Tech Blog

Oregon Cyber Task Force – Cyber Attack Mitigation

During a recent briefing from the FBI’s Oregon Cyber Task Force in Medford, OR they detailed best practices and industry standards for cyber attack mitigation. FBI special agents started with information and statistics about the most recent threats giving specifics of how the attacks were executed. Security Architect from the State of Oregon then outlined the specifics of how to mitigate these threats properly. Here is a summation:

Current Threat Landscape

Business Email Compromise (CEO Fraud): Involves cyber criminals posing as business executives at companies that regularly perform wire transfers. After compromising the executive’s email, the criminal requests employees to perform wire transfers to the criminal’s bank account. FBI Internet Crime Complaint Center (IC3) has reported over $3 billion of losses worldwide due to this threat.

Ransomware: Ransomware is a form of malware that targets weaknesses in networks to deny the availability of critical data by encrypting it and demanding a ransom for the encryption keys to decrypt the data. Ransomware is frequently delivered through spear phishing emails to end users.

Point of Sale (PoS) Malware: Cyber criminal steals payment card data by remotely infecting PoS systems with malware without the need to physically access the cards or the devices used to process them. This allows criminals to compromise PoS systems on a large scale with larger victim base.

Insider Threat: An insider is a current or former employee who has access to an organization’s network and intentionally misuses that access to negatively affect the company. IC3 has recorded business losses from insider threat to be between $5,000 to $3 million.

Internet Extortion: Victims are threatened by cyber criminal with Distributed Denial of Service (DDoS) attack that will make access to their e-commerce site severely degraded or impossible if they victim does not pay to appease them. These can be real or fake with price tags in the neighborhood of 50 bitcoin or about $30,000.

Cyber Attack Mitigation

Here is a list of items that will need to be addressed to comprise a complete mitigation plan:

  • Create company policy in regards to how wire transfers are handled that require verbal or in-person authorization from multiple company executives
  • Create company policy restricting details that can be shared  about job duties and company hierarchy on social media
  • Review National Institute of Standards and Technology (NIST) Cybersecurity Framework and  adopt risk management processes
  • Create, implement and keep up-to-date an incident response plan
  • Create company policy and implement lawful network monitoring
  • Have proactive relationships with law enforcement agencies – silence is letting cyber criminals win

Practical Security Best Practices

  • Network Segmentation – keep the guest wireless separate from the local network, keep payment processing in its own network and keep web servers in the Demilitarized Zone (DMZ) of the network.
  • Use firewall access rules, Active Directory Group Policy and physical security measures to limit unsecure access to every segment of your network.
  • Restrict usage of administrator level access by creating alternative accounts for these purposes that are not used for local login. Keep these accounts monitored.
  • Implement automated patching and managed virus scanning on all systems. Remove any unsupported / non-updateable software or sytems on the network.
  • Restrict remote access to the network to specific users and use only secure protocols like RDP through VPN
  • Conduct periodic testing of all security measures to identify weakness or failing procedures and adjust systems accordingly

Advanced Mitigation Processes

  • Use multi-factor authentication wherever possible
  • Establish baseline of applications used then implement application whitelisting
  • Standardize encryption for data both at-rest and in-transit
  • Conduct perimeter filtering via Intrusion Detection System (IDS)
  • Regularly backup system logs in a segregated portion of the network to prevent tampering

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

ADPREP Windows 2008 R2 Server into 2003 Domain

After finishing the migration of a client to their new cloud-based Line of Business SaaS application, it was time to finally get rid of the last Windows 2003 Small Business Server that we manage. The client had a Windows Server 2008 R2 Standard server that used to be the database server for the on-premise application which was being re-purposed as the new Primary Domain Controller (PDC) for the domain. After installing the Active Directory Domain Services (ADDS) role on the new server, I went to run DCPROMO on the new server and found that it asked me to run ADPREP /FORESTPREP on the domain. Took me a little bit of searching to find the Windows 2003 Server media and ran the command successfully, but this did not do the trick – turns out I needed the Windows 2008 R2 Server media and run the ADPREP32 command several times to complete the domain preparation for the new server to be DCPROMO successfully. Extracted the support directory from the media ISO to a folder on the root of the old Windows 2003 Small Business Server and then ran the following commands in order:

ADPREP32 /FORESTPREP

This one took a long time as the server was going from Schema 31 to Schema 47.

ADPREP32 /DOMAINPREP

This one stated that I needed to run the next command, so I did.

ADPREP32 /DOMAINPREP /GPPREP

The command actually stated that the update was already applied. So went back to the Windows 2008 R2 Standard server and ran DCPROMO again which told me that I needed to run one more command.

