Friday, June 14, 2024

Securing Small Businesses: A Roadmap to Continuity and Confidence

In an ever-expanding world of cyberspace, the prevalence of cyber-attacks grows daily. Allocating budgetary resources to network and cybersecurity remains a pressing concern for many businesses, often accompanied by the question: "Who would target us, and why?!"

The challenge small businesses face lies in establishing robust protective measures. Where should one begin, and what are the most viable approaches for IT and security engineers to safeguard the business while fostering growth? Identifying those responsible for delineating a secure network is paramount.

In today's environment, security is intrinsically linked to business continuity. The repercussions of a breach—whether financial, reputational, or legal—can be devastating to enterprises of any size. The last thing any business desires is the loss of revenue or customers. We recall the significant impact on SolarWinds, whose stock value plummeted by 22% following the revelation of a breach according to Washingtonpost.com.

As IT and network security professionals, it is important to think creatively and break free from limitations and obstacles, whether financial or administrative, to provide a better service to your customers and a more secure IT environment that supports business continuity.

To make things fall into place and have a starting point, let us develop a working model that simplifies a high-level policy to follow, one that can improve day-to-day responsibility and improve security. Let's name it "TSSA", which encompasses the following components:

 

· Training and Spreading Awareness: collaborate with other organisations to educate new hires about email security, such as phishing and spam risks. Training levels should differ according to the employee's job role in the company; this implies that IT staff should also receive the training and set their network safety policies to protect the business and reduce incidents.

· Scanning: utilize open-source tools such as Nikto and Nmap, which are very useful and require no license, to scan your networks and systems and create network vulnerability assessment reports; the findings are fixed in a later step.

· Securing: following the scanning step, we work through the resulting report. It should include a list of open ports, each representing an open service that can be a potential risk, and any unused port must be closed. It also lists the vulnerabilities found during the scan, which might be outdated software that requires patching, or a risky software version identified and listed in CVE databases.

· Auditing: conduct periodic audits; how often depends on the network size and type. Dissect and identify the auditing aspects, starting with a review of access, privileges, open ports, and allowed internet access for servers and perhaps even users, along with related aspects.

TSSA Cycle

Spreading awareness should be an ongoing process that includes regularly sending internal emails to educate users about the latest threats and phishing examples. Subscribing to security emails from the services you use is also a good way to stay alert to news and updates. Users should be advised to avoid clicking on links from unknown senders and to exercise caution with links from known senders when the emails appear unusual or unexpected.

 

According to the NCSC, a financial sector company of around 4,000 employees received 1,800 emails that contained several variants of malware. The email claimed to be an invoice that needed urgent attention, which was relevant to the role of some of the recipients. It was not targeted at individual users with personal information, but was well written, with good spelling and grammar.

It takes one piece of malware to cause chaos, so using a threat modeling method like STRIDE to model the threats targeting your business, identify your assets, understand how they can be targeted, and work out how to prevent these attacks and safeguard your systems is crucial.

 

In conclusion, cyber security is an expanding universe within the IT world we live in. We need to set a starting point and work proactively to protect and enhance network and systems security regardless of financial, administrative, or other blockers, and shift the focus to working with the available resources, or even creating your own tools with Python cyber security libraries or through the use of open-source tools.



Saturday, October 14, 2023

Automating Network Configurations with Jinja2 and Python: A Step-by-Step Guide

In this post, I put together code that works with a Jinja template.


The nice thing about working with Jinja is that you can have baseline configs that are used for all devices and also have variables that change according to your needs.


For example, on each device, which can be a router, you will have:

1. southbound links to switches; let's assume the interface used for this is G1/0/48
2. NTP servers to be configured on these routers
3. hostnames
4. a routing protocol
etc.


All of these can be variables in the Jinja template, which we can use along with Python to generate configs, and maybe later even push them to network nodes.

This can automate our work; in the long term it makes our job easier and more consistent.


Let's start by making a directory which we can call routers_configs.

In this directory we will have three files:

1. The Jinja file, which is our router config template. The file name is cisco_template.j2. As you can see in the template below, you can have a complete configuration file ready and mark the parts you want replaced from your CSV file with {{ variable }}, as below:

hostname {{ router_name }}
ntp server {{ ntp_ip }}
interface loopback 0
ip address {{ ip_address }} 255.255.255.255
router {{ routing_pro }}
int gig {{ int_number }}

2. The device information, which can be a CSV file where you have saved your list of new devices and the information to be applied to them; the Python code below reads it as info.csv. The file looks like the following, with commas separating the fields:

router-bgd, 192.68.1.2, 2.2.2.2, ospf 1, 1/0/48
router-suly, 172.16.1.1, 1.1.1.1, ospf 1, 1/0/48
rtr-erbil, 10.0.0.1, 1.1.1.1, ospf 1, 1/0/48
router-bgd2, 192.68.1.3, 2.2.2.2, ospf 1, 1/0/48
router-suly2, 172.16.1.2, 1.1.1.1, ospf 1, 1/0/48
rtr-erbil2, 10.0.0.2, 1.1.1.1, ospf 1, 1/0/48

3. The Python code that we will use to render the information from these two files and write the configs to a separate text file for each device. We will name the file ciscojinja.py.

import csv
from jinja2 import Environment, FileSystemLoader
# these imports are always needed

file_loader = FileSystemLoader('.')  # look in this directory to find the jinja template

# load the environment
env = Environment(loader=file_loader)

template = env.get_template('cisco_template.j2')  # find the jinja file and load it

with open('info.csv', newline='') as info_source:
    # skipinitialspace drops the space after each comma, so "router-bgd, 192.68.1.2"
    # gives "192.68.1.2" and not " 192.68.1.2" in the rendered config
    csv_file = csv.reader(info_source, skipinitialspace=True)
    for row in csv_file:
        if not row:  # skip empty lines in the CSV
            continue
        csv_router_name = row[0]
        csv_ip = row[1]
        csv_ntp_server = row[2]
        routing_protocol = row[3]
        interface_slot = row[4]
        output = template.render(router_name=csv_router_name, ip_address=csv_ip,
                                 ntp_ip=csv_ntp_server,
                                 routing_pro=routing_protocol,
                                 int_number=interface_slot)  # these names must match the jinja template variable names
        with open(csv_router_name + '.txt', 'w') as configs:
            configs.write(output)






When you run the Python code, you will notice that new text files are generated containing the configuration rendered from the CSV data.
You can copy these and iterate on whatever else you need. Next, more Jinja templates will be added for specific parts of the configs, for example a Jinja template for BGP configs only, OSPF only, or ACLs and prefix lists.
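As an added example (my own code, not the ciscojinja.py from this post), here is the same template and CSV layout with two checks that matter once the generated files go onto real routers: every CSV row is validated before rendering (field count, hostname characters, since the hostname also becomes the output file name, and that the IP columns really are IP addresses), and the template is rendered with StrictUndefined so a variable the CSV does not supply fails loudly instead of leaving a blank in the config. missing_variables() lists such gaps up front. The template is embedded as a string and the CSV rows are constructed so the example runs without any files.

```python
import csv
import io
import ipaddress
import re
from jinja2 import Environment, StrictUndefined, meta

# The post's template, held as a string so this example needs no .j2 file.
TEMPLATE = """hostname {{ router_name }}
ntp server {{ ntp_ip }}
interface loopback 0
ip address {{ ip_address }} 255.255.255.255
router {{ routing_pro }}
int gig {{ int_number }}
"""

# Column order of the post's CSV: hostname, loopback IP, NTP server, routing process, interface.
COLUMNS = ["router_name", "ip_address", "ntp_ip", "routing_pro", "int_number"]

# Constructed sample rows with the same shape as info.csv.
SAMPLE_CSV = """router-bgd, 192.168.1.2, 2.2.2.2, ospf 1, 1/0/48
router-suly, 172.16.1.1, 1.1.1.1, ospf 1, 1/0/48
"""

HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,62}")


def load_rows(csv_text):
    """Parse CSV text into dicts keyed by template variable name, rejecting bad rows."""
    rows = []
    reader = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not row:
            continue  # blank line
        if len(row) != len(COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} fields, got {len(row)}")
        data = dict(zip(COLUMNS, (field.strip() for field in row)))
        # The hostname is reused as the output file name, so keep it to a safe character
        # set; a value containing path separators would otherwise end up in the file path.
        if not HOSTNAME_RE.fullmatch(data["router_name"]):
            raise ValueError(f"line {lineno}: bad hostname {data['router_name']!r}")
        for key in ("ip_address", "ntp_ip"):
            try:
                ipaddress.ip_address(data[key])
            except ValueError:
                raise ValueError(f"line {lineno}: {key} {data[key]!r} is not an IP address") from None
        rows.append(data)
    return rows


def csv_problems(csv_text):
    """Return the first validation error message, or None when every row is acceptable."""
    try:
        load_rows(csv_text)
    except ValueError as exc:
        return str(exc)
    return None


def missing_variables(template_text, supplied):
    """Template variables that the supplied column names do not cover (checked before rendering)."""
    env = Environment()
    return meta.find_undeclared_variables(env.parse(template_text)) - set(supplied)


def render_configs(template_text, rows):
    """Return {hostname: rendered config}; StrictUndefined turns a missing variable into an error."""
    env = Environment(undefined=StrictUndefined, keep_trailing_newline=True)
    template = env.from_string(template_text)
    return {row["router_name"]: template.render(**row) for row in rows}


if __name__ == "__main__":
    for name, config in render_configs(TEMPLATE, load_rows(SAMPLE_CSV)).items():
        with open(name + ".txt", "w") as fh:
            fh.write(config)
```

Run missing_variables(TEMPLATE, COLUMNS) whenever you add a new template (BGP-only, ACLs, and so on): an empty set means the CSV columns cover every {{ variable }} in it, and anything else is a column to add before the first device is rendered.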


Hope this is helpful.






Monday, October 2, 2023

Using Python and Netmiko to Access and Retrieve Palo Alto Firewall Data

In this post, I will be using the Python code below to log in to my Palo Alto firewall using Netmiko.
The code defines two functions that we will use to get the information we need from the firewall.
Note that you can replicate the function to add other commands (net_connect.send_command)
and print the output, and you can also add more IP addresses,
for example pan2_ip and pan3_ip; then you only need to repeat the last two lines of the code:
pan2_int = get_int(pan2_ip)
print(pan2_int)
import netmiko

pan_ip = '192.168.1.250'

# credentials are hard-coded here for the demo
username = 'python'
password = 'python1234'
device_type = 'paloalto_panos'  # this must be one of the types supported by Netmiko
port = 22

# get the system information of the PAN-OS device
def get_info(ip):
    net_connect = netmiko.ConnectHandler(ip=ip, device_type=device_type,
                                         username=username, password=password, port=port)
    output = net_connect.send_command('show system info')
    net_connect.disconnect()  # close the SSH session once the output is captured
    return output

pan_info = get_info(pan_ip)
print(pan_info)

# get the interface/IP information of the PAN-OS device
def get_int(ip):
    net_connect = netmiko.ConnectHandler(ip=ip, device_type=device_type,
                                         username=username, password=password, port=port)
    output = net_connect.send_command('show interface all')
    net_connect.disconnect()
    return output

pan_int = get_int(pan_ip)
print(pan_int)
# end
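The code above prints the raw text that send_command() returns. As an added example (not from the original post), here is what I would do with that text next: parse the 'key: value' lines of 'show system info' into a dictionary, then check the firewall's software version against the minimum your patch policy requires and produce a one-line inventory entry. The sample output below is constructed in the shape of PAN-OS 'show system info' output, not captured from a device; feed it the string returned by get_info() in practice.

```python
# Constructed excerpt shaped like PAN-OS 'show system info' output; not from a real device.
SAMPLE_SYSTEM_INFO = """
hostname: PA-LAB
ip-address: 192.168.1.250
netmask: 255.255.255.0
default-gateway: 192.168.1.1
model: PA-220
serial: PLACEHOLDER-SERIAL
sw-version: 10.1.3
app-version: 8512-7012
uptime: 12 days, 3:04:11
multi-vsys: off
"""


def parse_system_info(text):
    """Turn 'key: value' lines into a dict; splits on the first colon only,
    so a value such as the uptime keeps its own colons."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # banners, blank lines, prompts
        key, value = line.split(":", 1)
        info[key.strip()] = value.strip()
    return info


def version_tuple(version):
    """'10.1.3' -> (10, 1, 3); a hotfix suffix such as '10.1.3-h1' is ignored for comparison."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def check_minimum_version(info, minimum):
    """True when the firewall's sw-version is at least 'minimum' (the version your patch policy requires)."""
    return version_tuple(info["sw-version"]) >= version_tuple(minimum)


def inventory_line(info):
    """One line per firewall for an inventory or audit report."""
    return (f"{info['hostname']} {info['model']} {info['ip-address']} "
            f"sw={info['sw-version']} uptime={info['uptime']}")


if __name__ == "__main__":
    # In the post's script this would be: info = parse_system_info(get_info(pan_ip))
    info = parse_system_info(SAMPLE_SYSTEM_INFO)
    print(inventory_line(info))
    print("patched to policy:", check_minimum_version(info, "10.1.6"))
```

Looping this over a list of firewall IPs gives you the inventory and the list of devices behind on patches, which is the Auditing step of the TSSA cycle done with a few lines of Python rather than by reading each device's output by eye.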

Sunday, September 17, 2023

Creating a Simple Ping Monitoring Tool with Bash Scripting

The code below can be created as a shell script on a Linux or Mac machine. You can use it to ping a list of IP addresses, and you can also add other features, like running the script periodically and emailing the result to your business email.

I like using Bash scripts because they require nothing but a Linux machine, unlike Python, which requires installing Python and knowing how to write and run the code.

Steps:

Open Terminal and use $vi pingtool.sh

#!/bin/bash
# this is a ping tool that sends 1 ICMP packet to each remote host and reports whether the host is up or down
for i in 4.4.2.2 google.com facebook.com bbc.com playstationstore.com  # add more hosts here if needed
do
    echo -e "\033[0;36m The Script is Running.......Please wait"
    echo -e "\033[0;36m CHECKING $i STATUS"
    ping -c 1 "$i" > /dev/null 2>&1
    if [ $? -gt 0 ]; then # if ping failed (its return code was not 0), print the message below
        echo -e "\033[1;31m NOT REACHABLE SITE MIGHT BE DOWN"
    else
        echo -e "\033[1;32m HOST $i IS UP"
    fi
done
echo -e "\033[0;36m &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
echo -e "\033[0;36m &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
echo -e "\033[0;36m &&&&&&&&&&& ALL CHECKS ARE DONE &&&&&&&&&&&&"
echo -e "\033[0;36m &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
echo -e "\033[0;36m &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
echo -e "\033[0m" # reset the terminal colour so the prompt is readable again


Now, to run the script above, you just need to use the following:
./pingtool.sh
If you have a problem running it, give the script permission to be executable by using $chmod u+x pingtool.sh


let's run it:


Note: if you want to edit the host list, vi pingtool.sh, add or remove hosts, then save and exit.
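The post mentions two extensions, running the check periodically and emailing the result. As an added example (my own code, not the pingtool.sh above), here is the same idea structured for that: the probe is a function you can swap out, the results carry a timestamp, and format_report() produces lines that work both as a log file and as an email body, unreachable hosts first. ping_once calls the system ping command, so it behaves like the Bash version; the hosts in the test are made-up names.

```python
import datetime
import platform
import subprocess
import sys


def ping_once(host, timeout=5):
    """Send one ICMP echo request with the system ping; True when the host replied."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        done = subprocess.run(["ping", count_flag, "1", host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False  # no answer within the timeout, or no ping binary on this box
    return done.returncode == 0


def check_hosts(hosts, probe=ping_once, now=None):
    """Probe every host once and return [(timestamp, host, 'UP' or 'DOWN'), ...].
    'probe' is injectable so the reporting logic can be tested without network access;
    'now' is an optional preformatted timestamp string for the same reason."""
    stamp = now or datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    return [(stamp, host, "UP" if probe(host) else "DOWN") for host in hosts]


def down_hosts(results):
    """Names of the hosts that did not answer."""
    return [host for _, host, status in results if status == "DOWN"]


def format_report(results):
    """Lines for a log file or an email body: unreachable hosts first, then a summary line."""
    ordered = sorted(results, key=lambda r: r[2] != "DOWN")  # DOWN rows sort first, order otherwise kept
    lines = [f"{stamp} HOST {host} IS {status}" for stamp, host, status in ordered]
    lines.append(f"{len(down_hosts(results))} of {len(results)} hosts unreachable")
    return lines


if __name__ == "__main__":
    # Usage: python3 pingmon.py host1 host2 ...   (defaults to the hosts from the Bash version)
    targets = sys.argv[1:] or ["4.4.2.2", "google.com", "facebook.com", "bbc.com"]
    results = check_hosts(targets)
    print("\n".join(format_report(results)))
    sys.exit(1 if down_hosts(results) else 0)  # non-zero exit lets cron or a wrapper script alert
```

Because the script exits non-zero whenever a host is down, a crontab entry such as 0 * * * * /usr/bin/python3 /opt/pingmon.py >> /var/log/pingmon.log 2>&1 (paths are hypothetical) gives you the hourly log, and a wrapper can mail the output only on a non-zero exit instead of on every run.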

Friday, September 15, 2023

Automating Firewall Access with SSH Keys for Seamless Network Management







In this post we are going to talk about how to log in to the firewall using a public key generated on your Linux machine (network jump box), which is useful when you want to push scripts to the firewall without needing to authenticate with a username and password. Let's go:


1. generate the key

samer@Samers-MacBook-Pro ~ % ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/samer/.ssh/id_rsa):
/Users/samer/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): press enter
Enter same passphrase again: press enter
Your identification has been saved in /Users/samer/.ssh/id_rsa
Your public key has been saved in /Users/samer/.ssh/id_rsa.pub


Here you have created the key on your machine, and you can check it with the command $ls ~/.ssh/, which lists the generated keys in your hidden .ssh directory.

samer@Samers-MacBook-Pro ~ % ls ~/.ssh
id_ed25519 id_ed25519.pub id_rsa id_rsa.pub known_hosts

Now you need to copy the public key to the server, firewall or router you want to access, which you can do using:

1. SCP, or

2. importing it on the firewall using the GUI.



press OK, then COMMIT.

Now you can check access. As you can see in the image below, the user we used to access the firewall was api; if you don't specify the user, the terminal will use your machine's user name, which in this case is "samer", and authentication will fail. So we will use the same user "api", but no password will be prompted:



So the main idea here is that network automation is important, and it is recommended that you use a Linux machine as a jump box for the scripts and code that do your automation and programming tasks.

It is therefore better to use the generated SSH keys to log in to devices; this makes running automated tasks easier and does not require entering a user and password (for example, no need to input a password for Netmiko while running a Python script).

Running cron tasks also becomes easier, while access remains secure.
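As an added check for the "copy the public key to the firewall" step (example code, not from the original post): before pasting a public key line into the device GUI, confirm the line is intact and that the key type declared at the start matches the type embedded inside the base64 blob. A line truncated or mangled in copy and paste is a common reason key login quietly fails and the password prompt comes back, which is exactly what an unattended cron job cannot answer. make_test_pubkey_line builds a key-shaped blob from constructed bytes purely for the test; it is not a key generator, and the comment api@jumpbox is made up.

```python
import base64
import binascii
import hashlib
import struct

# Key types this check accepts for a device's "public key" field.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_test_pubkey_line(key_type, key_material, comment="api@jumpbox"):
    """Build a public-key line from constructed bytes for testing (not a real key)."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_material)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def validate_pubkey_line(line):
    """Check a one-line OpenSSH public key (the contents of id_*.pub) before pasting it into a device.
    Returns (ok, detail): detail is the key type on success, or the reason on failure."""
    fields = line.strip().split()
    if len(fields) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = fields[0], fields[1]
    if key_type not in ALLOWED_TYPES:
        return False, f"unsupported key type {key_type!r}"
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False, "base64 body is corrupt or truncated"
    if len(blob) < 4:
        return False, "key blob too short"
    # The blob starts with the key type as an SSH string; it must agree with the declared type.
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length]
    if len(embedded) != length or embedded.decode(errors="replace") != key_type:
        return False, "declared type does not match the key blob"
    return True, key_type


def fingerprint(line):
    """SHA256 fingerprint in the format 'ssh-keygen -l' prints, to compare with what the device shows."""
    blob = base64.b64decode(line.split()[1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest


if __name__ == "__main__":
    import sys
    # Usage: python3 checkkey.py ~/.ssh/id_ed25519.pub
    with open(sys.argv[1]) as fh:
        pubkey_line = fh.read()
    print(validate_pubkey_line(pubkey_line), fingerprint(pubkey_line))
```

Run it against the .pub file before the import, then compare the printed fingerprint with the one the device displays after the commit; a mismatch means the wrong key or a damaged paste went in.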


hope this was helpful.





Thursday, September 14, 2023

Fetching Firewall Data Using cURL and Postman for API Access

You can use curl from your terminal, for example:

samer@Samers-MacBook-Pro ~ % curl -X GET 'http://192.168.1.250/api/?type=op&cmd=<show><system><info></info></system></show>' -u "api:password@199"

Note that with -u, the two words api and password@199 are the username and password used to authenticate the session while fetching data from the firewall with curl.


Or, you can use the Postman app.
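As an added example (not from the original post), here is the same API call built in Python with the standard library: build_op_request() percent-encodes the <show><system><info>...</show> command into the query string the way curl's URL does, and sends the same user:password pair as a Basic Authorization header, which is what curl -u does. parse_op_response() then turns the XML reply into a dictionary and raises on an error status instead of silently returning nothing. The two response strings are constructed to match the shape of the XML API's replies, not captured from a device, and the example defaults to https whereas the curl command above used http; change scheme="http" if your lab firewall has no certificate.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SHOW_SYSTEM_INFO = "<show><system><info></info></system></show>"


class ApiError(Exception):
    """Raised when the firewall answers with status='error'."""


def build_op_request(host, cmd_xml, user, password, scheme="https"):
    """urllib Request for the XML API's operational-command endpoint (built, not sent).
    urlencode percent-encodes the XML so '<', '>' and '/' survive inside the query string."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml})
    request = urllib.request.Request(f"{scheme}://{host}/api/?{query}", method="GET")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", "Basic " + token)  # equivalent of curl -u user:password
    return request


# Constructed responses in the shape of the XML API's replies (not captured from a device).
SUCCESS_XML = ('<response status="success"><result><system>'
               '<hostname>PA-LAB</hostname><model>PA-220</model><sw-version>10.1.3</sw-version>'
               '</system></result></response>')
ERROR_XML = ('<response status="error" code="403"><result><msg>Invalid credentials.</msg>'
             '</result></response>')


def parse_op_response(xml_text):
    """Return {tag: text} for the <system> element, or raise ApiError on an error status."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        message = root.findtext("result/msg") or root.findtext("msg/line") or "unknown error"
        raise ApiError(f"API returned {root.get('status')} (code {root.get('code')}): {message}")
    system = root.find("result/system")
    if system is None:
        raise ApiError("no <system> element in response")
    return {child.tag: (child.text or "").strip() for child in system}


def response_status(xml_text):
    """('success', None) or ('error', message) without raising; handy inside a polling loop."""
    try:
        parse_op_response(xml_text)
        return "success", None
    except ApiError as exc:
        return "error", str(exc)


def fetch_system_info(host, user, password, timeout=10):
    """Send the request to a real firewall and return the parsed <system> fields."""
    request = build_op_request(host, SHOW_SYSTEM_INFO, user, password)
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return parse_op_response(resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration on the constructed replies; use fetch_system_info() against a device.
    print(parse_op_response(SUCCESS_XML))
    print(response_status(ERROR_XML))
```

The parsed dictionary is the same data the Netmiko post retrieves over SSH, so a script can use either path; the API version gives you structured XML rather than screen text to parse.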



How to change Cisco FTD Command Line from ">" to the classic command line of Cisco ASA?

This is going to be a very short post.

Simply, when you log in to the FTD and see the command prompt as ">", issue the following command:

> system support diagnostic-cli


After this, you will be switched to the classic command prompt of the Cisco ASA.


