12 February

Firewall: 101

Posted

How well do you know your firewall?

Do you know how your firewall works? Firewalls are an essential part of your infrastructure’s defense. It decides which network traffic to reach your computer. The two layers that are involved from the OSI model are 3; Network layer, and 7; Application Layer. Layer 7 interacts directly with the software applications, while layer 3 transfers data.

Firewall Layers

When it comes time to tell your firewall which types of traffic are OK to admit and which ones it should block, there are multiple ways to categorize traffic into “OK” and “not OK” categories. Each approach corresponds to a different firewall “layer,” as defined by the OSI model.

Layer 3 Firewalls (Network Firewalls)

One way is to categorize traffic according to IP addresses. You could tell your firewall to accept traffic from certain IP addresses while blocking all other traffic. Alternatively, you could blacklist IP addresses that you know to be sources of abuse.

If you categorize traffic in these ways, you’re operating on layer 3 of your firewall. You’re essentially allowing and blocking individual network packets depending on where they originated and which ports they want to talk to.

Layer 7 Firewalls (Application Firewalls)

The other common approach to firewall configuration involves layer 7, which is also known as the application layer.

Layer 7 lets you sort traffic according to which application or application service the traffic is trying to reach, and what the specific contents of that traffic are. Rather than simply blocking all traffic on a certain port, you could use an application firewall to accept traffic on that port in general, but block any traffic that contains a known vulnerability.

Layer 3 vs. Layer 7

If layer 7 provides the greatest opportunity for advanced firewall configuration, why would we talk about layer 3 at all? The answer is that they’re different tools that mitigate different kinds of risks and it’s not an either/or question. In most cases, you’d use both a L3 and an L7 firewall and the two complement each other.

L3 firewalls make decisions based on a much more narrow set of variables (IPs and ports) than L7 firewalls, which look at a literally infinite amount of unique requests. Thus, L3 firewalls are generally able to have much greater throughput than L7 firewalls. Further, because they address a lower level of the stack, L3 firewalls cover a wider variety of scenarios than an L7 firewall.

The lack of protocol awareness, though, is a significant blind spot the L7 firewalls address. Especially as HTTP has become the universal app protocol, attackers are more likely to probe and exploit weaknesses within the app layer. So, if you have just an L3 firewall that allows all traffic to port 80, you’re blind to those risks. An L7 firewall is able to look within the app layer and make decisions regarding whether to allow a request based on what it contains—not just the port it’s trying to reach.

Because of these trade-offs, the best model for most scenarios is to use multiple layers of defense in depth; specifically, have an L3 firewall at the edge that only allows inbound traffic on the specific ports your apps use.

Conclusion

Ideally, then, you’ll have the ability to use both layer 3 firewall filtering and layer 7 filtering as needed. By being able to filter both at the network level and the application level, you have maximum ability to protect your infrastructure and services against intruders.

Article written by John Morello at Security Boulevard.

Here at CITON, we believe knowledge is power. We hope this article provides you some insight as to how important our firewall software is to your business. Call us for more information (218) 720-4435.

31 January

What do your employees know about social engineering?

Posted

Have your employees been informed about the safety of phishing through social engineering? There are numerous ways to fall victim to this attack. Be prepared to protect your data with software that can protect against this.

Social engineering is a technique used by criminals and cyber-crooks to trick users into revealing confidential information. The data obtained is then used to gain access to systems and carry out actions to the detriment of the person or organization whose data has been revealed.

This practice basically exploits the trust that the user unwittingly places in the criminals, who often pose as a company employee, colleague, friend or boss. Under the guise of checking or protecting the user’s information, the criminals ask for confidential information which can then be used to steal the victim’s identity, money, etc.

How does social engineering work?

Social engineering is still one of the most common means of cyber-attack, primarily because it is highly efficient. To criminals, the user is the ‘weakest link in the security chain’.

Users are normally targeted in two ways: either over the phone or online.

– By phone, criminals pose as employees of a company or organization, say a bank or ISP, and after going through some typical questions and statements in order to gain the trust of the potential victim, they will then ask for login credentials and passwords.

– The most common fraud technique on the Internet is phishing. In this technique, users reveal data because they think they are on a trusted website. Another way that social engineering is used online is using attachments to emails from people known to the victim. Malware is used to attack users’ address book sand send emails –with the attacker’s file attached- to all their contacts.

How to avoid falling victim to social engineering

First and foremost, to prevent data theft through social engineering be wary and use common sense:

– Never reveal your passwords or login credentials to anyone. If a legitimate technician needs to access your account or information, they should be able to do this without needing you to give them your details.

– When you enter your details on a website, make sure the URL is correct.

– Never open strange-looking files or attachments, even if they come from someone you know.

 

Thank you Panda Security for the article.

Call CITON to find out how we can help defend your business’ data and hardware. (218) 720.4435.

17 January

Protecting against Ransomware

Posted

Ransomware attacks can happen to any business of any size. Usually the target of these attacks are individual computers, but recent attacks on weak IT infrastructures have been on the rise. Here at CITON we pride ourselves in protecting our customer’s data. Ask us about our Aardvark software to assist in defending your business.

cloud2

How Ransomware Attacks Typically Work

In a previous post from BackBlaze.com, they described the common vehicles used by hackers to infect organizations with ransomware viruses. Most often, downloaders distribute trojan horses through malicious downloads and spam emails. The emails contain a variety of file attachments, which if opened, will download and run one of the many ransomware variants. Once a user’s computer is infected with a malicious downloader, it will retrieve additional malware, which frequently includes crypto-ransomware. After the files have been encrypted, a ransom payment is demanded of the victim in order to decrypt the files.

