Ransomware - Did you update your incident response plan?

At the beginning of 2016 an article was published about the increasing threat of ransomware and provided advice on having an incident response plan that is ready to face this emerging threat. Our article focused on tips related to prevention, response and evading extortion. If you did not have a chance to read our article from January, we recommend that you read it as soon as possible.

Now, at the end of the first quarter of 2016, it is evident that ransomware has become a headache for those who did not take all the necessary precautions to avoid being the next target. Recently, the FBI released a statement to The Wall Street Journal that ransomware is a prevalent and increasing threat. As this recent article describes, attackers are trying new approaches to infection, such as ransomware ‘malvertising’, and have succeeded in creating the first Mac OS X ransomware.

Have a plan, Be Prepared
Due to the fact that it is not easy to deal with the situation after an organisation is hit by ransomware, the best course of action is to ensure there is a backup plan in place. It might come as a surprise but in order to understand the seriousness of the situation, consider that an official in the FBI’s Boston field office went against normal FBI policy and suggested to a conference audience that often the only solution is to pay the ransom. Sysnet wants to make sure you do not have to face that moral dilemma and for that reason we are trying to inform you about the increasing threat and ensure you have taken all the necessary steps towards prevention.

The Badlock day has arrived!

Badlock is a a crucial security bug in Windows and Samba. Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available [here]. 

Microsoft and the Samba Team have been working together in order to get this problem fixed and for a patch to be released. You will have to update your systems as this security flaw is expected to be actively exploited soon enough. 

Badlock is referenced by CVE-2016-2118 (SAMR and LSA man in the middle attacks possible).

There are additional CVEs related to Badlock. Those are:

• CVE-2015-5370 (Multiple errors in DCE-RPC code)
• CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
• CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
• CVE-2016-2112 (LDAP client and server don't enforce integrity)
• CVE-2016-2113 (Missing TLS certificate validation)
• CVE-2016-2114 ("server signing = mandatory" not enforced)
• CVE-2016-2115 (SMB IPC traffic is not integrity protected)

Please, find more information about badlock at the dedicated website created for that reason: badlock.org

Start Google Chrome in Incognito Mode by Default

I tend to use different browsers for different tasks, and that makes my life a lot easier when it comes to managing all the different things I have to do. From my point of view, the Google Chrome web browser is the ideal browser for its incognito mode when accessing known safe websites. 

In order to speed things up, I tend to start it in incognito mode by default. Not many people know this, but it is really easy to start Chrome in incognito mode by default. 

If you already have Chrome already installed, locate the executable on  your system. You can R-Click on your existing shortcut (i.e. on the Start menu) and choose, "Open file location". 

Building a Security Operations Centre (SOC)

Building a Security Operations Centre (SOC) is undoubtedly the best move you can make towards protecting not only your organisation’s data, systems and services, but also any sensitive information about your clients that you handle or store. This article is a brief overview of the task of building a SOC, introducing not only the key elements but also how the challenges of increased security requirements and rapid response are addressed.

The process for building a SOC can be time consuming and it is directly related to the available budget. The best approach is to create a plan that allows for incremental phases of implementation. Starting with a gap analysis, you will be able to define and prioritise the milestones for incremental improvements by setting the appropriate expectations and timelines. To start with, take a look at the Centre for the Protection of National Infrastructure (CPNI) and more specifically the Top 20 Critical Security Controls guidance.

The incremental improvements need to take under consideration the collaboration and communication between people, technology, and processes. These are the three equally important components that define a SOC.

Format a memory card back to its original size

After using an SD card to install Kali Linux on Raspberry Pi, I decided I had to reformat it to its original size. If you try to do this using the format tool on Windows you won't be able to format your card. 

The best way to do this, if you want to use Windows, is to start the command prompt and use the diskpart command line tool. Insert your memory card and follow the instructions below.

Start the command prompt and run the command: diskpart

This will open up a new command prompt window similar to the following screen.