In our fundamentals of security series, we introduce common concepts in security. The last segment looked at DNS security. In this segment, we discuss encryption: What it is, how effective it is, and how to use it.
Encryption is essential, and can be extremely effective, but it’s important to make sure it is used correctly. There are misconceptions about encryption that even experts fall for sometimes.
In our security series, we introduce common concepts in device security. The last item in our series was an introduction to SSH. In this segment, we discuss firewall security, setup, and maintenance.
Firewalls are a critical component of keeping machines and networks safe. You’ll find them on everything from your laptop to your router. They require maintenance, like any software program, and unfortunately there are problems that interfere with their ability to keep attackers out.
Last summer, Wired reported the devastating impact NotPetya had on companies around the world. It infected companies like Merck and shipping giant Maersk, spreading from computer to computer until even IT was helpless to respond. PCs weren't NotPetya’s only victims, because machines like ATMs and Point of Sale systems still run on Windows, some on versions as old as Windows 2000. According to Wired's reporting, the cost of NotPetya’s initial impact was $10 billion.
NotPetya’s impact continues to grow, with reports that insurance companies are refusing payouts, because it was due to “warlike action.” This will increase the cost that already eclipses that of infections like WannaCry.
What this shows is that we all have a lot to learn about securing our networks. The first, and most critical, step is knowing what's on your network. In the case of defending yourself against NotPetya, that means not just the Windows PCs, but also all the machines and devices that run on Windows, and all the devices whose operation depends on communication with Windows PCs.
Until we are all aware of the technology we depend on and the risks associated with those assets, we will continue to see stories like NotPetya unfold long after their initial impact.
We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks. The first item in our series was an introduction to how devices keep time, and which best practices ensure the security of this process. In this segment, we focus on why network audits are an essential element of securing a network.
Computers and devices need to be kept updated and maintained throughout their lifecycle. Neglecting software updates and leaving default passwords in place make them easy targets for intruders who can disable, or take over, vulnerable machines.
We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks.
First up is an introduction to how devices keep time, and what best practices ensure the security of this process.
Devices are built with clocks that help them keep time, but those clocks do not remain accurate over long periods of time. Since timing of tasks can be crucial, manufacturers design devices to reach out to time servers, to update their internal clocks to the correct time.
Policy validation is not the easiest or most enjoyable part of anyone’s job. Once you’ve formed and enacted a policy, it’s important to make sure that every computer is and stays compliant. However, networks can be unwieldy, and people constantly make changes without alerting IT. Take the example of Windows updates. Let’s say you’ve set up a central server from which all Windows computers should update. How do you find the ones that don’t?
Let’s say you’ve just set up Senrio on your network, and you want to find all the non-compliant Windows computers. Senrio automatically applies the tag “Windows Update” every time a computer reaches out to the main Windows update server. This means you can simply search for the “Windows Update” tag in the explore view to discover all computers still using the external update server.
There is an old proverb (is there any other kind?) that goes something along the lines of:
If you wait by the river long enough, you’ll see the bodies of your enemies float by.
The accuracy of the translation may be questionable, but the general idea that you’ll see all sorts of things if you stick around holds true. This is particularly true when it comes to the discussion on which cyber defense methodology should have primacy over the other: network-based defense or endpoint-based defense.
Update 10:21am PST 5Oct2018 (added quite a few links/references to articles mentioned).
Update 17:32am PST 5Oct2018 (added references to Eclypsium's work)
Cyber threats don’t discriminate. The presence of a CPU - any type or size - is enough to make one a target. Yet, if you’ve been a security practitioner for any length of time, you have probably heard this phrase from a prospective customer more than once:
“We’re too small/unimportant to be a target.”
You know this is the point in the conversation where you smile politely, get up, and thank them for their time while they go back to their business, and you go on to your next meeting. Anyone who has it in their head that they don’t have at least one red laser dot on their forehead is not going to be convinced by your war stories, statistics, or reams of counter-examples.
Like so many important life lessons, they will almost certainly learn the hard way.
With the spread of the Internet of Things, and the increasing dangers associated with same, the likelihood that we’re going to be faced with a deluge of new “solutions” is high. It will not be long before someone comes out with an “IoT firewall” or “IoT IDS” because the projected IoT security spend is $1.5 Billion this year alone and, well, that money isn’t going to spend itself.
The problem is that you already spend a lot on IT security. At least that’s what the C-suite thinks. You take their money, you complain it's not enough, and then bad things still happen (requiring you to ask for more money). And now you’ve got to go asking for funds to secure the IoT in your enterprise? That’s not going to go over very well.
Know what you are protecting. It's a basic tenet of cybersecurity, and one that too many organizations struggle to achieve. It can be overwhelming to deal with the issues you know about, but what happens when your solution to the awareness problem isn’t any better informed than you are?
For those of you who were old enough to watch the news in the aftermath of the 9/11 attacks, you probably remember a seemingly nonsensical statement made by then-Secretary of Defense Donald Rumsfeld about intelligence relative to the issue of Iraq and weapons of mass destruction:
“...there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns; the ones we don’t know we don’t know.”
There was a time when the nature of your business was what made you a target for malicious actors. Banks, credit card companies, and so on were where the bad guys went because, to coin a phrase, that’s where the money was.
Today, the mere fact that you have computing resources of any type means you’re a target. Your perception that the size or nature of your business makes you an unattractive target for cyber criminals is just that: your perception, not how the bad guys think. That you don’t deal with money or billion-dollar trade secrets arguably makes you a better target, because you’re probably not paying attention to the risk the way a bank or a Fortune 500 company does. Today anyone with any computing resources is at risk. Why? Cryptocurrency mining.
