Skip to content

闡明設計決策的 6 步清單

Nice to know for UX, Product Designers, and Product Managers 

In the process of designing any digital product, there is always a time when you, as a UX or Product designer, need to make a tough decision.

It’s often combined with the limited time and pressure from customers, engineers, managers, and everyone else in the product development cycle.

You may need to accept that panic, fear, and lack of self-confidence are often part of the decision-making process.

Sounds familiar? In this article, I’ll share a six-step decision-making framework that will not only make your process faster but also easier to articulate to all those involved.

When making a decision, we form opinions and choose actions via mental processes which are influenced by biases, reason, emotions, and memories. The simple act of deciding supports the notion that we have free will. We weigh the benefits and costs of our choice, and then we cope with the consequences. Factors that limit the ability to make good decisions include missing or incomplete information, urgent deadlines, and limited physical or emotional resources.

Psychology Today

The ability to think critically is key to making good decisions without succumbing to common errors, bias, or intuition. “There is a need for disciplined intuition and what I mean by disciplined is delayed intuition. One of the many problems with our intuitions is they come too fast and we tend to confirm them.” (Kahneman, Daniel. Thinking, Fast and Slow. New York: Farrar, Straus, and Giroux, 2011.)When you look at all possible sources of information with an open mind, you can make an informed decision based on facts rather than intuition.

Let’s move on to putting the decision-making framework into action.

Design Decision Framework 

This process will ensure that you make a good decision in a complex situation, but it may be unnecessarily complicated for small or simple decisions. In these cases, jump ahead to step 5.

Step 1. Investigate the problem

Start by considering the decision in the context of the problem it is intended to address. You need to determine whether the stated problem is the real issue or just a symptom of something deeper.

To make a proper problem investigation, first you need to know the user that is facing this problem, why it happens, and how often it occurs – to name a few. There are many things to know about your user and product when you’re working on a new problem. To make sure that you understood the core problem, using the 5 Whys framework can be helpful.

Step 2. Set up the environment

Enable people to take the discussions without any fear of the other participants rejecting them and their ideas. Make sure that everyone recognizes that the objective is to make the best decision possible in the circumstances, without blame. This is often referred to as psychological safety, and it’s a key part of the process.

Step 3. Generate good alternatives

The wider the options you explore, the better your final decision is likely to be. Generating a number of different options may seem to make your decision more complicated at first, but the act of coming up with alternatives forces you to dig deeper and to look at the problem from different angles. Make sure that all of your options are good enough – you don’t need to create options just for illusion of choice or quantity.

When you’re satisfied with the choice of realistic alternatives, it’s time to evaluate the value, feasibility, and risks of each one.

Step 4. Select the best solution

This is the step where you make a decision!

In the design process, you can’t really develop a product by yourself, so you will probably make a decision as a group of people – and of course more people make it a more complicated decision process. It is optimal to keep the total number from 3 to 7, depending on your company process.

If there’s a tendency for certain individuals to dominate the process, you can arrange anonymous voting or assign a facilitator who will ensure equal participation.

To simplify the final decision, you can use the product design principles of your company to find the solution that will perfectly fit into your brand and strategy.

“Product design principles (or, in short, design principles) are value statements that describe the most important goals that a product or service should deliver for users and are used to frame design decisions.”

NNGroup

To make small design decisions—components, colors, alignment—lean into your design system and guidelines, as they should cover most of the cases. If they don’t, make a note and discuss it with a design system owner to make sure that your idea will fit into the general strategy.

If your product, for one reason or another, does not have an established design system, you can use well-known systems like Material Design, IBM, etc.

Step 5. Evaluate your decision

Now is the time to check your decision one more time. Before you start to implement your decision, take a long, dispassionate look at it to be sure that you have been thorough and that common errors haven’t crept into the process.

Your final decision is only as good as the facts and research you used to make it. Make sure that your information is trustworthy and try to avoid confirmation bias.

Of course, sometimes you are limited by resources for implementation, release date, or budget, so it’s impossible to implement the best solution. And that’s okay! As a designer, you should always remember that the development of the product is an iterative process, so you just need to choose the most suitable option in the current circumstances for your product to evolve, even if you personally do not like the solution. If this decision will have a balance of usefulness for the user vs. resources used – then you made the right decision.

Step 6. Communicate your decision and take action.

Once you’ve made your decision, you need to communicate it to everyone affected by it in an engaging, informative, and inspiring way.

Get them involved in implementing the solution by discussing how and why you arrived at your decision. The more information you provide about risks and projected benefits, the more likely people will be to support it.

Summary

  • Remember, we’re all humans. It’s okay to have emotions involved in the decision process – you just need to know how to handle it.
  • Think critically and make an informed decision based on facts rather than intuition – don’t allow the desires of others to dictate your decision.
  • You’re not alone: collaborate with your project team.
  • Communicate the decision that you made in an engaging and inspiring way. Explain why you came up with this decision – don’t present a decision as a fact.

Involved or interested in design? For further reading, check out our other blog posts by the Keepit design team, such as how Keepit puts UX first and why customers love Keepit’s ease of use.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

為什麼沒有更多的中小企業使用多重身份驗證?

Cyberattacks against small and medium-sized enterprises (SMEs) are on the rise — from ransomware to Distributed Denial of Service (DDoS). Leveraged credentials, most often passwords, cause 61% of data breaches.

Nearly half of all cyberattacks target SMEs who are less equipped to recover from damages. 

Why don’t cybercriminals limit their nefarious activity to organizations with large bank accounts? They have strategically determined SMEs are less likely to invest in security best practices than large enterprises. 

Sadly, the consequences of these data breaches can be devastating. On average, 60% of SME breach victims file for bankruptcy within six months of an incident. The good news is SMEs can avoid nearly 100% of breaches by taking one simple action: implementing multi-factor authentication (MFA)

Why Aren’t More SMEs Using Multi-Factor Authentication?

person in a mask typing in code on a computer

According to a 2021 study, organizations that use MFA are 99.9% less likely to experience a breach than those that do not. 

Yet, despite having awareness of cybersecurity risks, an estimated 67% of business decision-makers don’t use MFA for any of their login points.

Why aren’t more SMEs using multi-factor authentication? Is the resistance to MFA one of misunderstanding, misinformation, or the perception of inconvenience? And how can it be overcome? Let’s explore MFA’s benefits, challenges, and common misconceptions around SMEs using multi-factor authentication — but first, a primer on MFA:  

What Is MFA? 

MFA is a method to protect an access transaction by utilizing multiple (often two) factors to verify a user’s identity. MFA, sometimes referred to as two-factor authentication (2FA), goes beyond vulnerable password authentication by requiring two or three forms of identity:

  • Something you are: biometric data like facial recognition, fingerprint, retinal imprint, or even speech and typing patterns.
  • Something you know: passwords or facts about your life or family history.
  • Something you have: a device in your possession, like a phone or a security key.

Though the technology has been around for decades, biometric data recognition was mostly relegated to sci-fi movies until recently. 

However, technologies like facial recognition and fingerprint scanning are now mainstream thanks to organizations embedding them into their products. A recent survey of 1,000 Americans found that 70% of them find biometrics easier to use than traditional passphrases. 

How Does MFA Work?

