This document discusses recommendations to improve defenses against rapid cyberattacks. It begins with a review of how rapid attacks work, then provides specific recommendations in four areas: attack surface reduction, lateral traversal/securing privileged access, business continuity/disaster recovery, and exploit mitigation. Potential blockers to implementing the recommendations are also identified relating to technology, processes, and stakeholder buy-in. Next steps include assigning action items identified in the meeting.
System Hardening Recommendations_FINAL (Martin Evans)
The document provides system hardening recommendations for Windows 7 workstations and Windows Server 2012 at Verisk Health. It includes recommendations for account policies, local policies, Windows Firewall settings, network list manager policies, and public key policies. The recommendations aim to enhance security by restricting user permissions, enabling encryption, and locking down network access and system objects. Implementing the changes would help protect sensitive data like PHI and PII but also require carefully considering each setting's potential impact.
This document provides a checklist for hardening the security of Windows Server systems. It outlines best practices for organizational security, preparing, installing, and configuring Windows Server, as well as user account, network, registry, and general security settings. It also addresses audit policy, software security, and finalization steps like imaging servers. Implementing the guidelines can help reduce security vulnerabilities and the risk of attacks compromising critical systems and data.
This document discusses strategies for hardening Windows operating systems and applications. It provides resources and guidelines for securing Microsoft OSes using tools like the Microsoft Security Compliance Manager and the Center for Internet Security benchmarks. Specific recommendations are given for mitigating risks from Java, Adobe Reader, and local administrator passwords, and for enabling full disk encryption with BitLocker. Troubleshooting tips are also included for addressing issues that may arise from an OS hardening project.
Avoid Meltdown from the Spectre - How to measure impact and track remediation (Qualys)
The recently disclosed Meltdown and Spectre vulnerabilities negatively impact the security of virtually every computer in the world today. These vulnerabilities allow an attacker to gain control of a computer's processor and steal data located on that computer. Organizations that store data in the cloud are particularly susceptible.
During this webcast, Jimmy Graham, Director of Product Management for Qualys Threat Protection and Asset Inventory, showcased solutions that can help you determine the impact of Spectre and Meltdown across your global IT environments.
Understand how:
• To quickly and easily visualize Spectre and Meltdown vulnerabilities within your environment
• To track remediation progress as you patch against Spectre and Meltdown
• The Qualys Asset Inventory and Threat Protection apps will help you automate detection and track remediation progress
Watch the on-demand webcast: https://goo.gl/6FQ6uJ
An Introduction to PowerShell for Security Assessments (EnclaveSecurity)
With the increased need for automation in operating systems, every platform now provides a native environment for automating repetitive tasks via scripts. Since 2007, Microsoft has gone "all in" with their PowerShell scripting environment, providing access to every facet of the Microsoft Windows operating system and services via a scriptable interface. Not only can administrators completely administer and audit an operating system from this shell, but most Microsoft services, such as Exchange, SQL Server, and SharePoint, as well. In this presentation James Tarala of Enclave Security will introduce students to using PowerShell scripts for assessing the security of these Microsoft services. Auditors, system administrators, penetration testers, and others will all learn practical techniques for using PowerShell to assess and secure these vital Windows services.
This document outlines security policies and procedures for Fermilab system administrators. It discusses the lab's strategy of integrated security management and defense in depth. System administrators are responsible for securing systems by applying patches, configuring systems securely, and communicating policies to users. All systems and users must meet baseline security requirements like using central authentication and keeping antivirus software up to date. System administrators must also monitor systems, report any suspicious activity, and help respond to security incidents.
Symantec Endpoint Protection (SEP) provides three layers of protection: network threat protection, proactive threat protection, and antivirus/antispyware protection. It combines essential threat protection technologies into a single client. The management console allows administrators to manage SEP and Symantec Network Access Control from a single interface, monitor security threats, and control user access. Installing SEP involves installing the manager software first, then the client software, accepting license agreements, selecting client types, and allowing the installation to complete and check for updates.
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center (Dsunte Wilson)
Protection Center lets you manage Symantec Endpoint Protection together with other Symantec products in a single environment. Symantec Endpoint Protection is integrated with Protection Center by means of a series of Web services.
These Web services provide communication between the Symantec Endpoint Protection Manager server and the Protection Center server.
Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines (Sree Harsha Boyapati)
This document provides best practices guidelines for Symantec Endpoint Protection Enterprise Edition. It discusses recommended settings for the SEPM architecture including content distribution, log retention, proxy/SMTP configuration, and backup procedures. It also recommends enabling auto-protect, scheduled scans, and updating definitions regularly for the antivirus/antispyware policy. For the firewall policy, it suggests starting with firewall disabled and IPS enabled, then increasing protection over time through testing. Location awareness can disable the firewall on the corporate network.
This guide was developed by TBL Network's team of engineers and partners with the understanding that there are many ways to solve for the CIS controls. Our team has thoughtfully mapped solutions that work together to meet the controls.
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for... (VMworld)
VMworld 2013
Merritte Stidston, McKesson
James Wiese, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting (Dsunte Wilson)
Symantec Endpoint Protection collects information about the security events in your network. You can use logs and reports to view these events, and you can use notifications to stay informed about the events as they occur.
The document outlines Vicky Ames' patch management program training. It discusses what patch management is, why it is important for addressing security issues, and the patches they apply for operating systems, web servers, databases and more. It also details how they manage patches on a monthly schedule, applying them to development, QA and production systems in phases. Responsibilities are divided between various teams, and future plans include adding Citrix systems and more third-party middleware.
The document proposes a system that uses isolation and intrusion detection techniques to provide resistance to attacks and rapid recovery. It isolates user data in a file system virtual machine and applications in virtual machine appliances. A network virtual machine incorporates intrusion detection and firewalls. Virtual machine contracts define acceptable behavior for network, file system, and resource access and limits. The network and file system virtual machines enforce the contract rules. The system is implemented using the Xen hypervisor and is evaluated for performance and effectiveness against attacks.
The document discusses the motivation, goals, background, architecture, evaluation plan, and plan of work for a system called the Rapid Recovery System that aims to provide strong protection of user data and rapid recovery from attacks through the use of virtual machine isolation and rollback capabilities. The system would isolate user data and applications into separate virtual machines with strict access controls to prevent malware from compromising data or taking control of the system, and allow quick restoration to previous known-good states. Evaluation of the system would assess its effectiveness against various attack scenarios, performance overhead, and ability to facilitate forensic analysis after attacks.
The Truth About Viruses on Power Systems - Powertech (HelpSystems)
It's time to take action: protect Power Systems servers and the network that connects to them.
Protecting your data from viruses or malicious code is not an unfamiliar concept, but understanding how these threats affect your Power Systems server may not be as easy to grasp. Many Power Systems managers still don't see viruses as a risk because they see them as a Windows threat. While this was once true, today's connected environments operate under different rules.
It's time to take action and protect IBM i, AIX, and the network that connects to them. Join noted cybersecurity expert Robin Tatam to find out common ways these business-critical operating systems may be vulnerable and how you can minimize your exposure to viruses. Learn the facts to ensure you are fully protected.
IANS Information Security Forum 2019 Summary (Karun Chennuri)
This document summarizes key sessions from the IANS Information Security Forum 2019 in Seattle. Session topics included the cloud security maturity roadmap, hybrid web application penetration testing, container security, and security tools for multi-cloud environments. Vendors also presented on topics like risk-based vulnerability management, network visibility, bot threats, and cyber exposure platforms. The executive summary highlighted presentations from security leaders at The Pokemon Company and Tanium on building successful security programs and responding to ransomware incidents.
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5 (AlienVault)
OSSIM v4.5 is here! With a focus on ease of use, better error control, and suggestions to make your security visibility more complete, OSSIM v4.5 works hard to save you time. Join us for this FREE user training session to learn more about what's new in OSSIM v4.5:
Streamline workflows: The more intuitive, easy to use, and consistent user interface helps you accomplish daily tasks in less time
Reduce blindspots: OSSIM v4.5 alerts you of network assets that aren't sending events to OSSIM so you can quickly add them
Avoid service disruptions: OSSIM v4.5 proactively alerts you of impending errors related to disk space utilization, IDS packet capture issues, etc.
Plus, we'll give an overview of how you can improve threat detection and simplify incident response with the AlienVault Labs Threat Intelligence feed included in AlienVault Unified Security Management™ (USM).
0828 Windows Server 2008 New Security Features Discussion (Timothy Chen)
Windows Server 2008 includes several new security features to protect the operating system and applications. These include code integrity validation to prevent unauthorized code from loading, user access control to limit applications to standard user privileges, and network access protection to control network access based on the health status of client machines. The document also discusses improvements to application hardening, encryption technologies like BitLocker, and additional auditing capabilities in Windows Server 2008.
The document proposes a system called the Rapid Recovery System that uses virtual machine isolation and rollback capabilities to improve computer security and data protection. The goals are to (1) provide attack resistance and rapid recovery, (2) isolate and protect user data from attacks, and (3) provide automatic and user-triggered checkpoints. The system would use virtual machine monitors and appliances with separate network and file system VMs to detect anomalies and roll back to known good states. An evaluation plan is outlined to test performance, functionality, and defenses against common attack categories.
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management (Dsunte Wilson)
You can centrally manage all types of servers from the Admin page in the Symantec Endpoint Protection Manager Console.
The Admin page, under View Servers, lists the following groupings:
■ Local Site: the console on the local site, databases, replication partners (such as other consoles whose databases replicate), and optional Enforcers
■ Remote Sites: the console on any remote site, databases, replication partners (such as other management servers whose databases replicate), and optional Enforcers
SYMANTEC ENDPOINT PROTECTION Administration Introduction (Dsunte Wilson)
Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers, and servers in your network against malware.
Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats.
The document discusses security mechanisms in Linux operating systems. It covers access control modules, including audit, access control, and role-based access control modules. It also discusses security models like DAC, MAC, RBAC and how they integrate with the operating system's security tag library and audit log. The principles of least privilege, separation of duties and simplicity are important to the design.
This document provides information about Symantec Endpoint Protection version 12.1 RU6 MP6, including minor updates for Mac and Windows support, as well as noting that this will be the last version to support certain older operating systems and migration from older versions of SEP. It also lists some fixes for issues encountered in previous versions.
James Jara Portfolio 2014 - InfoSec White Paper - Part 5 (James Jara)
The document provides a step-by-step guide for securing a company's IT architecture. It outlines creating a network and system administration policy, mapping out the company's IT elements, and then securing each element. Key steps include applying security through obscurity, hardening operating systems and services, updating software, and implementing monitoring, backups, and disaster recovery policies. Specific recommendations are given for securing SSH, Postfix, NFS, Apache, and PHP.
Business continuity planning involves creating a logistical plan for how an organization will recover from a disaster in a predetermined time. Disaster recovery planning addresses procedures for recovering critical business functions after an interruption. The document discusses business continuity planning lifecycles, objectives of business continuity and disaster recovery plans, developing and testing plans, differentiating business continuity and disaster recovery plans, types of backups and disaster recovery plans, recovery time objectives and recovery point objectives, threats to organizations, and risk analysis and planning considerations.
TECHNICAL BRIEF Protecting & Migrating Legacy Windows OSes (Symantec)
End of Support is Not the End of Business
Businesses need to be prepared for the end of support of operating systems (OSes), especially if the OS is used enterprise-wide or runs business critical applications, as is the case with Microsoft® Windows XP® and Windows Server® 2003.
As you know, Microsoft ended support for Windows XP on 8 April 2014, and will similarly pull the plug on Windows Server 2003 on 14 July 2015. Without any security patches, Microsoft has cautioned that "PCs running Windows XP after April 8, 2014 should not be considered to be protected".
However, many organisations stick with their legacy Windows systems, even after support ends. Changing an OS across the entire organisation opens up the risk of downtime for mission critical applications. Migrating to a new OS is also manpower-intensive, and could easily lead to time and cost overruns.
Not surprisingly, companies see very little incentive to replace an unsupported but still functional OS until there is an overwhelmingly urgent need to do so. In addition, their business may be dependent on old, proprietary applications that cannot run on newer platforms. Yet, it's crucial for organisations to understand the risks of running an out-of-support OS against the costs and effort of migrating to a new one.
Symantec Endpoint Protection (SEP) provides three layers of protection: network threat protection, proactive threat protection, and antivirus/antispyware protection. It combines essential threat protection technologies into a single client. The management console allows administrators to manage SEP and Symantec Network Access Control from a single interface, monitor security threats, and control user access. Installing SEP involves installing the manager software first, then the client software, accepting license agreements, selecting client types, and allowing the installation to complete and check for updates.
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection CenterDsunte Wilson
Â
Protection Center lets you manage Symantec Endpoint Protection together with other Symantec products in a single environment. Symantec Endpoint Protection is integrated with Protection Center by means of a series of Web services.
These Web services provide communication between the Symantec Endpoint Protection Manager server and the Protection Center server.
Symantec Endpoint Protection Enterprise Edition Best Practices GuidelinesSree Harsha Boyapati
Â
This document provides best practices guidelines for Symantec Endpoint Protection Enterprise Edition. It discusses recommended settings for the SEPM architecture including content distribution, log retention, proxy/SMTP configuration, and backup procedures. It also recommends enabling auto-protect, scheduled scans, and updating definitions regularly for the antivirus/antispyware policy. For the firewall policy, it suggests starting with firewall disabled and IPS enabled, then increasing protection over time through testing. Location awareness can disable the firewall on the corporate network.
This guide was developed by TBL Networkâs team of engineers and partners with the understanding that there are many ways to solve for the CIS controls. Our team has thoughtfully mapped solutions that work together to meet the controls.
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
Â
VMworld 2013
Merritte Stidston, McKesson
James Wiese, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and ReportingDsunte Wilson
Â
Symantec Endpoint Protection collects information about the security events in your network. You can use log and reports to view these events, and you can use notifications to stay informed about the events as they occur.
The document outlines Vicky Ames' patch management program training. It discusses what patch management is, why it is important for addressing security issues, and the patches they apply for operating systems, web servers, databases and more. It also details how they manage patches on a monthly schedule, applying them to development, QA and production systems in phases. Responsibilities are divided between various teams, and future plans include adding Citrix systems and more third-party middleware.
The document proposes a system that uses isolation and intrusion detection techniques to provide resistance to attacks and rapid recovery. It isolates user data in a file system virtual machine and applications in virtual machine appliances. A network virtual machine incorporates intrusion detection and firewalls. Virtual machine contracts define acceptable behavior for network, file system, and resource access and limits. The network and file system virtual machines enforce the contract rules. The system is implemented using the Xen hypervisor and is evaluated for performance and effectiveness against attacks.
The document discusses the motivation, goals, background, architecture, evaluation plan, and plan of work for a system called the Rapid Recovery System that aims to provide strong protection of user data and rapid recovery from attacks through the use of virtual machine isolation and rollback capabilities. The system would isolate user data and applications into separate virtual machines with strict access controls to prevent malware from compromising data or taking control of the system, and allow quick restoration to previous known-good states. Evaluation of the system would assess its effectiveness against various attack scenarios, performance overhead, and ability to facilitate forensic analysis after attacks.
The Truth About Viruses on Power Systems - PowertechHelpSystems
Â
It's time to take action: protect Power Systems servers and the network that connects to them.
Protecting your data from viruses or malicious code is not an unfamiliar concept, but understanding how these threats affect your Power Systems server may not be as easy to grasp. Many Power Systems managers still don't see viruses as a risk because they see them as a Windows threat. While this was once true, today's connected environments operate under different rules.
It's time to take action and protect IBM i, AIX, and the network that connects to them. Join noted cybersecurity expert Robin Tatam to find out common ways these business-critical operating systems may be vulnerable and how you can minimize your exposure to viruses. Learn the facts to ensure you are fully protected.
IANS information security forum 2019 summaryKarun Chennuri
Â
This document summarizes key sessions from the IANS Information Security Forum 2019 in Seattle. Session topics included the cloud security maturity roadmap, hybrid web application penetration testing, container security, and security tools for multi-cloud environments. Vendors also presented on topics like risk-based vulnerability management, network visibility, bot threats, and cyber exposure platforms. The executive summary highlighted presentations from security leaders at The Pokemon Company and Tanium on building successful security programs and responding to ransomware incidents.
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5AlienVault
Â
OSSIM v4.5 is here! With a focus on ease of use, better error control, and suggestions to make your security visibility more complete, OSSIM v4.5 works hard to save you time. Join us for this FREE user training session to learn more about what's new in OSSIM v4.5:
Streamline workflows: The more intuitive, easy to use, and consistent user interface helps you accomplish daily tasks in less time
Reduce blindspots: OSSIM v4.5 alerts you of network assets that aren't sending events to OSSIM so you can quickly add them
Avoid service disruptions: OSSIM v4.5 proactively alerts you of impending errors related to disk space utilization, IDS packet capture issues, etc.
Plus, we'll give an overview of how you can improve threat detection and simplify incident response with the AlienVault Labs Threat Intelligence feed included in AlienVault Unified Security Management⢠USM).
0828 Windows Server 2008 ć°ĺŽĺ ¨ĺč˝ć˘č¨Timothy Chen
Â
Windows Server 2008 includes several new security features to protect the operating system and applications. These include code integrity validation to prevent unauthorized code from loading, user access control to limit applications to standard user privileges, and network access protection to control network access based on the health status of client machines. The document also discusses improvements to application hardening, encryption technologies like BitLocker, and additional auditing capabilities in Windows Server 2008.
The document proposes a system called the Rapid Recovery System that uses virtual machine isolation and rollback capabilities to improve computer security and data protection. The goals are to (1) provide attack resistance and rapid recovery, (2) isolate and protect user data from attacks, and (3) provide automatic and user-triggered checkpoints. The system would use virtual machine monitors and appliances with separate network and file system VMs to detect anomalies and roll back to known good states. An evaluation plan is outlined to test performance, functionality, and defenses against common attack categories.
SYMANTEC ENDPOINT PROTECTION Performing Server and Database ManagementDsunte Wilson
Â
You can centrally manage all types of servers from the Admin page in the Symantec Endpoint Protection Manager Console.
The Admin page, under View Servers, lists the following groupings:
â Local Site
The console on the local site, databases, replication partners, such as other consoles whose databases replicate, and optional Enforcers
â Remote Sites
The console on any remote site, databases, replication partners, such as other management servers whose databases replicate, and optional Enforcers
SYMANTEC ENDPOINT PROTECTION Administration IntroductionDsunte Wilson
Â
Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers, and servers in your network against malware.
Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats.
The document discusses security mechanisms in Linux operating systems. It covers access control modules, including audit, access control, and role-based access control modules. It also discusses security models like DAC, MAC, RBAC and how they integrate with the operating system's security tag library and audit log. The principles of least privilege, separation of duties and simplicity are important to the design.
This document provides information about Symantec Endpoint Protection version 12.1 RU6 MP6, including minor updates for Mac and Windows support, as well as noting that this will be the last version to support certain older operating systems and migration from older versions of SEP. It also lists some fixes for issues encountered in previous versions.
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara
Â
The document provides a step-by-step guide for securing a company's IT architecture. It outlines creating a network and system administration policy, mapping out the company's IT elements, and then securing each element. Key steps include applying security through obscurity, hardening operating systems and services, updating software, and implementing monitoring, backups, and disaster recovery policies. Specific recommendations are given for securing SSH, Postfix, NFS, Apache, and PHP.
Business continuity planning involves creating a logistical plan for how an organization will recover from a disaster in a predetermined time. Disaster recovery planning addresses procedures for recovering critical business functions after an interruption. The document discusses business continuity planning lifecycles, objectives of business continuity and disaster recovery plans, developing and testing plans, differentiating business continuity and disaster recovery plans, types of backups and disaster recovery plans, recovery time objectives and recovery point objectives, threats to organizations, and risk analysis and planning considerations.
TECHNICAL BRIEF: Protecting & Migrating Legacy Windows OSes, by Symantec
End of Support is Not the End of Business
Businesses need to be prepared for the end of support of operating systems (OSes), especially if the OS is used enterprise-wide or runs business critical applications, such as Microsoft® Windows XP® and Windows Server® 2003.
As you know, Microsoft ended support for Windows XP on 8 April 2014, and will similarly pull the plug on Windows Server 2003 on 14 July 2015. Without any security patches, Microsoft has cautioned that "PCs running Windows XP after April 8, 2014 should not be considered to be protected".
However, many organisations stick with their legacy Windows systems, even after support ends. Changing an OS across the entire organisation opens up the risk of downtime for mission critical applications. Migrating to a new OS is also manpower-intensive, and could easily lead to time and cost overruns.
Not surprisingly, companies see very little incentive to replace an unsupported but still functional OS until there is an overwhelmingly urgent need to do so. In addition, their business may be dependent on old, proprietary applications that cannot run on newer platforms. Yet it's crucial for organisations to understand the risks of running an out-of-support OS against the costs and effort of migrating to a new one.
Website security is a critical issue that needs to be considered in order to run your online business healthily and smoothly. It is a very difficult situation when the security of a website is compromised by a brute-force or other kind of attack on your web creation. It not only consumes all your resources but creates heavy log dumps on the server, which cause your website to stop working.
Recent studies have suggested backup and recovery modules that should be installed into your website to take timely backups of the website to third-party servers that are outside the attacker's reach. The studies also suggested different types of recovery methods such as incremental backups, decremental backups, differential backups and remote backup.
Moreover, these studies suggested that Rsync be used to reduce the transferred data efficiently. The experimental results show that the remote backup and recovery system can work fast and can meet the requirements of website protection. An automatic backup and recovery system for a website not only plays an important role in the web defence system but is also the last line for disaster recovery.
This paper suggests different approaches that can be incorporated in the WordPress CMS to make it healthy, secure and prepared for web attacks. The paper discusses the various attacks that can be made on a CMS, together with possible solutions and preventive mechanisms.
Some of the proposed security measures:
1. Secret login screen
2. Blocking bad bots
3. Changing DB prefixes
4. Protecting configuration files
5. Two-factor security
6. Flight mode in web servers
7. Protecting the .htaccess file itself
8. Detecting vulnerabilities
9. Unauthorized access made to the system checker
However, this is to be done by balancing the trade-off between website security and the backup/recovery modules of a website, as measures taken to secure a web page should not affect the user's experience or the recovery modules.
This document summarizes a presentation on threat modeling for web application deployment. The presentation introduces threat modeling and provides a real-world example of threat modeling an e-commerce site. Key steps in the threat modeling methodology include information gathering, analysis of users, assets, and threats, and defining mitigation strategies. The example analyzes threats to an online store's users, entry points, and remaining assets, and defines mitigation strategies like restricting access, reducing the attack surface, and securing the application and database.
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template..., by powerofgametest
The document provides recommendations to implement a zero trust security model including enabling AMSI for Office VBA, implementing advanced email security using Defender for Office 365, enabling attack surface reduction rules to block common attacks, and auditing and monitoring to detect deviations and potential attacks. It also recommends applying these best practices to all endpoints, maintaining software and security updates, isolating or retiring insecure systems, blocking unexpected traffic, and continuing to audit and monitor.
This document discusses tools and techniques for assessing and hardening Microsoft systems against common vulnerabilities. It describes Microsoft tools like the Microsoft Baseline Security Analyzer (MBSA) that can identify vulnerabilities in Windows systems. It also outlines vulnerabilities in various Microsoft services and protocols like SMB, IIS, and SQL Server. The document concludes with best practices for securing Microsoft systems like regular patching, antivirus software, logging and monitoring, and disabling unused services.
Ch08 Microsoft Operating System Vulnerabilities, by phanleson
This document discusses tools and techniques for assessing and hardening Microsoft systems against common vulnerabilities. It describes Microsoft tools like the Microsoft Baseline Security Analyzer (MBSA) that can identify vulnerabilities related to patches, passwords, and insecure configurations. It also discusses vulnerabilities in Microsoft operating systems, services like IIS and SQL Server, and protocols like SMB/CIFS. The document provides best practices for securing Microsoft systems such as regular patching, antivirus software, logging and monitoring, disabling unused services, and enforcing strong passwords.
How to bring down your own RTC platform. Sandro Gauci, by Alan Quayle
Sandro Gauci provides a walkthrough for performing distributed denial of service (DDoS) simulations on real-time communication (RTC) platforms to test security. He recommends starting with simple bandwidth saturation or protocol attacks before moving to specific application attacks. Tools are needed to distribute attacks from nodes, monitor systems, and shut down attacks. Findings should be analyzed with engineers through root cause analysis and documented. Solutions may include updates, rate limiting, or code changes. Regular testing ensures a more robust RTC platform.
TADSummit 2022 - How to bring your own RTC platform down, by Sandro Gauci
Running DDoS simulations on your own.
Why would you want to do such a thing?
Preparing for destruction
Running the tests: best practices
What happens after the fact
Moving forward towards more robust RTC
Network Diagram of a company ABCD Roshan basnet it 29, by rosu555
AUSTECH pharmaceutical company is planning to expand its operations by opening a new branch office. It wants to centralize its servers in the head office located in North Sydney to manage the network infrastructure across locations. The key servers implemented include a domain controller, print server, proxy server, and exchange server. The company will apply the same network design at the new branch but update devices as needed. It has identified various IT and disaster recovery risks and developed contingency plans to address threats that could disrupt operations.
1. Security and vulnerability assessment analysis tool - Microsoft.docx, by paynetawnya
1. Security and vulnerability assessment analysis tool - Microsoft Baseline Security Analyzer (MBSA) for Windows OS
Locate and launch the MBSA CLI.
Check the computer for common security misconfigurations.
MBSA will by default select the Windows VM WINATCK01 for scanning.
While scanning the Windows VM WINATCK01: Security Assessment Report
2 security updates are missing. ACTION: requires immediate installation to protect the computer.
1 update roll-up is missing. ACTION: obtain and install the latest service pack or update roll-up by using the download link.
Administrative Vulnerabilities
More than 2 administrators were found on the computer. ACTION: keep the number to a minimum because administrators have complete control of the computer.
User accounts have non-expiring passwords. ACTION: passwords should be changed regularly to prevent password attacks.
Windows Firewall is disabled and has exceptions configured.
GREAT! Auto logon is disabled (even if it is configured, the provided password is encrypted, not stored as text).
GREAT! Guest account is disabled on the computer.
GREAT! Anonymous access is restricted from the computer.
ADMINISTRATIVE SYSTEM INFORMATION: DANGER! Logon success and logon failure auditing is not enabled. ACTION: enable and turn on auditing for specific events such as logon and logoff to watch for unauthorized access.
3 shares are present. ACTION: review the list of shares and remove any shares that are not needed.
GREAT! Internet Explorer has secure settings for all users.
The following are to be included in the SAR:
a. Windows administrative vulnerabilities present: more than 2 administrators were found on the computer. It is advised to keep the number to a minimum because administrators have complete control of the computer.
b. Windows accounts were found to have non-expiring passwords, while passwords should be changed regularly to prevent password attacks. One user account has a blank or simple password or could not be analyzed.
c. The Windows OS has two security updates missing and so requires immediate installation to protect the computer. One update roll-up is missing, which requires that the latest service pack be obtained and installed, or the roll-up updated using the download link.
2. Security and vulnerability assessment analysis tool - OpenVAS for Linux OS
Use the ifconfig command in a terminal to check the IP address assigned to your Linux VM.
eth0 (the device name for Linux Ethernet cards) has an IP address that in this example is 172.21.20.185. The IP address 127.0.0.1 is the loopback address that points to the localhost, i.e. the computer that applications or commands are being run from. This address will be used to access the OpenVAS application on the VM.
Use the OpenVAS web interface, which is running on port 9392 and can be opened using the Mozilla Firefox browser.
After getting a security exception, add an exception.
Scan the IP address by typing 127.0.0.1 next to the "Start Scan" button, then click it.
...
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV, by Alexander Sverdlov
Incident Prevention and Incident Response presentation for a 4-hour workshop presented by Alexander Sverdlov @ PHDays 2014 (PHDays IV) in Moscow, Russia http://nopasara.com/services/information-security-incident-response/
The document discusses monitoring strategies for cloud infrastructure and applications. It notes that effective monitoring involves more than just collecting data and requires tiered escalation processes and incorporating lessons learned into policies. The document outlines key considerations for what to monitor including infrastructure, software services, and business processes. It also discusses challenges in monitoring cloud environments and strategies for adopting cloud-native monitoring tools.
The document discusses the top 10 vulnerabilities of databases. The most common is deployment failures where databases are not properly secured when deployed. Other vulnerabilities include broken authentication that allows worms like SQL Slammer to spread rapidly; data leaks through unencrypted network traffic; stolen backups; abuse of standard database features; lack of access controls; SQL injections; weak key management; and inconsistent security practices. Proper configuration such as encrypted connections, access control, and regular patching can help address many of these issues.
The document provides guidelines for secure coding. It discusses the evolution of software markets and increased security threats. Common web attacks like injection, broken authentication, and sensitive data exposure are explained. The OWASP Top 10 list of vulnerabilities is reviewed. The document emphasizes the importance of secure coding practices like input validation, output encoding, and using components with no known vulnerabilities. Following a secure coding lifestyle can help developers write more secure code and protect against attacks.
Introduction to Network and System Administration, by Duressa Teshome
The document provides an overview of computer networks and system administration. It defines what a computer network is and describes different types of networks including WANs, LANs, peer-to-peer networks, and the internet. It also discusses servers, switches, hubs and the roles and responsibilities of a system administrator. Key aspects of system administration include automating tasks, documenting all changes, communicating with users, securing systems, and planning for expected and unexpected issues.
Odoo ERP software
Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth.
The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently.
This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.
GraphSummit Paris - The art of the possible with Graph Technology, by Neo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges: from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Graspan: A Big Data System for Big Code Analysis, by Aftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS '17, Xi'an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS '17.
- Invited for presentation at SoCal PLS '16.
- Invited for poster presentation at PLDI SRC '16.
Artificial Intelligence and XPath Extension Functions, by Octavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris, by Neo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Discover the latest innovations from Neo4j, including the latest cloud integrations and product improvements that make Neo4j an essential choice for developers building applications with interconnected data and generative AI.
Why Mobile App Regression Testing is Critical for Sustained Success: A Detail..., by kalichargn70th171
A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.
What is Augmented Reality Image Tracking, by pavan998932
Augmented Reality (AR) Image Tracking is a technology that enables AR applications to recognize and track images in the real world, overlaying digital content onto them. This enhances the user's interaction with their environment by providing additional information and interactive elements directly tied to physical images.
Microservice Teams - How the cloud changes the way we work, by Sven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian's journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
DDS Security Version 1.2 was adopted in 2024. This revision strengthens support for long-running systems, adding new cryptographic algorithms, certificate revocation, and hardness against DoS attacks.
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions, by Peter Muessig
The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.
Transform Your Communication with Cloud-Based IVR Solutions, by TheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
5. RAPID: spreads through the enterprise in minutes (no time for human response processes)
AUTOMATED: no human interaction required after the attack cycle starts
DISRUPTIVE: intentional operational disruption via destruction/encryption of data/systems
7. Review: how rapid cyberattacks work
Recommend: specific measures to improve your defenses against rapid cyberattacks
Discover: potential blockers preventing you from implementing recommended mitigations
8. "New" attack innovations, massive impact
• Supply chain: attack started in the IT supply chain, not phishing or browsing
• Multi-technique: automated multiple traversal techniques effectively
• Fast: automatic propagation (worm behavior) left no time for security teams to react
• Destructive: destroyed assets (vs. silent theft or ransom demand)
  • Encrypted the master file table (MFT), making it costly/difficult to retrieve data
  • Replaced the boot record with malicious code, making the machine unbootable
9. Anatomy of a Petya attack
PREPARE (software vendor): 1. Attackers compromised the software update infrastructure for the MEDoc financial application
ENTER (device): 2. Trojan MEDoc update installed, launching malicious code
TRAVERSE (network & identity): 3. Multiple techniques used to spread rapidly:
• MS17-010 vulnerability (released March 2017)
• Credential theft and impersonation
EXECUTE:
• Cleared Windows event logs
• Encrypted MFT
• Made systems unbootable
• Other potential actions?
10. TRAVERSE (automated worm behavior)
1. TARGETING (network)
  1. Acquire IP addresses: • Servers & DCs: DHCP subnets • Other hosts: local network
  2. Validate IP addresses: • TCP/139 and TCP/445
  Connected shares
2. PRIVILEGE ACQUISITION
  Impersonation: 1. Impersonate current session (SYSTEM) 2. Impersonate other active local sessions (using token)
  Exploitation: • MS17-010 (ETERNALBLUE) → execute as SYSTEM on remote host
3. PROCESS EXECUTION
  Execution: • PSExec • WMIC
Note: Impersonation functionality has code similarities to Mimikatz
11. Targeted: targeted at specific organizations.
Offline recovery required: online backup servers were taken out. Needed off-site backups and printed documents for restore procedures.
Communications down: Office 365 online but Active Directory & Federation down. Used manual text messaging and Twitter.
Spread was inhibited by Windows 10's Secure Boot, Server Core, and Network Isolation.
Less widespread than WannaCrypt, but more severe.
14. Review: a. how rapid destruction attacks work; b. your current risk factors for rapid cyberattacks
Recommend: specific measures to improve your defenses against rapid cyberattacks
Discover: potential blockers preventing you from implementing recommended mitigations
15. Attack Surface Reduction: reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)
Lateral Traversal / Securing Privileged Access: mitigate the ability to traverse (spread) using impersonation and credential theft attacks
Business Continuity / Disaster Recovery (BC/DR): rapidly resume business operations after a destructive attack
Exploit mitigation: mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
16. Default recommendations
Direct attack mitigation, rapid enablement:
1. Create malware-resistant backups of your critical systems and data
2. Immediately deploy critical operating system security updates
3. Isolate (or retire) computers that cannot be updated and patched
4. Implement advanced e-mail and browser protections
5. Ensure the host anti-malware solution gets real-time blocking responses from the cloud
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts
Direct attack mitigation, longer enablement (30 days +):
1. Rapidly deploy all critical security updates
2. Validate your backups using standard restore procedures and tools
3. Disable unneeded legacy protocols
4. Discover and reduce broad permissions on file repositories
5. Stay current
18. Default recommendations mapped to the four areas (Attack Surface Reduction; Lateral Traversal / Securing Privileged Access; Business Continuity / Disaster Recovery (BC/DR); Exploit Mitigation)
Rapid enablement:
1. Create malware-resistant backups of your critical systems and data
2. Immediately deploy critical OS security updates
3. Isolate (or retire) computers that cannot be updated and patched
4. Implement advanced e-mail and browser protections
5. Host anti-malware gets real-time blocking from cloud
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts
Longer enablement:
1. Rapidly deploy all critical security updates
2. Validate your backups using standard restore procedures and tools
3. Disable unneeded legacy protocols
4. Discover and reduce broad permissions on file repositories
5. Stay current
19. Additional recommendations
1. Ensure outsourcing contracts and SLAs are compatible with rapid security response
2. Move critical workloads to SaaS and PaaS
3. Validate existing network controls (internet ingress, Lab/ICS/SCADA isolation)
4. Enable UEFI Secure Boot
5. Complete SPA roadmap Phase 2:
• Reduce attack surface for Active Directory, Domain Controllers, and Service Accounts
• Time-bound privileges (no permanent admins)
• Just Enough Admin (JEA) for DC maintenance
6. Protect backup and deployment systems from rapid destruction
7. Restrict inbound peer traffic on all workstations
8. Use application whitelisting
9. Remove local administrator privileges from end-users
10. Implement modern threat detection solutions
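Recommendations 6 and 7 of the default list (unique local administrator passwords, separated privileged accounts) and item 9 above (remove local admin rights from end-users) all reduce to the same per-host question: who holds local administrator rights, and how stale are the local admin passwords? The following PowerShell audit is an added example, not code from the deck or from Microsoft. It assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module), and the allow-list entries CONTOSO\Workstation Admins and the 30-day age threshold are hypothetical values to be replaced with your own standard.

```powershell
# Added example, not from the deck: audit local Administrators membership and the age
# of local administrator passwords on one Windows host.
# Assumes Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts module).
function Test-LocalAdminHygiene {
    [CmdletBinding()]
    param(
        # Principals allowed to hold local admin. These names are hypothetical;
        # replace with your own standard (e.g. the LAPS-managed account and a tiered admin group).
        [string[]]$AllowedMembers = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins'),
        # A local admin password older than this is neither rotated nor, with any confidence, unique.
        [int]$MaxPasswordAgeDays = 30
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Members of the built-in Administrators group, located by well-known SID so the
    #    check also works on localized Windows installs where the group name differs.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    foreach ($m in $members) {
        if ($AllowedMembers -notcontains $m.Name) {
            # Domain users or extra local accounts here are what recommendation 9 removes.
            $findings.Add("Unexpected local admin: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]")
        }
    }

    # 2. Local (non-domain) accounts with admin rights: flag stale or unset passwords.
    #    Uniqueness across hosts cannot be proven from one host; rotation (LAPS-style) is the control.
    $adminSids = @($members | ForEach-Object { $_.SID.Value })
    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled -or $adminSids -notcontains $u.SID.Value) { continue }
        if ($null -eq $u.PasswordLastSet) {
            $findings.Add("Local admin '$($u.Name)' has no password-set date recorded")
        } elseif ($u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $findings.Add("Local admin '$($u.Name)' password last set $($u.PasswordLastSet.ToString('yyyy-MM-dd')), older than $MaxPasswordAgeDays days")
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        AdminCount   = $members.Count
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

# Run locally; for fleet-wide coverage invoke it through Invoke-Command and collect the objects.
Test-LocalAdminHygiene | Format-List
```

The output object is deliberately structured (not just printed) so the same function can be fanned out with Invoke-Command and the Findings aggregated, which is what the "validation/enforcement of results" wording in the later recommendation cards asks for.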
20. Review: a. how rapid destruction attacks work; b. your current risk factors for rapid cyberattacks
Recommend: specific measures to improve your defenses against rapid cyberattacks
Discover: potential blockers preventing you from implementing recommended mitigations
22. You can't defeat the threats of the present with tools from the past
Photo credit: Wikimedia, Cannon from Galera Forte
23. We could patch 99%+ of our operating systems in 4 days if we had (or did)…
24. We could get all unsupported operating systems upgraded if we had (or did)…
25. We could deploy the credential theft recommendations if we had (or did)…
• Unique local administrator passwords on all systems (workstations, servers)
• Separate and protect privileged accounts
26. We could retire SMBv1, LM, and NTLMv1 if we had (or did)…
Dependency categories: TECHNOLOGY (platforms, tools, etc.), PROCESS (procedures, approvals, etc.), PEOPLE (stakeholder buy-in, funding, etc.)
Identifying dependencies / Removing dependencies
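The traversal stage on slide 10 (validating peers on TCP/139 and TCP/445, then MS17-010 over SMB and token impersonation) is exactly what the blocker on slide 26 (retiring SMBv1, LM and NTLMv1) and item 7 of the additional recommendations (restrict inbound peer traffic on workstations) are meant to remove. The following PowerShell check is an added example, not code from the deck or from Microsoft: it audits the three settings on one host and, with -Remediate, applies the hardening. It assumes Windows 8 / Server 2012 or later with the SmbShare and NetSecurity modules; the firewall rule name and the -Remediate / -IsFileServer switches are this example's own.

```powershell
# Added example, not from the deck: audit the legacy protocols and open peer ports that
# Petya-style worms rely on for traversal, and optionally remediate.
# Assumes Windows 8 / Server 2012 or later with the SmbShare and NetSecurity modules.
function Test-LegacyProtocolExposure {
    [CmdletBinding()]
    param(
        # Apply the hardening instead of only reporting (run elevated).
        [switch]$Remediate,
        # Servers that legitimately serve files must keep inbound SMB; workstations should not.
        [switch]$IsFileServer
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. SMBv1 server side: the protocol abused by MS17-010 / ETERNALBLUE.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol is enabled')
        if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }

    # 2. LM / NTLMv1 authentication. LmCompatibilityLevel 5 = send NTLMv2 only and refuse
    #    LM and NTLM (NTLMv1). When the value is absent the OS default applies; on modern
    #    Windows that is 3 (send NTLMv2 only, but still accept LM/NTLMv1 from clients).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $level) { $level = 3 }   # unset: treat as the default
    if ($level -lt 5) {
        $findings.Add("LmCompatibilityLevel is $level; LM/NTLMv1 responses may still be accepted")
        if ($Remediate) { Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord }
    }

    # 3. Inbound peer SMB on workstations (additional recommendation 7).
    #    The rule name is this example's own; adjust to your naming standard.
    $ruleName = 'Block inbound SMB from peers (added example)'
    if (-not $IsFileServer) {
        $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
        if (-not $rule) {
            $findings.Add('No firewall rule blocks inbound TCP/139 and TCP/445')
            if ($Remediate) {
                New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                    -LocalPort 139,445 -Action Block -Profile Domain,Private,Public | Out-Null
            }
        }
    }

    # 4. The host firewall must be on in every profile for rule 3 to mean anything.
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings.Add("Windows Firewall is disabled for the $($_.Name) profile")
        if ($Remediate) { Set-NetFirewallProfile -Name $_.Name -Enabled True }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

# Report only:
Test-LegacyProtocolExposure | Format-List
# Enforce on a workstation (elevated):  Test-LegacyProtocolExposure -Remediate
# Enforce on a file server (keeps SMB):  Test-LegacyProtocolExposure -Remediate -IsFileServer
```

Disabling the SMBv1 server setting stops the host from speaking SMBv1; removing the component altogether (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on Windows 10, or uninstalling the FS-SMB1 feature on Windows Server) is the stronger form and is what "retire" on slide 26 means in practice. Raising LmCompatibilityLevel to 5 is the setting most likely to hit the PROCESS and PEOPLE dependencies on the same slide, because any remaining device that can only do LM/NTLMv1 will fail to authenticate, which is why the function reports before it changes anything.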
28. Next steps
<Highlight any action items identified in the meeting.> Add customer specifics.
Action | Person responsible | Completion date
30. Default recommendations mapped to the four areas (Attack Surface Reduction; Lateral Traversal / Securing Privileged Access; Business Continuity / Disaster Recovery (BC/DR); Exploit Mitigation)
Rapid enablement:
1. Create malware-resistant backups of your critical systems and data
2. Immediately deploy critical OS security updates
3. Isolate (or retire) computers that cannot be updated and patched
4. Implement advanced e-mail and browser protections
5. Host anti-malware gets real-time blocking from cloud
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts
Longer enablement:
1. Rapidly deploy all critical security updates
2. Validate your backups using standard restore procedures and tools
3. Disable unneeded legacy protocols
4. Discover and reduce broad permissions on file repositories
5. Stay current
31. CRITICAL. Quick win (0 to 30 days)
Description: Critical operating system updates are applied to 99%+ of computers in 4 days or less.
• Policy and process are documented (including validation/enforcement of results)
• See the "Isolate (or retire) computers…" recommendation for handling exceptions
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
Expected organizational impact:
IT impact: IT processes and priorities may need to change to meet this objective.
User experience impact: reboot of workstations or servers can cause temporary application or workstation downtime for users.
Rationale: Critical vulnerabilities allow code execution without user interaction and can:
• Enable self-propagating malware (e.g. worms)
• Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
Note: Some guidance (ASD top 4 | Essential 8) recommends applying within 48 hours.
Operating system services (or daemons) are the ideal mechanism for rapid destruction attacks as they are always running and many accept inbound network traffic.
For Microsoft operating systems, Windows Update provides a rapid deployment capability.
32. Quick win (0 to 30 days)
Description: For systems that cannot apply critical OS security updates within 4 days, apply alternate mitigations:
• Upgrade any unsupported operating system to a current version
• Retire unsupported systems
• Fully isolate systems from the Internet and intranet / general-purpose networks
Rationale: Microsoft recognizes updating some operating systems is difficult because
• An unsupported operating system is required (for regulatory/support/etc. reasons)
• Reboots associated with updates incur costs from interrupting business operations
While these may be valid reasons for not updating, connected vulnerable systems create a major risk to the organization, as illustrated by two Petya cases:
Case 1: significant business impact (halted business operations) because business critical ICS/SCADA systems were infected from the corporate intranet.
Case 2: ICS/SCADA business operations continued because legacy systems were completely isolated on a separate, inaccessible network.
33. CRITICAL. 30 days +
Description: All applicable critical updates are applied to 99%+ of computers in 4 days or less.
• Policy and process are documented (including validation/enforcement of results)
• Systems with unsupported / end-of-life software products should be upgraded, isolated, or retired
• Capability to rapidly deploy emergency workarounds (scripts, settings, etc.)
Organizational impact:
IT impact: IT processes and priorities may need to change to meet this objective.
User experience impact: reboot of workstations or servers can cause temporary application or workstation downtime for users.
Rationale: Critical vulnerabilities allow code execution without user interaction and can:
• Facilitate rapid entry of any attack (such as browsing to a web page or opening email)
• Enable self-propagating malware (e.g. worms) if the application has a listening service/daemon
Note: Some guidance (ASD top 4 | Essential 8) recommends applying within 48 hours.
34. Stay current
Description:
• Adopt cloud services for workloads when available
• Use the latest operating system and applications to protect against modern threats:
  • Windows 10 for Windows workstations
  • Windows Server 2016 for Windows servers
  • Latest revisions of Linux, macOS, and router/switch/mobile device operating systems
Expected Organizational Impact:
User Impact: User education.
IT Impact: Deploying a new operating system and updating applications can have a significant impact on an organization, from deploying and upgrading to training.
Rationale:
• Cloud services have been largely unaffected by rapid destruction attacks
• Technology providers like Microsoft constantly invest in security to keep up with threats
• Effectively mitigating some attacks requires new approaches that are impractical to retrofit into older systems (such as TPM hardware-based security assurances)
• New capabilities frequently enable digital transformation initiatives that are top priority for CEOs at most organizations
Timeframe: 30 Days +
35. Recommendation roadmap: the four areas and the recommendations in each (item numbers as shown on the roadmap graphic)
Exploit Mitigation
1. Rapidly deploy all critical security updates
2. Immediately deploy critical OS security updates
3. Isolate (or retire) computers that cannot be updated and patched
5. Stay current
Business Continuity / Disaster Recovery (BC/DR)
1. Create malware-resistant backups of your critical systems and data
2. Validate your backups using standard restore procedures and tools
Lateral Traversal / Securing Privileged Access
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts
Attack Surface Reduction
3. Disable unneeded legacy protocols
4. Discover and reduce broad permissions on file repositories
4. Implement advanced e-mail and browser protections
5. Host anti-malware gets real-time blocking from cloud
36. Create malware-resistant backups of your critical systems and data
Description:
Protect critical systems against the effects of erasure/encryption:
• Automatically back up all critical data, critical systems, and their dependencies
• Protect critical backups against online deletion/encryption attacks (require multi-factor authentication to delete or modify them, or store the backups fully offline/off-site)
Expected Organizational Impact:
IT Impact: The level of impact will vary based on existing backup practices and may require changes to processes and/or backup technology.
Rationale:
Rapid destruction attacks typically take down all online services, including backup and deployment systems, slowing recovery of critical business systems. Recovering quickly requires that backups exist and are not deleted/encrypted by the attack.
Timeframe: Quick win (0 to 30 days). Cost: $
37. Validate your backups using standard restore procedures and tools
Description:
Validate your end-to-end recovery process:
• Include a "complete IT system down" scenario in Business Continuity / Disaster Recovery (BC/DR) exercises to build readiness for rapid destruction attacks
  • All on-premises services will be unavailable (including communications, identity systems, and file servers/SharePoint where the BC/DR procedures themselves may be stored)
• Regularly validate critical system backup files using standard restore procedures
• Evaluate the use of cloud backup/recovery capabilities like Azure Site Recovery
Expected Organizational Impact:
IT Impact: Minor impact for staff to perform backup validation and disaster recovery exercises. Recovery processes may need refinement and continued practice.
Rationale:
Petya exposed major challenges with recovery processes at most affected enterprises:
• Exercising restore procedures and tooling would avoid these by proactively exposing challenges before a real event
• Cloud services were largely unaffected by rapid destruction attacks
Note: This preparation also improves your resilience to ransomware attacks and natural disasters.
Timeframe: 30 Days +. Cost: $
39. Implement unique local administrator passwords on all systems
Description:
Ensure the local administrator account password on each system is unique:
• Unique random password for the Administrator account on each workstation
• Unique random password for the Administrator account on each server
• No other local administrator accounts should be active, enabled, or used
Key resources: LAPS | Securing Privileged Access Roadmap
Expected Organizational Impact:
User Impact: None
IT Impact: Deploy and configure the solution; update IT support processes/practices
Rationale:
• Attackers regularly exploit the presence of identical passwords on the local administrator account (across workstations and/or servers)
• While Petya required a local (or domain) account to be logged in and impersonated its credentials, the next attack will likely be able to use local accounts directly
• Targeted attacks regularly involve stealing and re-using local credentials
• The attack technique is automated in multiple tools (DeathStar | GoFetch)
Timeframe: Quick win (0 to 30 days)
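An added example, not from the deck, of checking the two halves of this recommendation: on a host, whether any local administrator other than the built-in RID-500 account is enabled; and in the domain, which computers have no LAPS-managed password at all. It assumes the Microsoft LAPS client with its schema extension (the `ms-Mcs-AdmPwdExpirationTime` attribute; the newer Windows LAPS uses `msLAPS-PasswordExpirationTime` instead) and the ActiveDirectory RSAT module.

```powershell
# Added example: local-admin hygiene on this host plus LAPS coverage across the domain.

function Get-LocalAdminAudit {
    # The built-in Administrator account always has RID 500; match on SID rather
    # than on name, because the account may have been renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $members = Get-LocalGroupMember -Group 'Administrators'

    # Any enabled *local* user in Administrators other than the RID-500 account
    # violates "no other local administrator accounts should be active".
    $extraLocalAdmins = foreach ($m in $members) {
        if ($m.PrincipalSource -ne 'Local' -or $m.ObjectClass -ne 'User') { continue }
        $u = Get-LocalUser -SID $m.SID
        if ($u.SID -ne $builtin.SID -and $u.Enabled) { $u.Name }
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        BuiltinAdminName = $builtin.Name
        BuiltinAdminOn   = $builtin.Enabled
        PasswordLastSet  = $builtin.PasswordLastSet   # should be recent if LAPS rotates it
        ExtraLocalAdmins = @($extraLocalAdmins)
    }
}

function Get-LapsCoverage {
    # A computer without the expiration attribute has never had a LAPS-managed
    # password set (policy not applied, client missing, or stale object).
    Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate |
      ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Name          = $_.Name
            LastLogonDate = $_.LastLogonDate
            LapsManaged   = [bool]$exp
            PwdExpires    = if ($exp) { [datetime]::FromFileTime([int64]$exp) } else { $null }
        }
      }
}

Get-LocalAdminAudit
# Active computers that LAPS does not cover are the ones sharing a password
Get-LapsCoverage | Where-Object { -not $_.LapsManaged } | Sort-Object LastLogonDate -Descending
```

Run the first function through your management tooling across the fleet and the second once per domain; a computer that logged on recently but shows `LapsManaged` false is the finding to chase, since it is exactly the host whose local Administrator password is still whatever the image or the last technician set it to.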
40. Separate and protect privileged accounts
Description:
Separate and protect privileged credentials from impersonation, theft, and re-use:
• Create separate accounts for privileged activities that are restricted from using e-mail and browsing the Internet
• Ensure privileged accounts are used only on trusted workstations (such as PAWs)
• Enforce multi-factor authentication on privileged accounts
Expected Organizational Impact:
User Impact: Privileged users' practices must be adjusted to the separate accounts and workstations.
IT Impact: The organization needs to deploy and maintain the new set of workstations.
Rationale:
• Impersonation and credential theft for privileged accounts leads to rapid organization compromise (and has been automated: DeathStar | GoFetch)
• Separating privileged accounts and workstations dramatically increases the cost of this attack:
  • Standard user tasks expose accounts and workstations to compromise through phishing attacks, drive-by download attacks, and many other Internet-based attacks
  • Purpose-built workstations are simpler to protect and discourage overuse of privileges
• These mitigations also protect against the most prevalent technique in targeted attacks
Timeframe: 30 Days +
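An added example (not from the deck) of measuring how far an environment is from this recommendation, using only on-premises Active Directory: it enumerates the members of the Tier-0 groups and, for each account, reports whether it is in Protected Users (which blocks NTLM, cached credentials, and delegation, limiting theft and re-use), whether it is pinned to specific workstations via the "Log On To" attribute (one way to enforce "only on trusted workstations"), and whether it is mail-enabled (a sign the account is also someone's daily driver). The group list is an assumption to extend with your own Tier-0 groups; MFA enforcement lives in the identity provider and is not visible from AD, so it is not checked here.

```powershell
# Added example: Tier-0 account review against the separation controls above.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'   # assumed list

# Protected Users exists on Server 2012 R2+ functional levels; tolerate its absence
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue).distinguishedName

$findings = foreach ($g in $tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
      Where-Object objectClass -eq 'user' |
      Get-ADUser -Properties LogonWorkstations, AccountNotDelegated, PasswordNeverExpires, LastLogonDate, EmailAddress |
      ForEach-Object {
        [pscustomobject]@{
            Group                = $g
            SamAccountName       = $_.SamAccountName
            InProtectedUsers     = ($protected -contains $_.DistinguishedName)
            PinnedToWorkstations = [bool]$_.LogonWorkstations   # "Log On To" restriction set
            NotDelegated         = $_.AccountNotDelegated       # "Account is sensitive and cannot be delegated"
            MailEnabled          = [bool]$_.EmailAddress        # privileged account should not receive e-mail
            PasswordNeverExpires = $_.PasswordNeverExpires
            LastLogonDate        = $_.LastLogonDate
        }
      }
}

# $false in the three control columns, or $true in the two hygiene columns, is work to do
$findings | Sort-Object SamAccountName, Group | Format-Table -AutoSize
$findings | Export-Csv -Path .\tier0-review.csv -NoTypeInformation
```

Accounts that appear here with `MailEnabled` true are the ones whose standard-user tasks (mail, browsing) expose a privileged credential to phishing and drive-by attacks; the remediation is a second, mail-less account for the privileged work, not removing the mailbox from the existing one.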
42. Disable unneeded legacy protocols
Description:
Disable legacy protocols that create unneeded attack surface:
• Server Message Block v1 (SMBv1)
• LanMan (LM) and NTLMv1 authentication
Expected Organizational Impact:
IT Impact: Inventory the environment and dependent devices, perform application compatibility testing, remediate legacy systems (upgrade/migrate/retire/etc.), and deploy the changes.
End users: Varies based on application dependencies, but should be minimal with an effective application testing plan.
Rationale:
Successful worms require vulnerabilities in "universally" available components (i.e. running on nearly all computers in nearly all enterprises). Unneeded legacy protocols that are broadly available therefore create significant organizational risk:
• SMBv1: a roughly 30-year-old protocol that Microsoft is removing from Windows and strongly recommends customers disable/remove (the MS17-010 vulnerability in SMBv1 was used in Petya)
• LanMan and NTLMv1: legacy authentication protocols with well-known and significant security weaknesses
Timeframe: 30 Days +
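An added example (not from the deck) of the inventory-then-disable sequence on a single file server, using the built-in SmbShare module and the LSA registry values behind the "LAN Manager authentication level" policy. It assumes Windows 10 / Server 2016 or later for SMB1 access auditing and an elevated session; in production the same settings are pushed by Group Policy, and the NTLM setting must reach domain controllers too, since they are the ones accepting the legacy responses.

```powershell
# Added example: find remaining SMBv1 clients, then disable SMBv1 and refuse LM/NTLMv1.

# --- 1. Inventory first: audit SMB1 access for a full business cycle before disabling ---
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
# Event 3000 in this log records each SMB1 connection; the first data field is the client address.
$smb1Clients = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique
"SMB1 clients still seen: $($smb1Clients -join ', ')"   # each one is a device to fix or retire first

# State before the change, for the change record
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
Get-SmbConnection | Select-Object ServerName, Dialect    # dialects this host uses as a *client*

# --- 2. Disable SMBv1 (server setting, then the component itself) ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Client/desktop SKUs; on Server use: Remove-WindowsFeature FS-SMB1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# --- 3. Refuse LM and NTLMv1 ---
# LmCompatibilityLevel 5 = send NTLMv2 responses only; refuse LM and NTLM(v1) as a server.
# NoLMHash 1 = stop storing the trivially crackable LM hash at the next password change.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5
Set-ItemProperty -Path $lsa -Name NoLMHash             -Type DWord -Value 1

# --- 4. Verify ---
Get-ItemProperty -Path $lsa | Select-Object LmCompatibilityLevel, NoLMHash
(Get-SmbServerConfiguration).EnableSMB1Protocol          # expect False
```

The audit step is what keeps this a "30 Days +" item rather than an outage: the devices that show up as SMB1 clients are typically printers, scanners, NAS appliances, and old embedded systems, and each needs a firmware update, a replacement, or an explicit risk acceptance before the protocol is switched off on the servers they talk to.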
43. Implement advanced e-mail and browser protections
Description:
E-mail: Implement advanced protections for phishing attacks that include:
• Attachment/URL "sandbox detonation": protect against unknown malware and viruses
• Time-of-click protection: rewrite links to protect against malicious links in e-mail messages at time of click (vs. only at time of send)
Browsing: Implement advanced browser protection solutions that include:
• Website analysis: identify known malicious sites and suspicious site behavior
• Download file analysis: evaluate downloaded files to warn if a file came from a known malicious site or is new/unknown (not on the list of popular programs)
Expected Organizational Impact:
User Impact: Minimal negative impact on end-user experience
IT Impact: Deployment and management associated with the solutions
Rationale:
While Petya (and WannaCry [unconfirmed]) did not start with e-mail or browsing, this is an extremely unusual phenomenon for cyber attacks.
• Phishing and browsers are overwhelmingly used for almost all other attack patterns, so they are very likely to be included in future attacks
Timeframe: Quick win (0 to 30 days)
44. Host anti-malware gets real-time blocking from the cloud
Description:
Ensure your host anti-malware solution gets real-time blocking responses from a cloud service.
Expected Organizational Impact:
User Impact: Minimal negative impact on end-user experience
IT Impact: Deployment and management associated with the solutions
Rationale:
• Rapid destruction attacks happen too fast for human response; you are reliant on automatic responses like those found in anti-malware solutions
• Because every second counts in these attacks, your AV should immediately get the latest signatures from the cloud when it detects suspicious behavior
• This feature (or similar) is available from several antivirus vendors (including the MAPS service for Windows Defender AV) but it is not always enabled in production
Timeframe: Quick win (0 to 30 days)
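An added example, not from the deck, of checking and enabling the Windows Defender Antivirus side of this on one host with the built-in Defender module (Windows 10 / Server 2016 and later). The values correspond to the "Join Microsoft MAPS", "Send file samples", and "cloud block level" policy settings; in production they are deployed by Group Policy or Intune, and the check function is what you run fleet-wide to find hosts where the feature is present but off.

```powershell
# Added example: verify, then enable, cloud-delivered blocking for Defender AV.

function Test-DefenderCloudProtection {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        RealTimeProtection  = $s.RealTimeProtectionEnabled
        MapsReporting       = $p.MAPSReporting          # 0 Disabled, 1 Basic, 2 Advanced
        SampleSubmission    = $p.SubmitSamplesConsent   # 0 Always prompt, 1 Safe samples, 2 Never, 3 All samples
        CloudBlockLevel     = $p.CloudBlockLevel        # 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance
        CloudTimeoutSeconds = 10 + $p.CloudExtendedTimeout   # 10 s base plus the configured extension (0-50)
        BlockAtFirstSeen    = -not $p.DisableBlockAtFirstSeen
        SignatureAgeDays    = $s.AntivirusSignatureAge
        # The deck's requirement: real-time protection on AND the cloud service consulted
        CloudBlockingOn     = ($s.RealTimeProtectionEnabled -and $p.MAPSReporting -ne 0)
    }
}

function Enable-DefenderCloudProtection {
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples `
                     -CloudBlockLevel High `
                     -CloudExtendedTimeout 50 `
                     -DisableBlockAtFirstSeen $false
}

$before = Test-DefenderCloudProtection
if (-not $before.CloudBlockingOn) { Enable-DefenderCloudProtection }
Test-DefenderCloudProtection
```

`MAPSReporting` of 0 is the state the rationale warns about: the engine is still scanning, but a first-seen file is judged only on local signatures, with no cloud verdict and no block-at-first-seen, so the host gets protection against a new sample only after the next signature update.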
45. Discover and reduce broad permissions on file repositories
Description:
Reduce risk from broad permissions:
1. Discover broad write/delete permissions on file shares, SharePoint, and other solutions
   • "Broad" is defined as many users having write/delete access to business-critical data
2. Reduce broad permissions (while meeting business collaboration requirements)
3. Configure continuous monitoring and/or ongoing discovery for broad permissions
Expected Organizational Impact:
IT Impact: Plan/implement processes (and optionally tools) to discover, reduce, and monitor broad permissions.
Rationale:
• Destructive attacks spread and encrypt data using compromised accounts/workstations
• Most ransomware encrypts files on all mapped drives, causing significant impact
• Petya attacks propagated using logged-in credentials
• Reducing these broad permissions can reduce the impact of destructive attacks
Timeframe: 30 Days +
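An added example (not from the deck) of step 1, discovery, on a Windows file server: it walks every non-administrative share and reports folders whose ACLs grant write, delete, or ownership rights to broad principals. The principal list and the scan depth are assumptions to adjust; a large site-wide group such as "All Staff" belongs on the list. Scheduling the script and diffing its CSV output against the previous run is one low-cost way to meet step 3.

```powershell
# Added example: find folders where broad groups can write, delete or change permissions.
$BroadPrincipals = @(                                   # assumed list; add your own large groups
    'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users", "$env:USERDOMAIN\Domain Computers"
)
# Rights that let a compromised account overwrite, encrypt, delete, or re-permission data.
# A -band against this mask also catches Modify and FullControl, which include these bits.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-BroadWriteAccess {
    param([Parameter(Mandatory)][string[]]$Path, [int]$Depth = 3)
    foreach ($root in $Path) {
        $dirs = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            $acl = Get-Acl -Path $d.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                $rights = [int]$ace.FileSystemRights
                # Negative values are generic rights (GENERIC_WRITE etc.); report them for manual review
                if ($rights -ge 0 -and ($rights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $d.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited     # $false = set explicitly here; the place to fix
                }
            }
        }
    }
}

# Scan every non-administrative share on this server and keep the result for diffing next run
$shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }
Find-BroadWriteAccess -Path $shares.Path |
    Sort-Object Path, Principal |
    Export-Csv -Path .\broad-write-access.csv -NoTypeInformation
```

Rows with `Inherited` false mark the folder where the broad ACE was actually granted; fixing that one entry cleans up everything below it, which is usually a far shorter remediation list than the raw row count suggests. Share-level permissions (`Get-SmbShareAccess`) are checked separately, since the effective right is the more restrictive of share and NTFS.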