We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks. The first item in our series was an introduction to how devices keep time, and which best practices ensure the security of this process. In this segment, we focus on why network audits are an essential element of securing a network.
Computers and devices need to be kept updated and maintained throughout their lifecycle. Neglecting software updates and leaving default passwords in place make them easy targets for intruders who can disable, or take over, vulnerable machines.
We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks.
First up is an introduction to how devices keep time, and what best practices ensure the security of this process.
Devices are built with clocks that help them keep time, but those clocks do not remain accurate over long periods of time. Since timing of tasks can be crucial, manufacturers design devices to reach out to time servers, to update their internal clocks to the correct time.
“You’re giving us more things to look at. We’re already ignoring all but the most critical alerts. This is great information, but we can’t handle it.”
A disturbingly high percentage of the organizations we demonstrate our capabilities to respond with these or similar words. Defending your enterprise has been likened to trying to find a needle in a haystack. Apparently there is a worse situation: needing to find the worst needle in a stack of very bad needles.
When we talk about cybersecurity fundamentals, “knowing what you’re defending” is arguably the most important tenet. But sometimes it's not enough just to know a device is using your bandwidth; being able to mount an effective defense means knowing where a thing is physically. This is particularly true in environments that are not strictly speaking “office” environments: factories, hospitals, etc.
A common request from customers, particularly in the medical space, is “where are my devices?” It's not that PCs, tablets, or medical IoT devices are missing per se, but a physical check of devices often reveals that they appear to have grown legs and walked off down the hall.
The single software component that contained the camera's vulnerability was used by the manufacturer not only in the firmware of the one camera model that we exploited, but also throughout the manufacturer's product line, affecting more than just cameras. Furthermore, that same "design" (including the vulnerable component) was repeated by other manufacturers to make devices of all kinds (even desktop software), all potentially vulnerable to the same bug.
We found a vulnerability in millions of devices....
You’ve managed to get a handle on the connected devices in your environment: congratulations! Now that you know what you’re defending, you need to get a handle on the conversations those devices are having. Who are they talking to? Over what protocols? What is that protocol anyway?
There are connections you want the systems in your enterprise to make, and there are others you’d rather they not. Your ability to distinguish between good, bad, or merely unusual connections gets more difficult the larger and more complex your environment. This is particularly true in situations where the connected devices you’re responsible for protecting aren’t exclusively PCs.
Policy validation is not the easiest or most enjoyable part of anyone’s job. Once you’ve formed and enacted a policy, it’s important to make sure that every computer is and stays compliant. However, networks can be unwieldy, and people constantly make changes without alerting IT. Take the example of Windows updates. Let’s say you’ve set up a central server from which all Windows computers should update. How do you find the ones that don’t?
Let’s say you’ve just set up Senrio on your network, and you want to find all the non-compliant Windows computers. Senrio automatically applies the tag “Windows Update” every time a computer reaches out to the main Windows update server. This means you can simply search for the “Windows Update” tag in the explore view to discover all computers still using the external update server.
There is an old proverb (are there any other kinds?) that goes something along the lines of:
If you wait by the river long enough, you’ll see the bodies of your enemies float by.
The accuracy of the translation may be questionable, but the general idea that you’ll see all sorts of things if you stick around holds true. This is particularly true when it comes to the discussion on which cyber defense methodology should have primacy over the other: network-based defense or endpoint-based defense.
Update 10:21am PST 5Oct2018 (added quite a few links/references to articles mentioned).
Update 17:32am PST 5Oct2018 (added references to Eclypsium's work)
Cybersecurity 101: Know what you’re defending. Easier said than done in a lot of environments. Homogeneous environments should ostensibly make a sysadmin's work easier in this regard; you bought 1,000 PCs, you should be able to see 1,000 PCs in use. Heterogeneous environments, those that are more liberal with their bandwidth (BYOD), and those that don’t enforce strict policies (rogue IT), make the job more difficult.
Customers frequently ask us to help identify all the devices of a particular type or class in their environments. A small sample of the varied reasons:
Cyber threats don’t discriminate. The presence of a CPU - any type or size - is enough to make one a target. Yet, if you’ve been a security practitioner for any length of time, you have probably heard this phrase from a prospective customer more than once:
“We’re too small/unimportant to be a target.”