What’s Changed With the Latest Ransomware Attacks?

In 2016, a customized ransomware strain called SamSam began attacking the servers in primarily health care institutions. SamSam, unlike more conventional ransomware, is not delivered through downloads or phishing emails. Instead, the attackers behind SamSam use tools to identify unpatched servers running Red Hat’s JBoss enterprise products. Once the attackers have successfully gained entry into one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers. Then they deploy their ransomware to encrypt files on these systems before demanding a ransom. Gaining entry to an organization through its IT center rather than its endpoints makes this approach scalable and especially unsettling.

SamSam’s methodology is to scour the Internet searching for accessible and vulnerable JBoss application servers, especially ones used by hospitals. It’s not unlike a burglar rattling doorknobs in a neighborhood to find unlocked homes. When SamSam finds an unlocked home (unpatched server), the software infiltrates the system. It is then free to spread across the company’s network by stealing passwords. As it transverses the network and systems, it encrypts files, preventing access until the victims pay the hackers a ransom, typically between $10,000 and $15,000. The low ransom amount has encouraged some victimized organizations to pay the ransom rather than incur the downtime required to wipe and reinitialize their IT systems.

The success of SamSam is due to its effectiveness rather than its sophistication. SamSam can enter and transverse a network without human intervention. Some organizations are learning too late that securing internet-facing services in their data center from attack is just as important as securing endpoints.

What all the organizations successfully exploited by SamSam have in common is that they were running unpatched servers that made them vulnerable to SamSam. Some organizations had their endpoints and servers backed up, while others did not. Some of the victims chose to pay the ransom — a strategy that in the past hasn’t guaranteed that the hackers will decrypt the hijacked files.

Article written by Roderick Bauer from Backblaze.com

Call CITON today to have your IT infrastructure assessed (218) 720-4435.

 

8 January

What do you know about Phishing?

Posted

Keep yourself up-to-date with the latest facts on Phishing and how it can impact your business.

Phishing is still a prevalent form of attack that can be avoided with the proper defense precautions. This article from KnowBe4 provides relevant information on how to keep your information safe, and up-to-date facts. Contact CITON to find out how we can help you and your business protect your data through anti-malware and ransomware. (218) 720-4435.

Phishing is a core tactic in the cybercriminal’s arsenal. It’s the basis for the majority of social engineering, CEO fraud, and malware infection. The Anti-Phishing Working Group (APWG) just-released 3rd Quarter Phishing Activity Trends Report provides insight into the current state of phishing.

Some of the highlights this quarter include:

  • Phishing Attacks Remain Constant – The number of unique phishing reports has remained relatively steady from Q2 to Q3
  • Phishing Focuses on the Money – Payment processing firms remained the most-targeted companies, followed by the banking sector
  • Encryption is on the Rise: Phishing attacks hosted on secure sites continues its steady increase since 2015
  • Redirection is Key to Avoid Detection: phishing attacks are using redirectors both prior to the phishing site landing page and following the submission of credentials to obfuscate detection via web server log referrer field monitoring

The data collected by APWG provides some key insight on how organizations need to protect themselves:

  • Expect phishing to continue – there are zero indications that phishing is declining at any point in the near future.
  • Focus on the Phish – Before malware, ransomware, or social engineering can have an impact, the email needs to get to the Inbox, be opened, and have a malicious action taken first. So, your greatest protection is found in stopping the phishing from being successful.
  • Take a Layered Approach – Put proactive security measures like endpoint protection email and web scanning, and Security Awareness Training in place in order to both spot and stop phishing emails from either ever reaching an Inbox, or ever being engaged with by a user.

 

Article written by Stu Sjouwerman.

Keep this information in mind when opening your next unknown email, and if you do, keep us in mind. We’re here to help.

2 January

New Year’s Security Resolution

Posted

How can you strengthen your cybersecurity?

As 2018 comes to a close many people make New Year Resolutions. So today I’m going to ask you to include this on your list: Resolve to take time to make your online life safer.

Start by taking a piece of paper and make a list of all the Internet-connected devices in your home: Desktop and laptop computers — including those of your kids — modems and Wi-Fi routers, smart phones, connected TVs, smart speakers, surveillance cameras, baby monitors. Next, for devices like computers and smart phones, look at what applications are on them. Are there ones aren’t you using? Get rid of them, they’re a security risk. Of those that remain, are you updating them? If not, why not? Are the developers issuing security updates or is the software so old it’s no longer supported? Get rid of them, they are a security risk.

For other devices, like routers, is their software patched? Replace old devices that are no longer supported.
Then make a list of everything that has a password. Make sure the passwords aren’t easily guessable – like the word ‘password’ or 123456.

If a hacker’s target is a person, they’ll do some research. Which is why passwords directly related to your work – for example, that include the name of your company or your title – aren’t safe.

Two-factor authentication is where in addition to your password you get a number sent to you on a smart phone that also has to be entered when you login. Gmail has it, Facebook has it, your bank may have it. Investigate whether the sensitive sites you use have it, and enable it. Don’t have the second code sent to you by SMS text, use Google Authenticator or Authy.

How do you keep track of all those passwords? With a password manager. You might have one that comes with the antivirus or anti-malware suite already on your computer. There are versions for smart phones.

 

Article written by Howard Solomon with itworldcanada.com

While you make your New Year’s Resolutions for your personal or professional life take a minute to look into how you could improve your cybersecurity in both of those areas. There are a few tips below that can help make your devices a bit more secure. Contact CITON today for more information on securing your data. (218) 720-4435.