Network Risk Report
Prepared for Cisco dCloud
Wednesday, September 21, 2016
Prepared by Scott Barasch
Contact: sbarasch@cisco.com


I. Executive Summary


Cisco has determined that Cisco dCloud is at a high risk due to the use of applications that are potentially dangerous to the enterprise yet have low business relevance. These applications may leave your network vulnerable to attack, carry malware, or waste bandwidth.

Assessment Period: Wed Sep 14 2016 15:15:12 to Wed Sep 21 2016 15:15:12

Risky Apps:               25
Risky Users:              162
High Bandwidth Apps:      4
Encrypted Apps:           20
Evasive Apps:             2
Dangerous Web Browsers:   291

Your Network Profile

Operating Systems:        10
Mobile Devices:           37
Applications in Use:      223
File Types Transferred:   9

Recommendations

Cisco recommends Cisco dCloud deploy Cisco Firepower Appliances (NGIPS/NGFW) with App Control and URL Filtering to:
  1. Reduce your application attack surface
  2. Granularly control applications, bandwidth, URL access and acceptable use policies
  3. Get visibility into network risks and usage, including mobile devices and BYOD risk


II. Application Risk


Applications with High Risk and Low Business Relevance

Some applications carry high risk because they can be vectors for malware into the organization, possess recent vulnerabilities, use substantial network resources, or hide the activities of attackers. Other applications have low business relevance: they are not relevant to the activities of a typical organization. When an application has high risk and low business relevance, it is a good candidate for application control to reduce your application risk. You should investigate these applications to determine whether they are important to control.
Application    Times Accessed  Application Risk  Productivity Rating  Data Transferred (MB)
NNTP           12              Very High         Very Low             0.51
NNTP client    12              Very High         Very Low             0.51
Yahoo! Slurp   4               Very High         Very Low             0.00
QQ             0               High              Low                  0.00
QQ client      0               High              Low                  0.00

Summary of All Network Connections by Application Risk

[Pie chart: summary of all network connections by application risk]

High Bandwidth Applications

Some applications use a substantial amount of network bandwidth. This bandwidth usage can be costly to your organization and can negatively impact overall network performance. You may want to restrict the usage of these applications to particular networks: for instance, a wireless network may not be well suited for video streaming. Or, you can shut down these applications entirely or simply get visibility into how your bandwidth is being used.
Application          Times Accessed  Application Risk  Productivity Rating  Data Transferred (MB)
generic audio/video  12              Very Low          Medium               0.22
MPEG                 10              Low               Medium               0.08
SIP                  9               Low               Medium               0.01
Spotify              0               Medium            Very Low             0.00

Encrypted Applications

Some applications encrypt data they process, causing security administrators to be blind to attacks and usage patterns. With SSL decryption, administrators can look inside these applications and observe their use. An SSL decryption appliance, such as a Cisco SSL Appliance, can decrypt SSL traffic inbound and outbound: inbound by storing the certificates of private web servers, and outbound by acting as an intermediary in browsers' connections to the Internet. It is important to use SSL decryption to obtain visibility into encrypted applications to help mitigate this potential attack vector.
Application        Times Accessed  Application Risk  Productivity Rating  Data Transferred (MB)
Internet Explorer  886             Medium            Medium               15.51
Firefox            819             Medium            Medium               41.82
Chrome             445             Medium            Medium               1.42
Kerberos           173             Very Low          High                 0.18
Mobile Safari      68              Low               Medium               0.42

Evasive Applications

Evasive applications try to bypass your security by tunneling over common ports and trying multiple communication methods. Only solutions that reliably identify applications are effective at blocking evasive applications. You should evaluate the risks of these applications and see if they are good candidates for blocking.
Application  Times Accessed  Application Risk  Productivity Rating  Data Transferred (MB)
SSL client   377             Medium            Medium               2.30
cURL         1               Medium            Medium               0.02

