file - All Articles - CISO Platform2024-03-29T00:07:57Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/fileSAP NetWeaver ABAP Security Configuration Part 5: Insecure Settingshttps://www.cisoplatform.com/profiles/blogs/sap-netweaver-abap-security-configuration-part-6-insecure2015-04-02T14:30:00.000Z2015-04-02T14:30:00.000ZAlexander Polyakovhttps://www.cisoplatform.com/members/AlexanderPolyakov743<div><p>Each application has several security settings that do not fit into any of the critical issue groups mentioned in our series of articles. Among such settings there are both standard ones (such as the password length or the number of attempts allowed for entering an invalid password) and settings specific to the individual system. In this article we use the SAP Gateway service access settings as an example.</p><p><em><strong>[EASAI-NA-15] Minimal password length</strong></em></p><p><em><strong>Description</strong></em></p><p>When choosing a new user password, consider that passwords should meet the SAP system requirements and correspond to the corporate policy. Various profile parameters are set up to control that passwords meet these requirements. Out of all those parameters, <strong>login/min_password_lng</strong> is the main one. It specifies the allowed minimal password length. This parameter’s default value is <strong>6</strong>, although it is acceptable to use values ranging from <strong>3</strong> to <strong>40</strong>.</p><p><em><strong>Threat</strong></em></p><p>If the minimum password length is set to <strong>less than 8</strong> characters, an adversary can easily recover a password from its hash in the <strong>USR02</strong> table. Alternatively, one can gain access remotely by brute-forcing the password if the <strong>login/fails_to_user_lock</strong> parameter is set incorrectly. 
The <strong>login/fails_to_user_lock</strong> parameter defines the number of invalid login attempts allowed before the user’s account is locked by the system.</p><p><em><strong>Solution</strong></em></p><p>Set the <strong>login/min_password_lng</strong> parameter to a value of <strong>more than 8</strong>, or to the value required by the company’s security policy. This way, you lessen the risk of a potential attack.</p><p><em><strong>[EASAI-NA-16] Number of invalid logon attempts before the user account lock out</strong></em></p><p><em><strong>Description</strong></em></p><p>The <strong>login/fails_to_user_lock</strong> parameter defines the maximum number of incorrect passwords that may be entered before the user account is locked. It is very important because it interacts directly with the <strong>login/min_password_lng</strong> parameter. The <strong>login/min_password_lng</strong> parameter, in turn, defines the minimum password length and thus hinders remote password brute-forcing. This parameter’s default value is <strong>5</strong>, although it is acceptable to set values ranging from <strong>1 to 99</strong>.</p><p><em><strong>Threat</strong></em></p><p>If the <strong>login/fails_to_user_lock</strong> parameter is set incorrectly or too permissively, an adversary may succeed in carrying out a brute force attack and gain unauthorized access to user credentials.</p><p><em><strong>Solution</strong></em></p><p>Set the <strong>login/fails_to_user_lock</strong> parameter to a value of not <strong>more than 6</strong>. This way, you lessen the risk of a potential brute force attack.</p><p><em><strong>[EASAI-NA-17] Password compliance with the security policies in place</strong></em></p><p><em><strong>Description</strong></em></p><p>The <strong>login/password_compliance_to_current_policy</strong> parameter is highly important. 
If this parameter is absent or set to <strong>0</strong>, the password length and complexity settings affect only newly created users; they are not applied automatically to existing users, who consequently keep their insecure passwords.<br /> If this parameter is set to <strong>1</strong>, the settings also affect existing users with insecure passwords and force them to choose secure ones when they next log into the system.</p><p><em><strong>Threat</strong></em></p><p>If the <strong>login/password_compliance_to_current_policy</strong> parameter is set to <strong>0</strong>, password policy compliance is not enforced for existing users. This allows them to keep insecure passwords, so these user accounts are easy to compromise.</p><p><em><strong>Solution</strong></em></p><p>Set the <strong>login/password_compliance_to_current_policy</strong> parameter to <strong>1</strong> to apply the password policy requirements to all users, including newly created ones.</p><p><em><strong>[EASAI-NA-18] Access control settings for RFC-service (reginfo.dat)</strong></em></p><p><em><strong>Description</strong></em></p><p>The <strong>SAP Gateway</strong> is the technical component of the application server with RFC-based functionality that manages communication between various SAP systems. Since the gateway is the application server’s interface for external connections (with other SAP systems, external programs, etc.), higher security requirements apply to it. SAP Gateway security is managed by the <strong>reginfo</strong> and <strong>secinfo</strong> files. The <strong>reginfo</strong> file is defined by the <strong>gw/reg_info</strong> parameter and the <strong>secinfo</strong> file by the <strong>gw/sec_info</strong> parameter.<br /> Some clients may be allowed to register their services on the server. 
Specify the registered services in the reginfo file to control access to them, to cancel their registration, and to determine which external server services are allowed to register on the gateway. The file name (file path) is defined by the <strong>gw/reg_info</strong> parameter. The default file path is <strong>/usr/sap/<SID>/<INSTANCE>/data/reginfo</strong>.<br /> If this file does not exist, any server process may be registered from any host. Note that starting with kernel version 7.20, for security purposes, this behaviour is restricted by the <strong>gw/acl_mode</strong> instance profile parameter; see SAP Security Note 1480644. If the file exists but is empty or has no valid records, no registration is allowed.<br /> When somebody tries to register a service on the gateway, the file is searched for a valid record granting this user the right to register this particular service. If no such record is found, the registration is denied. It is crucial to understand that the <strong>reginfo</strong> file is consulted only ONCE, at the moment a program is registered. Later changes and restrictions in the <strong>reginfo</strong> file do not affect programs that have already been registered successfully.</p><p><em><strong>Threat</strong></em></p><p>If the reginfo.dat file is absent or misconfigured, an adversary may register any service on the SAP Gateway and gain unauthorized access to the SAP server. For example, a wildcard “*” in a host definition means that registration of the service is allowed from any host. One may register a new service that performs malicious functions, under the same name as a service that already exists. 
A legitimate user would then be able to run it.</p><p><em><strong>Solution</strong></em></p><p>Unauthorized service registration can be prevented by creating a <strong>reginfo.dat</strong> file in the SAP Gateway data directory. If the file exists, the system checks the rights to call remote RFC functions against this file and so prevents unauthorized access.<br /> File records should have the following syntax (note that each line must have a TP entry; all other parameters are optional):<br /> <strong>TP=name [NO=<n>] [HOST=<host>] [ACCESS=<host>] [CANCEL=<host>]</strong>, where:<br /> <strong>TP=name</strong> is the registration ID of the external server program.<br /> <strong>NO=n</strong> is the number of registrations allowed with that ID.<br /> <strong>HOST=<host></strong> is the host name(s) from which registered servers are allowed to enter the system. You may specify a list of host names, IP addresses, domain names or subnet masks. Registration is allowed only if the server connects from one of these nodes. Without this optional parameter, registration is allowed from any host.<br /> <strong>ACCESS=<host></strong> is the host name(s) that may use the registered service. You may specify a list of host names, IP addresses, domain names or subnet masks. The local system is always allowed to use the server. Without this optional parameter, the server is accessible from any node.<br /> <strong>CANCEL=<host></strong> is the host name(s) that may log off (cancel) the registered server. The same rules apply as for the <strong>ACCESS</strong> parameter.<br /> Starting with kernel versions 6.40 patch 212, 7.00 patch 139 and 7.10 patch 80, permit and deny values were added to the syntax. They are indicated by the upper-case letters <strong>P</strong> and <strong>D</strong> respectively (see SAP Security Note 1105897). 
<strong>P</strong> means that the program is allowed to register (as in the old syntax); <strong>D</strong> prevents registration. The first line of such a file is <strong>#VERSION=2</strong>, and all following lines are structured as follows: <strong>P|D TP=name [NO=<n>] [HOST=<host>] [ACCESS=<host>] [CANCEL=<host>]</strong><br /> <strong>Warning!</strong> The system recognizes key words only if they are written in upper-case letters. An incorrect specification results in the <strong>HOST=*</strong> wildcard value, which is probably undesired (SAP Security Note 1473017 explains how to fix it).<br /> In all host lists (<strong>HOST, ACCESS</strong> and <strong>CANCEL</strong>), the entries must be separated by commas. Any space indicates the end of the host list.<br /> You can find a detailed syntax review in SAP Security Note 1069911.<br /> For the correct <strong>reginfo.dat</strong> configuration, use the recommendations from SAP Security Notes 1425765 and 1408081.</p><p><em><strong>[EASAI-NA-19] Access control settings for RFC-service (secinfo.dat)</strong></em></p><p><em><strong>Description</strong></em></p><p>In the <strong>secinfo</strong> file, you specify which external services may be started and, in kernel versions 46D and lower only, who may register external server services on the gateway and which external services may be registered. Starting with version 6.40, service registration from external servers is controlled by the separate <strong>RegInfo</strong> file. In other words, the secinfo security file is used to prevent the unsanctioned start of external programs. The file name is defined by the <strong>gw/sec_info</strong> parameter. The default file path is <strong>/usr/sap/<SID>/<INSTANCE>/data/secinfo</strong>.<br /> If the file does not exist, the system starts any external program. 
If the file is empty or has no valid lines, no external service may be started.<br /> When an external service is started, the system scans the file for a valid record. If none is found, the system shows an error message and cancels the start of the service.</p><p><em><strong>Threat</strong></em></p><p>If the secinfo.dat file is absent or misconfigured (e.g., it has a “*” wildcard in host, program or subnet definitions), an adversary may run a service registered on the SAP Gateway and gain unauthorized access to its functionality. In some cases, if the program can execute OS commands, one may gain access to the SAP server.</p><p><em><strong>Solution</strong></em></p><p>You should create a <strong>secinfo.dat</strong> file in the SAP Gateway data directory to prevent unauthorized program launching. If the file exists, the system checks the rights to call remote RFC functions against this file and so prevents unauthorized access.<br /> File records should have the following syntax (the <strong>USER, HOST</strong> and <strong>TP</strong> entries are obligatory; the other parameters in each line are optional):<br /> <strong>TP=name HOST=<host> USER=<user> [USER-HOST=<user-host>]</strong>, where:<br /> <strong>TP=<program name></strong> is the name of the program you want to run (you can also specify a wildcard for the program ID, e.g., <strong>TP=XYZ*</strong>).<br /> <strong>HOST=<host></strong> is the name of the host on which the program is to run, i.e. the destination address. Note the difference: in the <strong>reg_info</strong> file syntax this parameter specifies the client address. It is available starting with kernel versions 6.40 patch 194 and 7.00 patch 119.<br /> <strong>USER=<user></strong> is the name of the user who wants to start the program. If the program is started from the application server, this is the SAP system user name. 
If the program is external, this is the OS user name.<br /> <strong>USER-HOST=<host></strong> (the source address) is the host name of the user who wants to start the program. For security purposes, it is strongly recommended to set this option (SAP Security Note 1434117).<br /> In versions 6.40 and lower, the <strong>PWD=<Password></strong> parameter was supported (it is ignored in newer systems).<br /> In kernel versions 6.40 patch 212, 7.00 patch 139, 7.10 patch 80 and higher, additional <strong>permit</strong> and <strong>deny</strong> values appeared, indicated by the upper-case letters <strong>P</strong> and <strong>D</strong> respectively (see SAP Security Note 1105897). <strong>P</strong> permits running the program (the same as the old syntax line); <strong>D</strong> denies it. The first line of such a file is <strong>#VERSION=2</strong>, and all subsequent lines have the form:<br /> <strong>P|D TP=<tp> HOST=<host> USER=<user> [USER-HOST=<userhost>]</strong><br /> <strong>Warning</strong>: the system recognizes key words in upper case only. An incorrect specification results in the <strong>HOST=*</strong> wildcard value, which is undesired (SAP Security Note 1473017 gives guidelines on how to fix it).<br /> For a detailed explanation of this syntax, see SAP Security Note 614971.<br /> For the correct <strong>secinfo.dat</strong> configuration, refer to SAP Security Notes 1408081, 1525125 and <a href="https://service.sap.com/sap/support/notes/1425765">1425765</a>.</p><p><em><strong>Further steps</strong></em></p><p>The number of security settings to be fine-tuned is enormous, and there are settings specific to each particular SAP solution or module. As a starting point, refer to the SAP NetWeaver Security Guide and its User Authentication section. 
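Before moving on, the settings discussed in this article can be audited offline. The Python script below is an added example written for this page; it is not code from the original article or from SAP. It checks the three login/* profile parameters against the thresholds given above (treating an absent parameter as the default the article states), and it parses reginfo and secinfo files in the #VERSION=2 syntax, reporting lower-case key words (which the gateway would not recognize), “*” wildcards in permit lines, missing mandatory entries, and reginfo lines without a HOST restriction. The assumption that the instance profile is a plain-text “name = value” file, the sample profile excerpt and the sample ACL files are all constructed for the example and are not taken from any real system.

```python
"""Offline audit of the SAP settings covered in this article: the three login/*
profile parameters and the reginfo/secinfo gateway ACL files.

Added example, not code from the article or from SAP. Assumes the instance
profile is a plain-text 'name = value' file and the ACL files use the
#VERSION=2 'P|D KEY=value ...' syntax. All sample inputs are constructed."""

SAP_DEFAULTS = {  # article (EASAI-NA-15..17): value in force when the parameter is absent
    "login/min_password_lng": 6,
    "login/fails_to_user_lock": 5,
    "login/password_compliance_to_current_policy": 0,
}
MIN_PASSWORD_LNG_REQUIRED = 8  # article: less than 8 is a finding
FAILS_TO_USER_LOCK_MAX = 6     # article: not more than 6

ACL_KEYS = ("TP", "NO", "HOST", "ACCESS", "CANCEL", "USER", "USER-HOST")
HOST_KEYS = ("HOST", "ACCESS", "CANCEL", "USER-HOST")
MANDATORY = {"reginfo": ("TP",), "secinfo": ("TP", "HOST", "USER")}

def parse_profile(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def int_param(params, name):
    raw = params.get(name)  # absent parameter -> the default the article gives
    return SAP_DEFAULTS[name] if raw is None else int(raw)

def check_login_params(params):
    """Findings for EASAI-NA-15..17 as a list of strings (empty = compliant)."""
    findings = []
    if int_param(params, "login/min_password_lng") < MIN_PASSWORD_LNG_REQUIRED:
        findings.append("EASAI-NA-15: login/min_password_lng is below 8")
    if int_param(params, "login/fails_to_user_lock") > FAILS_TO_USER_LOCK_MAX:
        findings.append("EASAI-NA-16: login/fails_to_user_lock is above 6")
    if int_param(params, "login/password_compliance_to_current_policy") != 1:
        findings.append("EASAI-NA-17: login/password_compliance_to_current_policy is not 1")
    return findings

def parse_acl_line(line):
    """Split one ACL line into (action, fields, problems). Key words are matched
    case-sensitively on purpose: the gateway honours upper-case key words only,
    so a lower-case 'host=' is reported instead of being accepted as HOST=."""
    tokens = line.split()
    action = tokens.pop(0) if tokens and tokens[0] in ("P", "D") else None
    fields, problems = {}, []
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep:
            problems.append(f"token without '=': {tok!r}")
        elif key not in ACL_KEYS:
            hint = " (upper-case required)" if key.upper() in ACL_KEYS else ""
            problems.append(f"unknown key word {key!r}{hint}")
        else:
            fields[key] = value
    return action, fields, problems

def audit_acl(text, kind):
    """Findings for a reginfo (kind='reginfo') or secinfo (kind='secinfo') file."""
    findings = []
    raw = text.splitlines()
    if not raw or raw[0].strip() != "#VERSION=2":
        findings.append("first line is not #VERSION=2 (old syntax without P/D)")
    rules = [l for l in raw if l.strip() and not l.strip().startswith("#")]
    for n, line in enumerate(rules, 1):
        action, fields, problems = parse_acl_line(line)
        findings += [f"line {n}: {p}" for p in problems]
        findings += [f"line {n}: missing mandatory {k}" for k in MANDATORY[kind] if k not in fields]
        if action == "D":
            continue  # a wildcard in a deny rule is the intended catch-all, not a finding
        for key in HOST_KEYS:
            if fields.get(key) == "*":
                findings.append(f"line {n}: {key}=* permits any host")
        if fields.get("TP") == "*":
            findings.append(f"line {n}: TP=* permits any program")
        if kind == "reginfo" and "HOST" not in fields:  # article: no HOST means any host
            findings.append(f"line {n}: no HOST restriction, registration allowed from any host")
    return findings

# Constructed sample inputs, labelled as such; not taken from any real system.
SAMPLE_PROFILE = "# constructed profile excerpt\nlogin/min_password_lng = 6\nlogin/fails_to_user_lock = 10\n"
SAMPLE_REGINFO = """#VERSION=2
P TP=backup_agent HOST=app01.example.test ACCESS=app01.example.test CANCEL=internal
P TP=* host=*
D TP=*
"""
SAMPLE_SECINFO = """#VERSION=2
P TP=lpd HOST=app01.example.test USER=sapadm USER-HOST=app01.example.test
P TP=* HOST=* USER=*
"""

if __name__ == "__main__":
    for finding in check_login_params(parse_profile(SAMPLE_PROFILE)):
        print("profile:", finding)
    for kind, sample in (("reginfo", SAMPLE_REGINFO), ("secinfo", SAMPLE_SECINFO)):
        for finding in audit_acl(sample, kind):
            print(f"{kind}: {finding}")
```

On the constructed samples the script reports the three login/* findings, and for the reginfo file it flags the second line three times: the lower-case host= key word, the TP=* wildcard, and the resulting absence of any HOST restriction. Deny lines are deliberately exempt from the wildcard check, since a trailing D TP=* is the intended catch-all.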
Afterwards, move on to the more detailed guides in which the security configuration of each module and service is described.</p></div>I Love Ransomwarehttps://www.cisoplatform.com/profiles/blogs/i-love-ransomware2017-03-08T07:30:00.000Z2017-03-08T07:30:00.000ZMeghana Phttps://www.cisoplatform.com/members/MeghanaP<div><p><a href="http://www.cisoplatform.com/profiles/blogs/i-love-ransomware" target="_blank"><img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAkyAAAAJDJiMzY0NDAwLTY5NzgtNGVhMC1hMTgxLWJjNDY1NWMzZGYwMA.jpg" class="align-full" alt="AAEAAQAAAAAAAAkyAAAAJDJiMzY0NDAwLTY5NzgtNGVhMC1hMTgxLWJjNDY1NWMzZGYwMA.jpg" /></a></p><p><span class="font-size-3">Before you go all torches and pitchforks on me, hear me out.</span></p><p><span class="font-size-3">I hated writing this article. Truly. My industry is, at its core, a service industry. Overwhelmingly I meet people who go into IT service, support and cybersecurity who have a real desire to help others.</span></p><p><span class="font-size-3">All too often, we get calls from clients, customers, friends and family panicking because they cannot open a critical document or are in tears that their most treasured memories have been taken away from them and they now have to pay some criminal somewhere to get them back.</span></p><p><span class="font-size-3">Nothing angers, and terrifies, a person more than being separated from something that is integral to who they are. If I had it my way my job wouldn’t even exist because the world would finally be rid of the people that would do this to another human being for profit. It’s tantamount to cyber-terrorism on a very personal level. If I never saw another virus infection of any kind, I would be beyond thrilled.</span></p><h2><span class="font-size-5">An Industry on Fire</span></h2><p><span class="font-size-3">So, why would I title this article as such? It’s simple, really. 
Ransomware makes my job easier by enumerating the many flaws in computer security. It is done so effectively that those I am fortunate enough to help with these issues quickly understand why the conventional wisdom regarding data protection is flawed.</span></p><p><span class="font-size-3">We are witnessing a Viking funeral of sorts in the IT industry and sadly, the boat is taking way too long to burn down. Who or what is on the boat, you ask? Every software-based anti-virus scanner people install on their computers. Time and again these virus scanners (basically insert your favorite anti-virus software company here) are so ineffective that article after article has been written about <a href="http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/" target="_blank">how horrible these scanners really are</a>.</span></p><div class="slate-resizable-image-embed slate-image-embed__resize-full-width"><img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAmIAAAAJGZmMjQ1Mjk4LWQ4NjUtNDY1ZS04NWM4LTJlMTk1ZjEzZGYzNA.png" alt="AAEAAQAAAAAAAAmIAAAAJGZmMjQ1Mjk4LWQ4NjUtNDY1ZS04NWM4LTJlMTk1ZjEzZGYzNA.png" /></div><p><span class="font-size-3">However, this article is not about anti-virus scanners, though they contribute to the problem by giving people a false sense of security. 
This article is about Crypto Ransomware, how it can easily evade a virus scanner, and the most effective methods to prevent its infection or spread.</span></p><p><span class="font-size-3">As a primer to this article, I highly suggest you read Victoria Shaw’s <a href="http://www.smartfile.com/blog/ransomware-virus-prevention/" target="_blank">excellent article on ransomware</a> to understand what it is, as well as some of the basic techniques any user can use to help protect themselves from it.</span></p><p><span class="font-size-3">My article is more geared toward business, enterprise and education, and covers Crypto Ransomware (just “ransomware” from now on) delivery systems. So strap yourselves in, people. We’re going full out nerd technical on this one.</span></p><h2><span class="font-size-5">Ransomware Delivery</span></h2><p><span class="font-size-3">Ransomware can be delivered in a few different ways, though the most common infections come from hijacked websites and email. These files often bypass virus scanners because the actual code of the infection is itself encrypted, so the scanners cannot open it up to look at the code.</span></p><p><span class="font-size-3">There is a plethora of FUD (Fully UnDetectable) tools and delivery systems available for sale on the Dark Web that a malware developer can purchase to wrap their code in. A recent example is a FUD known as Cryptex Reborn, which was being very widely used to protect malware from scanners. Available for $90, it is one of the easiest ways to pass files through a security system.</span></p><p><span class="font-size-3">Last year, <a href="http://www.helpnetsecurity.com/2015/11/24/two-arrested-for-helping-malware-developers-evade-av-software/" target="_blank">two malware developers were arrested</a> for selling the software and running a website that was a resource for malware developers. It is not technically illegal to own FUD tools. 
I actually own a few so I can keep up with the latest threats out there. I also use them as delivery systems to ethically hack my clients to test their defenses. What is illegal is using FUD tools to hold people’s data hostage for money.</span></p><h2><span class="font-size-5">After Ransomware KO’s the Virus Scanner…</span></h2><p><span class="font-size-3">Now that the ransomware is wrapped in encryption and can bypass software-based virus scanners, it’s time to go to work. The ransomware, typically downloaded via a user clicking a bad link or opening up an infected email, will decrypt and unpack the files onto the computer for installation. This is the trickiest part of the infection for malware developers to handle.</span></p><p><span class="font-size-3">At this point, there is malicious code on the computer; however, it has not yet performed a function call to begin its installation. An up-to-date virus scanner may scan these currently dormant files, detect malicious code and kill the files. It is for this reason that the developers of ransomware are constantly changing the code in their files, sometimes multiple times a day.</span></p><p><span class="font-size-5"><span class="font-size-3">For example, the <a href="http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-continues-to-evade-detection-over-90000-websites-compromised/" target="_blank">Angler exploit kit</a> evaded detection for quite some time until it had infected about 90,000 websites worldwide. This is the inherent flaw in anti-virus scanners. Their parent company needs to identify the threat, then analyze the threat to understand what exactly it does, then write an inoculation for the code. After that, they make this inoculation available for its virus scanners, then your computer has to download it and update. 
This can take a good deal of time and most people don’t update their scanners immediately.</span></span></p><p><span class="font-size-3">Often it can take days, by which time the ransomware code has changed a hundred times and the anti-virus scanner company has fallen behind since it’s still going through a variant from 50 code changes ago. It is for this reason alone that I never ever recommend a virus scanner as a primary line of defense for anything, and it is the only reason why I love ransomware. The flaw is so obvious it hurts, but I digress.</span></p><h2><span class="font-size-5"><strong>…It Takes Over Your Network</strong></span></h2><div class="slate-resizable-image-embed slate-image-embed__resize-full-width"><img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAimAAAAJGFlZjliNzU4LWQ2NGMtNDZkYS1iYmU2LTNjNzUyNmUwZTNmZQ.png" alt="AAEAAQAAAAAAAAimAAAAJGFlZjliNzU4LWQ2NGMtNDZkYS1iYmU2LTNjNzUyNmUwZTNmZQ.png" /></div><p><span class="font-size-3">So, we have our unencrypted, recently changed ransomware code files that cannot be detected by the out-of-date anti-virus scanner. The ransomware now installs itself and immediately phones home via the internet to retrieve an RSA encryption key as well as the images for the ransom note. This connection is usually to an IP address or addresses that have been hijacked by the developers.</span></p><p><span class="font-size-3">In some cases, such as the Locky ransomware strain, it will also use a <a href="http://en.wikipedia.org/wiki/Domain_generation_algorithm" target="_blank">Domain Generation Algorithm</a> (DGA) to ensure that even if the IPs originally listed in the code are compromised by law enforcement, it will phone home to a new location. 
The DGA generates domain names that match those the developer’s DGA produces on his or her end, thus ensuring the ransomware can phone home until both ends are compromised.</span></p><p><span class="font-size-3">The infection now has an RSA encryption key and unfettered access to the computer, so it goes to work. Depending on which ransomware has been installed, the infection will attack, encrypt or spread in different ways. For example, CryptoLocker has a built-in whitelist, so it’s looking for specific files such as Office documents, PDFs, pictures, videos and other personal file types, as well as any mapped drives it can find.</span></p><p><span class="font-size-3">CryptoWall will infect everything CryptoLocker does, plus it will also change file names and sideload other malware to try and steal the user’s passwords and Bitcoin wallets. And on and on. Until recently, most strains of ransomware stayed away from backup sets and images.</span></p><p><span class="font-size-3">Ransomware developers realized this mistake on their part and have now changed the code so even backups are at risk of being encrypted and locked out. Even newer versions are now looking for UNC paths. This means any computer or server on a network that is broadcasting any kind of shared folder, even if the infected computer is not connected to it directly, can potentially be encrypted and infected.</span></p><p><span class="font-size-3">These last two have essentially replaced the digital white whale in most IT support personnel’s nightmares. 
Basically, <a href="http://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/" target="_blank">the infection can spread to computers and servers</a> that many non-cybersecurity-centric IT technicians have traditionally considered “safe.”</span></p><h2><span class="font-size-5"><strong>The Ransomware Nuisance: The File Lockout</strong></span></h2><p><span class="font-size-3">At this point, the computer is infected and the user has no access to their personal documents or server shares. The ransomware will then <a href="http://www.bleepstatic.com/fhost/uploads/2/cryptolocker-2.0.jpg" target="_blank">display an image</a> saying that they’ve been infected and that to get the data back they will need to pay a ransom.</span></p><p><span class="font-size-3">Most ransomware payments are made in Bitcoin or another cryptocurrency because this currency is essentially untraceable once transferred to the developer and can be converted to their local currency if need be. There is always a timer on these kinds of infections because the developers have to use rotating encryption keys and codes in an effort to avoid being caught by the international law enforcement who hunt these people 24/7.</span></p><p><span class="font-size-3">If the user has no backups and wants their stuff back, payment must be made. However, there may be some good news on this front for some. If they’re infected with an older ransomware variant, the decryption protocols may be online for them to use! A recent example is that the developer of TeslaCrypt, a newer ransomware targeting gamers, “retired” and <a href="http://www.zdnet.com/article/teslacrypt-no-more-ransomware-master-decryption-key-released/" target="_blank">released his public decryption keys online</a> so infected people could unlock their computers for free. 
Sometimes checking online will reveal a white hat hacker who has found a way to crack the encryption algorithms and has released a tool to help.</span></p><h2><strong>I Love Cybersecurity Even More!</strong></h2><p><span class="font-size-3">So, how do we defend against an infection that can bypass virus scanners, encrypt backups and change its code daily to evade security? The easy answer is: don’t download it! The long answer is…a bit longer. The best approach is a layered security approach and it all starts with the first and best line of defense: firewalls.</span></p><p><span class="font-size-3">Firewalls are the most critical piece in the cybersecurity arsenal and also in threat mitigation. Not all firewalls are built the same. The better firewalls have integrated Unified Threat Management (UTM) with an anti-viral inoculation cycle known as Zero Day.</span></p><h2><span class="font-size-5"><strong>Zero Day Firewalls: Playing in the Sandbox Can Save Your Files</strong></span></h2><p><span class="font-size-3">In a Zero Day firewall, an unknown threat to one of the firewalls will trigger it to stop the suspect traffic and forward it to the firewall maker’s virus sandboxing cloud service. This sandboxing will let the suspect traffic do its thing, usually letting the infection download, install and run itself.</span></p><p><span class="font-size-3">This way the firewall company can analyze its characteristics and develop an inoculation, plus create variants of the code based on behavior so new code changes may also be covered, and then push this out to every firewall that is subscribed to this service worldwide.</span></p><p><span class="font-size-3">To be considered a Zero Day firewall, this entire turnaround time should take no more than 24 hours from detection to anti-viral inoculation. Not all Zero Day firewalls are built the same or as effective at filtering out bad traffic. 
There are definitely leaders in this field who have more aggressive detections and, without naming names (you can check the citation link <a href="http://www.paloaltonetworks.com/products/secure-the-network/subscriptions/wildfire" target="_blank">here</a> if you’re interested), one firewall company even has a turnaround time for Zero Day of as little as 5 minutes.</span></p><p><span class="font-size-3">These firewalls stop and kill the infections at the edge of the network, so between the effectiveness of the turnaround time and stopping the infections at the front door, this makes the firewall incredibly critical and vastly superior to a local computer-based virus scanner, which can’t update as fast and will only detect the infection once it’s in the system.</span></p><p><span class="font-size-3">The best firewalls will have everything listed above and also have options like Application Whitelisting, which only allows the approved traffic of specific applications. Traffic is still scanned for threats, just in case a good application is compromised, and allowed through to the users.</span></p><h2><span class="font-size-5"><strong>Next Step: The DNS-Based Web Filter</strong></span></h2><p><span class="font-size-3">Following the firewall is a good DNS-based web filter. Basically, many infections can be avoided if the user simply cannot go to the website that has the infection in it. There are many DNS web filters available, and Zero Day firewalls will do this kind of filtering as well. If web-based is needed, the biggest player in this space is <a href="http://www.opendns.com/" target="_blank">OpenDNS</a>, now owned by Cisco. Anyone can use their product for free, though businesses will want the analytics their licensed software will bring.</span></p><p><span class="font-size-3">A cloud-based spam filter for email is also a must since email is still a major delivery system for ransomware. 
Cloud-based spam filters are able to turn around Zero Day inoculations better than on-premises spam filters, unless the spam filtering is part of a good Zero Day firewall. They also have the added benefit of improving internet bandwidth performance, in that the only email a company will see come into its on-premises email server is legitimate email. Let the cloud take all the bad traffic that is spam and give the internet connection a rest!</span></p><h2><span class="font-size-5"><strong>Don’t Forget to Educate Your Users</strong></span></h2><p><span class="font-size-3">With all of these safeguards in place, we can vastly mitigate an infection that will cost time, money, reputation and even heartbreak. The final major aspect needed for security is the human element. Educating users on good web surfing habits, replicating backups to off-site locations not directly accessible from the network, and creating network policies that are unobtrusive but keep employees in line with the company’s needs go a very long way toward making choices that will help keep everyone safe.</span></p><p><span class="font-size-3">One of the best things I can hear from a client, and I may have written this before, is “We haven’t had any problems in a long time. Why on earth do we even need all this equipment and all of these policies?” It always puts a smile on my face when I lead that horse to the virtual water on this one.</span></p><p><span class="font-size-3">So, yes…I love ransomware and now you know why. 
It really is helping us make the world a safer place in its own disastrous way.</span></p><p><span class="font-size-5"><strong>Check out this Ransomware Infographic:</strong></span></p><div class="slate-resizable-image-embed slate-image-embed__resize-full-width"><a href="http://www.cisoplatform.com/profiles/blogs/i-love-ransomware" target="_blank"><img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAfGAAAAJDM1ZTBjZGVkLTc4NmYtNDA5Ni04MmFkLTBhZWNkYzg2MWE5Nw.png" class="align-full" alt="AAEAAQAAAAAAAAfGAAAAJDM1ZTBjZGVkLTc4NmYtNDA5Ni04MmFkLTBhZWNkYzg2MWE5Nw.png" /></a></div><p><span class="font-size-3"><strong>Post Author</strong>: Nick Espinosa, CIO & Chief Security Fanatic, BSSi2 LLC</span></p><p><span class="font-size-3">This post was initially posted <a href="https://www.linkedin.com/pulse/i-love-ransomware-nick-espinosa?trkInfo=VSRPsearchId%3A3898440781485937785617%2CVSRPtargetId%3A6188861777724350464%2CVSRPcmpt%3Aprimary&trk=vsrp_influencer_content_res_name" target="_blank">here</a> & has been reproduced with permission.</span></p></div>