Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Thursday, February 22, 2018

Top Security Events / Vulnerabilities in 2018, 2017, 2016, 2015, 2014

Here is a list of  top vulnerabilities found since 2015, which I am still working on to compile them together. It will come from different sources and includes those which I believe it is worth taking a note here.


2018

  1. Jan 3,  Spectre and Meltdown vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
  2. Jan 29,  Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability


Installation and Configuration of Sophos Enterprise Console 5.1 in your Networks - 2. Configuration

Continue with previous post "Installation and Configuration of Sophos Enterprise Console 5.1 in your Networks - 1. Installation"


Steps: 
After the installation of the Sophos Enterprise Console you had logged off.
Now you logged in and the Console starts automatically.
This Windows will appear:


image001


Installation and Configuration of Sophos Enterprise Console 5.1 in your Networks - 1. Installation

This post is a detail documentation how to install Sophos Enterprise Console 5.1 in your networks.


Pre-Requirements:
  1. copy the Sophos Enterprise Console to the Server (ProdInstall\Sophos\Sophos Console\sec_5.1.exe)
  2. check if you are able to connect to the infrastructure server like this: http://IP Server:8085
  3. A webpage like this should be shown to you:



Tuesday, February 20, 2018

OWASP Top 10 (2010, 2013, 2017)

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to providing unbiased, practical information about application security. 
The OWASP Top 10 Web Application Security Risks was created  in 2010, 2013 and  2017 to provide guidance to developers and security professionals on the most critical vulnerabilities that are commonly found in web applications, which are also easy to exploit. These 10 application risks are dangerous because they may allow attackers to plant malware, steal data, or completely take over your computers or web servers.
Meeting OWASP Compliance Standards usually is the First Step Toward Secure Code.


Tuesday, February 6, 2018

Gartner Magic Quadrant for Endpoint Protection Platforms (2018,2017,2016,2015)

Research firm Gartner defines the Endpoint Protection Platform (EPP) market as one with offerings that "provide a collection of security capabilities to protect PCs, smartphones and tablets," which it said could include anti-malware, personal firewall, port and device control, and more.

The endpoint protection platform provides a collection of security capabilities to protect PCs, smartphones and tablets. Buyers of endpoint protection should investigate the quality of protection capabilities, the depth and breadth of features, and the ease of administration. The enterprise endpoint protection platform (EPP) is an integrated solution that has the following capabilities: anti-malware, personal firewall, port and device control. EPP solutions will also often include: vulnerability assessment, application control and application sandboxing, enterprise mobility management (EMM), typically in a parallel nonintegrated product, memory protection, behavioral monitoring of application code, endpoint detection and remediation technology full-disk and file encryption, also known as mobile data protection, endpoint data loss prevention (DLP).

2018

Symantec , Sophos and Trend Micro are in leaders quadrant. ESET is in Challengers.



Thursday, December 7, 2017

Cisco IOS Internet Key Exchange version 1 (IKEv1) Vulnerability and Fix

Cisco IKEv1 is still popular in VPN configuration. Most of my vpn configuration is based on IKE v1 although there are more demands for v2.  I had a post "Cisco Router IKE v2 Site to Site IPSec VPN Configuration" to quickly show what the difference is between v1 and v2, and how to do v2 configuration.  Recently some vulnerabilities scan tools raised a red flag to my IKE v1 configuration.

Symptoms 

There is IKE v1 vulnerability found and it lists severity level high.


Saturday, August 12, 2017

NSS Labs NGFW Security Value Map Report (2017, 2016, 2014, 2013, 2012, 2011)


It is good to compare with Gartner Magic Quadrant for Enterprise Network Firewall (2017, 2016, 2015, 2014, 2013, 2011, 2010) or Gartner Magic Quadrant for UTM (2017, 2016, 2015, 2014, 2013, 2012, 2010,...)

End users are finding that NGFWs are no longer as limiting in their performance or capability trade-offs as they once were. NSS Labs discovered that many enterprises are choosing NGFW over traditional firewalls for a variety of reasons without feeling that they are compromising on features or performance. Some NGFW solutions scale to tens of gigabits which satisfies the needs of all but the most demanding enterprise WAN connections.

NSS Labs regularly released NGFW Security Value Map™, Comparative Analysis Reports, and Product Analysis Reports.  These results help guide security professionals in the enterprise to make informed decisions when evaluating the many offerings in the industry.