Other Applications of Interest

Other applications were observed that may be of interest and possibly candidates for control. Users may use anonymizers and proxies to bypass your network security or cloak their identities. Gaming applications may be distractions to productivity and use excessive bandwidth. Peer-to-peer applications are often malware vectors. And remote administration applications may allow malicious users to control machines in your environment.
Anonymizers and Proxies (accesses):
No Data
Games and Recreation (accesses):
Instagram(1)
Peer-to-Peer and Sharing (accesses):
cURL(55), TFTP(16), NNTP(12), Adobe Creative Cloud(4), Pinterest(2), Instagram(1), MS Online(1), Windows Media Player(1), MSN(0)
Remote Administration and Storage (accesses):
HTTP(3,441), HTTPS(343), FTP(68), cURL(55), FTP Data(13), FTP Passive(13), NFS(8), Dropbox(7), IRC(6), Google Hangouts(3)

Dangerous Web Browser Versions

A profile of your network revealed the following old web browsers in use. Outdated web browsers are a major vector for network malware and it is important to update them (or encourage users to). These browsers often have unpatched vulnerabilities or carry other risks.
Browser (Number of Hosts): Versions observed
Internet Explorer (0 hosts): none
Google Chrome (32 hosts): 1.0.154.36, 11.0.696.71, 27.0.1453.110, 27.0.1453.94, 28.0.1464.0, 28.0.1500.52, 3.0.198.1, 30.0.1599.101, 37.0.2062.94, 39.0.2171.95, 4.1.249.1042
Safari (13 hosts): 2.0.4, 3.0.4, 3.1.1, 3.1.2, 3.6.4, 4.0.4, 4.0.5, 5.0.4
Firefox (246 hosts): 0.10, 0.10.1, 0.9.1, 0.9.2, 1.0, 1.0.1, 1.0.4, 1.0.6, 1.0.7, 1.5, 1.5.0.0, 1.5.0.2, 1.5.0.4, 10.0.1, 11.0, 12.0, 13.0.1, 2.0, 2.0.0.1, 2.0.0.16, 2.0.0.17, 2.0.0.20, 2.0.0.4, 20.0, 25.0, 3.0.1, 3.0.8, 3.5, 3.6, 31.0, 34.0, 4.0.1

Risky Web Browsing

The following web communications were identified that correspond to risky activity. Malware sites, open proxies and anonymizers, keyloggers, phishing sites, and spam sources are all Web activities that can put your networks at risk. It is wise to evaluate the use of URL filtering technologies to detect and control communications to risky sites.
URL Category           Connections  Blocked  Data Inbound (KB)  Data Outbound (KB)
Social Network         27           0        0.00               63.85
Adult and Pornography  7            0        0.00               18.42

The Applications on Your Network

This is a list of the riskiest applications discovered in use on your network. Three types of applications are identified and listed here: client applications (including web browsers), web applications (such as Facebook), and application protocols (such as HTTP). Full visibility over all application types enables you to get a better perspective on how your networks are currently utilized.
Client Applications (Total: 108)
Client applications include web browsers and other desktop applications that access the network.
Examples: IMAP, NNTP client, RDP, RDP client, TFTP client, …

Web Applications (Total: 92)
Web applications are carried over web-related protocols such as HTTP and HTTPS. Many web applications operate on port 80 and/or port 443.
Examples: WebDAV, Yahoo! Slurp, iCloud, Outlook, QQ, …

Application Protocols (Total: 102)
Application protocols are the means by which other applications communicate over your network. Examples include HTTPS and SSH.
Examples: IMAP, NNTP, RDP, TFTP, WebDAV, …


III. Asset Profile


The Operating Systems on Your Network

The operating systems below were observed on your network. You should identify any operating systems that fall outside your IT policy and investigate them further as to whether they should be permitted.
[Pie chart: operating systems observed on the network]

