Posts

4 Ways the WhatsApp Exploit Could Use Employees to Infiltrate Your Network

/1 Comment/in , /by

The recent WhatsApp breach was very sophisticated and clever in the manner it was delivered. And that should be expected considering who was reported as being behind the zero-day attack against the popular messaging application.

But the attack against the WhatsApp app is not just a concern for its millions of global customers. There’s a very real and imminent threat to businesses and enterprises, too.

For example, let’s assume one of your employees has WhatsApp installed on their device and it is subsequently compromised via the latest WhatsApp exploit. In many situations, this employee will, at some point, connect their device to the corporate network.

This legitimate access could be via VPN, cloud applications (e.g., Office 365, Dropbox, etc.), corporate Wi-Fi or, my personal “favorite,” plugging the device into the USB port of a corporate laptop so the phone can charge. Understanding how and where users connect to the corporate network is critical.

In most cases, organizations can’t prevent personal BYOD phones from being compromised — particularly when outside the network perimeter. They can, however, protect the network from exploits delivered via the compromised phone. Here are the four most common ways the WhatsApp vulnerability could be leveraged to infiltrate a corporate network and, more importantly, how SonicWall can prevent it:

  1. Via VPN. If an employee connects to corporate over VPN, SonicWall, for example, would be the endpoint where they establish the VPN Threat prevention (e.g., firewalls, Capture ATP) and access control (e.g., Secure Mobile Access) would prevent the WhatsApp breach from spreading any further than the compromised phone.
  2. Via Wi-Fi. In this scenario, next-generation firewalls and secure wireless access points should be in place to inspect all internal traffic and prevent the exploit from going further than the phone.
  3. Via compromised credentials. Because the WhatsApp exploit enabled attackers to steal credentials to cloud services and apps, organizations with Cloud Access Security Broker (CASB) solutions, like SonicWall Cloud App Security, would mitigate account takeovers (ATO), unauthorized access and any related data leakage.
  4. Via USB port. Users often forget that a powered USB port on their laptop is an entry point for attackers — even when doing something as innocent as charging a phone. A sound endpoint protection solution (see diagram), such as Capture Client, would monitor the connection to the laptop and inspect any malicious activity attempting to leverage the USB port to deliver malware payloads.

3 Ways to Prevent Cryptominers from Stealing Your Processing Power

/0 Comments/in /by

Visiting a website is no longer what it used to be.

Despite this hilarious Imgur post, there is a different trend you may not have noticed: cryptomining via the browser. Many news and procrastination (e.g., BuzzFeed) websites add dozens of trackers to monetize the experience.

However, some sites may also use your browser to mine cryptocurrencies (e.g., bitcoin, Ethereum or Monero) for their own financial gain. The mining stops once you leave, but there is a popular new form of malware that attempts to turn your device into a full-time cryptocurrency mining bot called a cryptojacker. Cryptojacking’s threat to your endpoint or business is based on three things:

  • The energy it consumes or wastes
  • The damage it can do to a system
  • The loss to productivity due to limited resources.

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background although your CPU performance graph or device’s fan may indicate something is not normal.

Despite our vigilance and knowledge of the warning signs, a report from the Ponemon Institute stated the average length of time for an organization to discover malware or a data breach in 2017 was 191 days.

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal. Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking may solve that.

For example, the Apple App Store briefly carried a version of a free app called ‘Calendar 2’ that mined Monero cryptocurrency while open. It reportedly made $2,000 in two days before it was pulled from the App Store.

The Lure of Cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60 percent of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Unlike ransomware, and more akin to traditional malware, stay hidden for as long as possible.

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

How to Know if You are Infected by Cryptominers

Cryptominers are interested in your processing power, and cryptojackers have to trade off stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to Defend Against Cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats. Since people like to reuse old code, catching cryptojackers like CoinHive can be a simple first step.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

In the case of SonicWall Capture ATP, the multi-engine sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

To learn more about how you can defend your organization from these threats I recommend reading this white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud.”

3 Elements of a Successful Managed Security Services (MSS) Bundle

/0 Comments/in , /by

The small- and medium-sized business (SMB) market is rapidly accelerating its adoption of converged managed IT services to alleviate headaches and prevent risks.

More and more businesses use cloud-based services for enterprise applications, processing or communications, placing an even higher priority on network performance and reliability. Yet many SMBs are facing a cybersecurity crisis.

