On this Down the Security Rabbithole podcast we're joined by Stephen A. Ridley & Jamison Utter for a discussion on the finer points of Internet of Things (IoT) security ... or complete lack thereof. If you own gadgets that are 'connected' or you are ever around them (hint: you're surrounded by things that pull IP addresses right now) then you need to listen to this podcast. Some great discussion in what was the very first podcast we recorded in 2017.
How insecure are products like broadband routers and smart surveillance cameras? The Security Ledger sat down with three experts from the firm SENRIO to discuss the matter: Stephen A. Ridley, the Founder and Chief Technology Officer; Jamison Utter, Senrio’s Vice President of Field Operations and Margaret Carlton-Foss, the company’s Vice President of Research.
Today, security is little more than a cost center for companies developing new, connected products. Building in security features, like a hardware security model or more robust application security and identity management features, adds to the complexity of the development process and the time needed to complete a product. On the other side of the ledger, however, there is little to compel smart device makers to expend that time and effort.
“(The FTC) is changing the cost benefit ratio of having security in products,” said Ridley. “Up to now, there has been no reason to have any security, so the stuff you’ve seen was more altruistic in nature.” The FTC’s suit against D-Link will give vendors pause, he said. “They have to ask: do we spend x on security now if we can avoid paying x-squared in the cost of litigation and class action suits,” Ridley said.
Listen to the Podcast here.
New Year's Resolutions for IT Security Executives and the Cybersecurity Threats Facing Businesses in 2017
What is one resolution every IT security executive should make for the coming year?
“DATA, DATA, DATA. Effective Information Security departments these days are less about cool tech for IR, detection, policy, and orchestration. We have a wealth of those for traditional endpoints/networks. What we now see in Information Security (like the rest of technology) is that we need to be better about storing and utilizing data (and in an actionable time-frame). The largest transportation networks own no cars. The largest search engines and social media sites generate no content. It's all about data management. Security is now no different. Solutions that don't speak to how data is stored, searched, parsed, and effectively plugged into your existing architecture need to be ignored. Security products need to provide operational value now. We've evolved past the ‘how’ and now need to focus on the ‘why.’ Security solutions have the burden of bringing more to the enterprise than just security.”
What’s the biggest cybersecurity threat facing companies in 2017?
“VISIBILITY, VISIBILITY, VISIBILITY. Networks have grown more diverse and now include more than just servers and endpoints that an agent can be installed into for policy, management, and enforcement. Gartner predicts that by 2020, over 15% of all network intrusions will leverage embedded devices. These devices are (from a CISO's perspective) impossible to ‘get into.’ So how do you make sure these devices aren't compromising your network security posture? Look for solutions that speak to this. This burgeoning blind-spot is symptomatic of the CURRENT ‘visibility’ problem. How can you cheaply and efficiently get visibility into the behavior of assets on your network without incurring the cost of archiving terabytes worth of pcaps? Visibility is king. And at the heart of the visibility problem is the DATA problem. The deluge of alerts. The overloaded SIEM. The ‘analysis paralysis’ of your Operations/Security team. Look for clever solutions to the data/visibility problem that are tractable and accessible.”
"It's not a very political issue," said Jamison Utter, VP at Portland, Ore.-based Senrio, an IoT cybersecurity firm. "I believe that the issue is pretty strong and apparent, and doesn't have much to do with party or politics. This is a societal problem, not a Democrat or Republican or whatever issue."
“If we consider the disruptive changes that IoT and the globalization of commerce have made on our economy (and culture), maybe we can stop looking for workforce in all the same places. What I am saying here is that we want 8-5, in-the-office workforces. That’s not where people are, or want to be. Cyber security is not a suit-and-tie, 8-5 job. Let’s flex to a globalized workforce (mobile, on the go) and non-traditional forces; stop looking for your classic computer science grad (they don't make the best analysts; criminals don’t do things by the book). Let’s instead look to displaced soldiers (who might think about security differently) or former security workers, even former criminals. The influx of different thinking might help the perspective of the entire industry.”
Two U.S. government agencies have released security guidance documents focusing heavily on IoT security following a series of massive distributed denial-of-service attacks that leveraged IoT devices using default security settings. Both the Department of Homeland Security (DHS) and the National Institute of Standards and Technology(NIST) have released recommendations for how to approach security for the internet of things (IoT). Experts said the IoT security guidance from DHS focuses on the basics, while NIST offers more of a how-to for businesses.
[...] Jamison Utter, vice president at IoT cybersecurity firm Senrio, said "it's important at this phase for any governing body to set for things that are high-impact, but very achievable."
"For example, in the 'Incorporate Security at the Design Phase' section is to enable security by default," Utter told SearchSecurity via email. "This single recommendation of changing default passwords would have a profound impact on simple compromises -- and 90% are simple. Mirai, for example, uses default passwords."
This video was published in IoT-Inc. See detailed show notes and additional useful information here.
Jamison Utter, VP of Senrio, told SCMagazine.com that the proof-of-concept is “an interesting stopgap solution to the recent distributed denial of service (DDoS) attacks.” He said an anti-virus firm could use the approach “in an opt-in manner, rather than as a worm.”
IoT device security specialist Stephen Ridley will join us in this week's feature slot to discuss that.
