Using Configuration Management to Detect Unwanted Software

The Log4j vulnerability is the latest cyber exploit, bringing a CVSS critical score of 10. It allows attackers to execute arbitrary Java code on remote computers, including accessing sensitive information.

Only a year since the world addressed the SolarWinds supply chain attack, it’s another  confirmation that network professionals must adopt long-term risk-management strategies.

Are Opmantek products affected? Opmantek does not release software written in Java or Log4J, nor do the projects we depend on directly utilize Java or Log4J. 

Leverage Configuration Data to Identify Risk

It can be difficult to identify if Log4j is being used, as it’s often bundled with other software. A configuration management system provides means to audit a resource configuration and inventory elements against a defined security policy.

Gather Configuration Data

Get data into the system through integration or direct collection

Extract Operational Information

Process the data to extract information about change and compliance

Gather Configuration Data

Get data into the system through integration or direct collection

Detecting Log4j on a Server with opConfig

Like any organization, our internal teams use a variety of third party software. In the case of the Log4J vulnerability, we needed to confirm if the library was installed on our servers, patch it, and ensure it wouldn’t then be installed in future.

Between our product, development and test servers we had about 50 Linux servers to check, so we needed to find a quick, automated solution.

Detection

Unfortunately, the software does not use a Linux package manager, so we can not use RPM and APT commands.  There is a simple way to verify if the software was installed, look in / (root directory and all child directories) to see if there were any files containing the name log4j.

The Linux command we needed was:

  • sudo find / -name “*log4j*”

We wanted to run this command quickly and easily on 50 Linux servers.  A new command set was needed which we called “Linux_Log4j”. We created a new command set file for this and similar things called “Linux_Software_Installed.nmis”.

Linux_Software_Installed Command Set

Command sets in opConfig are stored in /usr/local/omk/conf/command_sets.d by default.  We copied an existing one and edited it to make it reflect what we needed. ​​This change could also be made in the GUI, editing an existing command set and adding a new command collection.  Most importantly, this needed to have os_info matching Linux only and we needed to change the two commands. In the most recent version of opConfig for NMIS9 these files are JSON.

To understand the contents it is quite straightforward, os_info means only run these commands when these os_info conditions are met.  Each of the command sections are simple and the tagging system is powerful:

  • privileged: means does this require elevated privileges to run, e.g. sudo access
  • command: the command you want to run, which is also how the data is saved into the system
  • exec: optional if you want to save the command as some other name, use the exec as the command which is actually executed and the command item will be the name of the command to run.
  • tags: HOURLY means this will automatically run every hour, Linux and operations are handy for finding the command, detect-change and report-change means that opConfig will monitor this command output for change and if a change is found raise an event.

Linux_Software_Installed.json

The final command set looks like this:

{

“Linux_Log4j” : {

“commands” : [

{

“privileged” : “true”,

“command” : “Log4jSearch”,

“exec” : “sudo find / -name \”*log4j*\””,

“tags” : [

“HOURLY”,

“Linux”,

“operations”,

“detect-change”,

“report-change”

]

}

],

“scheduling_info” : {

“run_commands_on_separate_connection” : “false”

},

“os_info” : {

“os” : “/(Linux|CentOS|Ubuntu)/”

}

}

}

Running the Command Set

Because it is tagged with “HOURLY” the command set will run automatically every hour.  If you want to run it manually for testing, you run the following command:

sudo /usr/local/omk/bin/opconfig-cli.pl quiet=1 nodes=NODE-TO-TEST-WITH act=run_command_sets tags=HOURLY debug=true

Check for any errors, if all good, run manually for all nodes or wait an hour or so.

You may need to increase the timeout if you see the console lines as below.

[2021-12-22 03:58:48.21513] [23682] [warn] failed to make session privileged: read timed-out

[2021-12-22 03:58:48.21573] [23682] [warn] Failed to run command Log4jSearch: Could not make session privileged: read timed-out

[2021-12-22 03:58:48.21587] [23682] [warn] Command timed out – partial response was: “”

The /usr/local/omk/conf/opCommon.json file can be edited and the value for opconfig_command_timeout increased to a suitable number of seconds.

Running as Non-Privileged

You may not have (or want to use) the privileged user (using sudo). In this case, a more suitable exec string is below (and remember to set “privileged”: “false”).

“exec” : “find / -name \”*log4j*\” 2>/dev/null”,

Diagnose

Now we can go to the opConfig GUI and find the matching nodes.