End users may see MFA as slightly inconvenient as it involves a few extra steps. But the process itself is relatively straightforward: 

  • The user logs in with their password (something they know).
  • The user is prompted to satisfy a second factor:
    • One-time passcode (TOTP) on their phone or tablet from an authentication app like Google Authenticator, or
    • One-time passcode (OTP) via email or SMS, or
    • Push notification from a smartphone or tablet app, or
    • Scan of fingerprint, face, or other biometric factor 

Once the user’s identity has been verified by the organization’s chosen secondary and/or tertiary factor, the user is granted admission to the network. 

Benefits and Challenges of Using MFA 

woman sipping from a coffee mug, petting her dog while working in front of her laptop

MFA Benefits

Implementing MFA has many benefits, but here are three: 

  • MFA keeps accounts secure even if passwords have been compromised.
  • MFA provides peace of mind for stressed-out cybersecurity teams. 
  • MFA lays the foundation for running a Zero Trust security framework, which maintains trust without maximum verification and introduces security vulnerabilities. 

In addition, MFA is one of the easiest security measures admins can take. 

MFA Challenges and Solutions

Now, let’s dig into why more SMEs aren’t using multi-factor authentication. Identity management is the only technology that requires users and admins to balance efficiency, convenience, and security all at once — a challenge, but a surmountable one. 

Here are the three challenges most often cited by SMEs resisting MFA:

  • MFA could be time-consuming and slow productivity.
  • MFA could negatively impact user experience (UX).
  • MFA could be expensive for small businesses to manage. 

When it comes to choosing between speed and security, speed often wins. Fortunately, new innovations in UX design are delivering a seamless user experience with no compromise. Implemented correctly, MFA can increase IT security without adding complexity or slowing productivity for the end user. 

business meeting in an office setting

Managed MFA solutions can support multiple factors depending on the applications, devices, and systems they protect. Integrated into a cloud directory platform like JumpCloud, managed MFA solutions reduce the complexity of protecting a single identity while securely connecting the user to multiple IT resources. Less complexity leads to higher user adoption rates and a greatly reduced attack surface.

Employees may continue to lose their smartphones on occasion, but this problem can be solved with an authentication app like JumpCloud Protect™. JumpCloud Protect will: (1) temporarily relax MFA requirements while the user sets up their new phone; or (2) shift MFA requirements to a non
-smartphone-based method like a hardware-based key or fingerprint scanner.

Finally, MFA costs are scalable for SMEs, with simplified à la carte and bundled pricing plans that deliver what businesses of all sizes need, when they need it. (Note: Cloud MFA services are free with all bundled JumpCloud packages.)

The ROI of Multi-Factor Authentication for SMEs

With so much on the line for SMEs, whose data is frequently targeted by hackers, MFA adoption has never been more critical. MFA helps keep accounts secure even if passwords have been compromised. 

According to Aberdeen Research, small businesses of less than 500 employees with up to $50M in annual revenue experienced downtimes costs of up to $8,600 per hour in 2016. All things considered, a solid Zero Trust initiative like MFA is a drop in the bucket. 

Interested in learning more about JumpCloud and how to achieve more robust security practices? Open a JumpCloud Free account today. 

JumpCloud Free grants new admins 10 systems and 10 users free to help evaluate with access to the complete platform. Once you’ve created your organization, you also receive 10 days of Premium 24×7 in-app chat support to help you with any questions or issues.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

最小特權原則:理解這個概念的重要性

Granting administrator access to a user who does not even have time to explain why they need this permission is not an efficient way to solve a company’s problems but rather to harm its security. 

This is because sensitive data can fall into the wrong hands through a cyber invasion, in addition to the organization’s own collaborator posing a threat due to the possibility of human, accidental, or purposeful errors. 

In this context, it is recommended to apply the Principle of Least Privilege, which grants these users only the necessary permissions to perform their tasks. 

In this article, we explain in detail this concept and its importance, among other information on the subject. To facilitate your reading, we divided our text into topics, which are:

  • What is the Principle of Least Privilege?
  • Why is the Principle of Least Privilege Important?
  • 10 Benefits of the Least Access Principle
  • How to Implement the Principle of Least Privilege
  • Principle of Least Privilege: Example
  • Challenges of the Principle of Least Privilege
  • Need-to-Know Principle and Principle of Least Privilege: What Is the Relationship?
  • Zero Trust and the Principle of Least Privilege: What Is the Relationship?
  • How to Keep Your Data Protected Using Passwords
  • About senhasegura
  • Conclusion

Enjoy the read!

What is the Principle of Least Privilege?

Also known as Least Access Principle, the Principle of Least Privilege (POLP) refers to a concept of cybersecurity according to which users should receive only the necessary permissions to read, write, and execute files indispensable to their operations.

In practice, the Principle of Least Privilege integrates the security policy of companies and restricts access to applications, systems, and processes only to privileged users.

Depending on the system, it is possible to base these privileges on the roles of professionals within organizations. 

Why is the Principle of Least Privilege Important?

First, the Principle of Least Privilege is critical to reducing the attack surface, preventing the action of malicious users. This is extremely important, since privileged credentials are among the main targets of attackers.

That is, by limiting superuser and administrator access through the Least Access Principle, one can protect a company from intrusions. Moreover, it helps prevent the spread of malicious software, such as malware.

However, it is essential to be aware of the need to apply the Principle of Least Privilege to endpoints. This helps prevent hackers from using elevated privileges to increase their access and move laterally across the IT framework.

The need to keep companies in compliance with strict auditing standards also explains why the Principle of Least Privilege is important. 

10 Benefits of the Least Access Principle

The main benefits of the Least Privilege are:

  • Elevation of privileges when necessary
  • Restriction of access to applications
  • Restriction of access to system settings
  • Control of the data used
  • Smallest attack surface
  • Reduction of human failures
  • Malware containment
  • Enhanced data security
  • Protection against common attacks
  • Compliance with audit criteria

Here are more details on these benefits:

Elevation of Privileges When Necessary

It is necessary to apply the Least Access Principle (POLP) whenever one needs to elevate the privileges of an employee to a particular application for a specific time to operate. 

Restriction of Access to Applications

Another purpose of the Principle of Least Privilege is to prevent an administrator from changing the settings of equipment by installing applications and exposing the organization’s network to cyber threats.

Restriction of Access to System Settings

The  Principle of Least Privilege also has the function of reducing administrative privileges by restricting access to system settings. 

Thus, a user may have administrative privileges without being able, for example, to change firewall settings, since the control of the environment is intended for the administrator. 

Control of the Data Used

Through the Principle of Least Privilege, one can record and store detailed information about each access granted and obtain greater control of the company’s data. 

Smallest Attack Surface

If a malicious agent breaks into a user account with limited permissions, their attack will compromise only the resources accessed by that user. In contrast, if the hacked account is an administrator, the hack will impact the entire network.

This means that, in order to reduce the attack surface used by hackers to harm a business, it is recommended to keep the minimum number of administrator accounts.

Reduction of Human Failures

In addition to hacking, applying the Principle of Least Privilege in your organization helps prevent problems caused by human errors. After all, users with access to resources that go beyond what is necessary to perform their tasks can, unintentionally or even purposely, delete or reconfigure something.

Malware Containment

The  Principle of Least Privilege helps prevent your network from getting infected by malware. This is because an administrator with many accesses can spread malware to multiple systems, while it is possible to count its dissemination on networks where Least Privilege applies.

