Category: Network Security

Oregon Cyber Task Force – Cyber Attack Mitigation

During a recent briefing from the FBI’s Oregon Cyber Task Force in Medford, OR they detailed best practices and industry standards for cyber attack mitigation. FBI special agents started with information and statistics about the most recent threats giving specifics of how the attacks were executed. Security Architect from the State of Oregon then outlined the specifics of how to mitigate these threats properly. Here is a summation:

Current Threat Landscape

Business Email Compromise (CEO Fraud): Involves cyber criminals posing as business executives at companies that regularly perform wire transfers. After compromising the executive’s email, the criminal requests employees to perform wire transfers to the criminal’s bank account. FBI Internet Crime Complaint Center (IC3) has reported over $3 billion of losses worldwide due to this threat.

Ransomware: Ransomware is a form of malware that targets weaknesses in networks to deny the availability of critical data by encrypting it and demanding a ransom for the encryption keys to decrypt the data. Ransomware is frequently delivered through spear phishing emails to end users.

Point of Sale (PoS) Malware: Cyber criminal steals payment card data by remotely infecting PoS systems with malware without the need to physically access the cards or the devices used to process them. This allows criminals to compromise PoS systems on a large scale with larger victim base.

Insider Threat: An insider is a current or former employee who has access to an organization’s network and intentionally misuses that access to negatively affect the company. IC3 has recorded business losses from insider threat to be between $5,000 to $3 million.

Internet Extortion: Victims are threatened by cyber criminal with Distributed Denial of Service (DDoS) attack that will make access to their e-commerce site severely degraded or impossible if they victim does not pay to appease them. These can be real or fake with price tags in the neighborhood of 50 bitcoin or about $30,000.

Cyber Attack Mitigation

Here is a list of items that will need to be addressed to comprise a complete mitigation plan:

  • Create company policy in regards to how wire transfers are handled that require verbal or in-person authorization from multiple company executives
  • Create company policy restricting details that can be shared  about job duties and company hierarchy on social media
  • Review National Institute of Standards and Technology (NIST) Cybersecurity Framework and  adopt risk management processes
  • Create, implement and keep up-to-date an incident response plan
  • Create company policy and implement lawful network monitoring
  • Have proactive relationships with law enforcement agencies – silence is letting cyber criminals win

Practical Security Best Practices

  • Network Segmentation – keep the guest wireless separate from the local network, keep payment processing in its own network and keep web servers in the Demilitarized Zone (DMZ) of the network.
  • Use firewall access rules, Active Directory Group Policy and physical security measures to limit unsecure access to every segment of your network.
  • Restrict usage of administrator level access by creating alternative accounts for these purposes that are not used for local login. Keep these accounts monitored.
  • Implement automated patching and managed virus scanning on all systems. Remove any unsupported / non-updateable software or sytems on the network.
  • Restrict remote access to the network to specific users and use only secure protocols like RDP through VPN
  • Conduct periodic testing of all security measures to identify weakness or failing procedures and adjust systems accordingly

Advanced Mitigation Processes

  • Use multi-factor authentication wherever possible
  • Establish baseline of applications used then implement application whitelisting
  • Standardize encryption for data both at-rest and in-transit
  • Conduct perimeter filtering via Intrusion Detection System (IDS)
  • Regularly backup system logs in a segregated portion of the network to prevent tampering

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Full Disk Encryption – Bitlocker vs. TrueCrypt

Recently had a financial planning firm contact me with their new compliance regulations which included full disk encryption on all workstations that accessed client data and on all thumb drives used. This led me on a search to find the best solution for their systems which boiled down to essentially two solutions – Bitlocker or TrueCrypt / VeraCrypt.

Full Disk Encryption w/ Bitlocker

This feature is built into the professional versions of Windows OS from version 7 and beyond. It is simple to use and can be implemented from the Properties on local drives. It works with the modern GUID partition table (GPT) and Unified Extensible Firmware Interface (UEFI) as well as the older MBR / BIOS model. It works best with a Trusted Platform Module chip but can also be setup to use an external USB device as the encryption key repository. There is also a “Bitlocker To Go” setup for thumb drives that will work easily on other Windows based devices.