NSS Labs designed the test to focus on the following four areas:
  •     Security effectiveness
  •     Performance
  •     Stability
  •     Total Cost of Ownership (TCO)
2017
June 06, 2017 (GLOBE NEWSWIRE) -- NSS Labs, Inc., the global leader in operationalizing cybersecurity, announced the results of its Next Generation Firewall (NGFW) Group Test.


Monday, July 24, 2017

Gartner Magic Quadrant for Enterprise Network Firewall (2017, 2016, 2015, 2014, 2013, 2011, 2010)

Based on Gartner's definition, the enterprise network firewall
" is composed primarily of purpose-built appliances for securing enterprise corporate networks. Products must be able to support single-enterprise firewall deployments and large and/or complex deployments, including branch offices, multitiered demilitarized zones (DMZs) and, increasingly, the option to include virtual versions for the data center. Customers should also have the option to deploy versions within Amazon Web Services (AWS) and Microsoft Azure public cloud environments. These products are accompanied by highly scalable (and granular) management and reporting consoles, and there is a range of offerings to support the network edge, the data center, branch offices and deployments within virtualized servers and the public cloud. "

Here is the difference from UTM appliance, which  UTM approaches are suitable for small or midsize businesses (SMBs), but not for the remainder of the enterprise market.

2017 Gartner Magic Quadrant for Enterprise Network Firewalls



2017 Gartner Magic Quadrant for Enterprise Network Firewalls

Gartner Magic Quadrant for Unified Threat Management (2017, 2016, 2015, 2014, 2013, 2012, 2010,...)

Gartner defines the unified threat management (UTM) market as multifunction network security products used by small or midsize businesses (SMBs) (< 1000 employees).

2017 Gartner Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls)

Not much changes from 2016.
2017 Gartner Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls)

Friday, February 10, 2017

Gartner Magic Quadrant for Intrusion Detection and Prevention Systems (2017, 2015, 2013, 2012, 2010 ...)


According to Gartner, “The network intrusion prevention system market has undergone dynamic
evolution, increasingly being absorbed by next-generation firewall placements. Nextgeneration
IPSs are available for the best protection, but the IPS market is being pressured by the uptake of
advanced threat defense solutions.

This Magic Quadrant focuses on the market for stand-alone IDPS appliances; however, IDPS capabilities are also delivered as functionality in other network security products. Network IDPSs are provided within a next-generation firewall (NGFW), which is the evolution of enterprise-class network firewalls, and include application awareness and policy control, as well as the integration of network IDPSs


2017


Gartner’s 2017 Magic Quadrant for Intrusion Detection and Prevention Systems (IDPS)



Cisco and Intel are still in leader quadrant, at the same time Trend Micro comes in as leader now. IBM becomes Challengers.

Sunday, April 17, 2016

Real-Time Cyber Attack Threat Map

More and more security companies use a webpage to show their monitored global security events such as the  Live Status of Cyber Attacks being launched from where and who is the target of that attack. It is become interesting by watching those websites. Actually those are not games but actually happening globally.


1.  Kaspersky CYBERTHREAT REAL-TIME MAP



Sunday, March 20, 2016

Ransomware Locked Files on My Test Machine

One of my test machines which I am using to download and test software from Internet was hit by Ransomware recently.

Check out what it did to my machine.

In most computer folders including c driver and d driver, even on the desktop, there are three following files which obviously is from hackers who is asking for money to decrypt your files.:
  • +REcovER+gdqvd+.txt
  • +REcovER+gdqvd+.html
  • +REcovER+gdqvd+.png
 

Tuesday, March 8, 2016

How Firewalls (Security Gateways) Handle the Packets? (Traffic Flow)






Different firewall (security gateway) vendor has different solution to handle the passing traffic. This post compiles some useful Internet posts that interpret major vendors' solutions including:
1. Checkpoint
2. Palo Alto
3. Fortigate
4. Cisco
5. Juniper
6. F5



1. Checkpoint Firewall Packets Flow:

Here is official Check Point R77 Packet Flow Diagram from sk116255 updated April 2017:


Note: Checkpoint can define destination NAT happens at client side (default) or server side. Source NAT always at outbound, and ACL is checked before NAT. More details are on SK85460

Monday, February 8, 2016

Gartner Magic Quadrant for Mobile Data Protection (2015, 2014, 2013, 2012, 2011..., 2006)

According to Gartner, "Mobile Data Protection (MDP) systems and procedures are needed to protect business data privacy, meet regulatory and contractual requirements, and comply with audits." Additionally, "Most companies, even if not in sensitive or regulated industries, recognize that encrypting business data is a best practice."

