their differences to leverage countless containers, applications, and virtual machines, to move and produce at unprecedented scale and speed, do you still know who has access to these virtual machines and applications? Where are the secrets and credentials stored? Is your continuous CI/CD pipeline continuously secure? How would you know?

PwC knows.

And by attending this webinar you will learn from PwC’s experience garnered from years of working with clients to help them identify, design and deploy secure DevOps solutions. PwC’s experience, in combination with CyberArk’s dedication to privileged account security, brings the expertise you need to secure your DevOps pipeline and stay in compliance without adding roadblocks to DevOps workflows.

By registering for this event, you consent to the event organizers using your contact information for the purposes of contacting you regarding cybersecurity related products, events or news and general marketing communications. 


The Best Way to Tackle Shadow IT – Secure Apps That Make It Easy to Get Your Work Done

Category : Citrix

From the latest app on our smartphones to the newest gadgets in our homes, many of us love to embrace innovation. After all, these technology advances improve our lives, make us more productive and help us stay connected in ways our parents never could have imagined.

That’s why so many of us use our personal smartphones for work, and jump at the chance to use the latest app or service that makes our jobs easier. And today, if IT doesn’t move as fast as you want, it’s not that hard to bypass the normal process and download that app or sign up for that cloud-based service, and leave IT out of the process. All too often, the most productive, ambitious people buy and use unsanctioned technology – Shadow IT – to speed up their work, boost productivity, or make work easier. But they might not be considering the serious risks that come with their unsanctioned technology that can threaten their career, their privacy, and their organization.


This Shadow IT trend can expose organizations to data exfiltration, malware, phishing; it can open the door for hackers to steal employee and customer identities, steal company secrets, and cause companies to fail compliance audits or violate laws. And since people go out of their way to avoid the IT department, shadow IT is tough to prevent, manage, or control.

So, what can you do about shadow IT? How can organizations give executives and employees the apps and tools they want, on the device they want, without compromising security?

One way to securely provide employees with the apps, data, and services they want is with a unified, secure digital workspace service. And if you give employees compelling apps, data, and services, they will be less likely to buy and use shadow IT, giving IT back control and reducing complexity.

So, what is a unified, secure digital workspace service? How does it work?

Let’s begin with “unified”. Work gets a lot simpler if people can securely sign in once and then have everything they need to get their work done, all in one digital location. Not only does that eliminate the frustration that comes from logging into multiple SaaS apps, corporate apps and other web services, it also makes using unsanctioned apps and services less appealing. Any time you can simplify the process of working, you’ll score points with employees and make them happier with the apps and services you give them.

At the same time, a unified workspace service is also much easier for IT and security teams. Admins can manage everything as one unified service, and they can easily add new apps, services, and capabilities to that workspace when executives request them. As a result, IT and security operations can be more agile, and more responsive to both employees and executives.

It’s also important to manage all of the apps and workloads for this unified secure workspace from the cloud, so IT admins can monitor, maintain and manage on-prem and cloud-based workloads, even services from multiple clouds in one location. This model makes it much easier to manage hybrid environments, plus it’s more cost-effective, and your organization can adapt cloud services capacity to meet the operational needs of the business.

Security is a key factor and requirement for any unified workspace service. The virtualization services securely deliver apps and data and keep the data off the device. For mobile apps, the enterprise mobility management service provides secure device and app management, including keeping data within an encrypted container.

In addition, it’s important to provide contextual security that can adapt security and application settings to the employee’s network, device, and location. For example, an employee visiting a customer in a country deemed a high security risk might be required to use a virtual smart card before accessing the company network. On the other hand, the employee would not need to use a virtual smart card when accessing the same apps and data from the corporate office. The secure digital workspace operates under a model of contextual access to ensure apps and data are protected in all stages of use.
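The contextual-access idea above reduces to a policy function over the user’s context. The following is an added example of my own, not Citrix’s code or a description of how its product evaluates policy: the high-risk country list, the corporate address range, the “sensitive apps” set and the factor names are all assumptions chosen to reproduce the post’s two cases (smart card required from a high-risk country, single sign-on from the office), plus one deny rule the text implies but does not state (an unmanaged device never reaches a sensitive app).

```python
"""Contextual access policy: step-up authentication by network, device and location.

Added example, not Citrix's code. HIGH_RISK_COUNTRIES, CORPORATE_NETWORKS
and SENSITIVE_APPS are assumed placeholders; a real deployment would feed
them from a risk service, the network inventory and the app catalogue.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

HIGH_RISK_COUNTRIES = {"XX", "YY"}                         # assumption: placeholder codes
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption
SENSITIVE_APPS = {"finance", "hr"}                         # assumption


@dataclass(frozen=True)
class Context:
    user: str
    source_ip: str
    country: str          # location the request comes from
    device_managed: bool  # enrolled in enterprise mobility management
    app: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    factors: Tuple[str, ...]  # authentication factors the user must present
    reason: str


def on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(ctx: Context) -> Decision:
    """Return the access decision and the factors required for this context."""
    factors = ["password"]
    trusted_net = on_corporate_network(ctx.source_ip)

    # 1. Unmanaged devices never reach sensitive apps, whatever the location.
    if not ctx.device_managed and ctx.app in SENSITIVE_APPS:
        return Decision(False, tuple(factors), "unmanaged device, sensitive app")

    # 2. Inside the office on a managed device: the single sign-on is enough.
    if trusted_net and ctx.device_managed:
        return Decision(True, tuple(factors), "corporate network, managed device")

    # 3. High-risk country: step up to the virtual smart card.
    if ctx.country in HIGH_RISK_COUNTRIES:
        factors.append("virtual_smart_card")
        return Decision(True, tuple(factors), "high-risk location")

    # 4. Anywhere else off-network: a second factor; smart card for sensitive apps.
    factors.append("virtual_smart_card" if ctx.app in SENSITIVE_APPS else "otp")
    return Decision(True, tuple(factors), "remote access")


if __name__ == "__main__":
    for ctx in [
        Context("alice", "10.20.30.40", "US", True, "mail"),      # office
        Context("alice", "198.51.100.9", "XX", True, "mail"),     # high-risk country
        Context("alice", "198.51.100.9", "XX", False, "finance"), # unmanaged + sensitive
    ]:
        print(ctx.country, ctx.app, evaluate(ctx))
```

The rules are ordered from the most restrictive to the least so that a deny cannot be shadowed by an earlier allow; when adding a rule, check where it falls in that ordering rather than appending it.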

People today expect technology to be simple, convenient, and easy to use. By deploying a unified, secure digital workspace service, organizations can simplify work, allow people to use the devices they prefer, while reducing the desire for shadow IT, and the related risks associated with unsanctioned technology.

Employees and their managers will be happy, and the business will be safer and more secure.


Author: Calvin Hsu


Have Your Cake and Eat it Too With Next-Generation Endpoint Security from Cisco

Category : Cisco

When faced with an either/or situation, people typically prefer not to choose. We want the best of both worlds. Rarely does someone want peanut butter OR jelly. Have cake? You probably want to eat it, too.

So, it’s surprising to find new research from ESG shows that while 87% of organizations want a comprehensive endpoint security software suite, 43% want that suite to come from an “established” vendor, and 44% want to purchase from a “next-generation” vendor. (Source: ESG Master Survey Results, The Evolution of Endpoint Security Controls and Suites, November 2017.)

Why should anyone have to choose between next-generation technology and working with a well-established vendor with long-lasting customer partnerships?

With Cisco, you don’t have to compromise between next-generation and established – you get both. Cisco’s AMP for Endpoints provides the advanced protection of next-generation technology, backed by an established, proven organization.

What people really want

At the end of the day, what people really want is a comprehensive endpoint security tool they can rely on to do its job effectively. They want:

  • Fewer tools to manage
  • Protection from advanced threats
  • Automatic remediation upon discovery
  • Comprehensive investigation capabilities

Solely implementing point products from niche “next-generation” vendors creates a lack of integration across your security infrastructure and an environment that’s near-impossible to manage. Many of these vendors are still seeking rounds of funding, with no guarantee you’ll be working with the same organization a year from now. You’re left with an environment full of security products that don’t work together, scalability issues, and inefficiencies.

AMP solves these challenges and provides next-generation features, including:

  • Continuous monitoring:  Continuously watches, analyzes, and records all activity of clean and unknown files on a system. Watch continuous analysis in 4 minutes.
  • Retrospective security:  The ability to look back in time and trace processes, file activities, and communications in order to understand the full extent of an infection, establish root causes, and perform remediation. Watch the retrospective security feature overview.
  • Machine Learning:  Breaks down every file and analyzes it against over 400 attributes, constantly training our algorithms to detect never-before-seen threats.
  • Exploit Prevention:  Protects against exploits targeting unpatched applications and attacks that abuse legitimate processes, and blocks fileless or memory-only malware.
  • Antivirus Engine:  Performs offline and system-based detections, including rootkit scanning.
  • File analysis and sandboxing:  A highly secure environment automatically analyzes suspicious files in order to discover previously unknown threats. Watch the file analysis feature overview.
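“Retrospective security” in the list above depends on one thing: having recorded file and process activity before you knew which file was bad. The following added example (mine, not Cisco’s AMP code, and not how AMP stores its data) shows the lookup side of that idea over a constructed event history: a file hash that was merely “unknown” when written and executed is later judged malicious, and the query walks the recorded history to find every host that touched it, the process lineage on each, and the outbound connections those processes made. Hosts, process names, hashes and the remote address are all made up.

```python
"""Retrospective lookup over a recorded endpoint event history.

Added example, not Cisco's AMP code. EVENTS is constructed sample
telemetry. A file hash that was "unknown" when first recorded is later
judged malicious; the lookup walks the history to find every host that
wrote or executed it, the process lineage involved, and the network
connections those processes made.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# constructed events: (ts, host, pid, ppid, process, action, sha256, remote)
Event = Tuple[int, str, int, int, str, str, Optional[str], Optional[str]]
EVENTS: List[Event] = [
    (100, "ws-01", 4001, 900, "outlook.exe", "exec", None, None),
    (101, "ws-01", 4100, 4001, "winword.exe", "exec", None, None),
    (102, "ws-01", 4100, 4001, "winword.exe", "write", "a1b2", None),
    (103, "ws-01", 4200, 4100, "update.exe", "exec", "a1b2", None),
    (104, "ws-01", 4200, 4100, "update.exe", "connect", None, "203.0.113.7:443"),
    (110, "ws-02", 5001, 800, "chrome.exe", "exec", None, None),
    (111, "ws-02", 5001, 800, "chrome.exe", "write", "a1b2", None),
    (120, "ws-03", 6001, 700, "explorer.exe", "exec", None, None),
    (121, "ws-03", 6100, 6001, "notepad.exe", "write", "c3d4", None),
]


def build_index(events: List[Event]):
    """Index the history by file hash, process tree and outbound connections."""
    by_hash = defaultdict(list)   # sha256 -> [(ts, host, pid, action)]
    proc = {}                     # (host, pid) -> (ppid, name)
    conns = defaultdict(list)     # (host, pid) -> [remote]
    for ts, host, pid, ppid, name, action, sha, remote in events:
        proc[(host, pid)] = (ppid, name)
        if sha:
            by_hash[sha].append((ts, host, pid, action))
        if action == "connect" and remote:
            conns[(host, pid)].append(remote)
    return by_hash, proc, conns


def lineage(proc, host: str, pid: int) -> List[str]:
    """Walk parent pointers as far as the recorded history goes; oldest ancestor first."""
    chain = []
    while (host, pid) in proc:
        ppid, name = proc[(host, pid)]
        chain.append(name)
        pid = ppid
    return list(reversed(chain))


def retrospect(events: List[Event], bad_hash: str) -> Dict[str, dict]:
    """Given a hash now known to be malicious, report every host that touched it."""
    by_hash, proc, conns = build_index(events)
    findings: Dict[str, dict] = {}
    for ts, host, pid, action in by_hash.get(bad_hash, []):
        entry = findings.setdefault(
            host, {"first_seen": ts, "actions": [], "lineage": [], "remotes": []})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["actions"].append(action)
        entry["lineage"].append(lineage(proc, host, pid))
        entry["remotes"].extend(conns.get((host, pid), []))
    return findings


if __name__ == "__main__":
    for host, info in retrospect(EVENTS, "a1b2").items():
        print(host, info)
```

On the sample data the verdict on `a1b2` implicates two hosts: on ws-01 the file was dropped by Word launched from Outlook, then executed and made an outbound connection (the remediation scope), while ws-02 only downloaded it and never ran it. None of that is recoverable after the fact unless the “clean and unknown” activity was recorded at the time.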

These next-generation features and capabilities are all backed by Cisco’s established, world-leading security research team, Cisco Talos. With over 250 full-time threat researchers, 11,000 decoy systems and threat traps, and millions of telemetry agents, Talos represents the industry’s largest collection of real-time threat intelligence. Talos’ threat intelligence flows to every Cisco security solution in real-time, so your tools are always equipped with the latest threat intelligence.

Have your cake and eat it, too

The beauty of a comprehensive next-generation endpoint security solution like AMP for Endpoints is that it offers solutions to your most common challenges and integrates with other products across your environment. We integrate these next-generation features on the endpoint with our web, email, network and cloud security solutions, creating an environment of products that continuously share threat intelligence and learn from one another.

If you like having your cake and eating it too, start your AMP for Endpoints free trial on your own endpoints now.


Author: Kelsey Brewer


Malware Protection 2018 – Public Health Service Prevents, Not Just Detects, Advanced Threats

Category : Check Point

Malware protection in 2018 is about prevention, not just detection. A leading West Coast provider of emergency health services, this public health service organization cares for over two million patients across more than 90 locations, including two major trauma and rehabilitation centers, and provides critical, life-saving services in emergency cases. They chose Check Point SandBlast Zero-Day Protection because they value SandBlast’s ability to prevent attacks rather than only detect them, and they deploy it in-line to block threats in their tracks.


Do 72 Hours Really Matter? Data Breach Notifications in EU GDPR

Category : Trend Micro

On January 23, South Dakota’s Senate Judiciary Committee voted unanimously to approve Senate Bill No. 62, which will require organizations and individuals to notify South Dakotans whose personally identifiable information (PII) was, or is believed to have been, exposed to and accessed by unauthorized parties. It will require businesses to notify affected South Dakotans within 60 days of a data breach’s discovery, with penalties of up to US$10,000 per day per violation.

With data breaches increasingly coming to the threat landscape’s fore, the way organizations inform affected individuals is as vital as the methods used to secure personal data. But with over 48 notification laws in the U.S. alone, it’s beginning to sound like a powder keg of confusion. In the U.S., Florida has the shortest breach notification timeline at 30 days. The European Union’s (EU) General Data Protection Regulation (GDPR), however, provides a data breach notification law that’ll rule them all.

[READ: What organizations need to know about the EU General Data Protection Regulation (GDPR)]

The EU GDPR will require faster turnarounds from organizations, stricter risk assessments, and heftier penalties. From Article 33 of the GDPR:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

Notifications become a race against the clock as soon as the organization’s IT/information security staff and system administrators determine, with prudent certainty, that there’s been a data breach. Under the GDPR, the affected organization must alert the local supervisory authority, or the country’s data protection authority. In the U.K., for instance, the organization must notify the Information Commissioner’s Office (ICO).

Affected organizations must also report to the supervisory authority the nature of the breach, including the approximate number of data subjects and personal data records involved. They must also provide a point of contact via a designated data protection officer, describe the likely consequences of the breach, and spell out how the company responded to the incident. Failure to comply can entail penalties of as much as €20 million, or 4% of a business’ global annual revenue, whichever is higher.

The EU GDPR is indeed a game changer. Preventing and responding to data breaches entails a holistic effort from everyone in the organization, from IT, legal, and operations to upper management. And some are already gearing up ahead of the GDPR’s implementation on May 25. Facebook, for instance, just overhauled its “privacy principles” to be GDPR-compliant and protect its user base of over 2 billion. Technology firms Google and Amazon, too, are polishing their privacy policies and fine-tuning their technologies to better secure the data they store and process.

For businesses falling under the GDPR’s purview, compliance involves arraying defenses at each level of the infrastructure handling personal data, from the network’s physical perimeter to the online gateways, endpoints, networks, and servers. For starters, the EU’s own European Commission has a set of guidelines on the GDPR’s data breach notification that can help organizations streamline their strategies.

Trend Micro solutions, powered by XGen™ security, deliver state-of-the-art security capabilities that can be used to help address GDPR compliance. Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

For further guidance on the GDPR and state-of-the-art cybersecurity solutions, download our whitepaper, “Solving the GDPR Puzzle: Data Protection with State-of-the-Art Cybersecurity.”



Star Wars, Network Security and the Force of SD-WAN

Category : Riverbed

“This is not going to go the way you think.”  — Luke Skywalker

Like me, you’ve probably seen Star Wars: The Last Jedi a few times already. And, like me, you probably enjoyed it more than you expected. (For me it may have been partially due to the full-reclining seats, buttered popcorn, and 3-D glasses, but I digress).

The Last Jedi got me thinking about security and how the First Order broke through the Resistance’s “firewall” and installed a tracking device on General Leia Organa’s craft. How Rose and Finn neglected to treat DJ, the codebreaker enlisted by Rose and Finn, as a potential insider threat. And how the Resistance’s security posture was not nearly strong enough to withstand the First Order.

The Resistance is not alone in struggling to prevent and mitigate the impact of security threats. With cyberattacks on the rise, successful breaches per company each year have risen more than 27 percent, from an average of 102 to 130, according to a recent Ponemon Institute/Accenture study. These breaches cost companies an average of $11.7 million USD annually.

Here at Riverbed, we’ve led the charge around a better way to manage and secure the network. IT teams are embracing Software-Defined WAN (SD-WAN, the application of software-defined networking, or SDN, to the wide-area network) for its ability to centrally configure and manage hybrid WANs, cloud connectivity, and branch office networks. Many of our customers are also adopting SD-WAN because it provides greater security than traditional device-centric MPLS networks.

7 ways that SD-WAN makes your network more secure

I’ve highlighted the top 7 ways that Software-Defined WAN technology can make your network more secure than traditional MPLS networks. Starting from the top:

  1. Centralized Security Policy Management vs Device-Centric Management: SD-WAN allows you to establish centralized control of network-wide business and security policies. Rules can be implemented, deployed, managed, and changed universally throughout the system—without requiring command-line interface (CLI) configuration that is often susceptible to human error or driven by custom scripts. SD-WAN provides rules-based traffic, security, and hardware assignment policy definition. Best of all, it’s centralized and automated rather than on a manual, per-device basis. Say goodbye to CLI.
  2. Unified Views of the Network vs Multiple Panes of Glass: SD-WAN management dashboards offer unified views of the network topology, including registered and online appliances and new events. The dashboards continuously and automatically reflect network events, sites, and tunnel status to validate that security policies are working as expected. You can gain insight of the entire network topology or drill into specific site, application, and user views. With improved visibility and integrated analytics, you can troubleshoot problems quickly, better plan for changes, and even rollback changes if they are not working as intended.
  3. Built-in Firewalls vs Separate Firewall Appliances: SD-WANs provide centralized support for embedded security, firewalls, access points, and switches, eliminating the need for additional security appliances in many remote/branch location scenarios. They include a built-in stateful firewall and allow tight policy control over the types of Internet traffic that are allowed in and out at a branch. SD-WAN solutions are hardened and provide in-flight encryption for additional built-in security. Lastly, because many SD-WANs deployments run on top of existing infrastructure, they work in combination with your current firewalls and switches.
  4. Network Segmentation: You can define granular segmentation policies tied to application characteristics, network configurations, addressing, etc., which are distributed across all nodes in the SD-WAN. Based on the segmentation policies, SD-WAN creates multi-point tunnels using IPsec to dynamically enforce segmentation of LAN and Wi-Fi users and devices across all locations. Many organizations also use network segmentation to reduce attack surfaces and contain possible breaches. Traditional WAN segmentation was based on Layer 2/3 and was not driven by application and business priorities.
  5. Identity Based User Access:  SD-WAN identifies users by names, roles, or job functions, and assigns users to a virtual network zone to simplify management. These virtual zones automatically follow the users and their devices across all locations, no matter which device is used.  You can rely on user-identity based access control to better secure mobile and bring-your-own-device (BYOD) environments.
  6. Secure Guest Wi-Fi Access: SD-WAN offers authenticated and identity-based registration and then directs all guest Wi-Fi traffic over the Internet with a firewall between the guest zones and the internal zones. Guests can self-register each device in a matter of minutes and the administrator automatically attaches the security policy to each device registered by that user. Web content restriction and malware filtering can also be set as policies.
  7. Auto Virtual Private Network (AutoVPN): AutoVPN, based on the industry-standard IPsec with AES-256 encryption, creates a secure VPN backbone around remote branches and users. It can also be deployed between access points, gateways, as well as third-party VPNs (Classic VPNs). Encrypted AutoVPNs are typically supported over all WAN transports including Internet and MPLS and can be applied to SD-WAN environments for highly-sensitive data and applications.
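Item 4 above describes segmentation policy defined by application rather than by Layer 2/3 address alone and enforced across every site. Whatever enforces it, you want a way to verify it, so here is an added example of my own (not Riverbed’s code, and not a description of how its SD-WAN evaluates policy) that audits sampled flow records against an application-level allow list between zones. The zones, address ranges, the port-to-application map, the allow list and the sample flows are all constructed; a real audit would read the flow records from the dashboard’s export or from NetFlow/IPFIX collectors.

```python
"""Segmentation policy audit over sampled flow records.

Added example, not Riverbed's code. Zones, the allowed-flow matrix and
the flow records are constructed; the port-to-application map is an
assumption. Each inter-zone flow is checked against an application-level
allow list and the ones a segmentation policy should have blocked are
reported.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ZONES = {                                            # constructed addressing
    "dc":    ipaddress.ip_network("10.0.0.0/16"),    # data center servers
    "corp":  ipaddress.ip_network("10.10.0.0/16"),   # employee LAN / Wi-Fi
    "pos":   ipaddress.ip_network("10.20.0.0/16"),   # payment terminals
    "guest": ipaddress.ip_network("192.168.100.0/24"),
}
APPS = {80: "http", 443: "https", 445: "smb", 3389: "rdp"}   # assumption

# allowed (src_zone, dst_zone, application); "internet" is anything outside ZONES
ALLOWED = {
    ("corp", "dc", "https"), ("corp", "dc", "smb"),
    ("corp", "internet", "https"), ("corp", "internet", "http"),
    ("pos", "dc", "https"),                        # POS talks only to the payment API
    ("guest", "internet", "https"), ("guest", "internet", "http"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def app_of(dport: int) -> str:
    return APPS.get(dport, f"port-{dport}")


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation description, or None if the flow is permitted."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not a segmentation boundary
    app = app_of(flow.dport)
    if (src_zone, dst_zone, app) in ALLOWED:
        return None
    return f"{src_zone}->{dst_zone} {app}: {flow.src} -> {flow.dst}:{flow.dport}"


def audit(flows: List[Flow]) -> List[str]:
    """Deny by default: anything not on the allow list is a violation."""
    return [v for v in (check_flow(f) for f in flows) if v]


SAMPLE_FLOWS = [                                     # constructed
    Flow("10.10.1.5", "10.0.0.20", 443),             # corp -> dc https: ok
    Flow("10.10.1.5", "10.10.1.9", 445),             # corp -> corp: intra-zone
    Flow("192.168.100.7", "10.0.0.20", 445),         # guest -> dc smb: violation
    Flow("10.20.4.9", "203.0.113.5", 443),           # pos -> internet: violation
    Flow("10.10.1.5", "10.20.4.9", 3389),            # corp -> pos rdp: violation
    Flow("192.168.100.7", "203.0.113.5", 80),        # guest -> internet http: ok
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION", v)
```

The three violations in the sample are the ones that matter in practice: guest Wi-Fi reaching a file server, a payment segment going straight to the Internet, and workstation-to-POS RDP. A segmentation policy that is centrally defined but never checked against observed traffic is a policy you only believe in; the audit turns it into something you can show.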

I know that I said 7 but…

For many of us, direct Internet connections can raise security concerns. Cloud-based security solutions, like Zscaler, can minimize security threats associated with direct Internet access. In this scenario, your SD-WAN is service chained to the cloud security gateway, which inspects all traffic inline, including TLS-encrypted (SSL) traffic. You can provide advanced threat prevention, data protection, access controls, and compliance reporting, all while maintaining performance and an improved user experience.

SD-WAN and the last, Last Jedi

On a final note, the Resistance lacked the visibility to recognize that its security had been breached. To that end, I’ll make an analogy to network visibility. Network visibility is essential for quickly identifying breaches and rolling out fixes. When network visibility is woven into a management dashboard that includes end-user experience and device, application, and infrastructure monitoring, it becomes a more powerful force (pun intended). Seeking more insight on how to improve your SD-WAN Jedi skills? Check out the white paper, Solving Cloud and Branch Office Security Challenges with SD-WAN.


Author: Gayle Levin


Metasploit Wrapup

Category : Rapid7

Wintertime can be a drag. Folks get tired of shoveling snow, scraping ice from windshields, dealing with busted water pipes, etc.. Thoughts of “fun in the sun” activities start to seep in, as people begin wistfully daydreaming about summertime. And for this coming summer, Metasploit has some hotness to daydream about!

Pictured: the original snowman looking for fun-in-the-sun…

Google Summer of Code: We’re In!

The Metasploit team is SUPER EXCITED to have been recently selected by Google to participate in GSoC 2018! This will be our second year in GSoC as a mentor organization, and we’ve pulled together a great set of mentors to work with our student developers. We’ve also got a nice list of project ideas coming along, which students applying for GSoC can check out to see if there’s something there they’d like to work on (or applicants may suggest their own ideas, too!). GSoC student applications will be accepted for consideration from March 12th through March 27th. Information on registering can be found here!

It’s Been a Privilege (Escalation)…

Prolific framework contributor bcoles has been busy cranking out a number of new privilege escalation modules. With this latest MSF release, four of these new modules are now available to help get a “leg up” on exploited targets. Vulnerable versions of Juju and ABRT (again!) are covered, as well as some older versions of glibc’s shared library. May come in handy on your next engagement!

Keep in the Know

A friendly reminder that the Metasploit team has multiple ways to keep up with what’s going on. To learn about new work (and see some of it demonstrated!), check out our YouTube channel. You can also visit the Metasploit Framework GitHub account and look at pull request (PR) and issue activity. If you have questions or want to learn more, the Rapid7 Knowledge Base is a good place to visit. There’s also a Slack workspace if you prefer a chat (and IRC, if that’s more your jam). And you can follow along with us on Twitter, as well!

New Modules

Exploit modules (4 new)


Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you’d like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.


Author: Pearce Berry