Full Disk Encryption w/ TrueCrypt

TrueCrypt, and the more recent “fork” of the software VeraCrypt, are based on the same open source code and are compatible with all recent versions of Windows OS. These software packages are not for the faint of heart as they require following detailed instructions on their usage through a multi-stage process to perform the drive encryption. My testing has revealed that they do not work well with modern GPT or UEFI and instead the Master Boot Record (MBR) and Basic Input/Output System (BIOS) systems would have to have been implemented from the initial setup of the workstation to function properly. There is currently no support for TPM, so remember your password or else say goodbye to your data. There is the ability to create a portable drive via these software packages, but the process is not something an end-user could easily do themselves.

Based on the limitations of TrueCrypt and the steep learning curve. It will be my recommendation to use the more simple and up-to-date Bitlocker technology to protect their firm – even if the encryption algorithms available in the other software provide deeper security. If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

“Recent” Asante Employee Breach & Yahoo Hack

Very weird occurrence the other day, checked the post office box and found a letter regarding my son’s protected health information (PHI) had been improperly accessed in an Asante employee breach that started in 2014. Shortly there after upon returning home, found an email from Yahoo stating that they had been hacked back in 2014 and had just now finished their investigation which could have effected my wife’s personal email. Seems a strange coincidence that both firms had this happen two years ago and it took both firms two years to notice / do the investigation piece to rectify the situation. Here are some quotes from their responses:

Asante Employee Breach

“While Asante cannot provide details regarding the outcome of this internal investigation, we can assure you that we applied our employment policies and processes appropriately. A final audit of the employee’s actions showed that the employee inappropriately accessed records from August 18, 2014 to July 21, 2016 that may have included your child’s name, date of birth, medical records number, medications, diagnosis, and lab results… To date, we have no evidence that any patient information has been misused, nor do we have any reason to believe that the information will be misused. However, as a precaution, we wanted to notify you regarding this incident and assure you that we take it very seriously.”

Yahoo Hack

“A copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor… The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

So these two things were not related but it is scary to think that it took two years to notice this activity. Even if Asante believes that the employee didn’t do anything malicious with the information, it shows that their information access policies and audit logging on them is severely lacking. They need to step up their game and possibly adopt some behavioral based analysis of the audit logs for inappropriate access like this in the future.

As for Yahoo, why are some of the security questions unencrypted while others were and were the passwords just hashed? If a state-sponsored actor had unsalted password hashes for two years before being detected then the likelihood of them being able to crack the passwords is extremely high. They also state that they are working closely with law enforcement on this one, but what is law enforcement going to do against another government’s hacking crew (aka state-sponsored actor)?

If your company is unsure of its information security posture or needs an evaluation of audit logging / reporting, then contact us for assistance.

Crypto Malware Zepto Infection

Recently had a client get infected by the Zepto variant of crypto malware without even knowing it. The call originated when they could not find some of the shortcuts they were used to seeing on the desktop. I began to search for the shortcuts and found some files with the .ZEPTO extension on them. A quick Google search found that this was indeed an infection of crypto malware but something was different about this one – there was no ransom note or instructions on where to send the money for the decryption key. After investigating the problem it seems that the user got an image file that they could not open and forgot about. They noticed some slow down of the computer the day that these files indicated that they were created but nothing else presented itself that day, so they dismissed it.

So here is breakdown of what actually happened. They were protected by Norton Antivirus and when the infection began to spread across the network (only a couple files were affected there) it removed the infection and left the damage done by Zepto encryption of some of the files in place with no notice to the user about what was done. The customer had a partial backup from a poorly designed backup scheme that was able to recover some of the files, which left them in a state of not knowing what was missing from their local file directories. Needless to say that I will be recommending a different antivirus and backup / recovery plan for them going forward.

If your company is not sure about whether your antivirus software is capable of handling this type of situation properly or are not sure about the status of your backup / recovery procedures, then contact us for assistance.

