Skip to content

Why Aren’t More SMEs Using Multi-Factor Authentication?

Cyberattacks against small and medium-sized enterprises (SMEs) are on the rise — from ransomware to Distributed Denial of Service (DDoS). Leveraged credentials, most often passwords, cause 61% of data breaches.

Nearly half of all cyberattacks target SMEs who are less equipped to recover from damages. 

Why don’t cybercriminals limit their nefarious activity to organizations with large bank accounts? They have strategically determined SMEs are less likely to invest in security best practices than large enterprises. 

Sadly, the consequences of these data breaches can be devastating. On average, 60% of SME breach victims file for bankruptcy within six months of an incident. The good news is SMEs can avoid nearly 100% of breaches by taking one simple action: implementing multi-factor authentication (MFA)

Why Aren’t More SMEs Using Multi-Factor Authentication?

person in a mask typing in code on a computer

According to a 2021 study, organizations that use MFA are 99.9% less likely to experience a breach than those that do not. 

Yet, despite having awareness of cybersecurity risks, an estimated 67% of business decision-makers don’t use MFA for any of their login points.

Why aren’t more SMEs using multi-factor authentication? Is the resistance to MFA one of misunderstanding, misinformation, or the perception of inconvenience? And how can it be overcome? Let’s explore MFA’s benefits, challenges, and common misconceptions around SMEs using multi-factor authentication — but first, a primer on MFA:  

What Is MFA? 

MFA is a method to protect an access transaction by utilizing multiple (often two) factors to verify a user’s identity. MFA, sometimes referred to as two-factor authentication (2FA), goes beyond vulnerable password authentication by requiring two or three forms of identity:

  • Something you are: biometric data like facial recognition, fingerprint, retinal imprint, or even speech and typing patterns.
  • Something you know: passwords or facts about your life or family history.
  • Something you have: a device in your possession, like a phone or a security key.

Though the technology has been around for decades, biometric data recognition was mostly relegated to sci-fi movies until recently. 

However, technologies like facial recognition and fingerprint scanning are now mainstream thanks to organizations embedding them into their products. A recent survey of 1,000 Americans found that 70% of them find biometrics easier to use than traditional passphrases. 

How Does MFA Work?

End users may see MFA as slightly inconvenient as it involves a few extra steps. But the process itself is relatively straightforward: 

  • The user logs in with their password (something they know).
  • The user is prompted to satisfy a second factor:
    • One-time passcode (TOTP) on their phone or tablet from an authentication app like Google Authenticator, or
    • One-time passcode (OTP) via email or SMS, or
    • Push notification from a smartphone or tablet app, or
    • Scan of fingerprint, face, or other biometric factor 

Once the user’s identity has been verified by the organization’s chosen secondary and/or tertiary factor, the user is granted admission to the network. 

Benefits and Challenges of Using MFA 

woman sipping from a coffee mug, petting her dog while working in front of her laptop

MFA Benefits

Implementing MFA has many benefits, but here are three: 

  • MFA keeps accounts secure even if passwords have been compromised.
  • MFA provides peace of mind for stressed-out cybersecurity teams. 
  • MFA lays the foundation for running a Zero Trust security framework, which maintains trust without maximum verification and introduces security vulnerabilities. 

In addition, MFA is one of the easiest security measures admins can take. 

MFA Challenges and Solutions

Now, let’s dig into why more SMEs aren’t using multi-factor authentication. Identity management is the only technology that requires users and admins to balance efficiency, convenience, and security all at once — a challenge, but a surmountable one. 

Here are the three challenges most often cited by SMEs resisting MFA:

  • MFA could be time-consuming and slow productivity.
  • MFA could negatively impact user experience (UX).
  • MFA could be expensive for small businesses to manage. 

When it comes to choosing between speed and security, speed often wins. Fortunately, new innovations in UX design are delivering a seamless user experience with no compromise. Implemented correctly, MFA can increase IT security without adding complexity or slowing productivity for the end user. 

business meeting in an office setting

Managed MFA solutions can support multiple factors depending on the applications, devices, and systems they protect. Integrated into a cloud directory platform like JumpCloud, managed MFA solutions reduce the complexity of protecting a single identity while securely connecting the user to multiple IT resources. Less complexity leads to higher user adoption rates and a greatly reduced attack surface.

Employees may continue to lose their smartphones on occasion, but this problem can be solved with an authentication app like JumpCloud Protect™. JumpCloud Protect will: (1) temporarily relax MFA requirements while the user sets up their new phone; or (2) shift MFA requirements to a non-smartphone-based method like a hardware-based key or fingerprint scanner.

Finally, MFA costs are scalable for SMEs, with simplified à la carte and bundled pricing plans that deliver what businesses of all sizes need, when they need it. (Note: Cloud MFA services are free with all bundled JumpCloud packages.)

The ROI of Multi-Factor Authentication for SMEs

With so much on the line for SMEs, whose data is frequently targeted by hackers, MFA adoption has never been more critical. MFA helps keep accounts secure even if passwords have been compromised. 

