{"id":77533,"date":"2015-07-28T18:38:43","date_gmt":"2015-07-28T22:38:43","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2022-08-12T08:02:26","modified_gmt":"2022-08-12T12:02:26","slug":"snoops-offer-security-tips","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/snoops-offer-security-tips\/","title":{"rendered":"Snoops Offer Security Tips"},"content":{"rendered":"<p><a href=\"http:\/\/blog.dictionary.com\/ironic\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-100808 \" title=\"Snoops Offer Security Tips\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Irony-e1566094120472-150x97.jpg?resize=156%2C101&#038;ssl=1\" alt=\"Snoops Offer Security Tips\" width=\"156\" height=\"101\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Irony-e1566094120472.jpg?resize=150%2C97&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Irony-e1566094120472.jpg?resize=75%2C48&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Irony-e1566094120472.jpg?w=387&amp;ssl=1 387w\" sizes=\"auto, (max-width: 156px) 100vw, 156px\" \/><\/a>In one of the more ironic, notice I did not say tragic, turns in the post-Snowden era, the National Security Agency (<strong>NSA<\/strong>) has published a report with <strong>advice<\/strong> for companies on how to <strong>deal with<\/strong> <strong>malware attacks<\/strong>. 
<a href=\"https:\/\/web.archive.org\/web\/20160729153456\/http:\/\/www.fierceitsecurity.com:80\/?\" target=\"_blank\" rel=\"noopener noreferrer\"><em>FierceITSecurity<\/em><\/a> <a href=\"https:\/\/web.archive.org\/web\/20160325035154\/http:\/\/www.fierceitsecurity.com\/story\/nsa-offers-advice-enterprises-confronting-malware-wielding-attackers\/2015-01-29\" target=\"_blank\" rel=\"noopener noreferrer\">says<\/a> the <a href=\"https:\/\/web.archive.org\/web\/20160412164105\/https:\/\/www.nsa.gov\/ia\/_files\/factsheets\/Defending_Against_Destructive_Malware.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">report<\/a>\u00a0(PDF) boils down to &#8220;prevent, detect and contain.&#8221; To be more specific, the report recommends that IT security pros:<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/networkengineering.stackexchange.com\/questions\/58364\/why-cant-devices-on-different-vlans-but-on-the-same-subnet-communicate\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-100810 \" title=\"Segregate networks\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/network_segments-e1566094206271-146x150.png?resize=90%2C92&#038;ssl=1\" alt=\"Segregate networks\" width=\"90\" height=\"92\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/network_segments-e1566094206271.png?resize=146%2C150&amp;ssl=1 146w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/network_segments-e1566094206271.png?resize=73%2C75&amp;ssl=1 73w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/network_segments-e1566094206271.png?w=231&amp;ssl=1 231w\" sizes=\"auto, (max-width: 90px) 100vw, 90px\" \/><\/a>Segregate networks<\/strong> so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;<\/li>\n<li><strong>Protect<\/strong> and restrict administrative privileges, in particular <strong>high-level administrator accounts<\/strong>, so 
that the attacker cannot get control over the entire network;<\/li>\n<li>Deploy, configure, and monitor <strong><a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/application-whitelisting\" target=\"_blank\" rel=\"noopener noreferrer\">application whitelisting<\/a><\/strong> to prevent malware from executing;<\/li>\n<li>Restrict workstation-to-workstation communication to reduce the attack surface;<\/li>\n<li>Deploy strong <strong>network boundary<\/strong> defenses such as perimeter and <a href=\"http:\/\/searchsoftwarequality.techtarget.com\/definition\/application-firewall\" target=\"_blank\" rel=\"noopener noreferrer\">application firewalls<\/a>, <a href=\"https:\/\/www.webopedia.com\/quick_ref\/proxy_server.asp\" target=\"_blank\" rel=\"noopener noreferrer\">forward proxies<\/a>, <a href=\"https:\/\/web.archive.org\/web\/20150622064352\/http:\/\/searchconsumerization.techtarget.com:80\/definition\/application-sandboxing\" target=\"_blank\" rel=\"noopener noreferrer\">sandboxing<\/a> and <a href=\"https:\/\/users.ece.cmu.edu\/~ejschwar\/papers\/oakland10.