Access the Commands Overview

From the opConfig menu, select “Views → Recent Commands” and you should see a screen which looks like below.

First we can see how many instances of “Log4jSearch” we have collected.In the box enter “Log4jSearch” change the select to “Command” and click “Go”. You will have a list of nodes and the command name.

Next, click on the “Advanced” button on the right.

Click on the Node Name to see the command output.

Here we can see this node has some possible files of concern.

Remediation

In this case remediation requires one of the operations team to install updated versions of Log4j or the packages from vendors using it. The Opmantek development team use Vagrant to automate this kind of activity and the issue was quickly resolved.

Conclusion

Using the Operational Process Automation methodology of detect, diagnose and act, Opmantek was able to identify which of our servers required change within 15 minutes.

Ready to see what opConfig can do for your organization?

Get in touch to speak with a network engineer. We’re a technically led team, so prepare for a conversation about solutions, not sales.

Or, get started straight away with a time-unlimited 20 node license.

Uncategorized

How to Stabilise & Audit Using Network Configuration And Compliance Monitoring

What is Network Configuration and Compliance Monitoring

Network Configuration and Compliance Monitoring (or NCCM) is a system that works closely with all devices in a set network, transmitting and receiving data from a wide range of devices to ensure that everything is acting in a compliant manner. In addition to this, NCCM can ensure that your devices are configured correctly, and in the case that they are not, can schedule reconfigurations at a time that is convenient to the user.

Automating NCCM processes is often required because companies often have thousands of devices that cannot be handled manually, making the entire process far simpler and more accurate through automation. One example of an NCCM is Opmantek’s “NMIS”, a network management system designed to offer comprehensive information to network engineers to assist in the diagnosis and resolution of network problems.

Change detection and rectification

When dealing with a device configuration, there are relatively few commands that you need to be aware of to know exactly how it is set up. In theory, by remembering these and applying them to a new device, it should act identically to the previous one. When these configurations change and nobody is informed, however, it can become incredibly difficult to replace the device should it become faulty.

By implementing effective change detection, which discovers any configuration adjustments in a device, you can stay on top of all of your device configurations and replace them with ease. Additionally, you can receive alerts to let you know of every configuration change, and how many times the configuration has changed. This change detection can be used with products such as “opConfig”, which processes and records configuration changes across entire networks.

Device configuration changes

The configuration backups are all saved without restriction, so reverting to any previous configuration is incredibly simple. Your NCCM can keep hourly backups of your configuration settings, allowing you to revert a previous device, router or switch to a previous version when the device was working as intended. This will either resolve the issue or inform you that the issue is likely with the hardware in use (in which case you can simply install new hardware with the successful configuration in place).

Servers and network scanning

In addition to tracking the configuration of your devices, it’s also possible to use an NCCM as a performance tracking tool. By performing automated network management, the system is also taking in significant amounts of data, including the levels of packet loss within servers over a set period of time. This can help you in an audit to establish whether the performance of a particular server is degrading. If the performance declines, you can compare this data with configuration changes to ensure that your network is using the optimal settings, and resolve the issue without having to go through a more thorough investigation of your network. The data is already collected and ready to be analysed.

Try Opmantek’s products

If you’re interested in Opmantek’s range of products and would like to learn more, listen to Packet Pushers’ episode with Keith Sinclair, or contact us today. We are proud to offer effective solutions to IT departments, providing meaningful and actionable data to assist in the troubleshooting process.

Uncategorized

How SMEs Can Manage Their Network Faults Using Event Actions

Fault management is the process of detecting, analysing and responding to faults in a system. It is an essential part of any IT infrastructure because it helps maintain availability and quality of service for applications.

Event actions, inside opEvents, provides your organisation with fault management visibility at the time of the event, while proactively remediating events, before they become major faults. Its ability to provide early warning detection of potential problems is more than an asset to businesses. By identifying potential hazards before they happen, signifying steps that need to be addressed or escalated before they become significant is highly desirable. You’ll be able to always see happening on your network, including; when events occur on a network, what events occur before faults, what steps were taken to remedy the faults. The combination of these factors will allow you to automatically close events and stop them from escalating to future faults.

This performance management tool will help you save time, money, resources and reputation when dealing with unexpected situations that may arise and allow you to better plan for IT emergencies.

Why Fault Tool Management is so important

The Fault Configuration Accounting Performance Security (FCAPS) framework for managing information security was developed by the National Institute of Standards and Technology (NIST) to provide a structured approach to Network Management.

It provides an overview of the capabilities required to manage networks effectively, and the F in FCAPS stands for Fault Management, including monitoring, detection and diagnosis.