According to Aberdeen Research, small businesses of less than 500 employees with up to $50M in annual revenue experienced downtimes costs of up to $8,600 per hour in 2016. All things considered, a solid Zero Trust initiative like MFA is a drop in the bucket. 

Interested in learning more about JumpCloud and how to achieve more robust security practices? Open a JumpCloud Free account today. 

JumpCloud Free grants new admins 10 systems and 10 users free to help evaluate with access to the complete platform. Once you’ve created your organization, you also receive 10 days of Premium 24×7 in-app chat support to help you with any questions or issues.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Datto Integration

The first agent of SafeDNS was integrated into Datto RMM.
It simplifies the process of getting access to web filtering  for MSPs who use Datto.

Our Linux agent is now presented in the Datto ComStore. Any client of Datto can now download SafeDNS Linux agent straight from the RMM interface.

The process is simple:
1. Look for the Automation tab in the left menu.

2. Choose Comstore.

3. Type in SafeDNS in the search bar & download the agent.

Stay tuned for the integration of our Win & Mac agents!

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.

ESET Research: Bahamut group targets Android users with fake VPN apps; spyware steals users’ conversations

  • ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group.
  • The main purpose of the spyware is to extract sensitive user data and actively spy on victims’ messaging apps such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram.
  • The app used has at different times been a trojanized version of one of two legitimate VPN apps, SoftVPN or OpenVPN, which have been repackaged with Bahamut spyware code.
  • The campaign appears to be highly targeted, since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users.
  • ESET was able to identify at least eight versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained.

BRATISLAVA, KOŠICE — November 23, 2022 — ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been ongoing since the start of this year. Malicious spyware apps are distributed through a fake SecureVPN website that provides only trojanized Android apps to download. This website has no association whatsoever with the legitimate, multiplatform SecureVPN software and service. Malicious apps used in this campaign are able to exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram. ESET researchers discovered at least eight versions of the Bahamut spyware, which could mean the campaign is well-maintained. The malicious apps were never available for download from Google Play.

“The data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our telemetry data,” explains ESET researcher Lukáš Štefanko, who discovered and analyzed the dangerous Android malware. “Additionally, the app requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users,” adds Štefanko. This layer aims to protect the malicious payload from being triggered right after launch on a non-targeted user device or when being analyzed. ESET Research has already seen similar protection being used in another campaign by the Bahamut group.

All exfiltrated data is stored in a local database and then sent to the Command and Control (C&C) server. The Bahamut spyware functionality includes the ability to update the app by receiving a link to a new version from the C&C server.

If the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut operators and can exfiltrate various sensitive device data, such as contacts, SMS messages, call logs, a list of installed apps, device location, device accounts, device info (type of internet connection, IMEI, IP, SIM serial number), recorded phone calls, and a list of files on external storage. By misusing accessibility services, the malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps, such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.

The Bahamut APT group typically uses spearphishing messages and fake applications as the initial attack vector, against entities and individuals in the Middle East and South Asia. Bahamut specializes in cyberespionage, and ESET Research believes that its goal is to steal sensitive information from its victims. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group. Bellingcat named the group after the enormous fish floating in the vast Arabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is frequently described in Arabic mythology as an unimaginably enormous fish.

For more technical information about the latest Bahamut APT group campaign, check out the blog post “Bahamut cybermercenary group targets Android users with fake VPN apps” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

SecureVPN website provides a trojanized app to download.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

How to Recover a FileVault Key

Jump to Tutorial

FileVault is a disk encryption feature built into macOS to protect your hard drive from unauthorized access. When enabled, your startup volume is locked when the Mac is sleeping or shut down, and the data is encoded so it can’t be read unless the login password is used. 

When enabling FileVault, macOS asks you a critical question on how you would like to unlock your disk. There are two options (Figure 1):

  1. Allow your iCloud account to unlock your disk
  2. Create a recovery key

If you choose the first option while enabling FileVault, you only need to access your iCloud account to unlock your Mac and the OS will not create a separate recovery key. If you choose the second option, macOS generates a recovery key that you are expected to store in a safe place. 

However, what happens if you lose the key? We’ll cover your options for potentially recovering a FileVault key in this tutorial.

screenshot of security and privacy
Figure 1

Note: If you lose both your Mac password and FileVault recovery key, you will not be able to log in to your device or access the data on your startup disk.

Not Sure if the Recovery Key Is Correct?

Maybe you have a recovery key, but are unsure if it’s the right one for this computer. Fortunately, if you are already/still logged in to your Mac, there is a way forward. You can validate the recovery key by taking these steps:

  • Launch the Terminal.app on your Mac: search for “terminal” using the Spotlight search option on your device or navigate through Applications > Utilities > Terminal.
  • Run the command sudo fdesetup validaterecovery and click return. Enter your admin password when requested.
  • You will be prompted to enter the current recovery key. Do exactly that and ensure you do not leave out the hyphens in the key. Because your entry is hidden and you cannot use the backspace if you type a mistake, we offer this pro tip: copy and paste into Terminal. Just be sure you don’t copy any leading or trailing spaces.