However, it is not enough to restrict users’ access, as the same must be done in relation to applications in order to prevent this type of attack on your network.

Enhanced Data Security

You may remember when Edward Snowden leaked millions of classified NSA (National Security Agency) files to the media due to his privileged access. The incident has caused many problems, which could be avoided if his permissions were limited to the scope of his work.

Applying the Least Access Principle is an efficient way to limit the number of users with access to sensitive data, reducing the possibility of internal leaks and strengthening digital security. 

Moreover, in the event of a violation, the restrictions imposed by the Principle of Least Privilege allow for easier tracking of the cause.

Protection Against Common Attacks

Applications with high privileges are often targeted by hackers, who insert malicious instructions into SQL statements to control critical systems. However, this type of attack can be avoided through the Principle of Least Privilege (POLP), which impacts the possibility of elevating permissions. 

Compliance with Audit Criteria

Applying the Least Access Principle allows organizations to operate in accordance with the most stringent audit requirements, making it possible to avoid threats and reduce the downtime and losses generated by a potential attack.

How to Implement the Principle of Least Privilege

Some practices are recommended when the goal is to apply the Principle of Least Privilege. Some of them are:

  • Conduct an audit of the accounts;
  • Establish the Least Privilege into new accounts;
  • Elevate privileges for a limited time;
  • Ensure that elevations of privileges are appropriate;
  • Track all user actions on the network; and
  • Conduct periodic audits.

Check out these items in more detail below:

Conduct an Audit of the Accounts;

The first step in implementing the Least Access Principle is to audit all existing privileges in accounts, programs, and processes, ensuring that users are only granted the necessary permissions to perform their activities.

Establish the Least Privilege Into New Accounts

Next, it is important to keep in mind that new accounts must be created in compliance with the Principle of Least Privilege, regardless of whether they are used by company managers or IT staff.

After all, if any of these users require a higher level of access afterward, it may be granted temporarily.

Elevate Privileges for a Limited Time

The privileges granted must be temporary whenever a user needs to raise the level of access for a specific project. In such cases, to ensure even greater security, it is possible to use single-use credentials.

Ensure that Elevations of Privileges Are Appropriate

Before applying the Principle of Least Privilege to accounts that already exist, you should assess which roles require elevated access and whether users actually rely on this elevation of privileges to perform their operations.

This assessment should be carried out periodically, including new tasks that may require privileged access. 

Track All User Actions On the Network

To apply the Principle of Least Privilege, it is also important to monitor and track all user actions on your network.

This monitoring will allow you to detect over-privileged users, track suspicious activity, and identify evidence of an intrusion before it causes incalculable damage.

Conduct Periodic Audits

To ensure that permissions are always at the appropriate level, periodic audits are required. 

Keep in mind that performing this type of maintenance is much easier than starting to implement the Principle of Least Privilege policy from the beginning, saving you time and ensuring more security for your company. 

Principle of Least Privilege: Example

Here are some cases where the use of POLP is indispensable:

  • Social Media

We advise the conscious and responsible use of social media through the application of the Principle of Least Privilege. In other words: to offer only the information necessary to make use of these media and not to share sensitive data with other user profiles.

In addition, it is important to configure privacy and security options in order to restrict users’ access to your publications.

  • Mobile Devices

Many applications request unnecessary permissions to perform their functions, such as telephone, location, and contacts, and can even be used to steal the banking details of the victims.

Therefore, it is also essential to apply the Principle of Least Privilege in this case in order to avoid damage caused by malicious apps.

  • Health System

A receptionist of a health insurance plan should not have access to the clinical and confidential data of patients. This is because, without the Principle of Least Privilege, if a malicious user invades your computer, they will have access to these files.

  • Manufacturing Companies

A manufacturing company should also grant its employees only the level of access needed to perform their tasks, rather than giving access to your entire ICS. This is because remote access to industrial resources and interconnectivity generate security vulnerabilities for the organization.

  • Retail

The retail sector usually has a high turnover of employees, which can be a problem if there is no control over the levels of access granted. For this reason, companies in the segment must apply the Principle of Least Privilege to ensure that only the right people have access to their data and resources.

  • Financial Services

Professionals working in financial services deal with millions of customer files daily. To reduce risks, it is appropriate to apply the least access principle (POLP) in that context. 

  • Outsourced Activities

Many corporations outsource services such as CRM systems, HR, and databases. When they need technical support, it is advisable to apply the Principle of Least Privilege, ensuring that outsourced professionals have access only to the system they need to repair, which reduces risks to the company.

Challenges of the Principle of Least Privilege

The main feature of the Least Access Principle is the possibility of granting users only the necessary permissions to perform their tasks, and the major challenges related are the minimum access and the access expiration. Check it out:

  • Minimum Access

Often, the administrator is not sure if the user really needs a high level of access before providing it and grants this permission anyway to reduce inconvenience to the user and not needing to contact technical support.

Nevertheless, it is advisable not to provide privileged access without being 100% sure it is necessary. If the access provided is not required, this is unlikely to be reported to technical support, increasing the attack surface. In contrast, if the user does not receive the access they need, they may request this permission. 

  • Access Expiration

Another challenge related to privileged access is that often a user’s roles are changed over time, without removing previous privileges. As a result, many employees accumulate unnecessary privileges to perform their activities.

To avoid this problem, it is recommended to set a deadline for the access expiration, which ensures that it expires if it is not renewed. 

Need-to-Know Principle and Principle of Least Privilege: What Is the Relationship?

Used by governments and large organizations to protect state and industrial secrets, the Need-to-Know Principle is a concept that advocates restricting information access only to people who need it to perform their tasks, regardless of the corporation’s level of security or the authorization of superiors.

When we talk about digital security, its application involves the use of mandatory access control (MAC) and discretionary access control (DAC) solutions.

The Principle of Least Privilege, in turn, refers to the need to direct just the accesses each user of a network or system needs to perform their functions. 

Zero Trust and the Principle of Least Privilege: What Is the Relationship?

Under the Zero Trust-based security concept, organizations should not rely on anything that is within or outside their boundaries. Therefore, any access requests must be checked and evaluated before being granted.

To limit which systems a user can access, this security model uses features such as auditing, credential protection, and multifactor authentication (MFA).

Moreover, it is recommended to apply the Principle of Least Privilege as a strategy to limit the level of access of users only to the necessary permissions.

How to Keep Your Data Protected Using Passwords

The cyber universe requires many security measures to mitigate risks, and POLP is one of the most effective. However, there are other ways to protect an organization’s resources and data, and one of them is to choose secure passwords. 

Here’s what you should take into account to set a password:

  • Use long and complex passwords. This prevents hackers from using techniques to guess them. However, just using complex passwords may not be enough to avoid the action of malicious attackers.
  • Many devices are configured with default passwords. Change them immediately.
  • Avoid reusing your passwords on different accounts. In addition, constantly check if you have ever been a victim of data leaks through senhasegura Hunter. In that case, change your passwords immediately.
  • Set up your passwords to be changed frequently. The ideal is at least every three months.
  • Do not write down, store in an easily accessible place, or share your passwords with others, thus avoiding unauthorized access.
  • Consider password management solutions, or even privileged access management (PAM), to manage the use of systems and devices.
  • Use multifactor authentication (MFA) mechanisms to add a layer of security to your accounts.
  • Set up means of retrieving access, such as including phone numbers or emails.
  • Passwords are one of the oldest security mechanisms in the computing world and are also one of the main attack vectors by hackers. And in the “new normal” era, with increasing threats resulting from the covid-19 pandemic, it is vital that users be alert and properly protect their digital identities. In this way, we can avoid cyberattacks that can cause considerable damage not only to people, but also to businesses. Remember: security starts with you!

