networks

All organizations face cyberthreats, but large enterprises face a particularly challenging set of problems. By their nature, larger organizations have many more devices and network points of access to secure. This creates an often unwieldy attack surface to protect.

In addition, larger organizations are often subject to regulatory compliance that requires data and systems controls across their infrastructure. They must also deal with the issue of scale. IT products and services that work well for small and midsize companies may not scale to meet the volumes of data and equipment that must be protected in a large enterprise.

Enter Juniper Networks' JSA Series Secure Analytics, a security analytics and analysis platform designed to meet the needs of larger enterprises.

Analysis for multiple security domains

The JSA Series includes modules to support multiple types of security analytics and analysis. These include models to handle log analysis, threat analysis and compliance reporting.

Log analytics provides tools to collect logs from across an organization and centrally store and analyze their content. This enables both real-time alerting and forensic analysis of events that have occurred in the past.

The threat analytics module spans areas typically covered by network operations and security analytics. By collecting and analyzing information from multiple sources, the module can identify suspicious activities across a range of event types. This kind of broad analytics capability is essential for detecting advanced threats that can occur as a series of steps over extended periods of time. Threat analytics builds on the Secure Analytics platform's capabilities with regard to collecting security logs, host and application logs as well as network application flow logs.

The compliance module helps infosec professionals demonstrate enforcement of policies and procedures required by various regulations. The platform supports reporting for Payment Card Industry Data Security Standard, HIPAA and other broadly applicable regulations.

Analyzing enterprise scale security data

Large enterprises must address the needs of multiple sites of various sizes and with varying types of security requirements. The JSA Series spans a range of deployment options to meet those needs. The product family is available in four different versions.

The JSA3800 and JSA5800 are appliances designed for larger enterprises, while the JSA7500 is designed for carriers and other enterprises with exceptionally large volumes of data. For lightweight deployments, the virtual appliance version may be sufficient, for example.

Because the JSA Series platform employs a distributed architecture, it is possible to start with one appliance and add others as demand grows. In addition to meeting scalability demands, appliances can be configured in hot standby mode to enable rapid failover from a primary appliance to the hot standby.

The JSA Series can be purchased directly from Juniper Networks or through a channel partner. Juniper Networks offers professional services to help with planning, building and deploying the JSA Series.

Conclusion

Security analysis and analytics is challenging, and it becomes even more difficult at enterprise scales. Attackers, meanwhile, may be willing to work slowly in order to avoid detection. And since larger organizations tend to be geographically diverse, multiple data centers and offices require security controls -- such as security analytics and analysis -- to be available to local and remote networks. Enterprises also need continuous security protection from high availability controls that will scale to meet the demands of an enterprise.

Juniper's Secure Analytics platform is designed to meet all of these needs, with components to ingest and analyze a range of data as well as supporting additional compliance requirements. While it may be more than some organizations require -- particularly small and midsize enterprises -- the JSA Series is the kind of product that large enterprises could easily turn to for security analytics and analysis.

Next Steps

Part one of this series explains the basics of security analytics products

Part two examines the use cases for security analytics

Part three looks at how to procure security analytics products

Part four compares the best security analytics products on the market

This was first published in September 2016


SearchSecurity: Security Wire Daily News

For quite a while now, Rapid7 researchers Tod Beardsley and Deral Heiland have been looking for vulnerabilities in various Network Management Systems (NMSs).

With the help of independent researcher Matthew Kienow, they found over a dozen vulnerabilities affecting nine different NMS products: Castle Rock SMNPc, CloudView NMS, Ipswitch WhatsUp Gold, ManageEngine OpUtils, Netikus EventSentry, Opmantek NMIS, Opsview Monitor, Paessler PRTG, and Spiceworks Desktop.

What are Network Management Systems?

Network Management Systems are used for discovering, managing and monitoring various devices on a network (e.g. routers, switches, desktops, printers, etc.). They usually use the Simple Network Management Protocol (SNMP) to format and exchange management messages, and it’s exactly through this protocol that these systems can be attacked.

“These systems are attractive targets for attackers looking to learn more about new environments. A compromised NMS can serve as a treasure map, leading attackers to the most valuable — and perhaps non-obvious — targets, such as the printer that is responsible for payroll runs, or HR’s central server containing personally identifiable information on the employee base,” the researchers noted.

“Besides, why spend time and risk detection by scanning the network from a compromised system controlled by the attacker, when one could just piggyback on a working NMS that’s already designed to monitor the entire network population?”

The vulnerabilities

The vulnerabilities they found can all be exploited through three distinct attack vectors:

  • XSS attacks over SNMP agent-provided data
  • XSS attacks over SNMP trap alert messages (which are sent by SNMP agents to notify the network manager of any status change)
  • Format string processing on the NMS web management console (practically all modern NMSs are managed through them).

The first type of attack can be mounted by introducing a new device on the network. The NMS “discovers” it, and identifies it via SNMP data supplied by it. This data is displayed in the systems’ web-based console and can trigger an XSS attack. This type of attack requires a local attacker to be able to add a malicious device to the network.

