Skip to content

6-Step Checklist for Articulating Design Decisions

Nice to know for UX, Product Designers,and Product Managers 

In the process of designing any digital product, there is always a time when you, as a UX or Product designer, need to make a tough decision.

It’s often combined with the limited time and pressure from customers, engineers, managers, and everyone else in the product development cycle.

You may need to accept that panic, fear, and lack of self-confidence are often part of the decision-making process.

Sounds familiar? In this article, I’ll share a six-step decision-making framework that will not only make your process faster but also easier to articulate to all those involved.

When making a decision, we form opinions and choose actions via mental processes which are influenced by biases, reason, emotions, and memories. The simple act of deciding supports the notion that we have free will. We weigh the benefits and costs of our choice, and then we cope with the consequences. Factors that limit the ability to make good decisions include missing or incomplete information, urgent deadlines, and limited physical or emotional resources.

Psychology Today

The ability to think critically is key to making good decisions without succumbing to common errors, bias, or intuition. “There is a need for disciplined intuition and what I mean by disciplined is delayed intuition. One of the many problems with our intuitions is they come too fast and we tend to confirm them.” (Kahneman, Daniel. Thinking, Fast and Slow. New York: Farrar, Straus, and Giroux, 2011.)When you look at all possible sources of information with an open mind, you can make an informed decision based on facts rather than intuition.

Let’s move on to putting the decision-making framework into action.

Design Decision Framework 

This process will ensure that you make a good decision in a complex situation, but it may be unnecessarily complicated for small or simple decisions. In these cases, jump ahead to step 5.

Step 1. Investigate the problem

Start by considering the decision in the context of the problem it is intended to address. You need to determine whether the stated problem is the real issue or just a symptom of something deeper.

To make a proper problem investigation, first you need to know the user that is facing this problem, why it happens, and how often it occurs – to name a few. There are many things to know about your user and product when you’re working on a new problem. To make sure that you understood the core problem, using the 5 Whys framework can be helpful.

Step 2. Set up the environment

Enable people to take the discussions without any fear of the other participants rejecting them and their ideas. Make sure that everyone recognizes that the objective is to make the best decision possible in the circumstances, without blame. This is often referred to as psychological safety, and it’s a key part of the process.

Step 3. Generate good alternatives

The wider the options you explore, the better your final decision is likely to be. Generating a number of different options may seem to make your decision more complicated at first, but the act of coming up with alternatives forces you to dig deeper and to look at the problem from different angles. Make sure that all of your options are good enough – you don’t need to create options just for illusion of choice or quantity.

When you’re satisfied with the choice of realistic alternatives, it’s time to evaluate the value, feasibility, and risks of each one.

Step 4. Select the best solution

This is the step where you make a decision!

In the design process, you can’t really develop a product by yourself, so you will probably make a decision as a group of people – and of course more people make it a more complicated decision process. It is optimal to keep the total number from 3 to 7, depending on your company process.

If there’s a tendency for certain individuals to dominate the process, you can arrange anonymous voting or assign a facilitator who will ensure equal participation.

To simplify the final decision, you can use the product design principles of your company to find the solution that will perfectly fit into your brand and strategy.

“Product design principles (or, in short, design principles) are value statements that describe the most important goals that a product or service should deliver for users and are used to frame design decisions.”

NNGroup

To make small design decisions—components, colors, alignment—lean into your design system and guidelines, as they should cover most of the cases. If they don’t, make a note and discuss it with a design system owner to make sure that your idea will fit into the general strategy.

If your product, for one reason or another, does not have an established design system, you can use well-known systems like Material Design, IBM, etc.

Step 5. Evaluate your decision

Now is the time to check your decision one more time. Before you start to implement your decision, take a long, dispassionate look at it to be sure that you have been thorough and that common errors haven’t crept into the process.

Your final decision is only as good as the facts and research you used to make it. Make sure that your information is trustworthy and try to avoid confirmation bias.

Of course, sometimes you are limited by resources for implementation, release date, or budget, so it’s impossible to implement the best solution. And that’s okay! As a designer, you should always remember that the development of the product is an iterative process, so you just need to choose the most suitable option in the current circumstances for your product to evolve, even if you personally do not like the solution. If this decision will have a balance of usefulness for the user vs. resources used – then you made the right decision.

Step 6. Communicate your decision and take action.

Once you’ve made your decision, you need to communicate it to everyone affected by it in an engaging, informative, and inspiring way.

Get them involved in implementing the solution by discussing how and why you arrived at your decision. The more information you provide about risks and projected benefits, the more likely people will be to support it.

