Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Friday, November 16, 2018

Threat Hunting Tools

Here are some collections from Internet about Threat Hunting tools, information and resources.

1. Kansa

Tuesday, November 13, 2018

IBM Data Security Product Guardium Resources

IBM Security Guardium is designed to help safeguard critical data. Guardium is a comprehensive data protection platform that enables security teams to automatically analyze what is happening in sensitive-data environments (databases, data warehouses, big data platforms, cloud environments, files systems, and so on) to help minimize risk, protect sensitive data from internal and external threats, and seamlessly adapt to IT changes that may impact data security. Guardium helps ensure the integrity of information in data centers and automate compliance controls.
The IBM Security Guardium solution is offered in two versions:
  • IBM Security Guardium Database Activity Monitoring (DAM)
  • IBM Security Guardium File Activity Monitoring (FAM) - Use Guardium file activity monitoring to extend monitoring capabilities to file servers.


https://www.securitylearningacademy.com/local/navigator/index.php?search=Guardium&level=top


IBM Security Learning :
Guardium Administrator

Monday, October 29, 2018

Security Events and Data Breaches in 2018, 2017, 2016, 2015, 2014

World's Biggest Data Breaches
Thanks to Lewis Morgan, social media manager at IT Governance. He has compiled this list by month and year since 2014, might be earlier. What I did is to put his month or year list into my this post and count the numbers for leaked records which some of them were missing from original post.

Here are leaked records numbers since 2014:



2018
List of data breaches and cyber attacks in September 2018 – 925,633,824 records leaked
List of data breaches and cyber attacks August 2018 – 215,000,000 records leaked
List of data breaches and cyber attacks in July 2018 – 139,731,894 million records leaked
List of data breaches and cyber attacks in June 2018 – 145,942,680 records leaked
List of data breaches and cyber attacks in May 2018 – 17,273,571 records leaked
List of data breaches and cyber attacks in April 2018 – 72,611,721 records leaked
List of data breaches and cyber attacks in March 2018 - 20,836,531 records leaked
List of data breaches and cyber attacks in February 2018 - 2,234,633 records leaked
List of data breaches and cyber attacks in January 2018 - 7,073,069 records leaked


Thursday, October 25, 2018

Gartner Magic Quadrant for Intrusion Detection and Prevention Systems (2018, 2017, 2015, 2013, 2012, 2010 ...)

According to Gartner, “The network intrusion prevention system market has undergone dynamic
evolution, increasingly being absorbed by next-generation firewall placements. Nextgeneration
IPSs are available for the best protection, but the IPS market is being pressured by the uptake of
advanced threat defense solutions.

This Magic Quadrant focuses on the market for stand-alone IDPS (IDP / IPS) appliances; however, IDPS capabilities are also delivered as functionality in other network security products. Network IDPSs are provided within a next-generation firewall (NGFW), which is the evolution of enterprise-class network firewalls, and include application awareness and policy control, as well as the integration of network IDPSs (IDP / IPS)

2018
Gartner has named McAfee (StoneSoft), Cisco (SourceFire), Trend Micro as a Magic Quadrant Leader in 2018 for Intrusion Detection and Prevention Systems (IDPS). (In 2013, McAfee acquired Stonesoft, and Cisco acquired Sourcefire. In 2015, Trend Micro acquired HP TippingPoint at $300M.)



Tuesday, October 23, 2018

Threat Modeling

This post is to collect Internet resources regarding threat modeling. There are some other similar posts regarding Threat Intelligence and Threat hunting. Search my blog you will find more. 


Threat Modeling Methodologies for IT Purposes
Conceptually a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Based on volume of published online content, the four methodologies discussed below are the most well known.


Wednesday, October 17, 2018

Canada CRA Email / Message Scam Example and Phone Call Scam Fraud Recording 2018

One of the top scams happening in Canada is CRA Scam, also called Income Tax Scams. Over $5 million was lost to income tax scams in 2017. The Canada Revenue Agency (CRA) is warning Canadians to be careful of emails, voice mails, even mail claiming to be from the CRA. These are phishing scams that could result in identity thefts. Email scams may also contain embedded malware, or malicious software, that can harm your computer and put your personal information at risk of compromise. The CRA does not email Canadians and request personal information.

