Category: Policy

An Easier Way To Validate Policies

10/10/2018

Policy validation is not the easiest or most enjoyable part of anyone’s job. Once you’ve formed and enacted a policy, it’s important to make sure that every computer is and stays compliant. However, networks can be unwieldy and people make changes without alerting IT constantly. Take the example of Windows updates. Let’s say you’ve set up a central server from which all Windows computers should update. How do you find the ones that don’t?

Let’s say you’ve just set up Senrio on your network, and you want to find all the non-compliant Windows computers. Senrio automatically applies the tag “Windows Update” every time a computer reaches out to the main Windows update server. This means you can simply search for the “Windows Update” tag in the explore view to discover all computers still using the external update server.

Tag: You're It! The Power of Device Identification

9/13/2018

Knowing what you’re protecting is a core tenet of cybersecurity, not to mention a fundamental requirement for many IT standard’s bodies like NIST, COBIT, etc., which is why device identification is one of the three primary features of Senrio Insight. We accomplish this by extracting data about all connected devices based on their network traffic, and labeling or “tagging” each device accordingly in our UI.

Senrio uses two types of tags: system tags, and user tags. System tags are automatically generated by Insight based on our massive IT/IoT device data store. If we’ve seen it before (and we probably have) we’ll automatically tag a device accordingly. In very short order you’ll know exactly how many systems in your enterprise are running Windows, Linux, OS X, iOS, Android, etc. Which version of those OSes are in use, and many other details about make, model, etc.

Unknown Unknowns

9/11/2018

Know what you are protecting. Its a basic tenet of cybersecurity, and one that too many organizations struggle to achieve. It can be overwhelming to deal with the issues you know about, but what happens when your solution to the awareness problem isn’t any better informed than you are?

For those of you were old enough to watch the news in the aftermath of the 9/11 attacks, you probably remember a seemingly nonsensical statement made by then-Secretary of Defense Donald Rumsfeld about intelligence relative to the issue of Iraq and weapons of mass destruction:

“...there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some thing we do not know. But there are also unknown unknowns; the ones we don’t know we don’t know.”

You Can't Control Vulnerabilities, But You Can Control Devices

8/29/2018

Did you read about the Android mobile phones that had firmware vulnerabilities? Do you know how many iOS vulnerabilities there are? If you have a BYOD policy that let’s employees access company networks and data with their phones, do you have any visibility into the make, model, OS, firmware, or data on other software that might be running on those handsets?

More importantly: do you have the authority to manage or patch all the vulnerable devices that employees use to connect to your network? Tell employees what handsets to buy? Tell Alice she can or Bob he can’t connect to the network at any given point in time?

That you’re shaking your head ruefully speaks volumes.

Make Attackers Eat the Whole Onion

8/15/2017

Picture© User:Colin / Wikimedia Commons / CC BY-SA 3.0

Since we issued our last set of security recommendations for IoT device makers, we went back into the lab and generated a few more we’d like to share with you. We understand that vendors are primarily focused on creating functional devices, but making a device more secure does not need to take that much effort, and the benefits can be dramatic. Every layer of security puts one more roadblock between an attacker and exploiting a device. These recommendations don’t consist of the most heavy duty defenses, but they are five ways to slow down attackers.

The Good, The Bad, and The Ugly of IoT Security Legislation

8/4/2017

The Internet of Things Cybersecurity Improvement Act of 2017 was introduced in Congress this week. Like all “cyber” legislation of the past few decades it means well. Unlike many bills that have come before it, it actually has a number of good, practical ideas. Will it actually improve IoT security? We’ll get to that in a minute.

For the sake of brevity, we’re going to summarize key elements of the bill, which deals with government contracts that involve the procurement and use of “Internet-Connected Devices” (henceforth “IoT”):

Contractors are required to certify that the IoT devices they provide to the government do not contain any known vulnerabilities per the NIST National Vulnerabilities Database or other, similar database as may be directed.
The software or firmware on IoT devices must be “capable of accepting properly authenticated and trusted updates from the vendor.”
Devices must use only “non-depreciated industry-standard protocols and technologies” for functions such as; communications, encryption, and interconnection with other devices.
Contractors would be required to notify the government when they become aware of any new vulnerabilities that are disclosed by a security researcher.
IoT devices are required to be able to be update or replace firmware or software.
Repairs to vulnerable systems need to done in a “timely manner.”
Contractors are required to inform the gov’t when devices or services that are used by devices become obsolete.
Waivers can be requested for devices with vulnerabilities or weaker security, if there are any number of mitigations in place that would limit the impact of exploitation, if not preclude it altogether.
It carves out an exception to existing cyber crime laws that protects researchers who are acting in good faith.
The Act also creates a new IoT vulnerabilities database.

