Cybersecurity

Protection. Support. Security.

Multi-factor authentication, or MFA, is an authentication scheme that requires several independent means of identification, drawn from different categories of credential, to verify a user's login or any other kind of transaction. At least two independent factors are combined, typically from: something the user knows (a password), something the user has (a security token) and something the user is (biometric verification).

The purpose of MFA is to layer defenses so that it is harder for an unauthorized person to reach a target (such as a physical location, computing device, network or database). If one factor is compromised, the attacker still has at least one more barrier to overcome before reaching the target. A few years ago, MFA systems were essentially two-factor authentication; today vendors increasingly use the "multi-factor" label for any authentication system that requires more than one credential.

Risk-based authentication is a dynamic system that builds a profile of the agent requesting access (IP address, time of access, HTTP User-Agent header, and so on) and associates it with the transaction. That risk profile then determines how demanding the challenge is: a high-risk profile faces a stronger challenge, while a static username and password may suffice for a low-risk one. With a risk-based implementation, the application asks the user for additional credentials only when the level of risk warrants it.

Device recognition (machine authentication) is a recurrent part of risk-based implementations. It runs in the background, and only when the device is not recognised is the user prompted for further authentication. In a risk-based system, it is the organisation that decides when additional identity verification is required.

If the risk is judged significant, stronger authentication is triggered, for example a one-time password sent through an out-of-band channel.

When a user performs a high-risk transaction within a session (such as a funds transfer or an address change), risk-based authentication can likewise require additional authentication at that point.

Risk-based authentication is convenient for users, because the extra steps are required only in unusual circumstances (such as logging in from a new computer).

The aim is to improve the accuracy of user authentication without disrupting users. Large groups and enterprises rely on risk-based authentication for this reason.
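The decision logic described above (profile the request, score it, escalate the challenge only when the score warrants) can be shown in a few dozen lines. The Python below is an added example for this page, not the original text's or any product's code. The user history, the factor weights and the thresholds are all constructed assumptions; in a deployment they come from the organisation's own session data and policy.

```python
"""Risk-based authentication: score one access attempt, then pick the challenge it must pass."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessContext:
    user: str
    ip: str
    device_id: Optional[str]    # identifier from a device cookie/fingerprint, None if absent
    user_agent: str
    hour: int                   # local hour of the attempt, 0-23
    transaction: str = "login"  # "login", "transfer", "address_change", ...


# Constructed per-user history: the profile a risk engine builds from past sessions (assumed data).
HISTORY = {
    "alice": {"devices": {"dev-7f3a"}, "ips": {"203.0.113.10"}, "usual_hours": range(7, 21)},
}
HIGH_RISK_TRANSACTIONS = {"transfer", "address_change"}

# Factor weights and thresholds are policy choices (assumed here), tuned per organisation.
WEIGHTS = {"unrecognised_device": 40, "new_ip": 20, "unusual_hour": 15,
           "high_risk_transaction": 30, "non_browser_agent": 25}
THRESHOLDS = [(70, "deny"), (30, "otp")]   # below 30, the password alone is enough


def risk_score(ctx: AccessContext):
    """Return (score, reasons) for one attempt; unknown users get an empty profile, i.e. maximum novelty."""
    profile = HISTORY.get(ctx.user, {"devices": set(), "ips": set(), "usual_hours": range(24)})
    reasons = []
    if ctx.device_id not in profile["devices"]:       # device recognition runs silently in the background
        reasons.append("unrecognised_device")
    if ctx.ip not in profile["ips"]:
        reasons.append("new_ip")
    if ctx.hour not in profile["usual_hours"]:
        reasons.append("unusual_hour")
    if ctx.transaction in HIGH_RISK_TRANSACTIONS:     # step-up inside an existing session
        reasons.append("high_risk_transaction")
    if not ctx.user_agent.startswith("Mozilla/"):     # scripted client rather than a browser
        reasons.append("non_browser_agent")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(ctx: AccessContext) -> dict:
    """Map the score to the challenge the application must present: password, otp (out-of-band), or deny."""
    score, reasons = risk_score(ctx)
    challenge = "password"
    for threshold, level in THRESHOLDS:
        if score >= threshold:
            challenge = level
            break
    return {"score": score, "reasons": reasons, "challenge": challenge}


if __name__ == "__main__":
    samples = [
        AccessContext("alice", "203.0.113.10", "dev-7f3a", "Mozilla/5.0", 10),
        AccessContext("alice", "203.0.113.10", "dev-7f3a", "Mozilla/5.0", 10, "transfer"),
        AccessContext("alice", "198.51.100.7", None, "Mozilla/5.0", 10),
        AccessContext("alice", "198.51.100.7", None, "curl/8.4.0", 3, "transfer"),
    ]
    for ctx in samples:
        print(ctx.transaction, ctx.ip, decide(ctx))
```

The first sample (known device, known IP, office hours, plain login) scores zero and gets nothing beyond the password; the same session attempting a transfer is stepped up to an out-of-band OTP; a login from an unrecognised device and address is stepped up as well; and a scripted client at 03:00 doing a transfer from a new address is denied outright. The reasons list is what should land in the audit log so that analysts can see why a user was challenged.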

A web application firewall (WAF) is a specialised application firewall for web applications. It is deployed in front of web applications and inspects HTTP traffic in both directions, detecting and blocking malicious requests and responses. OWASP gives a broad technical definition of a WAF: "a security solution on the web application level which, from a technical point of view, does not depend on the application itself".

The PCI DSS Requirement 6.6 Information Supplement defines a WAF as a "security policy enforcement point positioned between a web application and the client end point". The function can be implemented in software or hardware, running on an appliance or on a standard server with a general-purpose operating system, and it can be a standalone device or integrated into other network components.

In other words, a WAF is a virtual or physical appliance that prevents web application vulnerabilities from being exploited by external threats. The vulnerabilities may stem from an outdated version of the application or from insufficient care during development. A WAF does not fix the flawed code; it blocks attempts to exploit it through a configured ruleset (also called a policy).

A WAF is not a complete security solution on its own; it is designed to work alongside other network perimeter controls (such as network firewalls and intrusion prevention systems) as part of a defense-in-depth strategy.

As the SANS Institute points out, a WAF generally follows a positive security model, a negative security model, or a combination of both. It uses rule-based logic, parsing and signatures to detect and prevent attacks such as cross-site scripting and SQL injection. OWASP publishes a list of the top ten web application security risks, and commercial WAF offerings generally cover at least those ten categories. Non-commercial options also exist.

The best-known open-source option is the ModSecurity WAF engine. The engine alone does not provide adequate protection, so OWASP and Trustwave SpiderLabs organise and maintain the OWASP Core Rule Set (CRS), distributed via GitHub, for use with ModSecurity.
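The positive/negative distinction above is easiest to see in code. The following Python is an added example for this page, not ModSecurity, CRS or any product's implementation: a toy request inspector that first applies a negative model (a handful of constructed attack signatures) and then a positive model (an allow-list of the endpoints and parameter formats the application is known to accept). The endpoints, schemas and signatures are assumptions for illustration.

```python
"""Toy WAF rule engine: a negative (signature) model combined with a positive (allow-list) model."""
import re
from urllib.parse import parse_qs

# Negative model: signatures for known attack patterns. Constructed for illustration;
# a real rule set such as the OWASP CRS is far larger and tuned to limit false positives.
NEGATIVE_RULES = [
    ("SQLI", re.compile(r"\bunion\b.{0,20}\bselect\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table\b", re.I)),
    ("XSS", re.compile(r"<\s*script\b|javascript\s*:|\bon(load|error|click|mouseover)\s*=", re.I)),
    ("TRAVERSAL", re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I)),
]

# Positive model: the only endpoints and parameters the application accepts (assumed schema).
POSITIVE_SCHEMA = {
    ("GET", "/search"): {"q": re.compile(r"[\w \-]{0,64}")},
    ("POST", "/login"): {"username": re.compile(r"[a-z0-9_.-]{1,32}", re.I),
                         "password": re.compile(r".{8,128}")},
}


def inspect(method: str, path: str, query: str = "", body: str = ""):
    """Return ("allow", reason) or ("block", reason) for one HTTP request."""
    params = parse_qs(query, keep_blank_values=True)          # values are percent-decoded here
    if method == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)

    # 1. Negative model: block if the path or any decoded parameter value matches a signature.
    candidates = [("path", path)] + [(n, v) for n, vs in params.items() for v in vs]
    for where, value in candidates:
        for rule_id, pattern in NEGATIVE_RULES:
            if pattern.search(value):
                return "block", f"{rule_id} signature in {where}"

    # 2. Positive model: the request must match a known endpoint and its parameter schema.
    schema = POSITIVE_SCHEMA.get((method, path))
    if schema is None:
        return "block", f"no schema for {method} {path}"
    for name, values in params.items():
        pattern = schema.get(name)
        if pattern is None:
            return "block", f"unexpected parameter {name!r}"
        if not all(pattern.fullmatch(v) for v in values):
            return "block", f"parameter {name!r} violates schema"
    return "allow", "no signature matched and request fits schema"


if __name__ == "__main__":
    # Constructed sample requests (query strings are given URL-encoded, as on the wire).
    samples = [
        ("GET", "/search", "q=laptops", ""),
        ("GET", "/search", "q=%27+OR+1%3D1--", ""),
        ("GET", "/search", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
        ("GET", "/search", "q=..%2F..%2Fetc%2Fpasswd", ""),
        ("POST", "/login", "", "username=alice&password=correct-horse-battery"),
        ("POST", "/login", "", "username=alice%3B+drop+table+users&password=xxxxxxxx"),
        ("GET", "/search", "q=laptops&debug=1", ""),
        ("GET", "/admin", "", ""),
    ]
    for method, path, query, body in samples:
        print(method, path, query or body, "->", inspect(method, path, query, body))
```

Note which model catches what: the encoded SQL injection, script tag and traversal are caught by signatures, but the unexpected debug parameter and the unlisted /admin path are blocked only because the positive model refuses anything it has not been told about. That is why a positive model is the stronger of the two and also why it needs per-application tuning, since every legitimate endpoint has to be declared.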

Firewalls fall into two categories: network-based and host-based. A network-based firewall can be placed anywhere within a LAN or WAN. It may be a software appliance running on general-purpose hardware, a hardware appliance running on dedicated hardware, or a virtual appliance running on a host controlled by a hypervisor. Firewall appliances often provide functions besides filtering, such as DHCP or VPN services.

Gartner defines a next-generation firewall (NGFW) as a "deep packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall".

An NGFW belongs to the third generation of firewall technology: it combines a traditional firewall with other network device filtering functions, such as an application firewall using in-line deep packet inspection (DPI) and an intrusion prevention system (IPS).

Other techniques may also be employed, such as TLS/SSL encrypted traffic inspection, website filtering, QoS and bandwidth management, antivirus inspection and integration with third-party identity management (LDAP, RADIUS, Active Directory).

An NGFW must be able to identify users and groups and enforce identity-based security policies. Wherever possible this should be achieved through direct integration with existing enterprise authentication systems (such as Active Directory), without custom server-side software, so that administrators can write more granular policies.

Ransomware, of which CryptoLocker, CryptoDefense and CryptoWall are well-known families, is a type of malware that restricts or completely prevents users from using their computers. It typically locks the screen or encrypts files.

Crypto-ransomware, the newer type, forces users to pay a sum of money to obtain the decryption key.

Today's ransomware families have their origins in early rogue antivirus, followed by locker variants, and then the file-encrypting variants that make up the majority of ransomware today.

Each of these types shares the same goal: extorting money from victims through social engineering and intimidation. The sums demanded keep growing.

To provide a higher level of protection, anti-exploit programs block the techniques attackers use rather than individual malware samples.

These solutions protect against attacks on Flash and browser vulnerabilities, and can even stop attempts to exploit vulnerabilities that are still undiscovered or unpatched.

An exploit's kill chain has several stages. Web exploits usually rely on drive-by download attacks: the infection starts when the victim visits a compromised website hosting malicious JavaScript.

After several checks, the victim is redirected to an exploit landing page that targets vulnerabilities in Flash, Silverlight, Java or the browser itself. For vulnerabilities in Microsoft Office or Adobe Reader, by contrast, the initial infection vector is usually a phishing email with a malicious attachment.

After the delivery stage, the attacker uses one or more software flaws to take control of the process's execution flow, entering the exploitation stage. Because of security measures built into the operating system (such as DEP and ASLR), it is usually impossible to execute arbitrary code directly, so the attacker must first bypass them.

A successful exploit leads to shellcode execution, where the attacker's own code starts running, and ultimately to payload execution. The payload may be downloaded as a file or loaded and executed directly from memory.

However the initial stages are carried out, the attacker's ultimate goal is to start the malicious payload. Launching another application or a new thread is highly suspicious when the application in question is known not to need that capability. Exploit-prevention technology monitors these operations, suspends the application's execution flow and performs further analysis to verify whether the attempted operation is legitimate.

The program's activity just before the suspect code was launched (modifications in a specific memory region and the origin of the attempt to start code) is used to determine whether the launch resulted from a legitimate user action.

Exploit prevention also implements countermeasures for most of the techniques used in exploits, including DLL hijacking, reflective DLL injection, heap spray allocation and stack pivoting.

Together with these behavioural indicators, the execution-tracking mechanism of the behaviour detection component allows the technology to block payload execution reliably.

Network performance monitoring and diagnostic tools help IT and network operations teams understand the ongoing behaviour of the network and its components in response to traffic demands and network usage. Measuring and reporting on network performance is essential to keep it at an acceptable level. Customers in this market look for tools that detect application issues, identify root causes and support capacity planning.

Network monitoring software and tools simplify and automate network monitoring and management.

A network monitoring system is essential for troubleshooting the bottlenecks and faults that degrade network performance.

With the rapid development of enterprise and remote network monitoring, a wide range of network monitoring equipment and solutions is available on the market. An effective network management system includes a built-in network monitoring tool that helps administrators reduce manual effort and automate basic troubleshooting.

Functions of effective network monitoring software:

- Visualize the entire IT infrastructure and have further classifications based on type or logical group.

- Use of predefined templates to automatically configure devices and interfaces.

- Monitor and troubleshoot network, server and application performance.

- Implement advanced network performance monitoring technology to quickly resolve outages by identifying the root cause of the problem.

- Benefit from advanced reporting functions, which can automatically schedule and send or publish reports by e-mail.

Network monitoring has become an important aspect of managing any IT infrastructure. Likewise, network assessment, carried out with network monitoring applications, is regarded as the basic step in aligning the IT infrastructure with business goals.

Penetration testing (commonly referred to as a pen test, pentest or ethical hacking) is an authorized simulated attack on a computer system, performed to evaluate its security. It is not to be confused with a vulnerability assessment.

The test is performed to identify weaknesses (also known as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, so that a full risk assessment can be completed.

The process typically identifies the target systems and a particular goal, then reviews the available information and undertakes various means to attain that goal. A penetration test target may be a white box (background and system information are provided) or a black box (only basic information, or nothing beyond the company name, is provided).

A grey-box test is a combination of the two (limited knowledge of the target is shared with the tester). Penetration testing helps determine whether a system is vulnerable to attack, whether its defenses are adequate and which defenses (if any) the test defeated.

Any security issues revealed by penetration testing should be notified to the system owner. The penetration test report can also assess the possible impact on the organization and offer recommendations to mitigate the risks.

The endpoint detection and response (EDR) market is defined as solutions that record and store endpoint behaviour at the system level, use various data analysis techniques to detect suspicious system behaviour, provide contextual information, block malicious activity and offer remediation suggestions to restore affected systems.

EDR solutions must provide the following essential functions:

- Respond to threats in real time
- Increase visibility and transparency of user data
- Detect critical events and malware installations
- Creation of blacklists and whitelists
- Integration with other technologies
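The exploit-prevention behaviour described earlier (an application starting a process it has no reason to start) and the EDR functions listed here both come down to recording endpoint events and running detection logic over them with enough context to act. The Python below is an added example for this page, not the code of any EDR or anti-exploit product: it ingests constructed process-creation telemetry, keeps the process tree, flags a document handler spawning a shell and a base64-encoded PowerShell command line, and attaches the ancestry chain to each alert. The process names, rules and sample events are assumptions for illustration; the base64 string is a placeholder, not a real payload.

```python
"""Behaviour-based detection over constructed process-creation telemetry (EDR style)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable file name, lower-case
    cmdline: str
    user: str = "alice"


# Applications that open untrusted content and have no business spawning a shell or script host.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
                     "chrome.exe", "firefox.exe", "msedge.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                           "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line indicators (constructed patterns, not a complete rule set).
CMDLINE_RULES = [
    ("ENCODED_POWERSHELL", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("DOWNLOAD_CRADLE", re.compile(r"downloadstring|invoke-webrequest|certutil\b.*-urlcache", re.I)),
]


class Detector:
    """Keeps the process tree (the 'record and store' part) and evaluates each new event against the rules."""

    def __init__(self):
        self.procs = {}     # pid -> ProcEvent
        self.alerts = []

    def ancestry(self, pid: int) -> str:
        """Walk parent links upward to give analysts the context behind an alert."""
        chain = []
        while pid in self.procs and len(chain) < 16:
            ev = self.procs[pid]
            chain.append(ev.image)
            pid = ev.ppid
        return " <- ".join(chain)

    def _alert(self, rule: str, ev: ProcEvent, summary: str):
        self.alerts.append({"rule": rule, "pid": ev.pid, "user": ev.user, "summary": summary,
                            "ancestry": self.ancestry(ev.pid), "action": "block"})

    def ingest(self, ev: ProcEvent):
        self.procs[ev.pid] = ev
        parent = self.procs.get(ev.ppid)
        # Rule 1: parent/child anomaly. A document handler has no reason to start a shell or script host.
        if parent and parent.image in DOCUMENT_HANDLERS and ev.image in SHELLS_AND_SCRIPT_HOSTS:
            self._alert("UNEXPECTED_CHILD", ev, f"{parent.image} spawned {ev.image}")
        # Rule 2: suspicious command line, regardless of parent.
        for rule, pattern in CMDLINE_RULES:
            if pattern.search(ev.cmdline):
                self._alert(rule, ev, f"command line matches {rule}")
        return [a for a in self.alerts if a["pid"] == ev.pid]


# Constructed telemetry: a macro document spawning a hidden, base64-encoded PowerShell,
# plus a benign console the user opened from Explorer.
PLACEHOLDER_B64 = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"   # placeholder, not a real payload
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", "WINWORD.EXE /n invoice.docm"),
    ProcEvent(300, 200, "cmd.exe", f"cmd.exe /c powershell -w hidden -enc {PLACEHOLDER_B64}"),
    ProcEvent(400, 300, "powershell.exe", f"powershell -w hidden -enc {PLACEHOLDER_B64}"),
    ProcEvent(500, 100, "cmd.exe", "cmd.exe"),    # user-launched shell: same image, benign parent
]


def run_detection(events=EVENTS):
    """Feed events in arrival order and return every alert raised."""
    detector = Detector()
    for ev in events:
        detector.ingest(ev)
    return detector.alerts


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The two cmd.exe events show why the process tree matters: the image is identical, and only the parent (winword.exe versus explorer.exe) separates the malicious launch from the benign one. Suspending the child at this point, before the payload runs, is the "prevent malicious activity" step; the ancestry string is the "contextual information" an analyst needs to confirm it.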

An application delivery controller (ADC) is a network device in the data center, usually part of an application delivery network (ADN), that performs common tasks, such as those done by websites, to take load off the web servers themselves. Many also provide load balancing. The ADC is usually placed in the DMZ, between the firewall or external router and the web farm.

A common misconception is that an ADC is simply an advanced load balancer. That description is inaccurate. An ADC does distribute user traffic across two or more servers to remove excessive load, but it provides many services across OSI layers 3 to 7, of which load balancing is only one.

Other features common to most ADCs are IP traffic optimisation, traffic chaining and steering, SSL offloading, web application firewall, CGNAT, DNS and proxy/reverse proxy, to name a few. They also tend to offer more advanced features such as content redirection and server health monitoring.

Cisco Systems offered application delivery controllers until it withdrew from the market in 2012. Market leaders such as F5 Networks, Citrix, KEMP and Radware had grown their share of the market at Cisco's expense in the preceding years.

Bastion / PAM Protection

ETHIC IT offers you an innovative and essential solution, developed by our partner SSH.

Principle of a Bastion solution (PAM)

A PAM (Privileged Access Management) solution, or Bastion, allows you to manage your privileged accounts transparently and securely.

The goals of the solution are:
• A single, secure access point: no need for jump hosts
• Access management: a user, administrator or external profile sees and reaches only what they need
• Traceability: actions and connections are logged, and sessions can be video-recorded and archived
• Prevention of certain actions: detect and block specific actions according to defined rules (for example, blocking a reboot command)
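The last two goals, traceability and rule-based blocking, are shown below in a small Python example added for this page. It is not PrivX's or SSH's implementation and says nothing about how that product filters sessions: it is a generic guard that a bastion could apply to each command line typed in a mediated session, with a per-role policy (deny outright, require approval, or allow), splitting of `;`, `&&` and pipe chains so that a forbidden command cannot hide behind a harmless one, and an audit record for every decision. The roles, targets and rules are constructed assumptions.

```python
"""Rule-based command filtering and audit for a bastion-mediated privileged session."""
import re
from datetime import datetime, timezone

# Constructed policy: per role, commands denied outright and commands needing prior approval.
# Each pattern is matched against one command segment after chains and pipes are split.
POLICY = {
    "operator": {
        "deny": [
            r"^(sudo\s+)?(reboot|shutdown|halt|poweroff|init\s+[06])\b",
            r"^(sudo\s+)?rm\s+(-\S+\s+)*/(\s|$)",                # rm -rf / and its variants
            r"^(sudo\s+)?systemctl\s+(stop|disable)\s+sshd\b",
        ],
        "require_approval": [r"^(sudo\s+)?(useradd|usermod|passwd|visudo)\b"],
    },
    "auditor": {                                                 # read-only role
        "deny": [r"^(sudo|su)\b", r"^(rm|mv|chmod|chown|dd)\b"],
        "require_approval": [],
    },
}

SPLIT_CHAIN = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


class SessionGuard:
    """One instance per session: knows who is connected, as which role, to which target."""

    def __init__(self, user: str, role: str, target: str):
        self.user, self.role, self.target = user, role, target
        self.audit = []    # one record per command: the traceability a bastion provides

    def check(self, command: str) -> str:
        """Decide 'allow', 'deny' or 'approval_required' for one typed command line and log it."""
        rules = POLICY[self.role]
        decision = "allow"
        for segment in SPLIT_CHAIN.split(command.strip()):
            segment = " ".join(segment.split())                  # normalise whitespace
            if any(re.search(p, segment) for p in rules["deny"]):
                decision = "deny"
                break                                            # deny wins over everything else
            if any(re.search(p, segment) for p in rules["require_approval"]):
                decision = "approval_required"                   # keep scanning: a later segment may deny
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": self.user, "role": self.role, "target": self.target,
            "command": command, "decision": decision,
        })
        return decision


if __name__ == "__main__":
    session = SessionGuard("bob", "operator", "db-01")
    for cmd in ["systemctl status nginx", "sudo reboot", "echo maintenance; sudo reboot",
                "rm -rf /tmp/build", "rm -rf / --no-preserve-root", "sudo useradd mallory"]:
        print(f"{session.check(cmd):18} {cmd}")
    for record in session.audit:
        print(record)
```

Chain splitting is the edge case worth the extra lines: without it, `echo maintenance; sudo reboot` matches none of the deny patterns because they are anchored at the start of the line. A filter like this is a policy layer on top of session recording, not a replacement for it; shell aliases, scripts and interactive programs can still run forbidden actions, which is why the recording and the approval workflow exist.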

Simple and transparent use

The user interface is simple and aggregates all your environments in a single web window.
The Bastion solution allows you to assign roles to users with specific access rights for each role for all your environments. Thus, on a single interface, you can manage your users’ access to all your machines and trace all operations.
The user only has visibility on the environments that are accessible to him, and the administrator can manage access and review recordings from this same interface.

Ethic IT supports you in setting up the Bastion PrivX by SSH solution.
