Posts Tagged ‘encryption’

Editor’s Note: This is part two in a three-part series on remote access in harsh environments. Part one of the series details the emergence of harsh environment threats.

By Patrick Oliver Graf, General Manager NCP engineering

Risks of Outdoor Access Points

Another common weak spot for all SCADA systems is their insufficiently secured remote access functionality. Through it, an attacker might be able to access and manipulate these components via a telnet or http connection. A lot of producers further facilitate hacking by “protecting” their systems with standard passwords the user can’t change — yet, it’s relatively easy for an attacker to figure out these hard-coded passwords.

On top of this, hackers particularly like systems that transfer data via wireless LAN connections. In fact, many companies currently use such outdoor Wi-Fi networks on their premises. And while security experts repeatedly advise Wi-Fi network users to secure their connections with encryption protocols, like WPA2, even this does not ensure absolute security. Moreover, it’s as easy as searching the Internet to find instructions and tools for hacking such access points. Generally, it takes just several hours to hack encrypted Wi-Fi networks. But especially with outdoor Wi-Fi systems, it is fairly easy for a hacker to record and assess data traffic with hardly any risk at all.

And the major problem is that a successful attack on controlling and regulating devices frequently makes other areas of the targeted corporate network vulnerable. This happens because there is no absolute separation between regulation and control networks and the corporate intranet. To put it bluntly, hackers who manage to access a PLC are also able to use the industrial Ethernet infrastructure and work their way through to customer or financial data.

Stay tuned for the final post in this series in which Patrick offers a solution for dealing with harsh environment threats.

*Editor’s Note: These columns originally appeared in TechTarget’s SearchEnterpriseWan.com

By Rainer Enders, CTO of Americas for NCP engineering

The simplest way to do this is to act like a hacker. Snoop around the network traffic, either on the device itself or a port on the network. In the case of IPsec, for example, you would see encapsulating security payload (ESP) frames (Protocol 50).  Yet, when you look inside the packet payload, you will only see garbled characters — no clear text at all. Network snooping tools are easily available on the Internet and are simple to use. Of these, Wireshark is probably the most popular tool. You may find this resource on how to do penetration testing on your VPN useful.
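The check described above can be automated. The following is an added example, not code from the original column: it parses raw IPv4 packets, confirms the protocol field is 50 (ESP), and measures whether the ESP payload is opaque or still readable. It goes slightly beyond the text by flagging ESP frames whose payload is readable (for instance a tunnel negotiated with null encryption). The function names, thresholds and sample packets are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

ESP_PROTO = 50  # IP protocol number for ESP, as named in the text

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, LF or CR."""
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return ok / len(data) if data else 0.0

def inspect_ipv4(raw: bytes) -> dict:
    """Parse one IPv4 packet and report whether its payload looks protected."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                     # header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto, body = raw[9], raw[ihl:total_len]
    if proto != ESP_PROTO:
        return {"verdict": "not-esp", "proto": proto}
    if len(body) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", body[:8])     # ESP header: SPI + sequence number
    payload = body[8:]
    readable = printable_ratio(payload) >= 0.9    # assumed threshold
    return {"verdict": "esp-readable-payload" if readable else "esp-opaque-payload",
            "proto": proto, "spi": spi, "seq": seq,
            "entropy": round(entropy(payload), 2)}

def build_ipv4(proto: int, body: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + body

# Constructed samples (not captured traffic). SHA-256 output stands in for
# ciphertext; the "null-cipher" sample is simplified (no ESP trailer or ICV).
HTTP = b"GET /status HTTP/1.1\r\nHost: plc.example\r\n\r\n"
OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
SAMPLES = {
    "tunnel": build_ipv4(50, struct.pack("!II", 0x1000, 1) + OPAQUE),
    "null-cipher": build_ipv4(50, struct.pack("!II", 0x1000, 2) + HTTP * 4),
    "leak": build_ipv4(6, bytes(20) + HTTP),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_ipv4(pkt))
```

A healthy tunnel shows only `esp-opaque-payload` results with entropy close to 8 bits per byte; any `not-esp` packet toward the protected peer, or an ESP frame with a readable payload, means traffic is not being encrypted as intended.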

Can I compare performance metrics of an MPLS VPN to another network?

This is a very complex question that is difficult to answer without knowing the specifics. Performance assessments can range in effort and complexity. It is ultimately important to understand the underlying requirements, which will determine the parameters that are relevant to performance. So, first you want to define “performance”: What are the relevant parameters, such as throughput, latency, packet loss and jitter? Once you measure the aforementioned metrics of your Layer 2 and Layer 3 MPLS VPN networks, you should be able to compare them evenly.

Help Net Security, Securing Android for the Enterprise
Infosec Island, How to Re-Awaken Your Inner Hacker
InfoWorld, New year, same old security passwords
eWeek, Enterprises Need Encryption to Secure Private Data

Next week is Black Hat in Las Vegas, which is one of the world’s biggest shows for techies and hackers. We were lucky to catch up with Travis Carelock, technical director for the show, to chat with him about this year’s show.

VPN Haus: What are the expected trends at this year’s show? What topics and sessions are getting a lot of buzz?

Travis Carelock: We are very excited about our keynotes. We are very fortunate to have highly respected individuals from both the public and private sectors. Ambassador Cofer Black was director of the CIA’s Counterterrorist Center during the 9/11 attacks. He has since gone on to have a very successful career in the private world serving the information security sphere. His reflections over the last decade will provide attendees with an amazing view of the frontlines from someone who lived it. Our second keynote is Peiter “Mudge” Zatko of DARPA. He is an infamous “old school hacker” from the L0pht days. Mudge will tell us what the government can learn from a hacker, and because turnabout is always fair play, what a hacker can learn from the government.

At Black Hat we have always delivered content centered on the latest attacks and zero days in many of IT’s most ubiquitous systems. However, one of the most surprising trends this year is all the attack vectors that are “outside” of the norm.  We have some fascinating presentations on attacking SCADA systems, mobile device management systems, embedded webservers, wireless medical devices, laptop batteries, banking cards, USB devices, and even with UAVs (that’s right Unmanned Aerial Vehicles).  The obvious trend is the ever-increasing complexity of our modern world.  As more devices become “smarter” with code, hardware and features, history has told us that the unintended attack vectors will increase as well.  The IT/Security department must broaden its scope to include this brave new world.

VPN Haus: How should Black Hat attendees secure their data, if they plan to tap into their corporate networks at the show? Do you recommend attendees bring their own VPNs?

Carelock: The three most important words Black Hat attendees need to remember in regard to their data are encryption, encryption, and ENCRYPTION! Realistically, users have not been able to store or send their data in cleartext and still maintain a reasonable expectation of security for many, many years now. If it is data on your hard drive, then it should be encrypted. If you are connecting back to your corporate network and passing the very lifeblood of your business (its data) through an unknown or hostile network, it HAS to be encrypted. Personally, if it is possible, I would suggest even using your VPN connection in a “bridge mode” with no split tunneling, and do all your Internet surfing using your corporate infrastructure via the VPN tunnel.

Stay tuned for next week, when we talk to Travis about security issues that can emerge at Black Hat.

Editor’s Note: This post is part of the Forward Thinking series, which features expert opinions on the top security trends of 2011. Today’s post features Martin Hack, EVP at NCP engineering.

By Martin Hack, EVP at NCP engineering

This year’s threat landscape will build upon some of the major network security threats of 2011 with a few new twists and turns. Over the next two posts, I’ll outline these issues and provide tips to avoid falling prey to these dangers.

1. Bring Your Own Devices – this is no longer a trend; it’s becoming more and more of a standard. Companies once purchased laptops and a bevy of mobile devices to be doled out as corporate devices, for business use only, but now that’s turned into an allowance for employees to subsidize their personal devices for business use. With this development, IT departments are suddenly bombarded with multiple devices and platforms to manage. In 2011, be prepared for a highly dynamic environment with a garden variety of devices turning up from employees. The best way of handling such a diversity of devices is to be prepared with a remote access management framework that doesn’t result in a nightmare scenario of having to manually configure each device individually.

Turning back the clock and going back to the days of corporate-only devices isn’t an option. The cat is out of the bag and employees are now accustomed to only carrying one device. This is from the top down. Executives have started doubling their personal devices as corporate devices and the effect has trickled down.

2. The Melding of Business and Personal – the trend of work-life integration has been ongoing for years. However, the BYOD policy has rapidly accelerated this and 2011 will open mobile devices to even more threats. When their device doubles for work and personal, employees are more likely to check their Facebook account while also having a session open that connects to their work server. The attack surface for this type of behavior is still unfolding, but its potential is staggering. An attacker could create a free, popular Facebook application that is loaded with malware. The application could scan for smartphones that are connected to corporate networks and then unleash a Trojan onto the backend.

In his next post, Martin will explain how to protect against threats from the melding of business and personal and share his final prediction for 2011 network security trends.