Saturday, August 27, 2016

IoT Security


IoT technology is growing at a dangerously fast pace. Digitally connected devices are touching every aspect of our lives, including our homes, offices or cars. But, as with every good thing, there is a downside of IoT also.

With the increase in the number of digitally connected devices, more and more data is being collected. And, that in turn is increasing the attack vectors. Attackers are exploiting vulnerabilities in IoT devices to steal our sensitive data and invade our privacy.





But, can we prevent that? Can we ensure the security of the sensitive data collected from us by the IoT devices?

Let’s understand in more detail what the security concerns of IoT devices are and how best we can address them.


Security Concerns of IoT Devices


Cybercriminals can attack the IoT devices in a number of ways. They can exploit vulnerabilities of insecure web interfaces, cloud interfaces, lack of encryption or they can take advantage of weak authentication mechanism to enumerate user accounts and steal sensitive data or make DoS attacks.

Let’s understand each of them in more detail.


Insecure Authentication


If the authentication mechanism is not secure enough, attackers can exploit that to gain unauthorized access of user accounts and steal sensitive data. There are a number of ways that can happen. For example,

  • If default usernames and passwords are not changed properly, attackers can take advantage of that to gain unauthorized access of user accounts.
  • Attackers can take advantage of weak passwords to gain unauthorized access of the devices.
  • If the collected user credentials are not encrypted properly, attackers can take advantage of that and capture them for malicious purposes.
  • Attackers can enumerate user accounts to access the IoT devices.

No doubt, this can lead to data loss or data corruption. It can even result in denial of access or complete device takeover.

Prevention


We can take a couple of steps to prevent this type of attacks:


  • Make sure to change default credentials at the time of initial setup of the devices.
  • Passwords need to be kept sufficiently strong. Users should not be allowed to set weak passwords.
  • Credentials, whenever they are collected from users, should be encrypted using sufficiently strong encryption algorithm. Plaintext credentials should never be transmitted across the network.
  • Account lockout should be implemented, so that user account gets locked immediately after a certain number of failed login attempts.
  • We need to make sure password recovery mechanisms are made secure.
  • We need to make sure, when a device is plugged into the network, it authenticates itself before it starts sending or receiving data.


Vulnerable Web Interfaces, Mobile Interfaces and Cloud Interfaces


Attackers can exploit insecure web interfaces, mobile interfaces and cloud interfaces to steal sensitive data in a number of ways:

  • Attackers can exploit security vulnerabilities in the mobile, web or cloud interfaces to perpetrate SQL Injection, Cross Site Scripting or CSRF attacks and steal sensitive user data.
  • If the web interface does not properly implement HTTPS, attackers can exploit that to steal transmitted unencrypted sensitive data.
  • Attackers can exploit vulnerabilities in the mobile app, cloud interfaces or web interfaces to enumerate user accounts and gain unauthorized access of the devices.
  • Attackers can use the insecure mobile, web or cloud interfaces to gain unauthorized access to user accounts exploiting weak passwords or default credentials.

Prevention


Couple of steps can be takes to prevent this:

  • Web, Cloud and mobile interfaces should be properly tested so that they do not contain any SQL Injection, XSS or CSRF vulnerabilities.
  • Web interfaces should implement HTTPS wherever possible.
  • Web Application Firewalls should be used to protect the web interfaces.
  • Web, cloud and mobile interfaces should make sure weak passwords are not allowed and default credentials are changed during the initial setup.
  • Web, cloud and mobile interfaces should also implement account lockout mechanism so that it creates much difficulty for the attackers to enumerate user accounts.
  • 2 Factor Authentication should be implemented wherever possible.
  • Web, mobile or cloud interfaces should use proper transport encryption for transmitted data.
  • It is always better to implement firewalls and IPS.


Vulnerable Network Services


Attackers can exploit vulnerable network services in the following way:

  • Attackers can exploit security vulnerabilities in the network services to perpetrate attacks like buffer overflow or DoS attacks.
  • Attackers can take advantage of open ports to collect information on the devices, so that they can plan for more attacks.
  • Attackers can even exploit open ports via UPnP or exploit UDP services.

Prevention


We can prevent this type of attacks in a number of ways:

  • We need to ensure only the necessary ports are open and exposed outside.
  • We need to make sure network ports or services are not exposed to the internet via UpnP.
  • A number of automated tools can be used to make sure the vulnerabilities in the network services are detected and mitigated.


Lack of Transport Encryption


If the data in transit are not encrypted properly, attackers can take advantage of that to steal sensitive data.

  • Usually, local network traffic does not get exposed outside the network. But, if the wireless network is not configured properly, it can make the traffic visible to anyone within the range of the wireless network. And, that can lead to complete compromise of the devices or user accounts.
  • If proper encryption protocols like SSL/TLS are not used, attackers can easily capture the data in transit and exploit that for malicious purposes.

