

Breakfast Bytes - Security Solutions that Work

7/15/2016


Security solutions that are working to keep business productivity up
Examples of security solutions that are working in today's world and that adapt to mitigating new threats

This past Tuesday was the largest patch Tuesday in several months. Patches should be deployed within 48 hours of the patch release. Are your systems patched?

MP3 - Security solutions that work to keep business productivity up


Web content filtering at the network layer is absolutely critical

Overwhelming statistics demonstrate that over 50% of legitimate websites are hosting some form of malicious content.

In some cases, the content is attempting to install malware or ransomware. In other cases, the content is attempting to run data analytics on you using privacy invasion spy techniques.

This is an example of a security summary of blocked destinations from WatchGuard Dimension, a SIEM logging and analytics tool. The network layer security that a properly programmed perimeter security appliance provides lets you and your staff safely use the internet and its vast resources while undesired content is selectively blocked.

Blocked Website Destinations

Website-based IPS attacks are a daily attack vector even for a single user

In a single week, an organization is likely to see this volume of IPS-based attacks in its web browsing traffic. So if the network layer protections were not in place, how many of these systems would have fallen prey to the web-based attacks?

IPS Attacks

Widespread DDoS, port-scan, and hack attacks

In the past week, I have seen one of the most widespread DDoS and port scanning attacks to hit the United States. A group of IP addresses on InterNap's network in the 66.150.8 range have been issuing widespread attacks on the infamous 3344x port range. These are clearly attacks intended to breach perimeter devices that are vulnerable to these types of attacks.

InterNap has datacenters that host a global content distribution network. So it appears as if InterNap has allowed hackers to buy space on their CDN to use for their nefarious purposes. Hackers are really into using CDNs and hosted services these days, so you will also see a lot of attacks coming from what appears to be Amazon Web Services IP addresses.

A properly programmed WatchGuard Firebox will use the Blocked Sites feature with a special policy that targets this type of traffic and prevents the Firebox from responding in any way to communications from the attacking IP address. So if a port scan or a staggered DDoS attack comes from that IP, the Firebox will already have proactively addressed it.

Very few consultants know how to implement this feature correctly. Be sure to ask your security practitioner to explain whether your perimeter device has the Blocked Sites feature fully implemented to handle DDoS and port scan attacks.

Blocked IP addresses from InterNap

Blocked Ports

Using Network Discovery to identify naughty devices on guest wireless

I was reviewing traffic logs earlier this week on a guest wireless network. I found several devices launching port scan attacks against the WAN IP address of the perimeter security appliance that was providing their internet connection.

As a security practitioner, you need to be able to identify devices on your guest network for malicious activity. While you know that the malicious traffic is being blocked, you still need to go find that device to investigate it.

WatchGuard's latest addition to its analytics tools, Network Discovery, satisfies that need. Network Discovery is configurable to run on a customized interval. Daily may be sufficient for organization-owned devices on your internal LAN, but you may want it to run more frequently on the guest network, based on how quickly guest devices turn over. If a problem such as the one I saw is occurring, you want to find out as quickly as possible which device that traffic is coming from and visit that device's owner. Network Discovery allowed rapid identification of the offending device.

In this case, Network Discovery revealed the owner of the iPhone (name removed for privacy reasons). We were able to go have a chat with the owner and find out what was going on with the phone that was attempting to hack the perimeter security appliance.

Network Discovery identifies malicious iPhone
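The two cases above, the Blocked Sites policy for external port scans and the guest device probing the WAN address, both come down to spotting one source touching many ports on the perimeter device in a short span. This is an added example, not code from the post or from WatchGuard; the log format, the WAN address 192.0.2.10 and the sample lines are constructed, and the output is a list of sources a practitioner would then review and add to the device's blocked-sites list.

```python
# Added example (not code from the post or from WatchGuard): flag sources that
# probe many distinct ports on the WAN address, the traffic the Blocked Sites
# policy and the guest-network hunt above are meant to catch. The log format is
# a constructed, simplified one: "<epoch> <src_ip> <dst_ip> <dst_port> <action>".
from collections import defaultdict
from typing import Dict, List, Set, Tuple
# Constructed sample lines (not real traffic). 203.0.113.7 walks a port range
# on the WAN address within seconds; 198.51.100.9 is ordinary web browsing.
SAMPLE_LOG = """\
1468540000 203.0.113.7 192.0.2.10 3340 deny
1468540001 203.0.113.7 192.0.2.10 3341 deny
1468540001 203.0.113.7 192.0.2.10 3342 deny
1468540002 203.0.113.7 192.0.2.10 3343 deny
1468540002 203.0.113.7 192.0.2.10 3344 deny
1468540003 203.0.113.7 192.0.2.10 3345 deny
1468540000 198.51.100.9 192.0.2.10 443 allow
1468540050 198.51.100.9 192.0.2.10 443 allow
1468540100 198.51.100.9 192.0.2.10 80 allow
"""

def find_port_scanners(log: str, wan_ip: str, window: int = 60,
                       min_ports: int = 5) -> Dict[str, Set[int]]:
    """Return {src_ip: ports} for every source that touched at least
    `min_ports` distinct ports on `wan_ip` inside some `window`-second span."""
    events: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for raw in log.strip().splitlines():
        ts, src, dst, port, _action = raw.split()
        if dst == wan_ip:  # only probes aimed at the perimeter device count
            events[src].append((int(ts), int(port)))
    scanners: Dict[str, Set[int]] = {}
    for src, hits in events.items():
        hits.sort()  # time order, so a sliding window works
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                scanners[src] = ports
                break
    return scanners

def block_list(scanners: Dict[str, Set[int]]) -> List[str]:
    """Sorted source addresses to hand to the perimeter device's blocked-sites list."""
    return sorted(scanners)
if __name__ == "__main__":
    found = find_port_scanners(SAMPLE_LOG, "192.0.2.10")
    for ip in block_list(found):
        print(ip, "probed ports", sorted(found[ip]))
```

Tune `window` and `min_ports` to the device's own thresholds; the browsing client never reaches five distinct ports in any 60-second span, so only the scanner is listed.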


OpenDNS can increase your security if you have a static IP address

You either need a static IP or you need to use a dynamic IP DNS updater app if you want customized rules for your OpenDNS account. OpenDNS can be used without a static IP or any customized account if you want to accept their defaults: simply use their DNS servers for your client DNS traffic. I do not suggest using it for your network appliance DNS traffic, for latency reasons. Check out my article on optimizing WAN performance using DNS for more information on that.

Undesirable destinations blocked by OpenDNS
