Network Critical - The Window to your Network

Losing by Default


In sports if one team does not have enough players to field a team they lose by default. In a court of law, if the defendant or the plaintiff does not show up they lose by default. This is the easiest win for the victorious party. Not a drop of sweat was produced. There was no risk of injury or embarrassment. The only thing the victors had to was show up and they get to notch a “W” on their record or take home the trophy.

This is also the most disappointing loss for the party on the other side. They may have had other priorities. They may have forgotten the date of the contest. They may have been stuck in traffic. No matter the reason, they still lose. In amateur sports the loss is mostly pride and bragging rights at the local pub. In court, the loss could be costly in property or currency. In many cases, the loss could have been prevented had the loser been more diligent in managing their calendar or more focused and committed to the contest.

What does this have to do with cyber security or data breaches? The moral of this story is that cyber criminals are being handed default wins every day. They must be saying, “I can’t believe how easy this is!” It is easy because those in charge of safeguarding their critical network infrastructure and its contents are not as focused, diligent and committed as they could be/should be. Here is one important example that is exploited often but is easy and inexpensive to fix.

Default Username and Password
Default username and passwords are used by manufacturers to allow initial access to system hardware and software for the purpose of initial configuration or to restore after resetting the system to its factory default settings.

A Tripwire study concluded that 30% of IT professionals and 46% of users do not change passwords from the manufacturers default setting. This is a dangerous practice as all of the manufacturers default settings are available on the internet to anyone who knows how to search “default settings!”

What is worse is that these initial user name and password settings generally provide full administrative access privileges. This means that with these passwords the hacker will have total access to the system, be able to change settings IP addresses.

An Interesting Conundrum
Computing and networking is no longer the singular domain of the IT department. With BYOD, multiple device access, and a panoply of applications running in the business world, network access is the required of nearly every worker. So, the company that believes the network is secure because the IT department is skilled and savvy is wrong. Every employee who has access to email, web and other corporate applications needs to be educated on network security protocol and be diligent with their access privileges.

Changing from default settings to a strong user name and password immediately upon accessing any new device is a critical step in keeping hackers our of the network. The conundrum is this…a simple password is easy to remember, easy to enter and, therefore convenient for the user. A strong password is hard to remember, difficult to remember and a pain in the backside for the user. So, what will the typical user do when forced to create strong passwords? They will write the password down on a post it note or enter it in the notes section of their device. In other words they will make the password easy for hackers to find. Thus the strong password now becomes a weak password.

Solutions?
There are password technologies such as Single Sign On and LDAP that can assist users with access while providing strong password protection. Network security training on a consistent basis with all employees (not just computer related functions) is another important step. Employees need to understand that strong passwords are inconvenient but necessary and entering passwords in notes, pretty much defeats their purpose.

Regardless of password strength, changing from the default password to a new, unique password is still better than taking no action. No one should allow a globally published default password to control access to the corporate network.

Final Note
Regardless of how good your password policy, how hard you train employees, and how severe of the consequences for policy violation, there will be a sub-set of employees who opt for the convenient rather than the secure option. It is important for networks to have perimeter network protection such as Next Generation Firewalls with Intrusion Prevention, Data Loss Protection and other access security appliances protecting the network.

Posted: 28/04/2017 14:49:12 by Network Critical with 0 comments

Enter The Drag-n


Do you remember the 1973 Bruce Lee movie Enter The Dragon? The movie opens with a martial arts competition. The competition is fierce and brutal. During the competition, our hero discovers a dark underbelly of unsavory activity. As the fight to clean up the mess progresses, more and more challenges confront the good guys. The stakes are high and there is no room for failure.

This scene may also sound familiar if you have ever tried to deploy security or analysis appliances with TAPs using Command Line Interface (CLI) or a typical GUI with a hierarchical structure. At first, things don’t seem so bad. Perhaps you are attaching a sniffer to look at email traffic. No problem. You enter the string of commands to filter all traffic except email, connect the appliance, and done. Everything is working well until your boss comes in and says, “We need to monitor web traffic more closely.” Then he comes back in a half hour and says, “I am concerned about ransomware vulnerability. We also should add on some Data Loss Protection and Intrusion Prevention Systems. Complete network security is our top priority!”

You call your local VAR and purchase some of the best performing security appliances. Now, it is time to deploy and you realize you have already filtered out all the traffic downstream from the email analysis device you just installed. Now, none of the new appliances can see any of the packets they need to do their job. No problem, just reprogram the TAP.

This is where things become very interesting. With hierarchical devices, once you have filtered certain types of packets, you can not get them back. So now you have to take all your appliances and write a detailed mathematical plan. What appliances need to see what packets? Then create the hierarchy so that packets that are filtered out early are never required by another appliance downstream. Also, you don’t want to send too much information to the upstream appliances reducing their efficiency. This is a difficult and time consuming task that gets more complex as more appliances are needed.

You are smart, however, and work your way through it with a well thought out and very detailed filtering and port-mapping plan. After you deploy it and test for accuracy you will find some issues where you have blocked data that should have been passed. You re-write the plan and fix the bugs. Turn it all up and it works! As you are celebrating with a half-caf latte, your boss comes in and has an idea. “Here is a data sheet on a new appliance that actually learns traffic patterns and can help prevent attacks before they cause network damage. I want you to add that to our security stack.” You suddenly realize that you have to re-write your filter and port map plan from the beginning because the hierarchy must be pure end-to-end.

Enter the Drag ’n…or Drag-n-Vu™ that is. Network Critical has defeated the dreaded hierarchy. Through years of brutal research and development, Network Critical engineers have created a TAP and Packet Broker deployment plan that does all the math for you in the background. This new program provides independence from complex hierarchical commands with the simplicity of drag and click mapping.

With Drag-n-Vu™, there are no commands. There is no hierarchy. Instead, there is a clear visual map of the ports. The network administrator simply decides which network tool plugs into which port, then drags the cursor from the input ports to the output ports. Filters are simply created and stored so they can be dragged and dropped to whatever port combinations are needed. Best of all, the filters are independent. For example, if http traffic is filtered out in map number one but required in map number two…no problem. Different traffic types can be filtered and reused anywhere in the process and as many times as needed. This ingenious new development not only simplifies deployment planning and installation, it also allows for simple and fast changes. In the tech world, changes happen quickly so it is critical to be able to be able to adapt to changes with utmost efficiency.

Drag-n-Vu™ also improves accuracy, reducing the potential for mapping errors that can drop links or create bottlenecks. With simple drag and drop deployment, it is easy to see what traffic is going where so the plan is deployed with complete confidence the first time. In fact, the process is so simple, it actually can be managed by network administrators, freeing up engineers for other more complex tasks. This saves OPEX in a budget-conscious world.

Since the entering of the Drag-n-Vu™ by Network Critical, the dark and looming menace of hierarchical port mapping and filtering has been defeated. The bright and colorful graphical user map from Network Critical is the bright star of security and appliance deployment. You can see the trailer to the Drag-n-Vu™ movie at www.networkcritical.com.

Posted: 12/04/2017 21:10:52 by Network Critical with 0 comments