Cyber threats are continuing to get more sophisticated and frequent; SMBs are becoming a more routine target. 61 percent of SMBs experienced a cyber breach in 2017, compared to 55 percent in 2016.

Most managed IT service providers recognize that SMBs don’t have the awareness, knowledge or resources to implement cyber defense mechanisms to effectively protect their data, devices and people. Furthermore, the cybersecurity services market has developed enterprise-class solutions aimed at large enterprise businesses because they have historically been prime targets.

“The challenge for MSPs is finding effective tools that pair well with internal processes to mitigate the risk of a cyber breach, threat of downtime or damage to customers’ reputation.”

There are incredible opportunities for MSPs to develop service options customized for SMBs to address cybersecurity woes while accommodating limited budgets. MSPs that are focused on this will continue to add real value to the services they are providing and strengthen customer relationships by building trust.

The challenge for MSPs is finding effective tools that pair well with internal processes to mitigate the risk of a cyber breach, threat of downtime or damage to customers’ reputation. If bundled intelligently, these services are any easy sell. No business owner wants to see their organization featured on the six o’clock news for a data breach.

Consider three foundational elements of an MSSP plan. These may consist of several individual services, but those services are aimed at protecting specific functions.

Data Protection

Just like their enterprise counterparts, small businesses have a growing data footprint. Storage keeps getting less expensive and many SMBs don’t have a data governance policy, causing the gigabytes to pile up.

Whether the data is stored on-premises or in the cloud, it’s important to have appropriate protections in place, but also the ability to restore data in the event of a disaster or cyberattack. Good MSSP bundles aimed at protecting data will include:

  • Content Filtering: Having a web filtering service to block inappropriate, unproductive or malicious websites is a major first step in preventing cyberattacks.
  • Email Security: Implement secure email solutions to protect SMBs from email-borne threats, such as ransomware, zero-day attacks and spear-phishing attempts, and comply with regulatory mandates to encrypt sensitive emails.
  • Backup & Disaster Recovery: Ensure that an SMB’s data is effectively backed up; whether it lives on a workstation, on-premises device or in the cloud. Being able to restore information that has been compromised is the best insurance policy.

Device Protection

Endpoint devices come in all shapes, sizes and flavors, but the quantity of devices continues to grow. This means that there are more potential intrusion points than ever before. It’s important for a good MSSP bundle to include services aimed at protecting and monitoring endpoint devices.

  • Endpoint Management: MSSPs should have a comprehensive inventory of all devices associated with an SMB customer. Good endpoint management solutions will allow MSSPs to push updates and security patches as they are released to ensure that endpoints stay hardened.
  • Endpoint Security: It almost goes without saying, but having a solid antivirus endpoint security solution in place is still one of the best defenses for protecting endpoint devices.
  • Endpoint Rollback: Mistakes happen. Phishing emails are opened. Malicious links are clicked. But MSSPs can add value for their customers by using endpoint protection solutions that include automated rollback features for those events when a device is compromised.

People Protection

The human element is the most difficult to control and the hardest to protect. But it is critical.

Provide convenient and easy pathways for people to adopt sound security behavior. A consistent security awareness culture makes it easier for users to be aware of security threats. Consider the following bundled services as part of your MSSP offering.

  • Virtual Private Network (VPN): Provide a secure lane for all SMB endpoints to work over a VPN connection. A VPN client may route back to the customer’s network if there are on-premises connectivity demands, or it may be more generic VPN connection to an MSSP’s gateway. VPNs are prevalent and not just for workstations anymore. Modern VPN services offer clients for just about any type of endpoint and are especially important for mobile devices.
  • Policies & Procedures: Provide template policies and procedures to your SMB customers. Again, many of them are leaving IT management, including governance, up to you. Providing basic templates for things like password management, backup and user provisioning is an easy way to get them to create a more robust security awareness culture.
  • Security Awareness Training: For SMBs that subscribe to your MSSP bundle, provide them with routine threat awareness and simple tips and tricks to enforce that security awareness culture.

The most effective MSSP program is dependent on partnerships. Partnerships between SMBs and their IT partners, but also partnerships between MSSP providers and solutions providers. MSPs that bundle services to offer an MSSP will be well-suited to work with security vendors able to offer a comprehensive spectrum of services for their SMB customers.

