Today’s Internet is a hectic place. A lot of different web technologies and services are “glued together” and help users shop online, watch the newest movies, or stream the newest hits while jogging. But these (paid) services are also constantly threatened by attackers – and no company, no matter how big, is completely immune. Take the recent Twitter compromise as an example: the attackers hijacked a number of influential Twitter accounts, including those belonging to …
Specops Password Policy is a powerful tool for overcoming the limitations of the default password policies present in Microsoft Active Directory environments. To be fair, Microsoft did revise and upgrade the default password policy and introduced additional, granular fine-tuning options over the years, but for some enterprise environments that’s still not enough, so Specops Password Policy to the rescue!
For the purpose of this review, the installation was done on a server containing all necessary services: Specops Sentinel – a password filter that is installed on all domain controllers, and Specops Password Policy admin tools. Keep in mind that this can be split onto different servers if needed. If you purchased Breached Password Protection, you’ll need to install Specops Arbiter as well.
The setup process is smooth, and you can expect to be up and running within the hour. As you can see from the image below, the standard requirements are modest and should not be a problem for any enterprise environment that requires such a solution.
Figure 1. Specops Password Policy minimum requirements
Password policy templates
When you start with Specops Password Policy Domain Administration, you’ll notice four predefined password policy templates you can choose from:
Figure 2. Specops Password Policy Domain Administration including default templates
These templates are convenient for a fast setup but, naturally, you can take them to another level by customizing them. If you’re working in an environment that needs to meet specific regulatory standards, the provided templates can be a lifesaver. Even if you can’t or don’t want to use these policies, you can use them as a base to strengthen your policy or create a policy compatible with your environment.
Let’s create a new, blank policy to see what the process looks like. Creating one will take you to the Group Policy editor:
Figure 3. Specops Password Policy inside the Group Policy editor
If you find it familiar, it’s because it is the same environment where you would change your default password policy inside Active Directory. The one key difference here is that Specops Password Policy applies password settings to the user part of group policy rather than computer. This makes more sense as it’s the users that generally set bad passwords rather than machines.
After testing the options and thinking how this would fit into my network, I have to commend Specops for not unnecessarily complicating things and choosing to go with a workflow most system administrators are familiar with.
When I opened Specops Password Policy inside the Group Policy editor, I was pleasantly surprised to see that it supports the use of passphrases. More importantly, it also offers assistance for handling them (something that Active Directory does not). You can use regular expressions to define what a passphrase means to your organization, e.g., 3 words with at least 6 characters in each word, no repeated words, and no patterns such as 111111 or 222222.
Figure 4, 5. Passphrase support and password options
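The passphrase rules described above, turned into a checker, as an added example that is not Specops code: it applies the 3-words / 6-characters / no-repeated-words / no-111111 rules, and additionally flags straight runs such as 123456 or abcdef, which goes beyond the text. The thresholds and the sample passphrases are constructed.

```python
"""Passphrase rule check modelled on the policy described in the review.

Added example (not Specops code). Rules assumed from the text:
  * at least 3 words, each at least 6 characters,
  * no word repeated (case-insensitive),
  * no repeated-character patterns such as 111111 or 222222.
The sequential-run check (123456, abcdef) is an extra rule, not from the text.
"""
import re
from typing import List

MIN_WORDS = 3        # constructed threshold
MIN_WORD_LEN = 6     # constructed threshold

# Words are runs of letters/digits; spaces, hyphens and punctuation separate them.
WORD_RE = re.compile(r"[A-Za-z0-9]+")
# One character repeated four or more times in a row (111111, aaaa, ...).
REPEAT_RE = re.compile(r"(.)\1{3,}")


def _is_sequential(word: str, run: int = 4) -> bool:
    """True if `word` contains `run` consecutive characters stepping by +1 or -1."""
    for i in range(len(word) - run + 1):
        chunk = word[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_passphrase(passphrase: str) -> List[str]:
    """Return the list of rule violations; an empty list means the passphrase is compliant."""
    violations: List[str] = []
    words = WORD_RE.findall(passphrase)

    if len(words) < MIN_WORDS:
        violations.append(f"needs at least {MIN_WORDS} words, found {len(words)}")

    short = [w for w in words if len(w) < MIN_WORD_LEN]
    if short:
        violations.append(f"words shorter than {MIN_WORD_LEN} chars: {', '.join(short)}")

    lowered = [w.lower() for w in words]
    if len(set(lowered)) != len(lowered):
        violations.append("repeated words are not allowed")

    if REPEAT_RE.search(passphrase):
        violations.append("repeated-character pattern such as 111111")

    if any(_is_sequential(w) for w in words):
        violations.append("sequential pattern such as 123456 or abcdef")

    return violations


if __name__ == "__main__":
    # Constructed sample passphrases, one compliant and three non-compliant.
    for candidate in ("purple-lantern meadow sunrise",
                      "horse horse battery 111111",
                      "abcdef ghijkl mnopqr",
                      "Password"):
        result = check_passphrase(candidate) or ["compliant"]
        print(f"{candidate!r}: {'; '.join(result)}")
```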
The General Settings menu offers familiar settings for anyone that’s used to working with the Group Policy Editor in an Active Directory environment. A neat addition here is the “client message” option, which allows you to create a custom message to be shown on the Active Directory logon screen in case the password policy requirements are not met.
Figure 6. General Settings with options and client message notification
The Password Expiration tab offers a wealth of options, including the maximum password age, password expiration notifications, and so on. A key feature here is the length-based password aging rule: the longer the password, the longer the user gets to keep it. It can be a real incentive to encourage users to move to passphrases.
Figure 7. Options for password expiration rules and password expiration notifications
The Password Rules menu adds granularity to the password rules, which should allow for virtually any password policy scenario. Worth noting is that dictionaries of forbidden words can be used, either by creating a custom dictionary or by downloading dictionaries provided by Specops.
Figure 8. Regulating password rules requirements in one place
Figure 9. Additional protection from users trying to subvert the password policy
Breached Password Protection
A great set of options is found under Breached Password Protection. In a nutshell, it allows the system to compare an Active Directory password to a list of known breached passwords. As might be expected, passwords are hashed in the process.
If a password is discovered in the breached password list, the action triggers the delivery of notifications/alerts.
Figure 10. Breached Password Protection Complete API
Figure 11. Breached Password Protection Express List
With the API, Specops Password Policy supports both email and SMS notifications. When using the Express List (a downloadable passwords list) you can use only email notifications.
I realize there’s a narrow application for it, but I would like to see support for custom SMS gateways in future versions, as large enterprises might find this useful. Specops Software tells me that since there’s no extra cost involved for using the SMS notification feature they’ve never been asked to provide a custom SMS platform.
The latest version of Specops Password Policy comes with several powerful new features: PowerShell cmdlets and a security scanner.
Leaked password scanning
While PowerShell support is nothing new to Specops Password Policy, the latest version brings us powerful new cmdlets:
- Get-SppPasswordExpiration and Get-PasswordPolicyAffectingUser are user-related cmdlets enabling checks which until now could not be requested nor scripted through PowerShell. I found them rather useful during troubleshooting while trying to discern why a certain policy was not working as intended. Using cmdlets with pretty self-explanatory names is much faster than going through the menus of a newly installed application.
- Get-SppPasswordExpiration checks for the password expiration date, returning the date and reliability of the password.
- Get-PasswordPolicyAffectingUser – if you have ever handled a multi-policy environment, you know that something as simple as knowing the exact policies applied to a user can be the difference between solving an issue and entering a virtually endless troubleshooting loop. You just need to provide the username in sAMAccountName or userPrincipalName format, and the cmdlet returns GpoID, GpoName, and the password policy name.
- Start-PasswordPolicyLeakedPasswordScanning – As is evident from the name, it starts scanning for leaked passwords in your Active Directory environment. Even though this feature is present in the Domain Admin tool, this cmdlet is useful as it can be scripted and delayed, which is ideal for administrators working in large environments. After running the cmdlet, all users that are non-compliant with the policy will be notified on their next logon to change their password. Leaked password scanning requires the Specops Breached Password Protection license.
Figure 12. All available Specops Password Policy cmdlets
Looking after your passwords
Specops Software maintains a comprehensive list of leaked passwords based on numerous sources. It contains billions of passwords and is often updated.
Breached Password Protection can be configured with two settings: Breached Password Protection Complete and Breached Password Protection Express.
The Complete setting comes with a master list of leaked passwords that is stored in the cloud. If a user changes their password to one that can be found on the list, a notification is sent via email or SMS, and they are forced to change their password the next time they log in. For this, you’ll need .NET 4.7.1 and Windows Server 2012 R2 or later, with an installation of Specops Arbiter and an API key.
Breached Password Protection Express downloads a subset of the list of leaked passwords, updated usually every 6 months. This also means administrators will need to manually check for updates and initiate a download of the updated list. Users are also immediately prevented from changing their password to a password found in the leaked list.
Length-based password expiration
Specops has found a way to reward security-conscious users by extending the timeframe for mandated password change.
Figure 13. The longer the password, the later it expires
Users can be notified of their upcoming mandated password change. As the timeframe for the mandated password change is dictated by password length, notifying users is of great importance, as it helps them prepare in advance. The notification can be shown to users using regular Active Directory resources, on the logon screen or via email. For both methods you can define the number of days before the mandated password change that the notification is shown or sent.
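The length-based aging rule and the notification window described in this section, worked through as an added example that is not Specops code. The length tiers, the maximum ages and the 14-day notification window are constructed values standing in for whatever an administrator configures in the Password Expiration tab.

```python
"""Length-based password aging: longer passwords may be kept longer.

Added example (not Specops code). All thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AgingTier:
    min_length: int    # passwords of at least this length...
    max_age_days: int  # ...may be kept this many days before a mandated change


# Constructed tiers, sorted by min_length: the longer the password, the later it expires.
TIERS: List[AgingTier] = [
    AgingTier(min_length=8, max_age_days=90),
    AgingTier(min_length=12, max_age_days=180),
    AgingTier(min_length=16, max_age_days=365),
    AgingTier(min_length=20, max_age_days=730),
]

NOTIFY_DAYS_BEFORE = 14  # constructed: show/send the notification 14 days before expiry


def max_age_for_length(length: int, tiers: List[AgingTier] = TIERS) -> int:
    """Return the maximum age (days) granted by the highest tier the length satisfies."""
    applicable = [t for t in tiers if length >= t.min_length]
    if not applicable:
        # Below the shortest tier the password would not pass the policy at all.
        raise ValueError(f"length {length} is below the shortest tier ({tiers[0].min_length})")
    return max(applicable, key=lambda t: t.min_length).max_age_days


def expiry_date(password_length: int, last_set: date) -> date:
    """Date on which a password of the given length, set on `last_set`, expires."""
    return last_set + timedelta(days=max_age_for_length(password_length))


def expiration_status(password_length: int, last_set: date, today: date) -> Dict[str, object]:
    """Describe where a password stands today: expiry date, days left, notify/expired flags."""
    exp = expiry_date(password_length, last_set)
    days_left = (exp - today).days
    return {
        "expires_on": exp,
        "days_left": days_left,
        "expired": days_left < 0,
        # Notify only inside the configured window, and only while still valid.
        "notify": 0 <= days_left <= NOTIFY_DAYS_BEFORE,
    }


if __name__ == "__main__":
    set_on = date(2020, 1, 1)  # constructed "password last set" date
    for length in (8, 12, 16, 20):
        print(f"length {length:>2}: expires {expiry_date(length, set_on)}")
    print(expiration_status(8, set_on, date(2020, 3, 20)))
```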
This is a security scanner for Active Directory, and it’s such a simple yet invaluable tool. It is included in Specops Password Policy and is also available as standalone freeware. It groups all the password security issues found inside your Active Directory. This at-a-glance overview essentially points out all the things you need to worry about, and it’s the place to quickly discover a problem you might not be aware of, such as a password being on a leaked list.
Specops has chosen a smart way of aggregating the important areas around password security and policies, showing the most relevant issues and offering quick insight into potential problems.
Figure 14. A closer look at expiring passwords
Once you’re aware of all the issues, you can quickly focus on what’s critical. I find this to be an easy way to audit your Active Directory environment for a variety of issues at the same time.
After testing Specops Password Policy for a week in a variety of scenarios, I can definitely say we’re talking about a formidable solution. Not only does it make the process of strengthening the password policies better while being simple to use, but it can detect and resolve issues you might not be aware of in the first place.
I can highly recommend Specops Password Policy for any Active Directory environment, and I would go as far as to say it’s a necessity for complex environments dealing with compliance regulations, as well as specific password policy requirements. This solution can raise the security level of any Active Directory environment, and you can’t argue about the benefits of better security, can you?
Vulnerability scanners can be a very useful addition to any development or operations process. Since a typical vulnerability scanner needs to detect vulnerabilities in deployed software, they are (generally) not dependent on the language or technology used for the application they are scanning.
This often doesn’t make them the top choice for detecting a large number of vulnerabilities, or for detecting fickle bugs or business logic issues, but it makes them great and very common tools for testing a large number of diverse applications, where such dynamic application security testing tools are indispensable. This includes testing for security defects in software that is currently being developed as part of an SDLC process, reviewing third-party applications that are deployed inside one’s network (as part of a due diligence process) or – most commonly – finding issues in all kinds of internally developed applications.
We reviewed Netsparker Enterprise, which is one of the industry’s top choices for web application vulnerability scanning.
Netsparker Enterprise is primarily a cloud-based solution, which means it will focus on applications that are publicly available on the open internet, but it can also scan in-perimeter or isolated applications with the help of an agent, which is usually deployed in a pre-packaged Docker container or a Windows or Linux binary.
To test this product, we wanted to know how Netsparker handles a few things:
1. Scanning workflow
2. Scan customization options
3. Detection accuracy and results
4. CI/CD and issue tracking integrations
5. API and integration capabilities
6. Reporting and remediation efforts.
To assess the tool’s detection capabilities, we needed a few targets to scan and assess.
After some thought, we decided on the following targets:
1. DVWA – Damn Vulnerable Web Application – An old-school extremely vulnerable application, written in PHP. The vulnerabilities in this application should be detected without an issue.
3. Vulnapi – A Python 3-based vulnerable REST API, written in the FastAPI framework running on the Starlette ASGI server, featuring a number of API-based vulnerabilities.
After logging in to Netsparker, you are greeted with a tutorial and a “hand-holding” wizard that helps you set everything up. If you worked with a vulnerability scanner before, you might know what to do, but this feature is useful for people that don’t have that experience, e.g., software or DevOps engineers, who should definitely use such tools in their development processes.
Initial setup wizard
Scanning targets can be added manually or through a discovery feature that will try to find them by matching the domain from your email, websites, reverse IP lookups and other methods. This is a useful feature if other methods of asset management are not used in your organization and you can’t find your assets.
New websites or assets for scanning can be added directly or imported via a CSV or a TXT file. Sites can be organized in Groups, which helps with internal organization or per project / per department organization.
Adding websites for scanning
Scans can be defined per group or per specific host. Scans can be either defined as one-off scans or be regularly scheduled to facilitate the continuous vulnerability remediation process.
To better guide the scanning process, the classic scan scope features are supported. For example, you can define specific URLs as “out-of-scope” either by supplying a full path or a regex pattern – a useful option if you want to skip specific URLs (e.g., logout, user delete functions). Specific HTTP methods can also be marked as out-of-scope, which is useful if you are testing an API and want to skip DELETE methods on endpoints or objects.
Initial scan configuration
Scan scope options
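The scope rules described above (out-of-scope URLs by full path or regex, and excluded HTTP methods), modelled as a filter a scanner would apply before sending each crawled request. This is an added example, not Netsparker code; the scope definition, the host name and the sample requests are constructed.

```python
"""Scan-scope filter modelled on the out-of-scope options described in the review.

Added example (not Netsparker code). A ScanScope holds exact-path exclusions,
regex exclusions and excluded HTTP methods; in_scope() decides per request.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Pattern, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class ScanScope:
    base_host: str                                        # only this host is in scope
    excluded_paths: Set[str] = field(default_factory=set)  # full-path exclusions
    excluded_patterns: List[Pattern[str]] = field(default_factory=list)  # regex exclusions
    excluded_methods: Set[str] = field(default_factory=set)  # e.g. {"DELETE"} for APIs

    def in_scope(self, method: str, url: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Host, method, exact path, then regex are checked in order."""
        parts = urlsplit(url)
        if parts.hostname != self.base_host:
            return False, "different host"
        if method.upper() in self.excluded_methods:
            return False, f"method {method.upper()} excluded"
        if parts.path in self.excluded_paths:
            return False, f"path {parts.path} excluded"
        for pat in self.excluded_patterns:
            if pat.search(parts.path):
                return False, f"path matches /{pat.pattern}/"
        return True, "ok"


def split_requests(scope: ScanScope, requests: Iterable[Tuple[str, str]]):
    """Partition crawled (method, url) pairs into those the scanner may send and those it must skip."""
    allowed: List[Tuple[str, str]] = []
    skipped: List[Tuple[str, str, str]] = []
    for method, url in requests:
        ok, reason = scope.in_scope(method, url)
        (allowed.append((method, url)) if ok else skipped.append((method, url, reason)))
    return allowed, skipped


# Constructed scope: skip logout and user-delete functions, never send DELETE.
SCOPE = ScanScope(
    base_host="app.example.test",
    excluded_paths={"/logout"},
    excluded_patterns=[re.compile(r"/users/\d+/delete$")],
    excluded_methods={"DELETE"},
)

# Constructed crawl output.
SAMPLE_REQUESTS = [
    ("GET", "https://app.example.test/login"),
    ("POST", "https://app.example.test/logout"),
    ("GET", "https://app.example.test/api/users/42"),
    ("DELETE", "https://app.example.test/api/users/42"),
    ("GET", "https://app.example.test/admin/users/42/delete"),
    ("GET", "https://cdn.example.test/static/app.js"),
]

if __name__ == "__main__":
    allowed, skipped = split_requests(SCOPE, SAMPLE_REQUESTS)
    for method, url in allowed:
        print(f"SEND {method:<6} {url}")
    for method, url, reason in skipped:
        print(f"SKIP {method:<6} {url}  ({reason})")
```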
One feature we quite liked is the support for uploading the “sitemap” or specific request information into Netsparker before scanning. This feature can be used to import a Postman collection or an OpenAPI file to facilitate scanning and improve detection capabilities for complex applications or APIs. Other formats such as CSV, JSON, WADL, WSDL and others are also supported.
For the red team, loading links and information from Fiddler, Burp or ZAP session files is supported, which is useful if you want to expand your automated scanning toolbox. One limitation we encountered is the inability to point to a URL containing an OpenAPI definition – a capability that would be extremely useful for automated and scheduled scanning workflows for APIs that have Swagger web UIs.
Scan policies can be customized and tuned in a variety of ways, from the languages that are used in the application (ASP/ASP.NET, PHP, Ruby, Java, Perl, Python, Node.js and Other), to database servers (Microsoft SQL Server, MySQL, Oracle, PostgreSQL, Microsoft Access and Others), to the standard choice of Windows- or Linux-based OSes. Scan optimizations should improve the detection capability of the tool, shorten scanning times, and give us a glimpse of where the tool should perform best.
The next important question is, does it blend… or integrate? From an integration standpoint, sending email and SMSes about the scan events is standard, but support for various issue tracking systems like Jira, Bitbucket, Gitlab, Pagerduty, TFS is available, and so is support for Slack and CI/CD integration. For everything else, there is a raw API that can be used to tie in Netsparker to other solutions if you are willing to write a bit of integration scripting.
One really well-implemented feature is the support for logging into the testing application, as the inability to hold a session and scan from an authenticated context in the application can lead to a bad scanning performance.
Netsparker has the support for classic form-based login, but 2FA-based login flows that require TOTP or HOTP are also supported. This is a great feature, as you can add the OTP seed and define the period in Netsparker, and you are all set to scan OTP protected logins. No more shimming and adding code to bypass the 2FA method in order to scan the application.
Custom scripting workflow for authentication
If we had to nitpick, we might point out that it would be great if Netsparker also supported U2F / FIDO2 implementations (by software emulating the CTAP1 / CTAP2 protocol), since that would cover the most secure 2FA implementations.
In addition to form-based authentication, Basic, NTLM/Kerberos, header-based (for JWTs), client certificate and OAuth2-based authentication are also supported, which makes it easy to authenticate to almost any enterprise application. The login / logout flow is also verified and supported through a custom dialog, where you can verify that the supplied credentials work, and you can configure how to retain the session.
Login verification helper
And now for the core of this review: what Netsparker did and did not detect.
In short, everything from DVWA was detected, except broken client-side security, which by definition is almost impossible to detect with security scanning if custom rules aren’t written. So, from a “classic” application point of view, the coverage is excellent, even the out-of-date software versions were flagged correctly. Therefore, for normal, classic stateful applications, written in a relatively new language, it works great.
One interesting point for vulnerability detection is that Netsparker uses an engine that tries to verify if the vulnerability is exploitable and will try to create a “proof” of vulnerability, which reduces false positives.
On the negative side, no vulnerabilities in WebSocket-based communications were found, and neither was the API endpoint that implemented insecure YAML deserialization with PyYAML. By reviewing the Netsparker knowledge base, we also found that there is no support for WebSockets and deserialization vulnerabilities.
That’s certainly not a dealbreaker, but something that needs to be taken into account. This also reinforces the need to use a SAST-based scanner (even if just a free, open source one) in the application security scanning stack, to improve test coverage in addition to other, manual security review processes.
Multiple levels of detail (from extensive, through executive summary, to PCI-DSS level) are supported, in both PDF and HTML export formats. One nice feature we found is the ability to create F5 and ModSecurity rules for virtual patching. Also, scanned and crawled URLs can be exported from the reporting section, so it’s easy to review whether your scanner hit any specific endpoints.
Scan results dashboard
Scan result details
Instead of describing the reports, we decided to export a few and attach them to this review for your enjoyment and assessment. All of them have been submitted to VirusTotal for our more cautious readers.
Netsparker’s reporting capabilities satisfy our requirements: the reports contain everything a security or AppSec engineer or a developer needs.
Since Netsparker integrates with JIRA and other ticketing systems, the general vulnerability management workflow for most teams will be supported. For lone security teams, or where modern workflows aren’t integrated, Netsparker also has an internal issue tracking system that lets the user track the status of each found issue and run rescans against specific findings to see if mitigations were properly implemented. So even if you don’t have other methods of triage or processes set up as part of an SDLC, you can manage everything through Netsparker.
Netsparker is extremely easy to set up and use. The wide variety of integrations allows it to be integrated into any number of workflows or management scenarios, and the integrated features and reporting capabilities have everything you would want from a standalone tool. As far as features are concerned, we have no objections.
The login flow – the simple interface, the 2FA support all the way to the scripting interface that makes it easy to authenticate even in the more complex environments, and the option to report on the scanned and crawled endpoints – helps users discover their scanning coverage.
Taking into account the fact that this is an automated scanner that relies on “black boxing” a deployed application without any instrumentation of the deployed environment or source code scanning, we think it is very accurate, though it could be improved (e.g., by adding the capability of detecting deserialization vulnerabilities). Following the review, Netsparker confirmed that adding the capability of detecting deserialization vulnerabilities is included in the product development plans.
Nevertheless, we can highly recommend Netsparker.
Andrew Magnusson started his information security career 20 years ago and he decided to offer the knowledge he accumulated through this book, to help the reader eliminate security weaknesses and threats within their system.
As he points out in the introduction, bugs are everywhere, but there are actions and processes the reader can apply to eliminate or at least mitigate the associated risks.
The author starts off by explaining vulnerability management basics, the importance of knowing your network and the process of collecting and analyzing data.
He explains the importance of a vulnerability scanner and why it is essential to configure and deploy it correctly, since it gives valuable information for successfully completing a vulnerability management process.
The next step is to automate the processes, which prioritizes vulnerabilities and gives time to work on more severe issues, consequently boosting an organization’s security posture.
Finally, it is time to decide what to do with the vulnerabilities you have detected, which means choosing the appropriate security measures, whether it’s patching, mitigation or systemic measures. When the risk has a low impact, there’s also the option of accepting it, but this still needs to be documented and agreed upon.
The important part of this process, and perhaps also the hardest, is building relationships within the organization. The reader needs to respect office politics and make sure all the decisions and changes they make are approved by the superiors.
The second part of the book is practical, with the author guiding the reader through the process of building their own vulnerability management system with a detailed analysis of the open source tools they need to use such as Nmap, OpenVAS, and cve-search, everything supported by coding examples.
The reader will learn how to build an asset and vulnerability database and how to keep it accurate and up to date. This is especially important when generating reports, as those need to be based on recent vulnerability findings.
Who is it for?
Practical Vulnerability Management is aimed at security practitioners who are responsible for protecting their organization and tasked with boosting its security posture. It is assumed they are familiar with Linux and Python.
Despite the technical content, the book is an easy read and offers comprehensive solutions to keeping an organization secure and always prepared for possible attacks.
Malcolm McDonald, with his 20 years of experience in programming, poured his knowledge into this book to offer comprehensive information about everything a developer needs to know to do their job properly and thoroughly.
After a short lesson in internet history, the author puts the reader in the shoes of the attacker and explains how simple it is to hack a website, as well as how easy it is to obtain and apply hacking tools.
The author proceeds to offer basic knowledge about how the internet, browsers, web servers and programmers work.
Every following chapter explains major vulnerabilities and how to fix them, but also the various types of attacks, describing the damage they can cause. To help the reader better understand these processes, the author added coding examples.
Luckily, tools needed to help secure a website are also freely accessible and easily implemented.
As he points out, the goal is not only to protect a website but also to make it safe for the users. This means, besides preventing major system compromises, it is crucial to simultaneously protect users’ data by securely storing it, requesting authentication and implementing encryption.
Who is this book for?
Whether you’re just starting out in your career as a web developer or are a seasoned pro, Web Security for Developers: Real Threats, Practical Defense will provide all the necessary information about the possible and imminent threats you will face and how to prepare yourself and your team to avoid them.
Although the content is very technical and covers coding and programming topics, the book reads easily and provides essential knowledge to aspiring web developers.
Dr. Chase Cunningham holds a Ph.D. and M.S. in computer science from Colorado Technical University and a B.S. from American Military University focused on counter-terrorism operations in cyberspace. He is a retired U.S. Navy chief with more than 20 years’ experience in cyber forensic and cyber analytic operations, and has spent time in work centers within the NSA, CIA, FBI, and other government agencies.
He has served as a director of cyber threat intelligence operations at Armor and was the computer network exploitation lead for Telecommunication Systems and the chief of cyber analytics for Decisive Analytics. He is currently a cybersecurity principal analyst at Forrester.
Cyber Warfare – Truth, Tactics, and Strategies
To help the reader understand the scale of today’s cyber threats, the author explains the history behind them and how they kept pace with the evolution of information and communications technologies, as these became an essential part of our everyday lives.
Many future battles will be fought with cyber weapons, narrowing the resources and capabilities gap that long existed between rich and poor nations. All of them can now effectively bring their enemy down.
The author describes the flaws of the networks we have built, why cybersecurity is a never-ending pursuit and specifically why perimeter-based security is no longer a good option in the era of remote working and BYOD.
He digs deep into the reality of today, from the use of social media with malicious intent by exploiting the power of influence, to the abuse of deepfakes, AI, ML, and misinformation.
He emphasizes the importance of strategy in cyber warfare. Just like warfare in the physical space, a change in tactics is essential. One must adapt to new circumstances posed by the cyber enemy.
To help the reader better understand this issue, he correlates cyber attack tactics and techniques with real life (military) examples from the Iraq War.
The author also illustrates tools and technologies that can be useful to boost the security posture of an organization and help respond quickly and effectively to a potential cyber threat.
Though not in the traditional sense, this is a war, and only those who are well prepared and have a good strategy in place will be left standing.
The book ends with a list of major cyber incidents throughout 2019.
Who is it for?
Cybersecurity experience is assumed, so the book is primarily aimed at cybersecurity professionals who are interested in gaining knowledge about how to improve their organization’s cyber resilience and be prepared for possible threats.
It’s also a great read for those who are concerned about their security in the digital world, especially when it comes to social media. It’s an issue that affects all of us and the author has provided essential information in a very comprehensive way.
Tim Rains, who formerly held many essential roles at Microsoft and is currently working at Amazon Web Services as Regional Leader for Security and Compliance Business Acceleration for EMEA, had the opportunity to gain knowledge from and advise thousands of organizations and enterprises about incident response and threat intelligence.
Cybersecurity Threats, Malware Trends, and Strategies
He starts the book by explaining the importance of a cybersecurity strategy and why it should be implemented, but also how security leaders should learn from the past by using vulnerability disclosure data to help them build their own strategy and avoid making mistakes that others have already made.
He then proceeds to give readers an idea of how the threat landscape has evolved and the types of malware they could encounter. Only by knowing their variety and frequency is it possible to define an efficient cybersecurity strategy. Readers will also find out about internet-based threats, how they evolved and what the most common attack methods used by cybercriminals are.
The author uses the Cybersecurity Fundamentals Scoring System to evaluate the efficiency of every cybersecurity strategy, explaining them in detail and pointing out advantages and disadvantages.
Clearly, one size doesn’t fit all. The right strategy is the one that fits an organization and helps protect what is most valuable for that particular organization.
CISOs must be meticulous to get the best results in protecting their organization, but also aligned with the executives to understand the objectives of the business and how to make it thrive while being fully protected. This is the greatest challenge for every CISO.
He then describes the implementation of an attack-centric strategy, since it holds the highest Cybersecurity Fundamentals Scoring System score. He focuses on the intrusion kill chain and the different stages used by attackers, and finally measures the performance and efficacy of the above strategy.
The final chapter is dedicated to the cloud and why it is the best choice for enterprises to mitigate common risks, and the best tools cybersecurity teams can use to protect cloud data.
Who is it for?
The book is mainly aimed at CISOs, CIOs, CTOs but also others responsible for the cybersecurity of their organization, presuming they have basic IT knowledge.
If you’re looking for a book that’s easy to read but has a lot of useful information and may give you some new perspectives on cybersecurity, this is the right one for you.
It’s 2020 and the importance of vulnerability management should go without saying. In fact, knowing your assets and performing continuous vulnerability management are two of the Top 20 Critical Security Controls delineated by the Center for Internet Security (CIS).
This is a review of Qualys VMDR (Vulnerability Management, Detection, and Response), an integrated solution for:
- Detecting and identifying your assets
- Vulnerability identification and assessment
- Prioritization of vulnerability remediation efforts
- Finding missing patches and misconfigurations responsible for the vulnerabilities identified
- Patch prioritization and easy deployment of software patches
Qualys VMDR really shines in a hybrid environment of cloud instances (e.g. Amazon AWS EC2s), multiple offices and a remote workforce. Where such a large number of distributed devices is involved, Qualys VMDR minimizes the hassle of tracking those assets and checking what patches and/or mitigations are missing, which pose a high risk to the organization.
To top it off, it’s a cloud-based Software-as-a-Service solution, so it’s one less moving part that must be maintained on site.
Reporting and visualization
If you have thousands of hosts/assets scattered over multiple networks, then dashboards, visualization and reporting are how you can easily collect information.
When you first open Qualys VMDR, you’ll be greeted by a default dashboard with pre-defined widgets that you can customize with bar charts, counters and tables. The scenarios we tried to display – e.g., visualizing asset breakdowns or vulnerability types – were easy to create, since the user can preview the actual result while building the widget.
Complex visualizations can also be created, since the queries support Boolean logic and combinations like “tags.name:`Cloud Agent` AND software:(name:`Cisco AnyConnect Secure Mobility Client`)”. Complex queries are sometimes hard to write, but in Qualys VMDR tooltips, autocomplete and dropdown options are a great help with that.
Specific views into Qualys VMDR’s features, such as seeing which certificates have expired or are about to expire, are presented in a clear tabular view, where sorting by a column works well.
Drilling down into all of your assets – networks, IP addresses, domains, vhosts, asset groups, OSes, apps, ports/services and certificates – is simple, and tables and search bars make it easy to find what you want to see.
Reports based on scans, maps, patching, authentication, remediation, compliance levels and asset lists can be generated on demand or on a schedule. Report templates can be configured. All the classic output formats are supported: PDF, HTML, XML, CSV and MHT (web archive for Internet Explorer).
The tool met all our reporting and visualization requirements. Let’s now see how it handles asset discovery and the application of patches/mitigations.
Discovery can be performed either with passive scanning sensors, which need to be deployed on-site to monitor the network for information about assets, or by deploying an agent on the machine. Agents work as one would expect, and can be deployed on Windows, deb- or rpm-based GNU/Linux distributions, macOS, AIX or BSD. They can either be installed directly on a machine (the user must supply their CustomerID to associate the agent with their Qualys instance) or be deployed via AD or through other provisioning or management processes.
Assets can be organized with asset tags, which work exactly like classic tagging. Hosts can be added either via the manual “select then add” workflow or by simply pasting in a list of IP addresses/hostnames. Grouping works at the IP range, DNS, NetBIOS or domain level. Per-user grouping and grouping of hosts detected by a specific scanner are also available.
One interesting thing we saw here is that each asset group can be labeled according to business impact, function, division and location, which makes searching for an organization’s information assets simpler. Another interesting thing is the ability to attach CVSS (v2) environmental metric information to the asset group. This means that a specific group can be labeled with its:
1. Collateral damage potential
2. Target distribution
3. Confidentiality requirement
4. Integrity requirement
5. Availability requirement.
This is useful if we want to add risk-specific information to our assets: these five values feed the CVSS environmental score, so the same vulnerability can rank differently on an isolated kiosk than on a domain controller, which should greatly improve the workflow for engineers performing vulnerability management.
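To make the effect of those labels concrete, here is a small added example (not Qualys’ own code; the review does not show how VMDR computes its scores) that implements the CVSS v2 base and environmental equations from the CVSS v2 specification and scores one vulnerability against two differently labeled asset groups. The two asset-group label sets are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric values as defined in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}                  # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}                   # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}                  # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}                 # confidentiality/integrity/availability impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}    # exploitability (temporal)
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}  # remediation level (temporal)
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}             # report confidence (temporal)
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # collateral damage potential
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}             # target distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                       # CR / IR / AR requirements


def _round1(x):
    """round_to_1_decimal from the spec: round half up, not Python's banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _exploitability(av, ac, au):
    return 20 * AV[av] * AC[ac] * AU[au]


def _score_from_impact(impact, exploitability):
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def base_score(av, ac, au, c, i, a):
    """CVSS v2 base score for a vector such as AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    return _score_from_impact(impact, _exploitability(av, ac, au))


def environmental_score(av, ac, au, c, i, a, e="ND", rl="ND", rc="ND",
                        cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """CVSS v2 environmental score: the impact is re-weighted by the asset group's
    CR/IR/AR requirements, then adjusted for collateral damage and target distribution."""
    adjusted_impact = min(10.0, 10.41 * (1 - (1 - CIA[c] * REQ[cr])
                                          * (1 - CIA[i] * REQ[ir])
                                          * (1 - CIA[a] * REQ[ar])))
    adjusted_base = _score_from_impact(adjusted_impact, _exploitability(av, ac, au))
    adjusted_temporal = _round1(adjusted_base * E[e] * RL[rl] * RC[rc])
    return _round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[cdp]) * TD[td])


# Constructed asset-group labels, in the terms the review lists above (assumed values).
WORKSTATIONS = dict(cdp="L", td="M", cr="M", ir="M", ar="M")
DOMAIN_CONTROLLERS = dict(cdp="H", td="H", cr="H", ir="H", ar="H")


def score_for_group(vector, group):
    """Score one base vector (av, ac, au, c, i, a) against one asset group's label set."""
    return environmental_score(*vector, **group)


if __name__ == "__main__":
    vuln = ("N", "L", "N", "P", "P", "P")  # remote, unauthenticated, partial C/I/A impact
    print("base score:", base_score(*vuln))
    print("workstation group:", score_for_group(vuln, WORKSTATIONS))
    print("domain controller group:", score_for_group(vuln, DOMAIN_CONTROLLERS))
```

A vulnerability with a base score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) drops to 5.8 for the workstation group, with its low collateral damage potential and medium target distribution, and rises to 9.4 for the domain controller group, which has high requirements on all three properties. That spread is exactly what the asset-group labels buy you when prioritizing.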
Prioritization and remediation
The main view for prioritization is the prioritization report, which has a dashboard-like interface. This makes sense since, in practice, all of our remediation efforts will be grouped in a “view” where we want to work on detection and remediation for a specific set of assets.
The dashboard enables us to select specific asset tags for the use case at hand, and then shows the breakdown by detection age for a number of threat indicators. Threat indicators are also grouped, and can be selected from a number of predefined categories, as seen in the next screenshot.
For instance, if you want to identify the vulnerabilities being exploited by malware on workstations, you select the asset tags related to your workstations and choose the “Malware” and “Wormable” threat intelligence indicators to prioritize the relevant vulnerabilities.
The prioritization report takes a transparent approach to prioritizing vulnerabilities and their remediation: the user chooses the criteria according to the use case at hand.
After we are greeted by the breakdown of our assets/vulnerabilities/patches, we can do our vulnerability management work. We can see what patches/mitigations are missing in our asset groups or we can go over specific assets and see what patches/mitigations are missing from that specific asset.
The recommended patches in the prioritization report take patch supersedence into account and dynamically map patches to vulnerabilities to identify the exact patch that will fix each vulnerability.
From a workflow perspective, this enables a lot of flexibility and supports both a precise, per-asset approach and a general, grouped approach. Since our management work won’t be done in one day, reports can be saved so that we can continue where we stopped the day before.
Selecting “Patch now” on the main dashboard will enable us to either create a new patching job, add this set of patches to an existing job, or just view what patches are missing. One part of that workflow can be seen in the following screenshots:
Conclusion and verdict
At the moment, Qualys VMDR doesn’t cover automatic patching for all types of vulnerabilities. It will identify vulnerabilities, but certain mitigations still have to be applied manually (e.g., configuration changes, many GNU/Linux-based patches). Automated deployment of software patches currently works for the Windows ecosystem; Linux and macOS patching, as well as patching through third-party patching systems, are on the roadmap.
Additional features such as container support and container security, mobile device management, and automatic certificate renewal are scheduled for release later this year. This is definitely not a deal-breaker, since automation of some of those features is highly dependent on the specific engineering practices inside the organization.
That said, Qualys VMDR successfully solves common enterprise problems: how to perform vulnerability management on a large number of assets, how to identify the assets, and how to find missing patches/misconfigurations and apply mitigations.
For a company that is heavily dependent on the Windows ecosystem and whose assets span cloud providers and multiple networks, this is an excellent product that resolves a major pain point. Even more important in mixed environments is the vulnerability management workflow, where identifying missing mitigations is very useful, and Qualys offers an interesting approach to that identification.
For existing Qualys customers, or those looking to invest in a web scanner or PCI compliance offerings, expanding their tooling with Qualys VMDR makes strategic sense, since it integrates nicely into the engineering workflow through the Qualys Cloud Platform.
Qualys has an open training library for VMDR and other tools that can provide our readers with more in-depth information on the inner workings of the product.
Kill Chain is an HBO documentary made and produced by Simon Arizzone, Russell Michaels and Sarah Teale.
Kill Chain: Inside the documentary
Arizzone and Michaels already worked together on a 2006 documentary, Hacking Democracy, which uncovered vulnerabilities in voting machines and examined how vote manipulation could have affected the 2004 election won by George W. Bush.
And here we are again in 2020 talking about the same problem and uncovering the same old security holes inside the machines that are supposed to be secure and reliable, since they have the essential role of ensuring democracy is being practiced properly.
The authors gathered various experts, including Harri Hursti, a hacker and election security expert, to talk about their view and knowledge of the U.S. election system.
Hursti already warned about the hackability of the election machines in 2006. Now, once again, he went on a mission to expose the susceptibility of the U.S. election system by analyzing the machines currently in use, but also the discarded ones which he easily got hold of through eBay. As if that weren’t enough, the purchased ones still contained voting data.
He then tested the hackability of the machines by letting hackers at the DEF CON convention try to access them. The task was shockingly easy and every single machine was successfully breached, which showed how easily election results could be manipulated.
The authors also interviewed a hacker that goes by “CyberZeist”, who claimed to have accessed the Alaska voting system website with little effort. Had he been backed by an organization with an agenda, the repercussions would have been much greater.
The documentary gives you the technical information about how a kill chain works and a hacker’s potential motivation, whether it’s personal satisfaction and gain or political reasons. It also sheds light on how technology is supposed to make things faster and easier but how, in the end, it can be easily manipulated.
Does it hit the spot?
This is an eye-opening and captivating documentary accompanied by an eerie soundtrack that complements the seriousness of the issue well. The technical parts are well explained and comprehensible to the average viewer.
A great number of politicians and decision-makers continue to dismiss warnings and refuse to pass bills that would guarantee a secure and protected election system. Experts are worried, but without political backup, there’s not much they can do about it. Hopefully, this documentary will make U.S. citizens worry about the outcomes of future elections and push them to demand changes.
Here’s a trailer for the documentary:
Yuri Diogenes, a professor at EC-Council University and Senior Program Manager at Microsoft, and Dr. Erdal Ozkaya, a prominent cybersecurity professional, advisor, author, speaker and lecturer, published the second edition of their acclaimed book “Cybersecurity – Attack and Defense Strategies”.
Cybersecurity – Attack and Defense Strategies
The book emphasizes, first and foremost, the necessity of every enterprise being aware of its threat landscape and its weakest points, and thus implement the right methods to boost its security posture.
This book will teach you how to identify unusual behaviors within your organization and apply incident response methods using blue team and red team strategies.
You will also learn about the importance of a good cybersecurity strategy and how to develop it.
The authors explain common hacker tactics, techniques and procedures and the processes of a cyber attack, with a detailed description of tools commonly used during a cyberattack.
The book contains a lot of practical examples that can be applied/tested in a virtual lab. You’ll learn how to avoid wireless attacks and credential theft, how to protect a network, how to avoid phishing incidents, how to protect operating systems, how to avoid mobile phone attacks, details about the most common cloud hacking tools, and so on.
The authors highlight the importance of a well-constructed security policy, which should include clearly defined procedures, standards, guidelines and best practices. Of course, these rules are only effective if you educate your staff, but once that is done they should minimize the likelihood of your organization falling victim to compromise.
To boost performance and improve security, they point out the importance of correctly planning and implementing network segmentation, as well as a variety of active sensors that monitor unusual activities and threats.
The final chapters cover the procedures of an incident investigation and a recovery process, which give you insights on how to maintain business continuity and implement disaster recovery best practices.
Who is it for?
This is clearly a book aimed at IT professionals who are familiar with penetration testing, Windows and Linux operating systems, and are acquainted with the concept of information security. The content is evidently technical, but the language is clear and comprehensible.
It’s an excellent read for those who want to have all the essential information about how to protect their organization in one place. Besides detailed practical examples, the book offers various links to websites to further broaden your knowledge.
Mobile device use continues to grow, while an increasingly mobile and remote workforce depends heavily on laptops. To secure those devices, organizations need to implement client-side security controls.
One of the more pressing risks linked to the use of mobile devices is the possibility of device loss or theft. If a device is lost, sensitive data (e.g., documents, account passwords) might get extracted and exposed.
One solution for this problem is full disk encryption, and one of the most popular implementations is Microsoft BitLocker, which is included in the Pro, Enterprise and Education editions of Windows 10.
What happens when one of your users forgets their BitLocker PIN or passphrase, or, if no PIN was set up and the TPM alone protects the key, simply plugs in new hardware (or otherwise changes the boot measurements the TPM validates) and triggers BitLocker recovery mode? If your organization uses Microsoft Active Directory and has configured the environment to store the recovery keys in AD, a system administrator can restore access to that machine.
Of course, the user will still need to contact their organization’s helpdesk, which will need to verify their identity in order to share the recovery key. Common problems with this scenario are issues with verifying the identity of the user and increased workload for the system administrators/helpdesk personnel.
Introducing Specops Key Recovery
Specops Software realized these problems and offers an interesting solution: Specops Key Recovery, a self-service tool for recovering BitLocker recovery keys.
Instead of contacting the helpdesk, which needs a way to verify the identity of a person over the phone (a hard problem to solve with high confidence given the lack of physical presence), Specops Key Recovery offers a cloud centric self-service portal.
An infographic from Specops illustrates the concept:
The user’s perspective (enrollment)
The user enrolls or can be pre-enrolled into the service. Pre-enrollment is achieved when an administrator selects identity services that leverage existing Active Directory details. When a user is pre-enrolled, they do not have to enroll themselves; when a lockout occurs they can immediately use the system to prove their identity and retrieve a recovery key.
However, it’s best practice to extend additional identity services to users to minimize the chance of failure, for example if one identity service is unavailable. Enrollment requires the user to log in successfully and enroll with any combination of the identity services made available to them by their system administrator. The solution supports a number of identity services that can serve as multi-factor authentication options, depending on the authentication policy set by the administrator. These include:
a. SMS (mobile code)
b. Windows Identity
c. Authenticators: Google, Microsoft, Specops
d. Service logins: Google, Facebook, LinkedIn, Live, Tumblr, Twitter
e. Other: Specops Fingerprint, Secret questions, Manager Identification
Administrators can make the enrollment policy differ from the authentication policy to ensure that users have additional options when authenticating. Each service can be assigned a security weight, shown as stars, which reflects the assurance level assigned to that service: in the screenshot below, for example, Mobile Code has a weight of two stars while Security Questions has a weight of one. Weights ensure that users are given options without sacrificing security, because the required total authentication weight still has to be satisfied whichever services are combined.
This screenshot of the administration interface illustrates the choices/flexibility:
The user’s perspective (use)
In the event of an encryption lock out, users are greeted with the infamous BitLocker Recovery screen:
Specops Key Recovery makes it possible for the user to visit a self-service portal via another device (e.g., a mobile phone) and verify their identity using a number of authentication factors provided by the previously enrolled identity services.
After proving their identity, they enter the first 8 characters of the recovery key ID, press “Continue” and get the BitLocker recovery key:
So, in a nutshell: enrolled users can recover access to their machine without having to ask the helpdesk for assistance. This is a cost savings but at the same time does not sacrifice security as users have to verify their identity before recovering access. This is what Specops Key Recovery does very well.
The sysadmin’s perspective (installation, setup, management)
To operate Specops Key Recovery, a sysadmin needs to set up multiple elements:
1. Register an account on the Specops cloud service.
2. Install the Specops Authentication Gatekeeper Administration tool on their Domain Controller (DC).
3. Set up the group policy to store the recovery passwords and key packages in the Active Directory Domain Services (AD DS).
4. Configure the service according to their required policies.
We particularly liked the fact that during account registration Specops Key Recovery insists on enabling two-factor authentication (2FA). It’s SMS-based 2FA, but that’s still better than no 2FA, and you can swap it for something else later on. It’s also great that the system checks for common blacklisted passwords, adds a reCAPTCHA to curb automated attacks (which can be enforced or disabled), and provides default logging and reports.
The cloud user management component is the solution’s service desk. It allows the IT helpdesk to verify users’ identities using the same MFA factors they enrolled with before performing sensitive tasks such as recovering keys or resetting passwords. The interface also presents helpdesk users with details such as enrollment and authentication information. For example:
From the AD-tooling side of things, installation is straightforward and the documentation covers the entire process in enough detail that any junior system administrator could set the system up.
If we really wanted to nitpick, we could suggest that the documentation or the tool itself could help admins set up the group policy that stores recovery passwords and key packages in AD DS. That policy is not retroactive: recovery information for volumes that were encrypted before it was applied still has to be backed up to AD explicitly, so it pays to verify that every existing machine actually has a recovery key in AD before relying on self-service recovery.
If you have a large, distributed and remote workforce, you will benefit from the increased security and convenience offered by the solution.
Although we only illustrated the key recovery option, the Specops Authentication platform also offers additional account management features like password reset, change, and account unlocking – all utilizing the same multi-factor authentication engine. One important feature that stands out for those with a global workforce is geo-blocking, which may prove to be helpful in a number of situations.
From a diagnostics standpoint, it’s easy enough to see if your Gatekeeper software is working on the DC, and the variety of supported identity services provides enough freedom/flexibility for anyone to specify which service or method they trust and how much.
Customers will appreciate the fact that the web interface can be customized and the self-service portal can be integrated with the specific visual style of an organization.
By default, the application logs privileged events like key recovery to the Windows event log. Reporting is also available through a dashboard, where one can search for specific events. One thing I would love to see is the actual information about user logins to the cloud service in the event logs.
Specops Key Recovery helps system administrators and users: it removes complexity and successfully solves a common problem.
Humans are an essential part of any enterprise and should be considered the foundation of its cybersecurity. That’s probably easier said than done, but Shira Rubinoff has some useful tips for you.
Aside from being a prominent cybersecurity executive, speaker, and cybersecurity and blockchain advisor who has built two cybersecurity companies, Rubinoff also has an educational background in psychology. That’s why Cyber Minds is very human-oriented, meaning she views cybersecurity through its interconnectivity with humans.
Inside Cyber Minds
Every enterprise should take care of its cybersecurity by taking care of every single employee and giving them the opportunity and the knowledge to practice good cyber hygiene within the company. A company’s cybersecurity is as strong as its weakest link and every executive must realize that.
The author emphasizes four essential steps to achieve cyber hygiene that every company should implement in their workforce development strategies:
- Continuous training
- Global awareness
- Updated security and patching
- Zero trust
After giving you these guidelines, she warns about the most common behaviors that could lead to a data breach and the psychology behind them.
The next chapters include interviews with cybersecurity professionals where they share their opinions and knowledge, as well as give you real-life examples.
They talk about the possible impact of blockchain on the future of cybersecurity, about cloud technology concerns, the biggest breaches, the trends in cybersecurity, how to keep IoT safe, and the benefits of introducing military elements into cybersecurity.
The author dedicates a chapter to AI and the fear that such technology induces. AI is, without a doubt, the technology of the future and will become part of our lives whether we want it or not. The question is, can it be trusted? Can we let it manage cybersecurity?
Who is it for?
The book is aimed at business leaders, to make them recognize the importance of cybersecurity and the fact that setting rules is not enough. Employees must be educated and, from a psychological point of view, must feel like an essential link in the cybersecurity chain.
The language is simple and comprehensible, the author doesn’t use excessive technical language, and the book is a great read for those in the C-suite that want to have a broader perspective of their company’s cybersecurity posture.
Seemingly every day, news drops that a popular site with millions of users has been breached and its user database leaked online. Almost without fail, attackers then try those leaked credentials on other sites, making credential stuffing one of the most common attacks today.
Users often use the same username/email and password combination for multiple accounts and, unfortunately, enterprise accounts are no exception. Attackers can, therefore, successfully use leaked credentials to access specific company resources.
For example: An attacker wants to target CompanyX and sees that 30 users who work at CompanyX had their account credentials leaked in a recent breach (let’s say Zynga). Trying those credentials against the company’s SharePoint, Exchange, VPN and various web portals to see whether any of them grant access is a no-brainer for the attacker.
This common occurrence has resulted in the launch of several commercial and free solutions that try to mitigate this specific risk. One of them is Enzoic for Active Directory.
About Enzoic for Active Directory and this review
“Enzoic for AD is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials,” the product’s page says.
“Unlike products that only check passwords after they are saved, thus requiring subsequent reset by the user, Enzoic validates the password at the time it is being selected. Passwords are then continuously monitored to detect if they become compromised – with automated remediation and alerts. It helps organizations with NIST Password Guideline compliance in Active Directory.”
We tested the Enzoic for AD solution and this review will focus on the following main points:
1. Setup experience – The solution’s install process and setup process.
2. A cursory overview of the privacy implications of the solution – Since the solution has to query Enzoic’s cloud to verify if a password is contained in a breached set, we decided to check what is actually sent to the cloud.
3. Usefulness and coverage – The effectiveness of the solution when tested against multiple breached credentials lists.
4. Final thoughts and impressions.
The installer for Enzoic for AD is available in both EXE and MSI format. The software is a password filter plugin for Microsoft Active Directory and, like any password filter, needs to be installed on every domain controller in your organization to achieve full coverage, since a password change is validated by whichever DC processes it.
The installation process begins with a standard Windows install:
Next, Enzoic for Active Directory needs to be configured: which users, groups or containers should have their passwords checked for compromise? Should the entire AD be covered? (For this test, we left the default “All Users in Active Directory” option.)
After confirming coverage, monitoring options can be configured. The options are:
1. Reject common passwords found in cracking dictionaries (or not).
2. Check passwords during password resets (or not).
3. Use fuzzy password matching (or not).
In the next step we needed to select the remediation action. The solution allows for the following options:
1. User must change password on next login.
2. User must change password on next login (delayed).
3. Disable account.
4. Disable account (Delayed).
5. Notify only (via email to the user and to a number of other accounts). The e-mail is sent by Enzoic (through Amazon SES); you cannot configure a specific email server.
Installation and configuration are simple and easy even for a beginner. The post-setup configuration options are also very easy to understand and tweak.
They include the same options offered at setup time, plus two additional ones. One allows adding a custom password dictionary, which can include words or parts of words that should not appear in a password (e.g., the name of your business). Another allows blocking passwords based on similarity, according to a configurable distance value that defines how closely a new password may match a previous one.
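As an added illustration (example code, not Enzoic’s implementation, which the review does not describe in detail), the following Python sketch shows what such a custom-dictionary and similarity check can look like. The normalization step (case folding plus common letter/digit substitutions) standing in for “fuzzy matching” and the use of Levenshtein edit distance as the “distance value” are assumptions; the sample passwords and banned terms are constructed.

```python
# Assumed substitution table: common "leet" replacements folded before comparison
# so that variants like P@ssw0rd and password compare as the same word.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                       "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Case-fold and undo trivial substitutions before any comparison."""
    return password.lower().translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of insertions, deletions or substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                # deletion
                               current[j - 1] + 1,             # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def evaluate(new_password, previous_password, banned_terms=(), max_distance=2):
    """Return the list of policy violations for new_password; an empty list means accepted."""
    reasons = []
    norm_new = normalize(new_password)
    # Custom dictionary: any banned word or word fragment anywhere in the password.
    for term in banned_terms:
        if normalize(term) in norm_new:
            reasons.append(f"contains banned term '{term}'")
    # Similarity: reject if the normalized passwords are within max_distance edits.
    distance = levenshtein(norm_new, normalize(previous_password))
    if distance <= max_distance:
        reasons.append(f"too similar to previous password (distance {distance} <= {max_distance})")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the business name is banned and the user tries a rotation.
    for candidate in ("P@ssw0rd!", "Summer2020!", "correct horse battery staple"):
        print(candidate, "->", evaluate(candidate, "Summer2019!", ["acme", "password"]))
```

Running the sample rejects “P@ssw0rd!” for the banned term and “Summer2020!” for being two edits away from the previous password, while the long passphrase passes both checks. The distance threshold is the knob the review describes: a larger value blocks more rotations of the old password but also rejects more legitimate choices.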
After a quick mandatory server restart, we proceeded to test the usability of the application.
A cursory overview of the privacy implications of the solution
“Trust but verify,” says the old proverb, so we installed our own CA certificate on the AD server to be able to intercept and inspect the TLS traffic between it and Enzoic’s servers and see what actually gets shared with Enzoic. We entered a very common password (administrator) and tried to verify it:
As you can see, that password was rejected, but let’s see what was shared on the wire:
In the request you can see that the application takes the input string “administrator”, hashes it with MD5, SHA-1 and SHA-256, and sends the first 40 bits (10 hex characters) of each hash to Enzoic’s cloud, which responds with the possible candidates to check locally. This is similar to the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API, which shares only the first 20 bits (5 hex characters) of the SHA-1 hash.
We did not actually try to reverse engineer the application, since this was a cursory review just to make sure that the actual passwords are not being sent to Enzoic’s cloud.
We also left our domain controller (DC) connected to the internet for 48 hours to see what kind of data (if any) is being sent to Enzoic. We found that the app shares some telemetry with the Enzoic cloud, namely the number of matches of breached passwords in the organization and number of users, probably for licensing purposes:
Usefulness and coverage
Next, we wanted to see how Enzoic for AD handles leaked passwords, so we covered a few scenarios that might be interesting to our readers:
- Verifying if the application correctly detects passwords from common wordlists used by attackers.
- Verifying if the application correctly detects passwords from common large-scale breaches (LinkedIn, RockYou).
- Verifying if the application correctly detects passwords from very recent leaks (Zynga).
We took random samples from SecLists and from the LinkedIn and RockYou leaks, and all of them were correctly identified, even fully random passwords that were part of a breached set (e.g., *23P%GWtUPST2jQ&auUB7j542). We also ran a random sample of passwords from other leaks (e.g., the Hak5 leak) and they were also correctly detected.
One thing that interested us was whether Enzoic for AD could detect passwords from recent leaks. (Un)fortunately, a week before this test the full user database from game company Zynga was leaked on the internet, so we decided to test Enzoic for AD with the newly available leaked passwords.
We sampled passwords randomly but also tried to find unique passwords that were contained in the Zynga breach but not in the sets we used previously. We found a couple of such passwords, and they were successfully detected as breached passwords by Enzoic for AD. Good job!
Looking to the future
We couldn’t test the breached password notification option, since that would require us to actually have users who are a part of an actual breach that is about to occur, which cannot be easily simulated.
Looking forward, there are a few things that could be changed, but none of them is a deal-breaker from our perspective.
The first one is the sharing of three types of hashes and 40 bits of data per hash. One could argue this is excessive, since the best-known implementation of this k-anonymity approach (Have I Been Pwned’s) shares only 20 bits of a single hash.
Enzoic tells us that they chose that partial hash length as a good balance between anonymity and performance. Keeping the number of candidate hashes returned reasonable, and thus reducing latency for the call, is an important concern, since many of their customers are very sensitive to latency.
They view the additional data sent as of minimal risk (keep in mind no usernames are shared and none of these requests are logged on their end). That said, they do have it on their roadmap to make the partial hash match length configurable in the future – with the trade-off that some users might have longer latencies when attempting a password change if this length is significantly reduced.
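To show what is actually at stake in that trade-off, here is an added example (not Enzoic’s code; the real request and response format is not reproduced on the page) that implements the k-anonymity range query described in the privacy section above with a configurable prefix length and a constructed breach corpus. It also computes the expected number of candidates per prefix, which is the size of the anonymity set a lookup hides in.

```python
import hashlib
from collections import defaultdict

ALGOS = ("md5", "sha1", "sha256")

# Constructed stand-in for the vendor's breach index (not real breach data).
SAMPLE_BREACHED = ["administrator", "password", "123456", "letmein", "qwerty", "Summer2020!"]


def _digest(password: str, algo: str) -> str:
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def hash_prefix(password: str, algo: str, bits: int) -> str:
    """The only thing that leaves the client: the first `bits` bits of one digest."""
    if bits % 4:
        raise ValueError("prefix length must be a multiple of 4 bits (whole hex digits)")
    return _digest(password, algo)[: bits // 4]


class BreachService:
    """Server side: answers a range query with every digest that shares the prefix."""

    def __init__(self, passwords, bits):
        self.bits = bits
        self.index = defaultdict(set)
        for pw in passwords:
            for algo in ALGOS:
                digest = _digest(pw, algo)
                self.index[(algo, digest[: bits // 4])].add(digest)

    def query(self, algo, prefix):
        # The server never learns the full digest, only which bucket was asked for.
        return sorted(self.index.get((algo, prefix), ()))


def is_breached(password: str, service: BreachService, algos=ALGOS) -> bool:
    """Client side: send prefixes, receive candidates, decide the match locally."""
    for algo in algos:
        full = _digest(password, algo)
        candidates = service.query(algo, full[: service.bits // 4])
        if full in candidates:
            return True
    return False


def expected_bucket_size(corpus_size: int, bits: int) -> float:
    """Average number of candidates per prefix, i.e. the anonymity set a query hides in."""
    return corpus_size / 2 ** bits


if __name__ == "__main__":
    for bits in (20, 40):
        service = BreachService(SAMPLE_BREACHED, bits)
        print(f"{bits}-bit prefix:",
              "administrator ->", is_breached("administrator", service),
              "| correct horse battery staple ->", is_breached("correct horse battery staple", service))
        # 600 million is a constructed corpus size of the order of a large public index.
        print(f"  expected candidates per prefix in a 600M corpus: {expected_bucket_size(600_000_000, bits):.4f}")
```

With a corpus of a few hundred million hashes, a 20-bit prefix returns several hundred candidates, so the server cannot tell which of them was being checked. A 40-bit prefix against the same corpus returns on average far less than one candidate, so a query that lands in a non-empty bucket strongly suggests that the client’s password is that very entry, and a matching prefix on all three hash algorithms makes that near-certain. This does not let the server reverse prefixes of passwords outside its corpus, which is the basis of Enzoic’s “minimal risk” view, and it is why the roadmap item of a configurable prefix length matters.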
Secondly, when the user gets notified that a breached password was found, the notification could also contain the information in which breached set that password was found. This would be interesting to both users and security personnel in an organization. We are aware that this information cannot be shared with the user through the standard Windows interface, but it can be sent via email or stored in event logs.
Enzoic for Active Directory is a first-rate solution for ensuring that your users don’t select passwords that were part of a breach. Its coverage of leaked lists is very good, since any list we could legally obtain was correctly flagged by it. Installation is simple and configuration and maintenance are no hassle.
One excellent aspect of this tool is that even someone who is marginally acquainted with Active Directory and has zero experience with Enzoic’s solution can install and make the solution work out of the box. Definitely a 10/10 for user experience.
Do you believe you’re not interesting or important enough to be targeted by a cybercriminal? Do you think your personal data doesn’t hold any value? Bart R. McDonough proves why those beliefs are wrong in his book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals.
McDonough, CEO and Founder of Agio, is a cybersecurity expert, speaker and author with more than 20 years of experience in the field, and this is his debut book.
Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals
He starts by debunking the most common cybersecurity myths, like the one mentioned above. Whether you like it or not, you are important, and your data is important. Also, everything has a price.
McDonough explains the risks and threats you could encounter in a connected world, who the bad actors are, what their goals are and, most importantly, their attack methods.
The author presents five golden rules, or, as he calls them, “Brilliance in the Basics” habits, you should follow to maintain good cybersecurity hygiene: update your devices, enable two-factor authentication, use a password manager, install and update antivirus software, and back up your data.
The second half of the book gives you detailed and specific recommendations on how to protect your:
- Social media
- Website access and passwords
- Mobile devices
- Home Wi-Fi
- IoT devices
- Information when traveling.
McDonough doesn’t use scare tactics that could make you want to forgo all technology and go live in the woods. On the contrary, he wants you to embrace it and understand that even though the online world poses so many threats, there’s a lot you can do to protect yourself.
Who is this book for?
You don’t need to be a cybersecurity professional to understand this book. Its language is simple, and it offers many comprehensible everyday examples and detailed tips. It’s a book you should definitely have in your home library and keep for future reference.
The author has a very clear message: don’t just sit back and hope bad actors will pass you over. Be proactive and take all the possible and necessary steps to secure your data and your devices.
Computers have become an essential part of everyday life, but this widespread usage comes with serious risks, especially for organizations. To address the issue, the author, Dr. Jason Andress, an experienced security professional and researcher who has been writing about security for more than 10 years, wrote this very detailed book, which guides the reader through the essentials of information security.
Foundations of Information Security
The book contains a total of 14 chapters which, as …