This framework aims to improve the quality of service that users receive from their networks while also reducing costs associated with faults, outages, and maintenance.

How is your network performing?

FirstWave’s opEvents platform provides an automated network management solution for IT events and faults, making it easy for SMEs to monitor their networks with minimal effort. With our software, you can identify where problems are happening in real-time; without affecting your business operations and customer experience.

We offer an integrated suite of products that can be tailored to meet any business’ needs, from small and medium-sized enterprises (SME) up to large corporations. In addition, our solutions are designed to provide maximum visibility into your networks so you can identify and resolve problems before they cause downtime or financial loss.

Network management system’s like NMIS (Network Management Information System) will send fault and performance events. Increasing the breadth and depth of event management, FirstWave senior engineer Mark Henry explains this in our recent webinar ‘opEvents: All about Event Actions’.

“NMIS has a foundation escalation system that handles events singularly, however by employing opEvents you have the ability of automated event correlation”.

You can install opEvents easily as a standalone product at our downloads page, or it is available as part of our FirstWave virtual appliance package.

Why log analysis tools are essential for all businesses

Pro-consumer cyber security and privacy comparison website Comparitech has ranked opEvents in its list of 12 Best Log Analysis Tools, stating that it ranks highly because: “This centralised log and event manager reduces the impact of network faults and failures using proactive event management.”

In the article, Comparitech network administration expert Tim Keary wrote that: “Poor performance can emerge unexpectedly at any time. Network monitoring platforms like log analysis tools allow you to spot performance issues before they arise.”

Keary outlined that strong log analysers like opEvents provided users with data they wouldn’t otherwise have that included:

  • The ability to quantify the number of log messages that arrive in a given period by using statistics to understand and improve performance-related issues and optimise security measures.
  • Filtering and sorting tools that are capable of identifying and separating sources and events.
  • Correlation systems enable log messages generated in different formats to be analysed together to make sense of fragmented data.
  • A system of highlighting to make patterns in data more accessible to identify visually.
  • The ability to interpret a wide range of raw data and then present it to you through charts that make sense.

Here at FirstWave, we have seen many IT departments transformed by implementing our suite of tools to automate network Fault Management. To start making decisions through meaningful and actionable data to automatically troubleshoot your events book a demo today.

Uncategorized

Why Configuration & Compliance Management Is Crucial

Network security is of paramount concern for all businesses in 2021 and beyond, one facet of network security that should be at the forefront of most organizations is Configuration and Compliance Management.

Creating and enforcing configuration and compliance management ensures that all your network devices are configured to meet your organisation’s standards and requirements. It also encapsulates all connected devices and helps identify potential risks.

The average cost of a cybercrime attack on an Australian business is $276,323. It then takes a company an average of 23 days to recover from an attack, this stresses the importance of having configuration and compliance in place. Simple processes for opConfig involve backing up all configuration data of your network devices, comparing configuration between your devices, and creating events when configuration changes. When it comes to recuperating from an attack or fixing the problem caused by a breach, heavy losses of time and money are a continual variable amongst many businesses, these are reduced by using opConfig if they occur at all.

Unauthorised devices, installing non-compliant software, or user errors are just a few ways of how systems can be compromised. From Open-AudIT to monitor new devices on a network or non-authorised software installation to using opConfig to monitor default passwords enabled, these risks can be reduced.

 

Early warnings are paramount to network security

Early warnings are essential for network security. If you can detect a security or compliance breach early, it’s easier to stop and prevent damage. But most companies don’t have the tools they need to do this effectively. Despite this, Opmantek senior engineer Mark Henry said many IT systems were running with low-scale early warning solutions.

“Generally speaking, a lot of the customers that we talked to, who haven’t adopted NMIS (Network Management Information System) as their network monitoring solution, are sitting down around the level zero or level one area (Gartner’s IT Service Management Maturity Model). That’s also the same for many kinds of low end, off-the-shelf, free or open-source monitoring solutions,” he said.

The truth is that most companies don’t have the time or resources to monitor their networks 24/7. Using NMIS, a reliable and robust monitoring system, means you don’t have to.

 

The benefits of an integrated network management information system

Network Management Information System (NMIS) is an open-source network management system that provides real-time monitoring, configuration, and troubleshooting capabilities. It’s used by many companies worldwide who are looking for ways to manage their networks efficiently, integrating this with other modules that Opmantek offer will help build an efficient and effective strategy to help mitigate network security risk.

