Corporate defenses need to be stronger than ever these days, but 85% of security teams are understaffed. Three new statistics came out last week which present a clear picture of the state of cybersecurity: companies are under siege and do not have enough personnel to handle the ongoing work of patching vulnerabilities and securing their networks.
Industrial Control Systems (ICS) have a reputation for being more secure than consumer devices. Their use cases and price points are vastly different, so they should be more secure too, right?
We posted over two years ago about the trend we saw in Industrial Control System security. To explore this idea in more detail, take a look at the controllers below.
According to The Beatles, all you need is love. As this is Valentine’s Day, we’ll discuss love and endpoint protection: What they are, how they work, and whether they’re all you need.
This is part 6 of our Fundamentals of Device Security series. The last video looked at encryption's effectiveness.
What is Love?
Poets and philosophers have been working on the answer for centuries, so it’s a bit out of our depth, but we can define endpoint protection. These platforms combine a range of security functions into a single product usually consisting of antivirus, anti-spyware, a firewall, application control, and intrusion prevention. Some also provide patch and configuration management, which helps to prevent vulnerabilities before attack.
To set the scene: You found a stack buffer overflow, wrote your shellcode to an executable heap or stack, and used your overflow to direct the instruction pointer to the address of your shellcode. Yet your shellcode is inconsistent, crashes frequently, and core dumps show the processor jumped to an address halfway through your shellcode, seemingly without executing the first half. The symptoms haven’t helped diagnose the problem, they’ve left you more confused.
You’ve tried everything. Changing the size of the buffer, page aligning your code, even waiting extra cycles, but your code is still broken. When you turn on debug mode for the target process, or step through with a debugger, it works perfectly, but that isn’t good enough. Your code doesn’t self-modify, so you shouldn’t have to worry about cache coherency, right?
That’s what happened to us on MIPS when we exploited a TP-Link router. In order to save time, we added a series of NOPs from the beginning of the shellcode buffer to where the processor often “jumped,” and put the issue in the queue to explore later. We encountered a similar problem on ARM when we exploited Devil’s Ivy on an ARM chip. We circumvented the problem by not using self-modifying shellcode, and logged the issue so we could follow up later.
Since we finished exploring lateral attacks, the research team has taken some time to dig into the shellcoding oddities that puzzled us earlier, and we’d like to share what we've learned.
In our fundamentals of security series, we introduce common concepts in security. The last segment looked at DNS security. In this segment, we discuss encryption: What it is, how effective it is, and how to use it.
Encryption is essential, and can be extremely effective, but it’s important to make sure it is used correctly. There are misconceptions with encryption that even experts get wrong sometimes.
In our device security series, we introduce common concepts in security. The last item in our series was a look at the effectiveness of firewalls. In this segment, we discuss DNS: What it is, how secure it is, and what you can do to protect yourself.
DNS is the subject of over a dozen known, common, attacks. Many are straightforward and easy to carry out. Others require prior access to a server or machine. Some prevent a DNS server from doing its job, others use DNS servers to attack specific machines.
What can you do to protect yourself?
It depends on the attack, but there are a number of precautionary steps you can take that will help you avoid problems.
We wrote last month about the continuing impact of NotPetya, long after its initial impact, due to insurance companies refusing to pay for damages.
Today we learned of a new development, after Mondelez filed a lawsuit against Zurich Insurance for $100 million because it rejected their claim.
The result of this lawsuit will affect not just Mondelez and Zurich Insurance, but all the companies NotPetya hit and their insurers.
According to Wired's article on NotPetya's devastating impact, NotPetya cost Maersk, a major shipping company, $300 million and shut down the majority of their shipping operation. It cost Merck, a pharmaceutical company, $870 million.
The total cost was initially estimated at $10 billion. The questions now are who will pay and how high the total will go.
In our security series, we introduce common concepts in device security. The last item in our series was an introduction to SSH. In this segment, we discuss firewall security, setup, and maintenance.
Firewalls are a critical component of keeping machines and networks safe. You’ll find them on everything from your laptop to your router. They require maintenance, like any software program, and unfortunately there are problems that interfere with their ability to keep attackers safe.
Last summer, Wired reported the devastating impact NotPetya had on companies around the world. It infected companies like Merck and shipping giant Maersk, spreading from computer to computer until even IT was helpless to respond. PCs weren't NotPetya’s only victims, because machines like ATMs and Point of Sale systems still run on Windows, some on versions as old as Windows 2000. According to a Wired's reporting, the cost of NotPetya’s initial impact was $10 billion.