The second type can be mounted by injecting Flash into easily spoofed SNMP trap messages that will be delivered to the management console, allowing an XSS attack string to be embedded in it. The attacker must occupy a position on the network.

XSS attack on Network Management Systems over SNMP trap alert messages

The third one can also be launched via spoofed and specially crafted trap alert messages.

For more details about each of the vulnerabilities, consult this blog post.

The good news is that all the found flaws have already been patched, and users of the aforementioned products can download security updates with the fixes.


Help Net Security

A popular brand of smart electrical sockets is plagued by several serious vulnerabilities that expose networks to remote attacks, Bitdefender researchers reported on Thursday.

The affected vendor has not been named since it has yet to release patches for the vulnerable product. The fix is expected to become available sometime in the third quarter of 2016.

Smart electrical sockets allow users to create on/off schedules for their devices, monitor energy usage and prevent overheating. In many cases, these products can be controlled remotely using a mobile application.

The product analyzed by Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau is a smart socket that is installed, configured and controlled using iOS and Android apps available on the App Store and Google Play.

During the setup process, the user is instructed to provide the Wi-Fi credentials needed by the device to connect to the local wireless network. The device is also registered with the vendor’s server through a UDP message containing the device’s name, model and MAC address.

Experts discovered several vulnerabilities, including the fact that the socket’s hotspot is protected by weak, default credentials, and users are not warned about the risks of leaving them unchanged.

Vulnerabilities found in smart socketsAnother problem is related to the fact that the mobile app transfers Wi-Fi credentials in clear text, allowing an attacker to intercept the information. Furthermore, communications between the device and the application go through the manufacturer’s server without being encrypted – the data is only encoded and it can be easily decoded.

According to researchers, the security weaknesses plaguing the product can be exploited by a remote attacker who knows the MAC and default password to take control of the device. This includes making configuration changes (e.g. modifying schedules) and obtaining user information.

While some might argue that a smart socket does not store any sensitive information, the product analyzed by the security firm includes an email notification feature that requires the user to provide their email username and password. If an attacker gains access to the device, they can steal the victim’s email credentials and hack their account.

Experts also found that due to the lack of password sanitization, attackers can inject arbitrary commands into new password requests. This allows them not only to overwrite the root password, but also to open the embedded Telnet service and remotely hijack the device. The method can also be used to install malicious firmware, which gives hackers persistent access to the socket and from there to all the other devices on the local network.

“This type of attack enables a malicious party to leverage the vulnerability from anywhere in the world”, said Alexandru Balan, chief security researcher at Bitdefender. “Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the Internet and bypass the limitations of the network address translation. This is a serious vulnerability, we could see botnets made up of these power outlets.”

Related Reading: Security Pros Show Extensive Distrust of IoT Security

Related Reading: The IoT Sky is Falling - How Being Connected Makes Us Insecure

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

The commonly held belief that ICS/SCADA systems are immune to cyber attacks because they are disconnected from the Internet and the corporate network by an “Air Gap” is no longer true or feasible in an interconnected world. While many organizations will readily admit that the traditional air gap is disappearing, some still believe this is a viable security measure. 

In theory, an air gap sounds like a good strategy. In practice, things are never that simple. Even in cases where an organization has taken every measure possible to isolate their ICS network and disconnect it from the outside world, we have seen cyber threats compromise the perimeter. Meanwhile, even if it were possible to completely air gap an ICS network, insiders still pose a threat.

Whether an organization implements an air gap or not, here are several reasons why ICS networks are at risk. 

The Need to Exchange Files 

Even in air gapped OT environments, files must be exchanged with the outside world. Some examples include software patches, and files from third parties like system integrators, contractors, etc. An adversary can take advantage of this by tricking employees into installing fake software updates and patches, or transferring files that will introduce malware into industrial networks. Earlier this month, ransomware authors distributed a malicious file called ‘Allenbradleyupdate.zip’ that was masquerading as a legitimate update from Rockwell Automation. The ransomware, if successfully installed, keeps the victim’s computer and its contents hostage unless a ransom is paid to the attackers. The threat of control system owners and operators being tricked into installing malware and compromising the ICS network is very real.

Compromised Personal Devices 

ICS/SCADA EnvironmentMany employees connect personal devices to the ICS network, whether it is to charge a mobile phone or transfer files using a USB. Compromised personal devices can introduce malware and expose the network to cyber threats. In a 2011 study, DHS staff deliberately dropped data disks and USB drives in federal agency and contractor parking lots. According to the report, 60 percent of those devices (which could have easily contained malicious code) were inserted into company or agency computers.

In a more recent example, Nintendo issued a limited release of the popular "Pokemon Go" app. Exploiting pent-up demand for the app, attackers seeded third-party app stores with fake versions of the app that took control of the victim’s device. ICS employees are not immune from downloading fake apps and then connecting their infected personal devices to the network, enabling malware to spread and compromise additional assets.