You know this is the point in the conversation where you smile politely, get up, and thank them for their time while they go back to their business, and you go on to your next meeting. Anyone who has it in their head that they don’t have at least one red laser dot on their forehead is not going to be convinced by your war stories, statistics, or reams of counter-examples.
Like so many important life lessons, this one will almost certainly be learned the hard way.
With the spread of the Internet of Things, and the increasing dangers associated with same, the likelihood that we’re going to be faced with a deluge of new “solutions” is high. It will not be long before someone comes out with an “IoT firewall” or “IoT IDS” because the projected IoT security spend is $1.5 Billion this year alone and, well, that money isn’t going to spend itself.
The problem is that you already spend a lot on IT security. At least that’s what the C-suite thinks. You take their money, you complain it's not enough, and then bad things still happen (requiring you to ask for more money). And now you’ve got to go asking for funds to secure the IoT in your enterprise? That’s not going to go over very well.
Knowing what you’re protecting is a core tenet of cybersecurity, not to mention a fundamental requirement of many IT standards bodies like NIST, COBIT, etc., which is why device identification is one of the three primary features of Senrio Insight. We accomplish this by extracting data about all connected devices based on their network traffic, and labeling or “tagging” each device accordingly in our UI.
Senrio uses two types of tags: system tags and user tags. System tags are automatically generated by Insight based on our massive IT/IoT device data store. If we’ve seen it before (and we probably have), we’ll automatically tag a device accordingly. In very short order you’ll know exactly how many systems in your enterprise are running Windows, Linux, OS X, iOS, Android, etc., which versions of those OSes are in use, and many other details about make, model, etc.
Know what you are protecting. It's a basic tenet of cybersecurity, and one that too many organizations struggle to achieve. It can be overwhelming to deal with the issues you know about, but what happens when your solution to the awareness problem isn’t any better informed than you are?
For those of you who were old enough to watch the news in the aftermath of the 9/11 attacks, you probably remember a seemingly nonsensical statement made by then-Secretary of Defense Donald Rumsfeld about intelligence relative to the issue of Iraq and weapons of mass destruction:
“...there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns; the ones we don’t know we don’t know.”
There was a time when the nature of your business is what made you a target for malicious actors. Banks, credit card companies, and so on were where the bad guys went because, to coin a phrase, that’s where the money was.
Today, the mere fact that you have computing resources of any type means you’re a target. Your perception that the size or nature of your business makes you an unattractive target for cyber criminals is just that: your perception, not how the bad guys think. That you don’t deal with money or billion-dollar trade secrets arguably makes you a better target, because you’re probably not paying attention to the risk the way a bank or a Fortune 500 company does. Today anyone with any computing resources is at risk. Why? Cryptocurrency mining.
Did you read about the Android mobile phones that had firmware vulnerabilities? Do you know how many iOS vulnerabilities there are? If you have a BYOD policy that lets employees access company networks and data with their phones, do you have any visibility into the make, model, OS, firmware, or data on other software that might be running on those handsets?
More importantly: do you have the authority to manage or patch all the vulnerable devices that employees use to connect to your network? Tell employees what handsets to buy? Tell Alice she can or Bob he can’t connect to the network at any given point in time?
That you’re shaking your head ruefully speaks volumes.
We talk a lot about what Senrio Insight can do, but while the installation of Insight might be push-button simple, there are practical matters that must be addressed when it comes to installing enterprise software. Those hoops are there for a good reason: you don’t want just anyone installing whatever they want without first having some understanding of the impact it might have on other systems.
However, if you’re running AWS, you can have the power of Senrio via the AWS Marketplace. Install and configure a Senrio Insight backend in a few minutes using a service you’re already familiar with and rely on; install a Senrio Insight software sensor in your network in just a few more. Know what your enterprise is really made of so that you can better manage and defend it.
What are the benefits of deploying Senrio via AWS marketplace?
To learn how to deploy Senrio via AWS Marketplace and understand the benefits Senrio Insight can provide, drop us a line and we’ll set up an appointment to explain how it all works.
Most cybersecurity conferences of any size have some training component to them, as well as a series of speakers who talk about a wide range of issues pertinent to the problems we all face. Cons are often the only chance some practitioners get to catch up on new information, or add new skills to their repertoire, because the rest of the year is, well, filled with work.
