Cisco Blogs


Cisco Blog > Security

SNMP: Spike in Brute-force Attempts Recently Observed

Simple Network Monitoring Protocol (SNMP) has been widely deployed as an important network management tool for decades, is a key component of scalable network device management, and is configurable in nearly all network infrastructure devices sold today. As with any management protocol, if not configured securely, it can be leveraged as an opening for attackers to gain access to the network and begin reconnaissance of network infrastructure. In the worst case, if read-write community strings are weak or not properly protected, attackers could directly manipulate device configurations.

Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well known SNMP community strings and are focused on network edge devices. We have been working with our Technical Assistance Center (TAC) to assist customers in mitigating any problems caused by the brute-force attempts.

While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints.

Cisco has published a number of best practices documents for securing the management plane, including SNMP configuration:

Tags: , , , , ,

Energy Networking Convergence Part 2: Cyber & Physical Security

This is the second of a four part series on the convergence of IT and OT (Operational Technologies) by Rick Geiger

Physical Security has evolved from serial communication to modern systems that are largely, if not completely, IP networked systems.  The unique requirements of physical security have often lead to shadow IT departments within the physical security department with networks and servers procured and operated by the physical security department with little or no involvement from IT.

Intersections with IT and the corporate network began with the interconnection of physical security systems and the placement of physical security appliances on the corporate network to avoid the cost of wiring that would duplicate existing networks.  At one time IT may have been persuaded that these “physical security appliances” didn’t need to be managed by IT.  But that persuasion was shattered by malware infections that revealed far too many “physical security appliances” to be repackaged PCs with specialized interface cards.

HAK22620 - for webIT departments scrambled to locate and remove these vulnerable devices and either outright banned them from the corporate network or insisted that they be managed by IT.  A hard lesson was learned that just as the organization, including IT, required physical security, video surveillance and badge access control, the physical security department needed the cyber security expertise of IT to protect the communication and information integrity of networked physical security systems.

Convergence is sometimes regarded as the use of physical location as a criteria for network access.  Restricting certain network access to a particular location and/or noting any discrepancies between the location source of a login attempt and the physical location reported by the badge access system.  For example, the network won’t accept a login from Asia when that user badged into a building in Philadelphia.

The need and opportunity for Cyber and Physical security convergence is much broader than network access.  Physical Security systems need Cyber Security protection just as Cyber Systems need Physical Security protection.

What are, at a very high level, the primary activities of Physical Security on a day to day basis?

  • Protect the perimeter
  • Detect breaches
  • Situational awareness
  • Standard operating procedures define for anticipated events
  • Forensic to gather, preserve and analyze evidence & information

Physical security personnel often have a law enforcement or military background, and approach these activities from that point of view.

HAK22891-webOver time, the technology of physical security has evolved from walls, guns and guards to sophisticated microprocessor based sensors, IP video cameras with analytics, and network storage of video & audio.  Although there are many examples of close collaboration between IT and Physical Security, there may also be tension.  Physical Security departments defend their turf from what they perceive as the encroachment of IT by claiming that they are fundamentally different.

A quick look at the Physical Security systems quickly reveals something that looks very familiar to IT. Networked devices, servers, identity management systems, etc. are all familiar to IT.

At a very high level, the primary activities of Cyber Security can be grouped into a set of activities that are very similar to Physical Security.  The common process that both need to follow is a regular review of Risk Assessment:

  • What are the possible threats
  • What is the probability of occurrence of each threat
  • What are the consequences of such occurrence
  • What are cost effective mitigations — as well as mitigations required by compliance

The Risk Assessment process is an integral part of NERC-CIP V5, which requires a review at least every 15 months of “…cyber security policies that collectively address…” CIP-004 through CIP -011.  Implementation is required to be done “..in a manner that identifies, assesses, and corrects deficiencies…

Many of the activities Cyber and Physical Security overlap and need to align:

  • The use of IT Technology in Physical Security systems
  • Overlapping Identity Management
  • Device Identity management
  • Requirement for IT process maturity
  • IT security required for Physical Security systems
  • Physical Security required for IT Systems
  • Consistent future strategy & direction

The bottom line is that the activities of Physical and Cyber security have many parallels with opportunities to learn from each other and collaborate in threat assessment and risk assessment strategies and coordinated implementation and operation.  NERC-CIP V5 has mandatory requirements for both Physical and Cyber security.  Modern security, both Physical and Cyber, need to move beyond reacting to events that have already occurred, to agility and anticipation.

What does this mean for Cisco?

Cisco has a portfolio of leading edge Cyber and Physical Security solutions.  Cisco’s Advanced Services offerings help our customers develop and deploy a collaborative, unified approach to Physical and Cyber security.  NERC-CIP V5 is a compelling event for the electric utility industry.  The transition period is underway with completion required by April 2016.  Are you up to date on Cisco’s solutions and capabilities? We are here to help!

Tags: , , , ,

Summary: Extended By Popular Demand: The Cisco IoT Security Grand Challenge

June 16, 2014 at 8:49 am PST

Since its announcement at the RSA 2014 conference, the security community has been actively involved in the Cisco IoT Security Grand Challenge. The response has been so great that we’ve decided to extend the deadline by two more weeks -- so you now have until July 1st, 2014 to make your submission! Visit www.CiscoSecurityGrandChallenge.com for full details about the challenge and prepare your response. Good luck!

Read the full blog for more information.

Tags: , , , , , , , , , , ,

Extended By Popular Demand: The Cisco IoT Security Grand Challenge

June 16, 2014 at 5:00 am PST

Since its announcement at the RSA 2014 conference, the security community has been actively involved in the Cisco IoT Security Grand Challenge, an industry-wide initiative to bring the best and brightest security minds to the table to help us find innovative IoT security solutions. Thus far, we’ve had dozens of wonderful submissions and they’re still coming in.

Cisco_extension-banner

The initial deadline to make a submission was this coming Tuesday, June 17th. However, the challenge has been so popular that we’ve decided to extend the deadline by two more weeks, to July 1st, to give you an opportunity to complete your best work. After all, we all benefit by ensuring that the things we connect are secure. And with billions of objects networked all over the world, many of which will reside in insecure locations, security is arguably more important for IoT than it has been for any other technology in history.

Cisco will select up to six winners, each of whom will be awarded between $50,000 and $75,000 USD. The winners will be announced, and will have an opportunity to present their winning submission, at the IoT World Forum in Chicago, October 14-16, 2014!

Interested in participating? Visit www.CiscoSecurityGrandChallenge.com for full details about the challenge and prepare your response. Good luck!

Tags: , , , , , , , , , ,

Cisco Meraki, Now with ISE!

We’ve been hearing from some of our customers that they are interested in using Cisco Meraki in their branches alongside their Cisco infrastructure in their main offices, but were worried about having to deal with too many segregated policy management systems.

Good news: Interoperability between Cisco Meraki and ISE is here. Administrators can now define a single user access policy across on-premise and cloud-managed networks.With this interoperability, Cisco infrastructure customers can now deploy Cisco Meraki in their branches in the same network as other Cisco equipment, with all devices across the network managed under ISE for unified access policy management.

Read more about the Cisco Meraki and ISE interoperability in the blog post: Got ISE?

To get a free Meraki wireless access point and learn more about the solution, join one of our online webinars. See the  complete schedule and choose from a range of webinars featuring Meraki customers, product and solution overviews, and topics like BYOD.

Tags: , , , , , , , , , , , , , , , , , , , , , , , ,