2015

Magic Quadrant for Mobile Data Protection Solutions 2015

Monday, December 21, 2015

My Top Network Security Tools

I listed some of my favorite and useful Internet websites and network tools in previous post which has been used in my daily IT life. There are some network security related tools I am using at my environment. This post is a summarize for those tools and also I am trying to extend this list to add more later.

  • Online Security Scanning
  • Online Website Security Vulnerabilities & Malware Scan
  • Free Security Check / Scanning Tools
  • Packets Capturing and Analysing Tools
  • TCP/UDP Tools
  • Integrity Check
  • Penetration Test Tools
  • Proxy Software
  • Network Automation Tools
  • Security Intelligence Tools
  • Security information and event management (SIEM) 
  • Encryption Tools
  • Windows System/Appication Test Software
  • Antivirus
  • Firewall Management Tools

Thursday, March 26, 2015

Troubleshooting Java HTTPS Security Warning Message

One of our Internal Website is always having a Security Warning message when using Internet Explorer https to it, but this message is not showing when using Google Chrome.

Symptoms:

As following screenshot shows, a pop-up window will ask you "Do you want to Continue? The connection to this website is untrusted".
 Click More Information link:
 The Warning message will warm you a Risk;

Monday, February 2, 2015

CVE-2015-0235: GHOST - A Critical Vulnerability in the Glibc Library


GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. If a remote attacker can make an application call to gethostbyname() or gethostbyname2(), this vulnerability allows the remote attacker to execute arbitrary code with the permissions of the user running the application.

GHOST was originally published by Red Hat as CVE-2015-0235: https://access.redhat.com/articles/1332213


1. Check Point Response to CVE-2015-0235 (glibc - GHOST)

Solution ID: sk104443
Severity: Low

IPS Protection: 

Check Point released "GNU C Library gethostbyname Buffer Overflow" IPS protection that protects customer environments.
This protection is part of the Recommended_Protection profile. It enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.

OS Level Protection: 


  • IPSO OS is not vulnerable.
  • While Check Point Gaia and SecurePlatform operating systems may be susceptible to CVE-2015-0235, there are no known exploits to Check Point software.


Hotfix Packages

Hotfix packages are available for R77.20R77.10R77R76,  and R75.47
R77.20R77.10R77R76R75.47
Gaia
SecurePlatform

2. Juniper: 2015-01 Out of Cycle Security Bulletin: GHOST glibc gethostbyname() buffer overflow vulnerability (CVE-2015-0235)

Vulnerable Products


  • Junos Space
  • CTPView
  • CTP
  • IDP-SA
  • SRC
  • NSM Appliance
  • JSA and STRM Series

SOLUTION:


  • Junos Space: PR 1060102 has been logged to resolve this issue.
  • IDP-SA: PR 1060071 has been logged to resolve this issue in IDP-OS.
  • CTPView: PR 1060060 has been logged to resolve this issue in CTPView.
  • CTP: PR 1060352 has been logged to resolve this issue in CTP-OS.
  • SRC: PR 1060350 has been logged to resolve this issue.
  • NSM Appliance: PR 1059948 has been logged to resolve this issue.
  • QFabric Director: gethostbyname() functions are used internally, but DNS name resolution is not supplied as a service on external ports.
  • Firefly Host/vGW: The C/C++ based daemon running on the vGW/FFH Security VM agent is not exploitable. Also, the vGW/FFH management system (SD VM) is Java based (Apache Java application server) is not applicable.
  • JSA and STRM: A fix is pending release.
  • IDP Anomaly: The IDP anomaly ​SMTP:OVERFLOW:COMMAND-LINE should cover the known SMTP variant of this vulnerability. For easy attack lookup, the Signatures team has linked CVE-2015-0235 as a reference to this anomaly and also made it part of the recommended policy. All these changes will be reflected in the next signature pack which is scheduled to release on 29-Jan-2015 at 12:00 PST.

WORKAROUND: General Mitigation:

The affected gethostbyname() functions are primarily called in response to references to DNS host names and addresses from the CLI or via services listening on the device.  ​Apply and maintain good security best current practices (BCPs) to limit the exploitable attack surface of critical infrastructure networking equipment.  Use access lists or firewall filters to limit access to networking equipment only from trusted, administrative networks or hosts.  This reduces the risk of remote malicious exploitation of the GHOST vulnerability.