There are three possible outcomes: 

  1. true (Figure 2a) if your key is correct
  2. false (Figure 2b) if the key you entered follows the format of a recovery key but is incorrect for this computer
  3. Error: Not a valid recovery key (Figure 2c) if the key does not look like a recovery key at all (e.g., if you leave out the hyphens)
screenshot of a possible outcome
Figure 2a
screenshot of a possible outcome
Figure 2b
screenshot of a possible outcome
Figure 2c

Recovery Key Incorrect or Lost?

Unless your system is managed by a device management platform, if your FileVault recovery key is completely lost or the validation keeps returning false, unfortunately you cannot recover it. It is gone. 

The only thing you can do while you still have access to your computer is to create a new key. You can do this in two ways: 

  1. Via Terminal.app
  2. Via the FileVault tab under Security & Privacy

Whichever method you choose, note that you will not get the same recovery key that was lost. Instead, a new key will be generated.

1. Create a New Key Via Terminal

Launch the Terminal.app and run the following command: 

sudo fdesetup changerecovery -personal 

This method will allow you to generate a new key without having to turn off FileVault and re-enable it. Enter your user name and password when prompted to do so. If the change is successful, you will see a new recovery key (Figure 3). 

Otherwise, you may get an error that you cannot change your key. We recommend trying the second method discussed below if this method doesn’t work for you.

screenshot of a possible outcome
Figure 3

2. Create a New Key Via FileVault Tab

With this method, you need to turn off FileVault and turn it back on to generate a new recovery key. On your Mac, go to Apple menu > System Preferences > Security and Privacy and click on the FileVault tab. 

Then, click the lock icon on the left-hand side of the pane, provide the administrator password, and click Unlock. Afterwards, select Turn Off FileVault… (Figure 4). The decryption of your disk occurs in the background as you use your device and only while the device is awake and plugged into AC power. You can track the progress under the FileVault tab. 

When the decryption is complete, return to the FileVault tab and click Turn On FileVault.You will be prompted to choose between iCloud or recovery key. If you choose “Create a recovery key and do not use my iCloud account,” be absolutely sure to copy it and store it in a safe place, such as your Password Manager

Do not save it on the same startup disk you are encrypting.

screenshot of security and privacy
Figure 4

Retrieving Your Key On a JumpCloud-Managed macOS Device

If you use a JumpCloud-managed macOS device, yes it is possible to retrieve your recovery key and avoid the perils of FileVault! Your IT admin will need to take the following steps:

  1. Log in to the JumpCloud Admin Portal via https://console.jumpcloud.com/login/admin
  2. Go to DEVICE MANAGEMENT > Devices 
  3. Under Devices, select the relevant device
  4. Under Details, click the view key button

Boom, your admin can now see your recovery key. To learn more about retrieving a recovery key on a JumpCloud-managed device, check out the following support documentation:

Not using JumpCloud yet? Our open directory platform goes beyond allowing you to easily access recovery keys. It empowers you to manage access, user privileges, and the security settings of your entire fleet — no matter the OS. Use our platform for free for up to 10 users and 10 devices so you never have to worry about losing your FileVault recovery key again.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Fortinet Authentication Bypass Vulnerability – CVE-2022-40684

Introduction:

The latest FortiOS / FortiProxy / FortiSwitchManager vulnerability has been reportedly exploited in the wild, which allows an attacker to bypass authentication and login as an administrator on the affected system.

  • Vulnerability Release Time : Oct Nov, 2022

  • Vulnerability Component Name : FortiOS – FortiProxy – FortiSwitchManager

  • Affected Products :

    • Affected FortiOS

      • 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0, 7.2.1

    • Affected FortiProxy

      • 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0

    • FortiSwitchManager

      • 7.0.0, 7.2.0

    • FortiOS versions 5.x, 6.x are NOT impacted

    • FortiProxy version 7.2.0

Solutions :

  • Please upgrade to FortiOS version 7.2.2 or above

  • Please upgrade to FortiOS version 7.0.7 or above

  • Please upgrade to FortiProxy version 7.2.1 or above

  • Please upgrade to FortiProxy version 7.0.7 or above

  • Please upgrade to FortiSwitchManager version 7.2.1 or above

  • Please upgrade to FortiSwitchManager version 7.0.1 or above

  • Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms

Execution Summary:

The CVE-2022-40684 vulnerability allows adversaries to bypass authentication and login into the vulnerable systems as an administrator in FortiOS / FortiProxy / FortiSwitchManager products.

Having admin user rights, adversaries can,

  • add new users to the vulnerable system

  • reroute the network traffic by updating network configurations

  • listen to and capture sensitive data by running packet capturing programs

CVSS v3:

  • Base Score: 9.8 (Critical)

  • Attack Vector:              Network

  • Attack Complexity:          Low

  • Privileges Required:        None

  • User Interaction:           None

  • Confidentiality Impact:     High

  • Integrity Impact:           High

  • Availability Impact:        High

Mitigation:

As mitigation measures and security workarounds for remediating the threat, Fortinet advisory recommends disabling the HTTP/HTTPS admin interface or limiting the IP address that can access the latter. Customers are also highly recommended to upgrade their potentially vulnerable software to the latest versions.

