Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Time to snmp check all that gear !

Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    No offence to the author but is it 1999 again?

    If attacks via SNMP are new to you, or if you are not regularly scanning your equipment anyway, then you shouldn't be in charge of your company's computer network.

    Even the always behind PCS-DSS v3.0 requires SNMP v3 is enabled over SNMP v2c or v1.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Lolz how many software vendors do you know of selling front line enterprise software that is fully PCS-DSS v3.0 compliant ?? ( I mean in full and up to date as per the requirements)

    Firstly some of the techniques outlined in that have only just been engineered both for underlying technology and for encryption algorithms.
    I do follow what you are saying Syklops , I think back to my filed engineering days and i dont think i can recall a single site that took any form of precautions with SNMP. Up until 3-4 years ago even isp's had it open on cpe's for christ sake.

    Second : - admins hate change !


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    Lolz how many software vendors do you know of selling front line enterprise software that is fully PCS-DSS v3.0 compliant ?? ( I mean in full and up to date as per the requirements)

    Very few but I think you missed my point. PCI-DSS is always behind the times but in its most recent iteration even it required SNMP v3. As we discussed in another thread yesterday, being compliant != being secure. The point I was trying to make(badly), is that enabling SNMP v3 is not new advice.
    Firstly some of the techniques outlined in that have only just been engineered both for underlying technology and for encryption algorithms.

    I understand these are new techniques, but my criticism is more with the recommendations for protecting your gear, namely:

    1. BCP 38/RFC 2827
    2. SNMPv3
    3. Filtering
    4. Test your stuff.

    BCP 38/RFC 2827 is useful advice. Recommendation 2-4 you should be doing already was my point.


    Second : - admins hate change

    “The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn. ” - Alvin Toffler.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    I love your posts lolz.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Do you think that the boards audience , and i mean all of them are fully secure in relation to SNMP ? Id bet not . SME's in particular tend to have a config once and leave it there for ever appraoch , for external IT support vendors and such . Sorry if i am spamming the forum . I just feel this stuff is topical and good for banter.


  • Advertisement
  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    Do you think that the boards audience , and i mean all of them are fully secure in relation to SNMP ? Id bet not . SME's in particular tend to have a config once and leave it there for ever appraoch , for external IT support vendors and such .

    The entire boards audience? No of course not. I do believe the regular subscribers to the InfoSec forum are however aware of the problems with running SNMPv2 or below.
    Sorry if i am spamming the forum . I just feel this stuff is topical and good for banter.

    I don't think you're spamming the forum, you are right it is good for banter, but I'm not sure how topical upgrading to SNMP v3 or filtering your sh1t is.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Moreover the older gear prolly will require firmware upgrades to on-board the new protocols anyway. and in addition i don't think freelancing cowboys that config and forget will read much in here . ( Presumption on my behalf let it beat me if so desires)

    Filters, most of the freelancers would look for rizla brand name at the mention of filters lols.


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    In fairness you can't entirely blame configure and forget on behalf of the guys who set up a network and intended it to be monitored, an awful lot of companies decided to "save costs" that they would revert to a break/fix contract. Sure you know yourself proactive/managed maintenance is "overpriced" and "unnecessary"....


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    BoB_BoT wrote: »
    In fairness you can't entirely blame configure and forget on behalf of the guys who set up a network and intended it to be monitored, an awful lot of companies decided to "save costs" that they would revert to a break/fix contract. Sure you know yourself proactive/managed maintenance is "overpriced" and "unnecessary"....

    Yup have worked for a few over the years wont name and shame. There is no body in Ireland that audits the infosec of SME's , I have never seen validation checks or software reviews nothing, nadda, zip coming from any where to try shore up all these pivot points that a hacker, typically will use to launch targeted attacks .


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    dbit wrote: »
    Yup have worked for a few over the years wont name and shame. There is no body in Ireland that audits the infosec of SME's , I have never seen validation checks or software reviews nothing, nadda, zip coming from any where to try shore up all these pivot points that a hacker, typically will use to launch targeted attacks .

    Why would any SME be subject to an audit other than for regulatory or compliance requirements? You think SME's should proactively conduct audits by third parties?

    Here's the bottom line (cos stone cold said so) - no one gets audited unless they have to.


