Penetration Tests – Why does your organization need one?

Chris Fortune[Security Consultant]

Penetration testing helps businesses understand whether their investment in security actually affords them the protection they want.  To help in your understanding, let’s start by defining some terms so we are using the same vocabulary.

  • Threat – an agent or actor that can cause harm
  • Vulnerability – a flaw that someone can exploit to cause harm
  • Risk – where a threat and a vulnerability overlap
  • Exploit – code or a technique that a threat uses to take advantage of a vulnerability
  • Penetration testing – modeling the techniques used by real-world attackers to find vulnerabilities and, under controlled circumstances, exploiting those flaws in a professional, safe manner according to a carefully designed scope and rules of engagement, in order to determine business risk and potential impact.  The goal throughout is to help the organization improve its security.
  • Security/vulnerability assessment – focuses on finding security vulnerabilities, which may or may not be used to get in or steal data.  These assessments are broader and often include an explicit policy and procedure review.

Now that we have a common vocabulary, you might be asking “How is a penetration test different from a vulnerability assessment?”  The difference is action: the penetration test attempts to breach the security of the business, whereas a vulnerability assessment is an evaluation of your organization’s security posture.

A penetration test can help answer the following questions:

  • Can the vulnerabilities that are found be exploited to gain access or steal data?
  • Can several lower-risk vulnerabilities be chained together to produce a higher-risk compromise?
  • What does a successful attack mean to the business or its operations?
  • How well can your business detect and respond to attacks?

Other reasons a penetration test can provide value to your business:

  • Meeting the compliance requirements of regulatory standards
  • Finding the types of vulnerabilities that automated network or application vulnerability scanners have difficulty detecting
  • Providing evidence to support increased investment in security personnel and technology
  • Validating, after a security incident, that the new security controls put in place will stop a similar attack in the future

Penetration tests can be scoped to your business needs, from general to narrow.  On the general end of the scale is a black box test: the tester is given little to no information and tries to gain access or obtain business information.  On the narrow end is a white box test, such as testing a new application with full knowledge of what it should do.  In that case the tester is given valid user accounts with different roles, such as a regular user and an admin user, to test what each role can do in the application.

If you would like to discuss penetration testing and the value it can bring to your organization, please contact your Keller Schroeder Account Manager to begin a discussion with our certified penetration testers.


It’s OK to Ignore the CEO, When it is NOT the CEO!

Brad Mathis – [Senior Consultant – Information Security]

Imagine the following scenario.

You are going through your daily routine and you receive an urgent email from the CEO.  The email is urgent, appears to be time sensitive, and requires you to act immediately.  You are aware the CEO is currently out on vacation or away on business, and is therefore unreachable.  However, the email is direct and to the point: “Get this done!”  The email asks you, a member of the finance team, to process a payment or monetary transfer.  It may even inform you that someone from another company will be reaching out to you with further instructions, such as account numbers and routing information.  An abbreviated example of such an email may look something like this:

[Image: sample CEO fraud email]
What if you also received an email ahead of this one from someone in finance saying “Keep an eye out for an email from the CEO asking about a funds transfer”, followed by an email from the alleged company the CEO mentioned in their original email?  Transferring large sums of money from one account to another is a normal part of your job.  Although this chain of events is a bit out of the ordinary, it also seems perfectly legitimate.  Would you process the transfer?  Would a co-worker?

Sadly, far too many organizations are falling victim to these types of crime, known as CEO Fraud and Business Email Compromise (BEC).  In some cases the sender’s email address is spoofed, meaning the criminal makes the recipient think the email is from the actual sender.  Even more concerning is when the actual sender’s email account credentials are compromised and the criminal is able to send emails directly from the account of a CEO, CFO, attorney, and so on.  This may sound complicated, but it isn’t.  With malware-laced email attachments and infected links, it is far too easy to install malicious software on a victim’s workstation, allowing the criminal to capture every keystroke the legitimate user types.  Even more concerning, cameras and microphones can be controlled by the criminals.
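The spoofed-sender case described above leaves traces in the message headers; the compromised-account case does not.  The Python script below is an added example, not code from the original article or from any product it mentions.  The company domain, the executive list and the four sample messages are constructed for the example; it flags a known executive’s display name on a foreign address, a sender domain that is a near-miss of your own, and a Reply-To that quietly redirects replies elsewhere.

```python
"""Header heuristics for CEO-fraud / BEC messages (added example, stdlib only)."""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data: your own mail domains and the genuine addresses of
# the executives most likely to be impersonated.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> list[str]:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name of a known executive, but not that executive's address.
    genuine = EXECUTIVES.get(from_name.strip().lower())
    if genuine and from_addr.lower() != genuine:
        findings.append("display-name-impersonation")

    # 2. Sender domain within two edits of one of our own domains (examp1e.com).
    if from_domain not in COMPANY_DOMAINS and any(
        edit_distance(from_domain, d) <= 2 for d in COMPANY_DOMAINS
    ):
        findings.append("lookalike-domain")

    # 3. Replies silently redirected to a domain other than the From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    return findings


# Constructed sample messages (not real mail). The last one is the
# compromised-account case: genuine headers, so nothing here flags it.
SPOOFED_DISPLAY_NAME = """\
From: Jane Doe <jane.doe@gmail-mail.net>
To: payments@example.com
Subject: Urgent wire transfer

Get this done today. Someone from the vendor will send account details.
"""

LOOKALIKE_DOMAIN = """\
From: Jane Doe <jane.doe@examp1e.com>
To: payments@example.com
Subject: Time sensitive payment

I am travelling and cannot take calls. Process the transfer now.
"""

REPLY_TO_REDIRECT = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@mail-relay.net
To: payments@example.com
Subject: Funds transfer

Reply to this message with confirmation once sent.
"""

COMPROMISED_ACCOUNT = """\
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Funds transfer

Get this done.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed name", SPOOFED_DISPLAY_NAME),
                       ("look-alike domain", LOOKALIKE_DOMAIN),
                       ("reply-to redirect", REPLY_TO_REDIRECT),
                       ("compromised account", COMPROMISED_ACCOUNT)]:
        print(f"{label:20} -> {check_message(raw) or 'no header indicators'}")
```

The fourth message passes every check because it really did come from the executive’s mailbox.  That is the point of the article: header checks shrink the spoofing problem, but only an out-of-band verification step stops a transfer requested from a compromised account.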

The FBI estimates the amount organizations lost to Business Email Compromise between October 2013 and February 2016 at $2.3 billion.  Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.  Keep in mind, this is only the loss actually reported; many businesses stay quiet and never report their losses for fear of reputational damage.

Luckily, the risk of becoming a victim of this type of crime, as well as of other email- and web-based threats, can be reduced.  A modern, evolving, layered security infrastructure is extremely important and cannot be overlooked.  However, the most effective and most overlooked way to reduce your risk of becoming a cybercrime victim is effective and measurable end-user security awareness education.

While we constantly stress the importance of vulnerability and patch management, this does not apply only to your technology.  User vulnerability levels need to be assessed to gauge how likely users are to fall prey to a phishing email or other criminal scam.  This activity is most effective when combined with required security awareness training.  This is where it sometimes gets tricky: the simulated phishing campaigns and security awareness training requirements must apply to ALL employees, up to and including the President and CEO.

Identifying your employee vulnerability baseline is an important and effective step toward lowering your overall risk profile, as well as empowering your workforce to always be on the lookout for malicious and criminal activity that can threaten your business.

So, Yes… It is OK to ignore the CEO’s request when it cannot be verified it is truly the request of the CEO.  When the business is on the line, they will thank you for your due diligence.

How vulnerable are your users?  How likely are they to be victimized?  What steps have you taken to get data to support your answers to those questions?  When performing these employee vulnerability baseline assessments, we have seen failure rates as high as 75% on the initial phishing test.  Launching an effective awareness solution that lets you measure risk and track improvement is a critical first step in lowering your employee vulnerability risk, making your organization less likely to become a victim of cybercrimes such as CEO Fraud, Business Email Compromise, and ransomware.

Contact Keller Schroeder today to find out how we can help you implement solutions that effectively reduce your employee vulnerability risk through ongoing security awareness training and testing.


ProofPoint Email Protection – Not Your Average Spam Filter

Chance Webster – [Systems Engineer – Network Solutions Group]

In today’s fast-paced world, email is the medium that drives business.  Not only do we use email to conduct day-to-day operations and communicate with employees, customers, and business partners; we also use it to advertise products and services, convey information to a large group, or even send that all-important casserole recipe to a coworker.  With the pervasiveness of email, a common business concern is how to filter out junk mail and messages with malicious content.  There are many good solutions on the market today; however, there are sometimes gaps in coverage as vendors try to keep up with the ever-evolving tactics used by spammers and malware authors.  A complete solution that mitigates both junk mail and mail-borne risks, and provides solid intelligence on these threats, is ProofPoint Email Protection.

ProofPoint Email Protection is a cloud-based platform that grows with your business and can be used to build a highly reliable, low-latency solution that protects your users from malicious or otherwise unwanted messages by means of policies, rather than a single set of rules applied to everyone in the organization.  By using policies to define your message filtering rules, administrators can target a particular audience for messages from a given source, sender, or message classification when required.  Since ProofPoint Email Protection is cloud-based, it also provides continuity of incoming email if your email servers go down and automatically resumes delivery when your email services are restored.

ProofPoint Email Protection also provides a high level of visibility and reporting for your email administrators while giving your users some control.  Messages can be searched using the message tracing logs and dozens of search criteria to quickly identify messages and take action as necessary.  There is also a large number of detailed reports that provide a vast array of information and allow administrators to make informed decisions when approving or denying messages with questionable content.  End users can be given some freedom to opt in or out of routine quarantined-message notifications, ProofPoint-managed or administrator-defined safe and block lists for known spam or malware sources, or even bulk message delivery.

If you are considering more effective ways to manage against mail-based malware risks or the loss of time related to sorting through spammed messages, make contact with your Keller Schroeder Account Manager and let us show you more about the ProofPoint Email Protection solution.


Systems Team Proactive Performance Management (PPM) Services

Chris Haynes  – [Keller Schroeder Engineer]

        An ounce of prevention is worth a pound of cure. – Benjamin Franklin

Virtualization has become the norm in most data centers, and so has the expectation of zero downtime.  Preventative maintenance is the best insurance against downtime and security threats in your storage/virtualization environment.

Preventative maintenance can:

  • Prevent productivity losses due to unscheduled downtime
  • Reduce security risk
  • Increase the quality & reliability of mission-critical IT operations
  • Maximize performance & efficiency
  • Lower overall maintenance costs

Keller Schroeder’s Systems Team offers a Proactive Performance Management (PPM) service that performs regular preventative maintenance and provides remedy reporting and resolution for storage/virtualization environments.

So what does our PPM service include?

  • Review system logs, alerts, & diagnose problems
  • Identify capacity & performance issues & inefficiencies
  • Perform minor upgrades & apply patches
  • Analyze/validate system configurations
  • Remediate discovered issues
  • Make recommendations for improvements or industry common practice design changes

So why use Keller Schroeder for these services?

Our Systems Team has a combined 130+ years of experience in IT, an average of about 22 years per administrator.  We have deep knowledge and expertise in the storage/virtualization stack, both past and present.  We carry multiple certifications in various technologies, and we continuously perform new installs and upgrade existing systems in the field, so we are fresh and familiar with the latest versions, compatibility requirements, and potential pitfalls.

We already perform PPM programs for many of our clients and have developed detailed & proven install, upgrade, & patch procedures, along with health assessments & checklists, and remedy/status reports. We typically provide these PPM services on a quarterly basis, but we can build a customized plan to meet your specific needs.

A key challenge in IT is having to do more with less and dealing with a lack of resources, so let us do what we do best, so you can focus on what you do best for your business.

Please contact your Keller Schroeder Account Manager for more information.


LogRhythm 7 – Next-Gen Security Threat Detection & Response

Brad Mathis [Senior Consultant, Information Security]

LogRhythm, The Security Intelligence Company, recently unveiled LogRhythm 7, a major upgrade to their security intelligence and analytics platform.  With new and enhanced features and capabilities, LogRhythm continues to be a leader in the SIEM (Security Information & Event Management) space.

Chris Peterson, senior vice-president of products, CTO and co-founder at LogRhythm, states, “The sophistication and resolve of today’s cyber adversaries continue to rise, as does the number of successful intrusions.  The innovations in LogRhythm 7 empower IT security teams to detect, respond to and neutralize cyber intruders faster and more efficiently.”

With LogRhythm’s HTML5-based dashboard, advanced security analytics and SmartResponse automation capabilities, and the ability to perform full-text unstructured search with the introduction of Elasticsearch, it is no surprise LogRhythm has been positioned as a Leader in Gartner’s SIEM Magic Quadrant report for four consecutive years.  LogRhythm also scored highest in Gartner’s Critical Capabilities for Security Information and Event Management.

New features with LogRhythm 7 include:

  • Elasticsearch based indexing for expedited investigations
  • Architectural advancements for up to a 300 percent improvement in data indexing performance on a per-node basis
  • Real-time threat activity map
  • New Risk-Based scoring algorithms
  • Incident Response advancements
  • Extensions to the SmartResponse Automation framework, such as the ability to prevent malware outbreak with endpoint shutdown

For more information or to schedule a LogRhythm demonstration, contact your Keller Schroeder Account Manager.


Spotlight On…

Employee Owners: Chris Fortune

Chris Fortune is a 20-year veteran of IT.  His experience began as a co-op student on a helpdesk and quickly progressed through increasingly challenging roles in network engineering, systems engineering, and telecom.  Security has always been the common thread running through Chris’ work in those disciplines.  He has also had direct responsibility for security, including managing firewalls, IDS/IPS, AV, VPN, remote access, log management and forensics.  Chris has worked for manufacturing, education, service provider, financial, healthcare and utility companies, as well as consulting for these types of businesses.

Chris has a Bachelor of Science in Computer Engineering from the University of Evansville and is working on a graduate certificate in Penetration Testing & Ethical Hacking from SANS Technology Institute.

Contact the Keller Schroeder Account Team to learn more about Chris and how you can leverage his experience and skills to benefit your organization.


Phish or Be Phished? The Choice is Yours

Brad Mathis, Senior Consultant, Information Security

It is mid-2015.  By now, we have all seen incoming emails claiming we have been bequeathed a huge sum of money from a Nigerian Prince, or we have won a foreign lottery we never entered.  Most employees have seen these scam emails long enough to know they are not real.

However,

  • What about the seemingly benign email coming in from a recognizable sender?
  • What if this legitimate looking email has an attached PDF or Word document?
  • What if it contains a seemingly real link to a web site?
  • How many of your employees would open the attachment or click on the link?
  • How many employees will assume it is safe since it made it unscathed through all of your layers of security, including email and web content filters?
  • Do your users understand the ramifications of introducing undetected malware into your environment? Do they know this malware can capture their keystrokes, turn on their web camera and microphone, and capture screen shots or data from their system and transmit this data to cyber-criminals completely undetected?

If you can answer these questions with a high degree of certainty, you are either in a one-user environment, sitting at each user’s desk approving their every keystroke, or you have already identified and implemented the requirement for measurable security awareness training and recurring testing of your staff to see how phish-prone they are.

This would be a good time to stress the importance of maintaining an effective defense-in-depth strategy.  What does this mean?  Defense-in-depth comes down to remembering that no single defense mechanism will protect your environment; it takes several layers to lower risk.  Examples of necessary defense-in-depth layers are:

  • Continuous Vulnerability Management
  • Continuous Patch Management of Applications and Operating Systems
  • System Hardening and Configuration Standards
  • Effective Next Generation Firewall Strategy
  • Intrusion Detection and Prevention
  • Malware Defenses and Content Filtering
  • Secure Perimeter and Network Security Architecture
  • Complete elimination of obsolete operating systems and applications, as well as the elimination of technologies no longer supported or considered best practice, such as RIP and WINS
  • Strengthened Controls such as Password Requirements and Rights Management
  • Policies, Procedures, and Standards

Won’t a strong defense-in-depth strategy keep cyberattacks out of my network?  Unfortunately, no amount of technical defense can completely prevent a user lacking security awareness from clicking or opening something they should not.  The danger point is a window of opportunity cyber-criminals know all too well: there is a time lag between when a vulnerability is discovered and when organizations get around to correcting it.  Criminals know to attack swiftly while defenses are down and the chance of detection is low.

According to a recent information security study, it takes organizations an average of 176 days to remediate known vulnerabilities, while it takes cyber-criminals an average of only 7 days to exploit them.  During that 169-day delta between criminal exploitation and organizational remediation, your defense-in-depth layers may be at the mercy of your end users’ level of security awareness.  On top of this, we have seen a window of several days before anti-malware providers can detect the newest malware strains.

Of the 150+ million phishing emails sent every single day, over 10% make it through spam filters.  Of those, over 8 million are opened, and over 800,000 users click on phishing links.  An average of 80,000 users a day actually provide sensitive information to cyber-criminals because they believe the email or web link to be legitimate.  Every day!  Are your users among the 80,000 daily victims?

If you haven’t figured it out by now, security awareness training and effectiveness testing is now a required layer of an effective defense-in-depth strategy.  Knowing this is critical, Keller Schroeder has partnered with KnowBe4 to offer effective and measurable information security awareness training, as well as ‘safe’ simulated phishing attacks to help determine what your current phish-prone percentage is and how to lower it.  For years, law enforcement has learned its best crime prevention techniques from criminals.  KnowBe4 has taken the same approach with security awareness training: the training was co-developed with reformed cyber-criminal Kevin Mitnick, the world’s most wanted hacker during the mid-nineties.

For more information about how Keller Schroeder and KnowBe4 solutions can help you determine and lower your Security Awareness Risk, please contact your Keller Schroeder Account Manager.


TechSpot Recap : VMware-Kaspersky “Avengers: Age of Ultron” Premiere

Carissa Montgomery, Marketing & Communications Coordinator

On Friday May 1st, VMware and Kaspersky Lab joined Keller Schroeder in treating a group of our clients and their guests to a private showing of “The Avengers: Age of Ultron” at Showplace Cinemas.

Before the movie began, attendees and Keller Schroeder employee-owners listened to presentations from VMware and Kaspersky Lab featuring the latest from their technologies.

After beginning with an overview, VMware Healthcare Systems Engineer Max Abelardo discussed what was new with the vSphere 6 server virtualization platform, end-user computing using VMware, and the vRealize cloud management platform.

Chris Streeks, Systems Engineer with Kaspersky Lab, then explained how clients could secure their virtual environments with Kaspersky.  His talk centered on handling virtual endpoint security at scale and methods of virtualized protection.

Attendees also had the chance to win prizes.  Matthew Yeley from MSWARS Research walked away with an Avengers-themed prize pack.  David King with P&I Supply won our grand prize, a $100 VISA gift card.

For more information regarding the VMware, Kaspersky, or our upcoming events, please contact your Keller Schroeder Account Manager.


Security Requires Visibility

Schuyler Dorsey [Security Consultant]

As attacks and networks both grow more complex, it becomes increasingly difficult to secure the infrastructure and its data.  One of the key components of maintaining network security is having insight, or visibility, into what is actually happening in your network.  For total visibility, you need to be able to combine nouns, verbs and timestamps to build a timeline of who did what and when.  The need for visibility extends beyond security best practice and certainly aids troubleshooting; however, it is when monitoring for and responding to a security incident that this visibility data is most crucial.

It is a common misconception that network devices and endpoints will automatically log everything needed by default.  Unfortunately, the default logging levels of most network devices and operating systems leave much to be desired.  Here are some example default logging configurations that may leave gaping holes in your investigations:

  • Many network switches will not log local failed login attempts by default.
  • Windows will not log failed changes to group memberships or accounts by default.
  • Windows will not log file creation, file deletion, or process execution by default.
  • Many network firewalls log only very minimal traffic information by default.

So, if we take the example of a malware attack on an organization whose infrastructure is configured with default logging settings, it would be extremely difficult to track down how the malware originally entered the network (patient zero), what actions it took on the endpoint(s), what other internal and external IPs the infected endpoint(s) connected to and, ultimately, what malicious actions the malware performed.

Beyond providing this insight, building a proper timeline of the malware infection also helps remediation.  If the proper logging is in place, we can know what file was initially downloaded and executed, what IPs it connected to in order to download its payload, what files were created and deleted as the malware installed itself, and what registry keys were altered to give the malware persistence.
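As an added illustration of that point (example code, not from the article or from any product it mentions), the Python below normalises three constructed log sources into one who/what/when timeline.  The hostnames, the IP-to-host mapping and the three log formats are invented for the example.  Built from the firewall source alone, as a default logging posture might give you, the timeline still finds patient zero from the first connection to the indicator address, but it cannot show what was executed, written or persisted on that host; add process-creation and file/registry auditing and the whole story appears.

```python
"""Build a who/what/when timeline from several log sources (added example)."""
import re
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "time host user verb obj source")

# Assumed asset inventory: maps firewall-visible IPs back to hostnames.
HOSTS = {"10.0.5.21": "WS021", "10.0.5.44": "WS044"}

# Constructed sample lines, not real telemetry. Each source has its own format.
FIREWALL_LOG = r"""
2015-06-02T09:14:03Z fw01 allow src=10.0.5.21 dst=203.0.113.9 dport=443
2015-06-02T09:14:05Z fw01 allow src=10.0.5.21 dst=203.0.113.9 dport=443
2015-06-02T09:40:11Z fw01 allow src=10.0.5.44 dst=203.0.113.9 dport=443
2015-06-02T09:41:00Z fw01 allow src=10.0.5.44 dst=198.51.100.7 dport=80
"""
# Process creation (Windows event 4688 style); not collected by default.
PROCESS_LOG = r"""
2015-06-02T09:13:58Z WS021 4688 user=alice image=C:\Users\alice\Downloads\invoice.pdf.exe
2015-06-02T09:14:01Z WS021 4688 user=alice image=C:\Windows\System32\cmd.exe
2015-06-02T09:39:55Z WS044 4688 user=bob image=C:\Users\bob\AppData\Local\Temp\svch0st.exe
"""
# File and registry auditing; also not collected by default.
HOST_LOG = r"""
2015-06-02T09:14:08Z WS021 file_create user=alice path=C:\Users\alice\AppData\Roaming\svch0st.exe
2015-06-02T09:14:09Z WS021 reg_set user=alice key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text):
    pat = re.compile(r"(\S+) (\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)")
    for line in text.strip().splitlines():
        t, _dev, action, src, dst, port = pat.match(line).groups()
        yield Event(_ts(t), HOSTS.get(src, src), "-", "connect:" + action, f"{dst}:{port}", "firewall")


def parse_process(text):
    pat = re.compile(r"(\S+) (\S+) 4688 user=(\S+) image=(.+)")
    for line in text.strip().splitlines():
        t, host, user, image = pat.match(line).groups()
        yield Event(_ts(t), host, user, "exec", image, "process")


def parse_host(text):
    pat = re.compile(r"(\S+) (\S+) (file_create|reg_set) user=(\S+) (?:path|key)=(.+)")
    for line in text.strip().splitlines():
        t, host, verb, user, obj = pat.match(line).groups()
        yield Event(_ts(t), host, user, verb, obj, "host")


SOURCES = {
    "firewall": (FIREWALL_LOG, parse_firewall),
    "process": (PROCESS_LOG, parse_process),
    "host": (HOST_LOG, parse_host),
}


def build_timeline(enabled=("firewall", "process", "host")):
    """Normalise the enabled sources into one time-ordered list of events."""
    events = []
    for name in enabled:
        text, parser = SOURCES[name]
        events.extend(parser(text))
    return sorted(events, key=lambda e: e.time)


def patient_zero(events, ioc_ip):
    """First host seen connecting to the indicator address, or None."""
    for e in events:
        if e.verb.startswith("connect") and e.obj.startswith(ioc_ip + ":"):
            return e.host
    return None


def host_story(events, host):
    """What happened on one host, as (time, user, verb, object) rows."""
    return [(e.time.strftime("%H:%M:%S"), e.user, e.verb, e.obj) for e in events if e.host == host]


if __name__ == "__main__":
    ioc = "203.0.113.9"
    for label, enabled in (("default logging", ("firewall",)), ("enhanced logging", tuple(SOURCES))):
        tl = build_timeline(enabled)
        pz = patient_zero(tl, ioc)
        print(f"{label}: patient zero = {pz}")
        for row in host_story(tl, pz):
            print("   ", *row)
```

Each parser reduces its source to the same noun/verb/timestamp shape, which is exactly what a SIEM does on ingestion; the two runs differ only in which sources were switched on, which is the logging-posture decision the article is about.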

Once all this logging is enabled, the question is how it can be managed efficiently.  The answer is a Security Information & Event Management (SIEM) platform.  Not only do SIEM solutions provide a central repository and dashboard for all the logs in the enterprise, most come with signature/correlation rules that automatically try to detect malicious actions in those logs.  The most important thing to remember, though, is that a SIEM can review and analyze only the information it receives: if your infrastructure’s logging posture is not configured effectively, the SIEM will be ineffective.

A healthy logging posture is crucial in ensuring network visibility; visibility is the only way to effectively monitor and respond to malware and/or Advanced Persistent Threats.

Contact your Account Manager at Keller Schroeder for more information about these products and how they might benefit your organization.


The End of an Era

Corey Ainscough, Sr. Systems Consultant


Does your environment include any Windows Server 2003 servers?  Did you know Microsoft will end support for all versions of this product on July 14, 2015?  This truly marks the End of an Era and could mean a drastic risk to your business: after July 14, 2015, Microsoft will provide no further security updates or patches for this operating system.  As a result, we recommend you consider the following when establishing project priorities:

  • Overall Cost – Without Microsoft support, Windows Server 2003 will be more expensive to maintain, as third-party application vendors also end support for their products on it.  In addition, updated firewall rules, intrusion detection, and vulnerability management solutions will need to be deployed to help mitigate the risk of running an unsupported operating system.

  • Compliance and Security – Vulnerability scans and audit reviews will identify Windows Server 2003 as an unsupported operating system, increasing your overall security risk score.

Now is the time to consider alternatives for application migration and server operating system upgrades, including Windows Server 2012 R2.  This latest member of the Microsoft server operating system family provides a dramatic improvement over its decade-old counterpart, including Work Folders, Storage Tiering and Workplace Join, to name a few.  One of the most beneficial features Microsoft offers administrators with Server 2012 R2 is the ability to centrally manage all servers via the Server Manager dashboard.  Server Manager removes the limitation of managing a single server (2003) and allows multiple servers throughout the environment to be managed from a single host.  With Server 2012 R2 you can check performance statistics, identify troubled remote services, and take corrective action all from one centralized, customizable dashboard.  Multiple servers can be grouped by role, location, or other criteria.


As you can see, upgrading from Windows Server 2003 to Windows Server 2012 R2 will save you time and money.  Why not make it happen now, well before the End of an Era arrives?


Contact your Account Manager at Keller Schroeder for more information about these products and how they might benefit your organization.