Summary

  • Remember, we’re all humans. It’s okay to have emotions involved in the decision process – you just need to know how to handle it.
  • Think critically and make an informed decision based on facts rather than intuition – don’t allow the desires of others to dictate your decision.
  • You’re not alone: collaborate with your project team.
  • Communicate the decision that you made in an engaging and inspiring way. Explain why you came up with this decision – don’t present a decision as a fact.

Involved or interested in design? For further reading, check out our other blog posts by the Keepit design team, such as how Keepit puts UX first and why customers love Keepit’s ease of use.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

ESET Research: North Korea-linked group launches Dolphin backdoor, steals files of interest, communicates via Google Drive

  • ESET researchers analyzed Dolphin, a previously unreported backdoor used by the ScarCruft APT group.
  • Dolphin has many spying capabilities, including monitoring drives and portable devices, exfiltrating files of interest, keylogging, taking screenshots, and stealing credentials from browsers.
  • Dolphin is deployed on selected targets only; it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive.
  • ScarCruft, also known as APT37 or Reaper, is an espionage group that has been operating since at least 2012. It primarily focuses on South Korea. ScarCruft’s interests seem to be linked to the interests of North Korea.
  • The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor named BLUELIGHT.
  • Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection.
  • A notable feature of earlier Dolphin versions is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security.

BRATISLAVA —  November 30, 2022 —  ESET researchers analyzed a previously unreported sophisticated backdoor used by the ScarCruft APT group. The backdoor, which ESET named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices, exfiltrating files of interest, keylogging, taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. Dolphin abuses cloud storage services — specifically Google Drive — for Command and Control communication.

ScarCruft, also known as APT37 or Reaper, is an espionage group that has been operating since at least 2012. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea.

“After being deployed on selected targets, it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive. One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably to maintain Gmail account access for the threat actors,” says ESET researcher Filip Jurčacko, who analyzed the Dolphin backdoor.

In 2021, ScarCruft conducted a watering-hole attack on a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named BLUELIGHT.

“In the previous reports, the BLUELIGHT backdoor was described as the attack’s final payload. However, when analyzing the attack, we discovered through ESET telemetry a second, more sophisticated backdoor deployed on selected victims via this first backdoor. We named this backdoor Dolphin based on a PDB path found in the executable,” explains Jurčacko.

Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection.

While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims. Both backdoors are capable of exfiltrating files from a path specified in a command, but Dolphin also actively searches drives and automatically exfiltrates files with interesting extensions.

The backdoor collects basic information about the targeted machine, including the operating system version, malware version, list of installed security products, username, and computer name. By default, Dolphin searches all fixed (HDD) and non-fixed drives (USBs), creates directory listings, and exfiltrates files by extension. Dolphin also searches portable devices, such as smartphones, via the Windows Portable Device API. The backdoor also steals credentials from browsers, and is capable of keylogging and taking screenshots. Finally, it stages this data in encrypted ZIP archives before uploading to Google Drive.

For more technical information about the latest ScarCruft APT group campaign, check out the blogpost “Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Overview of the attack components leading to the execution of the Dolphin backdoor.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Datto Integration

The first agent of SafeDNS was integrated into Datto RMM.
It simplifies the process of getting access to web filtering  for MSPs who use Datto.

Our Linux agent is now presented in the Datto ComStore. Any client of Datto can now download SafeDNS Linux agent straight from the RMM interface.

The process is simple:
1. Look for the Automation tab in the left menu.

2. Choose Comstore.

3. Type in SafeDNS in the search bar & download the agent.

Stay tuned for the integration of our Win & Mac agents!

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.

ESET Research: Bahamut group targets Android users with fake VPN apps; spyware steals users’ conversations

  • ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group.
  • The main purpose of the spyware is to extract sensitive user data and actively spy on victims’ messaging apps such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram.
  • The app used has at different times been a trojanized version of one of two legitimate VPN apps, SoftVPN or OpenVPN, which have been repackaged with Bahamut spyware code.
  • The campaign appears to be highly targeted, since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users.
  • ESET was able to identify at least eight versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained.

BRATISLAVA, KOŠICE — November 23, 2022 — ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been ongoing since the start of this year. Malicious spyware apps are distributed through a fake SecureVPN website that provides only trojanized Android apps to download. This website has no association whatsoever with the legitimate, multiplatform SecureVPN software and service. Malicious apps used in this campaign are able to exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram. ESET researchers discovered at least eight versions of the Bahamut spyware, which could mean the campaign is well-maintained. The malicious apps were never available for download from Google Play.

“The data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our telemetry data,” explains ESET researcher Lukáš Štefanko, who discovered and analyzed the dangerous Android malware. “Additionally, the app requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users,” adds Štefanko. This layer aims to protect the malicious payload from being triggered right after launch on a non-targeted user device or when being analyzed. ESET Research has already seen similar protection being used in another campaign by the Bahamut group.

