Posts

New SonicWall TZ Series Firewall

GROW BY LEVERAGING THE WEB is today’s small and medium business rally call. But, it is the echo to the call that you need to pay attention to: as you open the internet door wider, you are also opening the door for more cyber-attacks. Protection does not have to break the bank or leave you up at night. With the new SonicWall TZ Series Firewalls, you can get a better firewall that performs at faster broadband speeds at a low total cost of ownership.

The new SonicWall TZ is better.

There is no reason why your firewall does not have the same protections that big business demand. The thinking behind all our network security products is to not cut corners when it comes to inspecting traffic. We inspect the whole file, no limits on file size, the port or protocols being used. The new TZ offers 1 GbE network interfaces and gives you the type of protection that big businesses, large universities and government agencies enjoy. Now, you can impress your big business partners with enterprise grade protection with anti-malware, intrusion prevention, content and URL filtering, application control and secure mobile access.

The new SonicWall TZ is faster.

Faster broadband is the starting point, then, you want faster wireless. To accomplish this, your firewall needs lots of horsepower. The SonicWall TZ has plenty. Designed with the knowledge of the exploding growth in SSL use, the new series has the horsepower to identify malware lurking in encrypted SSL traffic. With an integrated wireless controller, the business does not require additional costs to offer their customers and employees that extreme speeds that 802.11ac can deliver.

Product image of the SonicWall TZ Firewall series

The new SonicWall TZ is affordable.

In the past, to meet high speed broadband requirements, business owners would have to pay a hefty price. The new SonicWall TZ300 can deliver full Deep Packet Protection at 100 Mbps broadband speeds for less than a thousand dollars (this TotalSecure bundle includes the Appliance, content filtering, application control, intrusion protection, SSL inspection and antivirus).

The new SonicWall TZ is the new solution for small and medium businesses

Don’t let cybercriminals compromise your organization. The new SonicWall TZ can solve your performance and security requirements at a price that does not break the bank. For more information, take a look at the SonicWall TZ Series Data Sheet that gives you the details on this great new product.

Ten Tips for Protecting POS Systems from Memory Scraping Malware

In the recently published 2015 SonicWall Security Threat Report, one of the observations on the evolution of attacks on POS systems is the rise in popularity of malware that uses memory scraping to steal sensitive data. No matter how many layers of encryption are applied to sensitive payment data and how carefully this encryption is deployed, at some point the primary account number and other sensitive information must exist in an unencrypted form in order to be useful. The moment that payment data is decrypted for processing, it ends up in the memory of the POS machine, creating a perfect window of opportunity for an attacker to snag this data. Advanced malware can use multiple techniques to access and scan contents of this temporary storage and look for patterns that resemble raw payment data. This data can then be used, for example, to clone cards for fraudulent purchases. This is exactly what happened in some of the high profile retail breaches of 2013 and 2014.

The ultimate goal of RAM scraping malware is exfiltration of the unencrypted data stolen from memory of the infected machine. Therefore, this malware will be very well hidden and it will attempt to remain as invisible as possible in order to access as much data as possible. Mitigating the risks of being hit with such malware falls into two categories: Pre-infection best practices to avoid infection and post-infection best practices to detect and control the attack.

Pre-infection best practices

Protecting yourself from new advanced attacks must always be done on top of executing on the basics which serve to reduce the risk of getting critical systems such as POS systems infected by any malware.

  1. Keep the OS and applications on POS systems fully patched. Most patches are security related, so ignoring them only opens up a larger window of opportunity for attackers.
  2. Firewall off the POS network from the rest of the network with strong (i.e. bare minimum access) access policies as well as with Intrusion Prevention and Anti-Malware.
  3. Use strong, non-default and not shared, passwords.
  4. Deploy and enforce endpoint anti-virus as a last measure of defense.
  5. Encrypt traffic VPN tunnels.
  6. Enable protection against MAC spoofing within the POS network and for critical systems with which the POS terminals communicate.
  7. Lock down remote access to pin-point level of access. Do not allow full L3 tunnels into sensitive networks and use remote access tools that allow verification of remote host integrity before granting access.

