Insider’s InfoTech Services

Insider’s InfoTech Services is an Information Technology Company in Sanepa, Lalitpur, Kathmandu.

21/09/2022

What is ACL?

ACL stands for Access Control List, and it is one of the most fundamental components of information security. It is a set of rules that allow or deny access to a computing environment.

For example, suppose you are the manager of an exclusive club and have made a list of the club's members and a select few guests who are invited to a party. When you strictly follow the list you have made of your members and guests, only those on the list are allowed through the doors. Right?

An Access Control List is very similar to this. It enables you to ensure that a device or user cannot gain access to your environment, e.g., your network or a system, unless it presents the proper credentials.

At the fundamental level, there are two basic kinds of ACLs:

1) Filesystem ACLs

These ACLs give instructions to the operating system of your computers, servers, etc. as to which users are allowed to access the system. They also define the privileges those users are entitled to once they are inside. Thus, filesystem ACLs work as filters that manage users' access to your directories and files.

2) Networking ACLs

Networking ACLs do a similar thing: they manage users' access to your network. They provide instructions to switches and routers so as to manage the kinds of traffic that are allowed to interface with your network, and they also define what your users or devices can do once they are inside your network.

When ACLs were first conceived, they worked like firewalls and were used to block network access to unwanted entities. Even today, ACLs are quite common among companies. You may find network admins using them along with VPNs, where they dictate which kinds of traffic get encrypted and sent through the VPN's secure tunnel.
___
👉 Network ACLs

ACLs are common in switches, routers and firewalls, but you can also configure them on any device that runs on the network: hosts, servers, network devices, and so on. The primary purpose of a network ACL is to provide security for your network.

That is why you can think of network ACLs as network traffic 'filters' that control incoming or outgoing traffic. The idea is to ensure that only approved traffic is allowed to enter your network. A network ACL performs a similar function to a filesystem ACL in that the credentials of devices are checked against an approved list. However, it differs in that it protects a network, as opposed to the directories or files inside a network.

ACLs can play an integral role in your networking architecture and help you keep bad actors, or those who could inadvertently hurt your systems, from gaining access.
___
👉 How Do ACLs Work?

With a filesystem ACL, you have a table that tells your computer's operating system which users have which access privileges. This table dictates which users are allowed to access specific objects, such as directories or files on the system. Every object on your computer has a security property that links it to its associated ACL. On this list there is information for every user that has the requisite rights to access the system.

Every time you attempt to open or change a file on your computer, knowingly or not, you are interacting with an ACL. For example, there are certain files or objects on your laptop or computer that only an administrator can access.

Those files or objects will not open if you sign in to your computer as a regular user. However, if you sign in as an administrator, the object's security property shows that you are an administrator, and you are allowed access.

Thus, when a user requests access to an object, your computer's operating system checks the ACL to see whether the user should have the access they desire. If the list dictates that the user should not be allowed to open, use, or modify that particular object, access is denied.

Sometimes you may depend upon 'Security Groups.' These groups may be composed of categories of users such as administrators, guests and normal users, or of a list of specific people who can gain access to the system or files. But even though there is a similarity between security groups and ACLs, they are not the same.
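To make the lookup described above concrete, here is an added example (not code from the original post) of a filesystem-style ACL check in Python. The objects, users, security groups, and the rule that a matching deny entry outranks an allow entry are all constructed for this illustration; real operating systems have their own evaluation order and permission sets.

```python
from dataclasses import dataclass

# Constructed filesystem-style ACL model. An access control entry (ACE) names a
# trustee (a user, or "group:NAME" for a security group), the permissions it
# covers, and whether it allows or denies them. Deny-by-default: an object with
# no matching allow entry is inaccessible. All names here are fictitious.

@dataclass(frozen=True)
class ACE:
    trustee: str             # "alice" or "group:admins"
    permissions: frozenset   # subset of {"read", "write", "execute"}
    allow: bool              # True = allow entry, False = deny entry

# Security groups (constructed): group name -> members
GROUPS = {
    "admins": {"root", "alice"},
    "users": {"alice", "bob", "carol"},
    "guests": {"dave"},
}

# Each object's security property links it to its ACL (constructed).
# Note the explicit deny for "carol" on the report, even though she is a user.
ACLS = {
    "/etc/shadow": [
        ACE("group:admins", frozenset({"read", "write"}), allow=True),
    ],
    "/srv/reports/q3.pdf": [
        ACE("carol", frozenset({"read"}), allow=False),
        ACE("group:users", frozenset({"read"}), allow=True),
        ACE("group:admins", frozenset({"read", "write"}), allow=True),
    ],
}

def principals_for(user: str) -> set:
    """The identities the OS compares against the ACL: the user plus every group they belong to."""
    return {user} | {f"group:{g}" for g, members in GROUPS.items() if user in members}

def is_allowed(user: str, obj: str, permission: str) -> bool:
    """Deny by default. Among entries that name one of the user's principals and cover
    the requested permission, any deny entry wins; otherwise an allow entry grants access."""
    who = principals_for(user)
    relevant = [ace for ace in ACLS.get(obj, [])
                if ace.trustee in who and permission in ace.permissions]
    if any(not ace.allow for ace in relevant):
        return False
    return any(ace.allow for ace in relevant)

def effective_permissions(user: str, obj: str) -> set:
    """Every permission the user ends up with on the object (useful for an access audit)."""
    return {p for p in ("read", "write", "execute") if is_allowed(user, obj, p)}

if __name__ == "__main__":
    for user in ("root", "alice", "bob", "carol", "dave"):
        for obj in ACLS:
            print(f"{user:6} {obj:22} {sorted(effective_permissions(user, obj))}")
```

The explicit deny for carol is the case worth noticing: she is a member of "users", which is allowed to read the report, but the deny entry still wins, which is why the order of checks in `is_allowed` matters.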

Networking ACLs are fundamentally different because they are installed in switches, routers and similar devices. Here, they are traffic filters.

A network access list also allows you to block ALL unwanted users and traffic. To filter traffic, a network ACL uses RULES that have been predefined by your administrator or the device manufacturer. These rules check the contents of 'packets' against tables that govern access parameters, and based on those parameters access is either granted or denied. You can set up these 'parameters' to dictate which source or destination addresses and which users are allowed to access a network, and prevent all others from getting inside.

Now you see that switches, routers and firewalls with ACL features perform the function of packet filters. They check the source and destination IP addresses, the source and destination ports, and the packet's protocol, which dictates how it is supposed to move through the network.

ACLs are useful because they simplify the way your local users, remote users and remote hosts are identified on the network. You can configure an authentication database to ensure that only approved users are allowed access to the device.

You can also categorize the kinds of traffic you want to allow to access the network and then apply those categories to the ACL. For example, you can create a rule that enables all email traffic to pass through to the network but block traffic that contains executable files.
__

👉 What are the important components of ACLs?

There are several components of ACL which are critical to its function:

➤ Sequence number
The sequence number identifies the ACL entry with a specific number.

➤ ACL name
The ACL name identifies the ACL by a name assigned to it, as opposed to a number. In some cases, the router will allow both numbers and letters.

➤ Remark
On some routers, you can input comments, which can be used to include more detailed descriptions.

➤ Statement
A statement is not a remark or description, as given above. With a statement, you either permit or deny a source using an address and a 'wildcard mask'. A wildcard mask dictates which bits of an IP address are examined by the system.

➤ Network protocol
This section can be used to permit or deny certain networking protocols, such as IP, Internetwork Packet Exchange (IPX), TCP, ICMP, UDP, or others.

➤ Source or destination
It defines the destination or source IP address as an 'address range' or a single IP. It can also allow all addresses.

➤ Log
There are devices that can maintain a log when they find ACL matches. Quite handy for you!

➤ Other criteria of advanced ACLs
Some more advanced ACLs will give you the option to control traffic according to 'IP precedence,' the type of service (ToS), or its priority as derived from its Differentiated Services Code Point (DSCP). DSCP is a networking architecture that allows for the classification and management of traffic on a network.
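The following is an added example, not part of the original post, that ties these components together: a small Python evaluator for router-style ACL entries with sequence numbers, permit/deny statements, a protocol, source and destination written as address plus wildcard mask, "host", or "any", an optional destination port, and the "log" keyword. The entry format imitates common router CLI conventions, but the parser, its first-match and implicit-deny rules, and the sample entries are assumptions of this example rather than any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    seq: int                 # sequence number: evaluation order
    action: str              # the statement: "permit" or "deny"
    proto: str               # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src_net: int             # source address and wildcard mask as 32-bit integers
    src_wild: int
    dst_net: int             # destination address and wildcard mask
    dst_wild: int
    dst_port: Optional[int]  # "eq PORT" on the destination, if present
    log: bool                # "log" keyword: record matches

def _addr_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (net, wild, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1          # wildcard all ones: nothing is compared
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2   # wildcard zero: exact match
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)

def parse_entry(line: str) -> Entry:
    """Entry syntax (assumed): SEQ ACTION PROTO SOURCE DEST [eq PORT] [log]; source comes first."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src_net, src_wild, i = _addr_spec(t, 3)
    dst_net, dst_wild, i = _addr_spec(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = int(t[i + 1])
        i += 2
    log = i < len(t) and t[i] == "log"
    return Entry(seq, action, proto, src_net, src_wild, dst_net, dst_wild, port, log)

def wildcard_match(addr: str, net: int, wild: int) -> bool:
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(acl, packet):
    """First matching entry in sequence order wins; the implicit final entry is 'deny ip any any'.
    Returns (action, matching sequence number or None, whether the match should be logged)."""
    for e in sorted(acl, key=lambda e: e.seq):
        if e.proto != "ip" and e.proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], e.src_net, e.src_wild):
            continue
        if not wildcard_match(packet["dst"], e.dst_net, e.dst_wild):
            continue
        if e.dst_port is not None and packet.get("dport") != e.dst_port:
            continue
        return e.action, e.seq, e.log
    return "deny", None, False

# Sample ACL (constructed): the LAN may reach one web server and resolve DNS,
# Telnet is denied and logged everywhere, ping is allowed; everything else is denied.
ACL = [parse_entry(line) for line in [
    "10 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 443",
    "20 deny   tcp any any eq 23 log",
    "30 permit udp 192.168.10.0 0.0.0.255 any eq 53",
    "40 permit icmp any any",
]]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "192.168.10.7", "dst": "10.0.0.5", "dport": 443}
    print(evaluate(ACL, pkt))   # first entry permits it
```

The implicit deny at the end is the part people forget: a packet that no entry names is dropped, which is exactly how a single misplaced statement can cut a site off.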
__

👉 4-Types of Network ACLs

Given the context of Network ACLs, there are four types of ACLs that play different roles in a network.

1. Standard ACL

The standard ACL aims to protect a network using only the source address. It is the most basic type and can be used for simple deployments, but unfortunately it does not provide strong security. Standard ACLs use the numbers 1-99 or 1300-1999, which tells the router to treat the specified address as the source IP address.

2. Extended ACL

These ACLs allow you to block by 'source' and 'destination' for specific hosts or a whole network. With extended ACLs it is also possible to filter traffic based on protocol (IP, TCP, ICMP, and UDP).

3. Reflexive ACL

Reflexive ACLs are also referred to as IP session ACLs. These ACLs filter traffic based on upper-layer session information. They react to sessions originated inside the router, permitting the outbound traffic and restricting inbound traffic to the replies for those sessions. The router recognizes the outbound traffic and creates a temporary ACL entry for the corresponding inbound traffic; when the session finishes, the entry is removed.

4. Dynamic ACL

As the term suggests, dynamic ACLs rely on extended ACLs, Telnet, and authentication. They grant users access to a resource only after the user authenticates to the device through Telnet. This type of ACL is often referred to as "Lock and Key" and can be limited to specific timeframes.
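As an added illustration (not from the original post), the Python simulation below models the reflexive behaviour just described: an outbound session permitted by the static rules creates a temporary mirrored inbound entry, replies match that entry, unsolicited inbound traffic is still dropped, and the entry disappears when the session closes or goes idle. The class, the idle timeout value and the sample flows are assumptions of this example, not a vendor's implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """A 5-tuple as seen by the router interface."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self) -> "Flow":
        """The reply direction: source and destination swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveFilter:
    IDLE_TIMEOUT = 300  # seconds; an assumed value for this simulation

    def __init__(self, outbound_permitted_ports):
        # Static outbound rule: TCP to these destination ports is permitted (constructed policy).
        self.outbound_permitted_ports = set(outbound_permitted_ports)
        # Temporary inbound entries created by permitted outbound sessions: entry -> last activity
        self.reflexive = {}

    def outbound(self, flow: Flow, now: float) -> bool:
        """Apply the static outbound ACL; on permit, add the mirrored inbound entry."""
        if flow.proto == "tcp" and flow.dport in self.outbound_permitted_ports:
            self.reflexive[flow.mirror()] = now
            return True
        return False

    def inbound(self, flow: Flow, now: float) -> bool:
        """Inbound traffic is permitted only if it matches a live reflexive entry."""
        self._expire(now)
        if flow in self.reflexive:
            self.reflexive[flow] = now   # refresh the idle timer
            return True
        return False

    def close(self, flow: Flow):
        """Session finished (e.g. FIN or RST observed): remove the temporary entry."""
        self.reflexive.pop(flow.mirror(), None)

    def _expire(self, now: float):
        for f, last in list(self.reflexive.items()):
            if now - last > self.IDLE_TIMEOUT:
                del self.reflexive[f]

def demo():
    """Walk through one HTTPS session; returns the decisions so they can be checked."""
    fw = ReflexiveFilter(outbound_permitted_ports={80, 443})
    session = Flow("tcp", "10.1.1.20", 51000, "203.0.113.10", 443)   # constructed flow
    results = {}
    results["outbound_permit"] = fw.outbound(session, now=0)
    results["reply_permit"] = fw.inbound(session.mirror(), now=1)
    # Same server, but aimed at a port the inside host never used: no entry, so dropped.
    results["unsolicited_deny"] = fw.inbound(Flow("tcp", "203.0.113.10", 443, "10.1.1.20", 51001), now=2)
    fw.close(session)
    results["after_close_deny"] = fw.inbound(session.mirror(), now=3)
    results["active_entries"] = len(fw.reflexive)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```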
__
👉 How to implement an ACL on your router?

Devices that face unknown external networks, such as the Internet, need a way to filter traffic. So one of the best places to configure an ACL is on the edge routers.

As you know, your ROUTER is usually placed between the incoming traffic and the rest of your network, or a specific segment of the network, e.g., a DMZ. Thus, the ACL of your router consists of a table that determines what kinds of traffic are allowed to access your system or network.

The ACL examines the information contained within data packets flowing into or out of your network to determine where each packet came from and where it is going, and then decides whether the packet should be allowed to pass to the other side. You can also configure an ACL on this router to restrict traffic on specific well-known ports (TCP or UDP).

Now you know how the ACL on your router works, but to implement it correctly it is very important for you to UNDERSTAND how traffic flows 'in' and 'out' of it.

Remember, you need to identify the 'interfaces' of your router first, and you set the rules from the point of view of the INTERFACE of your router. This point of view is different from that of your networks.

For example, if traffic is flowing into a router and then out of your network, knowing this perspective makes a huge difference in how the traffic's direction is described.

If you want your ACL to perform its intended function well, it needs to be applied to an INTERFACE of the router. The forwarding and routing decisions are executed by the router's hardware, which makes for a faster process.

Your internal router, located between the DMZ and the Trusted Zone, can be configured with more restrictive rules to protect the internal network. However, this is a great place to choose a stateful 'firewall' over an ACL.

--------------
REMEMBER
--------------

While creating an ACL entry, you should put the source address first and the destination address after. The router knows how to read the entry when it is presented in this format. The source is where the traffic is coming from, on the "outside" of the router; the destination is a point past the router, where the data packets will end up.

IMPORTANT NOTE:

Regardless of where you implement your ACLs, when you add ACL rules you should document why you are adding them, what they are intended to do, and when you added them. You should ensure that the current rules are documented, so nobody needs to guess why a rule is there. You don’t need to have one comment per rule. You can make one comment for a block of rules, an intricate explanation for a single rule, or a combination of both approaches.

Before you plan an ACL on a switch interface, you must first understand the situation and grasp the traffic flow. Understanding the role and effects of ACLs is a common topic in CCNA and CCNP exams, and faults in ACL planning are unquestionably the most common error network engineers make during security implementation. You should think about this carefully: if you place an ACL on the wrong interface or mistakenly swap source and destination, it can have a negative impact on your network. A single ACL statement can leave an entire business without the Internet.

In recent years, there has been a shift in how ACLs are thought of, because of the development of Role Based Access Control (RBAC).

Now you can use role-based access control (RBAC) systems to control security at a much more granular level. Rather than emphasizing the identity of the user and determining whether they should be permitted to see something in the application, RBAC governs security based on the role of the user within your organization.

14/09/2022

SCADA (Supervisory Control And Data Acquisition) is a category of software application program for industrial process control, the gathering of data in 'real-time' from remote locations in order to control equipment and conditions.

SCADA is a system of software and hardware elements that allows industrial organizations to:

➤ Control industrial processes locally or at remote locations
➤ Monitor, gather, and process real-time data
➤ Directly interact with devices such as sensors, valves, pumps, motors, and more through human-machine interface (HMI) software
➤ Record events into a log file

SCADA systems are used by industrial organizations and companies in the public and private sectors to control and maintain efficiency, distribute data for smarter decisions, and communicate system issues to help mitigate downtime. SCADA is used in power plants as well as in oil and gas refining, food and beverage, telecommunications, transportation, water and waste control, manufacturing, recycling, pharmaceuticals and biotech, HVAC and commercial building management, energy pipelines and utilities, energy management and refrigeration, and many more.
__
👉 Evolution of SCADA systems

SCADA was born on the floors of industrial organizations and plants. 50 to 70 years ago, most such organizations depended on their personnel to control and monitor their equipment manually, via push-buttons and analog dials.

As these industrial floors and their remote sites began to scale out in size, it was no longer possible to send personnel over long distances to control the equipment. Industrial organizations then started to use 'relays' and 'timers' to provide some level of supervisory control, so that they would not have to send people to remote locations to interact with each device. But these relays and timers were difficult to reconfigure and troubleshoot, and their control panels took up racks upon racks of space.

In the early 1950s, computers were first developed and used for industrial control purposes, especially in the major utilities, oil and gas pipelines, and other industrial markets of that time. In the 1960s, telemetry was established for monitoring, which allowed automated communications to transmit measurements and other data from remote sites to monitoring equipment.

The term “SCADA” was coined in the early 1970s, and the rise of microprocessors and PLCs during that decade greatly contributed to the new ability to monitor and control automated processes. This first generation of SCADA systems started off with mainframe computers. In those days, each SCADA system stood on its own, as networking of computer systems was not possible.

In the 80s and 90s, smaller computers, LAN technology and PC-based HMI software came to the fore, and SCADA evolved using them. Some network connectivity started to emerge among these systems, using proprietary protocols, but they were not capable of communicating with other vendors' systems.

In the 1990s and early 2000s, there was high adoption of 'open system' architectures and network protocols that were not vendor-specific. Using the distributed system model, SCADA systems evolved a great deal. These were called networked SCADA systems, and they used Ethernet as the communication technology. Networked SCADA systems allowed systems from different vendors to communicate with each other, alleviating the limitations of older SCADA systems, and allowed organizations to connect more devices to their networks.

NOW COMES THE SAD PART OF THE STORY...

There was a technology boom in the field of personal computing and IT. When SQL databases were becoming the norm in IT, they were not adopted by most SCADA developers. The gulf between industrial control systems and IT kept widening with each passing year, and SCADA technology became antiquated over time. SCADA developers were eventually forced to give up their attachment to proprietary technology for handling the 'data' their systems collected. Modern SCADA systems aim to solve this problem by leveraging the best of controls and IT technology.

Modern SCADA systems allow real-time data from the plant floor to be accessed from 'anywhere' in the world. This access to real-time information allows governments, businesses, and individuals to make data-driven decisions about how to improve their processes. Without SCADA software, it would be extremely difficult if not impossible to gather sufficient data for consistently well-informed decisions.

The introduction of modern IT standards and practices such as SQL and web-based applications into SCADA software has greatly improved the efficiency, security, productivity, and reliability of SCADA systems. One big advantage of using SQL databases with a SCADA system is that it makes it easier to integrate into existing MES and ERP systems, allowing data to flow seamlessly through an entire organization.

Historical data from a SCADA system can also be logged in a SQL database, which allows for easier data analysis through data trending.

There are numerous SCADA platforms on the market; however, the most popular platforms include Rockwell Factory Talk, Siemens WinCC, Wonderware Systems Platform, and Ignition. Each of these platforms can be programmed with modern web languages such as HTML5, Python, and PHP, and integrated with generalized database software such as SQL.
___
👉 How do SCADA systems work?

Using modern SCADA solutions, operators and field supervisors can access actionable data and manage hundreds of assets without visiting every field device.

SCADA systems include hardware and software components. The hardware gathers and feeds data into a computer that has SCADA software installed. The computer then processes this data and presents it in a timely manner. SCADA also records and logs all events into a file stored on a hard disk or sends them to a printer. SCADA applications warn when conditions become hazardous by sounding alarms.

The basic SCADA architecture begins with programmable logic controllers (PLCs) or remote terminal units (RTUs). PLCs and RTUs are microcomputers that communicate with an array of objects such as factory machines, HMIs, sensors, and end devices, and then route the information from those objects to computers with SCADA software. The SCADA software processes, distributes, and displays the data, helping operators and other employees analyze the data and make important decisions.

SCADA provides real-time visibility into your industrial operations. For example, the SCADA system quickly notifies a machine operator that a batch of products is showing a high incidence of errors. The operator pauses the operation and views the SCADA system data via an HMI to determine the cause of the issue. Reviewing the data, the operator discovers that Machine 4 was malfunctioning. The SCADA system's ability to notify the operator of an issue helps resolve it and prevent further loss of product.
__
👉 What are main Components of SCADA systems?

1. REMOTE TERMINAL UNITS (RTUs)

RTUs collect and store information from sensors, then send it to the master terminal unit (MTU), which is composed of a computer, PLC, and a network server that forms the core of a SCADA system. An RTU collects and stores data until it receives the appropriate command from the MTU, then transmits the necessary data. The MTU is then able to communicate with operators and share data with other systems.

2. HUMAN-MACHINE INTERFACE (HMI)

Within a SCADA system, a human-machine interface is any user interface or dashboard where operators can interact with a machine, system, or device. It’s where water operators or technicians can track real-time data on every connected piece of equipment. These user interfaces allow for full remote control of your assets. This enables operators to monitor machine 'input' and 'output,' oversee their key performance indicators (KPIs), track production time and trends, and visually display data across the SCADA system.

HMIs are used to interact with machines and optimize their processes. They can take the form of computer monitors, tablets, and screens built onto machines themselves, which provide insight into the performance and progress of the mechanical system. For example, an operator on the floor level of an industrial plant could use an HMI to control and monitor the temperature of a water tank or monitor the performance of a pump within the facility.

3. COMMUNICATIONS NETWORK

The communications network is the connection between the RTU and the MTU, which enables data to be transmitted between the two units. It can be a wired or wireless network. Nowadays, wireless communication is more prevalent, and it is bidirectional. It is used for networking purposes alongside other communication media and equipment, such as fiber optic and twisted pair cables.

4. INPUTS

SCADA systems rely on inputs that are read and written by a PLC (Programmable Logic Controller) to log and store data. What is a PLC, you may ask? It is a mini-computer that sits within a SCADA network and collects inputs and outputs from devices in the system. The PLC monitors the state of inputs, such as the speed and performance of a motor, then uses this insight to output signals to devices, such as stopping or slowing down the motor.
__
👉 Key Security Concerns with SCADA

As you now know, SCADA systems use computers, networks, and graphical human-machine interfaces (HMIs) to provide high-level control, management, and supervision of industrial processes. Although SCADA networks are crucial to industrial operations, they are made up of ordinary hardware and software. That is why they can easily fall prey to hacking, which makes SCADA security increasingly important for you.

Some ICS/SCADA networks are particularly vulnerable to attacks by hackers, insider threats, and even terrorists. For example, ICS firm Schneider Electric was attacked by sophisticated hackers who launched a targeted zero-day attack on its systems in 2018. The attack used a remote access Trojan, the first of its kind to infect safety-instrumented systems equipment, which is crucial to monitoring utility firms' critical systems. The firm released a firmware update and issued advice and tools for customers to detect and mitigate the attack.

Common weaknesses of SCADA systems include the following:

➤ A lack of security around 'Application development,'
➤ Issues with SCADA systems monitoring,
➤ A lack of maintenance or updates to the software, and so on

All these weaknesses thus create some serious security gaps.

Another key threat to SCADA systems is a lack of security training for employees, who need to understand the potential threats they face and how to spot a potential cyberattack.

Security of SCADA systems is a key component of protecting Operational Technology (OT). But you need specialized solutions from security vendors that are designed specifically for ICS/SCADA security. These SCADA security solutions protect SCADA networks and prevent vulnerabilities from being exploited by cyber criminals.

Avoiding potential security issues relies on documenting and mapping where systems connect to the Internet and other internal networks, and who has access to them. This provides insight into all potential data 'entry' and 'exit' points, which helps organizations monitor for cyberattacks.

Your organization also needs to implement appropriate detection and monitoring systems that can prevent attacks and 'malware injection.'

You must ensure procedures are in place around network security, including report monitoring, standard protocols, and security checks, which will help you address new and existing vulnerabilities.

19/08/2022

May Lord Krishna steal all your worries and give you peace, and happiness on this holy occasion of shree Krishna Janmashtami 💞🙏

22/07/2022

What are IOCs?

These are known as Indicators of Compromise...

IOCs are a little different from Indicators of Attack (IOAs): IOCs focus on examining what happened after an attack has occurred, whereas IOAs focus on identifying the activity associated with the attack while it is happening.

IOCs are pieces of actual forensic data, artifacts, or remnants of an intrusion that can identify potentially malicious activity on your networks and systems. They are markers of 'unusual activities' and serve as RED FLAGS that indicate a potential or in-progress attack that could lead to a data breach or system compromise.

Some of these artifacts are found on event logs and timestamped entries in the system, as well as on its applications and services. Security professionals also employ various tools that monitor IOCs.

IOCs are very helpful to you as they assist you in detecting all sorts of data-breaches, malware infections, or any other suspicious activity that may be launched by threat-actors.

It is fundamental to cybersecurity that you continuously monitor IOCs, as they act like breadcrumbs: you follow the breadcrumbs and are led to malicious activity early in the attack sequence.

But IOCs are not always easy to detect; they can be as simple as metadata elements or as complex as malicious code and content samples that require advanced reverse engineering and analysis. IOCs are the cumulative result of a process of pulling all these different pieces together.

Security analysts often identify various IOCs, look for correlation, and piece them together to analyze a potential threat or incident. Whenever multiple IOCs correlate strongly, you may assume that a security threat or network intrusion exists, and it is time to send in your CSIRT.
__
If you are a security analyst, incident responder or threat researcher, then your ability to collect, record and notate IOCs in a detailed manner cannot be stressed enough. Being able to demonstrate the Who, What, Where, When, How and (assuming you have enough data) the 'Why' is invaluable!
__
If your security teams discover recurrence or patterns of specific IOCs, they can update their security tools and policies to protect against future attacks as well.

__
👉 THREAT INTELLIGENCE IS THE CORNERSTONE

Threat intelligence refers to evidence-based knowledge that can specifically be used to prevent cyber attacks. Threat intelligence can include many things, for example:

➤ Context-dependent threat indicators
➤ Mechanisms of attack (TTPs)
➤ Attack vectors
➤ Indicators of compromise (IOCs)
➤ Other information, etc

Your company can develop its own threat intel through its own activities and interactions: by discovering a suspicious event, identifying it as a security incident, correlating it with a specific type of attack from a specific source, and so on.
__
However, most companies worldwide prefer threat-intelligence feeds from security vendors and open-source threat-intel feeds. You can in fact source them from multiple third parties. This is a far better approach, as so much goes into the development of the right set of IOCs for any malicious activity!
__
If your company has access to up-to-date threat intelligence, you can heavily automate the search for IOCs. That leaves your security analysts free to focus on innovation, as well as disaster recovery and incident response preparation and strategy.
__

👉 15 Indicators of Compromise

While researching on the Internet, I found a list of 15 Indicators of Compromise:

➤ Unusual outbound network traffic
➤ Anomalies in privileged user account activity
➤ Geographical irregularities
➤ Other log-in red flags
➤ Swells in database read volume
➤ HTML response sizes
➤ Large numbers of requests for the same file
➤ Mismatched port-application traffic
➤ Suspicious registry or system file changes
➤ DNS request anomalies
➤ Unexpected patching of systems
➤ Mobile device profile changes
➤ Bundles of data in the wrong places
➤ Web traffic with non-human behavior
➤ Signs of DDoS activity

__

👉 How to identify IOCs?

When your organization is an attack target or a victim, the cybercriminal will leave traces of their activity in the system and log files. Your threat hunting team gathers this digital forensic data from those files and systems to determine whether a security threat or data breach has occurred or is in progress.

Identifying IOCs is a job handled almost exclusively by trained infosec professionals. Often these individuals leverage advanced technology to scan and analyze tremendous amounts of network traffic, as well as isolate suspicious activity.

The most effective cybersecurity strategies blend human resources with advanced technological solutions, such as AI, ML and other forms of intelligent automation, to better detect anomalous activity and improve response and remediation times.
__
👉 IOC Documentation & Recording

Some in the industry argue that documenting IOCs and threats helps organizations and individuals share information among the IT community as well as improve incident response and computer forensics.

The OpenIOC framework is one way to consistently describe the results of malware analysis. Other efforts, such as STIX and TAXII, aim to standardize IOC documentation and reporting.
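Pulling together the correlation idea from earlier in this post, the indicator list, and the STIX-style documentation mentioned here, the following added Python example (not from the original post) reads a small threat-intel feed written as STIX 2.1-style Indicator objects, matches their patterns against constructed proxy, DNS and EDR log lines, and escalates only those hosts on which more than one kind of indicator correlates. Only single-comparison patterns are parsed; the indicator values, host names, log format, field mapping and threshold are all constructed for this example and are not real IoCs.

```python
import re
from collections import defaultdict

# Constructed threat-intel feed in the shape of STIX 2.1 Indicator objects.
# IDs, values and names are fictitious; nothing here is a real indicator.
FAKE_SHA256 = "c0ffee" * 10 + "0000"   # 64 hex characters, constructed
FEED = [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "name": "C2 server (constructed)", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "Staging domain (constructed)", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update-cdn.example']"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000003",
     "name": "Dropper hash (constructed)", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + FAKE_SHA256 + "']"},
]

# Constructed log lines: timestamp, log source, then key=value fields.
LOGS = [
    "2022-07-20T09:12:01Z proxy host=ws-017 dst=198.51.100.23 dport=443 bytes_out=52428800",
    "2022-07-20T09:12:05Z dns host=ws-017 query=update-cdn.example answer=198.51.100.23",
    "2022-07-20T09:13:40Z edr host=ws-017 path=C:/Users/pat/AppData/Local/Temp/svc.exe sha256=" + FAKE_SHA256,
    "2022-07-20T09:15:00Z dns host=ws-042 query=update-cdn.example rcode=NXDOMAIN",
    "2022-07-20T09:20:10Z proxy host=ws-088 dst=203.0.113.5 dport=443 bytes_out=1200",
]

# Only the simplest STIX pattern form is handled: [object-type:property = 'value'].
PATTERN_RE = re.compile(r"\[(?P<otype>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]")

# Which log fields each indicator type is compared against (an assumption of this example).
FIELDS_BY_TYPE = {
    "ipv4-addr": ("src", "dst", "answer"),
    "domain-name": ("query",),
    "file": ("sha256",),
}

def parse_indicators(feed):
    """Return (object type, value, indicator id) for every indicator whose pattern we can parse."""
    parsed = []
    for ind in feed:
        m = PATTERN_RE.fullmatch(ind.get("pattern", ""))
        if m is None:
            continue   # compound patterns would need a real STIX pattern engine
        parsed.append((m["otype"], m["value"], ind["id"]))
    return parsed

def parse_line(line):
    """Split a constructed log line into a dict of fields plus its timestamp and source."""
    ts, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["_ts"], fields["_source"] = ts, source
    return fields

def match_logs(logs, indicators):
    """Map host -> list of (indicator type, value, indicator id, timestamp) hits."""
    hits = defaultdict(list)
    for line in logs:
        f = parse_line(line)
        for otype, value, ind_id in indicators:
            if any(f.get(field) == value for field in FIELDS_BY_TYPE.get(otype, ())):
                hits[f["host"]].append((otype, value, ind_id, f["_ts"]))
    return dict(hits)

def triage(hits, min_kinds=2):
    """Escalate hosts on which at least min_kinds distinct indicator types correlate."""
    return sorted(host for host, lst in hits.items()
                  if len({otype for otype, *_ in lst}) >= min_kinds)

if __name__ == "__main__":
    found = match_logs(LOGS, parse_indicators(FEED))
    for host in triage(found):
        print(host, "-> escalate:", [(t, v, ts) for t, v, _, ts in found[host]])
```

In this constructed data, ws-017 contacts the C2 address, resolves the staging domain and runs the dropper, so three indicator types line up and it is escalated; ws-042 only resolved the domain (and got NXDOMAIN), a single weak signal that stays at the lower tier for an analyst to review rather than an automatic CSIRT call.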
__
IOCs are an important component in your battle against malware and cyberattacks. While they are reactive in nature, if your organization monitors for IOCs diligently and keeps up with the latest IOC discoveries and reporting, you can improve your detection rates and response times significantly.

Do you need any help with strengthening or assessing your network to sort out security issues you might have?

Please send us a message.

Address

Sanepa, Lalitpur
Kathmandu