All exfiltrated data is stored in a local database and then sent to the Command and Control (C&C) server. The Bahamut spyware functionality includes the ability to update the app by receiving a link to a new version from the C&C server.

If the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut operators and can exfiltrate various sensitive device data, such as contacts, SMS messages, call logs, a list of installed apps, device location, device accounts, device info (type of internet connection, IMEI, IP, SIM serial number), recorded phone calls, and a list of files on external storage. By misusing accessibility services, the malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps, such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.

The Bahamut APT group typically uses spearphishing messages and fake applications as the initial attack vector, against entities and individuals in the Middle East and South Asia. Bahamut specializes in cyberespionage, and ESET Research believes that its goal is to steal sensitive information from its victims. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group. Bellingcat named the group after the enormous fish floating in the vast Arabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is frequently described in Arabic mythology as an unimaginably enormous fish.

For more technical information about the latest Bahamut APT group campaign, check out the blog post “Bahamut cybermercenary group targets Android users with fake VPN apps” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

SecureVPN website provides a trojanized app to download.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Fortinet Authentication Bypass Vulnerability – CVE-2022-40684

Introduction:

The latest FortiOS / FortiProxy / FortiSwitchManager vulnerability has been reportedly exploited in the wild, which allows an attacker to bypass authentication and login as an administrator on the affected system.

  • Vulnerability Release Time : Oct Nov, 2022

  • Vulnerability Component Name : FortiOS – FortiProxy – FortiSwitchManager

  • Affected Products :

    • Affected FortiOS

      • 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0, 7.2.1

    • Affected FortiProxy

      • 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0

    • FortiSwitchManager

      • 7.0.0, 7.2.0

    • FortiOS versions 5.x, 6.x are NOT impacted

    • FortiProxy version 7.2.0

Solutions :

  • Please upgrade to FortiOS version 7.2.2 or above

  • Please upgrade to FortiOS version 7.0.7 or above

  • Please upgrade to FortiProxy version 7.2.1 or above

  • Please upgrade to FortiProxy version 7.0.7 or above

  • Please upgrade to FortiSwitchManager version 7.2.1 or above

  • Please upgrade to FortiSwitchManager version 7.0.1 or above

  • Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms

Execution Summary:

The CVE-2022-40684 vulnerability allows adversaries to bypass authentication and login into the vulnerable systems as an administrator in FortiOS / FortiProxy / FortiSwitchManager products.

Having admin user rights, adversaries can,

  • add new users to the vulnerable system

  • reroute the network traffic by updating network configurations

  • listen to and capture sensitive data by running packet capturing programs

CVSS v3:

  • Base Score: 9.8 (Critical)

  • Attack Vector:              Network

  • Attack Complexity:          Low

  • Privileges Required:        None

  • User Interaction:           None

  • Confidentiality Impact:     High

  • Integrity Impact:           High

  • Availability Impact:        High

Mitigation:

As mitigation measures and security workarounds for remediating the threat, Fortinet advisory recommends disabling the HTTP/HTTPS admin interface or limiting the IP address that can access the latter. Customers are also highly recommended to upgrade their potentially vulnerable software to the latest versions.

Furthermore,

In their PSIRT Advisories blog, the FortiGuard Labs have given some mitigation suggestions and recommended performing the following upgrades according to the vulnerable products.

For FortiOS:

  • Upgrade to version 7.2.2 or above

  • Upgrade to version 7.0.7 or above

If applying patch is not possible for some other reasons, apply the following mitigation suggestions.

Suggestion 1: Disable HTTP/HTTPS administrative interface

Suggestion 2: Limit IP addresses that can reach the administrative interface
  • config firewall address

  • edit "my_allowed_addresses"

  • set subnet <MY IP> <MY SUBNET>

  • end

Then crate an Address Group
  • config firewall addrgrp

  • edit "MGMT_IPs"

  • set member "my_allowed_addresses"

  • end

Create the Local in Policy to restrict access only to the predefined group on management interface.
  • config firewall local-in-policy

  • edit 1

  • set intf port1

  • set srcaddr "MGMT_IPs"

  • set dstaddr "all"

  • set action accept

  • set service HTTPS HTTP

  • set schedule "always"

  • set status enable

  • next

  • edit 2

  • set intf "any"

  • set srcaddr "all"

  • set dstaddr "all"

  • set action deny

  • set service HTTPS HTTP

  • set schedule "always"

  • set status enable

  • end

If you are using non default ports, create appropriate service object for GUI administrative access:
  • config firewall service custom

  • edit GUI_HTTPS

  • set tcp-portrange <admin-sport>

  • next

  • edit GUI_HTTP

  • set tcp-portrange <admin-port>

  • end

Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 above.

