Forefront Endpoint Protection 2012 Beta is out…

Microsoft has been working on its Forefront products for a while now, and they have been successful in offering products that raise the security of network environments and systems on both the server side and the client side.

I personally love them all and have the most experience working with Forefront Threat Management Gateway 2010, and I truly enjoyed all the improvements it has in comparison with ISA Server 2006. When you have worked with a product for quite a long time and wished for some added functionality, and then the new product comes out and gives you all of it, that is when you have a really good feeling. I guess Forefront products give you exactly that kind of feeling.

Now Forefront Endpoint Protection 2012 Beta is out. Before we go further into the features, let me give you an overview of what it is. FEP helps businesses improve endpoint protection while decreasing costs. It is built on System Center Configuration Manager, allowing businesses to use their existing client-management infrastructure to manage endpoint protection as well. Right now this beta version is compatible with System Center Configuration Manager 2012.

But let’s see what’s new in this new beta release of FEP:

  • Supporting System Center Configuration Manager 2012
  • Improved real time alerts and reports
  • Role-based management
  • User-centric reports (post beta)
  • Easy migration from FEP 2010/ConfigMgr 2007
  • Support for FEP 2010 client agents

FEP 2012 provides protection against known and unknown threats using techniques such as behavior monitoring, the Network Inspection System and heuristics. It also receives real-time, cloud-based updates through the Microsoft SpyNet service, which helps it stay up to date.

If you need more information on FEP you can click here and here.

I hope you will be among the early adopters of FEP 2012.

Encryption at Layer-2 or Layer-3 ??!

This is a question that often comes to mind: where do we need to apply encryption, and why? Do we apply it at layer 2, which is much lower-level, or at layer 3, where the Internet Protocol is defined?

Well, in today's networks it is the speed of communication that everyone thinks of first, and on that score encryption at layer 2 is the better option when you are sending data over a very fast link and do not want the traffic slowed down. Layer-2 encryption adds far less per-frame overhead than layer-3 protocols or protocol suites like IPsec, and because switches implement it in hardware it adds little or no CPU load on the devices applying it. Given the wide use of VoIP nowadays, where both security and latency matter, layer-2 encryption is usually the better choice on a LAN link.

That said, layer-3 encryption is still well suited to environments with low-bandwidth WAN connections and devices that cannot do encryption at layer 2. There are also situations where a company has offices around the world and it is no longer a matter of a few devices but hundreds; then you need to consider that layer-2 encryption is hop-by-hop (every switch or router along the path decrypts and re-encrypts the frame, so the traffic is in the clear inside each device), whereas layer-3 encryption such as IPsec protects the packet end-to-end between the two hosts or gateways across any number of hops.

Nowadays many devices support layer-2 encryption, and unlike in the past there is a standard for it, so devices from different vendors can encrypt traffic between them. For instance, Cisco Catalyst switches (the 3560-X and 3750-X series) support data-link-layer encryption with IEEE 802.1AE (MACsec), keyed through the MACsec Key Agreement (MKA) protocol defined in IEEE 802.1X-2010 (formerly known as 802.1X-REV).

So if you need to encrypt a high-speed link, and security matters to you along with low latency and simplicity of management, layer-2 encryption is a sound choice for that link.

The Enhanced Mitigation Experience Toolkit (EMET)

In the previous posts on my blog we talked a little about security exploits, how they function and how to prevent attacks that use them. In this post I am excited to introduce a toolkit offered by Microsoft to defend against exploitation of the system.

The tool is called the Enhanced Mitigation Experience Toolkit (EMET). It applies exploit-mitigation techniques to the processes you choose (for example forcing DEP and ASLR on them), making it much harder for an exploit to succeed. The protection EMET applies does not guarantee that the system will not be exploited; it only raises the bar as high as possible, including against exploits for 0-day vulnerabilities.

Working with EMET is simple: download it from Microsoft, install it on your machine, and choose the applications you want it to protect, typically the ones most likely to contain a vulnerability (browsers, document readers, media players). That is all, and it is done through the tool's GUI.

EMET works with any application; it does not matter whether the software you want to protect is from Microsoft or not. Below is a screenshot of the toolkit's GUI:

You should definitely try this tool; it is a must for every security engineer worried about the many applications installed on their servers, each of which could contain a vulnerability that puts the whole network at risk. One caveat: not every application tolerates every mitigation, so test the settings on each program before rolling them out.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:



Possible Attacks on Windows and Countermeasures – Part 2

In the previous post I talked about password cracking and how you can protect against it. In this article I want to explore another type of attack:

Buffer Overflow Attacks:

This is a very common type of attack against an operating system (not necessarily Windows), triggered by a security vulnerability either inside the OS itself or in the applications installed on top of it. Probably the reason it is so common is that a bug in any one of the applications on the OS can become a hole in the whole system...

What is buffer overflow vulnerability?

A buffer overflow happens when more data is copied into a memory buffer than the buffer can hold, so the excess overwrites the memory next to it. The problem is mostly seen in programs written in C and C++, which provide no built-in bounds checking against reading or writing past the end of a buffer.

The result can be execution of attacker-supplied code: by overwriting a return address or function pointer with the overflowing data, an attacker can redirect the program, sometimes remotely over the network, and gain access to the OS with the privileges of the vulnerable process.
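The following is an added example, not code from the original post, showing the bug described above next to a corrected version. The vulnerable function copies a name into a 16-byte stack buffer with strcpy(), which never looks at the buffer size; the hardened version passes the buffer size along and rejects input that does not fit. The function names and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable version: a fixed 16-byte stack buffer filled with strcpy(),
 * which copies until it finds a NUL and never looks at the buffer size.
 * Any input of 16 bytes or more writes past 'buf' into whatever the
 * compiler placed next to it on the stack (other locals, the saved frame
 * pointer, the return address). Kept only to show the bug; never feed it
 * untrusted input. */
void greet_vulnerable(const char *name)
{
    char buf[16];
    strcpy(buf, name);               /* no bounds check */
    printf("Hello, %s\n", buf);
}

/* Hardened version: the caller passes the destination size and the copy
 * refuses anything that does not fit, terminating NUL included. Rejecting
 * is preferable to silently truncating, because a truncated path, name or
 * command that is still acted upon is a bug of its own. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;                   /* would overflow: reject */
    memcpy(dst, src, len + 1);       /* copies the NUL as well */
    return 0;
}

/* Returns 0 and prints a greeting when the name fits, -1 otherwise. */
int greet_safe(const char *name)
{
    char buf[16];
    if (bounded_copy(buf, sizeof buf, name) != 0) {
        fprintf(stderr, "name too long (max %zu chars)\n", sizeof buf - 1);
        return -1;
    }
    printf("Hello, %s\n", buf);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits and one that would overflow. */
    const char *short_name = "Alice";
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 'A's */

    greet_vulnerable(short_name);    /* works: the bug is invisible on benign input */
    greet_safe(short_name);          /* accepted */
    return greet_safe(long_name) == -1 ? 0 : 1;   /* rejected instead of smashing the stack */
}
```

Note that DEP (discussed below) would only stop the injected code in the 32-byte input from executing; the memory corruption itself is fixed only by the bounds check.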

When a buffer overflow is found, a security advisory is usually released on the OS or software vendor's website. To my mind, such advisories have both advantages and disadvantages.

The advantage is that users become aware of the vulnerability in their OS or software and can plan their protection: filtering the affected port at the firewall, or even disconnecting a specific computer from the internet until it is patched. I have written a separate article about this that you can read here.

The disadvantage is that attackers also become aware of the vulnerability and begin writing exploits for the bug so they can take advantage of it on systems that have not been patched. But what are exploits?

Exploits are programs written to take advantage of a security vulnerability. There are two general types. Remote exploits are run over the network against a vulnerable server; local exploits are run on the machine itself, when the attacker already has some limited access, to escalate privileges and gain full control of the system.

If the vulnerability is critical and is found in a popular OS like Windows or in other widespread software, worms may be written for it. A worm is an exploit with the added ability to scan the network for other machines with the same flaw, penetrate them and keep spreading.


It is hard to give a single recipe for protecting against these attacks, since so many applications are installed on an OS and any of them could contain such a bug, but the best practice is to keep your computer up to date by enabling automatic updates in Windows, and to update third-party applications just as promptly.

There is also a very good feature in Windows called DEP (Data Execution Prevention) that should be turned on. It protects against the classic form of this attack by marking memory that holds data (the stack and heap) as non-executable. If a program tries to run instructions from such a region, which is exactly what injected code in an overflowed buffer does, DEP terminates the program and notifies you. DEP does not fix the underlying bug, and techniques such as return-oriented programming can work around it, so it complements patching rather than replacing it.

You can configure it from System Properties -> Advanced System Settings -> Performance Settings -> Data Execution Prevention. The default, "Turn on DEP for essential Windows programs and services only" (opt-in), covers only Windows binaries and programs built with the /NXCOMPAT flag; choose "Turn on DEP for all programs and services except those I select" (opt-out) to cover third-party applications as well, and then exempt only the specific programs that break.



Hope you enjoyed it


Possible Attacks on Windows and Countermeasures – Part 1

It's been a great week with so much news in the world of security, both the real world and the virtual one. Today I decided to begin a series of articles about possible attacks on Windows operating systems, client and server, including the latest ones such as Windows 7 and Windows Server 2008 R2, and their countermeasures.

In this series I will try to put some of my experience into words and explain, in simple terms, the hacking techniques attackers use to penetrate your network. I will start with the most common ones and work up to the most advanced, such as those causing millions of dollars in losses, and then dig into the ways of defending against them and show you how to keep your network services and servers secure.

Password Cracking Attacks:

This is one of the most common types of attack, used at least once by every attacker. It always seems the dumbest, but it has proven to be one of the most effective ways into somebody's computer if nothing protects against it.

This type of cracking has a long history and I really cannot count the number of programs developed to crack passwords, by hacking groups and by security companies alike. The only difference between the two is that the latter believe their software is purposed only for so-called ethical hacking, but who knows what is being done with those tools.

There are different ways to perform password cracking, among which brute-force attacks are the best known. Brute forcing is simply finding a password by trying every combination of letters, numbers and symbols. The time it takes depends on the size of the search space, which grows exponentially with the password length and with the number of different characters used; the more complex the password, the longer it takes to crack.

A single computer with a good cracking tool can try on the order of one to fifteen million guesses per second against a weak hash such as the Windows LM hash, which is DES-based and was stored by default on every Windows version before Vista and Server 2008. At that rate an 8-character password made of digits only falls in seconds, and one made of lowercase letters only in a few hours. An 8-character password drawn from all 95 printable characters would take more than a decade to exhaust at fifteen million guesses per second, but LM does not give you that: it upper-cases the password and splits it into two independent 7-character halves, so even the strongest 8-character password falls within days. So you feel pretty unsafe.. huh???

Attackers can also download precomputed hashes for different algorithms, stored in database files called rainbow tables, and with those it takes only minutes to recover almost any password in a network. Rainbow tables work because LM and NTLM hashes are not salted: the same password always produces the same hash, so the work of hashing can be done once and reused everywhere.

Other techniques are used as well, such as dictionary or word-list attacks, which are usually tried before brute force to guess the password of a user who has chosen a common dictionary word or something like 123456.

L0phtCrack:

One of the most famous password cracking tools is L0phtCrack, developed by the well-known hacker group L0pht, which later joined @stake, itself later acquired by Symantec Corporation. You can download the latest version of L0phtCrack from their website. Below is a screenshot of the tool:

The tool cracks Windows password hashes, including those from the latest versions such as Windows Server 2008 R2, as well as Unix ones, and can be run from almost any host on the network to target the others. You can get more information on their website.

John the Ripper:

John the Ripper is another well-known name among password cracking tools. It was first developed for Unix-based operating systems but now supports Windows as well. You can download it from their website.

John the Ripper is truly one of the fastest password cracking tools I have ever seen. It is used by a lot of penetration testers, and of course attackers, every day.


Protecting your network against password cracking depends entirely on the policies in force on your servers and clients. Whether you run a small workgroup of computers or a large domain, you should have policies, and more specifically account and password policies.

Password policies are defined in Group Policy, locally or in Active Directory. Open the Group Policy Editor, either locally (by typing gpedit.msc in Run) or for the domain with the Group Policy Management console, and go to:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Below you can see a screenshot of the password policies settings:

Now let’s go one by one with what they mean:

Enforce Password History: how many previous passwords are remembered for each user. If set to 10, the user cannot choose any of their last 10 passwords as the new one.

Maximum Password Age: the longest a user can keep a password; when it expires they must change it. You can use it to force users to change their passwords periodically.

Minimum Password Age: the shortest time a password must be kept before the user may change it. Without it, users can cycle through the whole password history in a few minutes and land back on their old password.

Minimum Password Length: the number of characters a password must have. Do not set it below 8, and remember that every extra character multiplies the brute-force search space by the size of the character set.

Password must meet complexity requirements: forces passwords to be at least six characters, to contain characters from at least three of the categories uppercase letters, lowercase letters, digits and symbols (Windows counts other Unicode letters as a fifth category), and not to contain the user's account name. You should definitely enable it.

Store passwords using reversible encryption: leave it disabled. It exists for a few rarely used protocols (such as CHAP and Digest authentication) and enabling it is equivalent to storing the passwords in plain text.
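As an added example (not part of the original post, and not Microsoft's implementation), the block below puts numbers on the two policy settings that actually shrink an attacker's chances: it implements the complexity rule just described, restricted to ASCII, and estimates worst-case brute-force time for the character sets and the 15-million-guesses-per-second rate discussed above, including the effect of the LM hash splitting a password into two 7-character halves. The function names, the account name "bob" and the sample passwords are constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Character-class sizes for printable ASCII. */
#define N_LOWER   26
#define N_UPPER   26
#define N_DIGIT   10
#define N_SYMBOL  33   /* printable ASCII that is not a letter or digit, space included */

/* Case-insensitive substring search (strcasestr is not standard C). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle), h = strlen(hay);
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Windows "Password must meet complexity requirements", ASCII only:
 * at least six characters, characters from at least three of the four
 * classes below (the fifth Windows class, other Unicode letters, is not
 * modelled), and an account name of three or more characters must not
 * appear in the password, case-insensitively. */
int meets_complexity(const char *password, const char *account_name)
{
    int lower = 0, upper = 0, digit = 0, symbol = 0;
    if (strlen(password) < 6) return 0;
    for (const unsigned char *p = (const unsigned char *)password; *p; p++) {
        if (islower(*p))      lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else                  symbol = 1;
    }
    if (lower + upper + digit + symbol < 3) return 0;
    if (account_name && strlen(account_name) >= 3 &&
        contains_ci(password, account_name))
        return 0;
    return 1;
}

/* Worst-case number of guesses for a brute-force search: charset^length. */
double keyspace(unsigned charset, unsigned length)
{
    double n = 1.0;
    while (length--) n *= charset;
    return n;
}

/* Seconds to exhaust that search at a given guessing rate. */
double seconds_to_exhaust(unsigned charset, unsigned length, double guesses_per_second)
{
    return keyspace(charset, length) / guesses_per_second;
}

/* LM hash: the password is upper-cased, padded to 14 bytes and split into two
 * 7-byte halves, each hashed independently with DES. The attacker therefore
 * searches two spaces of at most 69^7 (26 upper + 10 digits + 33 symbols)
 * instead of one space of charset^length. */
double lm_seconds_to_exhaust(unsigned length, double guesses_per_second)
{
    const unsigned lm_charset = N_UPPER + N_DIGIT + N_SYMBOL;   /* 69 */
    unsigned first  = length > 7 ? 7 : length;
    unsigned second = length > 7 ? length - 7 : 0;
    double guesses = keyspace(lm_charset, first) +
                     (second ? keyspace(lm_charset, second) : 0.0);
    return guesses / guesses_per_second;
}

int main(void)
{
    const double rate = 15e6;   /* guesses per second: the post's figure for one machine */
    const char *samples[] = { "password", "Passw0rd", "Bob12345!", "Tr0ub4dor&3" };
    for (size_t i = 0; i < 4; i++)
        printf("%-12s complexity check: %s\n", samples[i],
               meets_complexity(samples[i], "bob") ? "pass" : "FAIL");
    printf("8 chars, digits only:           %.0f s\n", seconds_to_exhaust(N_DIGIT, 8, rate));
    printf("8 chars, lowercase only:        %.0f s\n", seconds_to_exhaust(N_LOWER, 8, rate));
    printf("8 chars, all 95 printable:      %.0f years\n",
           seconds_to_exhaust(95, 8, rate) / (365.0 * 86400));
    printf("8 chars, same password, LM hash: %.1f days\n",
           lm_seconds_to_exhaust(8, rate) / 86400);
    return 0;
}
```

The last two lines of output make the point of the section: the policy can demand a 95-character alphabet, but if LM hashes are still stored the effective search is two 7-character halves, so disabling LM hash storage matters as much as the password rules.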

The other settings you need to configure are the Account Lockout policies, which matter more when you want to protect against online brute-force attacks against live accounts:

To access them, open the Group Policy Editor and go to:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

Account Lockout Duration: how long the account stays locked after the threshold number of invalid logon attempts (0 means it stays locked until an administrator unlocks it).

Account Lockout Threshold: how many invalid logon attempts lock the account. Once it is set, a cracking tool cannot try millions of passwords against a live account, since the account locks after a handful of attempts. Two caveats: anyone who knows a user name can lock that user out on purpose, so do not set the threshold so low that typos trigger it; and lockout does nothing against offline cracking of stolen hashes, which is what the tools above are mostly used for.

Reset Account Lockout Counter After: the number of minutes that must pass after the last failed logon before the failure counter goes back to zero. If you set it to 30 minutes and the threshold to 5, five failures within a 30-minute window lock the account; but an attacker who spaces guesses more than 30 minutes apart never accumulates five, so the lockout never triggers. The counter is a sliding window measured from the most recent failure, so be careful when defining your policies.

A 30-minute window is a common choice. It does not stop a patient attacker altogether, but it limits any tool to fewer guesses per window than the threshold, which turns a brute-force search of millions of guesses into one that would take years.
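The following is an added example, not code from the original post, that models the three lockout settings as described above so the sliding-window behaviour can be checked: the counter resets only when the reset interval has passed since the last failure, the account locks when the counter reaches the threshold, and a locked account refuses even the correct password until the lockout duration has elapsed. The type and function names and the policy values (5 attempts, 30 minutes, 30 minutes) are constructed for the illustration; it is a model of the documented semantics, not Windows code.

```c
#include <stdio.h>
#include <time.h>

/* Account lockout policy, all times in seconds. threshold 0 = never lock. */
typedef struct {
    int threshold;        /* Account lockout threshold (bad attempts) */
    int reset_after;      /* Reset account lockout counter after */
    int lockout_duration; /* Account lockout duration; 0 = until admin unlocks */
} lockout_policy;

typedef struct {
    int    bad_count;     /* failed attempts in the current window */
    time_t last_bad;      /* time of the most recent failed attempt */
    time_t locked_until;  /* 0 = not locked; -1 = locked until admin unlocks */
} account_state;

enum { LOGON_OK = 0, LOGON_BAD_PASSWORD = 1, LOGON_LOCKED = 2 };

/* One logon attempt at time 'now'. The counter resets once reset_after
 * seconds have passed since the LAST failure, lockout starts when the
 * counter reaches the threshold, and a locked account refuses even the
 * correct password until the duration ends. */
int attempt_logon(const lockout_policy *p, account_state *a, time_t now, int password_correct)
{
    if (a->locked_until == (time_t)-1 || a->locked_until > now)
        return LOGON_LOCKED;
    if (a->locked_until != 0) {              /* lockout expired: clean slate */
        a->locked_until = 0;
        a->bad_count = 0;
    }
    if (password_correct) {
        a->bad_count = 0;
        return LOGON_OK;
    }
    if (a->bad_count > 0 && now - a->last_bad >= p->reset_after)
        a->bad_count = 0;                    /* window since last failure elapsed */
    a->bad_count++;
    a->last_bad = now;
    if (p->threshold > 0 && a->bad_count >= p->threshold)
        a->locked_until = p->lockout_duration > 0 ? now + p->lockout_duration : (time_t)-1;
    return LOGON_BAD_PASSWORD;
}

/* Fires 'guesses' wrong passwords at a fresh account, 'gap' seconds apart.
 * Returns 1 if the account ends up locked. */
int guesses_lock_account(const lockout_policy *p, int guesses, int gap)
{
    account_state a = {0, 0, 0};
    time_t t = 1000000;                      /* arbitrary constructed start time */
    for (int i = 0; i < guesses; i++, t += gap)
        attempt_logon(p, &a, t, 0);
    return a.locked_until != 0;
}

/* Fires 'guesses' wrong passwords one second apart, then tries the correct
 * password 'delay' seconds after the first guess. Returns the logon result. */
int correct_after_burst(const lockout_policy *p, int guesses, int delay)
{
    account_state a = {0, 0, 0};
    time_t t = 1000000;
    for (int i = 0; i < guesses; i++)
        attempt_logon(p, &a, t + i, 0);
    return attempt_logon(p, &a, t + delay, 1);
}

int main(void)
{
    lockout_policy p = { 5, 30 * 60, 30 * 60 };   /* 5 attempts, 30 min, 30 min */
    printf("5 guesses 10 s apart      -> locked: %d\n", guesses_lock_account(&p, 5, 10));
    printf("50 guesses 31 min apart   -> locked: %d\n", guesses_lock_account(&p, 50, 31 * 60));
    /* The denial-of-service side of lockout: five wrong guesses by anyone who
     * knows the user name keep the real user out for the whole duration. */
    printf("right password 10 s after burst  -> %d (2 = locked)\n", correct_after_burst(&p, 5, 10));
    printf("right password 31 min after burst -> %d (0 = ok)\n", correct_after_burst(&p, 5, 31 * 60));
    return 0;
}
```

The second line of output is the caveat from the text in concrete form: with a 30-minute reset window, a tool that slows itself to one guess per window is never locked out, so the lockout policy caps the attacker's rate rather than eliminating the attack.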

Here we come to the end of this first article and I hope you liked it. If you have any questions, please leave me a comment and I will answer almost at once.




Security in the cloud

A few weeks ago I shared a link on my blog about Steve Ballmer's speech on cloud computing and how it really works. Cloud computing, in short, refers to all kinds of services provided online over the internet. To make things clearer, cloud computing is a way to make data accessible to anyone, anywhere, at any time. Such a technology brings a lot of convenience and really fast access to the data through the services in the cloud. For instance, imagine having your Microsoft Office tools available wherever you need them, on any computer, with or without Office actually installed.

With the rapid growth of cloud computing, and different companies building their own clouds and offering services on them, who knows, maybe one day all services will go online and working offline will mean nothing to anyone. We have to wait and see how fast the technology moves...

When it comes to the reliability of services provided in the cloud, one of the first things that comes to everyone's mind is security and how the companies providing such online services approach it. Many items could be listed here, but to be brief I'd like to mention a few of them:

-Trusting the cloud: This is probably the most fundamental concept of security, and the hardest to gain. Trusting the company, and therefore its cloud and services, is crucial because you are putting all your information up there and you must be sure the company is trustworthy enough to keep all that private information. This type of trust also comes from the company's reputation: if a company everyone knows is providing services online, its name is familiar to all and there will be fewer questions.

-Availability of the cloud: This is more a matter of availability than of security, but the first step to securing your data is keeping the servers available all the time. Not many companies pay much attention to this, and clients rarely question providers about the availability of their services. It has happened in the real world that a short interruption of service caused losses of thousands of dollars.

-Identity in the cloud: Whoever uses the cloud has an identity, known to the others through, say, a user name. The user is given this identity by the cloud provider and is the only one responsible for keeping the credentials safe. On the other hand, the provider is also required to set policies that force users to protect their credentials better.

-Policies in the cloud: Everyone makes many connections in the cloud and can share information with others. It is the provider that gives the user the ability to customize privacy policies and grant other people different levels of permission to access their data. You could see many such issues recently at Facebook, where changes to privacy policies made many users angry and even made some quit. So what can be concluded is that it is not only the user who has to be aware enough to set proper policies; the provider must also give them that ability.

The history of cloud computing perhaps dates back to the time Hotmail became so popular and everyone was creating accounts, communicating with everyone else, uploading their data and doing so many new things. The technology has expanded to the point where we have many services, such as large amounts of storage for my information, possibly more than I have on my PC at home, right? With all this rapid expansion come security risks too. One of them is server downtime due to a serious security incident. In such situations we should look at the provider's plan to see how prepared they are for such cases and how secure their infrastructure is, and at the same time how they actually react to problems in the cloud and what backup plans they have.

Something else that plays a very important role in the level of trust and reliability users feel is the support they receive from the technical team. Users always need a team that responds well to their issues, and we should really look at how a company as big as Microsoft, with as many users as Microsoft has, supports so many of them.

In future posts I'll try to be more specific about different cloud providers, how they interact with each other and how users are connected across different clouds. For the time being this link on the Microsoft website is a great source of information.
Late at night
Before the morning clouds are out, let's get some night sleep.... 🙂