About ProviNET

ProviNET is a SonicWall SecureFirst Gold Partner. For nearly three decades, ProviNET has delivered trusted technology solutions for healthcare organizations. Whether it’s a single project or full-time onsite work, ProviNET designs and implements customized solutions so healthcare organizations can focus on core services.

ProviNET’s tight-knit group of experienced, industry-certified personnel are focused on customer satisfaction. They are a reputable organization, fulfilling immediate IT needs and helping plan for tomorrow. They are ready to put their extensive knowledge to work for healthcare, developing strategies and solving challenges with the latest technology.

To learn more about ProviNET, please visit www.provinet.com.

Infographic: Ransomware’s Devastating Impact on Real-World Businesses

/0 Comments/in /by

Still relatively new to the cyber threat landscape, ransomware continues to be one of the high-profile malware types that grab headlines. It’s one part Hollywood-style drama mixed with the “mystery” of cryptocurrencies and the seemingly personal nature of ransomware attacks.

But it’s not hyperbole. Ransomware remains one of the most malicious cyberattacks that can cripple a business. SonicWall’s new infographic highlights composite data that demonstrates how ransomware impacts businesses’ ability to operate.

So, how do you prevent your organization from being severely disrupted by ransomware? The best approach is to use multiple layers that deliver automated, real-time breach detection and prevention. While this isn’t an exhaustive list of all security options, these cornerstone tactics will mitigate most of today’s most malicious cyberattacks, including ransomware.

How to Block Ransomware

Businesses have no choice but to proactively mitigate ransomware attacks. But is there a proven approach that can cost-effectively scale across networks and endpoints? Four key security capabilities make full ransomware protection possible.

  1. Next-Generation Firewall

    Detect and prevent cyberattacks with power, speed and precision.
    Next-generation firewalls (NGFW) are one of your first lines of defense against hackers, cybercriminals and threat actors.

    For example, SonicWall firewalls deliver real-time, cloud-based threat prevention, while augmenting the security from on-box deep packet inspection of SSL traffic (DPI-SSL). And all new SonicWall firewalls integrate with our award-winning network sandbox for advanced threat protection.

  2. Network Sandbox

    Identify and stop unknown attacks in real time.
    A network sandbox is an isolated environment on the firewallthat runs files to monitor their behavior. SonicWall Capture Advanced Threat Protection (ATP) is a multi-engine sandbox service that holds suspicious files at the gateway until a verdict can be achieved.

    Capture ATP also features Real-Time Deep Memory InspectionTM (RTDMI). RTDMI is a memory-based malware analysis engine that catches more malware, and faster, than behavior-based sandboxing methods. It also delivers a lower false-positive rate to improve security and the end-user experience.

  3. Email Security

    Filter email-borne attacks before they hit your network.
    Secure email solutions deliver comprehensive inbound and outbound protection from advanced cyberattacks, including ransomware, phishing, business email compromise (BEC), spoofing, spam and viruses. Proven solutions will be available in on-premise email security appliances and hosted secure email.

    SonicWall Email Security also integrates with Capture ATP to protect email from advanced threats, such as ransomware and zero-day malware.

  4. Advanced Endpoint Client Security

    Block ransomware before it compromises user devices.
    Traditional antivirus (AV) has been trusted for years to protect computers. This was a sound approach when the total number of signatures required numbered in the hundreds of thousands. Today, millions of new forms of malware are discovered each month.

    To protect endpoints from this endless onslaught of malware attacks, SonicWall recommends using a next-generation antivirus (NGAV) solution that can monitor the behavior of a system to look for malicious activities, such as the unauthorized encryption of your files.

    For example, SonicWall Capture Client delivers advanced malware protection and additional security capabilities for SonicWall firewall

Ransomware remains one of the most damaging cyberattacks to businesses. Follow these four ransomware protection best practices to help ensure ransomware does not impact your ability to operate.

Capture Client Endpoint Protection: What’s New in Version 1.5

/0 Comments/in /by

In April 2018, SonicWall released Capture Client 1.0 featuring a next-generation, behavior-based antivirus (AV) engine, reporting and management, trusted certificate management, and endpoint enforcement on modern SonicWall firewalls. Despite landing with great enthusiasm as a superior upgrade over previous SonicWall AV clients, this was just the beginning.

In September 2018 we will release Capture Client 1.5, a next-generation endpoint antivirus solution. This blog will cover the five core missions of the release:

  • Expanded visibility and control
  • Better white/blacklisting
  • Automated malware analysis and response
  • Enriched threat intelligence
  • General enhancements

Expanded Visibility and Control

Capture Client will support Microsoft Windows servers. Furthermore, the cloud-based management console how allows persistent visibility and control of managed servers, irrespective of whether they are on premise or in a hosted private/public cloud.