LeChiffre Ransomware Hits Server

Recently had a non-managed client hit by the LeChiffre Ransomware which encrypted their entire data share on the Windows Small Business Server 2008 that they have been using for some time. Here is what the virus left in every folder along with adding the word LeChiffre (aka encrypt) to the end of all files:

LeChiffre Ransomware Traces

This company was at least partially protected – even though they made the cardinal mistake of not having anti-virus on the server, they did have recent backups that were usable. Used the backup to restore the files that were effected by the virus and everything seemed good for a couple weeks until they realized that the backup set was incomplete and didn’t include some vital files related to their website. Found and used the LeChiffre Decryptor from Emisoft to try and recover the remaining files from the server, but ended up having mixed results. They were able to open GIF and PNG files but DOC and PDF files were hopelessly corrupted.

This infection of the LeChiffre Ransomware is just another lesson to those who think that their systems are just fine. Please take the time to contact us for a free security evaluation, so that a proper plan can be put in place to protect vital company documents from being lost to situations like these.

Windows Event Logs Intrusion Detection

Big thanks go out to the folks at SANS Institute for this write-up on Detecting Security Incidents Using Windows Workstation Event Logs that gave the guidance for this article on Windows Event Logs Intrusion Detection. These are the basics of creating Custom Views in Event Viewer on Microsoft Windows 2012, but the actual monitoring for these events should be done by more complex log parsing software that is beyond the scope of this article. Here are the basic steps towards finding these events:

Create Windows Event Logs Intrusion Detection Custom View

  1. Open Event Viewer
  2. Right click on Custom Views then choose “Create Custom View…”
  3. Make sure to select all event levels and all Windows Logs
    Windows Event Log - Create Custom View
  4. Add the following event id numbers into the space provided:

    1001,4624,4625,4657,4688,4697,4698,7034,7035,7036,7040,64004

  5. Click OK. Give the Custom View a name then Click OK again.
  6. Right click on the newly created Custom View and select “Attach Task To This Custom View…”
  7. Work through the wizard based interface and select the desired task. Email is a nice one but is depreciated and will require the setup of an SMTP Relay unless there is an onsite Exchange server or dedicated email setup for this purpose with your email provider.

These are just the basics the article from SANS goes into greater depth on how to configure event log monitoring software to parse these for you. Better yet contact us to setup remote monitoring and maintenance to do the heavy lifting for you.

UmbreCrypt RansomWare Hits Terminal Server

This one scares me to read about. A new variant of ransomware called UmbreCrypt RansomWare is out there that is getting into business networks via hacking of terminal servers. This is even more reason to use the best practice of connecting to a Virtual Private Network (VPN) before connecting to your company terminal server. Please take the time to read this article from BleepingComputer.com to find out the frightening details. Feel free to call or email us to discuss how to proactively protect your business computer network with managed antivirus and offsite backups. Schedule a full network security audit to determine just how vulnerable your systems are and to determine what can be done to mitigate the risks.

Google Apps SPF / DKIM setup

A Sender Policy Framework (SPF) record indicates mail servers that are authorized to send mail for a domain. Email recipient servers perform a check with DNS to see if the mail came from an authorized server. If not, then the email is most likely SPAM. SPF DNS records lets the recipient server perform this verification.

A DomainKeys Identified Mail (DKIM) record adds a digital signature to emails your organization sends. Email recipient servers perform a check with DNS for the to see if the DomainKey matches the sender. If so, then the email is considered unmodified and from a legitimate sender. DKIM DNS record lets the recipient server perform this verification.

Configure Google Apps SPF

If you use Google Apps for email, you’ll need access to your DNS provider to add an SPF record. In most cases, you simply login and create a new TXT record with the value of:

v=spf1 include:_spf.google.com ~all

Google provides detailed instructions on how this is done. Be sure to save your changes.

Configure DKIM for Google Apps

You’ll need access to your Google Apps control panel and your DNS records to set DKIM. This is a three step process:

1. Create the DKIM key

a. Login to your Google Apps Control Panel (e.g., https://www.google.com/a/cpanel/[yourdomain.com])

b. Navigate to the Gmail App Control Panel

c. Scroll down to “Authenticate email” and click on “Set up email authentication (DKIM)”.

d. Your domain name should be displayed. Click on “Generate new record”. Leave the default selector prefix as “google”. Click “Generate”.

e. Leave this browser window open, and then create a new tab or browser window.