Prevention


  • We need to make sure communications between the devices and the internet are encrypted using proper encryption protocols like SSL/TLS.
  • It is always better to use accepted encryption standards and avoid proprietary encryption protocols.
  • It is always better to use firewalls with the devices.


Privacy Concerns


Due to lack of proper protection of data, attackers can capture sensitive and personal data collected by the devices, which no doubt raises privacy concerns. To prevent this, we can take a couple of steps:

  • We need to identify all the data types that are being collected by the devices, mobile app, web interfaces or cloud interfaces. We need to make sure to only collect data that is necessary.
  • Collected data should be properly protected using encryption while at rest or in transit.
  • Only authorized individuals should have access to personal data.
  • We need to make sure proper data retention policy is in place and individuals are given a choice to collect data beyond what is necessary for the operation of the devices.


Insufficient Security Configurability


This vulnerability exists if the devices have limited or no ability to alter security controls or the web interfaces have no options for creating granular user permissions and cannot enforce use of strong passwords. Attackers can take advantage of this to exploit the vulnerabilities in the devices to steal sensitive data or make more attacks.

Prevention


We can take a couple of steps to address this.

  • We need make sure normal users are separated from administrative users and principle of least privileges is enforced. Password security options should be made available.
  • Encryption options should be made available to encrypt sensitive data collected by the devices.
  • We should enable logging of security events.
  • Users should be notified about security events.


Insecure Software/Firmware


IoT devices should have the ability to be updated when vulnerabilities are discovered. But, if the update files are not protected, they can be captured by attackers and exploited for malicious purposes. Attackers can capture unencrypted update files or can perform their own malicious updates via DNS Hijacking.

This type of attacks can happen because of a number of reasons, like:

  • update files are not encrypted
  • updates are not verified before they are applied
  • firmware contains sensitive information like hardcoded credentials
  • there is no proper update functionality

Prevention


We can prevent this in a number of ways:

  • All the devices should have the ability to be updated.
  • Update files should be encrypted.
  • Update files should not contain any sensitive data.
  • We need to make sure updates are signed and verified before they are applied.
  • We should ensure the update server is secure.
  • We need to make sure, when power is first introduced to the devices, the authenticity and integrity of the software on the devices are verified using cryptographically generated digital signatures.


Poor Physical Security


Attackers can exploit physical access of the system also to perpetrate attacks. They can use USB ports, SD cards or other storage means to access the Operating Systems and data stored in the devices and exploit that for malicious purposes.

Prevention


We can make sure the following:

  • We need to make sure data storage medium cannot be easily removed.
  • Only the external ports and USB ports that are necessary should be used.


No doubt, with sufficient efforts we can address these security concerns and make our devices more secure. So, be aware of various security concerns and prevention mechanisms, so that devices and collected data are protected in a better way. And, stay safe, stay secured.

Wednesday, August 17, 2016

Network Segmentation and VLAN


We all know, absolute security is a myth. And, many a times, even though we try to enforce security to our best, attackers manage to gain unauthorized access to the network. Attackers, once they gain unauthorized access to a network, try to move across the network, so that they can gain access to the required systems to obtain sensitive data.

So, once the attackers manage to gain unauthorized access to the network in spite of all the security measures, the best way to thwart them is to restrict their movements across the network. And, that is the main motivation behind network segmentation.


Network segmentation is splitting the network into smaller sub-networks, mainly for the purpose of boosting performance and improving security. If attackers manage to gain unauthorized access to a network, network segmentation can limit further movement of the attackers across the network.




Advantages of Network Segmentation


There are a number of advantages of using network segmentation. A number of them are mentioned below:



Reducing Congestion

More the number of devices in a network, more is the collision while transmission of data. And so, if the number of devices in a network keeps increasing, the performance of the network reduces. One way to reduce the collision is to reduce the number of devices in the sub-network, so that the chances of collision reduces.

Using network segmentation, a network can be split into different smaller sub-networks, so that the number of devices in a single sub-network reduces. And thus, there will be less chance of collision within a sub-network, which in turn can increase the performance of the network.


Controlling Network Access

Network segmentation can be used to control what all users should access which part of the network. For example, in an organization, different groups of employees like HR, server administrators, executives etc may need to access their own segregated networks. Even third-parties also should have their own segregated network, so that attackers cannot gain access to sensitive data within the network via a less protected and compromised third-party site.

Network segmentation can be used to segregate a network into different zones, so that certain group of users have access to certain zone of the network only.


Enforcement of Policy

PCI-DSS (Payment Card Industry Data Security Standard) and similar standards provide guidelines for separating cardholders data from the rest of the network, so that even if a part of the network gets compromised, attackers cannot gain access to cardholders sensitive data so easily. Segmenting the network can provide multiple zones, with varying security level, which in turn can help in rigorous enforcement of the policy.