The problems with the XiongMai devices underscore a general lack of security in the supply chain for devices that are currently being sold globally, said Jamison Utter of the firm Senrio. “Manufacturers really have no guidance on what is good or bad or what they should be doing. It might seem obvious to us that you don’t build devices with unchangeable default administrator account names and passwords, but from their standpoint, there’s no checklist or guidance on what industry best practices are.”
The security industry has not done a great job of protecting our computers and servers. And now we are connecting billions of devices with no or minimal security. IoT poses real physical safety, cybersecurity, financial and privacy risks. The risk is systemic and at a much bigger scale than we have seen in traditional IT. IoT security requires a scalable and procedural approach to replace the fragmented and ad hoc practices we currently have in place.
Cisco issued an advisory for a flaw that the company has linked to exploits released by the Shadow Brokers group a month ago. The vulnerability (CVE-2016-6415), which has not yet been patched by the firewall manufacturer, affects Cisco IOS, Cisco IOS XE and Cisco IOS XR Software, and could be exploited by unauthenticated, remote attackers to execute arbitrary code. The vulnerability affects Internet Key Exchange (IKEv1) packet processing.
Senrio CTO and founder Stephen Ridley told SCMagazine.com that researchers are more able to discover “the hallmark of a specific attack” following the release of code containing exploits affecting Cisco products. Companies have likely been observing the behavior of their network traffic, he said. He told SCMagazine.com that he suspects new vulnerabilities “could have been discovered” through an examination of network traffic in the wild. The "1-day" tactic used to be primarily an offensive tool, he said, referring to the process of reverse engineering a vulnerability from a manufacturer's patch. "1-days" are highly valuable, Ridley noted, especially concerning networking equipment and embedded devices, due to the difficulty of applying patches to embedded systems.
Code leaked on Github by the Shadow Brokers group this past weekend has unnerved security researchers, as some evidence emerges possibly linking the exploits to the National Security Agency (NSA). [...] One security professional told SCMagazine.com that the speed at which the discussion involving attribution of the exploits and the leaked code is moving is “astonishing.” The security industry “agreed that attribution is difficult, and then at one point, we forgot,” Senrio CEO Stephen Ridley told SCMagazine.com. He said the latest evidence is “definitely pretty strong attribution evidence,” but noted that the chronology is not “bullet-proof.”
Not long ago, we sat down with Portland startup founder Stephen Ridley, the founder of Senrio. Senrio is an entirely new approach to data security, a Software as a Service product that easily scales to protect all kinds of companies, from small businesses to major medical, critical infrastructure, and financial institutions.
For this edition of the Making Oregon podcast we bring you one interview divided into two episodes.
In the first half, we ask Stephen to tell us about his path from teenage hacker to working for the Department of Defense, Wall Street banks and social media companies. He’ll tell us how his love of research eventually led him to become an entrepreneur—two pursuits that require very different skill sets. He’ll describe Senrio, how it works, and what makes it different from other security applications. We’ll learn how it addresses the vulnerabilities found in embedded systems. And yes, we’ll explain how ubiquitous embedded systems are—and here’s a hint—they exist in your cell phone.
In our second episode, we backtrack for a couple of minutes and make sure everyone is on the same page in understanding how Senrio works. Then we dive into a discussion about best practices for protecting data, especially if you are a small business. Stephen will also talk about the vulnerabilities he and his developers find in consumer electronics and how Senrio can play a role in providing solutions. Plus, we’ll get his take on data privacy, metadata and what social media giants like Facebook are doing with the information users supply, whether they know it or not. Finally, we’ll ask whether data privacy really exists in today’s world and how Stephen balances his awareness of security issues with his own personal practices in daily life.
The webcam baby monitor, the computer chips in an elevator panel, the circuitry inside medical devices: Portland startup Senrio sees these as the next frontier in online security.
It takes only a single line of code to hijack over 400,000 vulnerable D-Link devices. The stack overflow issue gives attackers the opportunity to overwrite administrator passwords in home Wi-Fi cameras, placing users at risk of being spied upon. The remote execution flaw not only allows an attacker to set their own custom password to access devices but also to add new users with admin access to the interface, download malicious firmware or reconfigure products however they please.
Shodan has turned up half a million D-Link devices exposed to the internet and subject to easy hijacking using zero-day vulnerabilities. The stack overflow vulnerabilities affect more than 120 D-Link products, from Wi-Fi cameras to routers and modems, and allow remote attackers to completely hijack the administrator account of the devices to install backdoors and intercept traffic.
“The market needs a comprehensive answer to the IoT dilemma: A dramatic increase of deployed devices, high susceptibility to attacks due to inherent vulnerabilities and high value of the accessible assets. Today, there are few solutions to this challenge. However, Senrio offers a much-needed new approach,” said Christina Richmond, Program Director, Security Services, IDC.
“We typically associate the term ‘Internet of Things’ with the consumer world, smart toasters and WiFi fridges; however, a large part of our life depends on networked embedded devices that have been around for decades. Think of smart meters, medical devices, and connected industrial controllers used for elevators, traffic lights, and factories. Adoption is driven by business rationale but the security exposure is often overlooked. Based on my experience, there is not a single IoT device that cannot be compromised or misused by a determined attacker,” said Stephen Ridley, CEO of Senrio.