NotPetya’s impact continues to grow, with reports that insurance companies are refusing payouts, because it was due to “warlike action.” This will increase the cost that already eclipses that of infections like WannaCry.
What this shows is that we all have a lot to learn about securing our networks. The first, and most critical step, is knowing what's on your network. In the case of defending yourself against NotPetya, not just the Windows PCs, but also all the machines and devices that run on Windows, and all the devices whose operation depends on communication with Windows PCs.
Until we are all aware of the technology we depend on and the risks associated with those assets, we will continue to see stories like NotPetya unfold long after their initial impact.
We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks. The previous item in our series was an introduction to why asset management is important for securing networks. In this segment, we introduce SSH and remote servers.
SSH is a protocol that allows two machines to communicate securely. A client connects into a server, in a similar way to how your browser connected to a server to receive this content before displaying it on your screen. SSH secures traffic by encrypting it. Other protocols, like Telnet and HTTP, do not. As you likely know, HTTPS does, which is why it is preferred over HTTP.
SSH isn’t perfect though, and it depends on users to keep its servers secure.
We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks. The first item in our series was an introduction to how devices keep time, and which best practices ensure the security of this process. In this segment, we focus on why network audits are an essential element of securing a network.
Computers and devices need to be kept updated and maintained throughout their lifecycle. Neglecting software updates and leaving default passwords in place make them easy targets for intruders who can disable, or take over, vulnerable machines.
We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks.
First up is an introduction to how devices keep time, and what best practices ensure the security of this process.
Devices are built with clocks that help them keep time, but those clocks do not remain accurate over long periods of time. Since timing of tasks can be crucial, manufacturers design devices to reach out to time servers, to update their internal clocks to the correct time.
“You’re giving us more things to look at. We’re already ignoring all but the most critical alerts. This is great information, but we can’t handle it.”
A disturbingly high percentage of organizations we demonstrate our capabilities to respond using these or similar words. Defending your enterprise has been likened to trying to find a needle in a haystack. Apparently there is a worse situation: needing to find the worst needle in a stack of very bad needles.
When we talk about cybersecurity fundamentals, “knowing what you’re defending” is arguably the most important tenet. But sometimes it's not enough just to know a device is using your bandwidth; being able to mount an effective defense means knowing where a thing is physically. This is particularly true in environments that are not strictly speaking “office” environments: factories, hospitals, etc.
A common request from customers, particularly in the medical space, is “where are my devices?” It's not that PCs, tablets, or medical IoT devices are missing per se, but a physical check of devices often reveals that they appear to have grown legs and walked off down the hall.
Updated 16Feb2019 to include links to Bunnie Huang's & Trammell Hudson's talks
The single software component that contained the vulnerability of the camera, was used by the manufacturer not only in the firmware of the one camera model that we exploited, but also throughout the manufacturer's product line affecting more than just cameras. Furthermore, that same "design" (including the vulnerable component) was repeated by other manufacturers to make devices of all kinds (even desktop software)...all potentially vulnerable to the same bug.
We found a vulnerability in millions of devices....
You’ve managed to get a handle on the connected devices in your environment: congratulations! Now that you know what you’re defending, you need to get a handle on the conversations those devices are having. Who are they talking to? Over what protocols? What is that protocol anyway?
There are connections you want the systems in your enterprise to make, and there are others you’d rather they not. Your ability to distinguish between good, bad, or merely unusual connections gets more difficult the larger and more complex your environment. This is particularly true in situations where the connected devices you’re responsible for protecting aren’t exclusively PCs.
Policy validation is not the easiest or most enjoyable part of anyone’s job. Once you’ve formed and enacted a policy, it’s important to make sure that every computer is and stays compliant. However, networks can be unwieldy and people make changes without alerting IT constantly. Take the example of Windows updates. Let’s say you’ve set up a central server from which all Windows computers should update. How do you find the ones that don’t?
Let’s say you’ve just set up Senrio on your network, and you want to find all the non-compliant Windows computers. Senrio automatically applies the tag “Windows Update” every time a computer reaches out to the main Windows update server. This means you can simply search for the “Windows Update” tag in the explore view to discover all computers still using the external update server.