2. Create the DKIM DNS record

a. Login to your DNS provider.

b. Create a new TXT record. The name of the TXT record should be:

google._domainkey

This creates a domain that, fully resolved, looks like: google._domainkey.yourdomain.com.

c. The value for the DNS record will be a very long string of characters, something like:

v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCG5in7gQIDAQAB

The actual length of the string will be much longer than that above. I find it simplest to copy-and-paste the information from the Control Panel page displaying the information. Save the DNS record.

3. Start Authenticating

a. Wait 24-hours for your changes to propagate, and for Google’s servers to detect the changes.

b. Login to your Google Apps Control Panel (e.g., https://www.google.com/a/cpanel/[yourdomain.com])

c. Go to the “Advanced tools” tab, then scroll down to “Authenticate email” and click on “Set up email authentication (DKIM)”.

d. Click “Start authentication”.

As always, check Google’s detailed instructions if your setup is more complex.

Verify that SPF & DKIM are configured

Send an email from your Gmail account to checkauth@verifier.port25.com after you’ve completed the Google Apps SPF and DKIM setup. You’ll receive an email response in a few minutes. If everything is properly configured, you’ll receive a “PASS” for both the Google Apps SPF and DKIM settings. This means your email is now securely being delivered and can be verified as such.

Demote Windows Small Business Server

Since Microsoft is no longer making Small Business Server (SBS) as the complete package for the SMB client, it is time to migrate email to Office365 and put in a Windows Standard Server in its place. This will explain the details of how to demote Windows Small Business Server from the domain after email has been migrated, the new server should already be in place and it should be running the appropriate server service and Flexible Single Master Operation (FSMO) roles would already be migrated.

One Last Check

  • Open a Command Prompt

  • Type in – netdom query fsmo

  • Make sure that all roles are pointing to the new Domain Controller

Uninstall Exchange

  • Open Control Panel

  • Double Click on “Programs and Features” icon

  • Search the list and find the entry named something like “Microsoft Exchange Server…” right click on it and choose “Uninstall”

  • Click “Next >” button then uncheck all possible boxes then click “Next >” button

  • Once the prerequisites have cleared successfully, click “Uninstall” button

  • Finally click “Finish” button

Remove AD Certificate Services

  • Click Start button, click Administrative Tools, and then click Server Manager.

  • Click on Roles, then in the Roles Summary section, click Remove Roles.

  • In the Remove Roles Wizard, click “Next >” button

  • Clear the “Active Directory Certificate Services” check box, and then click “Next >” button

  • On the Confirm Removal Options page, review the information, and then click “Remove >” button

Demote Windows Small Business Server and Remove from Active Directory

  • On the Source Server, click Start button, click Run, type dcpromo, and then click “OK” button

  • Click “Next >” button twice. (WARNING: Do not select “Delete the domain because this server is the last domain controller in the domain.”)

  • In the Summary dialog box, you are told that Active Directory Domain Services (AD DS) will be removed from the computer and that the server will become a member of the domain. Click “Next >” button

  • Click “Finish” button and the Server will restart

  • After the Server restarts, it can then be removed from the domain into a workgroup and disconnected from the network.

To remove the Source Server from Active Directory Domain Services

  • On the new Domain Controller Server click Start button, click Administrative Tools, and then select Active Directory Users and Computers.

  • In the Active Directory Users and Computers navigation pane, expand the domain name, expand MyBusiness, expand Computers, and then expand SBSComputers.

  • Right-click the old Server name if it still exists in the list of servers, click Delete, and then click Yes.

  • Verify that the Source Server is not listed, and then close Active Directory Users and Computers.

To update the Software Updates Group Policy Object

  • On the Management Server, click Start, click Administrative Tools, and then click Group Policy Management.

  • On the User Account Control dialog box, click Continue.

  • In the Group Policy Management console, in the navigation pane, expand Forest:DomainName, expand Domains, expand DomainName, and then expand Group Policy Objects (GPO).

  • Click Update Services Server Computers Policy.

  • In the results pane, click the Scope tab.

  • In the Security Filtering section, click the object that begins with “S-1-5…” This is the old Server Security Identifier (SID).

  • Click Remove, and then click “OK” button

If your company is migrating to Office 365 and needs help to demote Windows Small Business Server, then contact us for assistance.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2025 - Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

Error: Contact form not found.

And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10