Showing posts with label Security. Show all posts

Wednesday, December 12, 2018

Python Cyber Security Testing Tool Collection

Networking

Scapy: send, sniff, dissect and forge network packets. Usable interactively or as a library.
pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap.
libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission.
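As an added example (not code from the original post or from any of the projects above), here is what "forge" and "dissect" mean at the byte level: a pure-Python builder for an Ethernet/IPv4/ICMP echo request and a dissector that walks the frame back and verifies both checksums. It uses only the standard library, so it runs without Scapy or libpcap; the MAC and IP addresses are constructed sample values.

```python
import socket
import struct

# Added example: a minimal Ethernet/IPv4/ICMP forger and dissector, the kind
# of work Scapy and the libpcap/libdnet bindings do for you. Addresses used in
# the demo at the bottom are constructed sample values.


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                    ident: int, seq: int, payload: bytes, ttl: int = 64) -> bytes:
    """Forge an Ethernet frame carrying an IPv4 packet with an ICMP echo request."""
    # ICMP: type 8 (echo request), code 0, checksum placeholder, id, sequence
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]

    ver_ihl = (4 << 4) | 5                                        # IPv4, 20-byte header
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(icmp), 0x1234,
                     0x4000,                                      # flags: don't fragment
                     ttl, socket.IPPROTO_ICMP, 0,                 # checksum placeholder
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]

    return dst_mac + src_mac + b"\x08\x00" + ip + icmp             # EtherType 0x0800 = IPv4


def dissect(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> ICMP and verify both checksums."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)

    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    info = {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "proto": proto,
        # a header whose checksum field is correct sums to zero
        "ip_checksum_ok": ones_complement_checksum(ip[:ihl]) == 0,
    }
    if proto == socket.IPPROTO_ICMP:
        icmp = ip[ihl:total_len]
        icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update({"icmp_type": icmp_type, "icmp_code": code, "ident": ident,
                     "seq": seq, "payload": icmp[8:],
                     "icmp_checksum_ok": ones_complement_checksum(icmp) == 0})
    return info


if __name__ == "__main__":
    frame = build_icmp_echo(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                            "10.0.0.1", "10.0.0.2", 0x1A2B, 1, b"ping-test")
    print(dissect(frame))
```

Feed `dissect()` a frame captured with any of the libpcap bindings above and the same code applies; flipping a single payload byte makes `icmp_checksum_ok` go false while the IP header still verifies, which is the check a sniffer uses to tell corruption from deliberate forgery.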

Friday, December 7, 2018

Gartner Magic Quadrant for Identity Governance and Administration (2018,2017,2016,2015,2013)

IGA (Identity Governance and Administration) is a central component of Identity and Access Management (IAM) designed to “manage digital identity and access rights across multiple systems and applications.” Identity Governance and Administration solutions achieve this by aggregating and correlating identity and permissions data found throughout an enterprise’s digital ecosystem, and then using that data to perform their core functions.

Gartner considers IGA’s core functions to include access requests, access certification, auditing, reporting and analytics, workflow management, entitlement management, and identity life cycle management. Gartner evaluates IGA vendors based on the completeness of their vision and their ability to execute on that vision and roadmap.


2018
Compared with 2017, One Identity and Saviynt have moved into the Leaders quadrant from Challengers. Six vendors are in the Leaders quadrant:
  • Oracle since 2013
  • IBM since 2014
  • SailPoint since 2013
  • One Identity
  • CA Technologies
  • Saviynt


Gartner Magic Quadrant for Access Management (2018, 2017, 2016, 2015 )


Today’s businesses require secure 24/7 access to their cloud applications and data, and require more than Web Single Sign-On to propel their business forward. The world has changed, allowing an almost infinite number of identities and accounts on different platforms and devices including cloud, mobile, social, and personal networks. Having an identity and access management strategy in place is more important than ever.

2018 (Second Year)
CA has moved from Leaders to Visionaries. Micro Focus has moved from Challengers to Visionaries. Five Leaders in 2018:
  • Microsoft
  • Okta
  • IBM
  • Oracle
  • Ping Identity

Saturday, December 1, 2018

Gartner Magic Quadrant for Security Awareness Computer-Based Training (2018,2017,2016,2015,2014)

IT research and advisory firm Gartner, Inc. has evaluated different vendors in the Magic Quadrant for Security Awareness Computer-Based Training (CBT). Gartner’s evaluation criteria include market understanding, marketing strategy, sales strategy, product strategy and offering, business model, vertical/industry and geographic strategy, and innovation.

What is security awareness computer-based training?
End-user-focused security education and training is a rapidly growing market. Demand is fueled by the needs of security and risk management leaders to help influence the security behaviors of people. People impact security outcomes much more than any technology, policy or process. Interactive computer-based training (CBT) is a central component of a comprehensive security education and behavior management program. It is a mechanism for the delivery of a learning experience through computing devices, such as laptop computers, tablets, smartphones and Internet of Things (IoT) devices. The focus and structure of the content delivered by CBT vary, as do the duration of individual CBT modules and the type of computing endpoints supported. The market for CBT for security awareness is characterized by vendor portfolios that include ready-to-use, interactive software modules. These modules are available as internet-based services or on-premises deployments.

Tuesday, November 20, 2018

IBM Data Security Product Guardium Resources

IBM Security Guardium is designed to help safeguard critical data. Guardium is a comprehensive data protection platform that enables security teams to automatically analyze what is happening in sensitive-data environments (databases, data warehouses, big data platforms, cloud environments, file systems, and so on) to help minimize risk, protect sensitive data from internal and external threats, and seamlessly adapt to IT changes that may impact data security. Guardium helps ensure the integrity of information in data centers and automates compliance controls.
The IBM Security Guardium solution is offered in two versions:
  • IBM Security Guardium Database Activity Monitoring (DAM)
  • IBM Security Guardium File Activity Monitoring (FAM) - Use Guardium file activity monitoring to extend monitoring capabilities to file servers.

IBM Security Learning (Guardium):

IBM Security Guardium Analyzer

Monday, October 29, 2018

Security Events and Data Breaches in 2018, 2017, 2016, 2015, 2014

World's Biggest Data Breaches
Thanks to Lewis Morgan, social media manager at IT Governance. He has compiled this list by month and year since 2014, possibly earlier. What I did was put his monthly and yearly lists into this post and count the numbers of leaked records, some of which were missing from the original post.

Here are the leaked-record counts since 2014:

Thursday, October 25, 2018

Gartner Magic Quadrant for Intrusion Detection and Prevention Systems (2018, 2017, 2015, 2013, 2012, 2010 ...)

According to Gartner, “The network intrusion prevention system market has undergone dynamic evolution, increasingly being absorbed by next-generation firewall placements. Next-generation IPSs are available for the best protection, but the IPS market is being pressured by the uptake of advanced threat defense solutions.”

This Magic Quadrant focuses on the market for stand-alone IDPS (IDP / IPS) appliances; however, IDPS capabilities are also delivered as functionality in other network security products. Network IDPSs are provided within a next-generation firewall (NGFW), which is the evolution of enterprise-class network firewalls, and include application awareness and policy control, as well as the integration of network IDPSs (IDP / IPS).

2018
Gartner has named McAfee (Stonesoft), Cisco (Sourcefire) and Trend Micro as Magic Quadrant Leaders in 2018 for Intrusion Detection and Prevention Systems (IDPS). (In 2013, McAfee acquired Stonesoft and Cisco acquired Sourcefire. In 2015, Trend Micro acquired HP TippingPoint for $300M.)



Wednesday, October 17, 2018

Canada CRA Email / Message Scam Example and Phone Call Scam Fraud Recording 2018

One of the top scams happening in Canada is the CRA scam, also called the income tax scam. Over $5 million was lost to income tax scams in 2017. The Canada Revenue Agency (CRA) is warning Canadians to be careful of emails, voice mails, and even letters claiming to be from the CRA. These are phishing scams that can result in identity theft. Scam emails may also carry embedded malware, malicious software that can harm your computer and put your personal information at risk of compromise. The CRA does not email Canadians to request personal information.

Recently, I collected some real samples that were sent to me by those scammers.

1. CRA Email Scam

I got an email from an email address starting with CRA-NoticeSecured-Taxinfo, with an attachment inside. But it actually came from a strange domain, aprobacion.x7.io. The email says the Canada Revenue Agency has sent you an INTERAC e-Transfer in the amount of $782.57.
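The tells in that message (a brand name in the sender, a domain that is not the agency's, an e-Transfer lure, an attachment) are all visible in the headers before anyone opens it. As an added example, not part of the original post, here is a small triage check over a constructed message modelled on the one described above. Only the display name and the aprobacion.x7.io domain come from the post; the Reply-To address, body, attachment name and the CRA domain allowlist are assumptions made for the example.

```python
import email
import email.policy
from email.utils import parseaddr

# Added example, not part of the original post. SAMPLE_SCAM is a constructed
# message: the display name and sender domain follow the post, everything else
# (Reply-To, body, attachment) is made up for illustration.
SAMPLE_SCAM = b"""\
From: CRA-NoticeSecured-Taxinfo <CRA-NoticeSecured-Taxinfo@aprobacion.x7.io>
Reply-To: refunds@refunds-x7.example
Subject: Canada Revenue Agency has sent you an INTERAC e-Transfer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Canada Revenue Agency has sent you an INTERAC e-Transfer with amount $782.57.
Open the attached form to deposit the funds.

--b1
Content-Type: application/octet-stream; name="Interac_Transfer_Form.doc.js"
Content-Disposition: attachment; filename="Interac_Transfer_Form.doc.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

# Domains the CRA sends from. Assumption for this example; confirm against
# the agency's own published guidance before relying on it.
CRA_DOMAINS = {"cra-arc.gc.ca", "canada.ca"}
BRAND_WORDS = ("cra", "revenue", "interac")
RISKY_EXTENSIONS = (".js", ".vbs", ".exe", ".scr", ".hta", ".jar", ".lnk", ".iso", ".zip", ".rar")


def _domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _is_cra_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in CRA_DOMAINS)


def assess_message(raw: bytes) -> list:
    """Return (finding, detail) pairs; an empty list means nothing looked suspicious."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain_of(addr)
    local_part = addr.split("@")[0]
    # Brand words in the display name or local part, but not the brand's domain:
    # the classic display-name spoof.
    if any(w in (display + " " + local_part).lower() for w in BRAND_WORDS) and not _is_cra_domain(from_domain):
        findings.append(("brand-in-sender-but-foreign-domain", from_domain))

    reply_to = _domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_to and reply_to != from_domain:
        findings.append(("reply-to-domain-differs", reply_to))

    subject = str(msg.get("Subject", "")).lower()
    if "e-transfer" in subject and not _is_cra_domain(from_domain):
        findings.append(("e-transfer-lure", subject))

    # Script/executable/archive attachments are the usual malware carrier.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings


if __name__ == "__main__":
    for finding in assess_message(SAMPLE_SCAM):
        print("%-40s %s" % finding)
```

None of these checks prove a message is malicious on its own; a mail gateway would combine them with SPF/DKIM/DMARC results for the sending domain, but the sender-domain mismatch alone is enough to route a "CRA" e-Transfer notice to quarantine.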


Thursday, October 11, 2018

Qualys Guard Tips and Tricks

The Qualys Cloud Platform and its integrated apps can simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. The Qualys Scanner Appliance is an option with the Qualys Cloud Platform. With the Qualys Scanner Appliance, you can easily assess internal network devices, systems and web applications. This post summarizes some of my experience with the Qualys Guard service using the Qualys Scanner Appliance.

1. Assetview Tag 

Asset Search - Dynamic Rule
Search all assets found / scanned in last 90 days:

Thursday, October 4, 2018

Gartner Magic Quadrant for Web Application Firewalls (2018,2017,2016)

A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.
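As an added example, not taken from the post or from any WAF product, here is what "a set of rules applied to an HTTP conversation" looks like in practice: a toy rule engine that decodes each request field the way the application would and runs XSS and SQL injection patterns over it. The rules and the requests in the usage note are constructed for illustration; real products carry far larger signature sets, more normalization, and anomaly scoring on top.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Added example, not part of the original post or any product: an illustrative
# WAF-style rule set. Patterns are deliberately small and NOT a production
# signature set.
RULES = [
    ("sqli-tautology", re.compile(r"(?i)['\"]\s*or\s+\d+\s*=\s*\d+")),
    ("sqli-union",     re.compile(r"(?i)\bunion\b\s+(?:all\s+)?\bselect\b")),
    ("xss-tag",        re.compile(r"(?i)<\s*(?:script|img|svg|iframe|object)\b")),
    ("xss-handler",    re.compile(r"(?i)\bon(?:error|load|click|mouseover|focus)\s*=")),
    ("xss-uri",        re.compile(r"(?i)javascript\s*:")),
]


def normalize(value: str) -> str:
    """Decode twice so a double-URL-encoded payload (%253C -> %3C -> <) is seen as
    the application will eventually see it; collapsing whitespace defeats the
    simplest 'OR   1 = 1' spacing tricks. Without this step the same rules miss
    trivially encoded attacks, which is the most common WAF bypass."""
    decoded = unquote_plus(unquote_plus(value))
    return " ".join(decoded.split())


def inspect_request(method: str, path: str, query: str, body: str = "") -> list:
    """Return [(rule_id, location)] for every rule that fires on the decoded request.
    The WAF sits in front of the server as a reverse proxy, so the request is
    inspected before the application ever parses it."""
    fields = [("path", path)]
    fields += [("query:" + k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    if method.upper() in ("POST", "PUT", "PATCH"):
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]

    hits = []
    for location, raw in fields:
        value = normalize(raw)
        for rule_id, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_id, location))
    return hits


if __name__ == "__main__":
    # constructed requests: a tautology injection, a double-encoded script tag,
    # a clean search, and an img-onerror payload in a POST body
    print(inspect_request("GET", "/item", "id=1'+OR+1=1--"))
    print(inspect_request("GET", "/search", "q=%253Cscript%253Ealert(1)%253C%2Fscript%253E"))
    print(inspect_request("GET", "/search", "q=hello+world&page=2"))
    print(inspect_request("POST", "/profile", "", "bio=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"))
```

The second request is the one worth noticing: it only matches because `normalize()` decodes twice. A rule set is only as good as the normalization in front of it, which is why WAF evasion research concentrates on encodings, comment insertion and parser differences rather than on the patterns themselves.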

According to Gartner, by 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection, and WAFs. This is an increase from fewer than 10% today.

2018

In August 2018, Gartner released its latest Magic Quadrant report for Web Application Firewalls. Only Imperva and Akamai are in the Leaders quadrant. F5 has moved out of the Leaders quadrant to Challengers. Other vendors, such as Fortinet, Cloudflare, Barracuda and Citrix, have not changed much and remain Challengers. Oracle and Radware are in the Visionaries quadrant.

Tuesday, October 2, 2018

Install T-Pot into Google Cloud Platform VM Instance

T-Pot is a honeypot platform built on Ubuntu with Docker. The latest version is 17.10 and the OS is Ubuntu 16.04. The minimum system requirement is at least 2 GB RAM and 40 GB disk space.

There are some other posts online showing how to install T-Pot into a cloud virtual machine instance. Unfortunately, I failed many times and got the error message 'could not find authrized_keys at .ssh folder'. Eventually I found the issue was with the user I was using. If I create a new user, add it to the sudo group, and install T-Pot after logging in as that new user, the installation process is quite smooth.

Here are all the steps I did. Hopefully it helps when you try this awesome honeypot.


1. Create a VM


2. Update your Ubuntu instance


$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade


Thursday, September 27, 2018

Cisco Web Security Appliance (WSA) S190 - Web GUI

Cisco® IronPort Web Security Appliance (WSA) offers malware protection, application visibility and control, acceptable use policy controls, insightful reporting and secure mobility to enterprise networks.

The Cisco IronPort WSA is a forward proxy that can be deployed in either Explicit mode (proxy auto-configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings) or Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers). WCCP-compatible devices, such as Cisco Catalyst® 6000 Series Switches, Cisco ASR 1000 Series Aggregation Services Routers, Cisco Integrated Services Routers, and Cisco ASA 5500-X Series Next-Generation Firewalls, redirect web traffic to the Cisco WSA. The Cisco WSA can proxy HTTP, HTTPS, SOCKS, native FTP, and FTP over HTTP traffic to deliver additional capabilities such as data loss prevention, mobile user security, and advanced visibility and control. Cisco provides hardware appliances (S690, S690X, S680, S390, S380, S190, S170) and virtual appliances (WSAV: S000v, S100v, S300v) for different requirements. In this post, the S190 is used to show what the web GUI looks like.
The Cisco S190 appliance is typically installed as an additional layer in the network between clients and the Internet.


Model   Disk Space                 RAID Mirroring   Memory        CPUs
SMB and Branch
S190    1.2 TB (2 x 600 GB SAS)    Yes (RAID 1)     8 GB, DDR4    1 x 1.9 GHz, 6C


Depending on how you deploy the appliance, you may or may not need a Layer 4 (L4) switch or a WCCP router to direct client traffic to the appliance.
Deployment options include:

  • Transparent Proxy—Web proxy with an L4 switch 
  • Transparent Proxy—Web proxy with a WCCP router 
  • Explicit Forward Proxy—Connection to a network switch 
  • L4 Traffic Monitor—Ethernet tap (simplex or duplex)


Wednesday, September 26, 2018

How to Find Out Windows Process Sending Traffic, Especially ICMP Packets

There are a number of different ways to find out which process is sending TCP/UDP traffic on a computer system, but not many for ICMP traffic, since ICMP has no ports and therefore never shows up in the socket tables that netstat-style tools read.

Here is a summary for the ways to do it.

1. Install a local firewall

You can install a third-party firewall that blocks outgoing traffic by default. When a process first generates traffic, it prompts you to allow or deny it, and in many cases it names the application generating the traffic. Note that the built-in Windows Firewall does not prompt for outbound connections; it can be configured to block outbound traffic and log dropped packets, but its log records the packet, not the process.
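A second route, added here as an example and not described in the original post, is Windows Filtering Platform auditing. Enabling `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` makes Windows write Security event 5156 (permitted) or 5157 (blocked) for each connection, and those events carry the process ID, the image path and the IP protocol number (1 for ICMP), which is exactly what the port-based tools lack. The script below pulls the ICMP senders out of such events; the three messages are constructed samples in the layout of those events, not real log data, and the PIDs, paths and addresses in them are made up.

```python
import re

# Added example, not part of the original post. SAMPLE_EVENTS are constructed
# (event_id, message) pairs in the layout of Security events 5156/5157; real
# ones come from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156,5157}.
SAMPLE_EVENTS = [
    (5156, """The Windows Filtering Platform has permitted a connection.

Application Information:
\tProcess ID:\t\t4120
\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\ping.exe

Network Information:
\tDirection:\t\tOutbound
\tSource Address:\t\t10.0.0.5
\tSource Port:\t\t0
\tDestination Address:\t8.8.8.8
\tDestination Port:\t\t0
\tProtocol:\t\t1
"""),
    (5156, """The Windows Filtering Platform has permitted a connection.

Application Information:
\tProcess ID:\t\t1448
\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe

Network Information:
\tDirection:\t\tOutbound
\tSource Address:\t\t10.0.0.5
\tSource Port:\t\t49712
\tDestination Address:\t52.10.1.2
\tDestination Port:\t\t443
\tProtocol:\t\t6
"""),
    (5157, """The Windows Filtering Platform has blocked a connection.

Application Information:
\tProcess ID:\t\t6004
\tApplication Name:\t\\device\\harddiskvolume3\\users\\alice\\appdata\\roaming\\updater.exe

Network Information:
\tDirection:\t\tOutbound
\tSource Address:\t\t10.0.0.5
\tSource Port:\t\t0
\tDestination Address:\t203.0.113.9
\tDestination Port:\t\t0
\tProtocol:\t\t1
"""),
]

FIELD = re.compile(
    r"^\s*(Process ID|Application Name|Direction|Source Address|Destination Address|Protocol):\s*(.*?)\s*$",
    re.M)
ICMP = 1   # IP protocol number; 6 = TCP, 17 = UDP


def parse_wfp_event(event_id: int, message: str) -> dict:
    """Pull the fields we care about out of a 5156/5157 message body."""
    fields = dict(FIELD.findall(message))
    return {
        "event_id": event_id,
        "pid": int(fields.get("Process ID", "0")),
        "image": fields.get("Application Name", ""),   # NT device path, not a drive letter
        "direction": fields.get("Direction", ""),
        "src": fields.get("Source Address", ""),
        "dst": fields.get("Destination Address", ""),
        "protocol": int(fields.get("Protocol", "-1")),
    }


def icmp_senders(events) -> list:
    """(pid, image, destination, verdict) for every outbound ICMP event."""
    out = []
    for event_id, message in events:
        ev = parse_wfp_event(event_id, message)
        if ev["protocol"] == ICMP and ev["direction"].lower() == "outbound":
            out.append((ev["pid"], ev["image"], ev["dst"],
                        "blocked" if event_id == 5157 else "permitted"))
    return out


if __name__ == "__main__":
    for pid, image, dst, verdict in icmp_senders(SAMPLE_EVENTS):
        print("%-6d %-9s -> %-15s %s" % (pid, verdict, dst, image))
```

The image path comes back as `\device\harddiskvolumeN\...`; `mountvol` or a call to `QueryDosDevice` maps the volume to its drive letter. Be aware that this subcategory is noisy on a busy host, so enable it for the investigation window and turn it off afterwards.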


Wednesday, August 8, 2018

Symantec Diagnostic Tool - SymDiag Usage Guide

The Symantec Diagnostic Tool (SymDiag) is a multi-product, multi-language diagnostic and security analysis utility. SymDiag provides self-help support for Symantec product technical issues, zero-day threat analysis, best practice recommendations, and proactive services to customers. If you require further assistance, SymDiag lowers the level of effort and increases efficiency by automating data gathering and support case submission.

SymDiag supports most popular operating systems, including Windows, Linux and Mac. SymDiag supports the following Symantec products:
  • Advanced Threat Protection (Linux)
  • Data Center Security Management Server
  • Data Loss Prevention 11.0 and later
  • Encryption Powered by PGP
  • Endpoint Encryption
  • Endpoint Protection 11.0 and later*
  • Endpoint Protection Small Business Edition (.Cloud)
  • Endpoint Protection Cloud
  • Mail Security for Microsoft Exchange 6.5.2 and later*
  • Messaging Gateway
  • Protection Engine
  • Unified Agent
  • VIP Access


To generate a Symantec Endpoint Protection support package, complete the following steps:

  • Download the SymDiag tool from the following URL

Friday, July 20, 2018

NSS Labs NGFW Security Value Map Report (2018, 2017, 2016, 2014, 2013, 2012, 2011)


The NGFW is the first line of defense against today's evolving threats and a critical component of any defense-in-depth strategy. The NSS Labs NGFW test methodology has evolved from previous testing to reflect the threat landscape, and this latest testing therefore includes SSL inspection. This is an important test factor because most vendors see large performance impacts when SSL inspection is turned on, which keeps them from publishing SSL performance on their datasheets. With the expanded use of Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in the traffic traversing the modern network, an NGFW must be able to inspect encrypted content. NSS Labs evaluated firewall products with 190 different evasion techniques, more than 2,000 exploit tests, and throughput tests.

NSS Labs regularly releases the NGFW Security Value Map™, Comparative Analysis Reports, and Product Analysis Reports. These results help guide enterprise security professionals to make informed decisions when evaluating the many offerings in the industry.

NSS Labs designed the test to focus on the following four areas:
  •     Security effectiveness
  •     Performance
  •     Stability
  •     Total Cost of Ownership (TCO)

2018

Security Value Map™ Next Generation Firewall (NGFW) April 30, 2018
Products Tested
• Barracuda Networks F600.E20 v6.1.1-071
• Check Point Software Technologies 13800 NGFW Appliance vR77.20
• Cisco ASA 5585-X SSP-60 v5.4.0.3
• Cisco FirePOWER Appliance 8350 v5.4.0.3
• Cyberoam – Cyberoam CR2500iNG-XP v10.6.3
• Dell SonicWALL SuperMassive E10800 SonicOS Enhanced v6.0.1.13-177o
• Forcepoint Stonesoft Next-Generation Firewall 1402 v5.8.5
• Fortinet FortiGate 3200D v5.2.4, build 5069
• Hillstone Networks SG-6000-E5960 v5.5 SG6000-M-2-5.5R1P2.2
• Huawei Technologies USG6650 vV500R001C00SPC010T
• Juniper Networks SRX5400E JUNOS Software Release 12.3X48
• Palo Alto Networks PA-7050 v6.0.11-h1
• WatchGuard Technologies XTM 1525 v11.9.4 build 486684

Friday, July 13, 2018

Check Your Site's Vulnerabilities if It Is Listed on a Bounty Site

As long as your web application is published on the Internet, one day it will be scanned by hackers. There is no 100% security, and you always want to find the vulnerability first, before it can be exploited. There are many bounty programs online that attract hackers to search for those vulnerabilities, publish them, and notify the webmaster. Open Bug Bounty is one of them, and probably the most popular.

1. Open Bug Bounty Website
Started in June 2014, Open Bug Bounty is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. Open Bug Bounty’s coordinated vulnerability disclosure platform allows any security researcher to report a vulnerability on any website, as long as the vulnerability is discovered without any intrusive testing techniques and is submitted following responsible disclosure guidelines.

Sunday, July 8, 2018

Sumuri Paladin 7 Forensics Suite Basic Usage

PALADIN is a bootable forensic Linux distribution based on Ubuntu and is developed and provided as a courtesy by SUMURI. The boot process has been modified to assure that the internal or external media of computers and devices are not modified or mounted. PALADIN is available as an ISO which can be used to make a bootable DVD or USB. Once booted, the user will find a host of pre-compiled open-source forensic tools that can be used to perform various tasks.


Boot Sumuri Paladin Live Session into Forensics Mode:
Boot Screen

Monday, June 11, 2018

Steps to Troubleshoot an Infected Computer

Today I received a report from a user: the computer is slow and seems to have been infected with an unknown virus or malware. No special symptoms except slowness.

1. Check task manager and resource monitor

There is a process smss.exe whose description is "Microsoft ® Console Based Script Host", using almost 75% CPU all the time.

From task manager, I found the system was rebooted a couple of hours ago, very early in the morning, when the user was not around.

Also, no matter how you end this process, it comes back in 10 seconds, takes your CPU away and uses about 4 MB of memory.
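Before deciding what that smss.exe is, the usual check is to compare it against what the real one looks like: the genuine Session Manager lives in C:\Windows\System32, is started by the System process, and carries the file description "Windows Session Manager" (the "Console Based Script Host" description belongs to cscript.exe). As an added example, not code from the original post, the script below runs that comparison over a process listing. The baseline entries are the documented locations, parents and descriptions of those binaries (simplified; validate them against your own OS build), and SAMPLE_PROCS is a constructed listing made for the example, not data from the infected machine.

```python
# Added example, not part of the original post: compare a Windows process
# listing against a small known-good baseline for system binaries. On a real
# host, collect the listing with
#   Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
# and the description with (Get-Item $path).VersionInfo.FileDescription.

BASELINE = {
    # name: (expected image path, expected parent process name, expected file description)
    "smss.exe":    (r"c:\windows\system32\smss.exe",    "system",       "Windows Session Manager"),
    "lsass.exe":   (r"c:\windows\system32\lsass.exe",   "wininit.exe",  "Local Security Authority Process"),
    "svchost.exe": (r"c:\windows\system32\svchost.exe", "services.exe", "Host Process for Windows Services"),
}

# Constructed sample listing: a healthy process tree plus one smss.exe that
# mimics the name but lives in a user profile and was started by Explorer.
SAMPLE_PROCS = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": "",                                         "description": ""},
    {"pid": 368,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe",            "description": "Windows Session Manager"},
    {"pid": 472,  "ppid": 4,    "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe",         "description": "Windows Start-Up Application"},
    {"pid": 624,  "ppid": 472,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",           "description": "Local Security Authority Process"},
    {"pid": 3012, "ppid": 2880, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",                 "description": "Windows Explorer"},
    {"pid": 5532, "ppid": 3012, "name": "smss.exe",     "path": r"C:\Users\alice\AppData\Roaming\smss.exe", "description": "Microsoft ® Console Based Script Host"},
]


def triage(procs: list) -> list:
    """Return (pid, name, reason) for every process named like a baseline system
    binary whose path, parent or description does not match the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        if name not in BASELINE:
            continue
        exp_path, exp_parent, exp_desc = BASELINE[name]

        if p["path"].lower() != exp_path:
            findings.append((p["pid"], p["name"], "image path %s, expected %s" % (p["path"], exp_path)))

        # Parent lookup by PID; PIDs are reused, so on a live box also compare
        # the parent's start time against the child's.
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<none>"
        if parent_name != exp_parent:
            findings.append((p["pid"], p["name"], "parent %s, expected %s" % (parent_name, exp_parent)))

        if p.get("description", "") != exp_desc:
            findings.append((p["pid"], p["name"],
                             "description %r, expected %r" % (p.get("description", ""), exp_desc)))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_PROCS):
        print("PID %-6d %-12s %s" % (pid, name, reason))
```

A process that fails all three checks and respawns within seconds of being killed has something restarting it; the next step is to look for the watchdog (a scheduled task, a service, a Run key, or a parent that re-launches it) rather than to keep killing the child.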



Tuesday, April 17, 2018

Install OpenVAS on Ubuntu


OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Networks' commercial vulnerability management solution, from which developments have been contributed to the open-source community since 2009.

1. Install dependencies

OpenVAS Virtual Appliance / GreenBone Installation

OpenVAS Framework
The GSM Community Edition is a derivative of the GSM ONE and offers a quick and easy way to trial the solution on Windows, Linux or Mac. No particular know-how is needed.
In contrast to the commercial solution, the Community Feed is used instead of the Greenbone Security Feed. Some management functions, such as TLS certificate management, are also not included. Feed updates happen on a regular basis, but the system itself cannot be updated. The commercial version can be updated seamlessly and also includes access to Greenbone Support.
The Community Edition, like the GSM ONE, is designed for use on a laptop. The full feature set for a vulnerability management process (schedules, alarms, sensors) is only available with the bigger GSM models (see here for an overview), which can be obtained from Greenbone as an evaluation unit.

1. OpenVAS / GreenBone Installation Video