Geekzone: technology news, blogs, forums
Reply # 1956392 13-Feb-2018 15:26

You need to invest in some good AV for a start. Not just regular AV but look for Next Generation AV. Products like Cylance, Carbon Black and Sentinel One. Despite what most people think/say there are plenty of good tools available to prevent zero-day malware attacks.

Here is what I look at for prevention:

 - good antispam with sandbox and link analysis (97% of ransomware attacks start via email)
 - a good firewall doing AV / IPS / Application inspection, with SSL decrypt and sandbox. On the gateway you need to be inspecting file downloads and webmail attachments (if not blocking them outright).
 - good desktop AV like Cylance/Carbon Black/Sentinel One

I have seen products like Microsoft's AV take 4-6 weeks to detect malware that has been blocked by NGAV.

Once you get ransomware your odds of a reinfection go up exponentially.

Obviously you still want good backups as well.


Reply # 1956398 13-Feb-2018 15:38

vulcannz:

Obviously you still want good backups as well.


No, you START with good backups.

Cylance have attracted some interesting attention in other parts of the world for poor business practices. I can speak to it myself personally, but a Google search would be worthwhile.

I have no experience with Carbon Black but have heard it's quite hard to work with, esp. in larger deployments. It's a new gen product, but also probably lacking some of the management basics a more mature offering has.


Reply # 1956412 13-Feb-2018 16:06

Not sure about Cylance's business practices, but I used/tested it for a year, and also know of one large site using it with good results.




Reply # 1959332 16-Feb-2018 20:42

Thanks for those suggestions.

It still hasn’t shown up on the workstations.

What we are doing is we have purchased a stand-alone PC with two HDDs (one is 6TB) and will use ShadowProtect to image the server. So if we get attacked again we can just restore an image from an earlier time, so we don’t at least have to reinstall the server software and accounting programme.

We also use offsite backups with Keepitsafe. With our other data that won’t fit on their online storage, we will copy to external drives and not leave them sitting in the server, and rotate them each day.

We are setting up hardware VPNs. TeamViewer was suggested in the meantime, until the hardware arrives. TeamViewer may be a safer alternative than RDP.


Reply # 1959429 17-Feb-2018 03:16

What’s the professional opinion on using DNS (e.g. OpenDNS/Cisco Umbrella) to block DNS requests of ransomware command and control centre domains?

https://umbrella.cisco.com/products/features/cryptolocker

Obviously I don’t mean as the sole means of prevention.

Reply # 1959436 17-Feb-2018 06:13

vulcannz:

You need to invest in some good AV for a start. Not just regular AV but look for Next Generation AV. Products like Cylance, Carbon Black and Sentinel One. Despite what most people think/say there are plenty of good tools available to prevent zero-day malware attacks.

Here is what I look at for prevention:

 - good antispam with sandbox and link analysis (97% of ransomware attacks start via email)
 - a good firewall doing AV / IPS / Application inspection, with SSL decrypt and sandbox. On the gateway you need to be inspecting file downloads and webmail attachments (if not blocking them outright).
 - good desktop AV like Cylance/Carbon Black/Sentinel One

I have seen products like Microsoft's AV take 4-6 weeks to detect malware that has been blocked by NGAV.

Once you get ransomware your odds of a reinfection go up exponentially.

Obviously you still want good backups as well.


We got pricing for Cylance recently, and it was around £40 per machine per year (UK based). You would think you can't put a price on security, but when the likes of ESET come in around £25 per machine per year, it would have to be an amazing product and live up to its marketing hype to be worth double what ESET is.


Reply # 1959473 17-Feb-2018 09:14

I use Bitdefender Total Security 2018. Has ransomware protection built in. Never have a problem.

Best way to purchase is via https://www.dealarious.com/

Dealarious seem to have heavily discounted prices. Originally I thought they might not be legit, so I contacted Bitdefender but they said they are authorized resellers. Now I always purchase Bitdefender through Dealarious.

I'm very pleased with Bitdefender and it constantly ranks well against other AV products.


Reply # 1960170 19-Feb-2018 09:41

lxsw20:

We got pricing for Cylance recently, and it was around £40 per machine per year (UK based). You would think you can't put a price on security, but when the likes of ESET come in around £25 per machine per year, it would have to be an amazing product and live up to its marketing hype to be worth double what ESET is.


I tried it as part of a pilot. I was also comparing its performance alongside Windows Defender and McAfee (Enterprise). I saw Cylance block several interesting new attacks (all missed by the other AVs) including a new corrupted PNG image embedded in an email attack. In some cases I saw Cylance pick up stuff that Windows Defender didn't spot until 6 weeks later. Personally I think it is worth it.


Reply # 1960172 19-Feb-2018 09:45

Kiwifruta:

What’s the professional opinion on using DNS (e.g. OpenDNS/Cisco Umbrella) to block DNS requests of ransomware command and control centre domains?

https://umbrella.cisco.com/products/features/cryptolocker

Obviously I don’t mean as the sole means of prevention.


From a technical point of view, if you compare OpenDNS with other systems (I'm thinking DPI firewalls), they are inspecting ALL the traffic ALL the time, so they will look for (non-DNS) C&C communications. OpenDNS only looks at bad stuff it already knows about. So if a new C&C infrastructure pops up OpenDNS ain't gonna do nothing. I had a play with getting through OpenDNS (care of Air NZ lounges) and found it simplistic to beat because of this architecture.


Reply # 1960178 19-Feb-2018 09:59

Ford:

Thanks for those suggestions.

It still hasn’t shown up on the workstations.

What we are doing is we have purchased a stand-alone PC with two HDDs (one is 6TB) and will use ShadowProtect to image the server. So if we get attacked again we can just restore an image from an earlier time, so we don’t at least have to reinstall the server software and accounting programme.

We also use offsite backups with Keepitsafe. With our other data that won’t fit on their online storage, we will copy to external drives and not leave them sitting in the server, and rotate them each day.

We are setting up hardware VPNs. TeamViewer was suggested in the meantime, until the hardware arrives. TeamViewer may be a safer alternative than RDP.


Very disputable whether TeamViewer is safer than RDP; I'd rather open an RDP port on a fully patched server than use TeamViewer (which is also not for commercial use unless you have the paid version).

Make sure you have a ShadowProtect account on the image server and that this account is the only account with read/write access to the backup directories, and that the credentials are only saved in ShadowProtect.

Any other admin accounts should get read-only, to reduce the risk of your backups being encrypted.
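
A worked version of the permission layout jnimmo describes above (one backup account with write access, every other account read-only), written here as an added example that is not from the thread or from ShadowProtect's own documentation. The folder D:\Backups and the account CORP\svc-shadowprotect are placeholders, and the script must run elevated on the image server.

```powershell
# Added example, not from the thread. Path and account name are placeholders.
$BackupRoot    = 'D:\Backups'
$BackupAccount = 'CORP\svc-shadowprotect'
$ReadOnly      = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Set-BackupFolderAcl {
    # Backup account gets Modify (not Full Control, so it cannot re-grant itself or
    # anyone else if its credentials leak); every other listed principal is read-only.
    param([string]$Path, [string]$WriteAccount, [string[]]$ReadOnlyAccounts)

    $acl = Get-Acl -Path $Path
    # Cut inheritance from the drive root (e.g. Users:Modify) and drop the explicit
    # rules, so nothing unexpected survives on the backup tree.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $WriteAccount, 'Modify', $inherit, $propagate, 'Allow'))
    foreach ($principal in $ReadOnlyAccounts) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'ReadAndExecute', $inherit, $propagate, 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-BackupFolderAcl {
    # Audit: list every Allow ACE that grants a write-class right to a principal other
    # than the backup account. Empty output means the folder is laid out as intended.
    param([string]$Path, [string]$WriteAccount)
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ne $WriteAccount -and
        (([int]$_.FileSystemRights) -band ([int]$writeBits)) -ne 0
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Set-BackupFolderAcl -Path $BackupRoot -WriteAccount $BackupAccount -ReadOnlyAccounts $ReadOnly
Test-BackupFolderAcl -Path $BackupRoot -WriteAccount $BackupAccount
# Caveat: members of local Administrators keep SeTakeOwnershipPrivilege, so this
# reduces (as the post says) rather than eliminates the chance of the backups being
# encrypted by ransomware running under an admin account.
```

Run Test-BackupFolderAcl again after any server change; a new row in its output means someone has regained write access to the backup tree.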


Reply # 1961015 20-Feb-2018 15:08

jnimmo:

Very disputable whether TeamViewer is safer than RDP; I'd rather open an RDP port on a fully patched server than use TeamViewer (which is also not for commercial use unless you have the paid version).


I'm confident that TeamViewer is safer than public RDP, but as noted it's not free for commercial use, and its commercial licenses are fairly pricey for a temporary solution.





Information wants to be free. The Net interprets censorship as damage and routes around it.


Reply # 1961175 20-Feb-2018 18:40

Lias:

I'm confident that TeamViewer is safer than public RDP, but as noted it's not free for commercial use, and its commercial licenses are fairly pricey for a temporary solution.


That's like saying AIDS is better than Ebola.


Reply # 1961264 21-Feb-2018 01:50

vulcannz:

Lias:

I'm confident that TeamViewer is safer than public RDP, but as noted it's not free for commercial use, and its commercial licenses are fairly pricey for a temporary solution.

That's like saying AIDS is better than Ebola.


If you say so.

Have you used the Enterprise TeamViewer offering? We have it deployed to pretty much every machine here at work.


Reply # 1961376 21-Feb-2018 10:00

vulcannz:

Lias:

I'm confident that TeamViewer is safer than public RDP, but as noted it's not free for commercial use, and its commercial licenses are fairly pricey for a temporary solution.

That's like saying AIDS is better than Ebola.


I can't say I agree at all, but if you dislike them so much, what do you consider the best remoting solution?





Information wants to be free. The Net interprets censorship as damage and routes around it.


Reply # 1961422 21-Feb-2018 11:03

vulcannz:

Kiwifruta:

What’s the professional opinion on using DNS (e.g. OpenDNS/Cisco Umbrella) to block DNS requests of ransomware command and control centre domains?

https://umbrella.cisco.com/products/features/cryptolocker

Obviously I don’t mean as the sole means of prevention.

From a technical point of view, if you compare OpenDNS with other systems (I'm thinking DPI firewalls), they are inspecting ALL the traffic ALL the time, so they will look for (non-DNS) C&C communications. OpenDNS only looks at bad stuff it already knows about. So if a new C&C infrastructure pops up OpenDNS ain't gonna do nothing. I had a play with getting through OpenDNS (care of Air NZ lounges) and found it simplistic to beat because of this architecture.


My understanding is that OpenDNS uses algorithms (and I assume combined with a blacklist) as opposed to a pure blacklist.

Very interesting that you were able to beat OpenDNS. In what way were you beating it? (Entering IP addresses directly instead of URLs?)

