After the successful launch of its business-oriented siblings, ESET has extended its latest technology to home users and stands ready to protect their Windows on Arm devices with our award-winning, full-featured products. Our development teams put a lot of effort into re-engineering ESET's already mature security technology for Arm-powered devices, which are increasingly used in both business and home settings.
Thanks to its multilayered approach to protection, ESET Smart Security® Premium, ESET Internet Security and ESET NOD32 Antivirus products for Windows on ARM offer a slew of prevention and detection technologies. A key contribution to extending these functionalities was the invaluable feedback of the ARM64 beta products’ home testers. Their insights mean you will enjoy our well-regarded user experience and the same award-winning protection ESET customers are used to.
Just like the award-winning Windows version, the ARM64 version also includes ESET LiveGuard, which provides an additional proactive layer of protection against never-before-seen threats, stopping malware before it has a chance to execute. Another addition is Password Manager, which has been completely redesigned for improved security and an even more user-friendly experience.
Underlying these key improvements is the ESET Home platform, which is designed for on-the-go security management. The platform enables users to add, manage and share licenses with family and friends, and to manage Anti-Theft, Parental Control and Password Manager via a web portal. ESET Home directly supports ARM64 users, who typically rely on mobile-centric, "always on" devices.
With so many of us using work and personal devices interchangeably under the current work-from-home and hybrid regimes, ESET's technologies now better reflect the extra protection that highly mobile users demand. Whether you are moving between multiple public and private networks or managing devices visiting your home network, our new products recognize that "always on" also risks being "always" vulnerable. Considerable research shows that threats targeting employees working remotely from home have increased sharply, and ESET's own customer research shows that households often have a single person who takes care of IT security for everyone. A solution that puts easy-to-use security management at that home admin's fingertips is therefore crucial.
Hence, a mature consumer security solution should undoubtedly be a critical part of any move to ARM. To find out more about the new features and improvements in the latest version of our consumer offering, head to www.eset.com.
About Version 2 Limited Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
Secrets such as passwords and SSH keys are scattered throughout the software development process, yet only a few people should be able to access them. Controlled access remains a major challenge for development teams, because this information is hard to manage and because teams adopt practices that are not recommended.
The practices that can compromise the security of a system include weak passwords, a topic already addressed here on senhasegura's blog.
In this article, we go into more detail about the management of secrets in development processes. To make it easier to follow, we have divided the text into the following topics:
What Are Secrets?
Challenges to Manage Secrets in Development Projects
Password Management: Non-Recommended Standards
Five Key Practices for Secret Management
Conclusion
Follow our text to the end!
What Are Secrets?
All authentication credentials used by applications and services in an IT environment are considered secrets. This includes passwords, SSH keys, API keys, OAuth tokens, and the credentials embedded in configuration files.
Secrets management can be viewed as enhanced password management, which includes creating, rotating, revoking, and storing credentials.
The scope is broader, but the purpose remains the same: to protect against unauthorized access to data and systems, data loss, and breaches.
Secrets management contributes to cybersecurity in three areas:
Infrastructure Security – It prevents users, devices, applications, and other network elements from being compromised;
Cloud Service Security – It allows you to limit and manage access to cloud-based services;
Data Security – It makes it possible to protect critical systems and other resources against data loss and breaches.
Another advantage of secrets management is that it helps bring organizations into compliance with demanding cybersecurity standards and regulations such as FIPS, NIST, and HIPAA.
Challenges to Manage Secrets in Development Projects
Secrets management involves some difficulties. Below, we point out the most common ones:
Lack of Visibility
With the migration of IT infrastructure to the cloud, the number of resources, systems, applications, and accounts changes frequently. As a consequence, the places where secrets are stored also change.
Therefore, for an organization to remain secure, it is essential to know exactly where this information is stored. A lack of visibility also creates obstacles when managing these resources or going through an audit.
Lack of Management Policies
To meet the criteria of security regulations and to control the phases of a secret's life cycle, companies must define rules in their security policies, which does not always happen.
Manual Management
Most organizations do not yet use automated secrets management capabilities for their digital credentials. Manual handling slows the management process down and makes the stored secrets more vulnerable.
Password Management: Non-Recommended Standards
Many organizations still follow practices that are not recommended in their password management routine. Here are a few:
Weak Passwords
Because complex passwords are hard to memorize, many people adopt simple, easy-to-remember ones. This is one of the main vulnerabilities in password management: passwords that are easy to remember are just as easy to crack.
Malicious agents can also discover passwords that are hard-coded or merely encoded (rather than encrypted) with the help of scanning tools, by brute force, or simply by guessing.
Password Sharing
Many companies use shared accounts and passwords to manage their systems, making it impossible to identify who performed each action within an online environment in the event of an incident.
In addition, their employees can share passwords with co-workers or others, facilitating the action of attackers interested in sensitive organization data.
Storing Secrets in Plain Text
It is common for employees in a department to keep text files containing all the passwords needed in critical situations, or to forward messages to colleagues with the secrets needed to access a resource.
These practices put the organization at risk: an attacker only needs to obtain that file, message, or email to have everything needed to break into a system.
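Hard-coded and merely encoded passwords, and plain-text credential files, are exactly what a scanner finds first. The block below is an added example for this article, not senhasegura's code or product: it runs a few common heuristics (credential-like assignments, the documented AKIA prefix of AWS access key IDs, base64 blobs that decode to a credential, and Shannon entropy for random-looking tokens) over a constructed sample. SAMPLE_TEXT contains no real credentials; the AWS key ID is AWS's own documentation example.

```python
"""Find hard-coded, merely encoded and random-looking credentials in source text.

Added example, not senhasegura's code. The regexes are common heuristics, and
SAMPLE_TEXT below is constructed for illustration (no real secrets).
"""
import base64
import binascii
import math
import re
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]   # (line number, kind, matched text)

# password = "...", api_key: '...', SECRET_TOKEN="..." and similar assignments
ASSIGNMENT_RE = re.compile(
    r"""(?i)(pass(?:word|wd)?|secret|api[_-]?key|token)\w*\s*[:=]\s*["']([^"']{4,})["']"""
)
# AWS access key IDs: the public "AKIA" prefix followed by 16 upper-case alphanumerics
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Runs of the base64 alphabet long enough to hide an encoded credential
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")


def shannon_entropy(text: str) -> float:
    """Bits per character: random tokens score high, words and paths score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))


def decode_base64(blob: str) -> Optional[str]:
    """Strictly decode a base64 blob to text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def scan_line(lineno: int, line: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in ASSIGNMENT_RE.finditer(line):
        findings.append((lineno, "hardcoded-credential", m.group(2)))
    for m in AWS_KEY_RE.finditer(line):
        findings.append((lineno, "aws-access-key-id", m.group(0)))
    for m in BASE64_RE.finditer(line):
        blob = m.group(0)
        decoded = decode_base64(blob)
        if decoded is not None and ASSIGNMENT_RE.search(decoded):
            # Encoded is not encrypted: the credential is one b64decode away.
            findings.append((lineno, "base64-encoded-credential", decoded))
        elif len(blob) >= 32 and shannon_entropy(blob) > 4.5:
            findings.append((lineno, "high-entropy-string", blob))
    return findings


def scan_text(text: str) -> List[Finding]:
    """Scan every line of a file's contents; line numbers start at 1."""
    return [f for i, line in enumerate(text.splitlines(), 1) for f in scan_line(i, line)]


# Constructed sample (no real secrets): a plain password, AWS's documentation
# example key ID, base64 of password='s3cr3tP@ssw0rd', a harmless path, and a
# random-looking token that only the entropy check catches.
SAMPLE_TEXT = """\
DB_PASSWORD = "hunter2-prod-2024"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
auth_blob = "cGFzc3dvcmQ9J3MzY3IzdFBAc3N3MHJkJw=="
log_path = "/var/log/app/service.log"
signing_material = "q7VdX2pL9kR4mN8bT1wZ6yH3cF5jG0sA2eU9iO4r"
"""

if __name__ == "__main__":
    for lineno, kind, matched in scan_text(SAMPLE_TEXT):
        print(f"line {lineno}: {kind}: {matched}")
```

Run it in a pre-commit hook or CI job over the files in a change set; the entropy threshold (4.5 bits per character) and the 32-character minimum are tuning knobs, and anything the scanner flags should be treated as already compromised and rotated, not merely deleted from the file.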
Reuse of Secrets
It is also very common to reuse secrets across different services to make them easier to remember and to save time. However, if an attacker discovers one of them, the others are compromised as well.
Unrevoked Secrets
NIST requires user credentials to be revoked when necessary, for example when an employee is dismissed or a contract with a third-party supplier is terminated. However, not all organizations follow this procedure.
Secrets Without Rotation
Various security standards dictate that passwords be changed within a given time frame, and the same applies to application keys and other types of secrets. Once again, not all companies follow this recommendation.
Five Key Practices for Secret Management
There are several ways to protect secrets. The following five steps are key to achieving this goal:
Centralized Secrets Management
First, centralize your secrets in one place to improve security and make them easier to manage. This makes it easier to build governance, security and auditing around them, so you know who accesses this information and when.
ACLs (Access Control Lists)
Once your secrets are centralized, make sure that only the right people and systems have access to them. To do this, create ACLs for humans, machines, and applications that give you control over that access.
Temporary Credentials
Third, make secrets dynamic: instead of long-lived credentials, individuals and entities are issued temporary credentials to access systems, which expire automatically and limit the damage if one leaks. This goes hand in hand with the fourth practice, encryption.
Encryption
Data in transit and at rest must be encrypted, with the encryption keys themselves held in the centralized secrets management system.
Audit
Finally, you might be wondering how to audit your secrets management and know what was accessed by which user.
Each dynamic secret is tied to a single user, who is authenticated when retrieving it, and encryption as a service lets you record who requested each encryption and decryption operation. Together, these give you a complete picture of what happens in your IT infrastructure.
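The five practices fit together in a single component: a central store, an ACL check on every request, leases that expire on their own, revocation and rotation, and an audit trail that can answer "who touched this secret, and when". The block below is an added example sketching such a broker in Python; it is not senhasegura's code or product, the principals, secret paths and glob-style ACL patterns are constructed for illustration, and encryption of the store at rest (the fourth practice) is deliberately left to an external KMS and omitted.

```python
"""Minimal centralized secrets broker: ACLs, leased secrets, revocation, audit.

Added example, not senhasegura's code. Everything is in memory and constructed;
a real deployment would keep the store encrypted at rest behind a KMS.
"""
import secrets
import time
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Lease:
    lease_id: str
    principal: str
    path: str
    value: str
    expires_at: float
    revoked: bool = False


@dataclass
class SecretsBroker:
    clock: Callable[[], float] = time.time                      # injectable for tests
    store: Dict[str, str] = field(default_factory=dict)         # path -> secret value
    acl: Dict[str, List[str]] = field(default_factory=dict)     # principal -> glob patterns
    leases: Dict[str, Lease] = field(default_factory=dict)
    audit_log: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def _audit(self, principal: str, action: str, path: str) -> None:
        self.audit_log.append((self.clock(), principal, action, path))

    def _is_live(self, lease: Lease) -> bool:
        return not lease.revoked and self.clock() < lease.expires_at

    def is_allowed(self, principal: str, path: str) -> bool:
        """ACL check: the principal needs at least one pattern that matches the path."""
        return any(fnmatch(path, pattern) for pattern in self.acl.get(principal, []))

    def request(self, principal: str, path: str, ttl_seconds: int = 300) -> Optional[Lease]:
        """Issue a short-lived lease instead of handing out a long-lived secret."""
        if path not in self.store or not self.is_allowed(principal, path):
            # Same answer for "missing" and "forbidden", so callers cannot enumerate paths.
            self._audit(principal, "denied", path)
            return None
        lease = Lease(secrets.token_urlsafe(16), principal, path,
                      self.store[path], self.clock() + ttl_seconds)
        self.leases[lease.lease_id] = lease
        self._audit(principal, "issued", path)
        return lease

    def resolve(self, lease_id: str) -> Optional[str]:
        """Return the secret behind a live lease; expired or revoked leases yield None."""
        lease = self.leases.get(lease_id)
        if lease is None or not self._is_live(lease):
            return None
        return lease.value

    def revoke_principal(self, principal: str) -> int:
        """Offboarding: remove the principal's ACL entries and kill its live leases."""
        count = 0
        for lease in self.leases.values():
            if lease.principal == principal and self._is_live(lease):
                lease.revoked = True
                count += 1
        self.acl.pop(principal, None)
        self._audit(principal, "revoked", "*")
        return count

    def rotate(self, path: str, new_value: str) -> int:
        """Rotation: store the new value and invalidate every live lease on the old one."""
        self.store[path] = new_value
        count = 0
        for lease in self.leases.values():
            if lease.path == path and self._is_live(lease):
                lease.revoked = True
                count += 1
        self._audit("broker", "rotated", path)
        return count

    def accesses(self, path: str) -> List[Tuple[float, str, str]]:
        """Audit query: (timestamp, principal, action) for every event on a path."""
        return [(ts, who, action) for ts, who, action, p in self.audit_log if p == path]


if __name__ == "__main__":
    broker = SecretsBroker()
    broker.store["db/prod/password"] = "constructed-example-value"
    broker.acl["ci-runner"] = ["db/prod/*"]
    lease = broker.request("ci-runner", "db/prod/password", ttl_seconds=60)
    print("lease resolves:", broker.resolve(lease.lease_id) is not None)
    print("intern denied:", broker.request("intern", "db/prod/password") is None)
    print("audit:", broker.accesses("db/prod/password"))
```

Two design points matter more than the code: a denied request and a request for a non-existent path get the same answer, so the ACL cannot be used to enumerate which secrets exist, and a lease, not the secret, is what the caller keeps, so rotation and offboarding invalidate outstanding access without hunting down copies.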
Conclusion
By reading this article you have learned what secrets are, how they should be managed, and what the biggest challenges in managing this information are. You were also able to see which practices are not recommended in password management, such as:
Weak Passwords;
Password Sharing;
Storing Secrets in Plain Text;
Reuse of Secrets;
Unrevoked Secrets; and
Secrets Without Rotation.
In addition, we presented five fundamental practices for good secrets management.
Did you like our text? Share it with someone interested in this information.
About Senhasegura Senhasegura strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.
Everyday Loans is the UK’s leading independent loan lender, operating dozens of branches across the country and boasting a personal, hands-on approach to lending, uncommon in today’s digitally anonymous financial services industry.
Today, personal lending in the UK has grown to become an industry approaching 24 billion GBP, with recent acceleration due to widespread financial uncertainty and hardship in the wake of the COVID-19 pandemic.
The company’s IT department, led by Head of IT Tony Sheehan, experienced the tangible impact of this market growth as more and more customers walked through the doors of Everyday Loans’ many branches, and as the company increased its employee headcount in response to demand.
With more guests and customers on-site as well as a growing workforce, Sheehan and his team began to assess potential cybersecurity vulnerabilities – beginning with the corporate network.
Sheehan describes the company’s initial network security vulnerabilities: “We have a presence online, but we’re predominantly a face-to-face lender. We have over 75 offices with many new and repeat customers coming in to discuss a loan, as well as part-time staff for cleaning, security and maintenance. As a result, we knew network authentication was an obvious vulnerability.”
Shifting Focus to Network Authentication
Implementing a solution for network authentication was a logical next step for Sheehan’s IT team. Given the increased branch foot traffic, the company needed to ensure it had total device awareness across the network. “This was a concern voiced to our new CTO when he came on board. He agreed, so we went about looking at different tools for network authentication and access control,” said Sheehan.
Another factor driving a focus on NAC was staff turnover. "Like every company, we have staff that leave us, and we need to ensure they can no longer access our network after they've departed," said Sheehan. At that point in time, Everyday Loans knew that its use of a hidden SSID paired with a PSK was not up to snuff from a security standpoint. As Sheehan and his team began to research potential solutions for network authentication and access control, two requirements became apparent:
They had no desire to build upon their existing on-prem or virtual footprint; adding maintenance tasks to the laundry list of other IT responsibilities was a non-starter
The company wanted a SaaS solution that could support its existing cloud-native hardware – primarily Meraki network devices and ChromeBox endpoints
Considering Network Access Control Options
Sheehan and his team found themselves at a crossroads as they mulled over these requirements. “We were either going to double down and stand-up another datacenter as part of a general infrastructure expansion initiative which would also enable us to deploy network access control on-premises, or we were going to go out and find a cloud-native NAC solution that fit our needs,” Sheehan said.
Having considered Microsoft NPS for RADIUS authentication and 802.1X, and Cisco ISE for full network access control, Sheehan and Everyday Loans’ IT team made the executive decision that neither tool was suited to their existing network security needs, internal skillsets, resource bandwidth or networking infrastructure. “We came across Portnox CLEAR fairly quickly thanks to the help of our partner, Haptic Networks,” Sheehan continued. “It was the only true cloud–native NAC we could find with the deployment and support model we wanted. Each of the other vendors had some solutions that were close in functionality, but in the end, they didn’t cover our needs totally – either functionally or operationally in terms of their ease-of-use. Ultimately, we went with Portnox CLEAR since it provided coverage across all our network devices and connected endpoints.”
Up & Running with Portnox CLEAR
After beginning a proof of concept of Portnox’s cloud-native NAC-as-a-Service, Everyday Loans ruled out competing alternatives. “It worked as expected. After comparing Portnox CLEAR’s robust, easy-to-use functionality to that of the other vendors up for consideration, we soon dismissed alternatives as they did not meet our technical security requirements,” Sheehan said.
The trial continued and Sheehan’s team threw every possible authentication and access control use case they could conjure up at the system to test its durability.
“Anyone with good network experience will pick up Portnox CLEAR with ease – it’s just a case of ensuring how you setup the network hardware and what control you have over employee and guest devices,” Sheehan went on to say.
Everyday Loans was able to deploy Portnox CLEAR across its 75 sites with relative ease, saving the company’s headquarters for last. “Portnox CLEAR has exceeded my expectations. Now that it is fully deployed, the visibility and control we have of users authenticating to the network is unparalleled,” Sheehan concluded.
“It is a huge bonus that the system easily integrates with Azure Active Directory and provides its own certificate authority out-of-the-box. Having multiple methods for authentications helps us ensure all our bases are covered. The solution has been reliable from day one.”
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.
Prometheus aims to be a new generation of open source monitoring tool: a different approach, with no legacy from the past.
For years, many monitoring tools have been linked to Nagios for its architecture and philosophy or directly for being a complete fork (CheckMk, Centreon, OpsView, Icinga, Naemon, Shinken, Vigilo NMS, NetXMS, OP5 and others).
Prometheus software, however, is true to the “Open” spirit: if you want to use it, you will have to put together several different parts.
Somehow, like Nagios, we can say that it is a kind of monitoring Ikea: you will be able to do many things with it, but you will need to put the pieces together yourself and devote a lot of time to it.
Prometheus network monitoring architecture
Prometheus, written in the Go programming language, has an architecture based on the integration of third-party free technologies. Unlike other well-known systems, which also have many plugins and parts to present maps, Prometheus needs third parties to, for example, display data (Grafana) or execute notifications (PagerDuty).
All those high-level elements can be replaced by other pieces, but Prometheus is part of an ecosystem, not a single tool. That is why its exporters and key pieces are, in the background, other open source projects:
HAProxy
StatsD
Graphite
Grafana
Pagerduty
OpsGenie
and we could go on and on.
What is Prometheus monitoring?
As we mentioned, Prometheus is an open source monitoring tool.
The main difference from the other tools we have discussed is that Prometheus is conceived as a framework for collecting loosely structured data (metric names with key/value labels), rather than as a monitoring tool. On top of that data you define your own query expressions for evaluation, and alerting reacts to changes in the result of those expressions rather than to fixed checks.
If you are familiar with RRD, you are thinking along the right lines.
Prometheus does not store data in an SQL database.
Like Graphite, which does something similar, and like systems of an earlier generation that store numerical series in RRD files, Prometheus keeps each time series in its own purpose-built on-disk storage rather than in relational tables.
If you are looking for a time series database to gather information into, you should also take a look at OpenTSDB, InfluxDB or Graphite.
What to use Prometheus for?
Or rather, why NOT to use Prometheus.
They say it themselves on their website: if you are going to use this tool to collect logs, DO NOT DO it; they propose ELK instead.
If you want to use Prometheus to monitor applications, servers or remote devices using SNMP, you may do so and generate beautiful graphics with Grafana, but first of all…
Prometheus Settings
All Prometheus configuration is done in YAML text files, with a fairly complex syntax. In addition, each exporter you deploy has its own independent configuration file.
When the configuration changes, you have to tell the service to pick the changes up: Prometheus reloads its configuration on SIGHUP, or on a POST to its /-/reload endpoint when the lifecycle API is enabled; otherwise you restart the service.
Prometheus reports
By default, Prometheus monitoring has no report type.
You will have to program them yourself using their API to retrieve data.
Of course, there are some independent projects to achieve this.
Dashboards and visual displays
To have a dashboard in Prometheus, you’ll need to integrate it with Grafana.
There is documentation of how to do this, as Grafana and Prometheus coexist amicably.
Scalability in Prometheus
If you need to process more data sources in Prometheus, you can always add more servers.
Each server processes its own workload, because each Prometheus server is independent and keeps working even if its peers fail.
Of course, you will have to "divide" the servers by functional area to tell them apart, e.g. "service A, service B", so that each server remains independent.
Out of the box there is no way to "scale" as we usually understand it: the servers do not synchronize or recover data from each other, there is no built-in high availability, and there is no common access layer over the information held on the different independent servers.
But as we warned at the beginning, this is not a "closed" solution but a framework for designing your own final solution.
Of course, there is no doubt that Prometheus is able to absorb a lot of information, an order of magnitude beyond other better known tools.
Monitoring with Prometheus: exporters and collectors
Each different "way" of obtaining information with this tool needs a piece of software that they call an "exporter".
Each one is a separate binary with its own configuration file that must be managed independently (its own daemon, its own configuration file, and so on).
It would be the equivalent of a “plugin” in Nagios.
So, for example, Prometheus has exporters for SNMP (snmp_exporter), log monitoring (grok_exporter), and so on.
Example of configuring an snmp exporter as a service:
To get information from a host, you can install a "node_exporter", which works as a conventional agent, similar to those of Nagios.
These node_exporters collect metrics of different types in what they call "collectors".
By default, dozens of these collectors are enabled. You can see them all in Appendix 1: active collectors.
In addition, there are a multitude of "exporters" or plugins to obtain information from different hardware and software systems.
Although the number of exporters is significant (about 200), it does not reach the number of plugins available for Nagios (more than 2000).
An example of the metrics an Oracle exporter returns is included at the end of this article.
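Every exporter, and the textfile collector listed in the appendix, speaks the same thing: the Prometheus text exposition format, one sample per line with optional labels. The block below is an added example, not Prometheus, node_exporter or Pandora FMS code, that renders and parses that format in Python; the metric names and values are constructed (loosely modelled on the Oracle exporter metrics listed later). The point a practitioner cares about is the escaping: a label value taken from untrusted input (a hostname, a tablespace name) must not be able to inject a newline or quote and so add or corrupt samples in a scrape.

```python
"""Render and parse the Prometheus text exposition format served by exporters.

Added example, not Prometheus project code. Name and label-value rules follow
the public exposition-format spec; sample metrics below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Sample = Tuple[str, Dict[str, str], float]   # (metric name, labels, value)

METRIC_NAME_RE = re.compile(r"^[a-zA-Z_:][a-zA-Z0-9_:]*$")
LABEL_NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$")
# One sample line: name, optional {labels}, value, optional integer timestamp
SAMPLE_LINE_RE = re.compile(
    r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+(-?\d+))?\s*$"
)
# label="value" pairs; the value may contain escaped quotes and backslashes
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def escape_label_value(value: str) -> str:
    """Escape per the spec so untrusted text cannot inject extra lines or labels."""
    return value.replace("\\", "\\\\").replace("\n", "\\n").replace('"', '\\"')


def unescape_label_value(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt == "n" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def render(samples: List[Sample], help_text: Optional[Dict[str, str]] = None,
           types: Optional[Dict[str, str]] = None) -> str:
    """Produce the text an exporter would serve on /metrics (or a textfile collector file)."""
    help_text, types = help_text or {}, types or {}
    lines: List[str] = []
    seen = set()
    for name, labels, value in samples:
        if not METRIC_NAME_RE.match(name):
            raise ValueError(f"invalid metric name: {name!r}")
        if name not in seen:   # HELP/TYPE are emitted once per metric family
            seen.add(name)
            if name in help_text:
                lines.append(f"# HELP {name} {help_text[name]}")
            if name in types:
                lines.append(f"# TYPE {name} {types[name]}")
        parts = []
        for key, val in labels.items():
            if not LABEL_NAME_RE.match(key) or key.startswith("__"):   # __ is reserved
                raise ValueError(f"invalid label name: {key!r}")
            parts.append(f'{key}="{escape_label_value(val)}"')
        label_str = "{" + ",".join(parts) + "}" if parts else ""
        lines.append(f"{name}{label_str} {value!r}")
    return "\n".join(lines) + "\n"


def parse(text: str) -> List[Sample]:
    """Parse exposition text back into samples; comments and timestamps are dropped."""
    samples: List[Sample] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed sample line: {raw!r}")
        name, label_blob, value = m.group(1), m.group(2), m.group(3)
        labels = {k: unescape_label_value(v) for k, v in LABEL_RE.findall(label_blob or "")}
        samples.append((name, labels, float(value)))   # float() accepts NaN, +Inf, -Inf
    return samples


if __name__ == "__main__":
    demo = [("oracledb_up", {}, 1.0),
            ("oracledb_tablespace_bytes", {"tablespace": 'USERS\n"injected" 0'}, 1048576.0)]
    text = render(demo, types={"oracledb_up": "gauge"})
    print(text)
    print(parse(text) == demo)
```

When writing files for the textfile collector, render to a temporary file in the same directory and rename it over the target so a scrape never sees a half-written file; an unescaped newline in a label is the classic way a metrics file ends up rejected wholesale.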
Conclusion
Prometheus’ approach for modern monitoring is much more flexible than that of older tools. Thanks to its philosophy, you may integrate it into hybrid environments more easily.
However, you will miss reports, dashboards and centralized configuration management, that is, an interface that lets you observe and monitor information grouped by services and hosts. That is because Prometheus is a data processing ecosystem, not a conventional IT monitoring system.
Its data processing power is far superior, but using that data day to day is extremely complex to manage: it requires many configuration files and many distributed external commands, and everything must be maintained by hand.
Appendix 1: Collectors active in Prometheus
These are the node_exporter collectors that are enabled by default:
arp: Exposes ARP statistics from /proc/net/arp.
bcache: Exposes bcache statistics from /sys/fs/bcache/.
bonding: Exposes the number of configured and active slaves of Linux bonding interfaces.
btrfs: Exposes btrfs statistics.
boottime: Exposes system boot time derived from the kern.boottime sysctl.
conntrack: Shows conntrack statistics (does nothing if no /proc/sys/net/netfilter/ present).
cpu: Exposes CPU statistics.
cpufreq: Exposes CPU frequency statistics.
diskstats: Exposes disk I/O statistics.
dmi: Exposes Desktop Management Interface (DMI) info from /sys/class/dmi/id/.
edac: Exposes error detection and correction statistics.
entropy: Exposes available entropy.
exec: Exposes execution statistics.
fibrechannel: Exposes fibre channel information and statistics from /sys/class/fc_host/.
filefd: Exposes file descriptor statistics from /proc/sys/fs/file-nr.
filesystem: Exposes filesystem statistics, such as disk space used.
hwmon: Exposes hardware monitoring and sensor data from /sys/class/hwmon/.
infiniband: Exposes network statistics specific to InfiniBand and Intel OmniPath configurations.
ipvs: Exposes IPVS status from /proc/net/ip_vs and stats from /proc/net/ip_vs_stats.
loadavg: Exposes load average.
mdadm: Exposes statistics about devices in /proc/mdstat (does nothing if no /proc/mdstat present).
meminfo: Exposes memory statistics.
netclass: Exposes network interface info from /sys/class/net/.
netdev: Exposes network interface statistics such as bytes transferred.
netstat: Exposes network statistics from /proc/net/netstat. This is the same information as netstat -s.
nfs: Exposes NFS client statistics from /proc/net/rpc/nfs. This is the same information as nfsstat -c.
nfsd: Exposes NFS kernel server statistics from /proc/net/rpc/nfsd. This is the same information as nfsstat -s.
nvme: Exposes NVMe info from /sys/class/nvme/.
os: Exposes OS release info from /etc/os-release or /usr/lib/os-release.
powersupplyclass: Exposes power supply statistics from /sys/class/power_supply.
pressure: Exposes pressure stall statistics from /proc/pressure/.
rapl: Exposes various statistics from /sys/class/powercap.
schedstat: Exposes task scheduler statistics from /proc/schedstat.
sockstat: Exposes various statistics from /proc/net/sockstat.
softnet: Exposes statistics from /proc/net/softnet_stat.
stat: Exposes various statistics from /proc/stat. This includes boot time, forks and interrupts.
tapestats: Exposes statistics from /sys/class/scsi_tape.
textfile: Exposes statistics read from local disk. The --collector.textfile.directory flag must be set.
thermal: Exposes thermal statistics like pmset -g therm.
thermal_zone: Exposes thermal zone & cooling device statistics from /sys/class/thermal.
time: Exposes the current system time.
timex: Exposes selected adjtimex(2) system call stats.
udp_queues: Exposes UDP total lengths of the rx_queue and tx_queue from /proc/net/udp and /proc/net/udp6.
uname: Exposes system information as provided by the uname system call.
This is an example of the type of information an Oracle exporter returns. The exporter is invoked by configuring a file and a set of environment variables that define the credentials and the SID:
oracledb_exporter_last_scrape_duration_seconds
oracledb_exporter_last_scrape_error
oracledb_exporter_scrapes_total
oracledb_up
oracledb_activity_execute_count
oracledb_activity_parse_count_total
oracledb_activity_user_commits
oracledb_activity_user_rollbacks
oracledb_sessions_activity
oracledb_wait_time_application
oracledb_wait_time_commit
oracledb_wait_time_concurrency
oracledb_wait_time_configuration
oracledb_wait_time_network
oracledb_wait_time_other
oracledb_wait_time_scheduler
oracledb_wait_time_system_io
oracledb_wait_time_user_io
oracledb_tablespace_bytes
oracledb_tablespace_max_bytes
oracledb_tablespace_free
oracledb_tablespace_used_percent
oracledb_process_count
oracledb_resource_current_utilization
oracledb_resource_limit_value
To get an idea of how an exporter is configured, let's look at an example JMX exporter configuration file:
About PandoraFMS Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes. Of course, one of the things that Pandora FMS can control is the hard disks of your computers.