Beware the Next Wave of Cyber Threats: IoT Ransomware

7/10/2017

Ransomware has become one of the most serious cyber threats plaguing organizations. Today, all of us - from home users to corporations and government organizations - are trying to protect ourselves from encryption viruses. But we are ignoring the beginning of the next wave of ransomware attacks - aimed at encrypting IoT devices. These attacks can be much more dangerous given the omnipresent and extremely diverse nature of the Internet of Things. (Information Management)

One of the rare cases where blending buzzwords makes for an actually more dangerous situation. In this case the danger is not in losing data, but in losing control of devices that are essential for critical infrastructure to operate safely. This is a problem that only gets worse as IoT becomes pervasive, particularly on a personal level (e.g. implantables). Not every individual victim of ransomware is willing to pony up bitcoin; basically everyone will demand power companies and water utilities pay up should they become victims. Installing protections in firmware that detect and prevent abnormal behavior is one way to reduce the likelihood of someone holding a utility for ransom. Ensuring that device operators know when to implement security and safety protocols (awareness and insight) is another.

Getting Smarter About Smart Device Security

6/28/2017

The adoption of smart power meters in the UK faces a hurdle:

"Concerns over cybersecurity are undermining the nationwide introduction of smart meters, with more than one in five people saying they do not want one. Almost six million homes would reject the devices despite government promises that they would cut energy bills. More than half of those who oppose smart meters said that their principal concern was data protection."

A perfectly legitimate concern, given recent events and revelations about what metadata can reveal. Spikes in consumption on certain days or times could not only be used to help regulate supply, but suggest when you’re home, away, or have guests over. Over time this sort of information helps establish a pattern of life, which is useful to multiple entities in myriad ways. Knowing when people are away from home could be useful for the police in crime prevention efforts; or data could be sold to advertisers who would push you ads for home security systems if you’re away a lot, or sales at the grocery store if you host a lot of guests.

While it is refreshing to see the general populace expressing concerns about the security of such devices, it does beg the question: do these same people have any idea how prevalent such devices have been in their lives? In a domestic context they are smart devices, but in a factory they’re industrial control and in a power plant, SCADA. This Internet of Things has become a buzz-phrase, but the fact of the matter is that network enabled devices have been a part of our lives years before we started giving them clever names.

Medical Device Integrity

6/5/2017

Medical device security has largely been concerned with attacks that might compromise device safety and effectiveness. An additionally important but under-appreciated issue is device integrity. In situations where devices are expected to provide objective testimony, the integrity of the device and the data it generates is paramount.

You probably don’t know Ross Compton, but last fall the 59-year-old claimed that when he noticed his house was on fire, he hurriedly packed some personal belongings, broke a window with his cane, and rushed out of the house. Police, suspicious of his claims, got a warrant for Compton’s pacemaker data. The data showed that he had not been in a state of activity he described at the time of the fire. That data, plus physical evidence collected by fire investigators, was more than enough to charge Compton with arson and insurance fraud.

Cases like this bring to light the importance of issues related to integrity verification. The value of device logs as an objective record of facts only exists if we can be assured that the ability to generate records, and the records themselves, have not been compromised.

Overview

Medical devices like pacemakers and drug infusion pumps keep detailed logs of all activity. Due to these logs value in monitoring patient care, device operation, and incident investigation, there is a risk of data modification attacks through physical or remote access.

Consider a generic infusion pump that primarily dispenses pain medication and writes logs to battery-backed RAM. These logs record the dose of drugs as requested and delivered, any program changes, and when infusion starts and stops. If a patient suffered a medical emergency that could be linked to the pump, or anything went awry, investigators would depend on the device logs to tell them the story. But what if those logs didn’t have the whole story, or an accurate one?

5 Tips for Better IoT and Firmware Security

9/5/2016

In this new world of "Internet of Things" and billions of networked embedded devices, it is crucial for device manufacturers to bake security into their new designs before they leave the factory. Here are five tips from a team of security researchers who make a living reverse engineering (hacking) into IoT devices on behalf of industry clients.

1) Disable Unused Debug Interfaces
Turn off JTAG if you don't need it. Disable consoles or password protect them. If devices get taken by an attacker they will use these interfaces to reverse engineer the device/firmware and weaponize remote exploits against your targets.

An Easier Way To Validate Policies

Tag: You're It! The Power of Device Identification

Unknown Unknowns

You Can't Control Vulnerabilities, But You Can Control Devices

Make Attackers Eat the Whole Onion

The Good, The Bad, and The Ugly of IoT Security Legislation

Beware the Next Wave of Cyber Threats: IoT Ransomware

Getting Smarter About Smart Device Security

Medical Device Integrity

5 Tips for Better IoT and Firmware Security

Popular Posts:

Recent Posts:

IoT Hacking comic book!

Watch!

Upcoming Trainings by our Team!

Blog Subjects