Recently, I collected some of real samples happened to me from those scammers.

1. CRA Email Scam

I got an email from a email address starts with CRA-NoticeSecured-Taxinfo, with an attachment inside. But it actually from some weird domain aprobacion.x7.io. The email says Canada Revenue Agency has sent you an INTERAC e-Transfer with amount $782.57.


Thursday, October 11, 2018

Qualys Guard Tips and Tricks

The Qualys Cloud Platform and its integrated apps can simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. Qualys Scanner Appliance is an option with the Qualys Cloud Platform. With the Qualys Scanner Appliance, you can easily assess internal network devices, systems and web applications.  This post summarize some of my experience with Qualys Guard service from Qualys Scanner Appliance.

1. Assetview Tag 

Asset Search - Dynamic Rule
Search all assets found / scanned in last 90 days:

Thursday, October 4, 2018

Gartner Magic Quadrant for Web Application Firewalls (2018,2017,2016)

A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.

According to Gartner, by 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection, and WAFs. This is an increase from fewer than 10% today.

2018

On August 2018, Gartner’s released their latest Magic Quadrant report for Web Application Firewalls. Only Imperva and Akamai are in the Leaders quadrant. F5 has been moved out from Leaders quadrant to challengers. Other vendors , such as Fortinet, Cloudflare, Barracuda, Citrix, are not changed much and still in challengers. Oracle and Radware are in Visionaries quadrant.

Tuesday, October 2, 2018

Install T-Pot into Google Cloud Platform VM Instance

T-Pot is a honeypot platform built on Ubuntu with Dock technology. Latest version is 17.10 and OS is Ubuntu 16.04. The minimum system requirement is at least 2GB RAM and 40GB disk space.

There are some other posts online to show how to install T-Pot into cloud virtual machine instance. Unfortunately, I failed so many times and got a error message 'could not find authrized_keys at .ssh folder'. Eventually I found issue is with the user I were using. If I create a new user and add it into sudo group, and install T-Pot after log in as that new user, the installation process is quite smooth.

Here is all steps I did. Hopefully it helps when you try this awesome honeypot.


1. Create a VM


2. Update your Ubuntu instance


[email protected]:~$ sudo apt-get update
[email protected]:~$ sudo apt-get upgrade
[email protected]:~$ sudo apt-get dist-upgrade


Thursday, September 27, 2018

Cisco Web Security Appliance (WSA) S190 - Web GUI

Cisco® Web Security Appliance (WSA) offers malware protection, application visibility and control, acceptable use policy controls, insightful reporting and secure mobility to enterprise network. 

The Cisco WSA is a forward proxy that can be deployed in either Explicit mode (proxy automatic configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings) or Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers). WCCP-compatible devices, such as Cisco Catalyst® 6000 Series Switches, Cisco ASR 1000 Series Aggregation Services Routers, Cisco Integrated Services Routers, and Cisco ASA 5500-X Series Next-Generation Firewalls, reroute web traffic to the Cisco WSA. The Cisco WSA can proxy HTTP, HTTPS, SOCKS, native FTP, and FTP over HTTP traffic to deliver additional capabilities such as data-loss prevention, mobile user security, and advanced visibility and control. Cisco provides hardware appliances (Cisco S690, Cisco S690X, Cisco S680, Cisco S390, Cisco S380, Cisco S190, Cisco S170) and virtual appliances WSAV (S000v, S100v, S300v) for different requirements. In this post, S190 will be used to show the how web gui looks like.
The Cisco S190 appliance is typically installed as an additional layer in the network between clients and the Internet.