  • Advertisement
  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Well i would see that in the near future even the small fish need controlling as more often than not the smaller associates are attacked to gain access to the larger corporate target. Leap frog or island hoping.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    dbit wrote: »
    Well i would see that in the near future even the small fish need controlling as more often than not the smaller associates are attacked to gain access to the larger corporate target. Leap frog or island hoping.

    If you truly believe that then you're living in a dream world.

    The vast majority of companies, SME's included, don't give a toss about cyber/info sec unless they are mandated by a government/regulatory/audit requirements.

    I see things changing in the financial services sector where there seems to be some focus of late in this regard (which is a positive thing).

    As for industry as a whole, info sec is way down the list of priorities.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    So you don't think the irish gov will come up with something to protect larger multinational corporates, that are penetrated by access discovered through a flaky SME's. The new insurance tactics coming in the near future are going to surprise you then my friend . New data protection laws are coming from Europe and i think you may see what I'm talking about coming to fruition then .

    http://www.computerweekly.com/news/2240031775/UK-data-protection-regulations-get-stricter
    http://www.computerweekly.com/news/2240114258/Big-changes-due-in-revised-EC-data-protection-rules
    http://www.computerweekly.com/news/2240114326/EC-proposes-a-comprehensive-reform-of-data-protection-rules

    and the sinker :-
    http://www.computerweekly.com/news/1390690/Data-Protection-Act-Penalties-limited-but-expect-more-audits

    So i take by this that insurance firms wont even look at you unless you have reached "A level of protection"
    And the other links imply that if a breech is detected by an associate with literally no protection and operating in the EU that they are then fully punishable by the new data laws in the pipeline.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    with £500,000. price tag coming for guilty parties( And that's just for basic data leaks on usr and pswd's ) and lack of data protection Im detecting a sea change on the horizon .


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    On the plus side , infosec should get a whole lot noisier in terms of jobs and consultancies ?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    On the plus side , infosec should get a whole lot noisier in terms of jobs and consultancies ?

    Consultancy is not the silver bullet it is considered to be. I've done 10 and 15 day engagements which would have paid for an extra sys admin or an extra analyst for 6 months which would do more in the long term than me pointing out the obvious for 3 weeks.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Yes but those harsh laws coming, are going to induce some quirks in how we the "Irish" address and engage with this new law platform. If the blaze attitude that we currently adopt in Ireland continues its going to cost millions , shut down companies and hinder others in ways i don't want to think of .

    Infosec staffing on the corprate side is not as big a worry as it is for the non policed data portals that exist all over Europe never mind Ireland (Namely SME's).

    Consultancy is not the win either im not saying that at all , Im trying to say that the SME's are the launch pads from where today evil doers have free reign . The industry recognizes this and is taking action to address it .


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    dbit wrote: »
    So you don't think the irish gov will come up with something to protect larger multinational corporates, that are penetrated by access discovered through a flaky SME's. The new insurance tactics coming in the near future are going to surprise you then my friend . New data protection laws are coming from Europe and i think you may see what I'm talking about coming to fruition then .

    http://www.computerweekly.com/news/2240031775/UK-data-protection-regulations-get-stricter
    http://www.computerweekly.com/news/2240114258/Big-changes-due-in-revised-EC-data-protection-rules
    http://www.computerweekly.com/news/2240114326/EC-proposes-a-comprehensive-reform-of-data-protection-rules

    and the sinker :-
    http://www.computerweekly.com/news/1390690/Data-Protection-Act-Penalties-limited-but-expect-more-audits

    So i take by this that insurance firms wont even look at you unless you have reached "A level of protection"
    And the other links imply that if a breech is detected by an associate with literally no protection and operating in the EU that they are then fully punishable by the new data laws in the pipeline.

    Quoting a load of articles from 2010 to 2012 which are applicable to the UK doesn't help in convincing me.

    Regardless, even if any of this were to happen, it would be a huge financial burden and take years for some SME companies to get to a point where they are "ready" to be audited against such standards/laws at which point said laws/standards would be obsolete and replaced.

    Have you ever read the EU Data Directive or the Irish Data Protection Act? I've worked in IT and Info Sec for over 15 years and would find it a challenge to understand the language used. Imagine how difficult it would be for a small to medium size company with no dedicated Info Sec dept. where IT rolls up to a CFO or Head of Finance?

    And how is this all going to be enforced?