About senhasegura

We, from senhasegura, are part of the MT4 Tecnologia group, created in 2001, to promote cybersecurity.

We are present in 54 countries, providing our clients with control over privileged actions and data. In this way, we avoid the action of malicious users and data leaks. 

We understand that digital sovereignty is a right of all and this goal can only be achieved with applied technology. 

Therefore, we follow the life cycle of privileged access management, before, during, and after access, by using machine automation. Among our commitments, the following stand out:

  • To ensure more efficiency and productivity for businesses, as we avoid interruptions due to expiration;
  • To perform automatic audits on the use of privileges;
  • To automatically audit privileged changes to detect abuses;
  • To ensure customer satisfaction;
  • To perform successful deployments;
  • To provide advanced PAM capabilities;
  • To reduce risks;
  • To also bring companies into compliance with audit criteria and standards such as PCI DSS, Sarbanes-Oxley, ISO 27001, and HIPAA.

Conclusion

By reading this article, you saw that:

  • The Principle of Least Privilege is a security policy, where each user of a system must receive only the necessary permissions to complete their activities;
  • This allows to reduce the attack surface and avoid the action of malicious attackers;
  • It also brings other benefits, such as avoiding the proliferation of malware and human failures, that may generate risks;
  • To implement the Least Access Principle in an organization, it is necessary to audit existing accounts, ensure that elevation of privileges is granted for a limited period, and track all actions of users on the network, among other good practices;
  • As examples of situations in which the Principle of Least Privilege should be applied, we highlight social networks and health systems, among others;
  • The main challenges related to the adoption of the Principle of Least Privilege refer to minimum access and access expiration;
  • The Principle of Least Privilege can be associated with the Need-to-Know Principle and the Zero Trust-based security model.
  • In addition to using the Principle of Least Privilege, keeping an organization’s data secure involves other measures, such as the adoption of strong and unique passwords.

Did you like our article on the Principle of Least Privilege? Then share it with someone who may be interested in the topic. 

ALSO READ IN SENHASEGURA’S BLOG

Why Identity and Access Management is Important for LGPD Compliance

Windows Print Spooler Failure: Why Should I Upgrade Immediately?

What is An Incident Response Plan (irp) and Why is It Important to Have One?

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Senhasegura
Senhasegura strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

如何恢復 FileVault 密鑰

JumpCloud’s Universal Chrome Browser Patch Management

Browsers are the gateway to online productivity. 

Without them, we would not be able to get work done. To that end, they are also one of the biggest attack targets for bad actors. If we are not careful, and do not make a conscious effort to upkeep web browser security, hackers can easily exploit browser vulnerabilities. 

What makes browsers especially appealing to these individuals? Browsers access, collect, and hold lots of sensitive data — from personal credentials to company information — that cyber hackers can sell on the dark web and use to blackmail companies.

According to Atlas VPN, Google Chrome, the world’s most popular browser, has the highest number of reported (303) vulnerabilities year to date. Google Chrome also has a total of 3,159 cumulative vulnerabilities since its public release. 

In this article, we’ll dive into the topic of browser vulnerabilities, the importance of patch management, and how to streamline protection.

Atlas VPN top web browsers by vulnerability graph
Image courtesy of Atlas VPN

A Closer Look at Google Chrome’s Latest Vulnerabilities

On November 8, 2022, the Center for Internet Security (CIS) reported finding multiple vulnerabilities in Google Chrome. 

The most severe vulnerability within this group could potentially allow for arbitrary code execution in the context of the logged on user. What does that mean? 

Depending on a user’s privileges, an attacker could install programs and view, change, or delete data. The bad actor could even create new accounts with full user rights! 

Of course, users whose accounts have minimal user rights on the system would be less impacted than those with administrative user rights.

Multi-OS systems were affected, including:

  • Google Chrome versions prior to 107.0.5304.110 for Mac
  • Google Chrome versions prior to 107.0.5304.110 for Linux
  • Google Chrome versions prior to 107.0.5304.106/.107 for Windows

First and foremost, CIS recommends applying appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. See here for all the other CIS recommended actions. 

The Need for Browser Patching 

Here are the key reasons you should regularly update or patch your browsers:

  • Enhance Security: Prevention of spyware, malware, and other viruses that could give someone access to your data or trick you into handing it over.
  • Improve Functionality: Outdated browsers might not work (well) or support new apps or software.
  • Boost User Experience: Older browsers usually do not support the latest and greatest code and will have trouble loading component files in the website. This might cause a website to freeze, crash or take forever to work.

For IT admins, security aspects are probably the most important reason to patch browsers. Keeping browsers updated with the latest version (i.e., downloading and installing all provided patches) goes a long way toward preventing cyber attacks and bad actors from exploiting known vulnerabilities. 

How to Create Default Chrome Browser Patch Policies

One of the easiest ways to stay on top of patches, and reduce browser vulnerability risk, is to use the JumpCloud Directory Platform. 

The latest capability addition to our Patch Management solution provides a universal policy to keep Google Chrome up to date for macOS, Windows, and Linux. 

A universal policy saves time by automatically scheduling and enforcing Chrome security patches on a large number of managed devices.

Screenshot of JumpCloud Policy Management Console 
JumpCloud Policy Management Console 

The platform’s four universal preconfigured default Chrome browser patch policies allow admins to deploy browser updates with different levels of urgency. Admins also have the option to configure a custom universal policy; this feature allows for easy modification of existing policy settings to tailor update experiences to organizational needs. 

The four JumpCloud default Chrome browser patch management policies control how and when a Chrome update is applied. The recommended deployment strategies include:

  • Day Zero: Deploy automated upgrades inside your IT Department the first day an update is available.
  • Early Adoption: Deploy automated upgrades to early adopters outside of IT.
  • General Adoption: Deploy automated upgrades to general users in your company.
  • Late Adoption: Deploy automated upgrades to remaining users in your company.

Once you have created a Chrome browser patch policy, you can assign it to any devices, policy groups, or device groups. A policy group helps quickly and efficiently roll out existing policies to large numbers of similar devices. 

Capabilities of JumpCloud Browser Patch Management

JumpCloud’s new Browser Patch Management also introduces the following features:

  • Enforce Chrome updates and browser relaunch. 
  • Enforce or disable Chrome Browser Sign In Settings.
  • Restrict sign-in to a regex pattern to ensure users sign in via company email accounts.
  • Automate device enrollment into Google Chrome Browser Cloud Management, which unlocks limitless capabilities for browser and extension control within the Google Admin console. 

Dive deeper into the new Universal Chrome Browser Patch Management Release by exploring the release notes for this feature in the JumpCloud Community. 

Learn More About JumpCloud

The good news? Browser patching and patch management are included in JumpCloud’s affordable A La Carte pricing package. 