Model
Disk Space
RAID Mirroring
Memory
CPUs
SMB and Branch
S190
1.2TB
(2x600 GB SAS)
Yes (RAID 1)
8 GB, DDR4
1 x 1.9 Ghz, 6C


Depending on how you deploy the appliance, you may or may not need a Layer 4 (L4) switch or a WCCP router to direct client traffic to the appliance.
Deployment options include:

  • Transparent Proxy—Web proxy with an L4 switch 
  • Transparent Proxy—Web proxy with a WCCP router 
  • Explicit Forward Proxy—Connection to a network switch 
  • L4 Traffic Monitor—Ethernet tap (simplex or duplex)


Wednesday, September 26, 2018

How to Find Out Windows Process Sending Traffic, Especially ICMP Packets

There are a number of different ways to find out which process is sending tcp / udp traffic in computer systems, but not much for icmp traffic.

Here is a summary for the ways to do it.

1. Install a local firewall

You could always try installing a firewall that blocks outgoing traffic or use the Windows Firewall. When the traffic is generated, it could prompt you asking whether you want to allow it or not. In many cases, it will tell you what application is generating the traffic.


Wednesday, August 8, 2018

Symantec Diagnostic Tool - SymDiag Usage Guide

The Symantec Diagnostic Tool (SymDiag) is a multi-product, multi-language diagnostic, and security analysis utility. SymDiag is provides self-help support for Symantec product technical issues, zero-day threat analysis, best practice recommendations, and proactive services to customers. If you require further assistance, SymDiag lowers the level of effort and increases efficiency by automating data gathering and support case submission.

SymDiag support most of popular OS including Windows, Linux and Mac. SymDiag supports the following Symantec products:
  • Advanced Threat Protection (Linux)
  • Data Center Security Management Server
  • Data Loss Prevention 11.0 and later
  • Encryption Powered by PGP
  • Endpoint Encryption
  • Endpoint Protection 11.0 and later*
  • Endpoint Protection Small Business Edition (.Cloud)
  • Endpoint Protection Cloud
  • Mail Security for Microsoft Exchange 6.5.2 and later*
  • Messaging Gateway
  • Protection Engine
  • Unified Agent
  • VIP Access


In order to generate a Symantec Endpoint Protection support package. In order to perform this, the following steps must be completed as follows,

n  Download the SymDiag tool from the following URL

Friday, July 20, 2018

NSS Labs NGFW Security Value Map Report (2018, 2017, 2016, 2014, 2013, 2012, 2011)


The NGFW is the first line of defense to protect against today’s evolving threats and is a critical component of any defense-in-depth strategy.  The NSS Labs NGFW test methodology has evolved from the previous testing to reflect the threat landscape and therefore, this latest testing includes SSL inspection.  This is an important key test factor because most vendors see huge performance impacts when SSL is turned on, preventing them from publishing SSL performance on their datasheets.  With the expanded use of secure sockets layer (SSL)/transport layer security (TLS) in the traffic traversing the modern network, an NGFW must be able to inspect encrypted content. NSS Labs evaluated firewall products with 190 different evasion techniques, more than 2,000 exploit tests and throughput tests.

NSS Labs regularly released NGFW Security Value Map™, Comparative Analysis Reports, and Product Analysis Reports.  These results help guide security professionals in the enterprise to make informed decisions when evaluating the many offerings in the industry.

NSS Labs designed the test to focus on the following four areas:
  •     Security effectiveness
  •     Performance
  •     Stability
  •     Total Cost of Ownership (TCO)

2018

Security Value Map™ Next Generation Firewall (NGFW) April 30, 2018
Products Tested
• Barracuda Networks F600.E20 v6.1.1-071
• Check Point Software Technologies 13800 NGFW Appliance vR77.20
• Cisco ASA 5585-X SSP-60 v5.4.0.3
• Cisco FirePOWER Appliance 8350 v5.4.0.3
• Cyberoam – Cyberoam CR2500iNG-XP v10.6.3
• Dell SonicWALL SuperMassive E10800 SonicOS Enhanced v6.0.1.13-177o
• Forcepoint Stonesoft Next-Generation Firewall 1402 v5.8.5
• Fortinet FortiGate 3200D v5.2.4, build 5069
• Hillstone Networks SG-6000-E5960 v5.5 SG6000-M-2-5.5R1P2.2
• Huawei Technologies USG6650 vV500R001C00SPC010T
• Juniper Networks SRX5400E JUNOS Software Release 12.3X48
• Palo Alto Networks PA-7050 v6.0.11-h1
• WatchGuard Technologies XTM 1525 v11.9.4 build 486684

Friday, July 13, 2018

Check Your Site Vulnerability if Listing on Bounty Site.

