Thursday, June 25, 2015

Break the PSK Habit!

Many of us are guilty (I know I am), or have inherited it from a predecessor: securing a wireless network with a WPA/WPA2 personal mode password, or PSK (or, even worse, WEP).  It is surely the easiest way to get wireless security up and running, both for yourself and for the people or clients you are providing access to.  It is also far from secure.  Enter WPA2-enterprise mode; don’t let the name fool you. Just because it says enterprise doesn’t mean it is for enterprise environments only, or that it comes with a hefty price tag, and setting it up is not nearly as daunting as it once seemed.  With so many networks being breached, the wireless side of the network deserves the same attention as the wired side.

Because the password for a WEP or WPA/WPA2 PSK network is stored on every device that uses it (often recoverable in plain text by anyone holding the device, and in any case shared by every client), the network is only as secure as the least secure device that holds the key.  There are several ways this can go wrong, and the most common is a device being lost or stolen.  To protect your network and all the data on it, you would then have to change the PSK not only on the AP or wireless controller but on every device as well, in order to prevent a potential breach.

So, how can you make a change for the better?  Let’s dive into the benefits of enterprise mode security and explore how this can fit in not only large enterprises but in the SMB space as well.

802.1X authentication adds a layer of security to a wireless network and is, overall, the better choice for business networks.  Its main requirement is a Remote Authentication Dial-In User Service (RADIUS) server, which the access point or controller consults before letting a client onto the network.  In the most common deployment (PEAP with EAP-MSCHAPv2), each user authenticates with their own username and password; EAP-TLS goes a step further and authenticates devices with client certificates.  If you are already running Windows Active Directory, you are halfway there: installing the Network Policy Server (NPS) role gives you a RADIUS server that authenticates against your existing accounts.  Don’t have Active Directory?  No worries, there are plenty of RADIUS servers available, ranging from open source (FreeRADIUS, for example) to hosted solutions.

In the event of a lost or stolen device, with WPA2-enterprise mode you simply disable that user’s account (or revoke their device certificate) or change their password, which is a far easier way to keep your network secure than making a wholesale key change across your entire infrastructure. Personal mode is also prone to eavesdropping.  Because every client shares the same PSK, anyone who holds it (for example, recovered from a lost or stolen device) and captures a client’s four-way handshake can derive that client’s session keys and decrypt all of the traffic between that device and the AP, exposing sensitive information.  With enterprise mode this is not possible: each client’s pairwise master key comes out of its own EAP exchange, so there is no shared secret on the devices that would let one client’s keys decrypt another client’s traffic.
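To make the eavesdropping point concrete, here is an added example (not part of the original post) that walks through the WPA2 key derivation an attacker performs once they hold the PSK.  The PMK is PBKDF2 of the passphrase and SSID, and the per-session PTK is derived from the PMK plus the two MAC addresses and two nonces that are sent in the clear during the four-way handshake, so anyone holding the PSK and a capture of the handshake ends up with exactly the keys the client has.  The MAC addresses and nonces below are constructed sample values, and eap_session_pmk is a stand-in for the per-session key an EAP method would produce in enterprise mode.

```python
import hashlib
import hmac
import os


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every client on the SSID shares this one value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b""
    for i in range(4):  # 4 * 20 bytes = 80 >= 64 needed
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key for one association. Everything here except the PMK is visible
    in a captured handshake (addresses from the frame headers, nonces from EAPOL messages 1 and 2)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    # CCMP uses the first 48 bytes: key confirmation key, key encryption key, temporal key
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed handshake capture (sample values, not from a real network).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def eavesdropper_keys(passphrase: str, ssid: str) -> dict:
    """What anyone holding the PSK derives from the captured handshake above: the client's TK,
    which is all that is needed to decrypt that client's data frames."""
    return derive_ptk(wpa2_psk_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)


def eap_session_pmk() -> bytes:
    """Stand-in for enterprise mode: the PMK is the first 32 bytes of the MSK that the EAP method
    (EAP-TLS, PEAP, ...) produces for each authentication and RADIUS hands to the AP.  Nothing stored
    on another client lets an eavesdropper reproduce it, so a fresh random value models it here."""
    return os.urandom(32)


if __name__ == "__main__":
    psk_keys = eavesdropper_keys("password", "IEEE")  # 802.11i Annex H test passphrase/SSID
    print("TK derived by the client and by a PSK-holding eavesdropper:", psk_keys["tk"].hex())
    ent_keys = derive_ptk(eap_session_pmk(), AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("TK from a per-session EAP PMK (not reproducible from another device):", ent_keys["tk"].hex())
```

Run against a real capture, the same derivation is what tools that verify a PSK against a handshake do: compute the KCK and check the MIC on message 2.  The point for this post is that in personal mode the only secret input is the PSK, and every device carries it.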

Along with these advantages come additional features that help the overall security of your network.  Because users authenticate to a RADIUS server when they connect, you can apply per-user policies that restrict, among other things, time of day, device type, and which APs a user may connect through.  With 802.1X the same RADIUS infrastructure can also control port access on supporting wired switches, a great benefit for security-conscious admins.

In certain cases, implementing 802.1X may not be practical, especially for devices that do not support it.  As time goes on this is becoming less and less the case; many smart devices now have the capability built into their software to authenticate to a WPA2-enterprise network.  For devices that cannot handle this authentication method there are a couple of options, and most of them are less than ideal, ranging from MAC authentication to a separate SSID with a PSK for those devices.  Neither is a wise path when you are implementing WPA2-enterprise mode: MAC addresses are trivially spoofed, and a separate PSK SSID brings back exactly the shared-secret problem enterprise mode was meant to remove.  Ideally, put those devices on the wire; where that is not possible, a wireless bridge that itself authenticates with enterprise mode (with the device’s internal WiFi disabled) is the next best choice.

It is much less time-consuming and simpler to implement personal mode with a PSK when deploying security on a wireless network.  Taking the time to deploy WPA2-enterprise mode may seem challenging and not worth the effort, and it’s true that the tradeoffs need to be weighed carefully.  Are you willing to deal with the repercussions of an attack?  Or is securing your wireless network with WPA2-enterprise mode the more practical and secure long-term solution?  I know my answer.

Friday, June 19, 2015

Healthcare Security – A Horror Story

The following tale is fictitious, only in that certain details have been changed to protect the… patients.  Several weeks ago, I had a conversation with an employee named Rachel who works for a small healthcare provider called Gotham Aging-Care Clinic (GACC).

This particular clinic specializes in the care and well-being of the City of Gotham’s citizens of advanced age. During the course of our conversation, we discussed several key aspects surrounding HIPAA and data security relating to patient information. Rachel explained that her clinic did not have much of an IT budget and that most of the clinicians were using personal laptops to perform their daily duties. While concerns have been raised with management at this small practice numerous times, those concerns have fallen on deaf ears. The clinicians are essentially responsible for their own machines and the security of those machines. Of those I’ve personally spoken with, few are familiar with HIPAA requirements on patient privacy and one didn’t know what HIPAA actually was.

While in the office, Rachel connects to an open, unsecured company wireless network to access their hosted EMR system. She also connects her smartphone to this same wireless network to listen to streaming music, update Facebook status, tweet, and perform other non-work related activities during her break or lunch hour.  Sometimes during lunch, she will visit a coffee shop that occupies the building next door and work on updating her patient records from her morning rounds, while still connected to the clinic’s wireless network.

Now, there are several red flags in the previous paragraphs, all of which were a part of our discussion.  The EMR system is hosted with a known, reputable provider of secure electronic medical records. They enforce frequent password changes, have very granular logging and access controls, and encrypt traffic to and from the system. Unfortunately, that’s the ONLY portion of the patient access that could be considered secure.

The following is a list of the security related items that I noticed during a ten minute inspection of Rachel’s personal laptop:

Rachel’s password to log into her laptop is a single character…the space bar.  She says this is secure because, “no one would ever guess that as my password”.

Rachel uses Microsoft Terminal Services to access a remote desktop in her office over the internet on the standard port, unencrypted, frequently from unsecured wireless connections while remote. Her password is saved, so she doesn’t have to type it in every time she logs in. While in the office, she has a software client that she runs to access the EMR system while connected to the clinic’s unsecured wireless network. The account she uses to access the EMR system is one of four accounts that are shared amongst 10-12 clinicians (a cost-saving decision related to licensing purchases).

Rachel doesn’t run any form of Endpoint Protection / Anti-virus because it “slows her machine down”.

Rachel has Excel spreadsheets containing patient data stored locally on her laptop so she can update information for patients in areas of their clinic where wireless signal is absent or unreliable. This is standard, and practiced by all clinicians in those wings of the building and was recommended by management due to the fact that “wireless networks are expensive to install and maintain”.

Now, following my inspection of Rachel’s laptop and subsequent discussion of all of these findings (and others that I’ve decided to omit, again, to protect the patients), Rachel dropped the security bomb of all bombs.  Her clinic handles the care and wellbeing of senior citizens in Gotham City. Their “hosted” EMR system is actually nothing more than “secure” remote access to the EMR system that resides at Gotham Memorial Hospital (GMH), which is one of the largest healthcare providers in Gotham City. Where GACC has several hundred patients for which they provide services in a given year, GMH services hundreds of thousands of patients throughout the year. Now, GACC does NOT have access to all of their patient data, but an attacker with the proper skill set would have the capabilities to gain this access. An attacker with very little skills could gain access to the hundreds of patients that GACC serves with virtually no effort.

There are multiple lessons to be learned here. So many, in fact, that I would surely miss one if I tried to hit all of them. My biggest concern here isn’t with GACC and their lack of security policy, although that is a part of it. What concerns me most is that GMH still allows them access to their data, most likely due to the lack of checks and balances when it comes to the “covered entity” portion of HIPAA. Their system is inherently at risk due to the lack of security of one of their partners. It’s okay though. When a breach occurs, they will have all of the necessary measures in place to be able to pinpoint the source of the breach, tie that to GACC and their lack of security, and wash their hands of any responsibility for the theft of hundreds of thousands of patient records. I know I’ll sleep better at night knowing that the healthcare provider I chose to take care of my family’s healthcare needs isn’t responsible for the identities of my wife and children being stolen. After all, it’s not their fault that GACC checked all of the right boxes on the form. HIPAA doesn’t say they have to validate anything, just that they have to ask the right questions and receive the right answers – so they can still be compliant without being secure.


Between the time of authoring this document and publishing, Rachel resigned from this clinic and has moved on to a larger clinic with a specialization more aligned with her degree. Her laptop was inspected by the GACC system administrator on her last day to ensure that no sensitive data remained on Rachel’s personal laptop. This procedure was performed in less than five minutes. Not only did this system administrator miss several local documents containing patient information, but remote access to the Microsoft Terminal Server and subsequent access to the EMR system is still available. I’m sure access to the EMR system will be terminated when the users are forced to change the passwords on their shared accounts. A report has been filed with the appropriate compliance agencies.

Thursday, June 11, 2015

Where is this Attack Coming From?!

Help Desk Technician: We’re getting reports of users complaining about the internet being slow.  Is there something going on with the network?
Network Technician: It looks like the internet pipes are getting saturated.
Help Desk Technician: By whom?
Network Technician: I’m looking into it… (a couple of minutes pass) looks like it’s coming from a number of different IP addresses out on the internet.  I’ll have to look at IANA’s website to find out where they’re coming from and who they belong to.  Call security and inform them that we might be getting attacked.

The situation above isn’t as uncommon as you might think.  With would-be attackers constantly scanning the internet and performing reconnaissance on potential targets, this situation is actually pretty common, and could be happening on your network as we speak.  Most likely it’s on a smaller scale, but there is a good chance it is happening nonetheless.  So the question becomes, “How do I prevent this from happening?”

The first and most important thing to be done, in my opinion, is to sit down with the security team and the business/organization to determine who your target customers are and where they should be coming from.  Does it make sense to leave your online services open to anyone and everyone in the world?  I would say that if security is a priority to the organization, then it is important to limit incoming access to the organization’s online services to the geographic regions where it has a significant business interest.  That is to say, if an organization has a target customer base in the United States, as well as some manufacturing in India or China, and is looking to expand its customer base to parts of Europe, then it would make sense to limit access to the organization’s online services to those geographic regions.

Once that discussion has taken place, you can start to plan how IP-based access control will be implemented.  The network technician mentioned that you could go to the Internet Assigned Numbers Authority (IANA) website and begin your search there. However, this would be extremely time-consuming and cumbersome, especially since IANA is only the starting point: it tells you which of the five Regional Internet Registries (for example, the American Registry for Internet Numbers (ARIN) for North America) holds the detailed allocation records, and each registry publishes its own. Sure, there are other all-in-one lookup sites, such as or, but it is important to note that their databases may be outdated or contain conflicting information.

There are easier ways to determine which IPs belong to which geographic region than researching the registries by hand.  Many vendors now offer geographic IP identification as part of their security portfolio. Fortinet uses its own FortiGuard Labs to provide an IP reputation and geolocation service that can be referenced in firewall policies when you want to block or monitor traffic from a particular country (Fortinet, 2015).  Juniper Networks offers a similar service through its Spotlight Secure product, and Palo Alto Networks firewalls can match on geographic region objects in security policy.  Two caveats apply to all of these: the country a registry records is the address holder’s, not necessarily where the host actually sits, and an attacker can still come at you through a compromised host in a region you allow.  So it is not a silver bullet that eliminates threats altogether, but it is a great place to start shrinking your attack surface, making it that much more difficult for would-be attackers to compromise your network.
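If you do not have a vendor feed, the registries themselves publish the data the feeds are built from. The following is an added example (not from the original post) showing the do-it-yourself version of the approach described above: parse records in the delegated-extended statistics format that each Regional Internet Registry publishes (registry|cc|type|start|value|date|status|opaque-id, where for IPv4 the value is an address count), build an allowlist from the country codes the business agreed on, and then check sample web-server log lines against it. The delegation records and log lines below are constructed for illustration; the prefixes are the RFC 5737 documentation ranges with made-up country codes, not real allocations.

```python
import ipaddress
from collections import Counter

# Constructed sample in the RIR delegated-extended format. The first line is the
# file header, the second a per-type summary line; neither is a delegation record.
SAMPLE_DELEGATED = """\
2|arin|20150611|4|19830101|20150611|-0500
arin|*|ipv4|*|3|summary
arin|US|ipv4|192.0.2.0|256|19920101|assigned|example-1
arin|US|ipv4|198.51.100.0|256|20010101|allocated|example-2
apnic|CN|ipv4|203.0.113.0|256|20050101|allocated|example-3
arin|ZZ|ipv4|100.64.0.0|4194304|20120101|reserved
"""

# Constructed Apache-style access log lines; the client IP is the first field.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2015:10:14:02 -0500] "GET /login HTTP/1.1" 200 512',
    '203.0.113.45 - - [11/Jun/2015:10:14:03 -0500] "GET /login HTTP/1.1" 200 512',
    '203.0.113.77 - - [11/Jun/2015:10:14:03 -0500] "POST /login HTTP/1.1" 401 128',
    '198.51.100.8 - - [11/Jun/2015:10:14:04 -0500] "GET /api HTTP/1.1" 200 2048',
    '100.64.1.1 - - [11/Jun/2015:10:14:05 -0500] "GET / HTTP/1.1" 200 64',
]


def build_table(text: str) -> list:
    """Return [(country_code, IPv4Network), ...] for allocated/assigned IPv4 records.
    Header, summary, reserved and available lines are skipped; a start+count range
    that is not CIDR-aligned is split into the CIDR blocks that cover it exactly."""
    table = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        _registry, cc, _type, start, value, _date, status = fields[:7]
        if status not in ("allocated", "assigned"):
            continue
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        for net in ipaddress.summarize_address_range(first, last):
            table.append((cc, net))
    return table


def build_allowlist(text: str, allowed_countries: set) -> list:
    """Prefixes to permit: everything delegated to one of the agreed country codes."""
    return [net for cc, net in build_table(text) if cc in allowed_countries]


def lookup_country(ip: str, table: list) -> str:
    """Country code of the delegation covering ip, or 'unknown' if none does."""
    addr = ipaddress.ip_address(ip)
    return next((cc for cc, net in table if addr in net), "unknown")


def classify_log(lines: list, allowed_countries: set, table: list) -> dict:
    """Count requests per country, split into allowed and blocked. Addresses with no
    known delegation are treated as blocked (default deny)."""
    allowed, blocked = Counter(), Counter()
    for line in lines:
        cc = lookup_country(line.split()[0], table)
        (allowed if cc in allowed_countries else blocked)[cc] += 1
    return {"allowed": dict(allowed), "blocked": dict(blocked)}


if __name__ == "__main__":
    table = build_table(SAMPLE_DELEGATED)
    print("allowlist:", [str(n) for n in build_allowlist(SAMPLE_DELEGATED, {"US"})])
    print(classify_log(SAMPLE_LOG, {"US"}, table))
```

The same parser runs unchanged over the real files (they are several hundred thousand lines), and the resulting prefix list is what you would load into the firewall as the permitted-source object. Regenerate it on a schedule: registries transfer and reassign blocks, which is exactly the staleness problem the one-off lookup sites have.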

Fortinet. (2015). FortiGuard IP Reputation Service. Retrieved from
Juniper. (2015). Spotlight Secure. Retrieved from

Friday, June 5, 2015

End of Support is Coming for Select Catalyst 4500 Switches!

The end-of-support date for select Cisco Catalyst 4500 Non-E-Series chassis, supervisor engines, and line cards is July 31st, after which they receive no further software maintenance or security fixes. For those currently running this switching platform, this can be cause for concern, but it doesn’t have to be. If you wish to continue using these products, you can extend their life by purchasing spare parts and upgrades for your existing 4500 chassis.

Or you may want to take this opportunity to evaluate new solutions for your network with future growth, performance, and reliability in mind. With so many options and vendors to choose from, it can be a bit daunting. Below is information on comparable Cisco replacements for the Catalyst 4500 Non-E-Series switches, as well as comparable replacement options from Juniper Networks and HP.

The table on the right lists all of the primary end of support SKUs and the Cisco replacements.

*Juniper comparable replacement - Virtual chassis of EX4300 switches or combination of EX4600 and EX4300 virtual chassis
*HP comparable replacement - 5400zl chassis