Try JumpCloud for free for up to 10 devices and 10 users. 

Complimentary support is available 24×7 within the first 10 days of acco
unt creation.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Fortinet 身份驗證繞過漏洞 – CVE-2022-40684

Introduction: 

The latest FortiOS / FortiProxy / FortiSwitchManager vulnerability has been reportedly exploited in the wild, which allows an attacker to bypass authentication and login as an administrator on the affected system.

  • Vulnerability Release Time : Oct Nov, 2022

  • Vulnerability Component Name : FortiOS – FortiProxy – FortiSwitchManager

  • Affected Products :

    • Affected FortiOS

      • 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0, 7.2.1

    • Affected FortiProxy

      • 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0

    • FortiSwitchManager

      • 7.0.0, 7.2.0

    • FortiOS versions 5.x, 6.x are NOT impacted

    • FortiProxy version 7.2.0

Solutions :

  • Please upgrade to FortiOS version 7.2.2 or above

  • Please upgrade to FortiOS version 7.0.7 or above

  • Please upgrade to FortiProxy version 7.2.1 or above

  • Please upgrade to FortiProxy version 7.0.7 or above

  • Please upgrade to FortiSwitchManager version 7.2.1 or above

  • Please upgrade to FortiSwitchManager version 7.0.1 or above

  • Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms

Execution Summary:

The CVE-2022-40684 vulnerability allows adversaries to bypass authentication and login into the vulnerable systems as an administrator in FortiOS / FortiProxy / FortiSwitchManager products.

Having admin user rights, adversaries can,

  • add new users to the vulnerable system

  • reroute the network traffic by updating network configurations

  • listen to and capture sensitive data by running packet capturing programs

CVSS v3:

  • Base Score: 9.8 (Critical)

  • Attack Vector:              Network

  • Attack Complexity:          Low

  • Privileges Required:        None

  • User Interaction:           None

  • Confidentiality Impact:     High

  • Integrity Impact:           High

  • Availability Impact:        High

Mitigation:

As mitigation measures and security workarounds for remediating the threat, Fortinet advisory recommends disabling the HTTP/HTTPS admin interface or limiting the IP address that can access the latter. Customers are also highly recommended to upgrade their potentially vulnerable software to the latest versions.

Furthermore,

In their PSIRT Advisories blog, the FortiGuard Labs have given some mitigation suggestions and recommended performing the following upgrades according to the vulnerable products.

For FortiOS:

  • Upgrade to version 7.2.2 or above

  • Upgrade to version 7.0.7 or above

If applying patch is not possible for some other reasons, apply the following mitigation suggestions.

Suggestion 1: Disable HTTP/HTTPS administrative interface

Suggestion 2: Limit IP addresses that can reach the administrative interface

  • config firewall address

  • edit "my_allowed_addresses"

  • set subnet <MY IP> <MY SUBNET>

  • end

Then crate an Address Group

  • config firewall addrgrp

  • edit "MGMT_IPs"

  • set member "my_allowed_addresses"

  • end

Create the Local in Policy to restrict access only to the predefined group on management interface.

  • config firewall local-in-policy

  • edit 1

  • set intf port1

  • set srcaddr "MGMT_IPs"

  • set dstaddr "all"

  • set action accept

  • set service HTTPS HTTP

  • set schedule "always"

  • set status enable

  • next

  • edit 2

  • set intf "any"

  • set srcaddr "all"

  • set dstaddr "all"

  • set action deny

  • set service HTTPS HTTP

  • set schedule "always"

  • set status enable

  • end

If you are using non default ports, create appropriate service object for GUI administrative access:

  • config firewall service custom

  • edit GUI_HTTPS

  • set tcp-portrange <admin-sport>

  • next

  • edit GUI_HTTP

  • set tcp-portrange <admin-port>

  • end

Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 above.

For FortiProxy:

  • Upgrade to version 7.2.1 or above

  • Upgrade to version 7.0.7 or above

If applying patch is not possible for some other reasons, apply the following mitigation suggestions.

Suggestion 1: Disable HTTP/HTTPS administrative interface
Suggestion 2: For FortiProxy VM all versions or FortiProxy appliance 7.0.6:

Limit IP addresses that can reach the administrative interface:

  • config system interface

  • edit port1

  • set dedicated-to management

  • set trust-ip-1 <MY IP> <MY SUBNET>

  • end

For FortiSwitchManager:

Upgrade to version 7.2.1 or above: Disable HTTP/HTTPS administrative interface

Technical Analysis / Exploits:

We found an open admin panel link and we tried to use default credentials but they failed.

  1. Now that our default bruteforce attack didn’t work, let’s try to use a new exploitation technique. Use below link to open exploit python script.

    https://github.com/horizon3ai/CVE-2022-40684

Open the python script file and copy complete code. Create a new file in your local directory and paste that copied python code in the new file.

      In our case we created a file with the name pocforti.py and pasted the code in it

Now let’s run this python script and let it do the magic trick. Use below command with fortinet admin server ip, port number, and your public key path.

python3 pocforti.py -t <fortinet admin server ip>:<port number> --username admin --key-file <your public key path>

Now after executing the python script, let’s try to SSH the fortinet hosted server. Use bellow command to successfully SSH in fortinet server.

ssh admin@<fortinet server ip>

After successfully get fortinet server access, let’s create a new user in fortinet database

Now after adding a new user with admin rights, let’s try this user.

After entering the new credentials of the created user, we successfully login to the fortinet admin panel as an admin user

Open the admin users to verify if your user is successfully added as admin user or not

As you can see, our created user is successfully added in fortinet users as an admin user.

Reference:

#fortinet #FortiProxy #ForitnetAdminAccess #CVE-2022-40684

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

硬化

Hardening is the process of bringing our OS, application, etc. to a more secure state, by configuring the system aside from its default (or previous) settings by reducing the attack surface.

This process can (and will) usually include removing software/services from the OS, removing/changing default password, patching, and so on.

The process of hardening has for its aim to remove configuration vulnerabilities.

For example, you can place a password policy on your OS, so that the user has to enter more complex password, than no or a simple password which would classify as a configuration-based vulnerability.

The hardening process should be specific for the OS and the threats you’re attempting to control. It would not be the same for a Linux-based server that’s for example a public webserver and for a Windows desktop. This would be different because of the nature of the threats you’re going up against, i.e., you’d need to have different profiles for each of those.

This implies that there’s no general way to harden systems, however, there are things that you will tend to do that will hold for all those cases. Like, as I already mentioned, removing unnecessary stuff, reducing your attack surface by controlling what could be attacked better, etc.

Hardening is not a trivial task, as it requires in-depth understanding of a system you’re hardening. To make an extreme example – you could set your firewall to block all inbound traffic by default and you would be quite safe, but then again, the reason for that safety would be due to the fact you’ve rendered one of the (main) functionalities of that system unusable – Accessing the Internet. Thus, you really need to pay attention in order to strike that middle ground between usability and security in a sensible way. You don’t want to have issues with using your daily driver OS, and you don’t want to break it.

Layers

Its helpful to think of layers when hardening your systems. One such example can be the webserver I already mentioned. You would have the OS layer, thus you’d need to harden the OS itself, then if your, for example, Apache runs an app server, you’d need to harden that as well. Finally, if you have an application that’s running there – the code for that application would need to be written securely.

