Authentication Bypass Vulnerability in Citrix NetScaler

Please contact our Operations Center if we can assist you with addressing this critical Citrix NetScaler security issue, which requires an update to a fixed build.

Sincerely,

Centrinet Support Team

support@centrinetcorp.com

678.373.0450

Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

DESCRIPTION OF PROBLEM

A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance.

This vulnerability has been assigned the following CVE number:

  • CVE-2017-14602: Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

This vulnerability affects the following product versions:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.13 (except for build 41.24)
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 55.13
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 70.16
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 66.9
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e earlier than build 60.7010.e
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 earlier than build 135.18

MITIGATING FACTORS

In order to exploit this vulnerability, an attacker would require access to the management interface of the NetScaler. In situations where customers have deployed their NetScaler ADC and NetScaler Gateway appliances in line with industry best practice, network access to this interface should already be restricted.


WHAT CUSTOMERS SHOULD DO

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 41.24 and build 53.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 55.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 70.16 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 66.9 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e build 60.7010.e and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 build 135.18 and later

Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix NetScaler ADC or NetScaler Gateway that contains a fix for this issue as soon as possible.

These versions are available on the Citrix website at the following addresses:

https://www.citrix.com/downloads/netscaler-adc/
https://www.citrix.com/downloads/netscaler-gateway/

In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted network traffic only.

https://support.citrix.com/article/CTX227928
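The fixed-build list above is awkward to apply by hand across a fleet, especially for the 12.0 branch, where build 41.24 is fixed but later 12.0 builds below 53.13 are not. The following added example (not part of the Citrix advisory or the original post) encodes the table from CTX227928 and checks a version banner against it. It assumes the banner has the shape printed by `show ns version`, such as "NetScaler NS12.0: Build 53.13.nc, Date: ...", and that 10.5 enhancement builds carry an "e" either after the version or after the build number; verify that against your own appliance before relying on the parser.

```python
import re
from typing import Dict, FrozenSet, NamedTuple, Optional, Tuple

Build = Tuple[int, int]


class Fix(NamedTuple):
    min_fixed: Build              # this build and later in the branch are fixed
    also_fixed: FrozenSet[Build]  # isolated earlier builds that are also fixed


# Fixed builds per branch, taken from CTX227928 as quoted above.  Note the
# 12.0 special case: 41.24 is fixed, but other 12.0 builds below 53.13 are not.
FIXED: Dict[str, Fix] = {
    "12.0":  Fix((53, 13),   frozenset({(41, 24)})),
    "11.1":  Fix((55, 13),   frozenset()),
    "11.0":  Fix((70, 16),   frozenset()),
    "10.5":  Fix((66, 9),    frozenset()),
    "10.5e": Fix((60, 7010), frozenset()),
    "10.1":  Fix((135, 18),  frozenset()),
}

# ASSUMED banner layout, e.g. "NetScaler NS12.0: Build 53.13.nc, Date: ...".
# The enhancement branch may be marked as "NS10.5e:" or as ".e" after the build.
VERSION_RE = re.compile(
    r"NetScaler\s+NS(\d+\.\d+)(e)?:\s*Build\s+(\d+)\.(\d+)(\.e\b)?",
    re.IGNORECASE,
)


def parse_version(banner: str) -> Tuple[str, Build]:
    """Return (branch, (major_build, minor_build)) parsed from a version banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    branch = m.group(1) + ("e" if (m.group(2) or m.group(5)) else "")
    return branch, (int(m.group(3)), int(m.group(4)))


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if affected by CVE-2017-14602, False if the build carries the fix,
    None if the branch is not listed in the advisory (consult CTX227928)."""
    branch, build = parse_version(banner)
    fix = FIXED.get(branch)
    if fix is None:
        return None
    if build in fix.also_fixed:
        return False
    return build < fix.min_fixed          # tuple comparison: (53, 12) < (53, 13)


def scan(banners: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Check a mapping of appliance name -> banner and return name -> status."""
    return {name: is_vulnerable(banner) for name, banner in banners.items()}


if __name__ == "__main__":
    # Constructed sample banners, not captured from real appliances.
    fleet = {
        "ns-dc1-a": "NetScaler NS12.0: Build 41.24.nc, Date: Aug 1 2017",
        "ns-dc1-b": "NetScaler NS12.0: Build 51.24.nc, Date: Sep 1 2017",
        "ns-dc2-a": "NetScaler NS11.1: Build 54.14.nc, Date: Jun 1 2017",
        "ns-lab":   "NetScaler NS10.5: Build 60.7010.e.nc, Date: May 1 2017",
    }
    for name, status in scan(fleet).items():
        label = {True: "VULNERABLE", False: "fixed", None: "not in advisory"}[status]
        print(f"{name:10s} {label}")
```

The check is conservative by design: an unrecognised branch returns None rather than False, so a script built on it will not silently report a newer or unexpected release as safe. Pair the upgrade with the advisory's second recommendation and confirm that the NSIP management address is reachable only from trusted administration networks.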

IT Security Best Practices: Securing Cloud Access Control

Did you know that phishing attacks targeting cloud storage services make up nearly 23 percent of all security attacks, an increase of 125 percent over the past four years? It’s a strategy fraudsters are using as they try to gain access to valuable login credentials for business cloud storage accounts.

And the problem isn’t limited to unauthorized access of vital accounts. Phishing schemes are also the most common way to deliver ransomware to systems belonging to businesses, government agencies, schools, and other critical infrastructure.

It’s an IT security challenge that will become more difficult in the next few years. That means that you, as a cybersecurity leader, must plan and implement best practices to keep your company (and individual employees) from falling victim to these schemes.

As you review these IT security best practices for cloud access control, consider how you’re currently handling them for your company and what changes you might make.

MAINTAIN THE PRINCIPLE OF LEAST PRIVILEGE FOR USER ACCOUNTS

Privileged user accounts give key employees greater access to sensitive data and allow them to make high-level changes to network systems. Because this access is so far-reaching, these credentials are targeted more heavily by attackers, who can use them to walk past controls such as firewalls and intrusion prevention systems rather than attack those controls head-on.

By incorporating the principle of least privilege—and giving employees the lowest level of user rights that still allows them to perform all necessary job functions—you’re protecting both your business systems and your workers.


You’ll also want to limit the number of privileged user accounts to the minimum necessary, assign privileges by roles rather than to individuals, and log all access attempts and all executed changes from these accounts. Don’t forget to create specific procedures and guidelines to handle employee departures—including suspending account access and retrieving any access tokens and company-owned IT equipment.

REQUIRE MULTI-FACTOR AUTHENTICATION

You can limit unauthorized access to cloud applications by requiring every user to enable multi-factor authentication (MFA). Instead of simply entering a username and password—which could be stolen more easily—MFA includes at least two independent credentials.

These credentials could be something you know, such as a password; something you have, such as a security token; or something you are, such as a thumbprint, a retina scan, or some other biometric marker. If one factor is weakened—say a password is stolen—there’s another line of defense that might not be so easy to breach.

In a perfect world, access to any user account in the cloud would require MFA. But at the least, users with admin privileges—especially those with access to management consoles and other sensitive data—should use approved multi-factor authentication.

ENFORCE CONDITIONAL ACCESS CONTROLS

When you set up conditional access policies for users and devices, you can prevent many problems with stolen and phished credentials. This proactive strategy lets you set specific conditions for users to gain access to applications. It’s also a way to restrict access to those using approved devices and trusted networks.

For example, user access may depend on membership in selected groups, or the device platform used—like iOS, Android, and Windows. The location of the user may also trigger higher-level controls—requiring multi-factor authentication, or blocking access on untrusted networks.

When you use device-based conditional access, you can deny access from devices that fall short of your security standards: unknown or unmanaged devices, devices connecting over unsecured wireless networks, or devices without sufficient security controls (for example, no disk encryption or an outdated operating system).
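The policy described in this section is easiest to reason about as a small decision function that is evaluated before every sign-in. The following added example (written for this page, not taken from any vendor's conditional access product) implements the conditions named above: group membership, device platform, device management state, and whether the source address is on a trusted network. The trusted address ranges, group names, and the choice to block rather than merely challenge a privileged account coming from an untrusted network are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Policy inputs.  ASSUMED values for illustration; replace with your own.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]
APPROVED_PLATFORMS = frozenset({"windows", "ios", "android"})     # platforms named above
PRIVILEGED_GROUPS = frozenset({"cloud-admins", "billing-admins"})  # assumed group names


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    platform: str          # device platform as reported by the client
    device_managed: bool   # enrolled in device management / known device
    source_ip: str
    mfa_satisfied: bool    # a strong second factor was already presented


def from_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(s: SignIn) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'require_mfa' or 'block'.

    Rules are ordered most restrictive first so that a later, more permissive
    rule can never undo an earlier block.
    """
    if s.platform.lower() not in APPROVED_PLATFORMS:
        return "block", f"platform {s.platform!r} is not approved"
    if not s.device_managed:
        return "block", "unknown or unmanaged device"

    privileged = bool(s.groups & PRIVILEGED_GROUPS)
    trusted = from_trusted_network(s.source_ip)

    # Assumed policy choice: admins may only administer from trusted networks.
    if privileged and not trusted:
        return "block", "privileged account signing in from an untrusted network"
    # Admins always need MFA; everyone else needs it off the trusted network.
    if (privileged or not trusted) and not s.mfa_satisfied:
        return "require_mfa", "privileged account or untrusted network"
    return "allow", "all conditions satisfied"


def audit(sign_ins: List[SignIn]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch and return (user, decision, reason) rows for logging."""
    return [(s.user, *evaluate(s)) for s in sign_ins]


if __name__ == "__main__":
    # Constructed sample sign-ins, not real telemetry.
    samples = [
        SignIn("alice", frozenset({"staff"}), "Windows", True, "10.1.2.3", False),
        SignIn("bob", frozenset({"staff"}), "iOS", True, "198.51.100.7", False),
        SignIn("carol", frozenset({"cloud-admins"}), "Windows", True, "10.1.2.9", False),
        SignIn("dave", frozenset({"cloud-admins"}), "Windows", True, "198.51.100.8", True),
        SignIn("erin", frozenset({"staff"}), "Windows", False, "10.1.2.4", True),
    ]
    for user, decision, reason in audit(samples):
        print(f"{user:6s} {decision:12s} {reason}")
```

The same shape scales to the real products: each condition becomes a signal your identity provider already exposes, and the ordering is what keeps a permissive "trusted network" rule from masking an unmanaged-device block.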

SECURE CRYPTOGRAPHIC KEYS

Many cloud administrative accounts, service identities, and automation pipelines authenticate with cryptographic keys (SSH keys, API access keys, signing keys) instead of, or in addition to, passwords. Often these keys are generated when a new user or service account is created, and they remain valid until someone rotates or revokes them. Because of the power of these keys, you'll need procedures to inventory, rotate, and monitor their use.

If you have business processes operating in the cloud, as part of an IT security plan, you’ll want to safeguard your keys both internally and in the cloud. Most experts recommend employing a hardware security module (HSM) to control cryptographic keys.

Designed to meet strict regulatory standards (HSMs are typically validated against FIPS 140-2), HSMs store cryptographic keys in tamper-resistant hardware and manage their lifecycle, so private key material never leaves the device in plaintext. And with the option of a cloud-based HSM, you may have lower overhead and configuration costs because the physical hardware is maintained by the data center.

As more business applications move to the cloud, take particular care in safeguarding user accounts—especially those with administrative access. It could mean the difference between a thriving company and one that’s no longer in business.

Using security framework, such as Centrinet’s SAFER IT, ensures that organizations are following best practices for IT security. Credentials like passwords and tokens are Safeguarded, business procedures are Adapted for maximum security, IT-managed objects are Fortified, and best practices for user accounts are Enforced. Access to sensitive systems and data is Regulated, high-level standards are Imposed, and Trusted systems get regular checks.

Does your IT security plan cover cloud access control? If not, your business data could be at risk. Working with a company like Centrinet ensures you have a comprehensive security strategy no matter where your data lives.

5 Essential Cybersecurity Training Courses and Certifications

Maintaining the highest level of info security for your organization and your customers depends heavily on your workforce. You need skilled employees who can prepare for, recognize, and handle cybersecurity threats.

But keeping up with the latest training courses and certifications for cybersecurity pros can be a challenge. There’s no centralized organization or one specific path to follow. You must be prepared to sift through the options and prioritize based on your business needs.

That’s why we’ve put together a list of essential cybersecurity training and certification programs. It will serve as a guide in making sure new hires have the right background and qualifications and in directing your ongoing education efforts.

TAKE ADVANTAGE OF MOOCS AND FREE ONLINE COURSES

You’ve probably heard of Massive Open Online Courses, or MOOCs, designed to reach many people via the internet. These training programs are also a great way to stay up to date with the latest in cybersecurity strategies.

And you shouldn’t be concerned that these options lack substance or current information. Open courses from the Electrical Engineering and Computer Science Department at MIT feature lectures, reading, and assignments from classes on Network and Computer Security and Computer Systems Security. On the popular learning site Udemy, you’ll find a Cyber Security course delivered via video by an instructor from DeVry University.


GET CERTIFIED WITH AN ACCREDITED PROGRAM

Industry certifications requiring a passing exam score ensure that IT professionals meet a certain standard and prove their knowledge. Independent organizations like ISACA and (ISC)² offer several vendor-neutral certifications that measure the latest best practices in cybersecurity.

Certified Information Security Manager (CISM)

Ranked as one of the most sought-after IT certifications, CISM covers the governance and management of info security programs, managing risk to an acceptable level, and detecting and responding to incidents to minimize business impact.

Certified in Risk and Information Systems Control (CRISC)

Measures the identification and assessment of risk in IT systems, strategies for response and mitigation, and avenues for monitoring and reporting.

Certified Information Systems Security Professional (CISSP)

A globally recognized standard in infosec, the CISSP ensures knowledge and understanding of new cybersecurity threats, technologies, regulations, and standards.

ADD A GRADUATE-LEVEL CERTIFICATE

For IT pros with a bachelor’s degree, more colleges and universities are beginning to offer graduate certificates. Compared to a graduate degree, these course offerings can provide a quicker path to a professional credential.

For example, Harvard University offers a Cybersecurity Certificate. Students complete four courses—including two electives—within a three-year period. Often these classes can be completed online, and in many cases, can also be applied toward a master’s degree.

While you and your company can’t go wrong with any of these cybersecurity training programs, these options may not be enough. Cyber threats are approaching from all directions and can impact every business process. Ensure your business is safe.

Partnering with an established company that provides enterprise risk management means that you’re prepared for the latest security threats to people, processes, technology, and facilities.

One proven strategy is to boost your existing workforce with added human capital. Work with highly trained temporary employees with security technology backgrounds, and consulting support when you need it, to handle compliance and regulatory tasks.

Keeping your organization on track for its business goals while fending off growing security risks can be an overwhelming job. Contact us today to find out how we can work together to keep your enterprise protected.

What You Must Do to Ensure Enterprise-Level HIPAA IT Compliance

For enterprises that handle consumer healthcare information, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become one of the most important regulations around data security. A lack of understanding of or commitment to HIPAA requirements has proven to be costly for a variety of organizations. For example, CardioNet, a provider of remote mobile monitoring for patients at risk for cardiac arrhythmias, recently agreed to a $2.5 million settlement with HHS for not fully implementing safeguards for electronic protected health information (ePHI).

CardioNet was reported to the government agency that handles HIPAA complaints after an employee laptop was stolen, endangering the personal health data of nearly 1,400 individuals. The $2.5 million penalty will no doubt be a blow to the organization; meanwhile, the damage to its reputation will likely be felt for years to come.

The CardioNet example illustrates how important it is that enterprises meet the strict—and, at times, complex—security and privacy standards set forth by HIPAA. But with so many other cybersecurity concerns to contend with, you may be wondering where to start. Here, we explain what your enterprise must do to ensure HIPAA IT compliance:


MEET BOTH SECURITY RULE AND PRIVACY RULE STANDARDS

The U.S. Health and Human Services (HHS) website explains that organizations must meet two key standards:

  1. The HIPAA Privacy Rule, which establishes national standards for the protection of certain health information
  2. The HIPAA Security Rule, which establishes a national set of standards to protect certain health information that is held or transferred in electronic form

The Privacy Rule applies to protected health information (PHI) in any form (paper, oral, or electronic), while the Security Rule specifically covers ePHI. The latter was designed to protect people's health information while providing a path forward for organizations looking to adopt newer technologies and techniques for handling such data, including electronic health records, digital pharmacy and laboratory systems, and computerized physician order entry (CPOE) systems.

Under the Security Rule's general requirements, your organization must:

  • Ensure the confidentiality, integrity, and availability of all ePHI that your enterprise creates, receives, maintains, or transmits
  • Identify and protect against potential threats to the security or integrity of the information
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure compliance by all employees

To effectively protect patient data, HHS expects organizations to conduct frequent risk analysis to identify potential threats and evaluate their likelihood and impact.

MEET ALL APPLICABLE SAFEGUARDS

The Security Rule is the key to ensuring enterprise-level HIPAA IT compliance. The rule is divided into three different safeguard categories: administrative safeguards, physical safeguards, and technical safeguards. In turn, each safeguard category is divided into standards that are meant to guide an organization toward compliance.

It's important to note that some implementation specifications are "required," while others are "addressable." Addressable does not mean optional: your organization must assess whether the specification is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative measure, or document why neither is needed. Generally, it's best to err on the side of implementing.

Here is a brief overview of each of the Security Rule safeguard categories:

  • Administrative safeguards govern a company’s workforce and how it handles IT security. Standards cover the following areas:
    • Security management process
    • Security personnel
    • Workforce security
    • Information access management
    • Security awareness and training
    • Security incident procedures
    • Contingency planning
    • Evaluation
    • Business associate contracts and other arrangements
  • Physical safeguards focus on physically protecting electronic systems and data from unauthorized access, environmental dangers, and other outside threats. Standards include:
    • Facility access controls
    • Workstation use and security
    • Device and media controls
  • Technical safeguards protect the data itself and limit access to it. Standards include:
    • Access control
    • Audit controls
    • Integrity controls
    • Person or entity authentication
    • Transmission security

MEET RISK ANALYSIS REQUIREMENTS

The Office for Civil Rights (OCR) also requires organizations to conduct and document risk analyses to identify what steps they need to take to meet the HIPAA Security Rule and to ensure that all ePHI is being properly protected. The risk analysis can be a self-evaluation or can be done by a third-party consulting firm.

The OCR offers general guidelines on the elements of a risk analysis that must be evaluated and documented; however, a full risk assessment will look different for each organization. It's important to realize that risk analyses are in fact required, and documentation of your analysis is one of the first items requested during a HIPAA audit.

CONDUCT REGULAR REVIEWS

Of course, HIPAA compliance isn’t a one-and-done task. It’s a process that requires regular audits and review, constant vigilance, and ongoing training of new and existing employees.

At an enterprise-level organization, achieving HIPAA IT compliance will require dedicated resources and complete buy-in from the top down. The good news is that thousands of organizations nationwide are successfully meeting HIPAA requirements and, in turn, helping to keep their IT data extremely secure. Working through the HIPAA safeguards and standards may help to heighten your level of IT security enterprise-wide—a goal that all companies could benefit from today.

To get started, you and your team can easily find helpful HIPAA checklists online. However, to ensure ongoing compliance and to meet the requirements for risk analysis, consider partnering with an IT consulting firm that can provide insight into your IT security position and what needs to be done to ensure all applicable HIPAA rules and standards are met.

Welcome to the Centrinet Team!


Mindy Sullivan, Director of Operations


Please welcome the newest member of our team, Mindy Sullivan. Mindy has over eight years of experience in the software and technology industry, with a strong foundation in healthcare and SaaS.

In her free time Mindy enjoys going on adventures with her family, especially adventures in the great outdoors like traveling and camping.

Mindy is experienced in leading highly diverse teams, and will be bringing that skill and background to her role as our new Director of Operations.

Welcome to the team Mindy!


Work From Anywhere – Literally.

I wake up to a city very different from Atlanta, to the sound of roosters crowing and the sight of guards changing shifts. My new home is Kampala, Uganda, where my husband has accepted a position with a non-profit organization for the next two years. Last year, if someone had asked me if I'd be living in Uganda and still working for a U.S. based company, I would've thought they were crazy.

Although my life is very different now, one thing that offers stability and helps me feel at home is my remote desktop. Each morning I log in and connect with my coworkers on the other side of the planet. I’m able to easily stay on top of everything – from collaborating with colleagues, to client and vendor meetings. I was surprised to find such ease of use and strong connectivity, despite the (sometimes) weakened Internet signal.

Of course issues do arise, but as they do our Centrinet support team quickly finds a solution and I'm up and running again within the hour. I witnessed this hustle first-hand back when I operated out of the Atlanta office: true teamwork and collaboration to provide client solutions. Every day I'm astounded by their knowledge, especially when they reach a solution based on my descriptions. To be honest I am not a technical person; I wouldn't even call myself an amateur. I excel at planning and operational tasks, but the technical language is completely foreign to me. So it's a real testament to their skill that I can call our team, give them a crazy description, and they're able to come up with a solution to the issue!

Seamless access to Centrinet data and applications is critical to my daily operations. In today’s technological environment, most of us expect to have the same user experience, in and out of the office. A good Work From Home policy must allow employees access to a quality user experience from any environment.

Here at Centrinet we've been providing successful Work From Home policies for our enterprise clients since 2005, across a wide range of sectors and industries. We make sure to always provide the best user experience, whether you are working from the office or from Kampala, Uganda!

To learn more please contact us today.

Liquidware Labs Partner Solutions Brief

Our valued partner, Liquidware Labs, recently released a solutions brief on The Vital Role of Robust Metrics in VDI Maintenance. The brief highlights the importance of their Stratusphere UX to support the delivery of managed VDI services. As one of only three Liquidware Labs Acceler8 partners to have achieved the Center of Excellence (COE) designation, we have a deep understanding of deploying successful and effective desktop virtualization projects utilizing Liquidware Labs solutions.

From the beginning we recognized the need to find innovative and purpose-built VDI tools in order to maintain our standards of customer service. This search initially led us to Liquidware Labs Stratusphere, which provided the full range of desktop visibility across physical, virtual and RDSH desktops. New trends, and changing VDI environments, brought us to adopt Stratusphere UX for health checks and performance monitoring.

“With Stratusphere UX, we are sure we are doing the right thing by our customers. We are 100% positive that we are deploying products that don’t introduce problems, headaches, etc. That way we save time and effort for both our consultants, and especially for our clients, as we fast-track them to the right path.” – Dario Ferreira, Executive Vice President of Centrinet

Read the full solutions brief here.

About Liquidware Labs

Liquidware Labs is the leader in User Experience Management for next generation desktops. Analysts have described Liquidware Labs Stratusphere and ProfileUnity solutions as the industry's first "On-Ramp to VDI". Liquidware Labs enables organizations to cost-effectively plan, migrate, and manage their next generation desktop infrastructure using the industry's best practices.

Centrinet is one of only three partners worldwide to have achieved the Center of Excellence (COE) designation from Liquidware Labs. As a designated COE we demonstrate the highest level of knowledge in desktop virtualization, and have integrated Liquidware Labs technologies into our delivery to ensure superior service to our clients.