There is an old proverb (are there any other kind?) that goes something along the lines of:
If you wait by the river long enough, you’ll see the bodies of your enemies float by.
The accuracy of the translation may be questionable, but the general idea that you’ll see all sorts of things if you stick around holds true. This is particularly true when it comes to the discussion on which cyber defense methodology should have primacy over the other: network-based defense or endpoint-based defense.
Update 10:21am PST 5Oct2018 (added quite a few links/references to articles mentioned).
Update 17:32am PST 5Oct2018 (added references to Eclypsium's work)
Cybersecurity 101: Know what you’re defending. Easier said than done in a lot of environments. Homogeneous environments should ostensibly make a sysadmin's work easier in this regard; you bought 1,000 PCs, you should be able to see 1,000 PCs in use. Heterogeneous environments, those that are more liberal with their bandwidth (BYOD), and those that don’t enforce strict policies (rogue IT), make the job more difficult.
Customers frequently ask us to help identify all the devices of a particular type or class in their environments. A small sample of the varied reasons:
Cyber threats don’t discriminate. The presence of a CPU - any type or size - is enough to make one a target. Yet, if you’ve been a security practitioner for any length of time, you have probably heard this phrase from a prospective customer more than once:
“We’re too small/unimportant to be a target.”
You know this is the point in the conversation where you smile politely, get up, and thank them for their time while they go back to their business, and you go on to your next meeting. Anyone who has it in their head that they don’t have at least one red laser dot on their forehead is not going to be convinced by your war stories, statistics, or reams of counter-examples.
Like so many important life lessons, they will almost certainly learn the hard way.
With the spread of the Internet of Things, and the increasing dangers associated with same, the likelihood that we’re going to be faced with a deluge of new “solutions” is high. It will not be long before someone comes out with an “IoT firewall” or “IoT IDS” because the projected IoT security spend is $1.5 Billion this year alone and, well, that money isn’t going to spend itself.
The problem is that you already spend a lot on IT security. At least that’s what the C-suite thinks. You take their money, you complain it's not enough, and then bad things still happen (requiring you to ask for more money). And now you’ve got to go asking for funds to secure the IoT in your enterprise? That’s not going to go over very well.
Knowing what you’re protecting is a core tenet of cybersecurity, not to mention a fundamental requirement for many IT standard’s bodies like NIST, COBIT, etc., which is why device identification is one of the three primary features of Senrio Insight. We accomplish this by extracting data about all connected devices based on their network traffic, and labeling or “tagging” each device accordingly in our UI.
Senrio uses two types of tags: system tags, and user tags. System tags are automatically generated by Insight based on our massive IT/IoT device data store. If we’ve seen it before (and we probably have) we’ll automatically tag a device accordingly. In very short order you’ll know exactly how many systems in your enterprise are running Windows, Linux, OS X, iOS, Android, etc. Which version of those OSes are in use, and many other details about make, model, etc.
Know what you are protecting. Its a basic tenet of cybersecurity, and one that too many organizations struggle to achieve. It can be overwhelming to deal with the issues you know about, but what happens when your solution to the awareness problem isn’t any better informed than you are?
For those of you were old enough to watch the news in the aftermath of the 9/11 attacks, you probably remember a seemingly nonsensical statement made by then-Secretary of Defense Donald Rumsfeld about intelligence relative to the issue of Iraq and weapons of mass destruction:
“...there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some thing we do not know. But there are also unknown unknowns; the ones we don’t know we don’t know.”
There was a time when the nature of your business is what made you a target for malicious actors. Banks, credit card companies, and so on were where the bad guys went because, to coin a phrase, that’s where the money was.
Today, the mere fact that you have computing resources of any type means you’re a target. Your perception that the size or nature of your business makes you an unattractive target for cyber criminals is just that: your perception, not how the bad guys think. That you don’t deal with money or billion-dollar trade secrets arguably makes you a better target because you’re probably not paying attention to the risk like banks or a fortune 500 company. Today anyone with any computing resources is at risk. Why? Cryptocurrency mining.
Senrio in the press!
IoT Hacking comic book!
Watch some our IoT security research
Live On Twitch.tv
Upcoming Trainings by our Team!
Practical Android Exploitation
Black Hat 2018
Las Vegas, NV
13-16 November 2018
Software Exploitation Via Hardware Exploitation
Black Hat 2018
Las Vegas, NV
6-9 November 2018