This is just an illustration, so that you have a general idea of what to think about when thinking about hardening, but I want to focus more on OSes (if necessary, I will create another OS dedicated article about hardening).

Standards

There are standards out there for mostly anything you’d like to harden, and it’s best to follow these. Similar to let’s say secure coding best practices, or any other type of best practices.

Also, there are scripts that can audit or remediate your system to a state you wanted, this not only saves you time, but it will also provide you with a good way to avoid any human-based errors, while hardening your system.

The standards can be called baselines, benchmarks, policies, standards, etc. Just an fyi. They still describe the same thing… also, note that these benchmarks are made by a community of security professionals, which is what we want.

One such hardening standard is the CIS Benchmarks. As you can see on the link, they offer hardening for Mobile Devices, Network Devices, Server/Desktop Software, Cloud, and more, aside from the OS benchmarks, and it’s a good place to start. Once you’ve found your target system you’d like to harden, you can click on the link for it and download the associated .pdf file for that specific benchmark. (You will need to fill out a form, but after that, you’ll be sent a link where you’ll be able to access all the available .pdfs and download them, for free).

Note that the standards needn’t necessarily align with your needs, so even these standards are not a silver bullet that you can implement blindly. Read it, understand it, and assess what you will need before going forward with the implementation.

Another one of these baselines is the NIST Configuration Baseline, but it’s a bit dated (offering only for Windows 7 and Red Hat – but if you have Red Hat in your environment, it might be useful to you). Regardless, it’s a good resource to skim through so you can learn a bit more on the topic.

One more standard/baseline is the Securiity Technical Implementation Guides (STIGs), from the DoD Cyber Exchange Team. These are up to date, and cover the latest OSes (mostly) and their respective security standards for hardening them. Do note that these are geared more towards the DoD and their requirements, so there might be some things in there that won’t be useful for your case. However, these are something I’d recommend anyone who wants to harden their system(s) to look at and think of them as general hardening guidelines. To view these, you’ll also need a STIG viewer, as they are in an XCCDF format.

Although this might be a bit of a hassle, it’s worth it because it will give you a very nicely laid out interface with recommended settings, references, information, and more – all related to the hardening of system(s).

SCAP – Security Content Automation Protocol

This is a NIST standard, and from their website, it’s about:

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.

And

NIST’s security automation agenda is broader than the vulnerability management application of modern day SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting. We envision further expansion in compliance, remediation, and network monitoring, and encourage your contribution relative to these and additional disciplines.

The SCAP standard consists of the following components:

  • XCCDF
  • OVAL
  • DataStream
  • ARF
  • CPE
  • CVE

And is XML-based.

Simply put, SCAP is a protocol/standard that enables to create human and machine-readable security documents, that you can use with automated tools to audit/harden a target system.

Open SCAP is the implementation of SCAP. This is a bundle of tools, security policies, and is based on the SCAP standard. Be sure to check out the SCAP Workbench – This tool allows users to perform configuration and vulnerability scans on a single local or a remote system, perform remediation of the system in accordance with the given XCCDF or SDS file. Workbench can generate reports, in multiple formats, containing the results of a system scan.

It will both help you in case all of this is a bit confusing, and you can also run a test on your system, by inputting of the said standards in it and it will run it against that and tell you if your system passed/failed and if it has an
y vulnerabilities.

Unfortunately, Open SCAP is more focused on Linux systems (particularly Red Hat systems – CentOS/Fedora), but there is some (very minimal) MacOS and Windows support.

Conclusion

This is an extensive topic, and I hope my intro into it has attracted your attention. In the coming articles I will try to cover at least the OS portion of hardening – for Windows, Mac, and Linux.

Stay tuned!

Cover image by Ian Battaglia

#hardening #OS #application #SCAP #standard

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

如何在您的公司中防止 DDoS 攻擊?

There are several methods by which malicious agents attack websites and destabilize network services and resources. One of the most widely used techniques is the DDoS attack, which means distributed denial-of-service.

Through this attack, a website ends up becoming inoperable and overloaded with malicious traffic. However, DDoS attacks can also be made against all types of network resources, such as virtual applications, data centers, enterprise servers, and APIs.

Traffic overload can cause a variety of problems for your company, from bottlenecks in accessing important data to the unavailability of all digital tools in the corporation. Therefore, it is important to be attentive and know how to prevent DDoS attacks.

There are several ways to prevent DDoS attacks on your company servers. In this text, we will explain in more detail what DDoS attacks are and how they can affect your business. Moreover, we will show you how to prevent DDoS attacks on your company. 

To make our article clearer, we divided our content into topics. These are:

  • What Are DDoS Attacks?
  • How Can DDoS Attacks Affect Your Business?
  • How to Prevent DDoS Attacks?
  • About senhasegura
  • Conclusion

Enjoy the read!

What Are DDoS Attacks?

Before specifying what DDoS attacks are and how to avoid them, we must understand what DoS (denial-of-service) attacks are in general.

A DoS attack is a way of rendering a network resource unusable. The attack is usually carried out with a traffic overload, directing a series of superfluous requests to render the website unusable.

Through these malicious requests, the system ends up being overloaded and unable to process legitimate requests.

In the DDoS attack, the traffic maliciously directed to the resource comes from several sources. By multiplying the source of the attack, the method makes it impossible to avoid overloading by blocking a single source.

DDoS attacks are often used as a criminal mechanism. By making the system unusable, hackers can blackmail large organizations, so it is important to know how to prevent DDoS attacks

There are numerous techniques for performing a DDoS attack. The simplest way to do this type of attack is through a specialized tool, such as Slowloris or Stacheldraht. This type of tool is included in several types of malware and can carry out an attack without the knowledge of the system administrator.

The best way to understand an attack like this is through the following metaphor: imagine a group of people crowding into a shop entrance, preventing access to legitimate consumers. In this way, the store itself becomes inaccessible.

How Can DDoS Attacks Affect Your Business?

DDoS attacks are intended to make legitimate use of websites and web resources in general unavailable. Thus, the attacker is able to disrupt the activity of the attacked organization.

The main targets of these attacks are online services that we use frequently and contain sensitive data, such as internet banking, media, educational tools, medical management systems, e-commerce, etc.

The motivations behind attackers vary. Different groups have different reasons for carrying out DDoS attacks.

Attacks are sometimes carried out as a form of political activism. When government agencies are the victims, the agents generally seek to cause some type of economic or social instability.

In the case of massive attacks organized by large groups, DDoS can be used as a distraction tactic, directing the attention of authorities and technical teams to smaller attacks.

In other cases, the motivations may be strictly financial. For example, a malicious competitor could order a DDoS attack to make its service more attractive to consumers.

Or, more directly, the attacker can use the DDoS attack to extort a company and gain illicit profits.

In these cases, the malicious agent produces an attack to disable some digital service and charges a ransom to return the system to normality. These are the attacks known as RDDoS (ransom distributed denial-of-service).

Another tactic is to just threaten the organization with an attack. To convince the company to pay the ransom, the attacker can make an attack demonstration, a “sneak peek”, proving its disruptive capacity and thus increasing their chances of profiting from the fear and panic produced, especially in people who do not even imagine how to prevent DDoS attacks

Unfortunately, the company does not always have an adequate protection system. Furthermore, contacting law enforcement authorities can be a time-consuming solution and cause even more trouble with invaders.