Limiting Network Problems

As network segmentation segments the network into different sub-networks, a local failure in one part of the network does not affect the other parts of the network.


Improved Security

As network segmentation controls the access of different parts of the network, it can restrict the lateral movement of the attackers across the network, in case the attackers manage to gain unauthorized access of a part of the network, thus increasing the security of the sensitive part of the network.



Different ways of segmenting a network


A network can be segmented using bridges, routers and switches. Let’s understand how that can be done.


Network Segmentation using Bridges





Bridging is a technology using which two or more local area networks that use same protocols, like Ethernet or token ring, can be aggregated together. A bridge monitors each message on a LAN. It passes the messages that are destined within the same LAN and forwards those which are destined for a different interconnected LAN.

Bridges learn which addresses are in which network and develops a table, using which it decides on whether a message should be forwarded to a different interconnected LAN. They work in layer 2 of the OSI reference model.


Advantages of network segmentation using bridges

Bridges can segment traffic in a network, and thereby reducing the traffic seen in each sub-network. This improves network response time. It can also compensate for speed discrepancies of two different networks using its buffering capabilities.


Network Segmentation using Routers





When we need to aggregate two or more networks that use different protocols, we can use routers. A router can interconnect two or more networks, enabling communication between them.

Routers function in layer 3 of the OSI reference model. It looks at the destination IP address of each network packet passing through it and consults a table to determine in which network it should be forwarded. Routers can also implement broadcast filters and logical firewalls.


Advantages of network segmentation using routers

There are a number of advantages of using routers in segmenting a network :

  • Routers can interconnect two or more networks that use different protocols.
  • Routers can control broadcasts within the network.
  • Routers can filter inbound and outbound packets between LAN and WAN segments.
  • Routers can fragment large packets into smaller pieces and send them across the network, while bridges discard those.



Network Segmentation using Switches





Switches, like bridges, can enable two or more networks to be interconnected together. But, switching is performed in hardware, instead of software, which makes the communication between the interconnected networks much faster.

A switch learns about the Ethernet addresses of devices of each network, and based on that it creates a table. It examines the source and destination hardware addresses of each fragment passing through it and forwards them to appropriate sub-network consulting the table.

Basic switches function in layer 2 of the OSI reference model. But, there can be layer 3, layer 4 or layer 7 switches also.


Advantages of network segmentation using switches

Switching technology enables a network to be separated into different collision domains, which can improve the network performance significantly. Switches can connect different network types like Ethernet and Fast Ethernet.

Moreover, switches can be used to create VLANs, which can increase security of a network to a great extent.


What is VLAN





As discussed earlier, switches can segment a network into different interconnected smaller networks. A basic switch work in layer 2 of the OSI reference model. If we look closely, here is how it works :
When a frame destined for a MAC address enters a switch, such that the destination MAC address is not present in the MAC table of the switch, the switch broadcasts the frame to devices connected to all the ports, except for the port in which the frame was received. The device with the specific MAC address responds to the switch. The switch then stores the MAC address in its MAC table, so that next time a frame arrives with the same destination MAC address, the switch can forward it accordingly. This MAC table is usually stored in a temporary memory in the switch and is rebuilt every time the switch is powered on.


But, broadcast messages like this can eat up considerable bandwidth in a network and raise security concerns also. An attacker can take advantage of the broadcast messages to learn the MAC address of a sensitive device and perpetrate attacks thereafter. And, to prevent that VLANs are used.


Using a smart switch, a network can be segmented into multiple VLANs, such that broadcasts can propagate inside a VLAN, but not outside of it.

A VLAN uses a set of ports of a switch and creates a virtual network, such that devices within the virtual network can talk to each other, but they cannot communicate outside the network. For example, if server 1, server 2 and server 3 of a company are connected to ports 1, 3 and 5 of a switch, and we create a VLAN taking those ports, then the devices connected to those three ports can communicate with each other. But, they cannot communicate to any other device which is not part of the VLAN.


So, if a computer sends a broadcast message requesting the MAC address of server 1, server 2 or server 3 and that computer is not part of the VLAN, then it will not be able to get MAC address of those servers. As a result, VLANs can enhance security of the devices in the network to a great extent.


As I said, absolute security is a myth. But, we can always try our best to thwart the attackers as much as possible. So, be aware of various security measures and stay safe, stay secured.

Monday, August 1, 2016

Web Application Firewalls



If a firewall filters traffic based on IP addresses, ports or connection state alone, it will not be possible to detect intrusions like whether an unwanted protocol is trying to bypass the firewall in an allowed port or any protocol is being abused. Many a times, we need to understand application layer protocols like HTTP, FTP, DNS etc and filter traffic based upon that. Web Application Firewalls are developed for that purpose.

