Wednesday, August 17, 2016

The Death of Commercial AV Products

We keep beating the drum: reduce what is most likely the largest line item in your security expense budget, anti-virus.  Another data point to make our case:

1. A Microsoft Word file propagating across the Internet as of ~8am CDT was detected by our Forcepoint Sandbox:

2. Note the SHA-256 hash in the above screenshot.  Note the same hash below, and how only 5 of 53 AV engines are currently detecting this threat:

3. How bad is the malware?  Per below, it attempts to "post" some of your data to a site in Ukraine:

In summary, did you see that freeware AV engines are detecting this threat?  Why is it you're paying all that money to the "enterprise class AV companies"?  Again... reduce your spend and invest the savings in next gen solutions.  Call ESPO Systems for a free consultation.

Tuesday, August 2, 2016

QUIC Best Practice

As we all know, Google has a habit of updating their code frequently.  From a Feature Perspective that is obviously good.  From a Security Perspective this can create a problem.  For example, if you have a DLP Endpoint Agent installed to identify/block confidential posts... you may have issues if Chrome gets too far out in front of your agent.  Another example is QUIC.

https://en.wikipedia.org/wiki/QUIC

This UDP-based protocol will render your proxies useless, since proxy redirection is set up only for outbound connections destined to TCP:80 & 443; QUIC traffic on UDP simply bypasses it.  ESPO best practices are as follows:

Option 1: Disable the Experimental QUIC protocol on individual Google Chrome browsers.  Open Google Chrome, type "chrome://flags" in the URL bar, look for Experimental QUIC protocol and disable it.

Option 2: Block QUIC using firewall policy.  Create a custom firewall service for UDP port 80 and port 443.  Configure a firewall policy with that custom service and set the action to Deny.  Make sure this policy sits at the top of the policy list for traffic from inside/trusted to outside/untrusted.

Option 3: Similar to Option 1, you can use a GPO to turn off the QUIC protocol.  Download the latest Chrome adm/admx templates from https://support.google.com/chrome/a/answer/187202?hl=en#windows and find the setting under Administrative Templates > Google Chrome > Allows QUIC protocol.  Set it to Disabled.

In summary, the Easy Button answer might be Option 2.  Block outbound connections destined to UDP:80 & 443 and the browser will have to fall back to TCP.

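Whichever option you pick, you will want to confirm whether QUIC is actually slipping past the proxy before the change and whether the Option 2 deny rule is catching it afterwards. The script below is an added example (not from the original post or any vendor): it runs over constructed firewall connection log lines in a generic "action proto src:port -> dst:port" format and tallies, per internal host, outbound UDP flows to 80/443 that were allowed (QUIC bypassing the TCP-only redirect) versus denied (the policy working). The log format, the 10.0.0.0/8 internal range and the sample addresses are assumptions; adjust the regex to your firewall's export.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real traffic) in an assumed generic format.
SAMPLE_LOG = """\
2016-08-02T14:01:03 allow udp 10.1.5.21:52110 -> 172.217.4.78:443
2016-08-02T14:01:04 allow tcp 10.1.5.21:52111 -> 10.1.0.9:8080
2016-08-02T14:01:05 allow udp 10.1.5.33:60022 -> 172.217.4.78:443
2016-08-02T14:01:06 allow udp 10.1.5.21:52113 -> 172.217.4.110:80
2016-08-02T14:01:07 deny udp 10.1.5.40:49152 -> 172.217.4.78:443
2016-08-02T14:01:08 allow udp 10.1.5.21:53001 -> 10.1.0.5:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed inside/trusted range
QUIC_PORTS = {80, 443}                           # ports the post says to deny on UDP

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def quic_flows(log_text):
    """Return (allowed, denied) Counters keyed by internal source host.
    allowed: outbound UDP/80|443 that got through, i.e. QUIC bypassing the proxy.
    denied:  the same traffic hitting the Option 2 deny rule."""
    allowed, denied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["proto"] != "udp" or int(rec["dport"]) not in QUIC_PORTS:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only inside/trusted -> outside/untrusted flows matter here
        (allowed if rec["action"] == "allow" else denied)[str(src)] += 1
    return allowed, denied

if __name__ == "__main__":
    bypassing, blocked = quic_flows(SAMPLE_LOG)
    for host, n in bypassing.most_common():
        print(f"QUIC bypassing proxy: {host} ({n} flows)")
    for host, n in blocked.most_common():
        print(f"QUIC blocked by policy: {host} ({n} flows)")
```

Hosts that keep showing up under "bypassing" after the deny rule is in place usually mean the rule is not at the top of the policy list, as the post warns.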

Monday, August 1, 2016

New Malware on the Loose

Heads up!  The following site is actively hosting malware as of the writing of this blog post:

What exactly is the malware doing?  Forcepoint indicates nothing good:

Well... "I have Cisco," you may say, "I will be fine."  Ummmm, no:

OK, Ok, ok... "I have a web security solution from 1 of the other 68 solutions available on the market."  Oops!

You may then say, "I have defense-in-depth... I have a top notch AV solution."  Unfortunately, only 2 of 54 AV engines are actively protecting against this executable:

What can I do to protect against this active threat?  Call ESPO Systems for a free consultation.