Furthermore,

In their PSIRT Advisories blog, the FortiGuard Labs have given some mitigation suggestions and recommended performing the following upgrades according to the vulnerable products.

For FortiOS:

  • Upgrade to version 7.2.2 or above

  • Upgrade to version 7.0.7 or above

If applying patch is not possible for some other reasons, apply the following mitigation suggestions.

Suggestion 1: Disable HTTP/HTTPS administrative interface

Suggestion 2: Limit IP addresses that can reach the administrative interface
  • config firewall address

  • edit "my_allowed_addresses"

  • set subnet <MY IP> <MY SUBNET>

  • end

Then crate an Address Group
  • config firewall addrgrp

  • edit "MGMT_IPs"

  • set member "my_allowed_addresses"

  • end

Create the Local in Policy to restrict access only to the predefined group on management interface.
  • config firewall local-in-policy

  • edit 1

  • set intf port1

  • set srcaddr "MGMT_IPs"

  • set dstaddr "all"

  • set action accept

  • set service HTTPS HTTP

  • set schedule "always"

  • set status enable

  • next

  • edit 2

  • set intf "any"

  • set srcaddr "all"

  • set dstaddr "all"

  • set action deny

  • set service HTTPS HTTP

  • set schedule "always"

  • set status enable

  • end

If you are using non default ports, create appropriate service object for GUI administrative access:
  • config firewall service custom

  • edit GUI_HTTPS

  • set tcp-portrange <admin-sport>

  • next

  • edit GUI_HTTP

  • set tcp-portrange <admin-port>

  • end

Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 above.

For FortiProxy:

  • Upgrade to version 7.2.1 or above

  • Upgrade to version 7.0.7 or above

If applying patch is not possible for some other reasons, apply the following mitigation suggestions.

Suggestion 1: Disable HTTP/HTTPS administrative interface
Suggestion 2: For FortiProxy VM all versions or FortiProxy appliance 7.0.6:

Limit IP addresses that can reach the administrative interface:
  • config system interface

  • edit port1

  • set dedicated-to management

  • set trust-ip-1 <MY IP> <MY SUBNET>

  • end

For FortiSwitchManager:

Upgrade to version 7.2.1 or above: Disable HTTP/HTTPS administrative interface

Technical Analysis / Exploits:

We found an open admin panel link and we tried to use default credentials but they failed.

  1. Now that our default bruteforce attack didn’t work, let’s try to use a new exploitation technique. Use below link to open exploit python script.

    https://github.com/horizon3ai/CVE-2022-40684

Open the python script file and copy complete code. Create a new file in your local directory and paste that copied python code in the new file.

      In our case we created a file with the name pocforti.py and pasted the code in it

Now let’s run this python script and let it do the magic trick. Use below command with fortinet admin server ip, port number, and your public key path.

python3 pocforti.py -t <fortinet admin server ip>:<port number> --username admin --key-file <your public key path>

Now after executing the python script, let’s try to SSH the fortinet hosted server. Use bellow command to successfully SSH in fortinet server.

ssh admin@<fortinet server ip>

After successfully get fortinet server access, let’s create a new user in fortinet database

Now after adding a new user with admin rights, let’s try this user.

After entering the new credentials of the created user, we successfully login to the fortinet admin panel as an admin user

Open the admin users to verify if your user is successfully added as admin user or not

As you can see, our created user is successfully added in fortinet users as an admin user.

Reference:

#fortinet #FortiProxy #ForitnetAdminAccess #CVE-2022-40684

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Hardening

Hardening is the process of bringing our OS, application, etc. to a more secure state, by configuring the system aside from its default (or previous) settings by reducing the attack surface.

This process can (and will) usually include removing software/services from the OS, removing/changing default password, patching, and so on.

The process of hardening has for its aim to remove configuration vulnerabilities.

For example, you can place a password policy on your OS, so that the user has to enter more complex password, than no or a simple password which would classify as a configuration-based vulnerability.

The hardening process should be specific for the OS and the threats you’re attempting to control. It would not be the same for a Linux-based server that’s for example a public webserver and for a Windows desktop. This would be different because of the nature of the threats you’re going up against, i.e., you’d need to have different profiles for each of those.

This implies that there’s no general way to harden systems, however, there are things that you will tend to do that will hold for all those cases. Like, as I already mentioned, removing unnecessary stuff, reducing your attack surface by controlling what could be attacked better, etc.

Hardening is not a trivial task, as it requires in-depth understanding of a system you’re hardening. To make an extreme example – you could set your firewall to block all inbound traffic by default and you would be quite safe, but then again, the reason for that safety would be due to the fact you’ve rendered one of the (main) functionalities of that system unusable – Accessing the Internet. Thus, you really need to pay attention in order to strike that middle ground between usability and security in a sensible way. You don’t want to have issues with using your daily driver OS, and you don’t want to break it.

Layers

Its helpful to think of layers when hardening your systems. One such example can be the webserver I already mentioned. You would have the OS layer, thus you’d need to harden the OS itself, then if your, for example, Apache runs an app server, you’d need to harden that as well. Finally, if you have an application that’s running there – the code for that application would need to be written securely.