Post-infection best practices

A good to approach in evaluating your network security stance is to assume that you will be infected at some point in the future and design processes to allow you to detect and control the infection. In the context of memory scraping malware, the ultimate observable behavior will be communication with non-trusted hosts on the internet. It may not be immediate and it may not be in bulk, as the attacker may want to put time between the act of infection and the act of data theft. However, sooner or later, the attacker will need to get the stolen data from the POS systems into his or her possession. This may happen naively via direct communication, or via more sophisticated methods such as using another compromised system outside the POS network, but with a connection to the POS network, as a gateway. That system may reside in a network that is less strictly observed than the POS network on which may not raise alarms at communication with random servers on the internet.

There are several key technologies that can help you detect or neutralize this data exfiltration:

  • Don’t allow direct communication with the internet from the POS network. This will lock down allowable communications and will block and detect naïve approaches at data exfiltration. For processing purposes, payment data can be sent via an encrypted tunnel to another trusted server(s) on the network (outside the POS network) and then via another encrypted tunnel to the processing server. Communication between these systems should be whitelisted by the firewall via ACLs, with all other traffic (besides perhaps management and updates) blacklisted.
  • Deploy Geo-IP and Botnet filtering detection on all networks. Lock down communication from sensitive systems only to locales that they need to communicate with (if your processor is in the US, why would your POS data need to have access to and from Europe, Asia, LATAM, etc.?)
  • Configure DLP and SSL Decryption to detect Credit Card type data leaving the network in plaintext or inside of SSL tunnels to internet hosts that are unknown. In other words, only allow such data to flow to CC processing servers known to you. Communication of such data to any other system on the internet should be intercepted, logged and investigated. Deny any SSL communication from sensitive networks that does not lend itself to inspection by not accepting your NGFW SSL inspection certificate.

Firewalls occupy an extremely valuable piece of real estate on any network since all Internet bound traffic must go through them. When properly deployed, next-generation firewalls play an important role in reducing the risk of advanced malware infection and data theft in POS networks. To find out more about the capabilities of state of the art NGFWs from SonicWall, read the eBook “Types of Cyber-Attacks and How to Prevent Them.” Follow me on Twitter: @threadstate.

Seven Layers of Protection from Hacked Websites

In January 2015, celebrity chef Jamie Oliver announced that his website, which attracts 10 million visitors per month, had been compromised. This followed an announcement by Forbes that a month earlier, in December of 2014, the highly visible “Thought of the Day” flash widget had been compromised as well. In both of these, the hacked website was simply the first step in a complex process that is carefully engineered to make money off of unsuspecting internet users.

Most people are surprised to learn that the Hollywood perpetuated stereotype of the cyber-criminal is a myth. We imagine an evil genius sitting in a dark room, typing feverishly to hack into the good guy’s networks in real time, guessing passwords and avoiding law enforcement through well-timed keystroke sequences as he goes. The reality is much less intriguing. The tools that are used for these exploits are often generic off-the-shelf software developed by third-party developers and then sold on the black market. The sale of criminal tools – exploit kits, malware droppers, malware itself and more — has become a big business in itself. In fact, according to researchers, in the case of the Jamie Oliver website, a popular and widely available hacking tool named Fiesta was used to scan visitors’ computers and look for vulnerabilities that could be exploited to deliver the malware. Our own  SonicWall threat research shows that Angler was the most commonly used exploit kit in 2014, resulting in over 60 percent of the exploits that we saw last year.

To add to the problem, NSS labs estimates that 75 percent of the world’s computers and 85 percent of the computers in North America are poorly protected against these exploits. Even worse, anti-virus (AV) software that is typically used to protect computers provides only adequate security at best.

How do websites get compromised?