Better White/Blacklisting

With a full application inventory, administrators will be able to easily — with one-click action — whitelist known good applications to minimize any false positives and proactively ensure a good user experience when deploying Capture Client.

No longer will there be a need to remember the path, executable name or even the hash value of the file. Just select the application to whitelist (even specific to a version) and off you go. In a similar fashion, administrators will be able to leverage blacklisting capabilities to disallow the running of unauthorized application in the environment.

Automated Malware Analysis and Response

Capture Client Advanced will integrate with SonicWall Capture Advanced Threat Protection (ATP), the network sandbox featuring RTDMI, which examines the behavior of suspicious files to discover new malware.

If you are paying attention, you’re thinking, “But doesn’t Capture Client continuously monitor the system for suspicious behavior?”

Yes, but a network sandbox can manipulate code and do things with files that an endpoint with antivirus is not supposed to do, like strip apart sequences in memory or fast-forward malware into the future. This is designed to find malware, such as Trojans, before they execute, and save people time from remediation, such as rolling the endpoint back to a state before the malware was downloaded and/or activated (e.g., malware with timing delays).

Enriched Cyber Threat Intelligence

Every business day, Capture ATP receives over 1.5 million requests to analyze suspicious files. To analyze that volume of files, the following process is followed:

  1. In order to make it as efficient as possible, every file is given a hash (unique identifier).
  2. Next, it checks to see if there is a verdict for the same hash.
  3. Then it completes a community check of over 60 virus scanners to better understand if the research community knows anything about the file.
  4. It is only after that investigation do we funnel the file automatically into the behavior-based engines of Capture ATP to process the file in question.

Since 45 percent of all requests are unique, the third and fourth processes eventually create hundreds of thousands of new verdicts every business day that we instantly apply in the second step listed above.

This growing database is then leveraged by Capture Client administrators to conduct manual checks of suspicious files on computers with Capture Client without the need to manually upload the file for analysis. This will return a near-instant verdict (for previously evaluated files) and will help mitigate any compliance issues for potentially sensitive files.

General Enhancements

Beyond the delivery of more features without a change to price, multiple stability and user-experience enhancements will be added to Capture Client 1.5, including:

  • Attack Execution Visualization – For threats that are detected during execution, the Capture Client console will show an advanced visualization of all the indicators of attack associated with the threat and how it progressed through its lifecycle.
  • Advanced Network Visualization – A unique network map will show admins the status of endpoints behind SonicWall firewalls that are enforcing the clients and allowing for drill down into device status, threat events and response actions.
  • Alerting and Notifications – Addition of email-based alerting for threat events as a foundation for admin notifications, reducing the need for “eyes-on-glass” monitoring.
  • Threat Analysis UX Improvements – Multiple enhancements will be made to the user experience of the threats page, providing more information about the threats, its lifecycle stage, indicators of attack and easy-to-understand threat response actions.
  • Client Improvements – Improved install/uninstall/upgrade experience for Capture Client and its modules.

Capture Client Endpoint Protection

To learn more about SonicWall Capture Client endpoint protection, download the in-depth data sheet. It explores the solution’s key capabilities, including advanced malware protection, continuous behavioral monitoring, workflow automation, cloud-based management and more.

GET THE DATASHEET

Cyber Security News & Trends

/0 Comments/in , /by

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.

SonicWall Spotlight

Cybersecurity 500 List, 2018 Edition Cybersecurity Ventures

  • SonicWall is announced as #36 on Cybersecurity Ventures Cybersecurity 500: 2018 Edition List which includes the world’s hottest and most innovative cybersecurity companies to watch in 2018.

British Businesses Facing Cyber Ransom Demands of up to £200,000 The Daily Telegraph

  • Cyber criminals are arming themselves with “malware cocktails”, expertly blended using old variants of malicious computer code. The new viruses are more potent than their predecessors because they have adapted to companies’ cyber defenses, like a digital version of antibiotic-resistant superbugs.

Securing Your Journey to Success With Innovation and Security: SonicWall Silicon Review

  • Recently announced as one of the 10 Best Security Companies in 2018, SonicWall is featured in an editorial highlighting the company’s history and success with CEO Bill Conner at the forefront.

