Authentication Bypass Vulnerability in Citrix NetScaler

Please contact our Operations Center if we can assist you in applying the updates that address this critical Citrix NetScaler security issue.

Sincerely,

Centrinet Support Team

support@centrinetcorp.com

678.373.0450

Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

DESCRIPTION OF PROBLEM

A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance.

This vulnerability has been assigned the following CVE number:

  • CVE-2017-14602: Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

This vulnerability affects the following product versions:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.13 (except for build 41.24)
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 55.13
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 70.16
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 66.9
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e earlier than build 60.7010.e
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 earlier than build 135.18

MITIGATING FACTORS

In order to exploit this vulnerability, an attacker would require access to the management interface of the NetScaler. In situations where customers have deployed their NetScaler ADC and NetScaler Gateway appliances in line with industry best practice, network access to this interface should already be restricted.


WHAT CUSTOMERS SHOULD DO

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 41.24 and build 53.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 55.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 70.16 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 66.9 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e build 60.7010.e and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 build 135.18 and later

Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix NetScaler ADC or NetScaler Gateway that contains a fix for this issue as soon as possible.

These versions are available on the Citrix website at the following addresses:

https://www.citrix.com/downloads/netscaler-adc/
https://www.citrix.com/downloads/netscaler-gateway/

In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted network traffic only.

https://support.citrix.com/article/CTX227928
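A fleet check for the build table above, as an added example that is not part of the Citrix advisory or Centrinet's post: the fixed builds and the 12.0 build 41.24 exception come from the advisory, while the `show version` line format the regex expects, the `check_appliance` name and the sample lines are assumptions constructed for this example.

```python
import re

# Minimum fixed build per release train, as listed in Citrix CTX227928 above.
FIXED_BUILDS = {
    "12.0": (53, 13),
    "11.1": (55, 13),
    "11.0": (70, 16),
    "10.5": (66, 9),
    "10.5e": (60, 7010),
    "10.1": (135, 18),
}

# Builds that are fixed even though they sort before the minimum fixed build
# for their train (the advisory exempts 12.0 build 41.24).
FIXED_EXCEPTIONS = {"12.0": {(41, 24)}}

# Assumed shape of the first line of 'show version' output, e.g.
# "NetScaler NS12.0: Build 53.13.nc, Date: ...". The optional trailing 'e'
# on the release is how this example distinguishes the 10.5e train.
VERSION_RE = re.compile(r"NS(\d+\.\d+e?):\s*Build\s+(\d+)\.(\d+)")


def parse_version(show_version_output):
    """Return (release, (build_major, build_minor)) from 'show version' text."""
    match = VERSION_RE.search(show_version_output)
    if not match:
        raise ValueError("no NetScaler version string found")
    return match.group(1), (int(match.group(2)), int(match.group(3)))


def is_vulnerable(release, build):
    """True if this release/build predates the fix for CVE-2017-14602."""
    if release not in FIXED_BUILDS:
        raise ValueError(f"release {release} is not covered by CTX227928")
    if build in FIXED_EXCEPTIONS.get(release, set()):
        return False
    # Tuple comparison orders 66.9 before 66.10, which a plain string
    # comparison of "66.9" and "66.10" would get wrong.
    return build < FIXED_BUILDS[release]


def check_appliance(show_version_output):
    """Classify one appliance as 'vulnerable', 'fixed' or 'unknown'."""
    try:
        release, build = parse_version(show_version_output)
        return "vulnerable" if is_vulnerable(release, build) else "fixed"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample output for a small fleet; not real appliances.
    SAMPLES = [
        "NetScaler NS12.0: Build 41.24.nc, Date: Jan 1, 2017",
        "NetScaler NS12.0: Build 52.13.nc, Date: Jan 1, 2017",
        "NetScaler NS11.1: Build 55.13.nc, Date: Jan 1, 2017",
        "NetScaler NS10.5e: Build 60.7009.e, Date: Jan 1, 2017",
    ]
    for line in SAMPLES:
        print(f"{check_appliance(line):10s} {line}")
```

Any release the table does not cover is reported as "unknown" rather than "fixed", so newer or unlisted trains are reviewed by hand instead of silently passing.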

10 Website Security Best Practices You Can Implement Today

According to a recent Global Security Study from Citrix conducted by the Ponemon Institute, 69 percent of respondents believe some of their organization’s existing security solutions are outdated and inadequate. This is particularly problematic given that many vulnerabilities could be eliminated fairly easily. To help businesses strengthen their security profile and reduce vulnerabilities, here are 10 website security best practices that can be implemented today.

BEST PRACTICE #1: ENCRYPTION VIA HTTPS IMPLEMENTATION

While HTTP was conceived as a means to transfer information on the internet, HTTPS provides some important security aspects for businesses and their end users. Overall, the HTTPS authentication spec defines a series of mechanisms to identify users and parties (via credentials).

The main benefit of HTTPS is that it encrypts any information your users provide, such as payment card (PCI) data, making your site more secure for them. Because attackers don’t have the encryption key, HTTPS prevents “man in the middle” attacks. HTTPS implementation provides a number of website security benefits, including assuring site visitors that:

  • The site they are on is actually the site the URL says it is
  • The content on the site has not been changed in any way by anybody other than the site owner
  • Any information shared between the visitor and the site through a contact form or reservation signup will not end up in the hands of a third party
  • The visitor’s browser history is not being tracked by some unauthorized third party
  • Any payment gateways on the site are secure


BEST PRACTICE #2: SECURE SOCKET LAYER (SSL) CERTIFICATES

Secure socket layer (SSL) is the protocol that HTTPS uses, so installing an SSL certificate on your site is what enables HTTPS. All SSL certificates encrypt data sent from a customer’s browser to a company’s server. Encryption ranges anywhere from 128-bit to the recommended 256-bit. In today’s increasingly treacherous online world, the higher the encryption, the better.

BEST PRACTICE #3: MULTIFACTOR AUTHENTICATION (MFA) WITH SINGLE SIGN-ON (SSO)

Multifactor authentication (MFA) is a security practice that requires website users to provide an additional form of authentication to log in, beyond their standard user name and password. This is normally accomplished through an SMS message, a voice message, or a one-time code generated by an application on the user’s mobile phone.

MFA also can and should include more advanced website security methods, such as biometrics, GPS location, or a hardware token, but those can take more time and effort to implement. There are numerous MFA solutions available that can be incorporated into website security for customer and end-user access to a variety of services or applications. The addition of single sign-on (SSO) enables web users who need access to cloud applications, networks, and other business systems via the web to use a single sign-on rather than multiple sign-on steps as they access other connected systems.

BEST PRACTICE #4: UPDATE PLATFORMS AND SCRIPTS

Keep installed platforms and scripts up to date to eliminate security loopholes that allow malicious hackers to take control of the website. Without regular maintenance of all components of a platform, urgent fixes for major user-facing problems can become a large undertaking very quickly. System administrators must subscribe to manufacturer support and product announcements to be aware of currently available patches, and have a protocol in place to implement them immediately.

BEST PRACTICE #5: INSTALL SECURITY PLUG-INS

According to the most recent survey, WordPress CMS is used by 59 percent of websites with a CMS, from those of individuals to those of the largest enterprises. The most common way that hackers enter a WordPress site is through outdated plug-ins or an outdated WordPress install. Consequently, it’s imperative to install security plug-ins wherever and whenever possible to actively prevent hacking attempts.

BEST PRACTICE #6: DILIGENCE, POLICIES, AND FIREWALLS FOR XSS ATTACK PREVENTION

It’s imperative that any code you use on your website for functions or fields that allow input is as explicit as possible in order to prevent cross-site scripting (XSS) attacks. XSS attacks consist of attackers injecting malicious JavaScript code that infects web pages and makes use of coding vulnerabilities.

While diligence in the coding process is the most important preventive measure, web application firewalls (WAFs) also play an important role in mitigating reflected XSS attacks. In addition, a robust Content Security Policy (CSP) allows specification of the domains that a browser should consider valid sources of executable scripts when on your page.
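The two halves of that advice, output encoding in the code and a Content-Security-Policy that restricts script sources, as an added example that is not from the original article: the vulnerable rendering sits beside its escaped form, and the response carries a per-request nonce so that only scripts the page itself emits (or ones from an explicitly listed host) are allowed to run. The `cdn.example.com` host, the `/static/app.js` path and the sample query are constructed for this example.

```python
import html
import secrets

# Constructed sample input: a reflected search parameter carrying script markup.
UNTRUSTED_QUERY = '<script>alert(1)</script>'


def render_unsafe(query):
    """The vulnerable form: untrusted input concatenated straight into markup."""
    return f"<h1>Results for {query}</h1>"


def render_escaped(query):
    """The hardened form: HTML-escape untrusted data at the point of insertion,
    so '<', '>', '&' and quotes can no longer open a tag or attribute."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def csp_header(nonce, trusted_script_hosts=()):
    """Build a Content-Security-Policy value. Scripts run only if they carry
    this response's nonce or come from an explicitly listed host; an injected
    inline <script> has neither and is refused by the browser."""
    script_sources = ["'self'", f"'nonce-{nonce}'", *trusted_script_hosts]
    return (
        "default-src 'self'; "
        f"script-src {' '.join(script_sources)}; "
        "object-src 'none'; base-uri 'self'"
    )


def build_response(query, trusted_script_hosts=("https://cdn.example.com",)):
    """Return (headers, body) for a page that both escapes output and ships a
    nonce-based CSP. The nonce is generated fresh for every response."""
    nonce = secrets.token_urlsafe(16)
    body = (
        "<!doctype html><html><head>"
        f'<script nonce="{nonce}" src="/static/app.js"></script>'
        "</head><body>" + render_escaped(query) + "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce, trusted_script_hosts),
    }
    return headers, body


if __name__ == "__main__":
    print("unsafe  :", render_unsafe(UNTRUSTED_QUERY))
    print("escaped :", render_escaped(UNTRUSTED_QUERY))
    headers, body = build_response(UNTRUSTED_QUERY)
    print(headers["Content-Security-Policy"])
```

Escaping stops the injection at the source; the CSP is the second layer that limits the damage when an escaping mistake slips through elsewhere on the page.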

BEST PRACTICE #7: IMPLEMENT PASSWORD MANAGERS

More than just having password generators, businesses should implement password managers that can provide a wealth of important features, including:

  • Password generator
  • Local-only key encryption with AES-256
  • Automatic cloud credential backup
  • Master key only visible to administrator
  • Active Directory, LDAP, federated ID management, SIEM, and ticketing system integration
  • Compliance report generation
  • Employee provisioning and deprovisioning
  • Key self-destruct settings
  • FISMA, FIPS, HIPAA, PCI, compliance; SOC-2 certification
  • Security audit capabilities
  • 128-bit SSL for server communication
  • SHA-512 hashing

While all of these features may not be included in a single password manager solution, most are available in the more robust offerings.

BEST PRACTICE #8: LOCK DOWN DIRECTORY AND FILE PERMISSIONS

Locking down your directory and file permissions can be somewhat involved depending on the size of your business and whether or not you have a qualified systems administrator. While file server resource managers (FSRMs) are designed to enable administrators to perform these functions, there are automated tools available that simplify the process in large organizations.

BEST PRACTICE #9: IMPLEMENT MOBILE DEVICE AND MOBILE APPLICATION MANAGEMENT

Solutions to manage access to corporate applications and data where BYOD (“bring your own device”) policies are in place require mobile device management (MDM) and mobile application management (MAM) tools to control approved application installation lists, as well as approved Wi-Fi access points. IT can also require users to employ PINs to access their devices.

BEST PRACTICE #10: IMPLEMENT BACKUP AND DISASTER RECOVERY MEASURES

Perform frequent backups, keep a copy of recent backup data off premises, and test backups by restoring your system to make sure the process works.

Best practice standards, and adherence to them, for website security and mobile applications are only the beginning of an enterprise cybersecurity strategy. It’s important to remember that effective website security is an ongoing and evolving process that requires diligence, as well as the use of integrated forward-thinking tools that protect data, users, and customers.

5 Essential Cybersecurity Training Courses and Certifications

Maintaining the highest level of info security for your organization and your customers depends heavily on your workforce. You need skilled employees who can prepare for, recognize, and handle cybersecurity threats.

But keeping up with the latest training courses and certifications for cybersecurity pros can be a challenge. There’s no centralized organization or one specific path to follow. You must be prepared to sift through the options and prioritize based on your business needs.

That’s why we’ve put together a list of essential cybersecurity training and certification programs. It will serve as a guide in making sure new hires have the right background and qualifications and in directing your ongoing education efforts.

TAKE ADVANTAGE OF MOOCS AND FREE ONLINE COURSES

You’ve probably heard of Massive Open Online Courses, or MOOCs, designed to reach many people via the internet. These training programs are also a great way to stay up to date with the latest in cybersecurity strategies.

And you shouldn’t be concerned that these options lack substance or current information. Open courses from the Electrical Engineering and Computer Science Department at MIT feature lectures, reading, and assignments from classes on Network and Computer Security and Computer Systems Security. On the popular learning site Udemy, you’ll find a Cyber Security course delivered via video by an instructor from DeVry University.


GET CERTIFIED WITH AN ACCREDITED PROGRAM

Industry certifications requiring a passing exam score ensure that IT professionals meet a certain standard and prove their knowledge. Independent organizations like ISACA and (ISC)2 offer several vendor-neutral certificates that measure the latest best practices in cybersecurity.

Certified Information and Security Manager (CISM)

Ranked as one of the most sought-after IT certifications, CISM covers the governance and management of info security programs, managing risk to an acceptable level, and detecting and responding to incidents to minimize business impact.

Certified in Risk and Information Systems Control (CRISC)

Measures the identification and assessment of risk in IT systems, strategies for response and mitigation, and avenues for monitoring and reporting.

Certified Information Systems Security Professional (CISSP)

A globally recognized standard in infosec, the CISSP ensures knowledge and understanding of new cybersecurity threats, technologies, regulations, and standards.

ADD A GRADUATE-LEVEL CERTIFICATE

For IT pros with a bachelor’s degree, more colleges and universities are beginning to offer graduate certificates. Compared to a graduate degree, these course offerings can provide a quicker path to a professional credential.

For example, Harvard University offers a Cybersecurity Certificate. Students complete four courses—including two electives—within a three-year period. Often these classes can be completed online, and in many cases, can also be applied toward a master’s degree.

While you and your company can’t go wrong with any of these cybersecurity training programs, these options may not be enough. Cyber threats are approaching from all directions and can impact every business process. Ensure your business is safe.

Partnering with an established company that provides enterprise risk management means that you’re prepared for the latest security threats to people, processes, technology, and facilities.

One proven strategy is to boost your existing workforce with added human capital. Work with highly trained temporary employees with security technology backgrounds, and consulting support when you need it, to handle compliance and regulatory tasks.

Keeping your organization on track for its business goals while fending off growing security risks can be an overwhelming job. Contact us today to find out how we can work together to keep your enterprise protected.

Best Practices in IT Security Services

In just the past few years, spending on cybersecurity initiatives has soared. For example, Bank of America now boasts a “whatever it takes” attitude toward budgeting for IT security services and cybersecurity. That’s because it’s crucial for businesses to keep data secure while maintaining a network with maximum availability, productivity, and efficiency.

But what about other organizations that don’t have unlimited funds to throw at the problem? Adhering to IT security best practices doesn’t require a blank check, but it does take advance planning and attention to detail. If you’re an IT director looking to bolster security and keep cybercriminals out, then make sure you’ve incorporated each of these security features into your plan.

HANDLE THE BASICS.

Don’t neglect common security controls like firewalls, network-based antivirus protection, intrusion detection systems, and remote-access virtual private networks (VPNs). These basic protections lay the foundation for IT security and repel known cybersecurity threats.

Block unsafe traffic.

As the first line of defense, firewalls filter network traffic—both coming and going—using IP addresses, domain names, protocols, and ports.

Extend remote access.

Many organizations need a way to securely allow access to employees and contractors beyond the office walls. Remote-access VPNs create encrypted passageways that extend the network without compromising security.

Detect and respond to security threats.

Intrusion detection systems (IDSs) operate on networks or individual devices, monitoring traffic and alerting administrators about potential threats. Best-in-class IDSs are reactive, identifying suspicious or malicious traffic sources and responding to threats using predefined actions.


Comply with industry standards.

Most businesses face at least one set of compliance standards—like PCI DSS or HIPAA—to maintain the safety and integrity of consumer data. Instead of viewing these requirements as an unnecessary hassle, use the guidelines to find and close gaps in your IT security services.

Protect against the human factors.

Some of the biggest cracks in your IT security plan can result from the unknowing actions of employees. That’s why you need to set your workers up for success with consistent policies and regular education.

Just-right access.

Every employee—from the CEO to the receptionist—should have the right amount of access needed to complete daily tasks. By updating passwords and removing user names for inactive accounts, you’ll know that unauthorized users will have a harder time accessing vital systems.

Promote regular training.

Educating workers about the latest cybersecurity threats can be a challenge. Look for ways to provide daily training tips that will keep information top of mind.

Boost awareness of social engineering tactics.

Most employees are honest and may not realize that fraudulent requests may come via trusted channels—like someone impersonating an IT department worker or even your CEO. Teach your people to be very cautious when giving up user names, passwords, or other sensitive information—especially via email or over the phone.

PREPARE FOR THE WORST.

Preventative measures keep data safe until they don’t. Know what you’ll do when disaster strikes and give the people in your organization opportunities to test those strategies in real life.

Maintain a data breach response plan.

Because so many organizations have experienced cybersecurity breaches, you can’t assume it won’t happen to your company. Take the time now to think about what steps you would take to limit the damage and prevent vulnerabilities—and have that plan ready to go.

Practice disaster recovery.

While most organizations maintain secure data backups and disaster plans, not as many take the next step and put those plans into action. Staging mock scenarios will quickly show you what works and expose any weaknesses.

PROACTIVELY MANAGING THREATS.

How does your company’s plan measure up? Managing IT security services requires plenty of planning, foresight, and manpower. If you have the first two handled, but are running short on staff, you may want to consider outsourcing cybersecurity measures.

Partnering with an established IT consulting firm means you’ll have access to best-in-breed tools and applications to keep networks running at a high level without compromising security. It can be a cost-effective way to deploy organizational resources while freeing up your in-house team to focus on business development projects.

The Enterprise IT Security Services You Need to Stay Competitive

According to the IDG 2017 Global State of Information Security Survey, 62 percent of the 10,000 respondents use managed security services for cybersecurity and privacy. This shows that enterprises understand the need for end-to-end security and well-defined policies that align with their business objectives. Of course, this journey must start with creating a plan of action for responding to each type of threat and the specific IT security services needed to do so.

IT services should be chosen to enable a comprehensive response strategy to different threats. Although foundational, this goes beyond patch management, data backup, and full disk encryption. By using policy-based solutions like next-generation firewalls, behavioral firewalls, and other network security devices, enterprises can obtain the desired level of security.

FIREWALLS AND VPNS

Next-generation firewalls can help protect the enterprise from attacks outside the perimeter of the network, while VPNs secure data transmissions both inside and outside that perimeter. An integrated firewall/VPN client can automatically enforce security at a more granular level, applying policy to the enterprise’s data transmissions per remote office/branch office and per user. The many features of VPNs and next-gen firewalls enable administrators to:

  • Enforce centrally managed client security policies
  • Implement rule-based access control on clients
  • Specify different policies for different user groups


Organizations with different types of remote-access VPN users—such as salespeople and IT staff—can tailor desktop security policies to the varying needs of their users via the cloud. Other important services for access to cloud applications include:

  • Single sign-on
  • Multifactor authentication
  • Role-based access controls
  • Behavioral firewalls
  • Privileged identity management tools

These can all help rapidly and systematically restrict access to users if required, and can define security policies by individual, group, or organization. Then there are other IT security services such as endpoint detection and response solutions, network security monitoring, and advanced security analytics. These services provide monitoring and analysis of endpoints and traffic, log analysis of internal machines, and security event and incident management.

BACKUP AND RECOVERY

Finally, backup and recovery services are a crucial part of end-to-end IT security services. Cloud backup and recovery has become standard in most enterprises, using full, differential, or incremental backups. The choice of public, private, or hybrid cloud backup depends on the security needs as well as the TCO parameters that the business has set.

Hybrid cloud backup is the combination of both cloud backup and on-premises or private cloud backup. Hybrid cloud data recovery utilizes VM image backups that are copies of the current VM or a physical server (V2V and P2V, respectively) as part of the backup process. The local storage appliance stores these images in the event of the primary server going down.

This enables server consolidation where a single server can act as a standby for multiple virtual and physical servers. In this case, hosted disaster recovery services can provide high availability to the production server environments as part of their backup infrastructure. Ultimately, the VM images are moved to the cloud provider, which can provide the backup from a choice of strategically placed data centers.

IT SECURITY IN THE DIGITAL AGE

In the digital age, enterprises must prepare for the inevitability of cyberattacks that can compromise the business in monumental ways. The implementation of end-to-end IT security services, along with the policies that govern their use, provides granular and graduated responses that enable businesses to circumvent attacks. The goal is to give them more options and flexibility so that the entire business does not have to come to a grinding halt to keep threats at bay.

How to Craft an Enterprise-Level IT Security Strategy

Across the nation, corporations are still haunted by some of the largest IT security incidents in history, such as the attack on Yahoo, the hack of the Democratic National Committee, and the difficult-to-forget Target breach. If your enterprise is like most, these types of incidents move IT leadership to action, checking to ensure that security protocols are still in place and followed. But what if you could do more to safeguard your cyber assets?

For a growing number of enterprises, a full-scale IT security strategy has become a necessity. It’s no longer enough to adopt a reactive security position. As cybersecurity threats continue to escalate and grow increasingly sophisticated, now is the time to be proactive and strategic about protecting your enterprise.

Luckily, in this age of hypervigilance over cybersecurity, there are plenty of well-established best practices to help get your IT security strategy started. Here are seven of them:

1. AUDIT YOUR CURRENT CYBERSECURITY EFFORTS.

First, take the time to assess the organization’s current state of IT security. Include key stakeholders who have the technical skills and knowledge to fully assess the risk environment and the company’s position.

Be sure to evaluate the entire security framework. Consider how well-protected the enterprise is against threats, both internal (careless employees, poor data security protocols, etc.) and external (stolen credentials, denial-of-service attacks, etc.). Determine what is working—and what is falling short.

This initial audit should be a starting point for a more in-depth review. When necessary, partner with an experienced IT security consultant for a comprehensive audit.


2. DEFINE YOUR SECURITY GOALS.

Following your audit, assess what needs to change to achieve a higher level of security. Are you effectively protecting data, discouraging high-profile cyberattacks, staying in compliance, and safeguarding the company reputation? If not, define these goals and start working out a way to get there.

3. CREATE A SECURITY ROADMAP.

With your security goals in mind, create a roadmap that will guide you from your current security position to your ideal one. What steps need to be taken to achieve each of your goals? Which departments, stakeholders, or partners need to be involved? It can be helpful to gain leadership approval of your roadmap, and then share it with the appropriate department heads, to ensure everyone understands his or her role and is on the same path toward success.

4. CULTIVATE A MORE SECURE CULTURE.

The most stringent security policies will still be ineffective if your people don’t take cybersecurity seriously. That’s why it is vital to encourage a more secure culture throughout the entire organization, from entry-level employees to your leadership team.

Establishing a set of organization-wide best practices for cybersecurity can help kick-start a more secure culture. How should employees handle passwords? How will data be backed up? Who will have access to sensitive information? These are the types of questions that should have well-established answers. Create your company’s best practices and publish them in a place where everyone can gain easy access.

Then, ensure that cybersecurity is a key part of training for new employees. If necessary, provide refresher training for all employees once a year or so to remind them of existing cybersecurity policies and to introduce new ones.

5. WATCH FOR EMERGING THREATS.

New cybersecurity threats emerge all the time, and hackers grow increasingly sophisticated every year. That is why it’s important to keep an eye on emerging trends and threats that may impact your network. Even now, your organization’s use of BYOD devices or IoT technology could be exposing the network, or shadow IT systems may be gathering vital information on your customers. It’s important to be aware of these new threats so that you can account for them in your planning.

6. INVEST IN CYBERSECURITY.

Today, there is no denying that enterprises must dedicate a portion of their budgets to cybersecurity. Research shows that the average cost of a single data breach is now $4 million—and that figure grows every year. For some companies, a cyberattack hurts the bottom line (and their reputation) so much that they cannot recover.

But a proactive investment in cybersecurity can shield you from many of the leading cybersecurity risks. A comprehensive approach should include tools such as anti-virus software, firewalls, and cybersecurity training for employees and associates.

7. SCHEDULE ONGOING ASSESSMENTS.

Unfortunately, an initial audit isn’t going to keep your organization secure forever. Be sure to hold regular audits and assessments to continually check for new vulnerabilities and ensure the company is still protected and compliant.

Internal audits are helpful every year or so, while an external assessment can help you gain a more full-fledged picture of your security position. Partnering with a cybersecurity consultant can help you stay up to date on new threats, without having to constantly worry about whether you’re vulnerable.

ADDRESS CYBERSECURITY HEAD ON

IT security threats evolve quickly, and it’s important to stay vigilant of hackers, spyware, and viruses. Centrinet protects your enterprise from cybersecurity threats while ensuring optimal uptime, productivity, and efficiency. We constantly monitor and manage your network using leading tools and partnerships to ensure you are not only well-protected but also achieving the IT performance levels you need in order to be successful.

5 Things to Consider When Creating a High-Availability Architecture Strategy

Handling increased system load, decreasing downtime, and eliminating single points of failure are all crucial needs of any SMB or enterprise IT infrastructure. High-availability architecture is one method that addresses these needs. Since every business is different, the right approach requires careful development of a strategy that is tailored to the business. Here are 5 things to consider when creating that strategy.


It’s Your Cloud: On Privacy and Security

There has been a lot in the news lately about privacy and hacking. Everyone has read about whether Apple should help the FBI gain access to a locked iPhone that was used by terrorists. We also learned about the ransomware attack on a Hollywood hospital that paid $17,000 to get back control of their computer systems.


Regardless of whether Apple provides a backdoor to gain access to an iPhone or if another company’s network gets hacked, one thing is certain:

Integrate the Cloud into Your Business – The Next Web

Don’t miss this great post from San Francisco based blogger Ritika Puri, published last month on TheNextWeb.com.

The benefits of the cloud are clear: these technologies help companies scale efficiently, reduce costs, reinforce security and provide faster services to customers. With many new players entering the cloud market, businesses have a range of options to build their ideal configurations. You can implement the cloud in full or in part. You can even stage your transition to the cloud over a number of years. You’re in control.

Even still, the decision-making process can be challenging. How do you manage initial costs? How do you ensure the same security levels as your on-premise systems. How do you know whether you’re choosing the right provider? Your due diligence process should start with the following questions.


White Paper: HR Firm Gets Shelter from the Storm with Centrinet’s IT Hosting

Resource Alliance, a leading national human resources solutions company, contacted Centrinet after a storm hit in late 2014, causing severe damage and power outages. The outages shut down their main server, prompting them to contract Centrinet for a long overdue environment overhaul. They had been experiencing performance issues with outdated end user devices and failing servers, and were in immediate need of a tailor-made solution.

Learn how Centrinet built a tailored solution to modernize Resource Alliance’s IT – and provide secure and reliable access to their critical business data – all while ensuring oversight and 24/7 IT support for the entire environment.

To read the full white paper, and learn the step-by-step details of the environment build, click here.