As long as your web application published on Internet, one day it will face the hackers scanning. There is no 100% security and you always want to find out the vulnerability first before it can be exploited. There are many bounty programs online to attract hackers to search those vulnerabilities and publish out, also notify web master. Open Bug Bounty is one of them and probably most popular one.

1. Open Bug Bounty Website
Started in June 2014, Open Bug Bounty is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. Open Bug Bounty’s coordinated vulnerability disclosure platform allows any security researcher reporting a vulnerability on any website as long as the vulnerability is discovered without any intrusive testing techniques and is submitted following responsible disclosure guidelines.

Sunday, July 8, 2018

Sumuri Paladin 7 Forensics Suite Basic Usage

PALADIN is a bootable forensic Linux distribution based on Ubuntu and is developed and provided as a courtesy by SUMURI. The boot process has been modified to assure that the internal or external media of computers and devices are not modified or mounted. PALADIN is available as an ISO which can be used to make a bootable DVD or USB. Once booted, the user will find a host of pre-compiled open-source forensic tools that can be used to perform various tasks.


Boot Sumuri Paladin Live Session into Forensics Mode:
1_forensic_mode
Boot Screen

Monday, June 11, 2018

Basic Procedures to Troubleshoot an Infected Computer

Today received a report from user, computer is slow and seems have been infected with unknown virus or malware. No special symptoms except slow.

1. Check task manager and resource monitor

There is a process smss.exe which description is "Microsoft ? Console Based Script Host " using almost 75% CPU all the time.

From task manager, I found system was rebooted a couple of hours ago at very early morning and user was not around.

Also, no matter how you ended this process, it will come back in 10 seconds and take your CPU away and use about 4M your memory.



Tuesday, June 5, 2018

Gartner Magic Quadrant for Identity Governance and Administration (2018,2017,2016,2015,2013)

IGA (Identify Governance and Administration) is a central component of Identity and Access Management (IAM) designed to “manage digital identity and access rights across multiple systems and applications.”  Identity Governance and Administration solutions achieve this by aggregating and correlating identity and permissions data found throughout an enterprise’s digital ecosystem, and then utilizing that data to perform its core functions.

Gartner considers IGA’s core functions to include access requests, access certification, auditing, reporting and analytics, workflow management, entitlement management, and identity life cycle management.  Gartner evaluates IGA (Identity Governance and Administration) vendors based on the completeness of their vision and their ability to execute on their vision and roadmap.


2018
The vendors are in Leaders quadrant:

  • Oracle
  • IBM
  • SailPoint
  • One Identity
  • CA Technologies
  • Saviynt


Saturday, May 26, 2018

CISO Leadership Mind Map

SANS Cisco Mind Map
A CISO (Chief Information Security Officer) has a complex role within a company. They have a wide array of tasks to perform, that involves many differing parts, which the average individual is not always aware of.

CISO Mind Map is an overview of responsibilities and ever expanding role of the CISO.  This Security Leadership poster made by SANS shows exactly the matters a CISO needs to mind when creating a world class IT Security team. It also highlights the essential features necessary of a Security Operations Centre (SOC).


Thursday, April 19, 2018

Gartner Magic Quadrant for Access Management (2017,2016,2015 )


Today’s businesses require secure 24/7 access to their cloud applications and data, and require more than Web Single Sign-On to propel their business forward. The world has changed, allowing an almost infinite number of identities and accounts on different platforms and devices including cloud, mobile, social, and personal networks. Having an identity and access management strategy in place is more important than ever.



2017 
Gartner recently named following vendors as  a leader in its first “Magic Quadrant for Access Management, Worldwide 2017.”

  • Microsoft
  • Okta
  • CA Technologies
  • Oracle
  • IBM
  • Ping Identity





Tuesday, April 17, 2018

Install OpenVAS on Ubuntu


OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Networks' commercial vulnerability management solution from which developments are contributed to the Open Source community since 2009.

1. Install dependencies