ADPREP32 /RODCPREP

Ran this one even though I had no plans of having a Read-Only Domain Controller (RODC) in the domain. After all these commands the new server was able to be DCPROMO into the domain controller role. Now all that is left is FSMO roles, DNS, DHCP, printers and file shares.

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Full Disk Encryption – Bitlocker vs. TrueCrypt

Recently had a financial planning firm contact me with their new compliance regulations which included full disk encryption on all workstations that accessed client data and on all thumb drives used. This led me on a search to find the best solution for their systems which boiled down to essentially two solutions – Bitlocker or TrueCrypt / VeraCrypt.

Full Disk Encryption w/ Bitlocker

This feature is built into the professional versions of Windows OS from version 7 and beyond. It is simple to use and can be implemented from the Properties on local drives. It works with the modern GUID partition table (GPT) and Unified Extensible Firmware Interface (UEFI) as well as the older MBR / BIOS model. It works best with a Trusted Platform Module chip but can also be setup to use an external USB device as the encryption key repository. There is also a “Bitlocker To Go” setup for thumb drives that will work easily on other Windows based devices.

Full Disk Encryption w/ TrueCrypt

TrueCrypt, and the more recent “fork” of the software VeraCrypt, are based on the same open source code and are compatible with all recent versions of Windows OS. These software packages are not for the faint of heart as they require following detailed instructions on their usage through a multi-stage process to perform the drive encryption. My testing has revealed that they do not work well with modern GPT or UEFI and instead the Master Boot Record (MBR) and Basic Input/Output System (BIOS) systems would have to have been implemented from the initial setup of the workstation to function properly. There is currently no support for TPM, so remember your password or else say goodbye to your data. There is the ability to create a portable drive via these software packages, but the process is not something an end-user could easily do themselves.

Based on the limitations of TrueCrypt and the steep learning curve. It will be my recommendation to use the more simple and up-to-date Bitlocker technology to protect their firm – even if the encryption algorithms available in the other software provide deeper security. If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Google Apps Migration for Microsoft Outlook

Had a small client recently that wanted to move from standard hosted email service (via WHM / cPanel based server) to Google Apps. In doing the Google Apps migration I found that they had a mix of POP3 and IMAP configured throughout the organization, so using the G Suite Migration for Microsoft® Exchange like I would for larger migrations that are based in IMAP only was out of the question. I found the Google Apps Migration for Microsoft Outlook® which was better suited for doing the job in this small mixed environment.

Google Apps Migration for Microsoft Outlook

If your company is going to use G Suite aka Google Apps migration needs to be performed, then contact us for assistance.

Cable Certification Importance

Reading through a whitepaper from an industry leader in structured cable certification and realized the importance and cost savings that comes from the certification process. Here is a summation of their findings:

Cable Certification Less Expensive Than Downtime

Running the numbers against enterprise sized environments showed that for an average cost of $750 worth of cable certification and repair the business was able to insure themselves against $67,000 of downtime. Consider how much each hour of downtime is worth to your organization then think about how much even 8 hours of downtime per year will cost you – that is the difference between 99.9% and 99.99% uptime.

Product Warranties Don’t Cover Workmanship

Even if you have product warranties from the manufactures of your network equipment and cable there is no guarantee as to the quality of the installation without cable certification.

Certification & Re-certification

The idea here is to future proof your business by making sure that cabling exceeds the current standards. This often can lead to extended return on investment (ROI) when newer technology standards are introduced and the current cabling can go through cable certification again to prove that it meets those standards. For example many Cat6 installations that originally were thought to be running at 1Gbps have been proven to run at 10Gbps over short distances thereby saving the company money and expanding their network bandwidth.

Cable Certification Saves Money

Landlords are mentioned here as a direct beneficiary of the cost savings inherent in cable certification. The costs of certifying a building full of cable prior to new tenants moving in is minimal in comparison with the cost of running all new wires – often only 5-10% of the cost.

Reducing Waste

Instead of demolishing current cable infrastructure to comply with National Electric Code standards of removing abandoned cabling, why not have the cable certification done to mark it for future use? It saves money and the environment

Unscrupulous Installers

No-name copper vendors are putting out so-called Cat5 or Cat6 cables that are manufacture outside the country with inferior goods and facilities. This is then used by unscrupulous installers to lower their overall costs whether or not they pass that savings on to the client. To avoid the use of these inferior cables make sure to only use vendors that supply cable certification for their work.

If your company is unsure about their current structured cable infrastructure or is looking to have new network cabling done, then contact us for assistance.