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">dynamic analysis filters<\/a>\u00a0(PDF) to catch the malware before it breaches the network;<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/network-watcher\/network-watcher-monitoring-overview\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-100812 \" title=\"Network monitoring\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/network_watcher-e1566094272721-150x150.png?resize=90%2C90&#038;ssl=1\" alt=\"Network monitoring\" width=\"90\" height=\"90\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/network_watcher-e1566094272721.png?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/network_watcher-e1566094272721.png?resize=75%2C75&amp;ssl=1 75w, 
https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/network_watcher-e1566094272721.png?w=225&amp;ssl=1 225w\" sizes=\"auto, (max-width: 90px) 100vw, 90px\" \/><\/a>Maintain and monitor a centralized host and network <strong>logging<\/strong> product, after ensuring that logging is enabled on all devices and their logs are collected, to detect malicious activity and contain it as soon as possible;<\/li>\n<li>Implement <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=36036\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>pass-the-hash<\/strong> mitigation<\/a> to cut credential theft and reuse;<\/li>\n<li>Deploy\u00a0<a title=\"Microsoft\" href=\"http:\/\/www.microsoft.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft<\/a> (<a title=\"NASDAQ | MSFT\" href=\"https:\/\/www.google.com\/finance?cid=358464\" target=\"_blank\" rel=\"noopener noreferrer\">MSFT<\/a>) <a href=\"https:\/\/web.archive.org\/web\/20161209155356\/https:\/\/support.microsoft.com\/en-us\/kb\/2458544\" target=\"_blank\" rel=\"noopener noreferrer\">Enhanced Mitigation Experience Toolkit <\/a>(<strong>EMET<\/strong>)\u00a0or other anti-exploitation capability for devices running non-Windows operating systems;<\/li>\n<li>Employ <strong><a href=\"https:\/\/web.archive.org\/web\/20160318223325\/https:\/\/www.nsa.gov\/ia\/_files\/factsheets\/I43V_Slick_Sheets\/Slicksheet_AntivirusFileReputationServices.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">anti-virus file reputation services<\/a><\/strong>\u00a0(PDF) to catch known malware sooner than normal anti-virus software;<\/li>\n<li>Implement <a href=\"http:\/\/searchenterprisedesktop.techtarget.com\/definition\/host-intrusion-prevention-systems-HIPS\" target=\"_blank\" rel=\"noopener noreferrer\">host intrusion prevention systems<\/a> to detect and prevent attack behaviors; and<\/li>\n<li>Update and <strong>patch software<\/strong> in a timely manner so known vulnerabilities cannot be 
exploited.<\/li>\n<\/ul>\n<p>The author quotes from the report:<\/p>\n<p style=\"text-align: justify; padding-left: 30px;\"><em><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-100816 \" title=\"I Luv your PC\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ILuvYourPC-1-e1566094343371-150x108.jpg?resize=138%2C99&#038;ssl=1\" alt=\"I Luv your PC\" width=\"138\" height=\"99\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ILuvYourPC-1-e1566094343371.jpg?resize=150%2C108&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ILuvYourPC-1-e1566094343371.jpg?resize=75%2C54&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ILuvYourPC-1-e1566094343371.jpg?w=256&amp;ssl=1 256w\" sizes=\"auto, (max-width: 138px) 100vw, 138px\" \/>Once a malicious actor achieves privileged control of an organization&#8217;s network, the actor has the ability to steal or destroy all the data that is on the network &#8230; While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization&#8217;s network.<\/em><\/p>\n<p style=\"text-align: left;\"><strong><em>rb-<\/em><\/strong><\/p>\n<p style=\"text-align: left;\"><em>For those who have not been following along, the TLAs have been <a href=\"http:\/\/www.wired.com\/2015\/06\/us-british-spies-targeted-antivirus-companies\/\" target=\"_blank\" rel=\"noopener noreferrer\">attacking<\/a> and <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2015\/06\/nsa_and_gchq_at.html\" target=\"_blank\" rel=\"noopener noreferrer\">manipulating<\/a> anti-virus software from Kaspersky. 
