Introduction

Details of a critical vulnerability impacting Microsoft’s Exchange 2013 and 2016 servers were recently discovered and made public.  If successfully exploited, this vulnerability would allow an attacker to gain Domain Admin permissions within a company’s Active Directory infrastructure, allowing nearly unrestricted access not only to the compromised Exchange server but to every system joined to the domain.  At this time Microsoft has not released a patch for this vulnerability.  Tier1Net customers that have implemented Tier1Net’s Cisco Umbrella Secure DNS and/or Duo Authentication services have their exposure to this vulnerability greatly reduced.

Technical Information

In order to successfully exploit this vulnerability an attacker would first need to obtain the credentials of any existing mailbox on a targeted Exchange server.  This can be accomplished via phishing or credential stuffing, where an attacker reuses credentials breached from one service to log in to another.  Once an attacker has access to a mailbox on the Exchange server they can then combine three known weaknesses to elevate the compromised account’s permissions to those of a Domain Admin: the Exchange server holds far more privilege in Active Directory than it needs, Exchange Web Services can be made to authenticate outbound to a host of the attacker’s choosing using the server’s own computer account, and that NTLM authentication can be relayed to the domain controller because LDAP signing is not enforced by default.  A Domain Admin has full control of the Active Directory domain, not just the Exchange server, and can reset any user’s password, create and delete mailboxes, add further administrators, and so on.

Steps Being Taken by Tier1Net

Due to Tier1Net’s expertise and emphasis on cybersecurity, many of its customers are already protected from this latest vulnerability.  Furthermore, Tier1Net deploys multiple security layers to both its own internal and hosted infrastructures as well as client supported networks to greatly reduce the exploit risk of any single vulnerability.  To further reduce customer exposure to this vulnerability Tier1Net will be deploying a Microsoft supported mitigation tool to all managed and hosted Exchange servers.
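Because the attack chain depends on three server-side conditions (Exchange’s right to change the domain’s permissions, the EWS push-subscription feature that makes Exchange authenticate outbound, and the server accepting its own relayed credentials), an administrator can check for and mitigate them directly while waiting for the patch.  The PowerShell script below is an added example; it is not Tier1Net’s mitigation tool and not Microsoft’s own script.  It assumes it is run from the Exchange Management Shell on the Exchange server by an account that is both an Exchange and a domain admin, with the ActiveDirectory and WebAdministration modules available; its -Apply switch is this example’s own.  The two mitigations it can apply are the ones Microsoft published: the EWS throttling policy from its PrivExchange guidance (ADV190007) and the DisableLoopbackCheck removal from the CVE-2018-8581 advisory linked below.

```powershell
<#
  Added example: audits an Exchange server for the conditions the PrivExchange
  chain depends on and, with -Apply, applies the two mitigations Microsoft
  published. Not Tier1Net's mitigation tool and not Microsoft's script.
  Assumes: Exchange Management Shell on the Exchange server, an account that is
  both an Exchange and a domain admin, and the ActiveDirectory and
  WebAdministration modules installed. The -Apply switch is this script's own.
#>
[CmdletBinding()]
param([switch]$Apply)

Import-Module ActiveDirectory -ErrorAction Stop
$findings = @()

# 1. EWS push subscriptions. The attacker registers a subscription whose
#    callback URL is a host they control; Exchange then authenticates to that
#    host with its own computer account, which is the credential that gets
#    relayed. Microsoft's interim mitigation is an organization-scoped
#    throttling policy with EwsMaxSubscriptions = 0.
$orgPolicies = @(Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' })
$ewsBlocked  = @($orgPolicies | Where-Object { "$($_.EwsMaxSubscriptions)" -eq '0' }).Count -gt 0
if (-not $ewsBlocked) {
    $findings += 'EWS push subscriptions still allowed (no Organization-scope policy with EwsMaxSubscriptions=0)'
    if ($Apply) {
        New-ThrottlingPolicy -Name 'NoEWSSubscription' -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0 | Out-Null
        Import-Module WebAdministration
        Restart-WebAppPool -Name 'MSExchangeServicesAppPool'   # EWS pool must recycle to pick up the policy
    }
}

# 2. DisableLoopbackCheck. Exchange setup sets this to 1, which is what allows
#    the server's own credential to be relayed back to the server. Microsoft's
#    CVE-2018-8581 advisory recommends deleting the value.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lb  = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lb -and $lb.DisableLoopbackCheck -eq 1) {
    $findings += 'DisableLoopbackCheck=1 is set under HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($Apply) { Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck }
}

# 3. Exchange's rights on the domain object. The relayed LDAP session only
#    reaches Domain Admin because "Exchange Windows Permissions" holds WriteDacl
#    on the domain head, letting it grant the attacker replication (DCSync)
#    rights. Reported only: removing the ACE changes Exchange's permission
#    model and should be planned, not scripted blindly.
$domainDn = (Get-ADDomain).DistinguishedName
$aces = @((Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like '*Exchange Windows Permissions*' -and
    $_.ActiveDirectoryRights.ToString() -match 'WriteDacl|GenericAll'
})
if ($aces.Count -gt 0) {
    $findings += "Exchange Windows Permissions holds $($aces[0].ActiveDirectoryRights) on $domainDn"
}

if ($findings.Count -eq 0) {
    'No PrivExchange preconditions found on this server.'
} else {
    'PrivExchange preconditions found:'
    $findings | ForEach-Object { "  - $_" }
}
```

Run it without -Apply first; the report alone tells you whether the server is still exposed.  Disabling EWS push subscriptions breaks only the push-notification flavour of EWS (Outlook and ActiveSync clients are unaffected), whereas removing Exchange’s WriteDacl on the domain object is a permissions-model change, which is why the script only reports it.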

Additional Information

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://nakedsecurity.sophos.com/2019/01/30/privilege-escalation-vulnerability-uncovered-in-microsoft-exchange/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

SEC Office of Compliance Inspections and Examinations Announces 2019 Examination Priorities

FOR IMMEDIATE RELEASE
2018-299

Washington D.C., Dec. 20, 2018 —
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) today announced its 2019 examination priorities. OCIE publishes its exam priorities annually to promote transparency of its examination program and provide insights into the areas it believes present potentially heightened risk to investors or the integrity of the U.S. capital markets. This year, particular emphasis will be on digital assets, cybersecurity, and matters of importance to retail investors, including fees, expenses, and conflicts of interest.

“OCIE continues to thoughtfully approach its examination program, leveraging technology and the SEC staff’s industry expertise,” said SEC Chairman Jay Clayton. “As these examination priorities show, OCIE will maintain its focus on critical market infrastructure and Main Street investors in 2019.”

“OCIE is steadfast in its commitment to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that improve compliance, prevent fraud, monitor risk, and inform policy. We believe our ongoing efforts to improve risk assessment and maintain an open dialogue with market participants advance these goals to the benefit of investors and the U.S. capital markets,” said OCIE Director Pete Driscoll.

This year, OCIE’s examination priorities are broken down into six categories: (1) compliance and risk at registrants responsible for critical market infrastructure; (2) matters of importance to retail investors, including seniors and those saving for retirement; (3) FINRA and MSRB; (4) digital assets; (5) cybersecurity; and (6) anti-money laundering programs.

Compliance and Risks in Critical Market Infrastructure – OCIE will continue to examine entities that provide services critical to the proper functioning of capital markets. OCIE will conduct examinations of these firms which include, among others, clearing agencies, national securities exchanges, and transfer agents, focusing on certain aspects of their operations and compliance with recently effective rules.

Retail Investors, Including Seniors and Those Saving for Retirement – Protecting Main Street investors continues to be a priority in 2019. OCIE will focus examinations on the disclosure and calculation of fees, expenses, and other charges investors pay, the supervision of representatives selling products and services to investors, broker-dealers entrusted with customer assets, and portfolio management and trading.

FINRA and MSRB – OCIE will continue its oversight of FINRA by focusing examinations on FINRA’s operations and regulatory programs and the quality of FINRA’s examinations of broker-dealers and municipal advisors. OCIE will also examine MSRB to evaluate the effectiveness of select operations and internal policies, procedures, and controls.

Cybersecurity – Each of OCIE’s examination programs will prioritize cybersecurity with an emphasis on, among other things, proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security.

Anti-Money Laundering Programs – Examiners will review for compliance with applicable anti-money laundering requirements, including whether firms are appropriately adapting their AML programs to address their regulatory obligations.

The published priorities for 2019 are not exhaustive and will not be the only issues OCIE addresses in its examinations, Risk Alerts, and investor and industry outreach. While the priorities drive OCIE’s examinations, the scope of any examination is determined through a risk-based approach that includes analysis of the registrant’s operations, products offered, and other factors.

The collaborative effort to formulate the annual examination priorities starts with feedback from examination staff, who are uniquely positioned to identify the practices, products, and services that may pose significant risk to investors or the financial markets. OCIE staff also seek advice of the Chairman and Commissioners, staff from other SEC divisions and offices, and the SEC’s fellow regulators.

OCIE is responsible for conducting examinations of entities registered with the SEC, including more than 13,200 investment advisers, approximately 10,000 mutual funds and exchange traded funds, roughly 3,800 broker-dealers, about 330 transfer agents, seven active clearing agencies, 21 national securities exchanges, nearly 600 municipal advisors, FINRA, the MSRB, the Securities Investor Protection Corporation, and the Public Company Accounting Oversight Board, among others. The results of OCIE’s examinations are used by the SEC to inform rule-making initiatives, identify and monitor risks, improve industry practices, and pursue misconduct.

https://www.sec.gov/news/press-release/2018-299

Recently, Cybersecurity experts Marc Capobianco and Patrick Ramsdell presented at a conference regarding the future of Cybersecurity at The Exchange (formerly Advent User’s Group) technology round table.  The sold out event was attended by many of Boston’s prominent Wealth Management firms.

2018 will go on record as one of the worst years for data breaches, with over 3,600 breaches reported involving more than 3.6 billion records.  Cybercriminals have rapidly acquired new cyber weapons and modified the ways they launch cyberattacks.

Weapons and attack capabilities that were previously only used by large-scale nation-state operations are now falling into the hands of everyday criminals.  43% of these attacks target small businesses.  Today’s attackers are more sophisticated and capable of exploiting weaknesses at previously unseen speed and scale.

The average security incident takes 240 days to detect, and 87% of these incidents are first discovered by external sources.  As such, the need for advanced detection and response technologies is greater than ever.

Tier1Net discussed the benefits of its Cybersecurity Business Operating Platform for Financial Services Organizations.  This advanced platform meets the current regulations, is ahead of newly proposed compliance regulations and includes four distinct tiers leveraging Hybrid Artificial Intelligence and Advanced Machine Learning technologies.

What attendees had to say:

“A truly enlightening session.  Tier1Net presented a detailed overview of cybersecurity trends combined with specific examples of attacks they are currently seeing targeting financial firms.  With each example they explained strategies and solutions they can offer to stay ahead of these threats and also meet current and upcoming compliance regulations.  It’s clear Tier1Net understands the challenges firms like ours face.”     ~ Kristin Vespucci-Case, Boston Financial Management

“Tier1Net’s cybersecurity roundtable was very informative. Not only did they give us an update on the current cyber landscape but they also provided us with some practical solutions that were appropriate for a company of our size. It was time well spent!”   ~ Patricia Melnick, Prio Wealth

If you are a financial service firm in need of guidance regarding Cybersecurity Best Practices and Compliance, please contact Tier1Net at 781-935-8050 to inquire about our Cybersecurity Business Operating Platform for Financial Services Organizations.

Tier1Net would like to share the latest available information on the Spectre and Meltdown vulnerabilities.  First and foremost, it is important to note that there are still no known attacks in the wild targeting these vulnerabilities, although proof-of-concept code published by the researchers is public.

Firewall Layer

Tier1Net’s preferred firewall vendor, Sonicwall, has confirmed it has deployed antivirus and intrusion prevention signatures intended to detect attempted Spectre and Meltdown attacks.  These antivirus and IPS updates have already been deployed to Tier1Net’s cloud and customer networks.  Note that such signatures can only match known proof-of-concept code as it crosses the firewall; the flaws themselves are in the CPU, and a program already running on a machine needs no network traffic to exploit them, so the operating system, hypervisor, browser and firmware updates listed below remain the real fix.

Patch Status

Tier1Net is actively tracking the status of patches as they are released.  Once released Tier1Net will evaluate patches for stability before releasing them for install.  A Tier1Net representative will contact you if it is determined that the installation of a particular patch requires manual intervention or a maintenance window.  Tier1Net recommends that its customers take immediate action to update their iPhone and Android devices using the Knowledgebase articles documented below.

To review the status of patches being released please see the following vendor list.

Microsoft

Microsoft has already released patches for the latest version of Windows 10 as well as for its web browsers, Internet Explorer and Edge.  Patches for older versions of Windows will be released this week.  PCs and servers within Tier1Net managed networks will automatically receive the patches via Tier1Net’s Windows Update service.  One caveat: because several antivirus drivers crashed with the patched kernel, Microsoft only offers the January 2018 update to machines whose antivirus product has set the compatibility registry value Microsoft required (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat), so a PC running an out-of-date or unsupported antivirus product will silently not receive the patch.
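To confirm that the Windows mitigations are actually in effect on a given machine, rather than merely installed, Microsoft published a SpeculationControl PowerShell module alongside the January 2018 updates.  The script below is an added example (not Tier1Net’s tooling and not part of Microsoft’s module); it installs that module from the PowerShell Gallery, reports the Meltdown and Spectre variant 2 status, and checks the registry opt-in that Windows Server needs before the mitigations are active.  It assumes an elevated session on a machine that can reach the Gallery; its -EnableOnServer switch is this example’s own, while the property and registry names are Microsoft’s.

```powershell
<#
  Added example: reports whether the Windows Meltdown and Spectre mitigations
  are active on this machine and checks the opt-in Windows Server requires.
  Not Tier1Net's tooling; uses Microsoft's SpeculationControl module from the
  PowerShell Gallery. Assumes an elevated session with Gallery access; the
  -EnableOnServer switch is this script's own.
#>
[CmdletBinding()]
param([switch]$EnableOnServer)

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# Prints Microsoft's own summary and returns an object with the raw flags.
$s = Get-SpeculationControlSettings

# Meltdown (CVE-2017-5754) is mitigated by kernel VA shadowing ("KVA shadow").
# Spectre variant 2 (CVE-2017-5715) needs branch target injection (BTI)
# support in Windows plus a CPU microcode update from the hardware vendor;
# without the microcode, BTIHardwarePresent stays false whatever is patched.
[PSCustomObject]@{
    MeltdownMitigationRequired = $s.KVAShadowRequired
    MeltdownOsSupportPresent   = $s.KVAShadowWindowsSupportPresent
    MeltdownEnabled            = $s.KVAShadowWindowsSupportEnabled
    SpectreV2MicrocodePresent  = $s.BTIHardwarePresent
    SpectreV2OsSupportPresent  = $s.BTIWindowsSupportPresent
    SpectreV2Enabled           = $s.BTIWindowsSupportEnabled
} | Format-List

# On Windows Server the January 2018 update installs the mitigations but leaves
# them off (Microsoft KB4072698) because of the performance cost on server
# workloads; workstations enable them by default. ProductType 1 = workstation.
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$reg = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
$optedIn = ($reg.FeatureSettingsOverride -eq 0) -and ($reg.FeatureSettingsOverrideMask -eq 3)

if ($isServer -and -not $optedIn) {
    Write-Warning 'Windows Server: mitigations are installed but not enabled (FeatureSettingsOverride / FeatureSettingsOverrideMask not set).'
    if ($EnableOnServer) {
        New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
        Write-Warning 'Mitigations enabled; reboot, then re-run to confirm the *Enabled flags are True.'
    }
}
```

Two things the output makes visible that a patch report does not: a server can be fully patched and still show every Enabled flag as False until the registry opt-in and a reboot, and SpectreV2MicrocodePresent stays False until the hardware vendor’s BIOS/firmware update is installed, independent of Windows patch level.  Hyper-V hosts additionally need the MinVmVersionForCpuBasedMitigations value (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization) before guest VMs see the mitigations.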

PCs not managed by Tier1Net (for example, personal use and home PCs) will automatically receive patches as long as they have been enabled to receive updates via Microsoft’s Windows Update service.  Please see the following for further information on enabling Microsoft’s Windows Update service: https://support.microsoft.com/en-us/help/12373/windows-update-faq

Apple

Apple has released iOS 11.2.2, which adds mitigations for Spectre to Safari and WebKit (the Meltdown mitigation shipped earlier in iOS 11.2).  Tier1Net recommends installing the update as soon as possible.  Please see the following KB detailing the steps required to update an iPhone’s iOS:  https://tier1net.itglue.com/DOC-1500653-1490177

Google

Google patched Android against Meltdown and Spectre in its January 2018 security update.  When that update reaches a given phone depends on the device manufacturer (and carrier) releasing it for that model.  Tier1Net recommends checking for and installing the most recent updates available as soon as possible.  Please see the following KB detailing the steps required to update an Android device:   https://tier1net.itglue.com/DOC-1500653-1490202

Google is also releasing an update for its Chrome web browser in the coming days which will obstruct attempts to exploit the Meltdown and Spectre flaws from web pages.  Chrome downloads updates in the background and applies the latest available version the next time the browser is launched.  In the meantime, Chrome’s Site Isolation feature (chrome://flags/#enable-site-per-process) can be turned on to limit what a malicious page could read from other sites.

Mozilla

Mozilla has released an update for Firefox to mitigate against Meltdown and Spectre.  The update will be installed automatically when the browser is launched.

VMware

VMware has released patches for its ESXi hypervisor to address the Spectre and Meltdown vulnerabilities.  The ESXi hypervisor runs directly on server hardware and hosts the virtual machines (for example, virtual Windows servers) that share that hardware.  The hypervisor patch stops one virtual machine from reading another’s memory or the host’s; each guest operating system still needs its own patches for attacks that originate inside that guest.  Tier1Net is in the process of evaluating these patches and will deploy them to its cloud and customer networks once patch stability has been fully confirmed.

Performance Concerns

There have also been reports of the patches reducing a device’s CPU performance once installed.  The initial reports may have been overstated, and measurements so far conflict; the impact depends heavily on workload and is largest for tasks that make many system calls or heavy disk and network I/O.  Microsoft has warned users of older PCs (roughly 2015-era Haswell CPUs and earlier, and any PC still on Windows 7 or 8) to expect a noticeable slowdown.  On servers, any impact is load dependent and may be further reduced by Retpoline, a compiler technique published by Google researchers that mitigates Spectre variant 2 without relying on the most expensive CPU features.

Introduction

Details on two security vulnerabilities impacting nearly all modern Operating Systems and Hardware were made public yesterday.  At this time new details are still emerging with many questions still unanswered.  Tier1Net has been evaluating information as it has been released and would like to share its findings with you.

Technical Information

The vulnerabilities have been named Meltdown and Spectre, with Meltdown being the more serious of the two.  Based on current public information Meltdown impacts essentially every Intel CPU made since the mid-1990s, while Spectre impacts nearly all CPUs made in the last 20 years, including Intel, AMD and ARM designs.  Both abuse the CPU’s speculative execution.  Meltdown lets an ordinary, unprivileged program read kernel memory, and through it the memory of other processes, on the same machine.  Spectre instead tricks a victim program (another process, a browser running untrusted JavaScript, or a hypervisor) into leaking its own memory across a security boundary.  Either can expose passwords, encryption keys and other sensitive data held in memory; neither by itself lets an attacker modify data or run code with higher privileges.  Spectre is harder to exploit reliably than Meltdown, but it is also harder to fix, so its mitigations will arrive in stages across operating systems, browsers and CPU firmware.  For further technical information please visit https://meltdownattack.com

Steps Being Taken by Tier1Net

As with all major security vulnerabilities there are a lot of news headlines sensationalizing the impact.  At this time there are no known attacks in the wild, although the researchers have published proof-of-concept code and working exploits should be expected to follow.  Furthermore, Tier1Net deploys multiple security layers to both its own internal and hosted infrastructures as well as client supported networks to greatly reduce the exploit risk of any single vulnerability.

With that in mind, Tier1Net is still taking all appropriate steps to address these vulnerabilities as quickly as possible.  Microsoft has released several patches via its updating service to mitigate the risk within its Windows Operating Systems, while patches from other vendors are still in development.  In the coming days and weeks Tier1Net will be testing and deploying patches as they become available with the goal of balancing security and stability.

Additional Information:

https://nakedsecurity.sophos.com/2018/01/03/fckwit-aka-kaiser-aka-kpti-intel-cpu-flaw-needs-low-level-os-patches/

https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html

https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw

A new ransomware attack named GoldenEye (also reported as Petya or NotPetya) is rapidly spreading throughout Europe and Asia, shutting down business and government networks alike.

Details are still emerging, but experts believe the GoldenEye ransomware is exploiting the same Windows SMBv1 vulnerability that was targeted by the WannaCry ransomware attack.  Microsoft released a patch for this vulnerability (MS17-010) in March 2017, which was distributed to all potentially vulnerable PCs and servers via Tier1Net’s Windows Update services.  Note that this variant also moves laterally to fully patched machines by harvesting administrator credentials from an infected PC’s memory and reusing them with legitimate Windows remote-administration tools, so a single unpatched or already-infected host can still put the rest of the network at risk.

Nonetheless, it is possible this new ransomware variant can exploit previously unknown vulnerabilities within Windows, so Tier1Net recommends alerting all employees to be extra vigilant about any email that asks the recipient to click a link or open an attachment.  The GoldenEye attack has been reported to use common phishing techniques, so employees should be warned to be suspicious even of emails that appear to come from trusted sources.

For more information or assistance please contact Tier1Net Support at 781-935-8050 or at help@tier1net.net.

The WannaCry ransomware is a good illustration of an attack that exploits multiple weaknesses within a network.

•  It can be delivered through common email phishing techniques that trick a user into running it.
•  Once running, it encrypts company data and holds it for ransom.
•  It then spreads to other PCs on the network (and to exposed machines across the Internet) without any user interaction, by exploiting a vulnerability in the Windows SMBv1 file-sharing service that Microsoft patched in March 2017 as MS17-010.

There is no single solution to cybersecurity threats such as WannaCry, because they always exploit several weaknesses within a company at once.  Tier1Net protects its clients against current and future cybersecurity threats by leveraging a balanced approach of prevention, education and redundancy.
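Both the GoldenEye outbreak above and WannaCry’s worm stage spread over the Windows SMBv1 file-sharing protocol, so the single most useful check an administrator can run on each Windows host is whether SMBv1 is still enabled and listening.  The script below is an added example, not Tier1Net’s Managed Workplace tooling; it audits SMBv1 on one host and, with its own -Disable switch, turns the protocol off.  It assumes an elevated session on Windows 8 / Server 2012 or later, where the SmbShare cmdlets exist.

```powershell
<#
  Added example: audits one Windows host for the SMBv1 exposure the WannaCry
  worm (and GoldenEye's network spreading) relies on and, with -Disable, turns
  SMBv1 off. Not Tier1Net's Managed Workplace tooling. Assumes an elevated
  session on Windows 8 / Server 2012 or later, where the SmbShare cmdlets exist
  (on Windows 7 / 2008 R2 SMBv1 is instead disabled by setting the SMB1 DWORD
  under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0).
  The -Disable switch is this script's own.
#>
[CmdletBinding()]
param([switch]$Disable)

# Server side: the exploit targets the SMB server on TCP 445, so what matters is
# whether SMBv1 is accepted there, not whether the client component exists.
$smb       = Get-SmbServerConfiguration
$listening = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# Whether the SMBv1 component is installed at all (newer builds let it be removed).
# ProductType 1 = workstation; servers expose the component as a role feature.
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
if ($isServer) {
    $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    $componentInstalled = [bool]($f -and $f.Installed)
} else {
    $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $componentInstalled = [bool]($f -and $f.State -eq 'Enabled')
}

[PSCustomObject]@{
    Smb1ServerEnabled      = $smb.EnableSMB1Protocol
    Smb1ComponentInstalled = $componentInstalled
    ListeningOnTcp445      = $listening.Count -gt 0
    SmbSigningRequired     = $smb.RequireSecuritySignature   # also blunts credential relay
} | Format-List

if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled: if this host is unpatched it is reachable by the WannaCry/GoldenEye exploit.'
    if ($Disable) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Warning 'SMBv1 server disabled. Legacy devices that only speak SMBv1 (old printers, scanners, NAS units) will lose access to shares on this host; once confirmed, remove the component with Remove-WindowsFeature FS-SMB1 or Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.'
    }
}
```

Run it without -Disable first across a representative set of hosts; the report shows which machines still accept SMBv1 regardless of their patch level.  Disabling SMBv1 is the durable control, because it removes the code path the exploit needs rather than relying on every host having received the March update.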

How Do Tier1Net’s Managed Services Prevent Cybersecurity Threats?

Prevention:

•  Emails are scanned for known virus signatures, phishing techniques and potentially dangerous email attachments.
•  Network traffic is scanned at the perimeter by firewalls which examine all incoming and outgoing traffic for viruses and intrusions.
•  Tier1Net’s Managed Workplace solution automatically deploys patches for known vulnerabilities within a network.
•  Tier1Net leverages advanced antivirus clients and internal network intrusion detection services to detect and prevent attacks from within the network.

Education: 

•  Tier1Net’s email phishing campaigns educate your employees on common email phishing techniques so they won’t be so easily fooled by the real thing.

Redundancy/Business Continuity:

•  Tier1Net’s Disaster Recovery services provide the redundancy necessary to recover quickly from a cybersecurity attack.  Within minutes of an outbreak Tier1Net can restore data from hourly snapshots that run seamlessly in the background.  Recovery of this kind depends on the snapshots being stored where an infected machine cannot reach or encrypt them, since ransomware also attacks any backups it can write to.

It is this multilayered approach to cybersecurity and data redundancy that Tier1Net has specifically designed to prevent attacks and to recover quickly should one ever occur.

If you have any questions about the WannaCry ransomware campaign or would like to learn more about Tier1Net’s services please email us at help@tier1net.net or call our office at (781)935-8050.

Thank you.

Tier1Net