Category Archives: Network

How to detect and prevent issues with vulnerable LoRaWAN networks

IOActive researchers found that the LoRaWAN protocol – which is used across the globe to transmit data to and from IoT devices in smart cities, Industrial IoT, smart homes, smart utilities, vehicle tracking and healthcare – has a host of cyber security issues that could put network users at risk of attack. Such attacks could cause widespread disruption or in extreme cases even put lives at risk. Session Keys and Functions in LoRaWAN v1.0.3 Vulnerable …

The post How to detect and prevent issues with vulnerable LoRaWAN networks appeared first on Help Net Security.

What is Network Penetration Testing?


Network Penetration Testing, also known as pen testing or ethical hacking, refers to the practice of identifying vulnerabilities in networks, systems, hosts or other related devices in a controlled environment. The objective of Network Penetration Testing is to identify and plug gaps in a network’s security apparatus before external actors like hackers find them.

Much like white-hat hacking, a network penetration test is a type of external audit commissioned by organizations across sectors. Though similar to a vulnerability assessment, there is a major difference: network penetration testing does not depend on a signature-based approach, which may be outdated and unable to discover real-world vulnerabilities. Instead, it simulates how a real-world attack on the network might unfold. In that sense, it gives organizations a view of their network through the eyes of an attacker and hence a better understanding of their own security posture.

To standardize the approach, network penetration testing normally follows the globally accepted Penetration Testing Execution Standard (PTES), which was developed in 2009. The methodology generally consists of the following steps:

Pre-engagement interactions

At this stage, the scope of the test is outlined and agreed. Other pre-engagement interactions settle the remaining details of testing, analysis and reporting of results.

Intelligence Gathering

This stage focuses on gathering information about the network or system to be tested and the systems it connects to.

Threat Modeling

In this stage, vulnerabilities are identified within the network through automated scans or deep-dive manual techniques.

Vulnerability Analysis

This stage involves the documentation and analysis of vulnerabilities within the network to formulate an attack plan.

Exploitation

This is the stage where the actual exploitation attempt takes place, based on the analysis of the vulnerabilities discovered.

Post Exploitation

In the Post Exploitation phase, further analysis is done of the exploited network to identify other means of access.

Reporting in Network Penetration Testing

This is the stage where findings are analyzed and compiled into a report so that action can be taken.

The cybersecurity industry is undergoing a paradigm shift where the focus for enterprises is rapidly shifting from threat detection to threat prevention. In such a scenario, it is imperative that enterprises have regular network penetration tests to gain a better understanding of their security posture. It is not enough anymore to depend on cybersecurity solutions alone; efforts must be taken to test and ensure cybersecurity stays up-to-date against ever-changing threats.

Red Team Assessments by Seqrite

In this regard, enterprises can consider Red Team Assessments which have been recommended by the Reserve Bank of India, India’s central bank, for banking institutions. In a red team exercise, highly trained security consultants attempt to breach the security of the organization to expose potential physical, hardware, software and human vulnerabilities.

A comprehensive Red Team exercise exposes vulnerabilities and risks regarding:

  • Networks, applications, switches, mobile devices
  • Social engineering (onsite, telephone, email/text, chat)
  • Physical attacks (pen-drive bypass, camera evasion, alarm bypass, Wi-Fi attack etc.)

Red Team Audits are one among various services offered by Seqrite to enable organizations to proactively protect IT assets and respond to cybersecurity threats. Other services offered include Technical Audits, Compliance Audits, Security Management and Security Consulting.

The post What is Network Penetration Testing? appeared first on Seqrite Blog.

SNAKE Ransomware Targeting Entire Corporate Networks

Security researchers have observed samples of the new SNAKE ransomware family targeting organizations’ entire corporate networks. Discovered by MalwareHunterTeam and analyzed by Vitali Kremez, SNAKE is written in Golang and contains a high level of obfuscation. Upon successful infection, the ransomware deletes the machine’s Shadow Volume Copies before terminating various processes associated with SCADA systems, […]

The post SNAKE Ransomware Targeting Entire Corporate Networks appeared first on The State of Security.

What are the different techniques of intruding networks?


Network performance is the key indicator of an enterprise’s productivity and health in these connected times. It is the prerequisite of every business enterprise to maintain a smooth network workflow; however, that is easier said than done. Enterprise networks are susceptible to unauthorized activities in the form of targeted intrusions through vulnerabilities and backdoors.

When such vulnerabilities are exploited, unauthorized access to the network occurs, which can have a range of unpleasant consequences for businesses. These intrusions can harm business health in ways ranging from high utilization of resources to loss of enterprise data.

Cybersecurity teams deployed by enterprises are required to proactively detect and respond to network intrusions. It is imperative that these teams have a detailed understanding of how network intrusions and other types of attacks occur so that detection and prevention systems can be set up with the same in mind.

This understanding begins with identifying the type of attack vector. Network intrusions happen through a variety of techniques, some of which are:

Asymmetric Routing

In this method, the intruder sends packets toward the target device over more than one route. Because the traffic is split across paths, the intrusive packets can bypass sensors that see only part of it and reach their target without being detected.

Taking advantage of vulnerabilities in networks

In many cases, networks are infiltrated through software already present on them, with attackers either exploiting vulnerabilities in it or using stolen credentials. Since every enterprise runs operating systems and other common software, attackers can use flaws in these as vectors for infiltration.

Common Gateway Interface (CGI) scripts

Infiltrators can abuse Common Gateway Interface (CGI) scripts to obtain network files. CGI scripts are used to support connections between Web servers and clients, but attackers can manipulate scripts that do not verify their input so that they hand out files not meant for the Web.
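The check that closes this hole, as an added example written for this page (not Seqrite's code): a CGI-style file handler that resolves the requested name against the web root and refuses anything that escapes it. The web root, file names and request strings below are constructed fixtures, and `resolve_under_webroot` is a hypothetical helper name.

```python
"""Input verification for a CGI-style file handler (added example; hypothetical code)."""
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_under_webroot(webroot, requested):
    """Return the canonical path of `requested` inside `webroot`, or None if it escapes.

    Both sides are resolved to absolute paths (following symlinks) before the
    comparison, so `..` segments, percent-encoded dots, absolute paths and
    symlinks pointing outside the web root are all rejected by the same test.
    """
    root = Path(webroot).resolve()
    # Decode once, as the web server would have before invoking the script.
    name = unquote(requested)
    # A NUL byte would truncate the name in C-based runtimes; never accept it.
    if "\x00" in name:
        return None
    # Drop leading slashes so an absolute request cannot replace the root.
    candidate = (root / name.lstrip("/")).resolve()
    # Acceptable only if the web root is an ancestor of the resolved path
    # and the target is an ordinary file.
    if root in candidate.parents and candidate.is_file():
        return candidate
    return None


def build_demo_webroot():
    """Constructed fixture: a web root with one public file and a secret beside it."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "htdocs"
    webroot.mkdir()
    (webroot / "index.html").write_text("<h1>public</h1>\n")
    (base / "passwd.txt").write_text("not for the web\n")  # outside the web root
    try:
        # A symlink inside the web root that points outside it.
        (webroot / "leak").symlink_to(base / "passwd.txt")
    except OSError:
        pass  # symlinks may be unavailable (e.g. unprivileged Windows); skip
    return webroot


def check_requests(webroot, requests):
    """Label each constructed request 'served' or 'rejected'."""
    return {r: ("served" if resolve_under_webroot(webroot, r) else "rejected")
            for r in requests}


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    verdicts = check_requests(demo_root, [
        "index.html", "/index.html", "../passwd.txt",
        "%2e%2e/passwd.txt", "leak", "index.html%00.jpg",
    ])
    for req, verdict in verdicts.items():
        print(f"{req!r:24} {verdict}")
```

Only `index.html` and `/index.html` are served; the traversal, encoded traversal, symlink and NUL-byte requests are all rejected by the single ancestor test, which is why resolving before comparing matters more than pattern-matching on `..`.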

Protocol Specific Attacks

Devices using common network protocols like TCP, ARP, IP, UDP, ICMP etc. can leave backdoors open for intrusions, e.g. man-in-the-middle attacks.

Network intrusions can commonly be covered up by their controllers to ensure that enterprises are unable to detect them. Attackers use various techniques such as deleting access logs, encrypting stolen data or installing rootkits to ensure cybersecurity teams are unable to detect their activities.

The most effective way for enterprises to prevent and act against network intrusions is to employ an Intrusion Detection/Prevention System. An Intrusion Detection System (IDS) monitors all incoming and outgoing network activity and identifies any signs of intrusion that could jeopardize the business. An Intrusion Prevention System (IPS) goes a step further: it not only detects anomalies on a company’s network but also blocks them. An IPS is an active control mechanism that monitors the network traffic flow, identifying and averting vulnerability exploits in the form of malicious inputs that intruders use to interrupt and gain control of an application or system.

Benefits of Seqrite’s UTM solution

Seqrite’s Unified Threat Management (UTM) offers a one-stop solution for all enterprise security needs which includes intrusion detection and prevention as a standard feature.

UTM’s in-built IDS and IPS components keep enterprises safe by:

  • Monitoring, evaluating and catching threats in real-time
  • Preventing Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks
  • Preventing the discovery of open ports by attackers

Seqrite UTM’s IPS acts as a security barrier against unwanted intrusions into enterprise networks and forestalls a broad range of DoS and DDoS attacks before they penetrate the network.

The post What are the different techniques of intruding networks? appeared first on Seqrite Blog.

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:
This bothered me, so I Tweeted about it.

This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:
What do you think of this architecture?

My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict adversary access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as being malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.
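To make the outbound-control idea concrete, here is an added example (not from the original post, and not any vendor's firewall) that models the decision an egress policy makes for a handful of constructed flow records: partner networks are reachable site-to-site, a couple of ports are open to the Internet, and operators can add the two blocks the paragraph describes, a quarantined compromised host and a designated adversary destination. All addresses, networks and the `EgressPolicy` class are placeholders invented for the example.

```python
"""Egress policy decisions over constructed flow records (added example; hypothetical code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EgressPolicy:
    """Outbound policy: both block lists are consulted before any allow rule,
    so a quarantined host cannot reach even a partner network."""
    internal: list                                   # networks this site owns
    partners: list                                   # partner networks reached site-to-site
    allowed_ports: set                               # ports the general population may reach anywhere
    blocked_dst: set = field(default_factory=set)    # designated adversary infrastructure
    blocked_src: set = field(default_factory=set)    # hosts quarantined as compromised

    def quarantine(self, host):
        """Operator identified `host` as compromised: deny all of its outbound traffic."""
        self.blocked_src.add(ipaddress.ip_address(host))

    def block_destination(self, host):
        """Operator identified `host` as adversary infrastructure: deny traffic to it."""
        self.blocked_dst.add(ipaddress.ip_address(host))

    def decide(self, src, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.blocked_src:
            return "deny", "source quarantined as compromised"
        if d in self.blocked_dst:
            return "deny", "destination designated as adversary infrastructure"
        if any(d in net for net in self.internal):
            return "allow", "internal"
        if any(d in net for net in self.partners):
            return "allow", "partner network"
        if dport in self.allowed_ports:
            return "allow", "permitted outbound port"
        return "deny", "default deny"


# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2018-04-10T12:00:01 10.10.5.20 10.20.0.15 445
2018-04-10T12:00:02 10.10.5.20 198.51.100.7 443
2018-04-10T12:00:03 10.10.7.9 203.0.113.44 8443
2018-04-10T12:00:04 10.10.7.9 192.0.2.10 22
"""


def demo_policy():
    """Placeholder site policy: campus 10.10/16, one partner site, web ports open, one known-bad host."""
    return EgressPolicy(
        internal=[ipaddress.ip_network("10.10.0.0/16")],
        partners=[ipaddress.ip_network("10.20.0.0/16")],
        allowed_ports={80, 443},
        blocked_dst={ipaddress.ip_address("203.0.113.44")},
    )


def parse_flows(text):
    """Split the constructed record format into (ts, src, dst, dport) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        rows.append((ts, src, dst, int(dport)))
    return rows


def evaluate(policy, text):
    """Return (src, dst, dport, action, reason) for every record."""
    return [(src, dst, dport) + policy.decide(src, dst, dport)
            for _, src, dst, dport in parse_flows(text)]


if __name__ == "__main__":
    policy = demo_policy()
    print("before quarantine:")
    for row in evaluate(policy, SAMPLE_FLOWS):
        print("  %s -> %s:%d  %s (%s)" % row)
    # The operator has identified 10.10.5.20 as compromised and directs the firewall accordingly.
    policy.quarantine("10.10.5.20")
    print("after quarantining 10.10.5.20:")
    for row in evaluate(policy, SAMPLE_FLOWS):
        print("  %s -> %s:%d  %s (%s)" % row)
```

Before the quarantine, the first two flows are allowed (partner network, permitted port), the third is denied as adversary infrastructure and the fourth falls to default deny; after the operator quarantines 10.10.5.20, its partner and web traffic are denied too. The point of the ordering is that operator-supplied blocks, the mechanism the paragraph describes, override every standing allow rule.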

As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

Implementing these non-firewall-based security choices requires a high degree of diligence, which requires visibility. I did not see this emphasized in the NSRC presentation. For example:

These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.

I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhanced monitoring for the networks discussed above, and think carefully about enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.