Open-AudIT can be installed onto Linux, Windows, or Virtual machines and once installed, needs only credentials and a subnet to discover all the devices attached to that network. Integrating Open-AudIT and NMIS is incredibly easy, Open-AudIT will discover all the devices on your network and with a click of a button, they will all be managed by NMIS, read more here. Integrating opConfig into this is a matter of importing the nodes from NMIS and then creating/applying a credential set for that node, detailed here. From here, we have a system in place that will discover any devices on your network, monitor all software installations, monitor the status/availability of devices, and report on any configuration changes.

 

To test this out on a lab network, download Opmantek’s virtual machine, with everyone installed and ready to go, and see how easy it is to get ahead of network issues.

Uncategorized

4 Best Practices For Automating Your Network Management

This excerpt comes from a blog originally posted on MSP Insights

Murphy’s Law states: “Anything that can go wrong will go wrong.” Equipment always breaks when you’re on vacation, often when the on-call engineer is as far away as possible, and with little useful information from the network management software (NMS).

It’s critical for a network to be available 100% of the time and always performing at 100%. Network management is a core component of IT infrastructure that is put in place to minimize disruptions, ensure high performance, and help businesses avoid security issues. Network architectures and networking products handle the brunt of the work, but management tools and technologies are essential for picking up the slack and allowing the shift from reactive to proactive strategies.

Network automation can automate repetitive tasks to improve efficiency and ensure consistency in network teams. Ultimately, automation will improve the meantime time to resolve (MTTR) and drive down the total cost of ownership (TCO). Network automation enables staff to gain process and configuration agility while maintaining compliance standards. It will help simplify your network and lower maintenance costs.

Save Time And Money With Automation

According to Gartner, “The undisputed number one cause of network outages is human error.” As humans, we all make mistakes, which is why businesses must have comprehensive automation in place. Automation can reduce the likelihood of issues being missed by ensuring consistency and reducing the need for tedious manual configuration. It also can save time, money and improve productivity. The following are four steps organizations can take to build a reliable and agile network through automation.

1. Implement Operation Process Automation (OPA)

OPA is about getting the right systems in place to automate repetitive operational tasks to improve efficiency and ensure consistency in operations teams. OPA delivers process automation specifically to IT and network operations teams. As well as emulating actions that network engineers take within a network management system, OPA also can perform advanced maintenance tasks, assist in the interpretation of network data, and communicate effectively with other digital systems to categorize, resolve, and escalate potential network issues. Ultimately, OPA is about improving the MTTR and decreasing the cost of operations.

2. Improve Configuration Management

When considering automation solutions to scale your business, a critical variable to consider is time saved through automation compared to the amount of time tasks take if performed manually. A significant amount of administration time is consumed managing configurations and firmware updates, which could be better spent on proactive tasks. Organizations looking to become more efficient should consider an automated network management tool that integrates configuration management to reduce the risk of human errors and enable easier implementation of network-wide changes. This concept is not new, and it is the fundamental basis of making impactful decisions on how your organization can scale.

3. Single View Multi-Vendor Support

Most networks are composed of elements from multiple manufacturers. This can create challenges when overseeing the elements of each management system. A better, more efficient approach is to find and deploy management tools that offer true multi-vendor support. This will reduce the number of tools needed for day-to-day tasks and eliminate the need for learning and maintaining multiple management tools, which will improve operational responsiveness and efficiency.

4. Policy-Based Management Systems

Many common network administration activities should be handled by the network management system automatically. These systems should not require repeated configuration but be configured through a policy that captures the business rules and ensures that devices are handled consistently. Automated device discovery and classification is another important aspect, automatically determining what the device is, what to monitor, and what type of alerts and events will be generated, all without human intervention.

Combining People And Process Automation

According to Forrester, 56% of global infrastructure technology decision-makers have implemented/are implementing or are expanding/upgrading their implementation of automation software. It’s important to note that automation does not mean the replacement of individuals. Instead, it can benefit IT workers, by transferring routine and tedious elements of managing networks to machine learning models that can reduce the noise from the vast number of alerts and notifications. For organizations that are looking to scale, a combination of people and process automation will yield the best results book a demo from our experts to learn more.

Uncategorized

How to combat the growing threat of ransomware attacks?

There has been a significant growth in ransomware attacks in Australia and even other countries where hackers are especially leveraging the Covid-19 outbreak to dupe netizens. According to a report by Cybersecurity Ventures, by 2021, one business entity will succumb to ransomware attacks every 11 seconds, up from every 14 seconds in 2019.