<\/em><\/p>\n<p style=\"text-align: left;\"><em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Five_Eyes\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-100819 \" title=\"Spying\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/spying-1-e1566094406622-122x150.jpg?resize=90%2C111&#038;ssl=1\" alt=\"Spying\" width=\"90\" height=\"111\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/spying-1-e1566094406622.jpg?resize=122%2C150&amp;ssl=1 122w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/spying-1-e1566094406622.jpg?resize=61%2C75&amp;ssl=1 61w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/spying-1-e1566094406622.jpg?w=450&amp;ssl=1 450w\" sizes=\"auto, (max-width: 90px) 100vw, 90px\" \/><\/a>We also now <del>know<\/del> suspect that the TLAs have compromised at least one and\u00a0probably\u00a0two hardware vendors. <a href=\"http:\/\/www.businessinsider.com\/fbi-investigates-juniper-hack-attack-2015-12\" target=\"_blank\" rel=\"noopener noreferrer\">Business Insider<\/a>\u00a0recalls that, way back in 2013, as part of the Edward Snowden NSA spying revelations, German publication <a href=\"http:\/\/www.spiegel.de\/international\/world\/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html\" target=\"_blank\" rel=\"noopener noreferrer\">Spiegel wrote an article<\/a>\u00a0alleging that the NSA had done a similar thing \u2014 put code on <a title=\"Juniper\" href=\"http:\/\/www.juniper.net\/us\/en\/\" target=\"_blank\" rel=\"noopener noreferrer\">Juniper Networks<\/a> (<a href=\"https:\/\/www.tradingview.com\/symbols\/NYSE-JNPR\/\" target=\"_blank\" rel=\"noopener noreferrer\">JNPR<\/a>) security products to enable the NSA to spy on users of 
the equipment.\u00a0<\/em><\/p>\n<p style=\"text-align: left;\"><em>Over at <a href=\"https:\/\/www.fortinet.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Fortinet<\/a>\u00a0(<a href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-FTNT\/\" target=\"_blank\" rel=\"noopener noreferrer\">FTNT<\/a>)\u00a0they had their own <del>backdoor<\/del> management console access issue that appeared in\u00a0its FortiOS firewalls, FortiSwitch, FortiAnalyzer and FortiCache devices. These devices shipped with secret hardcoded SSH logins with\u00a0a secret passphrase.<\/em><\/p>\n<p style=\"text-align: left;\"><em>The article seems like advertising for the TLA&#8217;s hacking program.<\/em><\/p>\n<h6>Related articles<\/h6>\n<ul>\n<li><a href=\"http:\/\/www.kitguru.net\/gaming\/security-software\/jon-martindale\/nsa-and-gchq-reverse-engineering-anti-virus-software\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">NSA and GCHQ reverse engineering anti-virus software<\/a> (kitguru.net)<\/li>\n<\/ul>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a>\u00a0about IT, careers and anything else that catches his attention since 2005. You can follow him at\u00a0<a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The National Security Agency (NSA) offers advice on how to prevent, detect, and contain malware attacks.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3277,565,2631,2364,2107,153,626,2937,2934,2498,185,2499,4,2165,2496],"class_list":["post-77533","post","type-post","status-publish","format-standard","hentry","category-security","tag-3277","tag-anti-virus","tag-backdoor","tag-edward-snowden","tag-firewall","tag-fortinet","tag-ftnt","tag-jnpr","tag-juniper-networks","tag-kaspersky-lab","tag-privacy","tag-reverse-engineering","tag-security","tag-ssh","tag-tla"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/77533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=77533"}],"version-history":[{"count":11,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/77533\/revisions"}],"predecessor-version":[{"id":129824,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/77533\/revisions\/129824"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=77533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=77533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?pos
t=77533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}