Missing Western Digital MyCloud Drive

Recently took over an account from another tech and was informed by the client that their Western Digital MyCloud drive was unreachable and they had not been able to access their files shared their with the computers in the office for some time. Since the MyCloud is just a simplified Network Attached Storage (NAS) device for the home / SMB market, I decided to go onsite and find out what was causing the issue.

How to find a missing MyCloud

I first investigated the shortcuts that were sitting on the desktop to figure out what was going wrong with the drive or if there were some bread crumbs as to where it was previously. Found one called Dashboard which pointed to an IP address on their current subnet that went nowhere – this was likely the former IP address of the device. Found a shortcut to the “Public” folder which pointed to an IP address that was on another subnet than theirs – this was likely from a setup before another network change and had not been removed since then. Found another shortcut to the “Public” folder which pointed to the same IP address on their current network  as the Dashboard shortcut, so this confirmed that this was the last known IP address.

Ran a network scan using my personal favorite, SoftPerfect Network Scanner, to discover what was on the current subnet and if the MyCloud was still functional at another IP address. Found that the IP address for the device had changed to another similar address, so figured that it was getting its IP address from DHCP and when the old address lease ran out it just grabbed another one from the router. Checked the router and found that indeed the DHCP table contained the IP address for the device, so added a DHCP reservation to the router for that devices MAC address mapping it to the old IP address to make the broken shortcuts work again. Tested opening the dashboard and “Public” folders successfully which thankfully still had all of their information intact.

The final thing to do was to correctly set permissions within the device for each of the users and corresponding user folders within the device to allow them to connect and “backup” their documents to the device like they were used to. Although I would not recommend using this type of device to any of my clients, it was good to get this company backup up and running successfully. If your company is using Western Digital MyCloud drive for shared file access or are considering adding file shares to your network, then contact us for assistance.

“Recent” Asante Employee Breach & Yahoo Hack

Very weird occurrence the other day, checked the post office box and found a letter regarding my son’s protected health information (PHI) had been improperly accessed in an Asante employee breach that started in 2014. Shortly there after upon returning home, found an email from Yahoo stating that they had been hacked back in 2014 and had just now finished their investigation which could have effected my wife’s personal email. Seems a strange coincidence that both firms had this happen two years ago and it took both firms two years to notice / do the investigation piece to rectify the situation. Here are some quotes from their responses:

Asante Employee Breach

“While Asante cannot provide details regarding the outcome of this internal investigation, we can assure you that we applied our employment policies and processes appropriately. A final audit of the employee’s actions showed that the employee inappropriately accessed records from August 18, 2014 to July 21, 2016 that may have included your child’s name, date of birth, medical records number, medications, diagnosis, and lab results… To date, we have no evidence that any patient information has been misused, nor do we have any reason to believe that the information will be misused. However, as a precaution, we wanted to notify you regarding this incident and assure you that we take it very seriously.”

Yahoo Hack

“A copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor… The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

So these two things were not related but it is scary to think that it took two years to notice this activity. Even if Asante believes that the employee didn’t do anything malicious with the information, it shows that their information access policies and audit logging on them is severely lacking. They need to step up their game and possibly adopt some behavioral based analysis of the audit logs for inappropriate access like this in the future.

As for Yahoo, why are some of the security questions unencrypted while others were and were the passwords just hashed? If a state-sponsored actor had unsalted password hashes for two years before being detected then the likelihood of them being able to crack the passwords is extremely high. They also state that they are working closely with law enforcement on this one, but what is law enforcement going to do against another government’s hacking crew (aka state-sponsored actor)?

If your company is unsure of its information security posture or needs an evaluation of audit logging / reporting, then contact us for assistance.

Crypto Malware Zepto Infection

Recently had a client get infected by the Zepto variant of crypto malware without even knowing it. The call originated when they could not find some of the shortcuts they were used to seeing on the desktop. I began to search for the shortcuts and found some files with the .ZEPTO extension on them. A quick Google search found that this was indeed an infection of crypto malware but something was different about this one – there was no ransom note or instructions on where to send the money for the decryption key. After investigating the problem it seems that the user got an image file that they could not open and forgot about. They noticed some slow down of the computer the day that these files indicated that they were created but nothing else presented itself that day, so they dismissed it.

So here is breakdown of what actually happened. They were protected by Norton Antivirus and when the infection began to spread across the network (only a couple files were affected there) it removed the infection and left the damage done by Zepto encryption of some of the files in place with no notice to the user about what was done. The customer had a partial backup from a poorly designed backup scheme that was able to recover some of the files, which left them in a state of not knowing what was missing from their local file directories. Needless to say that I will be recommending a different antivirus and backup / recovery plan for them going forward.