Vulnerabilities and Human Error

Like all networks, ICS environments are susceptible to software and hardware vulnerabilities, as well as design flaws. Since they were not designed with security in mind, they may be at even greater risk than IT networks. Newly discovered vulnerabilities in operational technologies are routinely reported by vendors and security researchers. Yet in most ICS networks, systems aren’t regularly patched.

In some cases, flaws in the network’s architecture or configuration create vulnerabilities that can be exploited by hackers. For example, a temporary remote access connection established for an integrator, if left open, poses a serious security risk. In addition, employees that need to remotely connect to ICS networks, but are not provided with a secure access mechanism, may resort to “creative alternatives” to get their work done. These unintended connections can become infiltration points and expose the industrial network.

The Insider Threat

Since there is no authentication or authorization within ICS networks, trusted insiders (employees, integrators, contractors) within the network have unfettered access to its critical assets. Whether they commit unintentional errors or are disgruntled and willfully cause disruptions, the results can be just as damaging as threats posed by external adversaries (maybe even more so). Even if a network is completely isolated by an air gap, it is not immune to insider threats. The only way to secure this attack vector is through continuous monitoring and better access control.

Connected Technologies and IIoT

As we advance into the next phase of modern manufacturing, connected technologies are increasingly being deployed in the manufacturing sector. Sometimes called the industrial internet of things (IIoT), connected technologies offer many benefits. Smart sensors are being used to automatically improve performance, safety, reliability and energy efficiency. These technologies enable operational managers to check on machines, schedules, inventories, etc. at any time, no matter where they are. This is especially valuable for remote locations, subcontracted manufacturing plants or suppliers’ factories. To take advantage of connected technologies, facilities operators must open their networks, which eliminates the air gap and exposes them to external threats.

Whether ICS networks are air gapped or not, they remain vulnerable to security threats. The single biggest roadblock to ICS security today is the lack the visibility and control into activity that is occurring at the control layer, namely access and changes made to industrial control devices. To detect and respond to security incidents in operational systems before damage can be done requires a new class of monitoring tools that are purpose-built for ICS, not IT, environments. 

Related: Learn More at the 2016 ICS Cyber Security Conference

view counter

Barak Perelman is CEO of Indegy, an industrial cyber-security firm that improves operational safety and reliability for industrial control networks by providing situational awareness and real-time security.

Previous Columns by Barak Perelman:

Tags:


SecurityWeek RSS Feed

Conficker data highlights infected networks
Robert Lemos, SecurityFocus 2009-12-16

Conficker may be under control, but the malicious family of programs is resident on more than 6.5 million computers worldwide, with more than 5 percent of some network's Internet addresses showing signs of infection.

On Wednesday, the ShadowServer Foundation took the wraps off a revamped statistics page, showing how far the three main variants of Conficker have spread and the degree to which the world's networks are infected. More than 12,000 networks, as represented by their autonomous system numbers (ASNs), show signs of infection by Conficker. The ShadowServer Foundation limited their displayed data to the top 500 networks.

"Our major goal is to show how far and wide Conficker has spread and where Conficker really has a foothold," said André DiMino, founder and director of the ShadowServer Foundation.

The team of volunteer researchers, which helped to establish the Conficker Working Group early this year, collects data from its member organizations.

The ShadowServer data groups Conficker into two classes. Conficker A+B consists of the first two variants of the program, which attempt to spread automatically. Conficker C, a variant that appeared in March, has no way to propagate unless it is updated. Overall, the number Internet addresses showing signs of infection by Conficker A+B are increasing, while signs of Conficker C infection are decreasing.

The data shows that, while large countries -- such as China -- have a large number of Conficker-infected machines, proportionally only 1 percent of the IP space of the country's largest network shows signs of infection. On the other hand, large networks in countries such as Vietnam, Indonesia and Ukraine have more than 5 percent of their address space showing signs of infection.

Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm initially spread using a vulnerability in Microsoft Windows and contacted 250 random domains to check for updates. By April, Conficker had morphed into a botnet that maintained peer-to-peer connections, but no longer spread automatically. Where the first versions of the program contacted 250 random domains, the latest version generates 50,000 random domains every day and contacts 500 of them for updates.

Since early this year, the Conficker Working Group has preregistered the domains to block the software from updating itself.

"Every day the security companies spend time and money to register domains," said Tom Cross, a security researcher with IBM's X-Force. "They are doing it altruistically. If they give up because no one cares, and they stop registering those domains, then the bot masters can start using the botnet again."

Yet, despite having infected 6.5 million systems, Conficker is a threat that is largely contained, said DiMino. In early October, the number of Internet protocol (IP) addresses showing signs of infection peaked at slightly more than 7 million, falling since then. Some countries -- such as Brazil -- have focused on identifying and cleaning compromised systems. The ShadowServer data shows that the country has had some success.

"Everyone is talking about Brazil (as a major source of Conficker traffic), but they have been working hard at reducing Conficker," DiMino said.

The ShadowServer Foundation will provide an in-depth report for free to any network operator that contacts them. The reports list the specific IP addressed from which Conficker traffic has been detected.

If you have tips or insights on this topic, please contact SecurityFocus.


SecurityFocus News