I have two DL380 server with esxi 5.5 running on the top of both servers. I have connected these servers via cross cables with primary and secondary nic cards. I have made a vswitch and adaptor to connect to VM hosted on the respective servers. when i reb

This post was originally published on this site

I have two DL380 server with esxi 5.5 running on the top of both servers. I have connected these servers via cross cables with primary and secondary nic cards. I have made a vswitch and adaptor to connect to VM hosted on the respective servers. when i reboot the machine i can see that i will not be able to ping each other , in order to ping i need to disconnect and connect the adaptor towards the VM. my nic teaming is in active standby . please suggest a way to avoid this issue

NVidia GPU on ESXi 6.5 with V.M. not EFI Bios

This post was originally published on this site

Hello,

We need to install a NVidia P2000 (Q0V77A) on a HP ML 360 Gen10 with VMWare esxi 6.5 and pass it in passthrough to a Win2016 Virtual Machine already working.

I found fragmentary information on the internet (no precise and complete official VMWare article) explaining how to configure the video card to be viewed and managed directly by V.M. and the part that worried me is that someone says that the V.M. must be configured with the Bios in EFI mode while the V.M. which I have already operative from the customer is definitely installed in normal Bios mode, being also the mode recommended by VMWare during installation.

The problem is that if i change the Bios in EFI mode, the V.M. not boot anymore.

If the Bios in EFI is an essential prerequisite for the correct operation of the video card, this would mean having to reinstall the virtual machine, the terminal server, the ERP software. Can you give me more precise information?

Thanks a lot.

Questions Every CEO Should Ask About Cyber Risks

This post was originally published on this site

Original release date: December 4, 2018 | Last revised: December 14, 2018

As technology continues to evolve, cyber threats continue to grow in sophistication and complexity. Cyber threats affect businesses of all sizes and require the attention and involvement of chief executive officers (CEOs) and other senior leaders. To help companies understand their risks and prepare for cyber threats, CEOs should discuss key cybersecurity risk management topics with their leadership and implement cybersecurity best practices. The best practices listed in this document have been compiled from lessons learned from incident response activities and managing cyber risk.

What should CEOs know about the cybersecurity threats their companies face?

CEOs should ask the following questions about potential cybersecurity threats:

  • How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
  • What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
  • How can my business create long-term resiliency to minimize our cybersecurity risks?
  • What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
  • What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

What can CEOs do to mitigate cybersecurity threats?

The following questions will help CEOs guide discussions about their cybersecurity risk with management:

  • What is the threshold for notifying executive leadership about cybersecurity threats?
  • What is the current level of cybersecurity risk for our company?
  • What is the possible business impact to our company from our current level of cybersecurity risk?
  • What is our plan to address identified risks?
  • What cybersecurity training is available for our workforce?
  • What measures do we employ to mitigate insider threats?
  • How does our cybersecurity program apply industry standards and best practices?
  • Are our cybersecurity program metrics measureable and meaningful? 
  • How comprehensive are our cybersecurity incident response plan and our business continuity and disaster recovery plan?
  • How often do we exercise our plans?
  • Do our plans incorporate the whole company or are they limited to information technology (IT)?
  • How prepared is my business to work with federal, state, and local government cyber incident responders and investigators, as well as contract responders and the vendor community?

Recommended Organizational Cybersecurity Best Practices

The cybersecurity best practices listed below can help organizations manage cybersecurity risks.

  • Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
    • CEO and senior company leadership engagement in defining an organization’s risk strategy and levels of acceptable risk is critical to a comprehensive cybersecurity risk plan. The company CEO—with assistance from the chief information security officer, chief information officer, and the entire leadership team—should ensure that they know how their divisions affect the company’s overall cyber risk. In addition, regular discussion with the company board of directors regarding these risk decisions ensures visibility to all company decision makers.
      • Executives should construct policy from the top down to ensure everyone is empowered to perform the tasks related to their role in reducing cybersecurity risk. A top-down policy defines roles and limits the power struggles that can hurt IT security.
  • Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
    • Lower cybersecurity risks by implementing industry benchmarks and best practices (e.g., follow best practices from organizations like the Center for Internet Security). Organizations should tailor best practices to ensure they are relevant for their specific use cases.
    • Follow consistent best practices to establish an organizational baseline of expected enterprise network behavior. This allows organizations to be proactive in combatting cybersecurity threats, rather than expending resources to “put out fires.”
    • Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) provide guidance on minimal requirements; however, there is more businesses can do to go beyond the requirements.
  • Evaluate and manage organization-specific cybersecurity risks.
    • Identify your organization’s critical assets and the associated impacts from cybersecurity threats to those assets to understand your organization’s specific risk exposure—whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cybersecurity risks.
    • Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. For example, it is better to focus on the goals your organization will achieve by implementing overall security controls instead of inquiring about specific security controls, safeguards, and countermeasures.
    • Focus cyber enterprise risk discussions on “what-if” situations and resist the “it can’t happen here” patterns of thinking.
    • Create a repeatable process to cross-train employees to conduct risk and incident management as an institutional practice. Often, there are only a few employees with subject matter expertise in key areas.
  • Ensure cybersecurity risk metrics are meaningful and measurable.
    • An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise. In this example, reducing the days it takes to patch a vulnerability directly reduces the risk to the organization.
    • An example of a less useful metric is the number of alerts a Security Operations Center (SOC) receives in a week. There are too many variables in the number of alerts a SOC receives for this number to be consistently relevant.
  • Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
    • It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment. Each part of the organization should know how to respond to both basic and large-scale cybersecurity incidents. Testing incident response plans and procedures can help prevent an incident from escalating.
    • Incident response plans should provide instructions on when to elevate an incident to the next level of leadership. Regularly exercising incident response plans enables an organization to respond to incidents quickly and minimize impacts.
  • Retain a quality workforce.
    • Cybersecurity tools are only as good as the people reviewing the tools’ results. It is also important to have people who can identify the proper tools for your organization. It can take a significant amount of time to learn a complex organization’s enterprise network, making retaining skilled personnel just as important as acquiring them. There is no perfect answer to stopping all cybersecurity threats, but knowledgeable IT personnel are critical to reducing cybersecurity risks.
    • New cybersecurity threats are constantly appearing. The personnel entrusted with detecting cybersecurity threats need continual training. Training increases the likelihood of personnel detecting cybersecurity threats and responding to threats in a manner consistent with industry best practices.
    • Ensure there is appropriate planning to account for the additional workload related to mitigating cybersecurity risks. 
    • Cybersecurity is emerging as a formal discipline with task orientation that requires specific alignments to key knowledge, skills, and abilities. The National Initiative for Cybersecurity Careers and Studies (NICCS) is a useful resource for workforce planning
  • Maintain situational awareness of cybersecurity threats.

 

This product is provided subject to this Notification and this Privacy & Use policy.

AA18-337A: SamSam Ransomware

This post was originally published on this site

Original release date: December 03, 2018

Summary

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.

The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.

After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Analysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.

SamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.

Technical Details

NCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants. This is not an exhaustive list.

For general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware.

Mitigations

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology venders to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Additional information on malware incident prevention and handling can be found in Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, from the National Institute of Standards and Technology.[1]

Contact Information

To report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or the FBI’s Cyber Division via the following information:

Feedback

DHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.

References

Revisions

  • December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.