If your company is not sure about whether your antivirus software is capable of handling this type of situation properly or are not sure about the status of your backup / recovery procedures, then contact us for assistance.

WHM AWS S3 Glacier Backup Setup

Amazon AWS S3 Storage to the rescue again with native support in WebHost Manager (WHM) to backup directly to S3. WHM AWS S3 Glacier backup is easy to setup and works like a charm. Included in this post are the standard settings that I use for all WHM backups.

WHM AWS S3 Glacier Backup Setup

  • Login to WHM and run a quick search for backup at the top left of the navigation pane
    WHM AWS S3 Glacier Backup - Quick Search
  • Click on “Backup Configuration” to begin setup
  • Under “Backup Status” choose “Enabled”, under “Backup Type” choose “Compressed” to save on bandwidth and leave the timeouts at their defaults
    WHM AWS S3 Glacier Backup - Backup Status
  • Under “Scheduling and Retention” choose to do a backup each day of the week and keep them for 30 days
    WHM AWS S3 Glacier Backup - Scheduling and Retention
  • Under “Files” choose to disable “Backup Suspended Accounts”, choose to enable “Backup Access Logs”, choose to enable “Backup Bandwidth Data”, choose to disable “Use Local DNS” and put a check next to “Backup System Files” to allow for full restores if needed
    WHM AWS S3 Glacier Backup - Files
  • Under “Databases” choose both “Per Account and Entire MySQL Directory”, under “Default Backup Directory” type in:

    /backup

    Leave the “Retain backups in default directory” unchecked and disable “Mount Backup Drive as Needed”
    WHM AWS S3 Glacier Backup - Databases

  • Under “Additional Destinations” choose Amazon S3 from the drop down list and click on the “Create new destination button”
  • Assuming there is already a bucket and user created in AWS for this purpose – give the destination a name, check the box next to “Transfer System Backups to Destination”, type in the name of a folder in the bucket under “Folder” that will be created and used, type in the name of the “Bucket”, type in the “Access Key ID” and “Secret Access Key” then change the timeout to 60 seconds
  • Click on the “Save and Validate Destination” button to make sure all settings are correct
  • Finally click on the “Save Configuration” at the bottom to complete the WHM AWS S3 Glacier Backup setup.

Your WHM AWS S3 Glacier Backup has now been setup and with proper setup of S3 Storage there will be automatic archival too. If your company is using Amazon Web Services or S3 Storage for backup and need help getting it setup properly, then contact us for assistance.

Configuring AWS S3 Bucket Lifecycle Archiving

I am growing to love Amazon Web Services (AWS) S3 Storage. The AWS S3 Bucket Lifecycle feature is great for those using S3 buckets for backups. The lifecycle can be applied to the whole bucket or individual folders based on rules then set for auto archival or deletion based on those same rules. This post assumes that the bucket to be used for backups has already been created. For help setting up a new bucket read the AWS Documentation for a walk through of this simple process.

Configuring AWS S3 Bucket Lifecycle Archiving

  • Log into the AWS console and click into the S3 console
  • Click on the magnifying glass next to the S3 bucket being used for backup
  • On the right side of the screen, scroll down the list of properties to the Lifecycle item and expand it
    AWS S3 Bucket Properties
  • Click on the “Add Rule” next to the green plus symbol
    AWS S3 Bucket Properties - Lifecycle
  • For backups, it is best to choose the whole bucket option in the “Apply this Rule to:” section of the wizard then click “Configure Rule” button
    AWS S3 Bucket Properties - Lifecycle Apply
  • For the “Actions on Object” section choose the “Archive to the Glacier Storage Class” option with the “Days after object’s creation date” set to 7 days to automatically archive to S3 Glacier after a week. Choose the “Permanently Delete” option with the “Days after object’s creation date” set to 120 days to automatically delete from S3 Glacier after 4 months. Click on the “Review” button to continue.
    AWS S3 Bucket Properties - Lifecycle Action
  • Give the rule a name and click on the “Create and Activate Rule” button to finish the rule creation process
  • Make sure to click on the “Save” button to have the newly created rules saved.

Your AWS S3 Bucket Lifecycle has now been setup for automatic archival. If your company is using Amazon Web Services or S3 Storage for backup and need help getting it setup properly, then contact us for assistance. Look for the next post that will show how to setup WHM for backup to S3 Storage.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2025 - Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

Error: Contact form not found.

And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10