Wednesday, November 22, 2017

Tag: vulnerability scanner

Deceive in order to detect

Interactivity is a security system feature that implies interaction with the attacker and their tools as well as an impact on the attack scenario depending on the attacker’s actions. For example, introducing junk search results to confuse the vulnerability scanners used by cybercriminals is interactive. As well as causing problems for the cybercriminals and their tools, these methods have long been used by researchers to obtain information about the fraudsters and their goals.

There is a fairly clear distinction between interactive and “offensive” protection methods. The former imply interaction with attackers in order to detect them inside the protected infrastructure, divert their attention and lead them down the wrong track. The latter may include all the above plus exploitation of vulnerabilities on the attackers’ own resources (so-called “hacking-back”). Hacking-back is not only against the law in many countries (unless the defending side is a state organization carrying out law enforcement activities), it may also endanger third parties, such as users’ computers compromised by cybercriminals.

The use of interactive protection methods that don’t break the law and that can be used in an organization’s existing IT security processes makes it possible not only to discover if there is an intruder inside the infrastructure but also to create a threat profile. One such approach is Threat Deception – a set of methods, specialized solutions and processes that have long been used by researchers to analyze threats. In our opinion, this approach can also be used to protect valuable data inside the corporate network from targeted attacks.

Characteristics of targeted attacks

Despite the abundance of technology and specialized solutions to protect corporate networks, information security incidents continue to occur even in large organizations that invest lots of money to secure their information systems.
Part of the reason for these incidents is the fact that the architecture of automated security solutions, based on identifying patterns in general traffic flows or monitoring a huge number of endpoints, will sooner or later fail to recognize an unknown threat or a criminal stealing valuable data from the infrastructure. This may occur, for example, if the attacker has studied the specific features of a corporate security system in advance and identified a way of stealing valuable data that will go unnoticed by security solutions and will be lost among the legitimate operations of other users.

Another reason is the fact that APT attacks differ from other types of attacks: in terms of target selection and pinpoint execution, they are similar to surgical strikes, rather than the blanket bombing of mass attacks. The organizers of targeted attacks carefully study the targeted infrastructure, identifying gaps in configuration and vulnerabilities that can be exploited during an attack. With the right budget, an attacker can even deploy the products and solutions that are installed in the targeted corporate network on a testbed. Any vulnerabilities or flaws identified in the configuration may be unique to a specific victim. This allows cybercriminals to go undetected on the network and steal valuable data for long periods of time.

To protect against an APT, it is necessary not only to combat the attacker’s tools (utilities to analyze security status, malicious code, etc.) but to use specific behavioral traits on the corporate network to promptly detect their presence and prevent any negative consequences that may arise from their actions. Despite the fact that the attacker usually has enough funds to thoroughly examine the victim’s corporate network, the defending side still has the main advantage – full physical access to its network resources. And it can use this to create its own rules on its own territory for hiding valuable data and detecting an intruder.
After all, “locks only keep an honest person honest,” but with a motivated cybercriminal a lock alone is not enough – a watchdog is required to notify the owner about a thief before he has time to steal something.

Interactive games with an attacker

In our opinion, in addition to the obligatory conventional methods and technologies to protect valuable corporate information, the defensive side needs to build interactive security systems in order to get new sources of information about the attacker who, for one reason or another, has been detected inside the protected corporate network. Interactivity in a security system implies a reaction to the attacker’s actions. That reaction, for instance, may be adding the attacker’s resources to a blacklist (e.g. the IP addresses of the workstations from which the attack is carried out) or isolating compromised workstations from other network resources. An attacker who is looking for valuable data within a corporate network may be deliberately misled, or the tools used by the attacker, such as vulnerability scanners, could be tricked into leading them in the wrong direction.

Let’s assume that the defending side has figured out all the possible scenarios where the corporate network can be compromised and sets traps on the protected resource:

- a special tool capable of deceiving automated vulnerability scanners and introducing all sorts of “junk” (information about non-existent services or vulnerabilities, etc.) in reports;
- a web scenario containing a vulnerability that, when exploited, leads the attacker to the next trap (described below);
- a pre-prepared section of the web resource that imitates the administration panel and contains fake documents.

How can these traps help?
Below is a simple scenario showing how a resource with no special security measures can be compromised:

1. The attacker uses a vulnerability scanner to find a vulnerability on the server side of the protected infrastructure, for example, the ability to perform an SQL injection in a web application.
2. The attacker successfully exploits this vulnerability on the server side and gains access to the closed zone of the web resource (the administration panel).
3. The attacker uses the gained privileges to study the inventory of available resources, finds documents intended for internal use only and downloads them.

Let’s consider the same scenario in the context of a corporate network where the valuable data is protected using an interactive system:

1. The attacker searches for vulnerabilities on the server side of the protected infrastructure using automated means (vulnerability scanner and directory scanner). Because the defending side has pre-deployed a special tool to deceive scanning tools, the attacker has to spend time analyzing the scan results, after which the attacker finds a vulnerability – the trap on the server side of the protected infrastructure.
2. The attacker successfully exploits the detected vulnerability and gains access to the closed zone of the web resource (the administration panel). The attempt to exploit the vulnerability is recorded in the log file, and a notification is sent to the security service team.
3. The attacker uses the gained privileges to study the inventory of available resources, finds the fake documents and downloads them. The downloaded documents contain scripts that call the servers controlled by the defending side. The parameters of the call (source of the request, time, etc.) are recorded in the log file.

This information can then be used for attacker attribution (what type of information they are interested in, where the workstations used in the attack are located, the subnets, etc.) and to investigate the incident.
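The trap chain of the second scenario (a decoy vulnerability whose exploitation is logged and reported, a fake administration panel, and decoy documents that call home), as an added example that is not part of the original article. It is a standalone Python sketch; the decoy paths, the beacon URL prefix, the sample addresses and the SQL-injection signature are hypothetical values constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Decoy resources that no legitimate page links to and no user needs
# (hypothetical paths). Any request for them is suspicious by construction.
DECOY_PATHS = {
    "/admin-old/login.php": "fake admin panel",
    "/admin-old/docs/": "fake document inventory",
}
# Call-home URL prefix embedded in the fake documents (constructed value).
BEACON_PREFIX = "/beacon/"

# Deliberately crude signature for SQL-injection probes against the decoy
# login parameter; on a decoy resource a false positive costs nothing.
SQLI_RE = re.compile(r"('|%27|\bor\b\s+\d+=\d+|union\s+select|--)", re.I)


@dataclass
class Alert:
    when: str
    source_ip: str
    kind: str
    detail: str


@dataclass
class TrapLog:
    """In-memory stand-in for the log file and the security team notification."""
    alerts: list = field(default_factory=list)

    def record(self, source_ip, kind, detail):
        now = datetime.now(timezone.utc).isoformat()
        self.alerts.append(Alert(now, source_ip, kind, detail))


def handle_request(log, source_ip, path, query=""):
    """Answer one request the way the decoy server would and log every
    interaction with a trap. Returns (status, body)."""
    if path.startswith(BEACON_PREFIX):
        # A downloaded decoy document has been opened: record who and when.
        doc_id = path[len(BEACON_PREFIX):]
        log.record(source_ip, "document-opened", f"decoy document {doc_id}")
        return 204, ""
    if path in DECOY_PATHS:
        label = DECOY_PATHS[path]
        if SQLI_RE.search(query):
            log.record(source_ip, "exploit-attempt", f"SQLi probe on {label}: {query}")
            # Let the attempt appear to succeed so the intruder moves on to the
            # next trap (the fake admin panel) instead of looking elsewhere.
            return 302, "Location: /admin-old/docs/"
        log.record(source_ip, "decoy-access", f"{label} requested")
        return 200, f"<html><!-- {label} --></html>"
    return 404, "not found"


def attacker_profile(log):
    """Group trap events by source for attribution: which traps, in what order."""
    profile = {}
    for alert in log.alerts:
        profile.setdefault(alert.source_ip, []).append(alert.kind)
    return profile
```

Real deployments would write the alerts to the existing log pipeline and page the security team; the point of the sketch is that every trap event carries source, time and trap type, which is exactly the attribution data the scenario relies on.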
Detecting an attack by deceiving the attacker

Currently, in order to strengthen protection of corporate networks the so-called Threat Deception approach is used. The term ‘deception’ comes from the military sphere, where it refers to a combination of measures aimed at misleading the enemy about one’s presence, location, actions and intentions. In IT security, the objective of this interactive system of protection is to detect an intruder inside the corporate network, identifying their attributes and ultimately removing them from the protected infrastructure.

The threat deception approach involves the implementation of interactive protection systems based on the deployment of traps (honeypots) in the corporate network and exploiting specific features of the attacker’s behavior. In most cases, honeypots are set to divert the attacker’s attention from the truly valuable corporate resources (servers, workstations, databases, files, etc.). The use of traps also makes it possible to get information about any interaction between the attacker and the resource (the time interactions occur; types of data attracting the attacker’s attention, toolset used by the attacker, etc.).

However, it’s often the case that a poorly deployed trap inside a corporate network will not only be successfully detected and bypassed by the attackers but can serve as an entry point to genuine workstations and servers containing valuable information. Incorrect implementation of a honeypot in the corporate network can be likened to building a small house next to a larger building containing valuable data. The smaller house is unlikely to divert the attention of the attacker; they will know where the valuable information is and where to look for the “key” to access it. Simply installing and configuring honeypots is not enough to effectively combat cybercriminals; a more nuanced approach to developing scenarios to detect targeted attacks is required.
At the very least, it is necessary to carry out an expert evaluation of the attacker’s potential actions, to set honeypots so that the attacker cannot determine which resources (workstations, files on workstations and servers, etc.) are traps and which are not, and to have a plan for dealing with the detected activity. Correct implementation of traps and a rapid response to any events related to them make it possible to build an infrastructure where almost any attacker will lose their way (fail to find the protected information and reveal their presence).

Forewarned is forearmed

Getting information about a cybercriminal in the corporate network enables the defending side to take measures to protect their valuable data and eliminate the threat:

- to send the attacker in the wrong direction (e.g., to a dedicated subnet), thereby concealing valuable resources from their field of view, as well as obtaining additional information about the attacker and their tools, which can be used to investigate the incident further;
- to identify compromised resources and take all necessary measures to eliminate the threat (e.g., to isolate infected workstations from the rest of the resources on the corporate network);
- to reconstruct the chronology of actions and movements of the attacker inside the corporate network and to define the entry points so that they can be eliminated.

Conclusion

The attacker has an advantage over the defender, because they have the ability to thoroughly examine their victim before carrying out an attack. The victim doesn’t know where the attack will come from or what the attacker is interested in, and so has to protect against all possible attack scenarios, which requires a significant amount of time and resources. Implementation of the Threat Deception approach gives the defending side an additional source of information on threats thanks to resource traps.
The approach also minimizes the advantage enjoyed by the attacker due to both the early detection of their activity and the information obtained about their profile that enables timely measures to be taken to protect valuable data. It is not necessary to use prohibited “offensive security” methods, which could make the situation worse for the defending side if law enforcement agencies get involved in investigating the incident. Interactive security measures that are based on deceiving the attacker will only gain in popularity as the number of incidents in the corporate and public sector increases. Soon, systems based on the Threat Deception approach will become not just a tool of the researchers but an integral part of a protected infrastructure and yet another source of information about incidents for security services.
The newest big thing in security is the cross-platform multi-device security suite.
Instead of seeking out different products for your Windows, Mac, and mobile devices, you use the same multi-device subscription on all of them, and you can manage them from a central console.
Some offer a specific number of licenses, others aren't limited.

AVG Protection Free (2016) has the distinction of offering multi-device protection at no cost. However, that great price point can't outweigh the fact that the security protection it offers doesn't measure up to that of the top products in this field.

AVG Protection Free helps you manage installations of AVG's free antivirus products for Windows, Mac OS, and Android (sorry, no iOS support). You can choose a 30-day trial of the non-free AVG Protection (2016).
If you do so and then decide you want to keep the Pro features, you'll pay $59.99 per year for unlimited devices. McAfee LiveSafe (2016) lists for $89.99 per year, for unlimited devices, but it adds support for iOS and Blackberry, and its Mac support is a full suite, not just antivirus like AVG.

For that same $89.99 you could also choose a 10-license subscription for Symantec Norton Security Deluxe, with 25GB of hosted online backup as a bonus. None of the competing services offer a free edition, though.

Very Zen

As with the paid edition, installation of AVG Protection Free starts with AVG Zen, the management tool. You also need to create an online management account.

This account is what links all your devices through Zen. Like most of AVG's products, Zen uses color-coded circles to report your security status in various areas.

Four panels represent Protection, Performance, Safe Surf, and Web Tuneup.

A complete circle means you've got all available protection in the specified area; a partial circle means there's more you could add. When the circle is green, all's well with the world.
If it's yellow or red, the specified component needs attention. I installed AVG Protection on a Windows 8.1 test system, opting to go straight to the free edition rather than start a 30-day trial of the paid version.

As soon as Zen was installed, it started a background installation of the free antivirus. Once that installation completed, I got a three-quarter green circle in the Protection panel.

Completing that circle would require upgrading to the paid edition, so I left it alone. Clicking the Web TuneUp panel smoothly installed that feature on my browsers, giving me a complete green circle in that panel. Web TuneUp warns when you're about to visit an iffy or dangerous site, actively prevents tracking of your Web surfing habits, and lets you clear your browser history with one click. Safe Surf, AVG's VPN, is an extra cost, so that panel stayed blank.

As for the Performance panel, clicking that one installed AVG PC TuneUp. Note, though, that this is a one-day free trial, so don't start it until you have some free time to exercise this tool's powerful performance enhancement features. Extending protection to additional devices is a snap. You click a button to start the process, choose Windows, Mac OS, or Android, and send an email to an account used on the device in question.

The email contains a link to download the appropriate app.
Install Zen, install the antivirus, and link the installation to your account by logging in.

That's it.

The new device shows up in Zen's lineup across the top. You can check the status of any device by clicking it, and you can even remotely launch a scan or an update.

Protection for Windows

On your Windows devices, AVG Protection installs AVG AntiVirus Free (2016).

Do please read that review for full details on the antivirus.
I will summarize my findings here. All five of the antivirus testing labs I follow include AVG in their evaluations. My aggregate lab test score calculation for AVG gives it 8.4 of 10 possible points. Kaspersky holds the best aggregate score, 9.7 points. In my own hands-on testing, AVG earned 8.8 of 10 possible points, which is good, but not at the top.

Top score among products tested with the same samples goes to Bitdefender Total Security 2016, with 9.3 points.

Tested against a newer sample set, Webroot SecureAnywhere Internet Security Complete (2016) managed a perfect 10. In my malicious URL blocking test, AVG blocked 73 percent of the samples.
Symantec Norton Security Premium blocked 91 percent of the malware downloads, and Avira Antivirus Pro 2016 fended off 99 percent.
In my antiphishing test, AVG lagged 28 percentage points behind Norton. This product's antivirus protection isn't quite as good as the very best commercial antivirus tools, but it's impressive for a free antivirus.

AVG AntiVirus Free is an Editors' Choice for free antivirus, sharing that honor with Avast Free Antivirus 2016 and Panda Free Antivirus (2016).

Protection for Android

To get a feel for AVG's Android protection, I sent a link to a Nexus 9 that I use for testing.

The user interface has changed since we reviewed AVG AntiVirus Security (for Android); no more color-coded circles! But the feature set remains effectively the same; refer to that review for additional details. Zen on the tablet retains those familiar circles, and works just as it does on Windows. For a complete installation, you need to enable Anti-Theft and make AVG a Device Administrator. You'll probably also want to click the link that installs the free AVG Cleaner for Android.

As with AVG Protection itself, you can opt to get a 30-day trial of the paid edition.
I chose not to do so, and therefore found myself viewing banner ads across the bottom of the app's display. AVG scans your apps for malware and can optionally scan external storage.
It also finds and flags problems with security settings, offering instructions for correcting configuration errors.

The Safe Web Surfing feature steers your browser away from malicious and fraudulent URLs. Performance features include a task killer, to save battery life by ending unnecessary tasks, as well as a battery power tracker with an option to automatically turn off power-hungry features when battery power gets low.

AVG can also track your storage usage and monitor use of your data plan by apps. There's probably a better chance your Android device will be lost or stolen than that it will suffer a malware attack.

AVG offers a full-scale anti-theft component. You can use coded text messages or the online console to remotely locate, lock, or wipe the device, or trigger a noise to help you find a mislaid tablet.

That's it for the free edition.

The for-pay edition adds Camera Trap, which snaps a thief's photo, and can also lock the device if a thief removes the SIM card.
It can protect private data and user-specified apps with a PIN code.

And it can back up your apps to an SD card. The free app installed by AVG Protection Free includes antivirus and anti-theft, the pillars of an Android security product, but lacks a number of useful features from the paid app. Our Editors' Choice products for Android antivirus are Norton Security and Antivirus (for Android) and Bitdefender Mobile Security and Antivirus (for Android). Like AVG, both of these offer a free edition with only the most necessary features.

Mac Protection

AVG AntiVirus (for Mac) is a free product. You could download and install it without any connection to AVG Protection, but then you'd miss out on the remote-control power of AVG Zen. This free, simple product offers protection against viruses and other types of malware.
It scans on demand and in real time.

To make sure your other devices don't get infected by way of the Mac, it looks for PC and Android malware as well.

And of course you'll find the user interface familiar. Keep those circles green! Norton gives Mac users rather more in the way of features.
It includes a firewall, a vulnerability scanner, and password protection for files, among other things. McAfee LiveSafe is somewhere between, with antivirus, firewall, Web reputation reporting, and password management.

Free Isn't Enough

I rated the paid AVG Protection three stars, meaning it's good, but not outstanding.

For Windows devices, the paid edition installs AVG Internet Security, which doesn't rate as highly as the free antivirus because other components don't measure up.

Android protection in the paid edition is good, but Macs just get a simple always-free antivirus. With AVG Protection Free, the Android app loses Pro-only features and PCs just get a free antivirus—a good one—rather than a full security suite.
It's great that this product is free, and you still get the helpful remote management of AVG Zen, but competing (paid) cross-platform suites offer so much more.
In this instance, you really do get what you pay for. Symantec Norton Security Deluxe excels in just about every area and comes with 25GB of hosted online storage.
It protects PCs and Macs with a full security suite, and its Android version is an Editors' Choice. Where Symantec lets you protect 10 devices, McAfee LiveSafe puts no limit on the number of Windows, Mac OS, Android, iOS, and Blackberry devices you can connect.

These two are our Editors' Choice cross-platform multi-device security suites.