For FortiProxy:

  • Upgrade to version 7.2.1 or above

  • Upgrade to version 7.0.7 or above

If applying patch is not possible for some other reasons, apply the following mitigation suggestions.

Suggestion 1: Disable HTTP/HTTPS administrative interface
Suggestion 2: For FortiProxy VM all versions or FortiProxy appliance 7.0.6:

Limit IP addresses that can reach the administrative interface:
  • config system interface

  • edit port1

  • set dedicated-to management

  • set trust-ip-1 <MY IP> <MY SUBNET>

  • end

For FortiSwitchManager:

Upgrade to version 7.2.1 or above: Disable HTTP/HTTPS administrative interface

Technical Analysis / Exploits:

We found an open admin panel link and we tried to use default credentials but they failed.

  1. Now that our default bruteforce attack didn’t work, let’s try to use a new exploitation technique. Use below link to open exploit python script.

    https://github.com/horizon3ai/CVE-2022-40684

Open the python script file and copy complete code. Create a new file in your local directory and paste that copied python code in the new file.

      In our case we created a file with the name pocforti.py and pasted the code in it

Now let’s run this python script and let it do the magic trick. Use below command with fortinet admin server ip, port number, and your public key path.

python3 pocforti.py -t <fortinet admin server ip>:<port number> --username admin --key-file <your public key path>

Now after executing the python script, let’s try to SSH the fortinet hosted server. Use bellow command to successfully SSH in fortinet server.

ssh admin@<fortinet server ip>

After successfully get fortinet server access, let’s create a new user in fortinet database

Now after adding a new user with admin rights, let’s try this user.

After entering the new credentials of the created user, we successfully login to the fortinet admin panel as an admin user

Open the admin users to verify if your user is successfully added as admin user or not

As you can see, our created user is successfully added in fortinet users as an admin user.

Reference:

#fortinet #FortiProxy #ForitnetAdminAccess #CVE-2022-40684

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Hardening

Hardening is the process of bringing our OS, application, etc. to a more secure state, by configuring the system aside from its default (or previous) settings by reducing the attack surface.

This process can (and will) usually include removing software/services from the OS, removing/changing default password, patching, and so on.

The process of hardening has for its aim to remove configuration vulnerabilities.

For example, you can place a password policy on your OS, so that the user has to enter more complex password, than no or a simple password which would classify as a configuration-based vulnerability.

The hardening process should be specific for the OS and the threats you’re attempting to control. It would not be the same for a Linux-based server that’s for example a public webserver and for a Windows desktop. This would be different because of the nature of the threats you’re going up against, i.e., you’d need to have different profiles for each of those.

This implies that there’s no general way to harden systems, however, there are things that you will tend to do that will hold for all those cases. Like, as I already mentioned, removing unnecessary stuff, reducing your attack surface by controlling what could be attacked better, etc.

Hardening is not a trivial task, as it requires in-depth understanding of a system you’re hardening. To make an extreme example – you could set your firewall to block all inbound traffic by default and you would be quite safe, but then again, the reason for that safety would be due to the fact you’ve rendered one of the (main) functionalities of that system unusable – Accessing the Internet. Thus, you really need to pay attention in order to strike that middle ground between usability and security in a sensible way. You don’t want to have issues with using your daily driver OS, and you don’t want to break it.

Layers

Its helpful to think of layers when hardening your systems. One such example can be the webserver I already mentioned. You would have the OS layer, thus you’d need to harden the OS itself, then if your, for example, Apache runs an app server, you’d need to harden that as well. Finally, if you have an application that’s running there – the code for that application would need to be written securely.

This is just an illustration, so that you have a general idea of what to think about when thinking about hardening, but I want to focus more on OSes (if necessary, I will create another OS dedicated article about hardening).

Standards

There are standards out there for mostly anything you’d like to harden, and it’s best to follow these. Similar to let’s say secure coding best practices, or any other type of best practices.

Also, there are scripts that can audit or remediate your system to a state you wanted, this not only saves you time, but it will also provide you with a good way to avoid any human-based errors, while hardening your system.

The standards can be called baselines, benchmarks, policies, standards, etc. Just an fyi. They still describe the same thing… also, note that these benchmarks are made by a community of security professionals, which is what we want.