This is just an illustration, so that you have a general idea of what to think about when thinking about hardening, but I want to focus more on OSes (if necessary, I will create another OS dedicated article about hardening).

Standards

There are standards out there for mostly anything you’d like to harden, and it’s best to follow these. Similar to let’s say secure coding best practices, or any other type of best practices.

Also, there are scripts that can audit or remediate your system to a state you wanted, this not only saves you time, but it will also provide you with a good way to avoid any human-based errors, while hardening your system.

The standards can be called baselines, benchmarks, policies, standards, etc. Just an fyi. They still describe the same thing… also, note that these benchmarks are made by a community of security professionals, which is what we want.

One such hardening standard is the CIS Benchmarks. As you can see on the link, they offer hardening for Mobile Devices, Network Devices, Server/Desktop Software, Cloud, and more, aside from the OS benchmarks, and it’s a good place to start. Once you’ve found your target system you’d like to harden, you can click on the link for it and download the associated .pdf file for that specific benchmark. (You will need to fill out a form, but after that, you’ll be sent a link where you’ll be able to access all the available .pdfs and download them, for free).

Note that the standards needn’t necessarily align with your needs, so even these standards are not a silver bullet that you can implement blindly. Read it, understand it, and assess what you will need before going forward with the implementation.

Another one of these baselines is the NIST Configuration Baseline, but it’s a bit dated (offering only for Windows 7 and Red Hat – but if you have Red Hat in your environment, it might be useful to you). Regardless, it’s a good resource to skim through so you can learn a bit more on the topic.

One more standard/baseline is the Securiity Technical Implementation Guides (STIGs), from the DoD Cyber Exchange Team. These are up to date, and cover the latest OSes (mostly) and their respective security standards for hardening them. Do note that these are geared more towards the DoD and their requirements, so there might be some things in there that won’t be useful for your case. However, these are something I’d recommend anyone who wants to harden their system(s) to look at and think of them as general hardening guidelines. To view these, you’ll also need a STIG viewer, as they are in an XCCDF format.

Although this might be a bit of a hassle, it’s worth it because it will give you a very nicely laid out interface with recommended settings, references, information, and more – all related to the hardening of system(s).

SCAP – Security Content Automation Protocol

This is a NIST standard, and from their website, it’s about:

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.

And

NIST’s security automation agenda is broader than the vulnerability management application of modern day SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting. We envision further expansion in compliance, remediation, and network monitoring, and encourage your contribution relative to these and additional disciplines.

The SCAP standard consists of the following components:

  • XCCDF
  • OVAL
  • DataStream
  • ARF
  • CPE
  • CVE

And is XML-based.

Simply put, SCAP is a protocol/standard that enables to create human and machine-readable security documents, that you can use with automated tools to audit/harden a target system.

Open SCAP is the implementation of SCAP. This is a bundle of tools, security policies, and is based on the SCAP standard. Be sure to check out the SCAP Workbench – This tool allows users to perform configuration and vulnerability scans on a single local or a remote system, perform remediation of the system in accordance with the given XCCDF or SDS file. Workbench can generate reports, in multiple formats, containing the results of a system scan.

It will both help you in case all of this is a bit confusing, and you can also run a test on your system, by inputting of the said standards in it and it will run it against that and tell you if your system passed/failed and if it has any vulnerabilities.

Unfortunately, Open SCAP is more focused on Linux systems (particularly Red Hat systems – CentOS/Fedora), but there is some (very minimal) MacOS and Windows support.

Conclusion

This is an extensive topic, and I hope my intro into it has attracted your attention. In the coming articles I will try to cover at least the OS portion of hardening – for Windows, Mac, and Linux.

Stay tuned!

Cover image by Ian Battaglia

#hardening #OS #application #SCAP #standard

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

OpenTelemetry: A modern observability standard

In the first part of our blog series about observability, we covered the basic principles of observability and explained how it differs from the classical monitoring term. In this article, we’ll discuss OpenTelemetry and its instrumentation approaches.

Blog thumbnail 2022 11 24 2

 

OpenTelemetry

Please check out our first article on observability to gain a fuller context for the topic we’re about to discuss. OpenTelemetry is currently the most actively developed standard in the field of observability. It is being adopted as the Cloud Native Computing Foundation incubating project. Born primarily as a merging of former OpenTracing and OpenCensus standards, OpenTelemetry continues to gain popularity, with its supporters including representatives of Google, Microsoft, and Uber.

The goal of the OpenTelemetry project is to introduce a standardized open solution for any development team to enable a proper observability layer in its project. OpenTelemetry provides a standard protocol description for metrics, tracing, and logging collection. It also collects APIs under its nest instrumentation for different target languages and data infrastructure components.

Below is a visualization of the overall scope of OpenTelemetry (credits to CNCF):

The development of specifications and all related implementations is being run in an open way in Github, so anyone involved can propose changes.

Different instrumentation implementations for different languages are in development. The current state of readiness can always be found on a related page of official documentation (for example, PHP).

