
Network Monitoring: Do you know what your security devices are connecting to?

Guest post by one of our trusted suppliers, John Day of Datensaft.com

Your network is crucial to your business. In fact, industry research suggests that network downtime can cost your organization an average of $5600/minute (Gartner), which is why an effective network monitoring system is so important. One of the network monitoring tools we recommend is EdgeSentry, which is why we asked John Day of Datensaft to tell us more.

The alert landed on my cell phone with a chime. It was an alert from my test network, with a cursory overview of the condition. Normally, these alerts are quick to either explain or dismiss – but this one was neither.

My security network is used for testing a network monitoring product called EdgeSentry, which monitors network traffic and lets me know when a device’s behaviour changes from its ‘normal’ state.

An alert about a device behaviour change mostly happens when a device stops working, but it can indicate a host of other conditions as well: work being done on the network, new devices being added, something misconfigured, a power outage. All of these are readily explicable and easy to address.

However, this alert was different.

It indicated that one of my network cameras was connecting to an unknown location on the internet. Given that my security network is not configured for off-network purposes, this was concerning. Not only was this an internet connection I hadn’t set up, it was not immediately apparent who or what was tapping into my information.

Thanks to the EdgeSentry alert, I was able to log into my network within moments and started to investigate. I immediately knew the specific camera involved, its MAC address, manufacturer and IP (internet protocol) address, but I also was able to see the public IP address to which the camera had connected. This enabled me to begin effective troubleshooting.

I began by running the public IP address through an online website reputation tool, which rates the probability that the address is being used for spam or malware. However, in this case, the site reputation tool told me that the destination IP address was being used by a VPN service, which is often an indicator that the entity at the other end is trying to hide their identity and location – and that’s never a good sign.

Immediately, I removed the device from the network, logged into my router and blocked inbound and outbound traffic to that IP address. That done, I started to ask the obvious questions: How did this happen? How bad could it be? Assuming there was a bad actor at the other end of the VPN, what were they trying to accomplish?

EdgeSentry gives me a few other tools to work with. For example, the system tracks all connections between devices, meaning I can create a list of every single device the infected device connected to. This particular device had more than 30 different connections per week, which made it an attractive target for a bad actor.

All these symptoms – the connection to an unknown site, the use of the VPN service, and the probing of other devices in the network – pointed to the camera having a botnet infection.

A botnet is a coordinated network of internet-connected devices, including computers, mobile phones, IoT hardware, etc., each infected with specialized malware that grants remote control to a single attacking party. This allows the attacking party to execute automated, large-scale cyberattacks that would be impossible for a single machine to perform. Typically, the ‘bot herder’ (the attacker operating the botnet through its command-and-control server) instructs hundreds of thousands (or even millions) of devices to ‘attack’ a targeted website, rendering the site unusable.

Botnets usually spread to security devices that have been left reachable from the internet with weak, default or compromised passwords – they scan constantly for gaps, mistakes or errors that they can exploit for malicious purposes. I thought my network was locked down pretty tightly, so what happened?

Because my security network is used as a test bed for EdgeSentry development, I need lots of devices of all different types and brands, and from time to time I purchase batches of used security equipment from eBay for testing. While the infected camera was a good brand from a tier-one vendor, it’s likely that it was left open to the internet by the previous owner, and I hadn’t properly reset the camera to factory defaults (which should have been enough to clear any infection) before I installed it.

Lesson learned: When using (or reusing) second-hand internet-enabled security devices, it pays to double- or triple-check that they’ve been reset before being installed into a new system.

More importantly, the incident was a good reminder that ‘alerts’ are just the start of network monitoring. Effective security requires a structured or automated response to those alerts in order to contain a security incident. EdgeSentry offers an automated response through integration with the site’s network switches. When unsafe or unauthorized behaviour is detected, EdgeSentry writes a rule to the switch that allows the device to continue its ‘normal’ behaviour but blocks risky operations such as an off-network connection.
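To make the behaviour-change detection described above concrete, here is an added example (written for this post; it is not EdgeSentry code and does not represent how EdgeSentry is implemented). It learns each device’s normal set of peers from a known-good window of flow records, raises an alert when a device talks to a destination it has never used (ranking an off-network destination above a new internal peer, as in the camera incident), produces the per-device connection list the investigation relied on, and turns off-network alerts into deny rules. The device inventory, the flow records, the camera at 192.168.10.21 and the ‘unknown’ destination 203.0.113.45 (a documentation address) are all constructed for the example; the rule text is a generic placeholder, not any real switch’s ACL syntax.

```python
"""Per-device peer baseline and off-network alerting over constructed flow records.

Illustrative code added for this post, not EdgeSentry's own implementation.
Assumes flow records of the form (timestamp, src_ip, dst_ip, dst_port).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: device IP -> (MAC, vendor). Hypothetical values.
INVENTORY = {
    "192.168.10.21": ("00:11:22:33:44:55", "Camera vendor A"),
    "192.168.10.22": ("00:11:22:33:44:66", "Camera vendor B"),
    "192.168.10.5": ("00:11:22:33:44:77", "NVR"),
}

# Constructed known-good window used to learn 'normal' behaviour.
BASELINE_FLOWS = [
    ("2024-01-01T00:00:00", "192.168.10.21", "192.168.10.5", 554),  # RTSP to NVR
    ("2024-01-01T00:00:05", "192.168.10.22", "192.168.10.5", 554),
    ("2024-01-01T00:01:00", "192.168.10.5", "192.168.10.21", 80),   # NVR polls camera
    ("2024-01-01T00:01:00", "192.168.10.5", "192.168.10.22", 80),
]

# Constructed observation window: camera .21 opens a connection to a public
# address it has never used and then probes a peer it does not normally contact.
OBSERVED_FLOWS = [
    ("2024-01-02T03:00:00", "192.168.10.21", "192.168.10.5", 554),
    ("2024-01-02T03:00:07", "192.168.10.21", "203.0.113.45", 443),  # off-network
    ("2024-01-02T03:00:09", "192.168.10.21", "192.168.10.22", 23),  # telnet probe
    ("2024-01-02T03:00:10", "192.168.10.22", "192.168.10.5", 554),
]

# Explicit local ranges: RFC 1918 plus loopback and link-local. Checked by hand
# rather than via IPv4Address.is_private, which also classifies the 203.0.113.0/24
# documentation range used in this example as private.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_off_network(ip: str) -> bool:
    """True when the address lies outside every local range."""
    addr = ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def build_baseline(flows):
    """Map each source device to the (dst_ip, dst_port) pairs it normally uses."""
    peers = defaultdict(set)
    for _ts, src, dst, port in flows:
        peers[src].add((dst, port))
    return peers


def detect(baseline, flows):
    """Return one alert per flow that deviates from the device's baseline.

    An off-network destination is tagged separately from a new internal peer so
    the responder can prioritise it, as the post's investigation did.
    """
    alerts = []
    for ts, src, dst, port in flows:
        if (dst, port) in baseline.get(src, set()):
            continue
        mac, vendor = INVENTORY.get(src, ("unknown", "unknown"))
        kind = "off-network" if is_off_network(dst) else "new-internal-peer"
        alerts.append({"ts": ts, "device": src, "mac": mac, "vendor": vendor,
                       "dst": dst, "port": port, "kind": kind})
    return alerts


def peers_of(flows, device: str):
    """Every destination the given device connected to in the window."""
    return sorted({dst for _ts, src, dst, _port in flows if src == device})


def containment_rules(alerts):
    """Deny rules for off-network alerts, in a placeholder 'deny ip host A host B' form."""
    return sorted({f"deny ip host {a['device']} host {a['dst']}"
                   for a in alerts if a["kind"] == "off-network"})


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    found = detect(baseline, OBSERVED_FLOWS)
    for alert in found:
        print(alert)
    print("peers of 192.168.10.21:", peers_of(OBSERVED_FLOWS, "192.168.10.21"))
    print("rules:", containment_rules(found))
```

Run as a script, it reports the camera’s off-network connection first, its probe of the second camera second, lists every destination the camera touched in the window, and emits a single deny rule for the public address. A real deployment would keep a longer baseline window, expire stale peers, and push the rule through the switch vendor’s own API rather than the placeholder string shown here.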

Want to learn more about network monitoring, network security, or how to protect your organization? Don’t hesitate to get in touch!