The Mobile Devices on Your Network

The following mobile devices were profiled on your network. Mobile devices may be vulnerable, especially older or jailbroken versions. It is important to be aware of how mobile devices are used and set appropriate security policies.
OS Vendor  OS Version  Count
Microsoft  XP, 7       15
RIM        5.0.0       12
Apple      5.0         9
Apple      4.2.1       7
Google     4.0.3       7

The Files Traversing Your Network

Downloads

File Category     File Type    Protocol  Count
Executables       MSEXE        HTTP      181
Office Documents  MSOLE2       HTTP      55
Executables       BINARY_DATA  HTTP      47
Archive           JAR          HTTP      40
Archive           ZIP          HTTP      32

Uploads

File Category  File Type  Protocol  Count
Executables    MSEXE      HTTP      8
Archive        ZIP        HTTP      5

Misc

File Category  File Type  Protocol  Count
No Data


IV. Recommendations


Despite existing protections, your organization's application usage exposes it to added risks. This assessment, which contains a profile of your network, has identified risky assets. New countermeasures and security controls are required to mitigate the risks to these assets.
Cisco recommends that Firepower Appliances with Application Control and URL Filtering be deployed to:
  1. Establish continuous network visibility into its application and asset risk
  2. Augment its existing controls in order to mitigate this risk

1. Establish continuous network visibility into application risk

Existing security infrastructure provides inadequate protection against application and asset risks. Cisco recommends deployment of network-based protections via Firepower Appliances (NGIPS/NGFW). These will provide the following new capabilities and benefits to augment your network visibility:

Network Map: Profiles hosts on the network, including network infrastructure, desktops, servers, mobile devices, virtual machines, and many others.
Application Visibility and Control: Identify and control over 3000 applications. By leveraging OpenAppID, application detectors can be created for custom applications. Furthermore, Snort rules can be written to address specific applications.
Security Intelligence: With unparalleled visibility into the Internet, Cisco Talos provides dynamic IP and URL blacklists to protect against malicious websites.
Mobile Awareness: Identifies and profiles mobile devices, including iOS, Android, Amazon, Blackberry, and other mobile device types. Identifies jailbroken devices.
Real-time Contextual Awareness: Profiles hosts and identifies communications that use unusual bandwidth or hosts that are running applications inappropriate for the environment.

2. Augment Controls to Mitigate Risk

Deploying additional countermeasures can help mitigate the risk applications pose. These measures may entail reduction of the application threat surface and blocking risky URLs. Cisco recommends deployment of network-based protections via Firepower Appliances with Application Control and URL Filtering. These provide the following new capabilities and benefits:
Granular Application Control: Reduce the potential area of attack through granular control of thousands of applications.
File Identification and Control: Detect and optionally block files by file type. Capture files for offline analysis, if desired.
URL Filtering: Control access based on a database of millions of URLs, by risk or productivity characteristics.
Virtual Protection: Protect VM-to-VM communications the same as on the physical network.
In addition, Cisco offers NGIPS capabilities and optional Advanced Malware Protection for networks and hosts, to help better protect against the latest threats. Please contact your Cisco representative or reseller for more information.

About Cisco
It's no secret that today's advanced attackers have the resources, expertise, and persistence to compromise any organization at any time. As attacks become more sophisticated and exploit a growing set of attack vectors, traditional defenses are no longer effective.

It's more imperative than ever to find the right threat-centric security products, services, and solutions for your current environment. These solutions must also easily adapt to meet the evolving needs of your extended network, which now goes beyond the perimeter to include endpoints, mobile devices, virtual machines, data centers, and the cloud.

For over three decades, Cisco has been a leader in network security protection, innovation, and investment. Our expertise and experience help us increase intelligence and expand threat protection across the entire attack continuum for a level of security you can build your business on.

Cisco delivers intelligent cybersecurity for the real world.
Contact Us
Want to learn more about getting this information on your network? Go to cisco.com/go/security and request a live demo.