One such hardening standard is the CIS Benchmarks. As you can see on the link, they offer hardening for Mobile Devices, Network Devices, Server/Desktop Software, Cloud, and more, aside from the OS benchmarks, and it’s a good place to start. Once you’ve found your target system you’d like to harden, you can click on the link for it and download the associated .pdf file for that specific benchmark. (You will need to fill out a form, but after that, you’ll be sent a link where you’ll be able to access all the available .pdfs and download them, for free).

Note that the standards needn’t necessarily align with your needs, so even these standards are not a silver bullet that you can implement blindly. Read it, understand it, and assess what you will need before going forward with the implementation.

Another one of these baselines is the NIST Configuration Baseline, but it’s a bit dated (offering only for Windows 7 and Red Hat – but if you have Red Hat in your environment, it might be useful to you). Regardless, it’s a good resource to skim through so you can learn a bit more on the topic.

One more standard/baseline is the Securiity Technical Implementation Guides (STIGs), from the DoD Cyber Exchange Team. These are up to date, and cover the latest OSes (mostly) and their respective security standards for hardening them. Do note that these are geared more towards the DoD and their requirements, so there might be some things in there that won’t be useful for your case. However, these are something I’d recommend anyone who wants to harden their system(s) to look at and think of them as general hardening guidelines. To view these, you’ll also need a STIG viewer, as they are in an XCCDF format.

Although this might be a bit of a hassle, it’s worth it because it will give you a very nicely laid out interface with recommended settings, references, information, and more – all related to the hardening of system(s).

SCAP – Security Content Automation Protocol

This is a NIST standard, and from their website, it’s about:

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.

And

NIST’s security automation agenda is broader than the vulnerability management application of modern day SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting. We envision further expansion in compliance, remediation, and network monitoring, and encourage your contribution relative to these and additional disciplines.

The SCAP standard consists of the following components:

  • XCCDF
  • OVAL
  • DataStream
  • ARF
  • CPE
  • CVE

And is XML-based.

Simply put, SCAP is a protocol/standard that enables to create human and machine-readable security documents, that you can use with automated tools to audit/harden a target system.

Open SCAP is the implementation of SCAP. This is a bundle of tools, security policies, and is based on the SCAP standard. Be sure to check out the SCAP Workbench – This tool allows users to perform configuration and vulnerability scans on a single local or a remote system, perform remediation of the system in accordance with the given XCCDF or SDS file. Workbench can generate reports, in multiple formats, containing the results of a system scan.

It will both help you in case all of this is a bit confusing, and you can also run a test on your system, by inputting of the said standards in it and it will run it against that and tell you if your system passed/failed and if it has any vulnerabilities.

Unfortunately, Open SCAP is more focused on Linux systems (particularly Red Hat systems – CentOS/Fedora), but there is some (very minimal) MacOS and Windows support.

Conclusion

This is an extensive topic, and I hope my intro into it has attracted your attention. In the coming articles I will try to cover at least the OS portion of hardening – for Windows, Mac, and Linux.

Stay tuned!

Cover image by Ian Battaglia

#hardening #OS #application #SCAP #standard

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

OpenTelemetry: A modern observability standard

In the first part of our blog series about observability, we covered the basic principles of observability and explained how it differs from the classical monitoring term. In this article, we’ll discuss OpenTelemetry and its instrumentation approaches.

Blog thumbnail 2022 11 24 2

 

OpenTelemetry

Please check out our first article on observability to gain a fuller context for the topic we’re about to discuss. OpenTelemetry is currently the most actively developed standard in the field of observability. It is being adopted as the Cloud Native Computing Foundation incubating project. Born primarily as a merging of former OpenTracing and OpenCensus standards, OpenTelemetry continues to gain popularity, with its supporters including representatives of Google, Microsoft, and Uber.

The goal of the OpenTelemetry project is to introduce a standardized open solution for any development team to enable a proper observability layer in its project. OpenTelemetry provides a standard protocol description for metrics, tracing, and logging collection. It also collects APIs under its nest instrumentation for different target languages and data infrastructure components.

Below is a visualization of the overall scope of OpenTelemetry (credits to CNCF):

The development of specifications and all related implementations is being run in an open way in Github, so anyone involved can propose changes.

Different instrumentation implementations for different languages are in development. The current state of readiness can always be found on a related page of official documentation (for example, PHP).

Logs

Logs are the oldest and best-known type of telemetry signals, and they have a significant legacy. Log collection and storage is a well-understood task, with many solutions being established and widely adopted to carry it out. For example, the infamous ELK (or EFK) stack, Splunk, and Grafana Labs recently introduced the Loki project, a lighter alternative to ElasticSearch.

The main problem is that logs are not integrated with other telemetry signals – no solutions offer an option to correlate a log record with a relative metric or trace. Having the opportunity to do this can form a very powerful introspection framework.