The attacker will generally target websites with vulnerabilities that allow them to modify the HTML on the web page. A prime target for cybercriminals is a website that is highly trusted and high volume like Forbes.com. In many cases, attackers will look to compromise ad servers which generate a huge amount of views. After a webpage with a vulnerability is identified, users can be tricked into clicking links to a separate landing page on a rogue web server that hosts the exploit kit. In the more disturbing case of a so-called drive-by download, an exploit kit automatically loads content from the malware server with zero end user interaction required.

The exploit kit then attempts to scan the user’s computer looking for vulnerabilities in common applications. We know that most people ignore OS patches, and even more people ignore browser, Java and Flash patches. A sophisticated attacker may independently find a vulnerability, but more likely he or she will use published vulnerabilities. The level of sophistication of these exploit kits varies, but some will even check IP addresses to ensure that the target computer matches the desired profile, for example a residential PC.

Once a vulnerable application is discovered, the exploit is launched and if successful the chosen malware payload is finally downloaded to the victim’s computer. While one common payload delivers malware that takes control of the victim’s computers (this is called a bot as in robot or zombie), other malware can be used to steal data, log keystrokes, or launch distributed DOS attacks on other websites. Another common payload is called ransomware because it encrypts all data on the victim’s computer and holds it until the data owner provides a valid credit card number and pays to unlock the data. The reality with these attacks is that anybody and everybody is a target – the mom and pop business owner, gas station attendant, grandma and grandpa, business executive or school teacher – everyone is a potential victim.

A layered approach for protection from compromised website exploits

No single tool or technique is guaranteed to stop these attacks, but there are a variety of tactics that can be utilized to minimize the chance of a successful exploit.

  1. Gateway malware protection. Modern firewalls, also known as next-generation firewalls, provide much more intensive packet scanning than legacy firewalls. Deep packet inspection is used to inspect not only the header portion of the packet but also the payload, searching for viruses, Trojans and intrusion attempts. This level of inspection will often block the download of the malware payload.
  2. Patch management. Since most of the known exploits take advantage of vulnerable versions of applications, it is critical that you continuously apply the latest versions of software to all of your servers, PCs, Macs, Chromebooks, smartphones, tablets, printers, networking gear and other connected non-computing devices. Whew! Systems management solutions automate this patching for larger organizations.
  3. Automatically updated desktop AV clients. Standard desktop anti-virus clients provide a level of protection from the malware payloads that are used in these attacks, but it is critical that the desktop client is kept up-to-date. Ideally, if you are in charge of security, you would have a way to enforce the use of the clients because users love to turn off AV when they perceive that it slows down their computer. And unfortunately, in some cases malware disables AV or uses advanced methods to avoid detection so this is just one layer in the overall security strategy.
  4. Internet/web content filtering. There are a wide variety of solutions on the market that allow an organization to filter the URLs that can be accessed by users inside the network. Filtering in many cases will block the redirect to the malware server, and is a standard feature on most next-generation firewalls.
  5. Botnet filtering. Deep packet inspection also provides the ability to determine if connections are being made to or from botnet command and control servers. Many next-generation firewalls have continuously updated lists of these servers. Botnet filtering is a layer of security that will block communications to and from already compromised computers participating in botnets from behind the firewall.
  6. GeoIP filtering. Another feature of next-generation firewalls that can be useful in preventing bots from communicating with their command and control server is to restrict communications based on geography. GeoIP data includes the country, city, area code and much more. This is useful if an organization can exclude geographies that are known cyber-security risks such as Russia or China.
  7. Outbound email protection. Attackers will often use the computers that they are able to exploit as spambots to send spam mail as part of a larger spam campaign. These computers are often called zombies because they are remotely controlled by another person, in this case the spam botmaster. Email security solutions can scan outbound mail for signals that the computer has been compromised and determine that a system has been compromised.

Security professionals realize the complexity of the risks posed by compromised websites. Unfortunately, there is no magic bullet to preventing exploits, but a layered approach to security can minimize the risk to your organization.

To learn more about protecting your network from these types of exploits, read the new SonicWall Security eBook, “Types of Cyber-Attacks and How to Prevent Them.” Follow me on Twitter @johngord.