Dear all,

My laptop (Microsoft Windows 10,  Enterprise 2016 LTSB, Build 14393). It's a Dell Latitude and a bit old but was working OK. Lately, it has been slow and displays erratic behaviors (strange processes, pop ups, power Shell down based on Event viewer, will come back to this in a second). Besides the Falcon Sensor Free trial and a paid version of Symantec End point protection, I've run different scans such as ESET  Online Scan, Restoro, I have done that for days with no luck so I think it could be a bad Windows 10 version.

Today when I checked the USERS folder in C, there was a new user! and there were traces of strange events on the event  viewer including the log on of this user (DAU1-2106).

On the other hand, I was installing Visual studio yesterday when the "log on" happened, can Visual Studio create a new user during installation?

I also tried identifying the username of the SID by using the wmic command in cmd and it was not found to be in the domain.



Please let me know if it's safe to attach the files on here as they can contain sensitive information of my network and user names, etc.


Thank you very much and I will check back in a few minutes.

Kind Regards,
D

Hi All,

In Mcafee EPO how can we identify the hash value of files and how to search and verify the malicious files with their hash values ?

Please advise

Best Regards,
Ganpat

We get an audit finding from one of the Big Four audit firms as follows:
"A study should be conducted to determine the granularity of the segmentation of end-users. Minimally,
  IT administrators should be in a separate network segment from the rest of the end-users."
"Inadequate network segmentation increases the ease and risk of lateral movement by cyber-
  attacks, if a server or device in the segment is compromised."

As sysadmins have "privileged" access to servers & compromise of their PCs will risk compromising
the servers in a 'privileged' way, we'll adopt the recommendation.

I'll need some good points/arguments to support our stand of not further segmenting each
departments from each other:

a) the main exposures are from "Internet surfing" & emails access (lots of malicious attachments,
    phishing, spam emails seen in email gateways) besides USB ports

b) all other users belong to same trust domain as they read emails & surf internet (yes, the
     sysadmins are encouraged to surf internet on PCs not used to surf Net & read emails)

c) for workstations used for Industrial Control Systems/Operations Tech, they don't have email
    access & Internet surfing &  have been rightfully segregated as per existing set-up

d) To prevent lateral attacks, EDR, AV & email security (forwarding of malicious emails to
     other colleagues) are in place with SIEM for detecting such events in the pipeline

e) if we were to segregate every departments (eg:…

Hi
Is there a technology related with Cybersecurity called Lawful Interception Solutions . If yes, what does this do ? Is it cloud based or on-prem. ? Which vendors has it etc .

Looking for basics to understand the concept and any links for me to move further .

Regards,
Sid

I'm trying to configure a rule in Cisco CES cloud platform the stops people masquerading as the CEO
for attempted Phishing. So on our previous FW we had if the mail has the sender as 'our ceo' but does not come from
our Domain, then drop. I can see where to configure this in the CES.

I have a question about ransomware.  If my computers C drive is already encrypted, is it still possible for ransomware to hold my computer hostage by encrypting files?  if we have office 365 and all the files are also backed up to the cloud through OneDrive, doesn’t that also create a level of protection?

We are looking for a way to make documents (preferably PDF files) self-destruct after a set period of time.  We strongly prefer a strictly client-side solution with no central management server.  Is there an easy solution?

Does FedRamp actually offer a Certification/Accreditation for their training course?   Is there an actual exam that you have to take at the end?

I want to ensure the integrity of the value that is set in a session will remain valid throughout the user's interaction with the site.

Can a session value be changed from the client-side?

Is there a way to emulate threat traffic in a controlled environment?  We would then use this information for common use cases.  I was thinking anything along the lines that could include log files that could give an indication of different attack signatures.  This method is obviously safer than injecting a virus on a test box and then introducing it to a customers network.  Any suggestions are GREATLY APPRECIATED!

Is it risky to use a 3rd-party VPN service such as NordVPN for a business?  The goal is to make it harder for attackers to break in to the office through the Internet.  The goal is not to allow people to connect to the office remotely.  The line of thought is that forcing all office Internet traffic through a VPN would make it harder for an attacker to target the office because the VPN would make the office Internet connection anonymous.

Would using a VPN in this way negate the protections provided by a NAT router?  What about if the router itself is configured to make the VPN connection for the whole office instead of having each individual client computer connect?  Which is the best way to do it?

Q1:
I'm making comparison for IPS brands that give the most virtual patches
for various CVEs for MS (Windows, Outlook, .Net,  MS SQL, IIS & MSOffice) ,
Oracle (Weblogic, Database, Java, Solaris), Linux (various Linux esp RHEL,
Ubuntu, Debian, CentOS used in microservices) & a couple Opensource
softwares (eg: PHP, Apache, Struts, Wordpress).

Reason is it's difficult to get downtime & lead time to patch can often
stretch to almost a year.   Currently, Trendmicro claims its Deep Security
is endorsed by MS as giving the most virtual patches for MS products.

Q2:
What about TippingPoint NIDS (acquired by Trendmicro) in terms of
its number of virtual patches for various products above?

Q3:
What about other products (esp coverage for Oracle & Linux-related ones)?
McAfee, Checkpoint, Sophos, ... ?

Q4:
Also, continued availability of obsolete versions of softwares are crucial
for us as we have a long lead time to tech refresh obsolete (ie principals/
developers don't release patches for it anymore) softwares.

Q5:
There's an argument that ultimately product patch still need to be applied?
What could be the possible reasons for these?   Heard that for NIDS, if
PCs got infected/compromised, the attacker could bypass NIDS & WAF to
attack the unpatched endpoint servers.  Guess an IPS with agent inside
the endpoint will mitigate, right?

just had two sites fail pci compliance tests with certificate errors on sonicwall tz180.  trustwave does the scans and this is what they said: The server should be configured to disable the use of the deprecated SSLv2, SSLv3, and TLSv1.0 protocols. The server should instead use stronger protocols such as TLSv1.1 and/or TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the SSLv2, SSLv3, and TLSv1.0 protocols on this service is sufficient.
i have no idea how to do what they said.  any help is really appreciated.  thanks