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    dbit wrote: »
    The industry recognizes this and is taking action to address it .

    Back that up please...


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Keyzer wrote: »
    Back that up please...

    Did you read any of the links I posted ? and the new data protection law reforms ag teacht anois ?

    These laws are being modeled to target third and second party induced breeches and heavy penalties for even slight infringement .(Not excluding first party)


  • Advertisement
  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Keyzer wrote: »
    Quoting a load of articles from 2010 to 2012 which are applicable to the UK doesn't help in convincing me.

    Regardless, even if any of this were to happen, it would be a huge financial burden and take years for some SME companies to get to a point where they are "ready" to be audited against such standards/laws at which point said laws/standards would be obsolete and replaced.

    Have you ever read the EU Data Directive or the Irish Data Protection Act? I've worked in IT and Info Sec for over 15 years and would find it a challenge to understand the language used. Imagine how difficult it would be for a small to medium size company with no dedicated Info Sec dept. where IT rolls up to a CFO or Head of Finance?

    And how is this all going to be enforced?


    The uk laws are laws that we inherited to instantiate our own laws ? Why the confusion ?

    It is challenging to read i can understand your frustration .

    The bottom line of what i am trying to convey is that the SME's are going to be held liable on the back of the EU laws for data protection . IT will only get worse before it gets better .

    they may be housed on a UK site but they are referencing the New EU data policies.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    To put a number on it for gauging purposes SME's defined in the policy sets as :-


    but smaller companies (SMEs) with up to 250 employees will be exempt from this requirement and many of the requirements they are burdened with under existing rules.



    I see it like this :-

    Hello MR customer yes you setting up your business and you handle public data ? is that correct ? Are you also insured and in adhereance to the data protection laws ?

    I understand from this that if you are in the 250+ sme category and you are not compliant , nor have you appointed an info sec officer and a breech occurs its curtains for your business as per the penalties implied .


    "The new privacy framework provides a single set of European rules on data protection that are valid across all member states and establishes each national data protection authority as a one-stop-shop for businesses and citizens in each member state"


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Maybe this will suit you better Keyzer, its shorter, and has all of the outlined expectations listed , Requirements with clear defining on the fines and rules around defining your own categories/thresholds .

    http://www.efc.ie/images/uploads/New_EU_Data_Protection_Regulations.pdf

    Again it also flags what im saying to be an enforced reform for 2015 sometime.

    Im not looking to make an enemy here and i think i have done my best to backup my points. This one talks on the data protection officer roles being required and that the 250 user count could be moot based on how many data objects are managed by you from the public domain.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    A healthy debate/argument doesn't mean enemies are made.

    I've read through the data protection act a couple of times as a point of reference for client related work so I'm somewhat familiar with the material.

    I get where you're coming from and, believe it or not, I agree with your sentiment completely. Its high time information security is taken seriously globally, not just in Ireland.

    That said, I'm still dubious as to how all of this proposed legislation will be enforced but lets see what happens nonetheless. If anything, it should mean a rise in information security type roles.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Keyzer wrote: »
    A healthy debate/argument doesn't mean enemies are made.

    I've read through the data protection act a couple of times as a point of reference for client related work so I'm somewhat familiar with the material.

    I get where you're coming from and, believe it or not, I agree with your sentiment completely. Its high time information security is taken seriously globally, not just in Ireland.

    That said, I'm still dubious as to how all of this proposed legislation will be enforced but lets see what happens nonetheless. If anything, it should mean a rise in information security type roles.

    The only times I have seen irish companies taking InfoSec seriously was either when they wanted to become PCI compliant because their bank was penalising them for not being so, or when they wanted to reduce the possibilities of being infected with a cryptolocker type infection. Both times they were concerned about one thing only - $$$.

    The monetary loss created by brand damage due to an incident is something thats not valued, nor is the loss in man power, productivity or important data. It seems these things have less of a quantifiable value, than an actual bill from the bank and accompanying letter reminding the bill could be smaller, or the necessity to write a cheque to some unknown data 'terrorist', holding their data for ransom.

    This leads me to believe there is only one way to enforce any new data protection laws and thats by hitting companies who flaunt those laws where they feel it the most - their wallets. I fear, however, that the Data Protection Commission doesn't have the teeth for this kind of action and so I forsee much hand wringing when it comes to actually penalising companies.


Advertisement