Tag Archives: StealthWatch

Post NAC: Cisco Identity Services Engine (ISE) and Lancope StealthWatch for Total Access Control

Controlling who and what accesses your network is a critical element in keeping your resources safe from malicious threats. Network Admission Control (NAC) solutions like the Cisco Identity Services Engine (ISE) can police who and what is permitted network access as well as enforce policy for those devices. Examples would be permitting an administrator with a government-furnished Windows 7 laptop access to VLAN 10, which holds internal servers, while provisioning a marketing professional’s iPad with VLAN 20 access, which is limited to Internet and email through the use of ACLs.

But what happens once a device is granted network access? Access control solutions are pretty much out of the picture, aside from limited profile monitoring for identifying changes in device types. (Examples of this limited functionality include figuring out that an “Apple Device” is really an “iPad” based on DHCP and other traffic seen while the user is browsing the network, or blocking a user who attempts to spoof a printer’s MAC address to gain network access.)

[Figure: Example ISE policy for profiled Apple iPad or iPhone and User “Joey” to get Apple_Mobile Access]

Beyond this is where the handoff to an internal monitoring solution such as Lancope’s StealthWatch System should come into play. An internal monitoring solution can handle security where the access control solution leaves off. These solutions monitor all devices on the network for performance and suspicious behavior, regardless of whether or not they were approved by NAC. Examples of devices that NAC solutions may miss are virtual systems inside the data center, network sharing such as turning an iPhone into a wireless hub, Linksys routers using NATing to hide unauthorized access, or devices accessing a part of the network without access control.


An important function of a post access control solution is identifying devices compromised while on the network, since most access control solutions only verify policy for patch updates and other installed security applications (e.g. antivirus). Being compromised while on the network can happen when users surf the Internet, plug in a USB drive hosting malware, open an infected email, etc. In most cases, the threats that compromise internal users are not common viruses, meaning there isn’t a known signature that can be used by antivirus or firewall technologies to flag the attack. A post access control technology that leverages behavior as the means to identify threats can catch not only insider threats posed by authorized users, but also stealthy, externally-launched threats that bypass the security measures typically enforced by a NAC policy.

The integration of Cisco ISE for access control and Lancope’s StealthWatch for internal network monitoring saves customers money by leveraging NetFlow data already inherent in routers, switches and other network infrastructure devices to essentially turn the entire network into a giant sensor grid for detecting anomalous activity. Both Cisco and Lancope use industry standards leveraged by most vendor equipment (Cisco ISE using 802.1x and Lancope using NetFlow). Both companies also offer physical and virtual versions of all solution components, and both can be architected in a centralized or distributed design.


Here are the beneficial actions that can be taken by combining access control and internal monitoring:

  • Enforce policy on devices accessing the network.
  • Identify unauthorized devices not seen by NAC.
  • Monitor devices for threats and performance during their entire lifecycle on the network.
  • Know who and what is on the network as well as what they are doing.
  • Automatically provision network access for trusted users and guests.
  • Identify threats on the internal network including malware, botnets and data loss.
  • Limit access for remediation of an identified threat.
  • Document a threat’s entire presence on the network for information assurance.
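As an added illustration of two of the items above, identifying unauthorized devices not seen by NAC and knowing who is behind each flow, here is example code written for this page (it is not Cisco ISE, Lancope or StealthWatch code). It joins a constructed NAC session table (IP, MAC, user, profile) with constructed flow records: inside hosts that send traffic without any session are the NAC gap, every flow gets the user and profile of its source, and an authenticated device whose behaviour does not match its profile (the "printer" opening SMB to a server) is flagged. The inside address range, profile names and port lists are assumptions.

```python
"""Added example (not Cisco ISE or Lancope code): join a NAC session table
with flow records to find what NAC never saw and to put a user name on
every flow. All IPs, MACs, users, profiles and flows below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Session:
    """One authenticated endpoint as a NAC system would report it."""
    ip: str
    mac: str
    user: str
    profile: str          # device type assigned by profiling, e.g. "Apple-iPad"


@dataclass(frozen=True)
class Flow:
    """One flow record: who talked to whom, on which port, how much."""
    src: str
    dst: str
    dst_port: int
    nbytes: int


INSIDE = ipaddress.ip_network("10.1.0.0/16")     # constructed inside address range
# Assumed: profiles that should only be clients of Internet/email services and
# never initiate traffic to server or management ports.
LIMITED_PROFILES = {"Printer", "Apple-iPad", "Apple-iPhone"}
SERVER_PORTS = {22, 445, 1433, 3389}


def inside_sources(flows):
    """Flows grouped by source IP, restricted to inside hosts (those NAC should know)."""
    grouped = defaultdict(list)
    for f in flows:
        if ipaddress.ip_address(f.src) in INSIDE:
            grouped[f.src].append(f)
    return grouped


def unauthenticated_talkers(sessions, flows):
    """Inside IPs that send traffic without any NAC session: the hidden VM,
    the NAT router, the tethered phone, or a segment with no access control."""
    known = {s.ip for s in sessions}
    return sorted(ip for ip in inside_sources(flows) if ip not in known)


def attribute_flows(sessions, flows):
    """Tag every flow with the user and profile behind its source IP (None if unknown)."""
    by_ip = {s.ip: s for s in sessions}
    rows = []
    for f in flows:
        s = by_ip.get(f.src)
        rows.append({"src": f.src, "dst": f.dst, "dst_port": f.dst_port,
                     "nbytes": f.nbytes,
                     "user": s.user if s else None,
                     "profile": s.profile if s else None})
    return rows


def profile_conflicts(sessions, flows):
    """Authenticated devices whose behaviour does not fit their profile, e.g. a
    'printer' opening SMB sessions to a server; a spoofed printer MAC shows up this way."""
    by_ip = {s.ip: s for s in sessions}
    hits = []
    for f in flows:
        s = by_ip.get(f.src)
        if s and s.profile in LIMITED_PROFILES and f.dst_port in SERVER_PORTS:
            hits.append((f.src, s.user, s.profile, f.dst_port))
    return hits


# Constructed sample data: three NAC sessions and five flow records.
SESSIONS = [
    Session("10.1.20.15", "aa:bb:cc:00:00:01", "joey", "Apple-iPad"),
    Session("10.1.10.5", "aa:bb:cc:00:00:02", "admin1", "Windows7-Workstation"),
    Session("10.1.30.9", "aa:bb:cc:00:00:03", "printer-lobby", "Printer"),
]
FLOWS = [
    Flow("10.1.20.15", "198.51.100.7", 443, 120_000),
    Flow("10.1.10.5", "10.1.50.10", 445, 8_000),
    Flow("10.1.77.200", "203.0.113.9", 443, 5_000),    # inside host with no session
    Flow("10.1.30.9", "10.1.50.10", 445, 90_000),      # "printer" talking SMB to a server
    Flow("203.0.113.9", "10.1.20.15", 55000, 600),     # external source: not NAC's concern
]

if __name__ == "__main__":
    print("no NAC session:", unauthenticated_talkers(SESSIONS, FLOWS))
    print("profile conflicts:", profile_conflicts(SESSIONS, FLOWS))
    for row in attribute_flows(SESSIONS, FLOWS):
        print(row)
```

The same join is what makes the "who" column in a flow report possible: once the session table is keyed by IP, every flow record can be reported by user and device type rather than by address alone.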

And here are the steps for setting up Cisco ISE and StealthWatch within a network:

  • Configuring On-Boarding via BYOD in ISE HERE
  • Setting up a Lancope StealthWatch small lab HERE

Click here for more information on how Cisco and Lancope work together to defend governments and enterprises against advanced threats.


Filed under Bring Your Own Device BYOD, Network Admission Control

Kali Linux – The next generation for BackTrack


Written by Aamir Lakhani, www.DrChaos.com and Joey Muniz www.thesecurityblogger.com. Article is cross posted.

BackTrack is a digital forensics and penetration testing arsenal used by many security professionals and malicious hackers. The last release of BackTrack was 5r3 and many expected a new release sometime in 2013. The creators of BackTrack decided to start from the ground up building a full-fledged operating system and release a next generation penetration distribution rather than updating the existing live CD release. The creators note “Kali Linux is a more mature, secure and enterprise-ready version of BackTrack Linux”.

[Figure: Lifeline of BackTrack ending with Kali 1.0]

Kali Linux has many advantages over BackTrack. Kali comes with more up-to-date tools. The tools are streamlined with Debian repositories and synchronized four times a day, which means users have the latest package updates and security fixes. The new compliant file system means most tools can be run from anywhere on the system. Customization, unattended installation and flexible desktop environments are also strong features of Kali Linux.

Kali Linux offers a number of customized tools designed for penetration testing. Tools are categorized in the following groups, as seen in the dropdown menu shown below.

[Figure: Main Tool Categories in Kali Linux]

Most of the useful tools from BackTrack made it into Kali with updated versions as well as some new stuff. For example, Vega and Proxy Strike are updated, while tools like Grendel-scan were removed. One interesting catalog is the separate Top 10 Security tools listing.

[Figure: Top 10 Security Tools in Kali Catalog]

Kali Linux does have some limitations compared to its predecessor BackTrack. Some tools do not operate correctly in the new environment or require customization to gain stability. Some of these limitations will probably be fixed in updates. Within a few minutes of using Kali, we realized that the darkc0de.lst dictionary file wasn’t loaded with Kali, and that SET needed some reconfiguration for updates to work. Most of these gotchas are well documented and a simple Google search will get you to the right place.

Sticking with the last release of BackTrack 5 RC3 has some advantages, such as more streamlined installation options on various operating systems. One huge limitation for Kali is support in a large VMware ESXI server environment, due to VMTools not running on the 64-bit version of Kali. There is a workaround using 32-bit images with VM Tools preinstalled that are downloadable from the Kali website. If you want to install VMware Tools natively on the Kali Linux ISO (including 64-bit versions of the ISO), then check out our HowTo Install VMware Tools On Kali Linux.

BackTrack, as the veteran, also has much more content available online than Kali’s 1.0 release.

So far I like the new platform and have been using it for multiple projects. I haven’t had issues running Kali on a MacBook Pro as a VMware Fusion server or on a MACMINI hosting ESXI 5.1 (note the MACMINI operates like a desktop, therefore avoiding issues found with ESXI server farms). I recommend checking out the new release at http://www.kali.org/.

Aamir Lakhani (www.DrChaos.Com) and Joey Muniz (www.thesecurityblogger.com) are co-writing a new book on Kali for Web Penetration Testing.  Stay tuned for details!


Filed under General Security

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

The terms Penetration Test, Vulnerability Assessment and Security Audit are often blended together when requested by clients or offered by security service providers. All three have security aspects; however, they are very different regarding the purpose they serve as well as the expected deliverable.


A Security Audit typically means evaluating a system or application’s risk level against a set of standards or baselines. Standards are mandatory rules while baselines are the minimal acceptable level of security. Standards and baselines achieve consistency in security implementations and can be specific to industries, technologies and processes.

Most requests for Security Audits are focused on passing an official audit (i.e. preparing for a corporate or government audit) or proving the baseline requirements are met for a mandatory set of regulations (HIPAA, PCI, etc.). In many cases, Security Audit services do not include any guarantee or protection if an audit is unsuccessful after the service, meaning the service only provides information that a client can use to become compliant.

IMPORTANT: In many cases, security audits give customers a false sense of security. Most standards and baselines have a long update process that is unable to keep up with the rapid changes in threats found in today’s cyber world. It is highly recommended to go beyond standards and baselines to raise the level of security to an acceptable level of protection for real world threats.

A Vulnerability Assessment is the process in which network devices, operating systems and application software are scanned in order to identify the presence of known and unknown vulnerabilities. A vulnerability is a gap, error or weakness in how a system is designed, used and protected. When a vulnerability is exploited, it can result in unauthorized access, escalation of privileges or denial-of-service to the asset.

Vulnerability Assessments typically stop once a vulnerability is found, meaning the service doesn’t include executing an attack against the vulnerability to verify whether it’s legitimate. A Vulnerability Assessment deliverable lists the potential risk associated with all vulnerabilities found, with possible remediation steps. There are many tools that can be used to scan for vulnerabilities based on system type, operating system, ports open for communication and other means. Vulnerability Assessments are a valuable way to assess a network for potential security weaknesses and identify where to invest for future security.

A Penetration Test attempts to attack vulnerabilities in a manner similar to a real malicious attacker. Typically, penetration services are requested when a system or network has exhausted investments in security and the owner is seeking to verify that all avenues of security have been covered. The key difference between a Penetration Test and a Vulnerability Assessment is that a penetration test acts upon the vulnerabilities found and verifies whether they are legitimate, reducing the list to the confirmed risks associated with a target.

IMPORTANT: One popular misconception is that a Penetration Testing service enhances IT security because it costs more than other security services. Penetration Testing does not make IT networks more secure, since the service evaluates existing security! A customer should not consider a penetration test if there is a belief that the target is not completely secure.

Hopefully these definitions help define future security service requests.


Filed under General Security

Installing Lancope StealthWatch on a Mac mini for Small Lab

Lancope enables visibility for security and network performance. Security capabilities focus on identifying insider threats such as botnets, malware and data loss using non-signature, network-wide correlation of all traffic. Pretty much anything touching the physical or virtual network leaves a footprint known as NetFlow, which is investigated for malicious intent and performance statistics.

Lancope offers virtual and physical appliance options for the StealthWatch technology, making it easy to build a lab. This post will explain how to build a simple Lancope lab integrated with Cisco ISE 1.2 beta using an Apple Mac mini server hosting vSphere ESXI 5.1 with an ASA 5505 firewall.

It’s important to understand the components of the Lancope StealthWatch system.

  • StealthWatch Manager (SMC) – This is the centralized system that manages all other components. Administrators will access this system’s IP for GUI management.
  • StealthWatch Collector – This is what collects NetFlow. All devices generating NetFlow will send data to this device for correlation.
  • StealthWatch Sensor – This generates NetFlow on behalf of devices unable to send NetFlow. It can also view application layer data, providing additional context.
  • StealthWatch Identity Box OR Cisco ISE – These identify users and devices based on authentication and profiling. IP addresses are linked to USER information.
  • StealthWatch Replicator – This replicates UDP management data such as flow data, SNMP traps and syslog.
  • StealthWatch SLIC – This is a reputation feed that correlates external known threats with possible insider threats.

My lab is using virtualized appliances of all Lancope technology components. You can obtain Lancope .OVA files preloaded on Cisco 3850 switches, from Lancope’s website or from a solution provider. The first step is loading the Lancope .OVAs into vSphere. All appliances will ask for basic IP, DNS and NTP information upon launching. The default login for everything is either admin or root and lan1cope or lan411cope. I had some problems with the default logins and recommend accessing the administration of each Lancope appliance using the command line, typing SystemConfig and resetting the passwords prior to logging into the GUI.

[Figure: SystemConfig found in the appliance command line]

[Figure: Lancope SMC ESXI Properties]

The Lancope SMC requires a minimum of 8 GB of memory and 2 CPUs. Setup consists of basic IP configuration and then accessing its GUI via HTTPS. Additional system configuration can be done by clicking Administer this server, or the User GUI can be opened by clicking Start. One important first step in the GUI is adding the main inside network subnet to the Catch All.

[Figure: Adding Inside Network To Lancope Catch All]

[Figure: Lancope Collector ESXI Properties]

The Lancope Collector lists an 8 GB memory requirement with 2 CPUs; however, ESXI 5.1 gave a resource error message upon launching. I reduced the memory to 4 GB per CPU, which fixed that issue. Once the Lancope Collector is up, access its GUI via HTTPS. You must point it at the SMC under the Configuration tab.

I enabled NetFlow on an ASA 5505 firewall (running 8.2(2) or greater) and pointed it at the Lancope Collector for network visibility. My ASA 5505 is also powering my 1121 Access Point for wireless. To enable NetFlow in ASDM, click Configuration under Device Management, click NetFlow under Logging, change the template timeout to 1 min and the delay to 15 seconds, and check “Disable Redundant Syslog”. Select Inside, then enter the collector’s IP and UDP port 2055.

[Figure: Creating Netflow Collector in ASA]

Next, create a firewall policy under Firewall and Service Policy Rules. Click Global, give it a name, select All Traffic, click the NetFlow tab and select the collector IP you built under Device Management. NOTE: If you update the collector under Device Management, you must first delete its reference under the firewall policy to avoid errors.

[Figure: Add Firewall Policy in ASA]

To add visibility into my ESXI environment, I have loaded a Lancope virtual Sensor. The Lancope Sensor requires 1 GB of memory and 1 CPU. Once the Sensor is up, you must point it at the Lancope Collector and add the ESXI server. Prior to doing that, you must create a read-only user account in ESXI. NOTE: ESXI has discontinued GROUPs. Click Local Users & Groups and create a new user by right-clicking and choosing ADD. Give the user a name and password. Next, click Permissions, right-click your new user and choose Edit. Add a permission of Read-Only. Once the account is ready, log in to the HTTPS GUI of the Lancope Sensor. Click the Configuration tab and add the Lancope Collector. Next, go under Configuration and add your ESXI server. If the steps are performed correctly, the SMC should automatically detect the new Lancope Sensor and virtual environment.

[Figure: Adding VMware to Lancope SMC]

I have ISE 1.2 providing admission control for my LAN and wireless networks. ISE data can be imported into the Lancope SMC. This is done from the GUI by right-clicking Identity Services in the Lancope SMC tree and clicking ADD. Fill out the ISE information using the admin login for ISE.

At this point, the Lancope SMC has NetFlow from an ASA firewall seeing LAN and wireless traffic, ISE authentication and NetFlow from inside a virtualized environment. I plan to add SLIC feed for reputation once I obtain a license. I now have full visibility of my home network.

[Figure: Lancope SMC Device Tree]


Filed under Security Management & Analysis

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post can be found HERE.

[Illustration by Kekai Kotaki]

Problem

Cisco Systems, in its Cyber Security Threat Defense white papers, outlines how the network security threat landscape is evolving. It describes how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient for detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be implemented mainly to fulfill some sort of checkmark for an auditor on a compliance form. Security professionals know that these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

[Image: Cisco Identity Services Engine (Image Source: Cisco Identity Services Engine)]

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

As the centerpiece of Cisco’s TrustSec solution, Cisco ISE creates a secure ecosystem that treats security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center in the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. While Federal IT budgets are being slashed in 2013, spending for cyber security appears to be increasing, at least in the eyes of the casual onlooker.

Cisco Systems, in its Cyber Threat Defense white paper, discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even gauge whether they are being attacked or whether a threat is posing a clear and present danger (yes, that was a Harrison Ford shout out)?

[Image: RSA NetWitness Logo (Image Source: RSA)]

How To Solve The Problem

I recommend creating a conceptual framework for a Threat Defense Visibility and Awareness program. The goal of the program should be to (1) provide a framework that can be built using products, technologies and methodologies that are available today, (2) provide network visibility into network health and status in real time, (3) provide real-time network posture and attack risk baselines, and (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on its website that security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data exfiltration

[Image: Lancope StealthWatch provides network visibility, understanding trends, anomalies and threats of the network (Image Source: Lancope)]

Network visibility gives security administrators the ability to detect problems because it highlights changes in baseline behavior. Did traffic spike 100%, did outbound traffic suddenly increase, are more requests being transmitted to a new domain on the Internet? All these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns from what the traffic normally looks like.


Filed under Security Management & Analysis

Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layered security technologies.

Cisco is known for network and collaboration products; however, Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control and Web Security and its partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network, regardless of whether it’s the LAN, wireless or remote access using VPN technology. Cisco Identity Services Engine (ISE) provides visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify that devices meet specified policies by enforcing posture prior to providing network access, for example ensuring Joey’s Windows 7 laptop has the latest updates and security applications installed.

[Figure: Cisco ISE showing Android with Contractor access and iPhone with Employee mobile access]

[Figure: Profiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”]

[Figure: Some default profiles for Cisco ISE]

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

[Figure: Cisco WSA Content Dashboard]

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying whether the web source is a known evil location based on reputation. Reputation can be based on factors such as where the source is located, how long it has been up or whether it has been marked as a source of malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence, looking for malicious behavior. There is also a botnet scanner that sits on a SPAN port, designed to capture users that happen to get compromised and have malware phone-home activity from their devices. The botnet scanner is a first step towards identifying insider threats, but not good enough on its own.

[Figure: Cisco WSA Main Dashboard]

[Figure: Cisco WSA Threat Dashboard]

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network-wide forensic visibility, leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s StealthWatch to see the top 10 threats, which range from Data Loss to Botnet infections.

[Figure: Main Lancope Cyber Security Dashboard (top 4 machines infected with botnets)]

[Figure: Ethel’s Windows 7 Workstation With Botnet]

[Figure: Ethel’s Workstation communicating with malicious source]

Lancope identifies threats using a combination of reputation and behavior, regardless of whether the threat attempts to hide by throttling, encryption or interacting through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to Dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain, meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where it’s spreading and how it’s sending traffic off the network. Lancope also gives visibility into abuse of network resources, unauthorized tunneling and problems in network performance.
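The behavioral checks named in this paragraph (large data dumps, obscure ports, host-to-host reconnaissance) and the baseline questions in the Situational Awareness post above (did outbound traffic spike, is a host talking to a new domain) come down to comparing today’s flows against what each host normally does. The following is an added example written for this page, a toy version of those checks and not Lancope’s detection algorithm: it builds a per-host baseline from a constructed “known-good” period of flow records, then flags a host whose outbound bytes exceed a multiple of its baseline, a new external destination, a fan-out to many internal peers, and a port the host has never used before. The inside address range, the common-port list, the thresholds and all flow records are constructed.

```python
"""Added example (not Lancope's algorithm): per-host baselines over flow
records and the behavioral checks a monitoring system runs against them.
All addresses, thresholds and flow records below are constructed."""
from collections import defaultdict
import ipaddress

INSIDE = ipaddress.ip_network("10.1.0.0/16")          # constructed inside range
# Assumed list of ports that are unremarkable for any host on this network.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 445, 993, 3389}


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def build_baseline(records):
    """records: (day, src, dst, dst_port, bytes) tuples from a known-good period.
    Per inside host: average bytes per day sent off-network, the external
    destinations it normally talks to, and the ports it normally uses."""
    days, out_bytes = defaultdict(set), defaultdict(int)
    dests, ports = defaultdict(set), defaultdict(set)
    for day, src, dst, port, nbytes in records:
        if not is_inside(src):
            continue
        days[src].add(day)
        ports[src].add(port)
        if not is_inside(dst):
            out_bytes[src] += nbytes
            dests[src].add(dst)
    return {h: {"out_per_day": out_bytes[h] / len(days[h]),
                "dests": dests[h], "ports": ports[h]} for h in days}


def analyze(baseline, records, spike=2.0, fanout=10):
    """Compare one period of records with the baseline; return (host, kind, detail)."""
    out_bytes, dests = defaultdict(int), defaultdict(set)
    peers, ports = defaultdict(set), defaultdict(set)
    for _day, src, dst, port, nbytes in records:
        if not is_inside(src):
            continue
        ports[src].add(port)
        if is_inside(dst):
            peers[src].add(dst)              # internal peer: reconnaissance signal
        else:
            out_bytes[src] += nbytes         # off-network bytes: data-loss signal
            dests[src].add(dst)
    findings = []
    for host in sorted(ports):
        base = baseline.get(host)
        if base is None:
            findings.append((host, "unknown_host", "no baseline for this host"))
            continue
        if base["out_per_day"] > 0 and out_bytes[host] > spike * base["out_per_day"]:
            findings.append((host, "spike",
                             f"{out_bytes[host]} bytes out vs {base['out_per_day']:.0f}/day"))
        for d in sorted(dests[host] - base["dests"]):
            findings.append((host, "new_dest", d))
        if len(peers[host]) >= fanout:
            findings.append((host, "fanout", f"{len(peers[host])} internal peers"))
        for p in sorted(ports[host] - base["ports"] - COMMON_PORTS):
            findings.append((host, "odd_port", str(p)))
    return findings


# Constructed history: five quiet days for two workstations.
HISTORY = []
for day in range(1, 6):
    HISTORY += [
        (day, "10.1.10.5", "198.51.100.7", 443, 1_000_000),
        (day, "10.1.10.5", "10.1.50.10", 445, 10_000),
        (day, "10.1.20.15", "198.51.100.7", 443, 200_000),
    ]

# Constructed day six: one host uploads far more than usual to a never-seen
# destination; the other sweeps twelve internal hosts and opens an odd port.
TODAY = [
    (6, "10.1.10.5", "198.51.100.7", 443, 800_000),
    (6, "10.1.10.5", "203.0.113.50", 443, 2_500_000),
    (6, "10.1.20.15", "198.51.100.7", 443, 150_000),
    (6, "10.1.20.15", "198.51.100.7", 6667, 500),
] + [(6, "10.1.20.15", f"10.1.50.{i}", 445, 300) for i in range(1, 13)]

if __name__ == "__main__":
    for host, kind, detail in analyze(build_baseline(HISTORY), TODAY):
        print(f"{host:12} {kind:12} {detail}")
```

The thresholds are deliberately simple; what matters for the discussion above is that none of the four findings depends on a signature, only on the difference between a host’s own history and its current flows, which is why encrypted or throttled traffic still shows up.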

[Figure: Lancope Dataloss Diagram]

[Figure: Malware Propagation Diagram (purple IP has infected green IP, which is probing other systems)]

[Figure: Known Botnet Sources via Reputation]

Combining Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power in having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on whether any of those devices have been compromised. This information can dramatically improve identification of and reaction to cyber threats, saving time, money and other problems caused by network breaches.


Filed under Internet Defense, Network Admission Control, Security Management & Analysis

My Awesome Portable Lab – Apple Mac mini Running ESXI 5.0 5.1 hosting Cisco ISE, NCS, Backtrack, Lancope and More

Part of my job is being an expert on various technologies. This means having hands-on experience with the latest products as well as the ability to demonstrate how specific solutions work. Many vendors are virtualizing their solutions, making it easier to build a home lab that is portable and light on power usage. My team has researched the best method for a mobile home lab based on price, size, power consumption and noise. After comparing various servers and laptops, we found the Apple Mac mini to be the best choice. It’s small enough to fit in a backpack, low on power consumption, silent and around $1,400 fully loaded.

The Mac mini is 7.7 by 7.7 and comes with the standard Apple OS and an HDMI display adapter. Some monitors may need a VGA adapter, which can be purchased for $10-25. You will need an Apple SuperDrive to load the ESXI ISO and possibly some drivers that are lost during the install, depending on your Mac mini model and method of install. I’ve heard of people doing it with other media such as USB storage; however, I’ve personally only used the SuperDrive for two different Mac minis. Make sure to have a USB mouse and keyboard as well.

This website covers how to install ESXi 5.X on an older Mac mini (2011 or older) HERE. The steps are very straightforward; however, one lesson learned is that you HAVE TO burn the driver disk that will be mounted from a Windows computer. I wasted a dozen CDs burning the drivers with my Mac using various tools, yet the CD never mounted. You can use any type of device to burn the ESXi software.


How To Educate Your Employees About Social Engineering

A common saying is "Amateurs Hack Systems, Professionals Hack People". Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks because of their instinct to be helpful and trusting. The typical attacker never comes face-to-face with the victim, instead using deception through email, social networks or over the phone.

Consultants list end-user training as a top defense against social engineering. How should you provide training for your user community? Here are some tips for educating your staff about common social engineering attacks.

Explain Why Policies Exist


It is common to see organizations send out policy reminders without explaining why the policies exist. The average user will delete a policy email as soon as they realize it is standard legal language.

Try explaining why users should care. For example, start off with a scenario about an email account being compromised and/or company data being stolen. Include details about what social engineering tactic was used, the investment by IT to clean up the issue, and ways to avoid the threat. Close with the policy being enforced.

Provide Examples Beyond The Intranet


Organizations typically send warning emails to employees when they discover threats to internal resources. It is rare to see companies extend warnings to phishing or other external attacks. Try periodically sending out examples of different social engineering attacks, highlighting what to look for and where they are common. Examples should include social networks, fake URLs, Craigslist scams and threats delivered through shareware. Your end-users can be targeted anywhere, so educate them on all forms of social engineering attacks.


The Business Value Of NetFlow : Why Invest In NetFlow Technology?

There has been a rapid increase in demand for security solutions that can defend against Advanced Persistent Threats (APTs). Why? Because today, cyber criminals don’t rely on a single attack to compromise targeted networks.

Successful attacks are typically made up of a number of chained exploits. A hacker may start with social engineering, deliver malware through phishing and gain internal access through compromised machines. Once the hacker has established a foothold in the internal network, he may spread rootkits through a hidden torrent-like environment to communicate under the radar and steal information.

Attacks like this are difficult to detect and to remediate. Point products may catch a piece of the puzzle; however, you will need the complete picture to deal with sophisticated attacks. Solutions must have network-wide visibility, which typically can be accomplished through logging, packet capture or network analysis. Logging requires security tools such as firewalls and IPS appliances spread across the network, sending logs to a centralized system for event correlation and reporting. Analyzing packets usually requires collectors processing a tremendous amount of data obtained from key network segments. Network security and performance analytics can be obtained directly from network devices capable of exporting NetFlow, such as routers and firewalls.

Of the three methods, network analysis is becoming an extremely attractive method to defend against advanced threats since NetFlow can be harvested from existing devices.
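As an added example (not code from the original post, from Lancope or from Cisco), here is the collector side of the network analysis approach just described: parsing a NetFlow v5 export as a router would send it, then flagging a host that fans out to an unusual number of internal peers, the kind of torrent-like internal spread mentioned above. The flow records, addresses and the fan-out threshold are constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

# NetFlow v5 export format: a 24-byte header followed by up to 30 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")                 # version, count, uptime, secs, nsecs, seq, engine, sampling
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, octets, times, ports, ...

def parse_v5(packet):
    """Return (src, dst, dport, proto, octets) tuples from one NetFlow v5 datagram."""
    version, count = HDR.unpack_from(packet)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    flows = []
    for i in range(count):
        f = REC.unpack_from(packet, HDR.size + i * REC.size)
        # f[0]=srcaddr f[1]=dstaddr f[6]=dOctets f[10]=dstport f[13]=prot
        flows.append((str(IPv4Address(f[0])), str(IPv4Address(f[1])), f[10], f[13], f[6]))
    return flows

def build_v5(flows):
    """Pack flows into a v5 datagram (constructed test data, not real exporter output)."""
    body = b"".join(
        REC.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 1, 2,
                 10, octets, 0, 1000, 40000, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for s, d, dport, proto, octets in flows)
    return HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

def internal_fanout(flows, internal="10.0.0.0/24", threshold=5):
    """Flag hosts talking to an unusual number of distinct peers inside the internal range
    (hypothetical threshold); external destinations such as DNS do not count."""
    net = IPv4Network(internal)
    peers = defaultdict(set)
    for src, dst, _dport, _proto, _octets in flows:
        if IPv4Address(src) in net and IPv4Address(dst) in net and src != dst:
            peers[src].add(dst)
    return {host: len(p) for host, p in peers.items() if len(p) >= threshold}

# Constructed sample: four workstations using the file server and DNS, plus one host sweeping peers.
SAMPLE_FLOWS = (
    [("10.0.0.%d" % n, "10.0.0.5", 445, 6, 20000) for n in range(11, 15)]
    + [("10.0.0.%d" % n, "8.8.8.8", 53, 17, 120) for n in range(11, 15)]
    + [("10.0.0.77", "10.0.0.%d" % n, 6881, 6, 1500) for n in range(11, 19)]
)
SAMPLE_PACKET = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    for host, n in internal_fanout(parse_v5(SAMPLE_PACKET)).items():
        print("%s contacted %d distinct internal hosts" % (host, n))
```

A real collector would receive these datagrams over UDP from the exporter and keep the peer sets over a time window rather than a single packet.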

What are the key reasons to invest in NetFlow when an organization has already invested in firewalls, anti-virus, IPS systems and other security tools?


Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Most security solutions leverage a combination of signature- and behavior-based technology (more HERE). This worked in the past; however, today these solutions are not good enough, regardless of whether you layer multiple products that are built upon similar scanning methods. There are many ways to bypass point security products, such as throttling behavior and masking the known fingerprint of the attack code. An example of a technique used to hide malware from popular anti-virus packages is leveraging dynamic obfuscation software.

Obfuscation software was designed to protect source code from piracy by making the original code more complicated to read while retaining its functionality. There are commercial obfuscation packages available for programmers looking to hide their source code, and the same packages are obtainable by malware developers. This is bad for anti-virus vendors, who are responsible for developing methods to fingerprint malicious code.

Malware producers can make things even more difficult for anti-virus vendors by adding dynamic elements that randomize malicious code and encryption keys on the fly. For example, a victim accessing a malicious website could see a different variation of the same exploit each session. Dynamic obfuscation provides an endless number of variants, making it almost impossible for signature-based security to identify the threat.

There are dozens of commercial Java obfuscator packages. Some common ones are Zelix KlassMaster, DashO, ProGuard, Smokescreen, Thicket and Allatori. Popular penetration testing toolsets such as Metasploit also include malware obfuscation modules such as the VoMM module. Research on VoMM from a few years ago can be found HERE.

[Screenshots: Examples of Java Obfuscation Software]
