We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks. The first item in our series was an introduction to how devices keep time, and which best practices ensure the security of this process. In this segment, we focus on why network audits are an essential element of securing a network.
Computers and devices need to be kept updated and maintained throughout their lifecycle. Neglecting software updates and leaving default passwords in place make them easy targets for intruders who can disable, or take over, vulnerable machines.
There is an old proverb (are there any other kind?) that goes something along the lines of:
If you wait by the river long enough, you’ll see the bodies of your enemies float by.
The accuracy of the translation may be questionable, but the general idea that you’ll see all sorts of things if you stick around holds true. This is particularly true when it comes to the discussion on which cyber defense methodology should have primacy over the other: network-based defense or endpoint-based defense.
Cybersecurity 101: Know what you’re defending. Easier said than done in a lot of environments. Homogeneous environments should ostensibly make a sysadmin's work easier in this regard; you bought 1,000 PCs, you should be able to see 1,000 PCs in use. Heterogeneous environments, those that are more liberal with their bandwidth (BYOD), and those that don’t enforce strict policies (rogue IT), make the job more difficult.
Customers frequently ask us to help identify all the devices of a particular type or class in their environments. A small sample of the varied reasons:
Cyber threats don’t discriminate. The presence of a CPU - any type or size - is enough to make one a target. Yet, if you’ve been a security practitioner for any length of time, you have probably heard this phrase from a prospective customer more than once:
“We’re too small/unimportant to be a target.”
You know this is the point in the conversation where you smile politely, get up, and thank them for their time while they go back to their business, and you go on to your next meeting. Anyone who has it in their head that they don’t have at least one red laser dot on their forehead is not going to be convinced by your war stories, statistics, or reams of counter-examples.
Like so many important life lessons, this one will almost certainly be learned the hard way.
With the spread of the Internet of Things, and the increasing dangers associated with it, the likelihood that we’re going to be faced with a deluge of new “solutions” is high. It will not be long before someone comes out with an “IoT firewall” or “IoT IDS” because the projected IoT security spend is $1.5 billion this year alone and, well, that money isn’t going to spend itself.
The problem is that you already spend a lot on IT security. At least that’s what the C-suite thinks. You take their money, you complain it's not enough, and then bad things still happen (requiring you to ask for more money). And now you’ve got to go asking for funds to secure the IoT in your enterprise? That’s not going to go over very well.
Knowing what you’re protecting is a core tenet of cybersecurity, not to mention a fundamental requirement of many IT standards bodies like NIST, COBIT, etc., which is why device identification is one of the three primary features of Senrio Insight. We accomplish this by extracting data about all connected devices from their network traffic, and labeling or “tagging” each device accordingly in our UI.
Senrio uses two types of tags: system tags and user tags. System tags are automatically generated by Insight based on our massive IT/IoT device data store. If we’ve seen it before (and we probably have) we’ll automatically tag a device accordingly. In very short order you’ll know exactly how many systems in your enterprise are running Windows, Linux, OS X, iOS, Android, etc., which versions of those OSes are in use, and many other details about make, model, etc.
Know what you are protecting. It’s a basic tenet of cybersecurity, and one that too many organizations struggle to achieve. It can be overwhelming to deal with the issues you know about, but what happens when your solution to the awareness problem isn’t any better informed than you are?
For those of you who were old enough to watch the news in the aftermath of the 9/11 attacks, you probably remember a seemingly nonsensical statement made by then-Secretary of Defense Donald Rumsfeld about intelligence relative to the issue of Iraq and weapons of mass destruction:
“...there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns; the ones we don’t know we don’t know.”
There was a time when the nature of your business is what made you a target for malicious actors. Banks, credit card companies, and so on were where the bad guys went because, to coin a phrase, that’s where the money was.
Today, the mere fact that you have computing resources of any type means you’re a target. Your perception that the size or nature of your business makes you an unattractive target for cyber criminals is just that: your perception, not how the bad guys think. That you don’t deal with money or billion-dollar trade secrets arguably makes you a better target because you’re probably not paying attention to the risk the way a bank or a Fortune 500 company does. Today anyone with any computing resources is at risk. Why? Cryptocurrency mining.
Did you read about the Android mobile phones that had firmware vulnerabilities? Do you know how many iOS vulnerabilities there are? If you have a BYOD policy that lets employees access company networks and data with their phones, do you have any visibility into the make, model, OS, firmware, or other software that might be running on those handsets?
More importantly: do you have the authority to manage or patch all the vulnerable devices that employees use to connect to your network? Tell employees what handsets to buy? Tell Alice she can or Bob he can’t connect to the network at any given point in time?
That you’re shaking your head ruefully speaks volumes.
We talk a lot about what Senrio Insight can do, but while the installation of Insight might be push-button simple, there are practical matters that must be addressed when it comes to installing enterprise software. Those hoops are there for a good reason: you don’t want just anyone installing whatever they want without first having some understanding of the impact it might have on other systems.
However, if you’re running AWS, you can have the power of Senrio via the AWS Marketplace. Install and configure a Senrio Insight backend in a few minutes using a service you’re already familiar with and rely on; install a Senrio Insight software sensor in your network in just a few more. Know what your enterprise is really made of so that you can better manage and defend it.
What are the benefits of deploying Senrio via AWS Marketplace?
To learn how to deploy Senrio via AWS Marketplace and understand the benefits Senrio Insight can provide, drop us a line and we’ll set up an appointment to explain how it all works.
During conversations with CIOs, CISOs, and IT Managers, they often bring up an issue we as security practitioners don’t normally think about, and that’s maintenance. When we think of most commodity IT today, reliability is not really an issue, and when it is, replacement is much faster and cheaper than having a technician show up to troubleshoot a problem.
But that’s not necessarily the case when we’re talking about IoT devices. Many devices have some mechanical component to them: a pump, a solenoid, or a relay. Anything not purely solid-state is going to have a greater need for maintenance.
You have a pretty good idea of what your major personal possessions are. Your house, your car(s), your TV(s), your furniture.
You know what your wardrobe consists of, both the things you wear regularly, as well as your old uniform or letter jacket, and that Christmas sweater you wear as a courtesy to Aunt Mabel who spent all summer in ‘92 knitting it.
Contrast this with your situation at work, in which you know what you bought - servers, PCs, VOIP phones, printers - because you have invoices to prove it. What you don’t have is a comprehensive picture of what’s actually hanging off of your network. Why is that?
But look, you know what you’re responsible for and you’ve taken steps to protect those devices and the data they process. You’ve got endpoint protection, and a network monitoring solution, and all the usual mechanisms in place. Why worry?
According to media reports Amazon.com:
“has contemplated offering home insurance as an offshoot of its development work on robots and other connected devices for the home...The idea is that robots and other smart devices can be used to monitor for threats.”
This is great news in that it would yield real, unfiltered, unbiased data from a large data set, which could be used to build actuarial tables that quantify risk with more granularity and accuracy than is possible today.
If you are a managed service provider, how do you grow?
There is always another company to sign up, but there are only so many potential customers. No, the real issue around growth is not clients, it’s devices. And the footprint of commodity IT devices that will need protection is shrinking over time, while IoT devices are on track for hockey-stick-like growth.
Simple, Fast, Accurate IT & IoT Asset Identification
As security people we’ve always got an eye out for solutions that address very pressing, substantial, dare we say ‘sexy’ problems. But if we’re being honest, you get a greater return on investment from focusing on fundamentals - blocking and tackling - than from fancy stuff that addresses edge cases. Not that you don’t need the latter, but absent the former you’re wasting time, energy, and money.
Case in point: IT Asset Management. Basically, keeping track of all the things. Easy, right? Well, there is what you bought (because procurement has the invoice to prove it), there is what you see (because some script or scan says so), there is what you don’t know (because Alice in Logistics has purchase authority up to $10,000 and sometimes she buys IT without telling you)...and so on. What you think you have and what you actually have can be two entirely different things. That’s a problem on several levels.
We all know by now that IoT is vulnerable, and after our survey of vulnerable remote configuration services last year, we began to pursue the actual repercussions of those vulnerabilities. After we published Devil’s Ivy and CVE-2017-9466 last summer, we decided to tackle the problem of “then what?” After an attacker compromises a camera or gains control of a router, what happens next? If a company’s valuable data is in a secure location, does it matter if an attacker compromises its Nest thermostat?
As previously noted, attacks that take over a network, device by device, have remained largely within the sphere of pundits and hypothetical discussions. So we have tended to think about lateral attacks as being solely within the realm of sophisticated attackers, but as we explored this project in more depth, we came to realize that this kind of attack requires very little technical knowledge.
While we are not aware of publicly available exploits for the vulnerabilities we discovered, products like Metasploit allow those with a basic knowledge of networking and the Linux command line to do some damage without writing a single line of code. After exploiting a first device, an attacker can use the additional access to take over the rest of the network, exploiting device after device.
Does your team use Slack to collaborate? If so, we've released a thing that you might like ;-) A few days ago, we announced a new feature of our web interface that allows you to chat directly with Senrio support engineers.
But today, we are announcing that in addition to existing integrations with Splunk, RSA, SEIMs, all major firewalls, and familiar dashboards, now you can ask Senrio Insight questions about your network directly from Slack! Any question. Don't know what an asset is, and only have a piece of the story? Ask Senrio with the piece you have, and get back the whole story. It's like the asset "search engine" for your network.
Check out the video below to see what we mean.
Related: "Senrio Integrates with Slack!"
If you follow our blog here, you've periodically seen our "Product Release Notes" blogpost category, but instead of burying this latest update in a list of the other awesome features we've added, we wanted to share this one on its own...
You can now get support for Senrio live (in real-time) via the chat client. To date, only integration partners and OEM customers have been given dedicated chat channels to communicate, fileshare, and collaborate with our team, but now we can offer this to all Senrio users!
Watch below to see how a Senrio user gets support directly from the webui...
And of course, if you aren't a current Senrio customer and you want to try it out, drop us a line: http://iot.security/signup
The ingenuity and audacity of attackers should never be underestimated. In the summer of 2016, hackers used tweets to control malware. This past summer, after Twitter worked to eliminate this capability, hackers switched to posting Instagram comments to send commands to victim systems.
We decided to see if Senrio Insight could detect this “hiding in plain sight” tactic. Without proper context, it can be difficult to separate malicious traffic from ordinary operations. IoT devices may connect to the Internet, but they shouldn’t browse social media.
January 30th – Portland, OR – Senrio, Inc., provider of the leading IoT visibility and security solution has announced an interoperability with the RSA NetWitness® Suite to enable users to detect and respond to threats to IoT devices.
The RSA NetWitness and Senrio Insight interoperability helps ensure that critical data about the status and operation of both IoT devices as well as traditional endpoints and assets is sent to the RSA NetWitness Suite from the Senrio platform, which uses predictive analytics and expert input to determine normal behavior, and trigger alerts when abnormal behavior is detected.
Senrio Founder Stephen Ridley said, “IoT is a blind spot in most enterprises. Most aren’t sure what devices they have, much less if they’re compromised or otherwise pose a risk to people or operations. By integrating Senrio Insight data in the RSA NetWitness Suite, organizations will gain unprecedented visibility into the IoT devices in their enterprise and more effectively deal with safety or security concerns.”
This interoperability allows organizations to quickly identify all connected devices in their enterprise and build profiles of device behavior. This knowledge gives IT administration and security teams the ability to build trust with devices by understanding typical device behavior, and to rapidly respond when atypical patterns of behavior are detected by Senrio’s self-learning technology.
Senrio Insight was designed specifically for the challenges of an IoT-rich enterprise. Designed to be lightweight, it puts no burden on your network, does not impact data privacy, and is up and running in minutes.
Senrio is an IoT security company that was founded on the belief that, with the right mindset and proper tools, we can bridge the gap between legacy security approaches and the new reality of the IoT. Our mission is to provide the visibility and actionable insights essential to ensuring the security and safety of all connected devices. We envision a world where our trust in the IoT matches the benefits it brings to our lives. Senrio is a trusted partner of global technology companies and government agencies. To see Senrio Insight in action visit: http://iot.security/.
We've had quite a summer thus far. Here are seven quick updates:
(cue the Bananarama "Cruel Summer" instrumental)
1. We Released "Devil's Ivy"
2. Senrio Was the Exclusive Monitoring Tool of Defcon's IoT Hacking Village!
Be sure to check out our photo gallery of the IoT Hacking Village event!
Our release notes for Senrio Insight for the month of August 2017 include numerous new and powerful features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you.
This last week a debate flared up between security company Kryptowire and cell phone manufacturer BLU over the possible inclusion of spyware (ADUPS) in BLU phones. Kryptowire initially made their claim in November, then reiterated it last week with more detailed findings. At one point last week, Amazon halted sales of the BLU phones, then re-listed them after BLU issued a statement saying the ADUPS software was normal and wasn’t capturing any sensitive data.
We here at Senrio didn’t reverse engineer any of the firmware, so I can’t say for sure whether the ADUPS software is sending private information to its servers. But we wanted to show you how you can leverage Senrio Insight to determine whether any of the phones in question connected to your network, and whether they were communicating with one of the domains listed in the Kryptowire report.
You can ask Senrio questions, and it will give you answers. You can ask it: "Are there any jailbroken phones on my network?" and in seconds, you'll know!
Imagine for a moment you have a BYOD enterprise, where you allow your employees to bring any device into the office and use that device for corporate emails, texts, etc. How would you know if an employee had a BLU phone? Senrio Insight can help.
The first step is to see what Android devices you have on your network. With Senrio, this is easy. Senrio is a "Device Intelligence" platform that you can ask questions. You can ask it if there are any Android phones on your network, or even if there are any jailbroken phones on your network. For our case, we can simply log in and search for “Android” to view our identification and behavior tags and see all Android devices.
The Senrio tag system uses many heuristics and other techniques to identify devices, and as you can see we have several devices on the network that match our search term. But in this case, we are looking for a BLU phone, and we have a very easy way to track that down. We can search for the manufacturer “BLU”. It turns out we have one matching phone. The Senrio engine detected this automatically and tagged it accordingly; no user input was required.
Ok - so we do have a BLU phone on the network. I wonder if it’s making connections out to any of the domains in question. The Kryptowire report claims several domains are used for both C&C and data exfiltration. One of the first domains in question is adups.com. Let's see if we can find it.
The first thing we do is select the phone and look at the device details. One of the best features in the device details is the “Flow” view. This provides a net-flow like view of all the connections both inbound and outbound for the selected device.
While I could scroll through the list, it’s much easier to look at the “Summaries”, which provide an aggregated view of all the connections. I can pull that up and search for adups.com.
Yes, we have a match! That phone is connecting out to one of the domains listed by Kryptowire. Now, you might be a little worried that more devices on our network are affected. Let's see if we have any other phones connecting to that domain. Senrio Insight has a search capability that allows us to search all outbound connections. Let's enter that DNS name and see what we find.
PHEW! Thankfully, in our case this phone is the only one connecting to this host. And as you can see from the first line, a decent amount of data was exchanged during one of the initial connections. It appears that this application is programmed to connect out to the "adups" server every day at around 12:15 pm.
Senrio Insight makes it very easy to gain visibility into what’s on your network and what it’s doing. In just a few minutes’ time we can see the devices Senrio automatically identified as Android devices, and even pick out individual manufacturers. From there we can quickly search through traffic history and identify the network connections in question. With Senrio as our device intelligence platform, in seconds we have complete device visibility and awareness, which alleviates our anxieties.
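The two flow-summary checks described on this page, finding every device that talks to a named domain (and whether it does so on a daily schedule) and flagging IoT-tagged devices that reach social-media hosts, can be expressed over netflow-like records. The code below is an added example, not Senrio code or output: the device names, tags, hosts (other than adups.com) and timestamps are constructed, and the 24-hour tolerance is an assumed threshold.

```python
"""Flow-summary triage over constructed netflow-like records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    device: str         # device label (constructed)
    tags: frozenset     # identification tags, e.g. {"android", "blu"}
    dst_host: str       # destination DNS name
    start: datetime     # flow start time
    bytes_out: int
    bytes_in: int


# Constructed sample flows. Hosts ending in ".example" / "example.net" are placeholders.
FLOWS = [
    Flow("blu-handset-01", frozenset({"android", "blu"}), "adups.com",
         datetime(2017, 6, 5, 12, 14), 48_000, 2_100),
    Flow("blu-handset-01", frozenset({"android", "blu"}), "adups.com",
         datetime(2017, 6, 6, 12, 16), 900, 300),
    Flow("blu-handset-01", frozenset({"android", "blu"}), "adups.com",
         datetime(2017, 6, 7, 12, 15), 1_100, 280),
    Flow("pixel-02", frozenset({"android"}), "play.example.net",
         datetime(2017, 6, 5, 9, 0), 5_000, 90_000),
    Flow("lobby-camera", frozenset({"iot", "camera"}), "ntp.example",
         datetime(2017, 6, 5, 0, 0), 90, 90),
    Flow("lobby-camera", frozenset({"iot", "camera"}), "www.instagram.com",
         datetime(2017, 6, 5, 3, 41), 600, 14_000),
]

# Hosts an IoT device has no business browsing (assumed list).
SOCIAL_MEDIA = {"twitter.com", "instagram.com", "www.instagram.com"}


def devices_contacting(flows, host):
    """Every device with an outbound flow to `host`, with total bytes exchanged."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst_host == host:
            totals[f.device] += f.bytes_out + f.bytes_in
    return dict(totals)


def is_daily_beacon(flows, device, host, tolerance=timedelta(minutes=30)):
    """True when a device's flows to `host` recur about every 24 hours (needs >= 3 flows)."""
    times = sorted(f.start for f in flows if f.device == device and f.dst_host == host)
    if len(times) < 3:
        return False
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return all(abs(gap - timedelta(days=1)) <= tolerance for gap in gaps)


def iot_social_media(flows):
    """IoT-tagged devices reaching social-media hosts: the 'hiding in plain sight' C2 pattern."""
    return sorted({(f.device, f.dst_host) for f in flows
                   if "iot" in f.tags and f.dst_host in SOCIAL_MEDIA})


if __name__ == "__main__":
    print(devices_contacting(FLOWS, "adups.com"))          # {'blu-handset-01': 52680}
    print(is_daily_beacon(FLOWS, "blu-handset-01", "adups.com"))  # True
    print(iot_social_media(FLOWS))                         # [('lobby-camera', 'www.instagram.com')]
```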
So how can YOU answer questions about devices on your network? Is it this easy? If not, reach out to learn how we can help.
Our release notes for Senrio Insight for the month of July 2017 include numerous new and powerful features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you.
Senrio in the press!
IoT Hacking comic book!
Watch some of our IoT security research
Live On Twitch.tv
Upcoming Trainings by our Team!
Practical Android Exploitation
Black Hat 2018
Las Vegas, NV
13-16 November 2018
Software Exploitation Via Hardware Exploitation
Black Hat 2018
Las Vegas, NV
6-9 November 2018