Did you read about the Android mobile phones that had firmware vulnerabilities? Do you know how many iOS vulnerabilities there are? If you have a BYOD policy that lets employees access company networks and data with their phones, do you have any visibility into the make, model, OS, firmware, or other software that might be running on those handsets?
More importantly: do you have the authority to manage or patch all the vulnerable devices that employees use to connect to your network? Tell employees what handsets to buy? Tell Alice she can or Bob he can’t connect to the network at any given point in time?
That you’re shaking your head ruefully speaks volumes.
Most cybersecurity conferences of any size have some training component to them, as well as a series of speakers who talk about a wide range of issues pertinent to the problems we all face. Cons are often the only chance some practitioners get to catch up on new information, or add new skills to their repertoire, because the rest of the year is, well, filled with work.
But arguably the biggest lesson we can learn at a Con is found on the vendor floor. The lesson might not be explicit, but the clues are there if you look close enough. The first clue is that for every security problem there is a security solution. Got a malware problem? Anti-virus companies to the rescue. Your people always falling for phishing schemes? There is a thing for that. Network lousy with the APTs? Step right this way. There isn't just one solution for each problem, there are dozens.
The other major clue you pick up on the vendor floor is that if the standard security solutions aren't enough for you, the “next generation” version is totally going to work. Why waste time with those other guys who are merely doing an ordinary job with plain vanilla algorithms, when you could be doing the job with blockchain-enabled, quantum-powered, artificial intelligence awesomeness? The problems are getting worse, so the solutions need to be amazing, right?
You have a pretty good idea of what your major personal possessions are. Your house, your car(s), your TV(s), your furniture.
You know what your wardrobe consists of, both the things you wear regularly, as well as your old uniform or letter jacket, and that Christmas sweater you wear as a courtesy to Aunt Mabel who spent all summer in ‘92 knitting it.
Contrast this with your situation at work, in which you know what you bought - servers, PCs, VOIP phones, printers - because you have invoices to prove it. What you don’t have is a comprehensive picture of what’s actually hanging off of your network. Why is that?
But look, you know what you’re responsible for and you’ve taken steps to protect those devices and the data they process. You’ve got endpoint protection, and a network monitoring solution, and all the usual mechanisms in place. Why worry?
According to media reports, Amazon.com:
“has contemplated offering home insurance as an offshoot of its development work on robots and other connected devices for the home...The idea is that robots and other smart devices can be used to monitor for threats.”
This is great news in that it would get real, unfiltered, unbiased data, from a large data set, that can be used to build actuarial tables to help quantify risk with more granularity and accuracy than is possible today.
If you are a managed service provider, how do you grow?
There is always another company to sign up, but there are only so many potential customers. No, the real issue around growth is not clients, it's devices. Having said that, the footprint of commodity IT devices that will need protection is shrinking over time, while IoT devices are on track for hockey-stick-like growth.
At the annual RSA conference this year, on April 19th, our CTO, Stephen Ridley, and our VP of Research, M Carlton, will take the stage to demonstrate the first ever purely IoT-based lateral attack. We intend to show how it’s possible to daisy chain several compromised IoT devices together -- without touching a traditional computer -- to ultimately get to a company’s “crown jewels”. (Click here to read Wired's coverage of this attack)
Lateral attacks between different types of IoT devices have been referenced but never before publicly demonstrated. Worms that spread from PLC (programmable logic controller) to PLC are a threat to manufacturing, and botnets that spread from camera to camera have had a huge impact in the last few years. However, attacks that take over a network device by device have remained largely within the sphere of pundits and hypothetical discussions.
Lateral attacks are known to take place in traditional IT environments, which include employee workstations, networks, servers, etc., and are typically well secured. In these attacks computers and networks are compromised, which then allows a hacker to gain access elsewhere, like a server. Unlike those attacks, we hop from IoT device to IoT device -- no workstations touched -- to gain access to a Network Attached Storage (NAS) device (yet more IoT) that contains sensitive information.
Our research is an integral part of Senrio culture that informs our approach to addressing IoT security problems. Demonstrating the ability to hopscotch across IoT devices without touching an IT end-point helps us illustrate the very real and persistent risks associated with IoT devices that are in use in a wide range of industries and enterprises today.
The preceding decades of hype about all the horrible things that could happen if computers became too ingrained in our lives and were attacked or went haywire is finally, if regrettably, coming to fruition. These are not abstract problems, or readily recoverable ones like the loss of banking credentials or personal information: they are becoming matters of life and death.
This summer we released our findings on a vulnerability we called Devil’s Ivy: a flaw in the gSOAP library that was found while researching a surveillance camera, but whose impact extended far beyond any one device, or any one platform.
This week IoT security company Armis revealed BlueBorne: a set of eight vulnerabilities found in the Bluetooth stacks used by a variety of OS vendors. The vulnerabilities impact several billion devices across the Windows, Linux, iOS and Android platforms. Along with a variety of commodity IT devices, any IoT or “smart” devices running any of these OSes are vulnerable.
In both cases the flaws impact both IoT and commodity or ‘ordinary’ computer technology. This doesn’t apply in all cases, but as more research is done, it is highly likely that we’re going to hear more about how the line between problems in IoT and just plain IT is a lot fainter than previously thought.
Upcoming Trainings by our Team!
Practical Android Exploitation
Black Hat 2018
Las Vegas, NV
13-16 November 2018
Software Exploitation Via Hardware Exploitation
Black Hat 2018
Las Vegas, NV
6-9 November 2018