OpenTelemetry specifications try to solve this problem with a logging format standard proposal. It allows correlating logs via execution context metadata, timing, or a log emitter source.

However, right now the standard is at an experimental stage and under heavy development, so we won’t focus on it here. The current specifications can be found here.

Metrics

As discussed previously, metrics are numeric data aggregates representing the software system’s performance. Through aggregation, we can develop a combination of measurements into exact statistics during a time window.

The OpenTelemetry metrics system is flexible. It was designed to be like this to cover the existing metric systems without any loss of functionality. As a result, a move to OpenTelemetry is less painful than other alternatives.

The OpenTelemetry standard defines three metrics models:

  • Event model — metric creation by a developer on the application level.

  • Stream model — metric transportation.

  • Time Series model — metric storage.

The metrics standard defines three metric transformations that can happen in between the Event and Stream models:

  • Temporal reaggregation reduces the number of high frequency metrics being transmitted by changing the resolution of the data.

  • Spatial reaggregation reduces the number of high frequency metrics being transmitted by removing some unwanted attributes and data.

  • Delta-to-cumulative reduces the size of high frequency metrics being transmitted via a move from absolute numbers (cumulative) to changes between different values (delta).

We will talk about the Stream and Time Series models in the third part of our blog series, where we will discuss signal transportation and storage. For now, let’s focus on the Event model, which is related to instrumentation.

The process of creation for every metric in OpenTelemetry consists of three steps:

  • Creation of instruments that will generate measurements – particular data points that we evaluate.

  • Aggregation of measurements into a View – a representation of a metric to output from the instrumented software system.

  • Metric output – the transportation metrics to storage using a push or pull model.

The OpenTelemetry measurements model defines six types:

  1. Counter – non-negative, continually increasing monotonic measurement that receives increments. For example, it may be a good fit for counting the overall number of requests the system has processed.

  2. UpDownCounter – the same as the Counter, but non-monotonic, allowing negative values. It may be a good fit for reporting the amount of requests being currently processed by the system.

  3. Histogram – multiple statistically relevant values distributed among a list of predefined buckets. For example, we may be interested not in particular response time but in the percentile of response time distribution, it falls into (a Histogram would be useful here).

  4. Asynchronous Counter – the same as the Counter, but values are emitted via a registered callback function, not a synchronous function call.

  5. Asynchronous UpDownCounter – the same as the UpDownCounter, but values are emitted via a registered callback function, not a synchronous function call.

  6. Asynchronous Gauge – a specific type for values that should be reported as is, not summed. For example, it may be a good fit for reporting the usage of multiple CPU cores – in this case, you will likely want to have the maximum (or average) CPU usage, not summed usage.

Through Aggregations in OpenTelemetry, measurements are being aggregated into end metric values that afterward will be transported to storage. OpenTelemetry defines the following measurements as Aggregations:

  • Drop – full ignore of all measurements.

  • Sum – a sum of measurements.

  • Last Value – only the last measurement value.

  • Explicit Bucket Histogram – a collection of measurements into buckets with explicitly predefined bounds.

  • Exponential Histogram (optional) – the same as the Explicit Bucket Histogram but with an exponential formula defining bucket bounds.

A developer can define their own aggregations, but in most cases, the default ones predefined for each type of measurement will suit the developer’s needs.

After all aggregations have been done, additional filtering or customization can be carried out on the View level. To summarize, an example of a simple metric creation is the following (in GoLang):

import “go.opentelemetry.io/otel/metric/instrument”

 

counter := Meter.SyncInt64().Counter(

 

“test.counter”,

 

instrument.WithUnit(“1”),

 

instrument.WithDescription(“Test Counter”),

 

)

 

// Synchronously increment the counter.

 

counter.Add(ctx, 1, attribute.String(“attribute_name”, “attribute_value”))

Here we create a simple metric consisting of one counter-measurement. As you can see, many details we discussed are hidden but can be exposed if the developer needs them.

In the next part of our blog series, we will talk about metrics transportation, storage, and visualization.

Traces and spans

As we discussed previously, traces represent an execution path inside a software system. The execution path itself is a series of operations. A unit of operation is represented in the form of a span. A span has a start time, duration, an operation name, and additional context attached to it. Spans are interconnected via context propagation and can be nested (one operation can consist of multiple smaller operations inside itself). The resulting hierarchical tree structure of spans represents the trace – an entire execution path inside a software system.