10 Best Security Companies in 2018 Silicon Review

  • SonicWall is announced as one of the 10 Best Security Companies in 2018.

Cyber Security News

Cybercriminals on Average Have Seven-Day Window of Opportunity to Attack SC Magazine

  • Once a vulnerability is announced, the average attacker has a seven-day window of opportunity to exploit the flaw before a defender is even aware they are vulnerable, according to report from Tenable.

Deadly Attacks Feared as Hackers Target Industrial Sites The Hill

  • The hacking threat to critical infrastructure in the United States and beyond is growing larger, with nation states and other malicious actors looking to gain a foothold in sensitive technologies to conduct espionage and potentially stage disruptive or destructive attacks.

U.S. Judge Dismisses Kaspersky Suits to Overturn Government Ban Reuters

  • A U.S. federal judge on Wednesday dismissed two lawsuits by Moscow-based Kaspersky Lab that sought to overturn bans on the use of the security software maker’s products in U.S. government networks.

BackSwap Banking Malware Bypasses Browser Protections With Clever Technique SC Magazine

  • A new banking malware called BackSwap has replaced tricky conventional browser injections with a simpler browser manipulation technique.

Over 5K Gas Station Tank Gauges Sit Exposed on the Public Net Dark Reading

  • It’s been three years since researchers first discovered automated tank gauges (ATGs) at some 5,000 US gas stations exposed on the public Internet without password protection, and a recent scan found 5,635 locations were vulnerable to the same issue.

In Case You Missed It

Upcoming Webinars & Events

June 4
Webinar
1 a.m. PDT
Technical Deep Dive – Securing Office 365 with SonicWall Email Security
> Register Now

Cyber Security News & Trends

/0 Comments/in /by

Each week, SonicWall collects the cyber security industry’s most compelling, trending and important interviews, media and news stories — just for you.

SonicWall Spotlight

New DHS National Cybersecurity Framework Sets Goals, Milestones — MSSP Alert

  • As a result of the recent elimination of the White House cybersecurity coordinator role, SonicWall CEO Bill Conner is featured for his perspective and insight into what the move implies for the future of cybersecurity policy.

SonicWall Pushes Capture Cloud Platform with Endpoint Security — Chinabyte.com

  • SonicWall’s recent updates including the company’s new Capture Cloud Platform, enhanced RTDMI technology and more are featured in this article.

Cybersecurity Sourcebook 2018 Looks at Evolving Data Threat Landscape — Database Trends & Applications

  • This article explains the serious need to safeguard data using key SonicWall threat data. Specifically, they’ve included stats sharing that cyberattacks are becoming the number-one risk to businesses, brands, operations, and financials, and that there were 9.32 billion malware attacks in total in 2017, representing an 18.4% increase over 2016.

Cyber Security News

Brutal Cryptocurrency Malware Crashes Your PC When Discovered — ZDNet

  • The malware, dubbed WinstarNssmMiner by 360 Total Security researchers, has been used in half a million attempted attacks leveraged at PCs in only three days.

What Makes ZTE a Cybersecurity Threat? Congress Wants to Know — CNET

  • Congress wants a detailed explanation on what cybersecurity threats the Chinese phone company poses.

Mexico Central Bank Says Hackers Siphoned $15 Million from Five Companies — Reuters

  • Mexico’s central bank said on Wednesday that a cyber attack had sucked around 300 million pesos ($15.33 million) in fraudulent transfers from five companies, but it was unclear how much thieves had managed to pull out in cash.

Former CIA Software Engineer ID’ed as Suspect in Vault 7 Leaks — SC Magazine

  • The former CIA software engineer believed to have leaked the CIA’s Vault 7 hacking tools is already behind bars at the Metropolitan Correctional Center in New York City, after being indicted for possessing child pornography.

DHS Issues More Medical Device Cybersecurity Alerts — GovInfo Security

  • The Department of Homeland Security has yet again issued a warning about cybersecurity vulnerabilities in medical devices. These warnings have come after independent researchers, or the companies themselves, have reported the problems.

Cybersecurity Whistleblowers are Growing Corporate Challenge — The Wall Street Journal

  • Signals from the U.S. Securities and Exchange Commission over how seriously it takes cybersecurity, combined with a Supreme Court ruling on whistleblower protections, are putting pressure on companies to be more careful about how they deal with potential tipsters, lawyers say

In Case You Missed It