Most of the time, hackers are not even tracked because they use cryptocurrency wallets to receive ransoms.

Besides, there is a whole lot of calculation to be done in the event of ransomware attacks. In fact, the answer to the simple question “should I or should I not pay the ransom?” may be more complicated than you think. 

The consequences of a DDoS attack can be disastrous. The instability of internal systems, for example, can make the production process more expensive or even totally hindered. On the other hand, the unavailability of websites accessed by the public can make it impossible to attract customers and make sales.

How to Prevent DDoS Attacks?

However, the development of DDoS attacks has also given rise to a number of defense techniques.

In fact, there is a way to know how to prevent DDoS attacks. Defenses against these attacks involve a combination of detection technologies, traffic classification, and response tools.

Basically, the goal is to block traffic identified as malicious and only allow traffic classified as legitimate.

About senhasegura

We, from senhasegura, are a company specializing in digital security. Through our services, we seek to give companies sovereignty over their actions and privileged information.

Our job is to fight corporate cyberattacks and data theft by protecting one company from others who track the actions of network administrators, databases, and internal servers through an integrated PAM solution. 

We also work to comply with demanding audit requirements and other standards, such as the Sarbanes-Oxley Act.

Conclusion

By reading this article, you saw that:

  • A DDoS attack consists of distributed denial-of-service;
  • These DDoS attacks can be made against websites and all types of network resources;
  • The attack is usually performed with a traffic overload;
  • In the DDoS attack, the traffic maliciously directed to the resource comes from several sources;
  • There are numerous techniques for performing a DDoS attack and the attackers’ motivations are also varied;
  • DDoS attacks allow attackers to disrupt an organization’s operations. Hence the importance of knowing how to prevent DDoS attacks;
  • To prevent DDoS attacks, it is necessary to combine detection technologies, traffic classification, and response tools.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Senhasegura
Senhasegura strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

OpenTelemetry:現代可觀察性標準

Blog thumbnail 2022 11 24 2

OpenTelemetry

Please check out our first article on observability to gain a fuller context for the topic we’re about to discuss. OpenTelemetry is currently the most actively developed standard in the field of observability. It is being adopted as the Cloud Native Computing Foundation incubating project. Born primarily as a merging of former OpenTracing and OpenCensus standards, OpenTelemetry continues to gain popularity, with its supporters including representatives of Google, Microsoft, and Uber.

The goal of the OpenTelemetry project is to introduce a standardized open solution for any development team to enable a proper observability layer in its project. OpenTelemetry provides a standard protocol description for metrics, tracing, and logging collection. It also collects APIs under its nest instrumentation for different target languages and data infrastructure components.

Below is a visualization of the overall scope of OpenTelemetry (credits to CNCF):

The development of specifications and all related implementations is being run in an open way in Github, so anyone involved can propose changes.

Different instrumentation implementations for different languages are in development. The current state of readiness can always be found on a related page of official documentation (for example, PHP).

Logs

Logs are the oldest and best-known type of telemetry signals, and they have a significant legacy. Log collection and storage is a well-understood task, with many solutions being established and widely adopted to carry it out. For example, the infamous ELK (or EFK) stack, Splunk, and Grafana Labs recently introduced the Loki project, a lighter alternative to ElasticSearch.

The main problem is that logs are not integrated with other telemetry signals – no solutions offer an option to correlate a log record with a relative metric or trace. Having the opportunity to do this can form a very powerful introspection framework.

OpenTelemetry specifications try to solve this problem with a logging format standard proposal. It allows correlating logs via execution context metadata, timing, or a log emitter source.

However, right now the standard is at an experimental stage and under heavy development, so we won’t focus on it here. The current specifications can be found here.

Metrics

As discussed previously, metrics are numeric data aggregates representing the software system’s performance. Through aggregation, we can develop a combination of measurements into exact statistics during a time window.

The OpenTelemetry metrics system is flexible. It was designed to be like this to cover the existing metric systems without any loss of functionality. As a result, a move to OpenTelemetry is less painful than other alternatives.

The OpenTelemetry standard defines three metrics models:

  • Event model — metric creation by a developer on the application level.

  • Stream model — metric transportation.

  • Time Series model — metric storage.

The metrics standard defines three metric transformations that can happen in between the Event and Stream models:

  • Temporal reaggregation reduces the number of high frequency metrics being transmitted by changing the resolution of the data.

  • Spatial reaggregation reduces the number of high frequency metrics being transmitted by removing some unwanted attributes and data.

  • Delta-to-cumulative reduces the size of high frequency metrics being transmitted via a move from absolute numbers (cumulative) to changes between different values (delta).

We will talk about the Stream and Time Series models in the third part of our blog series, where we will discuss signal transportation and storage. For now, let’s focus on the Event model, which is related to instrumentation.

 

 

The process of creation for every metric in OpenTelemetry consists of three steps:

  • Creation of instruments that will generate measurements – particular data points that we evaluate.

  • Aggregation of measurements into a View – a representation of a metric to output from the instrumented software system.

  • Metric output – the transportation metrics to storage using a push or pull model.

The OpenTelemetry measurements model defines six types:

  1. Counter – non-negative, continually increasing monotonic measurement that receives increments. For example, it may be a good fit for counting the overall number of requests the system has processed.

  2. UpDownCounter – the same as the Counter, but non-monotonic, allowing negative values. It may be a good fit for reporting the amount of requests being currently processed by the system.

  3. Histogram – multiple statistically relevant values distributed among a list of predefined buckets. For example, we may be interested not in particular response time but in the percentile of response time distribution, it falls into (a Histogram would be useful here).

  4. Asynchronous Counter – the same as the Counter, but values are emitted via a registered callback function, not a synchronous function call.

  5. Asynchronous UpDownCounter – the same as the UpDownCounter, but values are emitted via a registered callback function, not a synchronous function call.

  6. Asynchronous Gauge – a specific type for values that should be reported as is, not summed. For example, it may be a good fit for reporting the usage of multiple CPU cores – in this case, you will likely want to have the maximum (or average) CPU usage, not summed usage.

Through Aggregations in OpenTelemetry, measurements are being aggregated into end metric values that afterward will be transported to storage. OpenTelemetry defines the following measurements as Aggregations:

  • Drop – full ignore of all measurements.

  • Sum – a sum of measurements.

  • Last Value – only the last measurement value.

  • Explicit Bucket Histogram – a collection of measurements into buckets with explicitly predefined bounds.

  • Exponential Histogram (optional) – the same as the Explicit Bucket Histogram but with an exponential formula defining bucket bounds.

A developer can define their own aggregations, but in most cases, the default ones predefined for each type of measurement will suit the developer’s needs.

After all aggregations have been done, additional filtering or customization can be carried out on the View level. To summarize, an example of a simple metric creation is the following (in GoLang):

import “go.opentelemetry.io/otel/metric/instrument”
counter := Meter.SyncInt64().Counter(
“test.counter”,
instrument.WithUnit(“1”),
instrument.WithDescription(“Test Counter”),
)

// Synchronously increment the counter.
counter.Add(ctx, 1, attribute.String(“attribute_name”, “attribute_value”))

Here we create a simple metric consisting of one counter-measurement. As you can see, many details we discussed are hidden but can be exposed if the developer needs them.