The internal span structure can be visualized like this:

Here is an example of the simplest span creation (in GoLang):

import “go.opentelemetry.io/otel/trace”
 
var tracer = otel.Tracer(“test_app”)
 
// Create a span

 

ctx, span := tracer.Start(ctx, “test-operation-name”,

 

trace.WithSpanKind(trace.SpanKindServer))
 
testOperation()

 

// Add attributes

 

if span.IsRecording() {

 

span.SetAttributes(

 

attribute.Int64(“test.key1”, 1),

 

attribute.String(“test.key2”,“2”),

 

)

 

}
 
// End the span

 

span.End()

Now we have our first trace.

A trace can be distributed through different software microservices. In this case, so as not to lose the interconnection, OpenTelemetry SDK can automatically propagate context through the network according to the protocol being used. One example is the W3C Trace Context HTTP headers definition. However, not all language SDKs support automatic context propagation, so you may have to instrument it manually depending on the language you use.

Detailed documentation about traces with format explanations can be found here.

Signal interconnections

The ability to interconnect different types of signals makes an observability framework powerful. For example, it allows you to identify a service response that took too long via metrics and, in one click, jump to the correlating trace of this response execution to identify what part of the system caused the slow processing.

Signals in OpenTelemetry can be interconnected in a couple of ways. One is the use of Exemplars – specific values supplied with trace, logs, and metrics. These consist of a particular record ID, time of observation, and optional filtered attributes specifically dedicated to allowing a direct connection between traces and metrics. Detailed documentation about Exemplars can be found here.

Another approach to signal interconnection is the association of the same metadata with the use of Baggage and Context. Baggage is a specific value supplied with traces, logs, and metrics that allows you to annotate it and consists of user-defined pairs of keys and values. By annotating corresponding metrics and traces with the same values in Baggage, the user can correlate them. Detailed documentation about Baggage can be found here.

Conclusion

We covered the pillars of OpenTelemetry and some details of application instrumentation. But we don’t just need to instrument our applications – we should also introduce tooling for the aggregation, storage, and visualization of the signals we supply. In the third part of this series, we will discuss tooling and the OpenTelemetry collector component in detail.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Migrate your VFE licenses to Google Cloud Storage to save thousands at renewal time

It’s that time of the year again.

No, not the holiday season. It’s nearly the start of Google’s financial year, and, with that, time for a lot of you to renew your Google Workspace licenses. This year though, you might get hit by an unexpected surprise. Umer Hamid, one of our dedicated Google Sales Architects at CloudM, explains why.
“Around this time of year, I find customers getting in touch with me in a panic. In January, they will be renewing their Google Workspace license, but this time, it’s going to cost thousands more. Why? Because they have a few hundred Vault Former Employee (VFE) licenses gathering dust. As Google phases out free VFE and replaces them with paid Archived User (AU) licenses, many businesses find $$$ added to their bill.”

Ouch!

Well, what can you do to beat the bill (or at least make a considerable dent in it), whilst keeping compliant with data retention rules and regulations? Especially when you have a lot of data to move, are short on time, and you are restricted by Google’s limit of allowing only 20 VFE licenses to be migrated at any one time? Don’t worry! Here is the approach that Umer has suggested to our customers that are also facing this daunting situation.

Step 1

Quite simply, use CloudM Migrate to move all the required data in bulk and at speed from Google Vault into your own Google Cloud Storage, completely owned and managed by you as part of your Google Cloud Platform. Instead of paying for individual AU licenses for every offboarded employee, you will only have to pay the data storage cost. With the VFE data export limit of 20 concurrent users in place, some businesses might struggle to move all of their suspended users to storage before the renewal deadline, but CloudM Migrate is one of the fastest and most reliable ways to chip away at the number of AU licenses you might need, significantly reducing the figure you will need to pay out.  

Step 2

Phew! It was close but you’ve managed to migrate all that data (or at least a significant chunk) before your renewal date. Now though, how do you make sure that you never have a large amount of expensive Google licenses sitting idle, and costing you money at renewal time, ever again? CloudM Archive comes to your rescue! All you need to do is configure CloudM Archive so that it can offboard data to your Google Cloud Storage buckets, and add the Archive step to your CloudM Automate Offboarding Workflows. When an employee leaves, their email and drive data will automatically be sent to whichever bucket you specify on the Workflow. Using CloudM Archive, your data is secure, easily searchable and instantly restorable, and will automatically be deleted as part of data retention policies so you always stay compliant.  

Read our Counting the (recurring) costs of AU licenses blog for a more in-depth look at how CloudM Archive continues to save you money and time, year in, year out.

If your Google Workspace license renewal is coming up quickly, and you want to avoid paying out for unnecessary AU licenses, the quicker you act, the more you will save. Umer and the team are on hand to help you so get in touch today.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About CloudM
CloudM is an award-winning SaaS company whose humble beginnings in Manchester have grown into a global business in just a few short years.