A Web Application Firewall or WAF is an appliance, server plugin or filter that monitors the incoming and outgoing traffic from an application or service and filters them as per some predefined rules. Web Application Firewall can look through certain traffic upto layer 7 of the OSI reference model and filter traffic based on that.





Types of Web Application Firewalls


There are mainly two types of Web Application Firewalls :

  • Network-based Web Application Firewalls
  • Host-based Web Application Firewalls



Network-based Web Application Firewalls


Network-based Web Application Firewalls act on the application layer of the OSI reference model and can inspect the contents of traffic and block specific traffic such as certain websites. It can also look through the traffic to detect presence of malware or possible network intrusions, offload encryption from internal servers, manage and consolidate authentication and block traffic which violates policies.


Network-based Web Application Firewalls are also known as Proxy-based Firewalls.


A Forward Proxy server intercepts all the traffic from or to an internal network behind it and can filter them based on policies. For an allowed traffic, it changes the source IP address of the outgoing traffic to its own IP address and sends it to external servers. The external server sends the response to the Forward Proxy server and the Forward Proxy server then forwards the packets to appropriate internal client. A Reverse Proxy, on the other hand, intercepts all the traffic coming from external clients to the internal servers behind it. The outside requesting clients cannot see the IP address of the requested internal server behind the Reverse Proxy Server, thus providing security. You can find more on how Forward Proxy Servers and Reverse Proxy Servers work here : How do Proxy servers work ?


Just like Proxy servers, a Proxy-based Web Application Firewall intercepts the traffic between the requesting clients and requested servers and filters them as per some predefined set of rules. It can use stateful inspection technology or Deep Packet Inspection (What is Deep Packet Inspection ? ) to monitor and analyze the incoming and outgoing network traffic. It can understand a number of application layer protocols like HTTP and FTP and detect signs of malware or network intrusions.

A Proxy-based Firewall prevents the outside network to directly communicate with the inside network. Information packets do not pass through the Proxy Firewalls. Instead, the Web Application Firewall acts as an intermediary. A Proxy-based Firewall has its own IP address. The outside computers first make a connection to the Proxy-based Firewall and the firewall makes a separate connection to the requested computers after carefully inspecting the network packets. And thus, it can provide strong security.


A Proxy-based Firewall can also help in the following ways :

  • Caching – It can cache regularly requested web contents and thus reduce the load on the web servers by reducing repeated requests to back end servers.
  • Compression – Proxy-based Web Application Firewall can compress certain web contents that can be decompressed later by the browser.
  • SSL Acceleration – Proxy-based Web Application Firewalls can speed up SSL processing and reduce the burden on back-end web servers by using hardware based SSL decryption.
  • Load Balancing – Proxy-based Web Application Firewalls can distribute the incoming requests to multiple servers behind it and thus improve performance and reliability.
  • Connection Pooling – Proxy-based Web Application Firewalls can reduce back end server TCP overhead by allowing multiple requests to use the same back-end connection.



Host-based Web Application Firewalls


A Host-based Web Application Firewall can examine the information that pass through the system calls through the network stack and filter traffic based on that. It can hook into socket calls and filter the connections between the application layer and the lower layers in the OSI reference model based on some predefined rules. It applies the filtering rules on a per process basis instead of per port basis.

Host-based Web Application Firewalls can examine the process ID of data packets and match them against a pre-defined rulesets for that process. They can also have complex rulesets for the standard services, such as sharing services.

AppArmor, TrustedBSD MAC Framework are examples of some commonly used Host-based Web Application Firewalls.

The benefits of an application layer firewall is, as already said, it can understand certain application layer protocols like FTP, HTTP, DNS or web browsing and filter network traffic of an unwanted protocol. It can also look through non-standard ports to detect if any protocol is being abused.

Host-based Web Application Firewalls can protect against threats like SQL Injection, Cross Site Scripting or XSS, Session Hijacking, Parameter or URL tampering, buffer overflows etc.



Some commercial Web Application Firewalls and vendors



A list of some commercially used Web Application Firewalls is mentioned below :

  • Barracuda Networks – SPAM Firewalls
  • Breach Security – WebDefend and ModSecurity Pro Firewalls
  • Deny All – rWeb Firewalls
  • F5 – Web Application Firewalls
  • Imperva – SecureSphere Firewalls
  • Citrix – Application Firewalls
  • Applicure – DotDefender
  • Armorlogic – Profense
  • Bee-Ware – iSentry
  • BinarySec – Application Firewalls
  • BugSec – Web Application Firewalls
  • eEye Digital Security – SecureIIS
  • Fortify Software – Xwall, Sentry
  • Microsoft – ISA Server
  • Visonys – Airlock
  • MWEB Security – Webapp Secure
  • Xtradyne – Application Firewalls



So, be aware of various security vulnerabilities and their defenses, so that you can protect your systems in a better way. And stay safe, stay secured.