In the next part of our blog series, we will talk about metrics transportation, storage, and visualization.

Traces and spans

As we discussed previously, traces represent an execution path inside a software system. The execution path itself is a series of operations. A unit of operation is represented in the form of a span. A span has a start time, duration, an operation name, and additional context attached to it. Spans are interconnected via context propagation and can be nested (one operation can consist of multiple smaller operations inside itself). The resulting hierarchical tree structure of spans represents the trace – an entire execution path inside a software system.

The internal span structure can be visualized like this:

Here is an example of the simplest span creation (in GoLang):

import “go.opentelemetry.io/otel/trace”

var tracer = otel.Tracer(“test_app”)

// Create a span
ctx, span := tracer.Start(ctx, “test-operation-name”,
trace.WithSpanKind(trace.SpanKindServer))

testOperation()

// Add attributes
if span.IsRecording() {
span.SetAttributes(
attribute.Int64(“test.key1”, 1),
attribute.String(“test.key2″,”2”),
)
}

// End the span
span.End()

Now we have our first trace.

A trace can be distributed through different software microservices. In this case, so as not to lose the interconnection, OpenTelemetry SDK can automatically propagate context through the network according to the protocol being used. One example is the W3C Trace Context HTTP headers definition. However, not all language SDKs support automatic context propagation, so you may have to instrument it manually depending on the language you use.

Detailed documentation about traces with format explanations can be found here.

Signal interconnections

The ability to interconnect different types of signals makes an observability framework powerful. For example, it allows you to identify a service response that took too long via metrics and, in one click, jump to the correlating trace of this response execution to identify what part of the system caused the slow processing.

Signals in OpenTelemetry can be interconnected in a couple of ways. One is the use of Exemplars – specific values supplied with trace, logs, and metrics. These consist of a particular record ID, time of observation, and optional filtered attributes specifically dedicated to allowing a direct connection between traces and metrics. Detailed documentation about Exemplars can be found here.

Another approach to signal interconnection is the association of the same metadata with the use of Baggage and Context. Baggage is a specific value supplied with traces, logs, and metrics that allows you to annotate it and consists of user-defined pairs of keys and values. By annotating corresponding metrics and traces with the same values in Baggage, the user can correlate them. Detailed documentation about Baggage can be found here.

Conclusion

We covered the pillars of OpenTelemetry and some details of application instrumentation. But we don’t just need to instrument our applications – we should also introduce tooling for the aggregation, storage, and visualization of the signals we supply. In the third part of this series, we will discuss tooling and the OpenTelemetry collector component in detail.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

如何避免成為瀏覽器漏洞的受害者

JumpCloud’s Universal Chrome Browser Patch Management

Browsers are the gateway to online productivity. 

Without them, we would not be able to get work done. To that end, they are also one of the biggest attack targets for bad actors. If we are not careful, and do not make a conscious effort to upkeep web browser security, hackers can easily exploit browser vulnerabilities. 

What makes browsers especially appealing to these individuals? Browsers access, collect, and hold lots of sensitive data — from personal credentials to company information — that cyber hackers can sell on the dark web and use to blackmail companies.

According to Atlas VPN, Google Chrome, the world’s most popular browser, has the highest number of reported (303) vulnerabilities year to date. Google Chrome also has a total of 3,159 cumulative vulnerabilities since its public release. 

In this article, we’ll dive into the topic of browser vulnerabilities, the importance of patch management, and how to streamline protection.

Atlas VPN top web browsers by vulnerability graph
Image courtesy of Atlas VPN

A Closer Look at Google Chrome’s Latest Vulnerabilities

On November 8, 2022, the Center for Internet Security (CIS) reported finding multiple vulnerabilities in Google Chrome. 

The most severe vulnerability within this group could potentially allow for arbitrary code execution in the context of the logged on user. What does that mean? 

Depending on a user’s privileges, an attacker could install programs and view, change, or delete data. The bad actor could even create new accounts with full user rights! 

Of course, users whose accounts have minimal user rights on the system would be less impacted than those with administrative user rights.

Multi-OS systems were affected, including:

  • Google Chrome versions prior to 107.0.5304.110 for Mac
  • Google Chrome versions prior to 107.0.5304.110 for Linux
  • Google Chrome versions prior to 107.0.5304.106/.107 for Windows

First and foremost, CIS recommends applying appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. See here for all the other CIS recommended actions. 

The Need for Browser Patching 

Here are the key reasons you should regularly update or patch your browsers:

  • Enhance Security: Prevention of spyware, malware, and other viruses that could give someone access to your data or trick you into handing it over.
  • Improve Functionality: Outdated browsers might not work (well) or support new apps or software.
  • Boost User Experience: Older browsers usually do not support the latest and greatest code and will have trouble loading component files in the website. This might cause a website to freeze, crash or take forever to work.

For IT admins, security aspects are probably the most important reason to patch browsers. Keeping browsers updated with the latest version (i.e., downloading and installing all provided patches) goes a long way toward preventing cyber attacks and bad actors from exploiting known vulnerabilities. 

How to Create Default Chrome Browser Patch Policies

One of the easiest ways to stay on top of patches, and reduce browser vulnerability risk, is to use the JumpCloud Directory Platform. 

The latest capability addition to our Patch Management solution provides a universal policy to keep Google Chrome up to date for macOS, Windows, and Linux. 

A universal policy saves time by automatically scheduling and enforcing Chrome security patches on a large number of managed devices.

Screenshot of JumpCloud Policy Management Console&nbsp;
JumpCloud Policy Management Console 

The platform’s four universal preconfigured default Chrome browser patch policies allow admins to deploy browser updates with different levels of urgency. Admins also have the option to configure a custom universal policy; this feature allows for easy modification of existing policy settings to tailor update experiences to organizational needs. 

The four JumpCloud default Chrome browser patch management policies control how and when a Chrome update is applied. The recommended deployment strategies include:

  • Day Zero: Deploy automated upgrades inside your IT Department the first day an update is available.
  • Early Adoption: Deploy automated upgrades to early adopters outside of IT.
  • General Adoption: Deploy automated upgrades to general users in your company.
  • Late Adoption: Deploy automated upgrades to remaining users in your company.

Once you have created a Chrome browser patch policy, you can assign it to any devices, policy groups, or device groups. A policy group helps quickly and efficiently roll out existing policies to large numbers of similar devices. 

Capabilities of JumpCloud Browser Patch Management

JumpCloud’s new Browser Patch Management also introduces the following features:

  • Enforce Chrome updates and browser relaunch. 
  • Enforce or disable Chrome Browser Sign In Settings.
  • Restrict sign-in to a regex pattern to ensure users sign in via company email accounts.
  • Automate device enrollment into Google Chrome Browser Cloud Management, which unlocks limitless capabilities for browser and extension control within the Google Admin console. 

Dive deeper into the new Universal Chrome Browser Patch Management Release by exploring the release notes for this feature in the JumpCloud Community. 

Learn More About JumpCloud

The good news? Browser patching and patch management are included in JumpCloud’s affordable A La Carte pricing package. 

Try JumpCloud for free for up to 10 devices and 10 users. 

Complimentary support is available 24×7 within the first 10 days of acco
unt creation.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.