Our team of tech-driven innovators have designed a SaaS data management platform for you to get the most from your digital workspace. Whether it’s Microsoft 365, Google Workspace or other SaaS applications, CloudM drives your business through a simple, easy-to-use interface, helping you to work smarter, not harder.

By automating time-consuming tasks like IT admin, onboarding & offboarding, archiving and migrations, the CloudM platform takes care of the day-to-day, allowing you to focus on the big picture.

With over 35,000 customers including the likes of Spotify, Netflix and Uber, our all-in-one platform is putting office life on auto-pilot, saving you time, stress and money.

This Thanksgiving, Be Thankful for OT Security | SCADAfence

Thanksgiving – when families get together and express gratitude for everything they have, accompanied by good food and hopefully great football. For most families and network security teams who just feel like family, this is a great time for looking back and evaluating the past year and giving thanks for how far we’ve come. 

Continue reading

From Nuclear Bombs to Zero Days

For those faithful few who follow my posts here regularly, you’re aware that much of my recent writing has explored cybersecurity in the context of national security. I’ve looked at how several countries are developing their national cyber defenses, and how some other countries are going on the offensive, using cyber attacks to achieve geopolitical ends. I think the evolution of international relations and realpolitik into the digital realm is a fascinating subject that will alter some of our fundamental expectations about how power operates across the globe. And we’re just seeing the start. I don’t mean to sound excited – there’s plenty to be terrified about – but I’m certainly riveted, and I hope others are too.

Given my recent writing, a report from several weeks back immediately caught my attention. In Microsoft’s 2022 Digital Defense Report, China is accused of essentially stockpiling cyber vulnerabilities for potential use in future cyber attacks. Countries used to hoard bombs and bullets. Now they’re doing the same things with accelerants for cyber attacks. It’s an alarming development that, to my genuine chagrin, aligns exactly with what I’ve been harping on of late. Let’s take a closer look.

Turning Weaknesses Into Weapons

Most developed nations, the US included, have formal channels in place to report cyber vulnerabilities. China took that one step further through a series of laws passed in 2021. Those laws made it mandatory for network operators and hardware/software makers to report any vulnerability discovered to local officials. That wouldn’t seem all that unusual in a centrally controlled, risk-averse country like China. But the laws made an unusual stipulation: report vulnerabilities to local officials but not anyone else. Officials would have to give permission before the vulnerability was disclosed to the developer or the public at large.

Officials explained this stipulation as a way to strengthen China’s cyber defenses – they could use the vulnerabilities to harden themselves against attacks before someone had a chance to exploit them. But it did not take a military mind to see an alternate and opposite scenario as just as likely: China was using turning these vulnerabilities into cyber attacks before anyone else knew they were exposed.

The more cynical interpretation is given credence by the fact that hackers based in or supported by the Chinese government have proven especially proficient at exploiting zero day (unknown) vulnerabilities, especially in just the last six months according to Microsoft. One can easily guess why: the Chinese government is feeding them intelligence.

I would encourage anyone interested in the technical specs to reference the report, which explains the particular vulnerabilities that have been exploited by China-affiliated hackers. Also interesting are some of the targets of these attacks, including energy, telecommunications, and government systems throughout Southeast Asia. If the reports are true, China clearly sees cyber attacks based on undisclosed vulnerabilities as both potent tools in their digital arsenal and a way to exert their influence throughout the region (and beyond.)

A Different Kind of Arms Race

I should probably stress here that I don’t think what China is alleged to be doing is all that surprising. Like so many aspects of cybercrime and digital disruption, what we see isn’t something totally new and novel but rather a futuristic spin on long-running forms of crime and conflict. For all of history, groups have been searching for their enemy’s weak points and keeping quiet when they find something. We used to look for cracks in the fortress walls, now we look for misconfigurations in the cloud. It makes sense that China would incorporate this technique into its cyber strategy.


Which leads me to believe they’re not the only ones doing it. Other countries may not have laws on the books requiring people to report vulnerabilities. That said, they almost certainly have ways to discover and leverage vulnerabilities early and quietly. It would be glaring a oversight not to.


Predictable as all of this may be, I think the long-term consequences are much harder to surmise. Just one example: what will happen with zero day attacks once countries are racing to both find vulnerabilities and keep them out of public knowledge? There’s been an admirable and to some extent effective push to see zero days as a collective problem that we must address through transparency and information sharing – but seeing vulnerabilities as valuable weapons of war would seem to undermine that effort. Then what?


We won’t have to wait long for the answer, I suspect. The cyber saber-rattling has been ramping up for years now. And with the conflict in Ukraine making this a record-setting year for cyber attacks sponsored by nation-states…the gloves are coming off.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.