3. Cisco : GNU glibc gethostbyname Function Buffer Overflow Vulnerability

Advisory ID: cisco-sa-20150128-ghost:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost

Workarounds: 

There are currently no network-based mitigations for this vulnerability or any mitigations that can be performed directly on affected systems.

Sunday, October 19, 2014

Poodle : New SSL 3.0 Bug (CVE-2014-3566)

Oct 14 2014, this bug CVE_2014-3566 has been found as a subtle but significant security weakness in version 3 of the SSL protocol. Severity level is Medium. Basically this vulnerability is not critical as Shellshock and Heartbleed

The vendors's Recommendations: 

1. Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)

a. Check Point Customers

  • Check Point products are not vulnerable to the “POODLE Bites” vulnerability (CVE-2014-3566). See our Security Alert: sk102989
  • Implement the IPS protection, CPAI-2014-1909, to detect or block the use of SSL 3.0
  • Configure Multi Portal, HTTPS Inspection, and Check Point OS to prevent web browser use of SSL 3.0

b. Non Check Point Customers

  • Use Active Directory Group Policy Objects to disable the use of SSL 3.0
  • Update your browser when a patch is available
  • Disable SSL 3.0 in your clients and servers
  • Test if your browser is vulnerable at www.poodletest.com
  • Test if a particular domain name is vulnerable at www.poodlescan.com

2. Juniper Responding:

a. Junos:

Junos OS will update OpenSSL to add support for SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) in a future release.

Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC), MAG Series:
Please refer to Pulse Secure TSB16540 for details on mitigating risk from this vulnerability.

b. ScreenOS:

A problem report has been submitted.  Development is in the process of evaluating the best method to resolve this issue.

c. Junos Space:

Disable SSLv3 by changing the following files.

/etc/httpd/conf.d/webProxy.conf
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/webConf/webProxyCertAuth.conf

The following line needs to be updated to remove references to SSLv3:

Original:
SSLProtocol -ALL +SSLv3 +TLSv1

Updated:
SSLProtocol -ALL +TLSv1

Restart httpd by typing 'service httpd restart'.

A future release of Junos Space will disable SSLv3 by default.

d. STRM/JSA Series:

Development is working on a patch to resolve this issue.

e. NSM3000/NSMXpress:

Edit /etc/httpd/conf/ssl.conf and change the SSLProtocol entry to:
SSLProtocol all -SSLv2 -SSLv3

f. IDP Signature:

Juniper has released signature SSL:AUDIT:SSL-V3-TRAFFIC in Sigpack 2430 to detect SSLv3 traffic.

3. Cisco Event Response: POODLE Vulnerability:

Details are in Cisco Page : 

 Vulnerable Products

Customers interested in tracking the progress of any of the following bugs can visit the Cisco Bug Search Tool to view the defect details and optionally select Save Bug and activate the Email Notification feature to receive automatic notifications when the bug is updated.

Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.
Collaboration and Social Media
Endpoint Clients and Client Software
Network Application, Service, and Acceleration
  • Cisco ACE 4710 Application Control Engine (A5) [CSCur27691]
  • Cisco ACE10 / ACE20 / 4710 (A3x) [CSCur27985]
  • Cisco ACE30 Application Control Engine Module [CSCur23683]
  • Cisco CSS 11500 Series Content Security Switch [CSCur27999]
Network and Content Security Devices
  • Cisco Adaptive Security Appliance (ASA) Software [CSCur23709]
  • Cisco Email Security Appliance (ESA) [CSCur27131]
  • Cisco Intrusion Prevention System Solutions (IPS) [CSCur29000]
  • Cisco Prime Security Manager (PRSM) [CSCur29172]
Network Management and Provisioning
Routing and Switching - Enterprise and Service Provider
  • Cisco Application Policy Infrastructure Controller (ACI/APIC) [CSCur28110]
  • Cisco IOS and Cisco IOS-XE (IOSd only) [CSCur23656]
  • Cisco Nexus 3000 Series Switches [CSCur28178]
  • Cisco Nexus 9000 (ACI/Fabric Switch) [CSCur28114]
  • Cisco Nexus 9000 Series (standalone, running NxOS) [CSCur28092]
Unified Computing
Voice and Unified Communications Devices
  • Cisco IM and Presence Service (CUPS) [CSCur33203]
  • Cisco Unified Communications Manager (CUCM) [CSCur23720]
Video, Streaming, TelePresence, and Transcoding Devices
  • Cisco TelePresence Advanced Media Gateway 3610 [CSCur33286]
  • Cisco TelePresence IP Gateway Series [CSCur33289]
  • Cisco TelePresence IP VCR Series [CSCur33294]
  • Cisco TelePresence ISDN Gateway [CSCur33282]
  • Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300) [CSCur33260]
  • Cisco TelePresence MSE 8050 Supervisor [CSCur33267]
  • Cisco TelePresence Serial Gateway Series [CSCur33297]
  • Cisco TelePresence Server 8710, 7010 [CSCur33274]
  • Cisco TelePresence Server on Multiparty Media 310, 320 [CSCur33274]
  • Cisco TelePresence Server on Virtual Machine [CSCur33274]
  • Cisco TelePresence Video Communication Server [CSCur23698]
Wireless
  • Cisco Wireless LAN Controller (WLC) [CSCur27551]
Cisco Hosted Services

