
Time to SNMP check all that gear!


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    No offence to the author but is it 1999 again?

    If attacks via SNMP are new to you, or if you are not regularly scanning your equipment anyway, then you shouldn't be in charge of your company's computer network.

    Even the always-behind PCI-DSS v3.0 requires that SNMP v3 be enabled over SNMP v2c or v1.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Lolz, how many software vendors do you know of selling front-line enterprise software that is fully PCI-DSS v3.0 compliant?? (I mean in full and up to date as per the requirements.)

    Firstly, some of the techniques outlined in that have only just been engineered, both for the underlying technology and for the encryption algorithms.
    I do follow what you are saying Syklops. I think back to my field engineering days and I don't think I can recall a single site that took any form of precautions with SNMP. Up until 3-4 years ago even ISPs had it open on CPEs, for christ's sake.

    Second: admins hate change!


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    Lolz, how many software vendors do you know of selling front-line enterprise software that is fully PCI-DSS v3.0 compliant?? (I mean in full and up to date as per the requirements.)

    Very few, but I think you missed my point. PCI-DSS is always behind the times, but in its most recent iteration even it required SNMP v3. As we discussed in another thread yesterday, being compliant != being secure. The point I was trying to make (badly) is that enabling SNMP v3 is not new advice.

    dbit wrote: »
    Firstly, some of the techniques outlined in that have only just been engineered, both for the underlying technology and for the encryption algorithms.

    I understand these are new techniques, but my criticism is more with the recommendations for protecting your gear, namely:

    1. BCP 38/RFC 2827
    2. SNMPv3
    3. Filtering
    4. Test your stuff.

    BCP 38/RFC 2827 is useful advice. Recommendations 2-4 you should be doing already; that was my point.


    dbit wrote: »
    Second: admins hate change!

    “The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn. ” - Alvin Toffler.
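    As an added example (not code from this thread or from any poster), here is a small Python audit of a constructed net-snmp snmpd.conf that flags exactly what recommendation 2 says should be gone already: SNMPv1/v2c community directives, default community strings, community access with no source restriction, and SNMPv3 users still allowed below the "priv" level. The directive names are net-snmp's own; the sample config and its passphrases are constructed placeholders.

    ```python
    from dataclasses import dataclass

    # Constructed sample net-snmp snmpd.conf; passphrases are placeholders, not real credentials.
    SAMPLE_SNMPD_CONF = """\
    # legacy SNMPv1/v2c access using the default community strings
    rocommunity public
    rwcommunity private 10.0.0.0/8
    com2sec readonly default public
    # SNMPv3 users: one with auth+priv, one with no authentication at all
    createUser monitor SHA "auth-passphrase-placeholder" AES "priv-passphrase-placeholder"
    rouser monitor priv
    rouser legacyuser noauth
    """

    # net-snmp directives that grant SNMPv1/v2c community-string access.
    COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                            "rwcommunity6", "com2sec", "com2sec6"}
    DEFAULT_COMMUNITIES = {"public", "private"}

    @dataclass(frozen=True)
    class Finding:
        line_no: int
        severity: str
        message: str

    def audit_snmpd_conf(text: str) -> list[Finding]:
        findings: list[Finding] = []
        for line_no, raw in enumerate(text.splitlines(), start=1):
            line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
            if not line:
                continue
            directive, *args = line.split()
            directive = directive.lower()
            if directive in COMMUNITY_DIRECTIVES:
                # com2sec takes NAME SOURCE COMMUNITY; ro/rwcommunity take COMMUNITY [SOURCE]
                is_com2sec = directive.startswith("com2sec")
                idx = 2 if is_com2sec else 0
                community = args[idx] if len(args) > idx else ""
                severity = "high" if community in DEFAULT_COMMUNITIES else "medium"
                findings.append(Finding(line_no, severity,
                    f"{directive} grants SNMPv1/v2c access with community {community!r}"))
                if not is_com2sec and len(args) < 2:
                    findings.append(Finding(line_no, "medium",
                        f"{directive} has no SOURCE restriction, so any address may query"))
            elif directive in {"rouser", "rwuser"} and args:
                # net-snmp's default minimum level for rouser/rwuser is 'auth' (no encryption)
                level = args[1].lower() if len(args) > 1 else "auth"
                if level != "priv":
                    findings.append(Finding(line_no, "medium",
                        f"{directive} {args[0]} allows level {level!r}; require 'priv'"))
        return findings

    if __name__ == "__main__":
        for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
            print(f"line {f.line_no}: [{f.severity}] {f.message}")
    ```

    Run against a real snmpd.conf, a clean result means only SNMPv3 users at "priv" remain, which is the state recommendation 2 asks for.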


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    I love your posts lolz.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Do you think that the boards audience, and I mean all of them, are fully secure in relation to SNMP? I'd bet not. SMEs in particular tend to have a config-once-and-leave-it-there-forever approach, for external IT support vendors and such. Sorry if I am spamming the forum. I just feel this stuff is topical and good for banter.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    Do you think that the boards audience, and I mean all of them, are fully secure in relation to SNMP? I'd bet not. SMEs in particular tend to have a config-once-and-leave-it-there-forever approach, for external IT support vendors and such.

    The entire boards audience? No, of course not. I do believe the regular subscribers to the InfoSec forum are, however, aware of the problems with running SNMPv2 or below.

    dbit wrote: »
    Sorry if I am spamming the forum. I just feel this stuff is topical and good for banter.

    I don't think you're spamming the forum, you are right it is good for banter, but I'm not sure how topical upgrading to SNMP v3 or filtering your sh1t is.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Moreover, the older gear prolly will require firmware upgrades to on-board the new protocols anyway. And in addition I don't think freelancing cowboys that config and forget will read much in here. (Presumption on my behalf, let it beat me if it so desires.)

    Filters: most of the freelancers would look for the Rizla brand name at the mention of filters, lols.


  • Registered Users Posts: 1,835 ✭✭✭BoB_BoT


    In fairness you can't entirely blame configure-and-forget on the guys who set up a network and intended it to be monitored; an awful lot of companies decided to "save costs" by reverting to a break/fix contract. Sure you know yourself, proactive/managed maintenance is "overpriced" and "unnecessary"....


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    BoB_BoT wrote: »
    In fairness you can't entirely blame configure-and-forget on the guys who set up a network and intended it to be monitored; an awful lot of companies decided to "save costs" by reverting to a break/fix contract. Sure you know yourself, proactive/managed maintenance is "overpriced" and "unnecessary"....

    Yup, have worked for a few over the years, won't name and shame. There is no body in Ireland that audits the infosec of SMEs. I have never seen validation checks or software reviews, nothing, nada, zip, coming from anywhere to try to shore up all these pivot points that a hacker typically will use to launch targeted attacks.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    dbit wrote: »
    Yup, have worked for a few over the years, won't name and shame. There is no body in Ireland that audits the infosec of SMEs. I have never seen validation checks or software reviews, nothing, nada, zip, coming from anywhere to try to shore up all these pivot points that a hacker typically will use to launch targeted attacks.

    Why would any SME be subject to an audit other than for regulatory or compliance requirements? You think SMEs should proactively conduct audits by third parties?

    Here's the bottom line (cos stone cold said so) - no one gets audited unless they have to.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Well, I would see that in the near future even the small fish need controlling, as more often than not the smaller associates are attacked to gain access to the larger corporate target. Leapfrog or island hopping.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    dbit wrote: »
    Well, I would see that in the near future even the small fish need controlling, as more often than not the smaller associates are attacked to gain access to the larger corporate target. Leapfrog or island hopping.

    If you truly believe that then you're living in a dream world.

    The vast majority of companies, SMEs included, don't give a toss about cyber/info sec unless they are mandated by government/regulatory/audit requirements.

    I see things changing in the financial services sector where there seems to be some focus of late in this regard (which is a positive thing).

    As for industry as a whole, info sec is way down the list of priorities.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    So you don't think the Irish gov will come up with something to protect larger multinational corporates that are penetrated by access discovered through a flaky SME? The new insurance tactics coming in the near future are going to surprise you then, my friend. New data protection laws are coming from Europe and I think you may see what I'm talking about coming to fruition then.

    http://www.computerweekly.com/news/2240031775/UK-data-protection-regulations-get-stricter
    http://www.computerweekly.com/news/2240114258/Big-changes-due-in-revised-EC-data-protection-rules
    http://www.computerweekly.com/news/2240114326/EC-proposes-a-comprehensive-reform-of-data-protection-rules

    and the sinker:
    http://www.computerweekly.com/news/1390690/Data-Protection-Act-Penalties-limited-but-expect-more-audits

    So I take from this that insurance firms won't even look at you unless you have reached "a level of protection".
    And the other links imply that if a breach is detected at an associate with literally no protection and operating in the EU, then they are fully punishable by the new data laws in the pipeline.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    With a £500,000 price tag coming for guilty parties (and that's just for basic data leaks of usernames and passwords) and for lack of data protection, I'm detecting a sea change on the horizon.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    On the plus side, infosec should get a whole lot noisier in terms of jobs and consultancies?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    On the plus side, infosec should get a whole lot noisier in terms of jobs and consultancies?

    Consultancy is not the silver bullet it is considered to be. I've done 10 and 15 day engagements which would have paid for an extra sys admin or an extra analyst for 6 months which would do more in the long term than me pointing out the obvious for 3 weeks.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Yes, but those harsh laws coming are going to induce some quirks in how we the "Irish" address and engage with this new law platform. If the blasé attitude that we currently adopt in Ireland continues, it's going to cost millions, shut down companies and hinder others in ways I don't want to think of.

    Infosec staffing on the corporate side is not as big a worry as it is for the non-policed data portals that exist all over Europe, never mind Ireland (namely SMEs).

    Consultancy is not the win either, I'm not saying that at all. I'm trying to say that the SMEs are the launch pads from where today's evildoers have free rein. The industry recognizes this and is taking action to address it.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    dbit wrote: »
    So you don't think the Irish gov will come up with something to protect larger multinational corporates that are penetrated by access discovered through a flaky SME? The new insurance tactics coming in the near future are going to surprise you then, my friend. New data protection laws are coming from Europe and I think you may see what I'm talking about coming to fruition then.

    http://www.computerweekly.com/news/2240031775/UK-data-protection-regulations-get-stricter
    http://www.computerweekly.com/news/2240114258/Big-changes-due-in-revised-EC-data-protection-rules
    http://www.computerweekly.com/news/2240114326/EC-proposes-a-comprehensive-reform-of-data-protection-rules

    and the sinker:
    http://www.computerweekly.com/news/1390690/Data-Protection-Act-Penalties-limited-but-expect-more-audits

    So I take from this that insurance firms won't even look at you unless you have reached "a level of protection".
    And the other links imply that if a breach is detected at an associate with literally no protection and operating in the EU, then they are fully punishable by the new data laws in the pipeline.

    Quoting a load of articles from 2010 to 2012 which are applicable to the UK doesn't help in convincing me.

    Regardless, even if any of this were to happen, it would be a huge financial burden and take years for some SME companies to get to a point where they are "ready" to be audited against such standards/laws at which point said laws/standards would be obsolete and replaced.

    Have you ever read the EU Data Directive or the Irish Data Protection Act? I've worked in IT and Info Sec for over 15 years and would find it a challenge to understand the language used. Imagine how difficult it would be for a small to medium size company with no dedicated Info Sec dept. where IT rolls up to a CFO or Head of Finance?

    And how is this all going to be enforced?


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    dbit wrote: »
    The industry recognizes this and is taking action to address it .

    Back that up please...


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Keyzer wrote: »
    Back that up please...

    Did you read any of the links I posted? And the new data protection law reforms that are coming now?

    These laws are being modelled to target third- and second-party-induced breaches, with heavy penalties for even slight infringement (not excluding first party).


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Keyzer wrote: »
    Quoting a load of articles from 2010 to 2012 which are applicable to the UK doesn't help in convincing me.

    Regardless, even if any of this were to happen, it would be a huge financial burden and take years for some SME companies to get to a point where they are "ready" to be audited against such standards/laws at which point said laws/standards would be obsolete and replaced.

    Have you ever read the EU Data Directive or the Irish Data Protection Act? I've worked in IT and Info Sec for over 15 years and would find it a challenge to understand the language used. Imagine how difficult it would be for a small to medium size company with no dedicated Info Sec dept. where IT rolls up to a CFO or Head of Finance?

    And how is this all going to be enforced?


    The UK laws are laws that we inherited to instantiate our own laws? Why the confusion?

    It is challenging to read, I can understand your frustration.

    The bottom line of what I am trying to convey is that the SMEs are going to be held liable on the back of the EU laws for data protection. It will only get worse before it gets better.

    They may be housed on a UK site but they are referencing the new EU data policies.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    To put a number on it for gauging purposes, SMEs are defined in the policy sets as:


    but smaller companies (SMEs) with up to 250 employees will be exempt from this requirement and many of the requirements they are burdened with under existing rules.



    I see it like this:

    Hello Mr Customer, yes, you are setting up your business and you handle public data? Is that correct? Are you also insured and in adherence to the data protection laws?

    I understand from this that if you are in the 250+ SME category and you are not compliant, nor have you appointed an info sec officer, and a breach occurs, it's curtains for your business as per the penalties implied.


    "The new privacy framework provides a single set of European rules on data protection that are valid across all member states and establishes each national data protection authority as a one-stop-shop for businesses and citizens in each member state"


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Maybe this will suit you better Keyzer; it's shorter, and has all of the outlined expectations listed: requirements with clear definitions of the fines and rules around defining your own categories/thresholds.

    http://www.efc.ie/images/uploads/New_EU_Data_Protection_Regulations.pdf

    Again, it also flags what I'm saying to be an enforced reform for sometime in 2015.

    I'm not looking to make an enemy here and I think I have done my best to back up my points. This one talks about the data protection officer roles being required, and that the 250 user count could be moot based on how many data objects are managed by you from the public domain.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    A healthy debate/argument doesn't mean enemies are made.

    I've read through the data protection act a couple of times as a point of reference for client related work so I'm somewhat familiar with the material.

    I get where you're coming from and, believe it or not, I agree with your sentiment completely. It's high time information security is taken seriously globally, not just in Ireland.

    That said, I'm still dubious as to how all of this proposed legislation will be enforced, but let's see what happens nonetheless. If anything, it should mean a rise in information security type roles.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Keyzer wrote: »
    A healthy debate/argument doesn't mean enemies are made.

    I've read through the data protection act a couple of times as a point of reference for client related work so I'm somewhat familiar with the material.

    I get where you're coming from and, believe it or not, I agree with your sentiment completely. It's high time information security is taken seriously globally, not just in Ireland.

    That said, I'm still dubious as to how all of this proposed legislation will be enforced, but let's see what happens nonetheless. If anything, it should mean a rise in information security type roles.

    The only times I have seen Irish companies taking InfoSec seriously was either when they wanted to become PCI compliant because their bank was penalising them for not being so, or when they wanted to reduce the possibilities of being infected with a cryptolocker type infection. Both times they were concerned about one thing only - $$$.

    The monetary loss created by brand damage due to an incident is something that's not valued, nor is the loss in man power, productivity or important data. It seems these things have less of a quantifiable value than an actual bill from the bank and the accompanying letter reminding them the bill could be smaller, or the necessity to write a cheque to some unknown data 'terrorist' holding their data for ransom.

    This leads me to believe there is only one way to enforce any new data protection laws and that's by hitting companies who flaunt those laws where they feel it the most - their wallets. I fear, however, that the Data Protection Commission doesn't have the teeth for this kind of action and so I foresee much hand wringing when it comes to actually penalising companies.