Logs

Logs are the oldest and best-known type of telemetry signals, and they have a significant legacy. Log collection and storage is a well-understood task, with many solutions being established and widely adopted to carry it out. For example, the infamous ELK (or EFK) stack, Splunk, and Grafana Labs recently introduced the Loki project, a lighter alternative to ElasticSearch.

The main problem is that logs are not integrated with other telemetry signals – no solutions offer an option to correlate a log record with a relative metric or trace. Having the opportunity to do this can form a very powerful introspection framework.

OpenTelemetry specifications try to solve this problem with a logging format standard proposal. It allows correlating logs via execution context metadata, timing, or a log emitter source.

However, right now the standard is at an experimental stage and under heavy development, so we won’t focus on it here. The current specifications can be found here.

Metrics

As discussed previously, metrics are numeric data aggregates representing the software system’s performance. Through aggregation, we can develop a combination of measurements into exact statistics during a time window.

The OpenTelemetry metrics system is flexible. It was designed to be like this to cover the existing metric systems without any loss of functionality. As a result, a move to OpenTelemetry is less painful than other alternatives.

The OpenTelemetry standard defines three metrics models:

  • Event model — metric creation by a developer on the application level.

  • Stream model — metric transportation.

  • Time Series model — metric storage.

The metrics standard defines three metric transformations that can happen in between the Event and Stream models:

  • Temporal reaggregation reduces the number of high frequency metrics being transmitted by changing the resolution of the data.

  • Spatial reaggregation reduces the number of high frequency metrics being transmitted by removing some unwanted attributes and data.

  • Delta-to-cumulative reduces the size of high frequency metrics being transmitted via a move from absolute numbers (cumulative) to changes between different values (delta).

We will talk about the Stream and Time Series models in the third part of our blog series, where we will discuss signal transportation and storage. For now, let’s focus on the Event model, which is related to instrumentation.

The process of creation for every metric in OpenTelemetry consists of three steps:

  • Creation of instruments that will generate measurements – particular data points that we evaluate.

  • Aggregation of measurements into a View – a representation of a metric to output from the instrumented software system.

  • Metric output – the transportation metrics to storage using a push or pull model.

The OpenTelemetry measurements model defines six types:

  1. Counter – non-negative, continually increasing monotonic measurement that receives increments. For example, it may be a good fit for counting the overall number of requests the system has processed.

  2. UpDownCounter – the same as the Counter, but non-monotonic, allowing negative values. It may be a good fit for reporting the amount of requests being currently processed by the system.

  3. Histogram – multiple statistically relevant values distributed among a list of predefined buckets. For example, we may be interested not in particular response time but in the percentile of response time distribution, it falls into (a Histogram would be useful here).

  4. Asynchronous Counter – the same as the Counter, but values are emitted via a registered callback function, not a synchronous function call.

  5. Asynchronous UpDownCounter – the same as the UpDownCounter, but values are emitted via a registered callback function, not a synchronous function call.

  6. Asynchronous Gauge – a specific type for values that should be reported as is, not summed. For example, it may be a good fit for reporting the usage of multiple CPU cores – in this case, you will likely want to have the maximum (or average) CPU usage, not summed usage.

Through Aggregations in OpenTelemetry, measurements are being aggregated into end metric values that afterward will be transported to storage. OpenTelemetry defines the following measurements as Aggregations:

  • Drop – full ignore of all measurements.

  • Sum – a sum of measurements.

  • Last Value – only the last measurement value.

  • Explicit Bucket Histogram – a collection of measurements into buckets with explicitly predefined bounds.

  • Exponential Histogram (optional) – the same as the Explicit Bucket Histogram but with an exponential formula defining bucket bounds.

A developer can define their own aggregations, but in most cases, the default ones predefined for each type of measurement will suit the developer’s needs.

After all aggregations have been done, additional filtering or customization can be carried out on the View level. To summarize, an example of a simple metric creation is the following (in GoLang):

import “go.opentelemetry.io/otel/metric/instrument”

 

counter := Meter.SyncInt64().Counter(

 

“test.counter”,

 

instrument.WithUnit(“1”),

 

instrument.WithDescription(“Test Counter”),

 

)

 

// Synchronously increment the counter.

 

counter.Add(ctx, 1, attribute.String(“attribute_name”, “attribute_value”))

Here we create a simple metric consisting of one counter-measurement. As you can see, many details we discussed are hidden but can be exposed if the developer needs them.

In the next part of our blog series, we will talk about metrics transportation, storage, and visualization.

Traces and spans

As we discussed previously, traces represent an execution path inside a software system. The execution path itself is a series of operations. A unit of operation is represented in the form of a span. A span has a start time, duration, an operation name, and additional context attached to it. Spans are interconnected via context propagation and can be nested (one operation can consist of multiple smaller operations inside itself). The resulting hierarchical tree structure of spans represents the trace – an entire execution path inside a software system.