Ransomware, defined in the simplest terms, is malicious software that secretly seeps into your computer or data center and encrypts some/all data using a unique key that can only be decrypted and accessed using the same key. Attackers then demand a ransom to let you gain access to your data. According to Datto, American cybersecurity and data backup company, ransomware costs businesses more than $75 billion per year.

Some common types of ransomware attacks include:

  • Crypto malware gains unauthorized access to IT systems and encrypts valuable data and files, disrupting IT operations. The hacker demands payment to hand over decryption keys.
  • Lockers block users and administrators from logging into their systems, blocking access to files and applications. The attacker demands a ransom to grant access and restore systems to normalcy.
  • Doxware, also known as extortionware, obtains sensitive information and threatens to publish it online, putting confidential, mission-critical business data at risk. As businesses are responsible for protecting their user data, this situation can disrupt legal compliance.

Most of the ransomware attacks start with a phishing email. A simple click with a link to download a malicious attachment can be the gateway to a successful attack. With the ongoing stress and uncertainty of the coronavirus pandemic, people are more vulnerable to fall victim to carefully designed phishing attacks.

Amidst rising Coronavirus cases, there has been a significant increase in the ransomware attacks on hospitals and healthcare institutions. However, this doesn’t mean others businesses are safe. Many companies are succumbing to these attacks as many of their employees are working remotely in insecure networks. The coronavirus crisis is impacting business revenues and cash flows already, and a  successful ransomware attack on top of it will impact business continuity drastically.

Use-cases of Toll Group and Epiq Global, among others
Ransomware and related attacks worth about $241 million were reported in Australia alone in 2019, according to a new report. The attacks have continued in 2020, with the Australian logistics company, Toll Group, being hit by a ransomware attack on 31 Jan 2020. The company, with over 40,000 workers, had to shut down, disable and isolate its systems and resort to manual processing of the massive amount of data it deals with daily. On 26 Feb 2020, a ransomware attack impacted Talman Software, which serves 75% of the Australian wool industry. As a result, the whole wool buying and selling system went offline across Australia and New Zealand.

Globally, organizations are focusing on digital transformation initiatives—making them primary targets of ransomware attacks. On 29 Feb 2020, a ransomware attack on legal services giant Epiq Global had quickly spread and affected all computers across their 80 global locations. On 2 Mar 2020, Visser Precision LLC, US-based aerospace, automotive, and industrial parts manufacturer, fell victim to a ransomware attack by the DoppelPaymer group. It affected industrial giants Lockheed Martin, General Dynamics, Boeing, Tesla, and SpaceX, among other companies who subcontracted work to Visser Precision LLC.

Paying the ransom doesn’t guarantee recovery, especially if hackers are amateurs. They buy ransomware on the dark web without having the technical proficiency to infect networks, thereby failing to decrypt data.

Mitigating the Risk of Ransomware Attacks
The approaches to mitigation vary from business to business. Some conventional approaches to reducing the risk are:

  • Backup business-critical and sensitive data periodically on local machines, removable hard risks, and the cloud
  • Segregate your networks and systems so that a successful attack on one subsystem doesn’t transmit to others and mitigates that impact
  • Perform necessary software and OS updates to ensure software is up to date and secure enough to mitigate the vulnerabilities
  • Review your existing endpoint security solution for its readiness and capability to protect against ransomware attacks. If it’s inadequate, upgrade to a suitable alternative solution.
  • Deploy modern security solutions for email and web security.

Secure remote working with web and endpoint security
The coronavirus crisis has been an opportunistic moment for cybercriminals. The workforce across the globe is working remotely, either from home or any other location; and many employees are using personal devices for work—accessing corporate data using their home networks. Home networks are not as secure as office networks and result in compromised security, offering a gateway to cybercriminals.

How do you strengthen the security posture of your remote workers? Securing endpoints and web access is the key! Endpoint security secures laptops, mobile phones, tablets, and other device connections that tap into corporate networks.

At FirstWave, our solution provides comprehensive, state of the art endpoint security—protecting devices like PCs, Macs, and mobile phones and letting remote workers access corporate applications securely. Moreover, it provides web security to prevent data leaks and protects from malicious web content; and employs cognitive threat analytics for enhanced security.

We all hope that the disruption to people’s lives and work from Covid-19 will end soon and we pray for everyone’s well-being. However, even when we get over Covid-19, remote working will be the new norm across many companies. Don’t forget to secure remote working with FirstWave Cloud as business continuity is more important than ever before!

Uncategorized