
NetWorks Group Blog

NetWorks Group is Proud to be Sponsoring BSides Detroit 2013

June 6th, 2013

IT Security is thriving in the Detroit Metro area and we're proud to be sponsoring BSides Detroit 2013 this year! Security BSides is an innovative new un-conference style meetup that brings local security professionals together to share experiences, knowledge, and network.

Security B-Sides Detroit 2013 comes to the Renaissance Center on June 7-8. The conference honors the tradition of Security B-Sides while continuing to build on its own unique history. We continue to showcase local speakers and stories that attendees will not find at other conferences. With two days of content and several tracks, the conference will also feature some of the best and brightest national speakers. This year's event features workshops, contests, and a capture the flag contest. B-Sides Detroit is setting a new standard for Security B-Sides conferences. The tickets are available to users, security professionals and business leaders at http://bsidesdetroit13.eventbrite.com.

 

A play on words, Security B-Sides began as a small conference beside a major conference, featuring B-track speakers. The Security B-Sides conference began in 2009 in Las Vegas, alongside the Black Hat security conference. The idea of a community-driven event spread. By the end of 2010, Security B-Sides events had been held in San Francisco, Austin, Boston, Atlanta, and Dallas/Fort Worth, running concurrently with such conferences as RSA, SxSW, and Source.

 

BSides Detroit was part of a new wave of cities that followed. Detroit broke the mold in many ways. First, unlike the original events, BSides Detroit began as a standalone destination conference. A commonly told joke is that Detroit is literally beside itself, as the conference is larger and longer than the early BSides events. While BSides Detroit embraces the local speaker model, the organizers also concentrate on attracting A-list national speakers. 

http://www.securitybsides.com/w/page/63094316/BSidesDetroit13About

We'll see you tomorrow (6/7/2013) and Saturday (6/8/2013) for some great talks and workshops!

Twitter Adds Two-Factor Authentication for Users

May 24th, 2013

After a string of high-profile account compromises that included the Associated Press and Burger King, Twitter has added an additional (but optional) layer of authentication to help protect users from being the next big-name account that's compromised.

By adding a second factor of authentication (that is to say, beyond the user's password), Twitter is able to provide a higher level of integrity to the authentication process by utilizing a user's cell phone number to send an SMS with a one-time token. In this manner, a compromised password will not yield account access unless that same attacker is able to intercept the SMS or steal the user's phone. Clearly, this is a great step in the right direction and something other companies have done previously, such as Dropbox and Facebook.

If you or your company wants to proactively protect a Twitter account, simply review the step-by-step directions posted by CNET. By enabling this extra step, the likelihood of an attacker compromising a Twitter account will generally plummet (save for some very sophisticated attackers).

As end-users, the best way to get other companies to follow suit is to use these types of features when they are made available, to show that demand exists. Through implementation of two-factor authentication, the user once again has a fighting chance against password brute-forcing and general phishing attacks.

Failing Gracefully: Using AWS for Web Site Failover

May 13th, 2013

When it comes to the Internet, keeping your organization's presence online is crucial to the accessibility of resources for customers, potential and existing. At NetWorks Group, we understand that despite the best of intentions and planning, downtime will likely still occur, at least a few minutes per year. Many teams put forth a goal of 100% uptime for their web site, but often get a dose of reality when a large storm hits their data center or other issues pop up that may be out of their direct control. To this end, we wanted a way to minimize full downtime so that our presence on the Internet would be down as briefly as possible, without going over the top on infrastructure to do so.

Amazon Web Services provides a plethora of cloud services to help teams do more for their environment with less overhead of capital expenditures. By cherry-picking needed services with AWS, you can find great cost-saving solutions to otherwise expensive — or complicated — problems. In the instance of a web site, the overhead costs and management of a second (or third?) data center to avoid an hour of downtime a year may be overkill for many organizations. For NetWorks Group, our web site being down, while not desirable, is not so critical that it will impede our ability to provide amazing service to our customers. With that in mind, we wanted to take a direction with web site downtime that would be economical, easy to manage, but also give us a minimal downtime of our Internet presence.

By utilizing the AWS services Route 53 and S3, we're able to provide a great failover solution when our primary web server is unreachable or down. In February 2013, Route 53 added features to allow for DNS Failover and S3 Website Hosting. The idea is that a simple health check (i.e., AWS verifies it can receive a 200 response code from your web server) decides whether or not to fail over your web site from its regular home to a special S3 bucket with your "downtime" page. By configuring a low DNS Time-to-Live (TTL), your DNS record can be changed to point to this failover end-point within a minute or two. With this S3 bucket at the ready, you can automatically fail over to a static-content site that provides critical information to customers, such as contact information, expected time-to-recovery, etc.
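As an added illustration (not NetWorks Group's own configuration), the Python below builds the pair of Route 53 failover records this setup needs, in the shape the ChangeResourceRecordSets API accepts, and rejects the mistakes that silently disable failover. The host name, IP address, health check ID and alias zone ID are constructed placeholders, and the 120-second TTL ceiling is an assumption drawn from the "minute or two" above.

```python
import json


def fqdn(name):
    """Route 53 stores record names fully qualified, with a trailing dot."""
    return name if name.endswith(".") else name + "."


def health_check_config(primary_ip, path="/", interval=30, threshold=3):
    """HTTP probe of the primary server; healthy means a 2xx or 3xx answer."""
    return {
        "Type": "HTTP",
        "IPAddress": primary_ip,
        "Port": 80,
        "ResourcePath": path,
        "RequestInterval": interval,    # seconds between probes
        "FailureThreshold": threshold,  # consecutive failures before "unhealthy"
    }


def failover_change_batch(site, primary_ip, health_check_id, bucket,
                          s3_website_dns, s3_alias_zone_id, ttl=60, max_ttl=120):
    """Return a ChangeBatch: PRIMARY record for the server, SECONDARY alias to S3."""
    if not health_check_id:
        # A PRIMARY record without a health check is always treated as healthy,
        # so Route 53 would never switch to the downtime page.
        raise ValueError("primary record needs a health check ID")
    if bucket != site.rstrip("."):
        # Route 53 can only alias to an S3 website bucket named like the record.
        raise ValueError("bucket name must equal the record name")
    if ttl > max_ttl:
        # Resolvers keep handing out the dead address until the TTL expires.
        raise ValueError("TTL of %d s is too high for quick failover" % ttl)
    primary = {
        "Name": fqdn(site), "Type": "A",
        "SetIdentifier": "primary-web-server", "Failover": "PRIMARY",
        "TTL": ttl, "ResourceRecords": [{"Value": primary_ip}],
        "HealthCheckId": health_check_id,
    }
    secondary = {
        "Name": fqdn(site), "Type": "A",
        "SetIdentifier": "s3-downtime-page", "Failover": "SECONDARY",
        # Alias records carry no TTL of their own.
        "AliasTarget": {
            "HostedZoneId": s3_alias_zone_id,
            "DNSName": fqdn(s3_website_dns),
            "EvaluateTargetHealth": False,
        },
    }
    return {
        "Comment": "Fail over to static S3 downtime page",
        "Changes": [{"Action": "UPSERT", "ResourceRecordSet": record}
                    for record in (primary, secondary)],
    }


def worst_case_failover_seconds(interval, threshold, ttl):
    """Simplified estimate: time to detect the outage plus one full cached TTL."""
    return interval * threshold + ttl


if __name__ == "__main__":
    # Constructed sample values; AWS publishes the real alias zone ID per region.
    batch = failover_change_batch(
        site="www.example.com",
        primary_ip="192.0.2.10",
        health_check_id="HEALTH-CHECK-ID-PLACEHOLDER",
        bucket="www.example.com",
        s3_website_dns="s3-website-us-east-1.amazonaws.com",
        s3_alias_zone_id="S3-WEBSITE-ZONE-ID-PLACEHOLDER",
    )
    print(json.dumps(health_check_config("192.0.2.10"), indent=2))
    print(json.dumps(batch, indent=2))
    print(worst_case_failover_seconds(30, 3, 60), "seconds worst case")
```

With a 30-second probe interval, three failed probes and a 60-second TTL, the estimate comes to 150 seconds, which is why the TTL on the primary record matters as much as the health check.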

So the next time your team is considering spending double or triple its budget to handle a few annoying minutes of downtime, think about utilizing Amazon or other cloud service providers to handle the problem gracefully and economically.

NetWorks Group is Hiring: Come Join Our Team!

May 6th, 2013

If you're a fan of delicious restaurants, awesome concert venues, Big 10 sports, or just a bike-friendly city, then you should probably be working with us in beautiful downtown Ann Arbor, Michigan. The team at NetWorks Group works at the corner of Main and Huron, a central point among blocks of great places to shop, eat, and relax. Located a short distance from the University of Michigan, NetWorks Group benefits from the feeling of both a college town and an active business hub for southeastern Michigan. For a vibrant mixture of cultures, architecture, and activities, Ann Arbor is hard to beat!

Beyond the location though, NetWorks Group allows for the growth of employees into various realms of information security and technology. If you've never had the opportunity to work for a Managed Services Provider before, you're in for one of the best learning experiences of your life. By interacting with dozens of different types of companies and industries in one position, you'll get a chance to learn about technologies and organizations that you likely never knew about. While the work is sometimes fast-paced, the knowledge gained is very rewarding and valuable to have. If you're passionate about maximizing your growth as a professional or gaining new insights into an industry you thought you already knew, we're here to lead the way.

Whether you're just getting started in IT or are 15 years in, we'd love to discuss the opportunities that we're currently looking to fill with bright and talented people. Even if a position matching your unique skill-set isn't listed, please still reach out to us and we'll certainly determine if we have a spot for you now, or in the near future. By working at NetWorks Group you will be joining a team of accomplished, talented professionals who love to take new challenges head-on.

Whether your talents or interests are in web application development, ethical hacking, compliance, network engineering, or systems administration, there's likely a place for you on our team. Be sure to take a look at our Careers page and check back often as our needs are always changing.

Configuration Backups for Enterprise Business Continuity

April 29th, 2013

Does your organization have backups? How about backups that are outside the confines of your primary data center? According to research (The Acronis Global Disaster Recovery Index: 2012) looking at data from 6,000 IT respondents, "Almost a quarter (23%) of all businesses still don’t have an offsite backup strategy in place today." The need for an off-site backup can be much more than just an added protection for availability, but also a point of integrity for changes occurring within your enterprise. Consider what would happen if an attacker was able to breach your network and then altered a crucial configuration file. Without an off-site backup, they could potentially edit the existing backups to hide their malicious change and you'd never be the wiser. Much in the same way that log backups sent off-site have added integrity, configuration backups also benefit from this technique.

It's also stated in the report by Acronis that "human error is still the most common cause (60%) of system downtime." Think about every change that happens to your firewall on a daily basis, policy update to your AV configuration, or VLAN alteration on a switch. Without a previous configuration, it can often be difficult (if not impossible) to determine how and when a change occurred to a given device. Further, by allowing for many backups to be retained off-site, differentials of backups can occur, helping to clarify any confusion around the way that a given device has been changed over time.

Because NetWorks Group is focused on helping a wide variety of customers, we need to support an equally broad set of device types. When you utilize our Configuration Backup service, your team can rest assured that we are taking regular (daily, weekly, monthly — your choice) backups of your most critical devices and services. Because our customers' needs change so rapidly, we're constantly adding support for new backup types. If you're curious what we currently back up, here's our point-in-time view of backup types currently being supported:

  • Juniper: Junos, ScreenOS, Network and Security Manager, Trapeze, SSL VPN, RingMaster
  • Trend Micro: OfficeScan, Email Encryption Gateway, Worry-Free, InterScan (Web or Messaging) Security Virtual Appliances
  • Cisco: IOS, ASA
  • Aruba: Wireless Controllers
  • Check Point: Firewall
  • Axway: Mailgate
  • Miscellaneous: Web Servers (e.g. Apache + MySQL), Asterisk PBX, BIND, Nagios

The need to back up these configurations is no more evident than in the following research quote: "The vast majority of organizations surveyed (86%) had experienced one or more instances of system downtime during the past 12 months that had, on average, lasted 2.2 days." Most teams can't afford to be down for hours, let alone days. Don't spend your time at 2AM trying to remember how to build a complex firewall configuration or IPS policy; let NetWorks Group provide you with the off-site backup of the configuration when you need it most.

Through a focus on redundancy and cryptography, NetWorks Group protects your data so that it's both safe from attackers and ready-to-go in a pinch. Remember, if you don't see your device or platform supported, just click "Contact Us" below and we'll be glad to discuss how our team can better serve yours. There's too much at stake not to.

Hiring an Ethical Hacker: Tips for Success

April 23rd, 2013

At a recent ISSA Motor City chapter meeting one of our Sr. Security Engineers, Mark Stanislav, presented his thoughts on how the process of hiring Ethical Hacking (EH) services could be better accomplished by an organization that may not be familiar with doing so. During Mark's presentation he outlined ten big-picture topics and sub-points to each, covering a broad set of ideas. We thought we'd share some of those points today in a post regarding this crucial and sometimes complicated process. If your company is trying to hire penetration testing services (or other EH projects), we hope these notes give you a better sense of what to expect and how to ensure success with your project.

Understand Why You Need the Service
It's an extremely common request for our team to handle a penetration test or web application security review for an organization based on the requirements of their customer or a compliance auditor. However, we always make sure that the service they are requesting is the service that they actually need. Because of the rather broad set of phrases thrown around for Ethical Hacking services, customers sometimes are told to have "security testing" done, but not much more guidance is given. We highly recommend that for any required services a very clear statement of expectations is provided to you by your customer or auditor. Further, auditors should be able to clearly state, "You require an external penetration test.", or "You require a web application security review.", and not simply, "Test your security!".

Communicate With Your Teams
While the reasons for an Ethical Hacking project may vary customer-to-customer, we generally advise sharing the discussion with as many stakeholders as possible. We recommend to customers to let their team leaders, IT security managers, ISPs, data centers, and cloud services providers all know of the pending work. If we are interrupted during testing due to someone blacklisting our IP addresses or having an ISP null-route our network, the ability for us to assess security is highly impeded. Unless the goal of the test is a fully-stealth assessment, we recommend letting us test and report with the least impedance beyond proper security controls (e.g. IPS, existing firewalls, etc.). By communicating with your teams, everyone will be able to receive the most value from the work and we can do ours as intended!

Don't "Fix Things" During Testing
It's extremely tempting for a developer or systems administrator to make adjustments during a security assessment to slant the outcomes a bit more favorably toward their roles. However, changing code or configuration during an assessment can lead to confusion among the people assessing your security, which leads to delays and inaccurate findings. Unimpeded testing allows the professional that your organization has hired to best do their job and accurately represent the current status of information security. The myopic attitude of "I'll fix it before it's on the report" will likely end up with us investigating with leadership why and how something changed during our work and still figuring out what changed and why. Letting the results stand as results gives your organization a direction for real, honest improvement, which will surely benefit everyone in the long run.

We hope that you have found some value and insight in these points. While there are certainly many more that Mark shared with his audience, we thought these may give some direction to the organizations out there having to hire Ethical Hacking services for the first time! As always, we're happy to discuss how we handle EH projects, from penetration testing and vulnerability assessment, to web application security and code reviews. Feel free to contact us via the "Contact Us" button below for any additional information your organization needs about these important services.

Come Chat with NetWorks Group at an Upcoming Event

April 17th, 2013

At NetWorks Group, we put a lot of value in interacting in person with the various technology communities important to our team. More than that, we love to be able to meet with customers and people looking to find out more about what we do and how our team could help yours achieve tough goals.

Part of this community interaction often leads our team to present at and attend a variety of events, especially in the Midwest. Here are some upcoming events where you can meet and chat with some of our team!

  • ISSA Motor-City — Livonia, MI — http://www.issa-motorcity.org/
    Mark Stanislav (Sr. Security Engineer) and Don Ledwidth (Sr. Auditor) will be in attendance on April 18th, 2013. Mark will be one of the presenters that evening, with his talk titled, "So You Want to Hire a Penetration Tester? 10 Tips for Success".
     
  • NOTACON — Cleveland, OH — http://www.notacon.org/
    Scot Armstrong (Account Manager) and Mark Stanislav (Sr. Security Engineer) will be headed down to Cleveland April 19th - 21st, 2013, for the tenth NOTACON! Mark will be presenting regarding RubyMotion iOS development.
     
  • Penguicon — Pontiac, MI — http://www.penguicon.org/
    Mark Stanislav (Sr. Security Engineer) will be presenting on Sunday, April 28th, 2013 at Penguicon. This will be the third year in a row that Mark has presented at this content-diverse event. He'll be discussing the downfalls of poor web application programming and more!
  • #misec — Royal Oak, MI — http://michsec.org/
    Mark Stanislav (Sr. Security Engineer) will be giving a talk about core Linux security practices on May 9th, 2013, calling upon over a decade of systems administration experience during his career. Come meet with one of the largest monthly-run security groups in Michigan.
     
  • Michigan Cybersecurity Industry Summit — Ann Arbor, MI — http://www.merit.edu/cyberrange/industrysummit.php
    Matt Warner (Creative Manager) and Mark Stanislav (Sr. Security Engineer) will be in attendance for this first annual event on May 14th, 2013. The line-up is great, so we hope to see you there for the talks and conversation.
     
  • Great Lakes 2013 InfraGard Conference — Ypsilanti, MI — http://efmevents.com/2013/infragard/
    Mark Stanislav (Sr. Security Engineer) will be presenting his talk, "Core Linux Security: 0-Day Isn't Everything", at this year's annual event on May 16th, 2013. InfraGard provides for an exciting variety of talks from information technology to homeland security.
     
  • Stir-Trek — Columbus, OH — http://stirtrek.com/
    Mark Stanislav (Sr. Security Engineer) will be attending the latest installment of this event on May 17th, 2013. Mark will be speaking about web application security. If you love technology and want to catch a free movie, this event is for you!
     
  • Security B-Sides Detroit — Detroit, MI — http://www.securitybsides.com/w/page/61144863/BSidesDetroit13
    Matt Warner (Creative Director) will be attending the third year of this community-driven event. Free attendance downtown in the beautiful Renaissance Center! Come hang out June 7th and 8th, 2013.

If you know of any cool events happening that we should be attending or maybe even presenting at, feel free to contact us using the "Drop Us A Line" button below, we'd love to hang out. Come find us at one of these events and we'll be sure to update everyone where we'll be headed later this Summer and Fall in a future blog post.

Drupal Deployment Security Hardening

April 16th, 2013

Web applications continue to be an easy target for many attackers. There's generally a large attack surface, many best practices are often forgotten, and a single coding flaw can lead to a full compromise of the database or arbitrary code execution. Still, a quality Content Management System (CMS) can provide for a very functional web deployment and is hard to pass-up for many organizations.

Here are some thoughts and tips for helping to add overall improvements to the deployment stack of a Drupal 7 site. While some of these items may not fit your deployment needs, you should still be able to find equivalent technologies to do similar hardening. As a further caveat, additional areas of hardening have been excluded since this list could go on for a few blog posts if we tried to fit in everything.

Drupal

  • Patch all modules as soon as updates are available, preferably after you've tested them on a development site.
  • Install and configure the module Security Kit to provide for additional protections against XSS, CSRF, click-jacking, and add HSTS for SSL.
  • Utilize the Tiny-IDS module to view attacks against your site. Add IP addresses attacking your deployment to a firewall or block via .htaccess.
  • Investigate findings of the Security Review module to see any misconfiguration that may lead to potential issues.
  • Integrate Duo Security's module to provide for two-factor authentication, preventing simple brute-force attacks against weak passwords.
  • If you don't utilize two-factor (or even if you do), please enforce strong passphrases to ensure that you're not compromised easily.

MySQL

  • Limit exposure of your database service to only the loop-back interface (lo0) or, better yet, only to a socket (skip-networking in my.cnf).
  • Use a separate user for Drupal, different from your 'root' MySQL account. Do not give more privileges than are required to run your site.
  • If you're very concerned about SQL Injection attacks, you have the option to deploy an SQL security proxy such as GreenSQL.

CentOS

  • Ensure a fully patched, current-branch of your Operating System deployment.
  • Leave SELinux enabled and fix any incompatibilities that you run across (sealert -a /var/log/audit/audit.log).
  • Similar to Drupal, utilize Duo Security for two-factor authentication for SSH.
  • Limit SSH access to internal networks or via VPN — don't needlessly expose it to the Internet.
  • Utilize IPTables to firewall all ingress and egress traffic not explicitly needed to run your web site properly.

Apache

  • Disable all modules not required to run the site properly.
  • Set ServerTokens to Prod to reduce the amount of information the server discloses about itself.
  • Utilize SSL for any pages with sensitive form data (such as logins) and ensure proper configuration with SSL Server Test.
  • Ensure detailed logging exists for all traffic, whether successful or resulting in an error.
  • Limit visibility to sensitive pages or forms using .htaccess directives with authentication or IP requirements.

PHP

  • Keep your system's version of PHP fully patched.
  • Disable all modules not required to run the site properly.
  • Set expose_php to off to hide the specific version information of PHP running.
  • Set display_errors and display_startup_errors to off in order to prevent showing debugging information to end-users.
  • Enable session.cookie_secure with a setting of 1 if your server will be handling user sessions via SSL (which it should).
  • Set session.cookie_httponly to 1 to help prevent XSS attacks from stealing user sessions.
  • Configure session.hash_function to 1 for usage of SHA-1 instead of MD5 for session ID generation.
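One way to check a server against the PHP settings listed above, as an added Python example that is not part of the original post: it parses the text of a php.ini file, applies PHP's boolean keywords, and reports every directive that is missing or deviates from the list. The sample php.ini content is constructed for illustration.

```python
import re

TRUE_WORDS = {"1", "on", "yes", "true"}
FALSE_WORDS = {"0", "off", "no", "false", "none", ""}


def as_bool(value):
    """Map PHP's ini boolean keywords to True/False; None for anything else."""
    value = value.lower()
    if value in TRUE_WORDS:
        return True
    if value in FALSE_WORDS:
        return False
    return None  # e.g. "display_errors = stderr" still shows errors


# Directive -> test that returns True when the value matches the list above.
CHECKS = {
    "expose_php": lambda v: as_bool(v) is False,
    "display_errors": lambda v: as_bool(v) is False,
    "display_startup_errors": lambda v: as_bool(v) is False,
    "session.cookie_secure": lambda v: as_bool(v) is True,
    "session.cookie_httponly": lambda v: as_bool(v) is True,
    # The list asks for 1 (SHA-1). Anything except 0/md5 passes here; the
    # directive itself no longer exists from PHP 7.1 onward.
    "session.hash_function": lambda v: v.lower() not in ("0", "md5"),
}

DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return {directive: value}; the last assignment wins, as it does in PHP."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # drop ';' comments (quoted ';' not handled)
        match = DIRECTIVE.match(line)
        if match:  # section headers such as [PHP] have no '=' and are skipped
            settings[match.group(1)] = match.group(2).strip("\"'")
    return settings


def audit(text):
    """Return (directive, found_value) pairs; found_value is None when unset."""
    settings = parse_ini(text)
    findings = []
    for name, is_ok in CHECKS.items():
        if name not in settings:
            findings.append((name, None))  # not pinned; PHP's default applies
        elif not is_ok(settings[name]):
            findings.append((name, settings[name]))
    return findings


# Constructed sample php.ini, not taken from a real server.
SAMPLE_INI = """\
[PHP]
expose_php = On
display_errors = stderr ; send errors to stderr
display_startup_errors = Off
; session.cookie_secure = 1

[Session]
session.cookie_httponly = 1
session.hash_function = 0
session.hash_function = 1
"""

if __name__ == "__main__":
    for name, found in audit(SAMPLE_INI):
        shown = "not set" if found is None else repr(found)
        print("%-26s %s" % (name, shown))
```

A commented-out directive is reported as not set, which catches the common case of a setting that looks present in the file but never takes effect.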

That concludes our overview of Drupal deployment hardening tips. While there are certainly other avenues, technologies, modules, and configuration settings possible to further increase security, this list would be considered a great start for most organizations. The best approach to security is one that has layered mechanisms to help provide a better, more holistic approach to mitigation. Before implementing any of these tips, however, you should thoroughly test each one in a sandboxed or development environment to ensure they work as you expected and have no adverse consequences for your deployment.

New NetWorks Group Site and Our Updated Services

April 16th, 2013

Welcome to the new NetWorksGroup.com! Over our last 15+ years, the environment around IT infrastructure — especially security — has evolved to an extent that to keep up with best practices and compliance standards most organizations require an on-staff security team, and we're here to be that team.

Our restructured Managed Services are focused on making your IT easier as a whole when it comes to managing the security and functionality of your infrastructure. Solving existing security issues, maintaining security and networking devices, and keeping technologies updated, all while reacting to threats and the need to improve continuously, can be an exhausting challenge for companies of all sizes. Our services provide all-encompassing organizational coverage of your infrastructure. Whether you require specific compliance standards or have overall organizational policies in place, we can work with you to make your life easier.

We have streamlined our Ethical Hacking offerings to provide you with goal-oriented results and the quickest path to remediation of issues. While automated security scanning services may seem more cost-effective, reports littered with false positives due to no human oversight as well as no access to experienced security professionals can make resolving the issues found difficult at best. Leverage our expertise to make your company more secure and we'll make sure that you understand the full importance and scope of your vulnerabilities.

Compliance is about more than just dotting the i's and crossing the t's of PCI, HIPAA and EI3PA (but that's important, too). Following frameworks, building policies, and having a plan in case of a disaster keeps your organization up and running, no matter the scenario. Taking a business-centric approach allows our experienced auditors to support your compliance needs without damaging or interrupting your existing infrastructure. Our Managed Services and Ethical Hacking offerings both can help you reach full compliance with PCI DSS, utilizing File Integrity Monitoring and Vulnerability Assessment.

We will be updating the site and blog often so please check back soon. Feel free to contact us via "Contact Us" found at the bottom of every page or through Contact and we'll get back to you ASAP!

Follow us on Twitter for updates from our company and security news that affects you.

Two-Factor Authentication for MediaWiki with Duo Security

April 9th, 2013

Two-factor authentication can be the difference between a major compromise and just a fleeting annoyance for a company. While there have always been a few multifactor authentication options on the market, they rarely have gone to the lengths that Duo Security has to provide multi-language, multi-device, and multi-application support for two-factor implementation with one service. I won't go into the details of all that they offer, but it's important to us and our clients to have a solution that can cover many avenues of technology seamlessly.

One area that is often overlooked when evaluating infrastructure integrity is the all-too-vulnerable corporate web application (e.g. blogs, content management systems, and wikis). While many companies spend large amounts of their time deploying quality firewall infrastructure, the public-facing web applications behind that firewall rarely get the treatment they deserve for security forethought.

While it's easy to say that a wiki may not be a real 'target' for attackers, it's important to remember that with general password reuse, it's convenient for an attacker to leverage stolen credentials against you, and could bounce from that mundane wiki into other parts of your infrastructure. The strategy of defense-in-depth should protect assets from being compromised if only a single point of a security mechanism has been beaten. If a user happens to get phished, that shouldn't allow an attacker to become an administrator on your corporate wiki or otherwise.

Recently, I deployed an internal wiki for the company using MediaWiki and wanted to ensure that we were following best practices by implementing two-factor authentication, even though the exposure was limited by design. Luckily, Duo Security recently published their two-factor authentication module for MediaWiki. Having had a chance to deploy it, I felt like this may be a topic that would be of interest for the many companies deploying wikis without that added protection. Here are a few quick implementation notes:

  1. Download the latest copy of the MediaWiki plugin from the Duo Security GitHub
  2. Copy the zip into the MediaWiki 'extensions' folder on your server and uncompress the file
  3. Ensure that the plugin folder is called 'DuoAuth'
  4. Edit your 'LocalSettings.php' file to include the following plugin directives:
    1. require_once( "$IP/extensions/DuoAuth/DuoAuth.php" );
    2. $wgRedirectOnLogin = 'Special:DuoAuth';
    3. $wgDuoIKey = "[The app's integration key]";
    4. $wgDuoSKey = "[The app's secret key]";
    5. $wgDuoHost = '[api-host].duosecurity.com';
  5. Finally, if you are using MediaWiki in 'Private Wiki' mode, add this final directive to your 'LocalSettings.php' file:
    1. $wgWhitelistRead = array("Special:DuoAuth");

These changes should make the MediaWiki installation require Duo Security following your initial login. Beyond MediaWiki, Duo Security also offers WordPress, Drupal, and Expression Engine (forked from original Duo Security module) plugins on the blog/CMS front. If those don't fit your needs, check out the rest of the Duo Security GitHub account for a collection of programming language development kits and build your own!

While two-factor authentication isn't a panacea to all security issues, it certainly mitigates the impact of a single set of user credentials getting stolen. It's important to understand that just because credentials to a web application seem unimportant, does not mean that the impact from such a compromise won't have cascading effects into the whole of your infrastructure integrity.