The internal span structure can be visualized like this:

Here is an example of the simplest span creation (in GoLang):

import “go.opentelemetry.io/otel/trace”
 
var tracer = otel.Tracer(“test_app”)
 
// Create a span

 

ctx, span := tracer.Start(ctx, “test-operation-name”,

 

trace.WithSpanKind(trace.SpanKindServer))
 
testOperation()

 

// Add attributes

 

if span.IsRecording() {

 

span.SetAttributes(

 

attribute.Int64(“test.key1”, 1),

 

attribute.String(“test.key2”,“2”),

 

)

 

}
 
// End the span

 

span.End()

Now we have our first trace.

A trace can be distributed through different software microservices. In this case, so as not to lose the interconnection, OpenTelemetry SDK can automatically propagate context through the network according to the protocol being used. One example is the W3C Trace Context HTTP headers definition. However, not all language SDKs support automatic context propagation, so you may have to instrument it manually depending on the language you use.

Detailed documentation about traces with format explanations can be found here.

Signal interconnections

The ability to interconnect different types of signals makes an observability framework powerful. For example, it allows you to identify a service response that took too long via metrics and, in one click, jump to the correlating trace of this response execution to identify what part of the system caused the slow processing.

Signals in OpenTelemetry can be interconnected in a couple of ways. One is the use of Exemplars – specific values supplied with trace, logs, and metrics. These consist of a particular record ID, time of observation, and optional filtered attributes specifically dedicated to allowing a direct connection between traces and metrics. Detailed documentation about Exemplars can be found here.

Another approach to signal interconnection is the association of the same metadata with the use of Baggage and Context. Baggage is a specific value supplied with traces, logs, and metrics that allows you to annotate it and consists of user-defined pairs of keys and values. By annotating corresponding metrics and traces with the same values in Baggage, the user can correlate them. Detailed documentation about Baggage can be found here.

Conclusion

We covered the pillars of OpenTelemetry and some details of application instrumentation. But we don’t just need to instrument our applications – we should also introduce tooling for the aggregation, storage, and visualization of the signals we supply. In the third part of this series, we will discuss tooling and the OpenTelemetry collector component in detail.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

How to Not Fall Victim to Browser Vulnerabilities

JumpCloud’s Universal Chrome Browser Patch Management

Browsers are the gateway to online productivity. 

Without them, we would not be able to get work done. To that end, they are also one of the biggest attack targets for bad actors. If we are not careful, and do not make a conscious effort to upkeep web browser security, hackers can easily exploit browser vulnerabilities. 

What makes browsers especially appealing to these individuals? Browsers access, collect, and hold lots of sensitive data — from personal credentials to company information — that cyber hackers can sell on the dark web and use to blackmail companies.

According to Atlas VPN, Google Chrome, the world’s most popular browser, has the highest number of reported (303) vulnerabilities year to date. Google Chrome also has a total of 3,159 cumulative vulnerabilities since its public release. 

In this article, we’ll dive into the topic of browser vulnerabilities, the importance of patch management, and how to streamline protection.

Atlas VPN top web browsers by vulnerability graph
Image courtesy of Atlas VPN

A Closer Look at Google Chrome’s Latest Vulnerabilities

On November 8, 2022, the Center for Internet Security (CIS) reported finding multiple vulnerabilities in Google Chrome. 

The most severe vulnerability within this group could potentially allow for arbitrary code execution in the context of the logged on user. What does that mean? 

Depending on a user’s privileges, an attacker could install programs and view, change, or delete data. The bad actor could even create new accounts with full user rights! 

Of course, users whose accounts have minimal user rights on the system would be less impacted than those with administrative user rights.

Multi-OS systems were affected, including:

  • Google Chrome versions prior to 107.0.5304.110 for Mac
  • Google Chrome versions prior to 107.0.5304.110 for Linux
  • Google Chrome versions prior to 107.0.5304.106/.107 for Windows

First and foremost, CIS recommends applying appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. See here for all the other CIS recommended actions. 

The Need for Browser Patching 

Here are the key reasons you should regularly update or patch your browsers:

  • Enhance Security: Prevention of spyware, malware, and other viruses that could give someone access to your data or trick you into handing it over.
  • Improve Functionality: Outdated browsers might not work (well) or support new apps or software.
  • Boost User Experience: Older browsers usually do not support the latest and greatest code and will have trouble loading component files in the website. This might cause a website to freeze, crash or take forever to work.

For IT admins, security aspects are probably the most important reason to patch browsers. Keeping browsers updated with the latest version (i.e., downloading and installing all provided patches) goes a long way toward preventing cyber attacks and bad actors from exploiting known vulnerabilities. 

How to Create Default Chrome Browser Patch Policies

One of the easiest ways to stay on top of patches, and reduce browser vulnerability risk, is to use the JumpCloud Directory Platform. 

The latest capability addition to our Patch Management solution provides a universal policy to keep Google Chrome up to date for macOS, Windows, and Linux. 

A universal policy saves time by automatically scheduling and enforcing Chrome security patches on a large number of managed devices.

Screenshot of JumpCloud Policy Management Console&nbsp;
JumpCloud Policy Management Console 

The platform’s four universal preconfigured default Chrome browser patch policies allow admins to deploy browser updates with different levels of urgency. Admins also have the option to configure a custom universal policy; this feature allows for easy modification of existing policy settings to tailor update experiences to organizational needs. 