But arguably the biggest lesson we can learn at a Con is found on the vendor floor. The lesson might not be explicit, but the clues are there if you look close enough. The first clue is that for every security problem there is a security solution. Got a malware problem? Anti-virus companies to the rescue. Your people always falling for phishing schemes? There is a thing for that. Network lousy with the APTs? Step right this way. There isn't just one solution for each problem, there are dozens.
The other major clue you pick up on the vendor floor is that if the standard security solutions aren't enough for you, the “next generation” version is totally going to work. Why waste time with those other guys who are merely doing an ordinary job with plain vanilla algorithms, when you could be doing the job with blockchain-enabled, quantum-powered, artificial intelligence awesomeness? The problems are getting worse, so the solutions need to be amazing, right?
During conversations with CIOs, CISOs, and IT Managers, they often bring up an issue we as security practitioners don’t normally think about, and that’s maintenance. When we think of most commodity IT today, reliability is not really an issue, and when it is, replacement is much faster and cheaper than having a technician show up to troubleshoot a problem.
But that’s not necessarily the case when we’re talking about IoT devices. Many devices have some mechanical component to them: a pump, a solenoid, or a relay. Anything not purely solid-state is going to have a greater need for maintenance.
You have a pretty good idea of what your major personal possessions are. Your house, your car(s), your TV(s), your furniture.
You know what your wardrobe consists of, both the things you wear regularly, as well as your old uniform or letter jacket, and that Christmas sweater you wear as a courtesy to Aunt Mabel who spent all summer in ‘92 knitting it.
Contrast this with your situation at work, in which you know what you bought - servers, PCs, VOIP phones, printers - because you have invoices to prove it. What you don’t have is a comprehensive picture of what’s actually hanging off of your network. Why is that?
But look, you know what you’re responsible for and you’ve taken steps to protect those devices and the data they process. You’ve got endpoint protection, and a network monitoring solution, and all the usual mechanisms in place. Why worry?
According to media reports Amazon.com:
“has contemplated offering home insurance as an offshoot of its development work on robots and other connected devices for the home...The idea is that robots and other smart devices can be used to monitor for threats.”
This is great news in that it would get real, unfiltered, unbiased data, from a large data set, that can be used to build actuarial tables to help quantify risk with more granularity and accuracy than is possible today.
If you are a managed service provider, how do you grow?
There is always another company to sign up, but there are only so many potential customers. No, the real issue around growth is not clients, it's devices. Having said that, the footprint of commodity IT devices that will need protection is shrinking over time, while IoT devices are on track for hockey-stick-like growth.
Simple, Fast, Accurate IT & IoT Asset Identification
As security people we’ve always got an eye out for solutions that address very pressing, substantial, dare we say ‘sexy’ problems. But if we’re being honest, you get the greatest return on investment focusing on fundamentals - blocking and tackling - than you do fancy stuff that addresses edge cases. Not that you don’t need the latter, but absent the former you’re wasting time, energy, and money.
Case in point: IT Asset Management. Basically, keeping track of all the things. Easy, right? Well, there is what you bought (because procurement has the invoice to prove it), there is what you see (because some script or scan says so), there is what you don’t know (because Alice in Logistics has purchase authority up to $10,000 and sometimes she buys IT without telling you)...and so on. What you think you have and what you actually have can be two entirely different things. That’s a problem on several levels.
We all know by now that IoT is vulnerable, and after our survey of vulnerable remote configuration services last year, we began to pursue the actual repercussions of those vulnerabilities. After we published Devil’s Ivy and CVE-2017-9466 last summer, we decided to tackle the problem of “then what?” After an attacker compromises a camera or gains control of a router, what happens next? If a company’s valuable data is in a secure location, does it matter if an attacker compromises its Nest thermostat?
As previously noted, attacks that take over a network, device by device, have remained largely within the sphere of pundits and hypothetical discussions. So we have tended to think about lateral attacks as being solely within the realm of sophisticated attackers, but as we explored this project in more depth, we came to realize that this kind of attack requires very little technical knowledge.
While we are not aware of publicly available exploits for the vulnerabilities we discovered, products like Metasploit allow those with a basic knowledge of networking and the Linux command line to do some damage without writing a single line of code. After exploiting a first device, an attacker can use the additional access to take over the rest of the network, exploiting device after device.
Upcoming Trainings by our Team!
Practical Android Exploitation
Black Hat 2018
Las Vegas, NV
13-16 November 2018
Software Exploitation Via Hardware Exploitation
Black Hat 2018
Las Vegas, NV
6-9 November 2018