SONICWALL TZ300P REVIEW: A MULTI-SITE MARVEL

A competitively priced desktop UTM appliance, with plenty of security and management features

Appliance with 1yr TotalSecure Advanced

Pros: Great monitoring capabilities; Simple multi-site deployment; Granular configuration options

Cons: No transparent email scanning

Verdict: The SonicWall TZ300P delivers a wealth of security measures at a great price. It’s comprehensive yet easy to deploy, and with remote management and zero-touch provisioning it will particularly appeal to businesses with multiple offices.

Targeting SMBs and remote offices, the TZ300P is one of SonicWall’s most versatile desktop appliances yet. Alongside a stiff set of unified threat management (UTM) security measures, it delivers software defined WAN (SD-WAN) services and wireless AP management – and, for good measure, it even supports PoE.

Recommended for up to 25 users, the TZ300P boasts a raw firewall throughput of 750Mbits/sec, dropping to 235Mbits/sec with UTM services enabled. The compact box offers five Gigabit Ethernet ports, one of which is set aside for WAN duties, while the rest are available for LAN usage. Two of these are PoE-enabled, which is handy – just note that the small 35W power threshold means that it will only drive a single PoE+ device. The other notable connector is a USB port, which can provide WAN redundancy via a 3G or 4G mobile adapter.

The appliance itself costs £720 to buy, rising to £1,085 with a one-year TotalSecure Advanced subscription. This really unlocks the potential of the device, not only entitling you to 24/7 support, but enabling IPS, antivirus and anti-spyware functions. It also activates content filtering, application intelligence and Capture ATP, which watches for files such as Office documents, PDFs and executables, scans them in its cloud sandbox and only releases them if they pass a barrage of malware tests.

The latest SonicOS firmware sports a fresh web console exposing a wealth of information. Graphs and charts show appliance utilisation, security service status, the latest threats, risky apps, bandwidth consumption and the busiest users.

There’s also a quick-start wizard, which helped us set up the LAN and WAN ports for internet access and apply a security policy to the default zone. Optionally you can create multiple security zones, each with its own settings, and place selected ports in different zones. Zero-touch provisioning even allows you to send appliances to remote sites, where they will pick up their configuration as soon as they connect to the internet.

The various security features are very flexible. Virus scanning can be enabled for selected zones, using one global configuration for HTTP, FTP, IMAP, POP3, SMTP, CIFS and TCP streams. HTTPS inspection can be easily enabled too, while web filtering uses either the basic SonicWall CFS or the premium WebSense Enterprise hosted service, which costs an extra £179 per year.

The content filtering module is just as configurable: we were easily able to create filtering profile objects using the 64 available URL categories, assign action objects to block access and apply an acceptable use policy to redirect users to a consent web page.

Then there’s app control, which you’ll find on the console’s new Investigate page. From here, you can freely browse the AppFlow logs, and if you spot any suspect apps you can create an instant rule to block or monitor them. Advanced control rules are more complex to create, as they use signature IDs to identify specific activities, but if you’ve had enough of Facebook in the workplace, you can manage or block any of its services.

On top of all this, you may choose to pay £182 per year for the optional anti-spam module. This handles spam, phishing and suspicious attachments, while the Exchange Junk Store feature allows users to view their personal quarantine areas and delete or release messages. It doesn’t offer transparent scanning, though, so you need to set it up with details of your email server.

As a final bonus, if you’re using more than one SonicWall appliance, the Capture Security Center service lets you manage them all from one central cloud console, with an impressive collection of analytics and reporting services.

No doubt, the TZ300P delivers a wealth of security measures at a great price. It’s comprehensive yet easy to deploy, and with remote management and zero-touch provisioning it will particularly appeal to businesses with multiple offices.

Specifications:

Desktop appliance
800MHz dual-core CPU
1GB RAM
5 x Gigabit (WAN, 4 x LAN with 2 x PoE or 1 x PoE+)
USB 3
RJ-45 serial port
Web browser and CSC cloud management
External PSU
1yr hardware warranty and support
Options: Anti-spam service, £182 per year (exc VAT)

Attackers Demand $2.5 Million Ransom After Coordinated Ransomware Attacks on Texas Government Entities

  • Two of the impacted municipalities, the City of Borger, and the City of Keene, have publicly disclosed that they’ve been impacted by the coordinated ransomware attack.
  • Keene Mayor Gary Heinrich said that the threat actor infiltrated the city’s IT software, which is run by a managed service provider (MSP).

The attacker who hit over 22 local government entities in Texas with a coordinated ransomware attack has demanded a collective ransom payment of $2.5 million.

Update on the attack

  • An update from the Department of Information Resources (DIR) reveals that the number of impacted entities has come down to 22.
  • Nearly 25% of the impacted entities have been moved from the response and assessment stage to remediation and recovery stage.
  • A number of impacted entities have restored their operations back to normal.
  • However, the identities of the impacted entities remain undisclosed for security reasons.

Meanwhile, two of the impacted municipalities have publicly disclosed that they’ve been impacted by the ransomware attack.

City of Borger

  • The City of Borger in Texas has released a press release stating that the attack has impacted the City’s business and financial operations.
  • However, the City assured that it continues to provide phone services and other basic emergency services such as Police, Fire, 9-1-1, Animal Control, Water, Wastewater and Solid Waste Collection.
  • The City confirmed that it is currently working with responders to bring its computer systems back online.

“State and Federal agencies continue investigating the origins of this attack; however response and recovery are the City’s priority at this time. Based on the current state of the forensic investigation, it appears that no customer credit card or other personal information on the City of Borger’s systems have been compromised in this attack,” read the press release.

City of Keene

The City of Keene in Texas admitted in a Facebook post that the attack has impacted the City’s services to process credit card payments.

“Keene is working with law enforcement to resolve a cyber incident that impacted servers state-wide. Because this is an investigation, we can’t share much.
Here’s what you need to know:
• No credit card payments or utility disconnections for now
• Our drinking water is safe
• Check back here for updates,” read the Facebook post.

Keene Mayor Gary Heinrich told National Public Radio that the threat actor infiltrated the city’s IT software, which is managed by an outsourced company that also supports many of the other affected municipalities. Heinrich added that the threat actor demanded a collective ransom of $2.5 million.

“They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house,” said Heinrich.


Sophos Firewall Manager and iView – Centralized management and reporting for all your XG Firewalls

Along with the new XG Firewall, we’ve also launched brand-new centralized management and reporting solutions that make managing multiple devices easy. I thought I would take this opportunity to tell you a bit more about Sophos Firewall Manager and iView, and encourage you to learn more and download the free trials.

Sophos Firewall Manager

Whether you have a few firewalls or a few hundred, Sophos Firewall Manager (SFM) makes managing all your XG Firewalls easy with a comprehensive suite of helpful tools.

It starts at the Sophos Firewall Manager home screen, which uses traffic-light style indicators to provide at-a-glance status for your various firewalls. From the new device-health monitor you can instantly identify any devices that have security, resource, licensing or availability issues.

You can also take advantage of a variety of other views of your devices under management including a helpful flat NOC-type overview …

or a card view …

If you need to drill down to a specific Firewall, that’s easy and rewarding with a rich amount of detail visible at a glance …

But we know you can’t keep your eyes fixed on the screen all day long so that’s why Sophos Firewall Manager offers a comprehensive set of configurable alerts to get notifications on a broad range of events including subscription expiry, gateway status change, excessive disk usage, ATP events, IPS and virus threat counts, unhealthy surfing, and much more.

All the thresholds for status and alerts are completely customizable, ensuring you only get alerted when it’s important.

Sophos Firewall Manager also makes it easy to manage large groups of firewall devices with flexible and convenient grouping and sorting options. Conveniently group devices by model, firmware, country, device name and more for quick and easy action, management, and monitoring.

But that’s just the start – there’s a full set of powerful tools to make your job easier:

  • Streamline enrollment of new devices with a convenient wizard
  • Push, pull or replicate policies across your firewalls easily to ensure consistency
  • Utilize configuration templates to save time and effort setting up a new firewall
  • Centrally manage and monitor updates

And if you need flexible controls, Sophos Firewall Manager has you covered there too with role-based admin to delegate access to various staff based on their functions along with rigorous change control and audit logging.

Sophos iView

Sophos iView complements Sophos Firewall Manager perfectly, providing comprehensive, consolidated reporting across not only multiple XG Firewall devices, but UTM 9 and CyberoamOS devices as well.

Sophos iView includes:

  • Intelligent centralized reporting and analytics
  • Consolidated reporting across multiple firewalls or customers
  • Support for XG Firewall, UTM 9, and Cyberoam firewall devices
  • Easily monitor and analyze security risks across the entire network
  • Provide insight into specific device or customer usage, traffic, and risks
  • Compliance reporting for HIPAA, PCI-DSS, GLBA, and SOX
  • Convenient backup and long-term storage for all your firewall data

How to get started

You can download the SFM and iView datasheets or get started with a limited trial of each today. The Sophos Firewall Manager trial is limited to managing five XG Firewall devices, while the iView trial is limited to 100GB of data storage. Both should be plenty to get you started seeing the power and convenience these tools provide.

Catch the SonicWave of WiFi

Meet the New SonicWave 200 Series Wireless Access Points

SonicWall has been busy with new product releases in 2019, with the SOHO 250 and TZ350 firewalls and Cloud App Security already making waves in the cyber security market. Speaking of waves, SonicWall’s latest devices expand on its wireless access point offerings with the SonicWave 200 Series. Three new models make up the new series of SonicWave APs, offering an option for any type of environment complete with improved uptime, easy deployment, cloud management, and stronger security. The 224W is wall-mountable, the 231C goes on the ceiling, and the 231O is ready for whatever the great outdoors has to throw its way.

These APs feature 802.11ac Wave 2 technology with MU-MIMO (multi-user, multi-input, multi-output) support to maximize performance. They’re also simple to deploy thanks to integration with the SonicWiFi App (scan a QR code and they’re ready to use) and simple to manage whether you use SonicWall’s WiFi Cloud Manager or your SonicWall firewall – either way you need not pony up for an expensive, complex wireless access controller.

And SonicWall never forgets security. With Advanced Security Service, your AP will have Content Filtering and Capture Advanced Threat Protection (ATP), a cloud-based secure sandbox. The 231C and 231O also come complete with a dedicated third scanning radio to detect rogue access points.

Charting the SonicWave Waters

To take an even deeper dive into the specs for each SonicWave, paddle over to our handy comparison table:

How Do I Get One?

So now that you’ve seen what each new SonicWave AP has to offer, you’re probably wondering, “How do I get 1…or 4…or 10 (depending on your space and user needs)?” We have you covered! Visit our SonicWave Access Point page to see all the available options to help you get your network up and running – and secure. Plus, you’ll also be eligible for special discounts through SonicWall’s Get More WiFi, Pay Way Less promotion, which can save you up to 25% off MSRP if you buy an 8-pack of APs with Advanced Security Services. But hurry, the promotion is for a limited time only!

Destructive malware attacks double as attackers pair ransomware with disk wipers

IBM Security’s X-Force Incident Response and Intelligence Services (IRIS) team reported this week that it witnessed a 200 percent increase in destructive malware attacks over the first half of 2019, compared to the second half of 2018.

These malware attacks typically incorporated a disk wiper component. Wipers are historically associated with nation-state-sponsored attacks against politically strategic targets. However, the activity that the IRIS team encountered largely consisted of financially motivated attacks that combined ransomware’s malicious encryption capabilities with disk wiper functionality, in order to create even more dire consequences for victims who fail to pay the ransom demand. Malware strains exhibiting these dual functionalities include LockerGoga and MegaCortex.

“Now you have to not only recover the data that you lost, but you have to recover the entire operating system along with that and that’s a larger effort for a company to work with,” said Christopher Scott, global remediation lead at X-Force IRIS, in a video interview with SC Media at Black Hat in Las Vegas. And that places more pressure on impacted organizations to acquiesce to the attackers’ demands.

According to a newly released IBM Security white paper and corresponding blog post, an analysis of the X-Force IRIS team’s incident response data found that destructive attacks are costing multinational companies an average of $239 million and necessitate an average of 512 hours of incident response and remediation. Moreover, a single attack destroys an average of roughly 12,000 machines.

IBM researchers also noted that the attackers demonstrated a particular affinity for attacking chemical and manufacturing companies. This observation jibes with widely circulated reports this year of ransomware attacks affecting such chemical and manufacturing companies as Norsk Hydro, Hexion, Momentive and Aebi Schmidt. Attacks on such businesses can threaten not only IT infrastructure, but also OT systems, which can lead to dangerous consequences. “There’s a lot of security aspects to those systems and there’s a lot of safety aspects,” said Scott.

One of the cases that Scott and the X-Force IRIS team responded to involved an energy and manufacturing company with about 20,000 users. In this instance, the attackers had established administrative access to the company’s network in less than a week, but then waited a full 120 days before enabling the malware’s destructive capabilities. This gave them time to initially conduct reconnaissance, map out the systems and develop a strategy for how to pull off a successful attack.

“As we worked through the remediation of that system, we focused on some pretty key concepts to prevent the attack. One of the major ones there was multifactor authentication for online services to make sure attackers weren’t able to come through the system. The other was really layered controls and that defense in depth that still works very well, especially within administrative ranks,” said Scott.

State Farm Suffers Data Breach

State Farm, the insurance provider in the US, has been compromised in a credential stuffing attack, according to a news report.

The firm, says the report, acknowledged the cyberattack by filing a data breach notification with the California Attorney General and by sending out “Notice of Data Breach” emails to users whose online account log-in credentials were obtained by the hackers.

The insurer’s data breach notification email said, “State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”

According to the report, State Farm confirmed in its “Notice of Data Breach” email that the attacker obtained usernames and passwords of some policyholders’ accounts, but no personally identifiable information was obtained and no fraud was detected. It is unknown if the attacker logged into accounts.

State Farm customer accounts breached in credential stuffing attack

  • Attackers used a list of usernames and passwords obtained from another source in a credential stuffing attack against State Farm customers’ online accounts.
  • The investigation revealed that attackers were able to confirm valid usernames and passwords for some online accounts; however, no personal information was accessed.

What is the issue?

Insurance company State Farm notified its customers that it suffered a credential stuffing attack during which attackers were able to confirm valid usernames and passwords for some customer accounts.

The big picture

On July 6, 2019, State Farm became aware that attackers had used a list of usernames and passwords obtained from another source in a credential stuffing attack against customers’ online accounts.

  • Upon discovery, the insurance company launched an investigation and determined that the attackers compromised usernames and passwords for some user accounts.
  • The investigation revealed that attackers were able to confirm valid usernames and passwords for some online accounts; however, no personal information was accessed.
  • After this, State Farm reviewed the accounts of impacted customers and confirmed that no fraudulent activity occurred.

“State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account,” State Farm said in a data breach notice.

What actions were taken?

  • State Farm has reset passwords for all impacted customer accounts in order to avoid further access attempts by the attackers.
  • The insurance company has notified the affected customers and has requested them to change their passwords for State Farm accounts as well as for other online accounts if they’ve reused the same passwords.
  • Furthermore, the company has implemented additional security controls to avoid such incidents from happening in the future.

“We have implemented additional controls and continue to evaluate our information security efforts to mitigate future attacks,” a spokesperson for State Farm told ZDNet.

Worth noting

According to the data breach notification filed with the Office of the California Attorney General, the first attempted attack on State Farm accounts occurred on July 6, 2019, followed by subsequent attacks on July 8, 12, 13, 14, 17, 19, 20, and 22.
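The pattern described in the notice, one source trying a leaked list of user IDs against many accounts and confirming a few, is what a detection rule on the login audit trail should catch. The following is an added example, not State Farm’s own tooling, that flags source IPs walking through many distinct user IDs with a high failure rate and lists the accounts whose credentials they confirmed (the set that needs a forced password reset); the log format and sample lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of web-login audit lines (not real State Farm data):
# "<ISO timestamp> <source IP> <user ID> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2019-07-06T02:00:01 203.0.113.7 alice FAIL
2019-07-06T02:00:02 203.0.113.7 bob FAIL
2019-07-06T02:00:02 203.0.113.7 carol SUCCESS
2019-07-06T02:00:03 203.0.113.7 dave FAIL
2019-07-06T02:00:03 203.0.113.7 erin FAIL
2019-07-06T02:00:04 203.0.113.7 frank FAIL
2019-07-06T02:00:05 203.0.113.7 grace SUCCESS
2019-07-06T02:00:05 203.0.113.7 heidi FAIL
2019-07-06T09:15:10 198.51.100.20 alice FAIL
2019-07-06T09:15:40 198.51.100.20 alice SUCCESS
2019-07-06T11:30:00 198.51.100.21 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed audit format into (time, ip, user, ok) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e[0])


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """
    Flag source IPs that, within any sliding time window, attempt logins for at
    least `min_users` distinct user IDs with a failure ratio of at least
    `min_fail_ratio`. A legitimate user retrying a forgotten password touches
    one account; a stuffing run walks a leaked list, so the distinct-user count
    is the discriminating feature. Returns {ip: sorted user IDs that logged in
    successfully from that ip}, i.e. the credentials the attacker confirmed.
    """
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in per_ip.items():
        recent = deque()
        for ev in evs:
            recent.append(ev)
            # Drop events that fell out of the window ending at this event.
            while recent[0][0] < ev[0] - window:
                recent.popleft()
            distinct_users = {e[2] for e in recent}
            failures = sum(1 for e in recent if not e[3])
            if len(distinct_users) >= min_users and failures / len(recent) >= min_fail_ratio:
                flagged[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts whose password was confirmed from any flagged source."""
    return sorted({user for users in flagged.values() for user in users})


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    print("flagged sources:", hits)
    print("force reset:", accounts_to_reset(hits))
```

The thresholds are starting points; in production they would be tuned per login endpoint and combined with per-account rate limiting and multifactor authentication rather than used alone.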

Security bug in Microsoft Hyper-V could impact its Azure cloud services

  • The flaw, which leads to remote code execution, was identified in Remote Desktop Protocol earlier this year.
  • Microsoft has patched this bug after it was found to impact Hyper-V.

A security flaw that was discovered in Microsoft’s RDP has been found to impact another product of the tech giant. The flaw, uncovered by researcher Eyal Itkin of Check Point this year, is a path traversal bug that also affects the virtualization software Hyper-V. It could lead to remote code execution (RCE) on the virtual machines connected to Hyper-V.

A proof-of-concept (PoC) exploit demonstrated by the researcher showed how a file delivered on the host connected to a malicious virtual machine could allow remote execution after a system reboot. The demonstration can be found here.

Key highlights

  • Microsoft, which dubs the issue the “Poisoned RDP vulnerability,” also mentions that the flaw allows attackers to exploit clipboard redirection in RDP.
  • The vulnerability is tracked as CVE-2019-0887.
  • In a case study, Microsoft suggests that Hyper-V, which uses RDP, is affected by the latter’s security flaws.
  • The RCE vulnerability in RDP could be used to escape a virtual machine in Hyper-V, making it a sandbox escape vulnerability as well.
  • After finding it was affecting Hyper-V, Microsoft patched the flaw in its July 2019 security update.
  • The tech giant indicated that there were no active exploits leveraging this bug.

Post-breach detection

Microsoft stated that it worked with Itkin to devise solutions in order to detect attacks carried out through this flaw.

“While we worked on fixing the vulnerability, it was important for us to develop a post-breach detection in order to protect customers from attacks that might exploit the vulnerability. For this effort, we worked closely with Eyal, whose cooperation was critical to the development of these solutions,” said Microsoft.

Data Breach Reminds: Configuration Is Key

An Unfortunate Reminder

If we’ve said it once, we’ve said it 1,000 times – and we’ll keep saying it: the right configuration is key for your network to be fully secure. We had another reminder this week, with news of a data breach affecting Capital One in which a hacker gained access to more than 100 million credit card applications and accounts, in what CNN calls one of the biggest data breaches ever. Capital One had security measures in place, but the breach still occurred. So how did the hacker get through? A misconfigured web application firewall.

Misconfiguration Opens the Door

More specifically, according to the criminal complaint filed by the U.S. Department of Justice, “a firewall misconfiguration permitted commands to reach and be executed by [a specific] server, which enabled access to folders or buckets of data in Capital One’s storage space at the Cloud Computing Company.” Unfortunately, this is all too common. According to Gartner, 99% of successful network breaches can be attributed to a misconfiguration of the firewall.

The DOJ complaint alleges the hacker gained access multiple times over a few months. It wasn’t until Capital One received an anonymous tip that the company became aware of the data breach. That means the stolen personal information – which included approximately 120,000 social security numbers, more than 75,000 bank account numbers, and millions of names, addresses, and birth dates – was available to the highest bidder for quite some time.

Not only was the firewall misconfigured, the theft was not quickly detected. Those are two expensive issues you don’t want your network to have. Capital One expects to spend $100 to $150 million in costs related to this data breach.

How Can I Prevent a Breach?

So how do you prevent the same thing from happening to you? Get a professional configuration with ongoing management of your network. Our network engineers provide personalized solutions based on your unique needs, ensuring optimized performance and security. Once your configuration is complete, they offer managed security services that take the burden of everyday monitoring, patching vulnerabilities, threat detection, and more away, allowing you to rest assured that the security of your valuable data is in the hands of top-notch, certified professionals. And anytime you have a question, they’ll be there at our Security Operations Center to help.

RUSSIA’S NEW ‘SOVEREIGN BILL’ COULD GIVE THE COUNTRY ITS OWN GREAT FIREWALL

The world is well aware of China’s Great Firewall, which gives its government total power over the dissemination of content. Anything which falls outside the state party’s propaganda is blocked or purged from the internet. Now we hear that a similar kind of situation could potentially be brewing in Russia as well.

President Vladimir Putin is proposing a “Sovereign Bill” which will let hub officials control the flow of information in the country. While the official version of the bill is to counter a cyber strategy the US adopted last year against the Kremlin, it is believed that the bill could be used to stifle political and civil unrest in the country.

The report by Bloomberg states that the bill has been made to create a single command post from which the relevant authorities will be able to manage the content on the internet. The bill would also give these authorities a metaphorical ‘killswitch’ to shut down any information deemed harmful to the government.

Russia has faced internal criticism for blocking Telegram and the streaming website Twitch, and since his re-election victory, Putin’s public support has reportedly been in a downslide. Russia also ranks quite poorly in terms of internet freedom, according to research done by Freedom House.

Andrei Lugovoi, who co-authored this bill, said as per the report that officials have “absolutely no clue about the communications networks laid in Russia and cross-border connections—who owns them, how they’re used, what kind of information is sent.” He continued by saying that once the monitoring hub is set up, “we’ll be able to see all this online.”

It remains to be seen what exactly this “Sovereign Bill” will be used for in Russia. At the moment we can only guess.