The four JumpCloud default Chrome browser patch management policies control how and when a Chrome update is applied. The recommended deployment strategies include:

  • Day Zero: Deploy automated upgrades inside your IT Department the first day an update is available.
  • Early Adoption: Deploy automated upgrades to early adopters outside of IT.
  • General Adoption: Deploy automated upgrades to general users in your company.
  • Late Adoption: Deploy automated upgrades to remaining users in your company.

Once you have created a Chrome browser patch policy, you can assign it to any devices, policy groups, or device groups. A policy group helps quickly and efficiently roll out existing policies to large numbers of similar devices. 

Capabilities of JumpCloud Browser Patch Management

JumpCloud’s new Browser Patch Management also introduces the following features:

  • Enforce Chrome updates and browser relaunch. 
  • Enforce or disable Chrome Browser Sign In Settings.
  • Restrict sign-in to a regex pattern to ensure users sign in via company email accounts.
  • Automate device enrollment into Google Chrome Browser Cloud Management, which unlocks limitless capabilities for browser and extension control within the Google Admin console. 

Dive deeper into the new Universal Chrome Browser Patch Management Release by exploring the release notes for this feature in the JumpCloud Community. 

Learn More About JumpCloud

The good news? Browser patching and patch management are included in JumpCloud’s affordable A La Carte pricing package. 

Try JumpCloud for free for up to 10 devices and 10 users. 

Complimentary support is available 24×7 within the first 10 days of account creation.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Migrate your VFE licenses to Google Cloud Storage to save thousands at renewal time

It’s that time of the year again.

No, not the holiday season. It’s nearly the start of Google’s financial year, and, with that, time for a lot of you to renew your Google Workspace licenses. This year though, you might get hit by an unexpected surprise. Umer Hamid, one of our dedicated Google Sales Architects at CloudM, explains why.
“Around this time of year, I find customers getting in touch with me in a panic. In January, they will be renewing their Google Workspace license, but this time, it’s going to cost thousands more. Why? Because they have a few hundred Vault Former Employee (VFE) licenses gathering dust. As Google phases out free VFE and replaces them with paid Archived User (AU) licenses, many businesses find $$$ added to their bill.”

Ouch!

Well, what can you do to beat the bill (or at least make a considerable dent in it), whilst keeping compliant with data retention rules and regulations? Especially when you have a lot of data to move, are short on time, and you are restricted by Google’s limit of allowing only 20 VFE licenses to be migrated at any one time? Don’t worry! Here is the approach that Umer has suggested to our customers that are also facing this daunting situation.

Step 1

Quite simply, use CloudM Migrate to move all the required data in bulk and at speed from Google Vault into your own Google Cloud Storage, completely owned and managed by you as part of your Google Cloud Platform. Instead of paying for individual AU licenses for every offboarded employee, you will only have to pay the data storage cost. With the VFE data export limit of 20 concurrent users in place, some businesses might struggle to move all of their suspended users to storage before the renewal deadline, but CloudM Migrate is one of the fastest and most reliable ways to chip away at the number of AU licenses you might need, significantly reducing the figure you will need to pay out.  

Step 2

Phew! It was close but you’ve managed to migrate all that data (or at least a significant chunk) before your renewal date. Now though, how do you make sure that you never have a large amount of expensive Google licenses sitting idle, and costing you money at renewal time, ever again? CloudM Archive comes to your rescue! All you need to do is configure CloudM Archive so that it can offboard data to your Google Cloud Storage buckets, and add the Archive step to your CloudM Automate Offboarding Workflows. When an employee leaves, their email and drive data will automatically be sent to whichever bucket you specify on the Workflow. Using CloudM Archive, your data is secure, easily searchable and instantly restorable, and will automatically be deleted as part of data retention policies so you always stay compliant.  

Read our Counting the (recurring) costs of AU licenses blog for a more in-depth look at how CloudM Archive continues to save you money and time, year in, year out.

If your Google Workspace license renewal is coming up quickly, and you want to avoid paying out for unnecessary AU licenses, the quicker you act, the more you will save. Umer and the team are on hand to help you so get in touch today.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About CloudM
CloudM is an award-winning SaaS company whose humble beginnings in Manchester have grown into a global business in just a few short years.

Our team of tech-driven innovators have designed a SaaS data management platform for you to get the most from your digital workspace. Whether it’s Microsoft 365, Google Workspace or other SaaS applications, CloudM drives your business through a simple, easy-to-use interface, helping you to work smarter, not harder.

By automating time-consuming tasks like IT admin, onboarding & offboarding, archiving and migrations, the CloudM platform takes care of the day-to-day, allowing you to focus on the big picture.

With over 35,000 customers including the likes of Spotify, Netflix and Uber, our all-in-one platform is putting office life on auto-pilot, saving you time, stress and money.

This Thanksgiving, Be Thankful for OT Security | SCADAfence

Thanksgiving – when families get together and express gratitude for everything they have, accompanied by good food and hopefully great football. For most families and network security teams who just feel like family, this is a great time for looking back and evaluating the past year and giving thanks for how far we’ve come. 

Continue reading