4. Other Vendors

Apple has released a security update at the following link:Security Update 2014-005

Asterisk has released a security advisory at the following link:AST-2014-011

BlackBerry has released a security notice at the following link: KB36397

FreeBSD has released a VuXML document at the following link: OpenSSL -- multiple vulnerabilities


Microsoft has released a security advisory at the following link: 3009008

OpenSSL has released a security advisory at the following link: secadv_20141015

Oracle has released a security advisory at the following link:Cryptographic Issues vulnerability

Red Hat has released a CVE statement and security advisories for bug ID 1152789 at the following links: CVE-2014-3566RHSA-2014:1653, and RHSA-2014:1652


References:

a.  Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)

Friday, September 26, 2014

Shellshock (Bash Computer Bug) Exploited - Responding from Venders


Heartbleed Extension Vulnerability caused lots of worries for Internet system. The affects still do not go away and now Shellshock coming.  This latest vulnerability affects the command line software Bash operating at Linux , Unix and Mac OS X.


Vendors have been posting the patches and suggestions on their websites already. Here is some quick collections for my environment.


1. Checkpoint's Responding:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673

2. Cisco's Responding: 

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

3. Juniper's Responding:

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=RSS

4. Vmware:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740


Note: How it happened? (from Symantec)

An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.

Thursday, May 1, 2014

Reset SonicWall NSA 4500 to Factory Default Configuration

SonicWall NSA 4500 is Next-Generation Firewall features integrate intrusion prevention, gateway
anti-virus, anti-spyware and URL filtering with application intelligence and control, and SSL decryption to
block threats from entering the network and provide granular application control without compromising performance.

Here is the steps to reset SonicWall to factory default configuration:

SonicWALL security appliance has a special SafeMode which allows you to quickly recover from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page.

Step 1. 

Connect your management station to a LAN port (NSA 4500 is X0 port) on the SonicWALL security appliance and configure you management workstation IP address to 192.168.168.20/24.


Step 2. 

Use a narrow, straight object, like a straightened paper clip or a toothpick, to press and hold the reset button on the back of the security appliance for five to ten seconds. The reset button is in a small hole next to the console port or next to the power supply, depending on your SonicWALL security appliance model. 
The Test light starts blinking when the SonicWALL security appliance has rebooted into SafeMode.

Step 3. 

Connect to the SonicWALL management interface: Point the Web browser on your Workstation to 192.168.168.168. The SafeMode management interface displays. Choose Current firmware with Factory Default Settings and boot device.


Step 4. 

After system rebooted and came back online, using browser navigator to http://192.168.168.168 and log into authentication page with following default username/password based on your SonicWall device model:
The following list provides the factory default administrator (admin) username, password and IP address for all categories of SonicWALL appliances.
 NOTE: All IP addresses listed are in the 255.255.255.0 subnet mask.
Product
Default Username
Default Password
Default IP Address
SonicWALL FIREWALL (UTM) APPLIANCES
admin
password
192.168.168.168
SonicWALL CONTENT SECURITY MANAGER (CSM) APPLIANCES
admin
password
192.168.168.168
SonicWALL SMB SSL-VPN APPLIANCES
admin
password
192.168.200.1
SonicWALL Aventail EX Series SSL-VPN Appliances
admin (AMC), 
root (CLI)
Defined during 
initial configuration.
192.168.0.10 
(on internal interface)
SonicWALL  EMAIL SECURITY APPLIANCES
admin
password
192.168.168.169
SonicWALL CONTINUOUS DATA PROTECTION (CDP) APPLIANCES
admin
password
192.168.168.169
SonicWALL SonicPoint appliance
admin
password
192.168.1.20

Step 5. 

Check the default configuration.









NetSec Youtube Videos