Tuesday, November 19, 2019

Vulnerability: SSL/TLS use of weak RC4(Arcfour) cipher port 3389/tcp over SSL

Recently, during a vulnerability scan, an RC4 cipher was found in use on the SSL/TLS connection at port 3389. The solution given in the Qualys report does not clearly explain how to fix it. This post records some search results found online on how to fix this SSL/TLS RC4 cipher vulnerability.

SSL/TLS use of weak RC4(Arcfour) cipher port 3389/tcp over SSL

QID: 38601
Category: General remote services
CVE ID: CVE-2013-2566, CVE-2015-2808
Vendor Reference: -
Bugtraq ID: 91787, 58796, 73684
Service Modified: 05/10/2019
User Modified: -
Edited: No
PCI Vuln: Yes

Sunday, November 17, 2019

The rocket-fast Syslog Server - Rsyslog Client and Server Configuration

Rsyslog is an open source logging program and the most popular logging mechanism in a huge number of Linux distributions. It is also the default logging service in CentOS 7 and RHEL 7. The Rsyslog daemon in CentOS can be configured to run as a server in order to collect log messages from multiple network devices. In this post, I am using two CentOS 7 Linux machines to test Rsyslog as server and client.

The client machine will send its local logs to the remote central syslog server.
Both machines are running CentOS 7.

Bulk IP Reputation Check using Security Websites and Open Source Scripts

This topic has been haunting my mind for quite a while. As an information security guy, we get tons of reports about endpoint activities. One of them is the website IPs or URLs the endpoints were accessing. A typical abnormal network behaviour for an infected or compromised endpoint is a huge amount of access to malicious IPs or bad-reputation websites.

For many investigations, I can generate an IP list, but quickly finding out the reputation of each IP is a challenge for me.

That is why I am writing this post today. I am still checking those websites and scripts; hopefully I can get a good understanding and then come up with my own script to do this job.

Friday, November 15, 2019

CyberArk PAS Solution (Vault, PVWA, CPM, PSM) Installation

High Level Installation Steps:

Basically, follow the hardware requirements in the attached system requirements guide for hardware specs and the prerequisite software needed.
Enterprise Password Vault Solution (Vault, PVWA, CPM)
For the vaults:
- Install Windows 2012 R2 or Windows 2016
- Install at least .NET Framework 4.6.2 (if that or a greater version is not already included)
- DO NOT join it to the domain
- Install all the latest Windows OS patches
- Remove all protocols and services from the network card except TCP/IP version 4
- The rest is performed during the install

For the others:
- Install Windows 2012 R2 or Windows 2016
- Install at least .NET Framework 4.6.2 (if that or a greater version is not already included)
- Install all the latest Windows OS patches
- The rest is performed during the install, which includes:
  o Setting up the IIS role via the provided PVWA prerequisites script.

Thursday, November 14, 2019

CyberArk Quick Operation Handbook

This post is to show some quick steps for regular operation on my home CyberArk lab:

On board CyberArk End User

If your CyberArk has AD integrated, you will need to add this user to the proper CyberArk AD group. Usually, you will have three types of CyberArk AD user groups:

Wednesday, November 13, 2019

CyberArk PAS Solution Issues and Troubleshooting (PVWA, PSM, CPM)

This is my CyberArk learning post to record the issues I met while working on the CyberArk PAS (Privileged Account Security) Solution, which includes the following modules:

  • PVWA (Password Vault Web Access)
  • PSM (Privileged Session Manager)
  • CPM (Central Policy Manager)

Some of them can be easily fixed by changing group policy. Some of them relate to the RDS license.

Issue: This app has been blocked

1. Using PSM SSH to connect to a remote site but getting an error

Monday, November 11, 2019

Benchmark Linux Disk Read/Write Speed

hdparm is a command line utility to set and view hardware parameters of hard disk drives. It can also be used as a simple benchmarking tool.

Install hdparm

On CentOS/RHEL:
[[email protected] ~]# yum install hdparm

On Debian/Ubuntu:
[email protected]:~# apt-get install hdparm

Gartner Magic Quadrant for Endpoint Protection Platforms (2019,2018,2017,2016,2015)

Research firm Gartner defines the Endpoint Protection Platform (EPP) market as one with offerings that "provide a collection of security capabilities to protect PCs, smartphones and tablets," which it said could include anti-malware, personal firewall, port and device control, and more.

The endpoint protection platform provides a collection of security capabilities to protect PCs, smartphones and tablets. Buyers of endpoint protection should investigate the quality of protection capabilities, the depth and breadth of features, and the ease of administration. The enterprise endpoint protection platform (EPP) is an integrated solution that has the following capabilities: anti-malware, personal firewall, port and device control. EPP solutions will also often include: vulnerability assessment; application control and application sandboxing; enterprise mobility management (EMM), typically in a parallel non-integrated product; memory protection; behavioral monitoring of application code; endpoint detection and remediation technology; full-disk and file encryption, also known as mobile data protection; and endpoint data loss prevention (DLP).


Sunday, November 10, 2019

NIST CSF Core Notes

NIST Framework Components

The Cybersecurity Framework consists of three main components:

  • The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.
  • The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management.
  • Framework Profiles are an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.