Tuesday, January 24, 2017

Internet of Things, and the CISO

With IoT Proliferation, Do Corporate Security and the CISO Need to Adapt?

By Ed Higgins


The answer to the question above in one word is: Yes.

With the many clever innovations introduced by IoT comes the need for copious amounts of creative thinking about information security strategy, in order to embrace IoT effectively while simultaneously ensuring information confidentiality, integrity, and availability.

The Internet of Things is not going away. It's much too ubiquitous and presents a great opportunity for innovation and benefits for us all (for home, for work, and for industry). I believe most Chief Information Security Officers (CISOs) clearly understand this and want to support IoT. But doing so will require clearly defined rules, appropriate controls and countermeasures, and a certain amount of legitimate paranoia.

I believe CISOs are (or should be) working actively with stakeholders within their respective organizations to fully understand the business's long-term strategy surrounding IoT, in order to adapt their policies, practices, and guidelines to embrace the benefits of IoT advancement while continuing to protect sensitive data, ensure secure operations of the business, comply with regulations, and meet the security standards and business vision already established in their companies.

In many cases, existing security policies and guidelines, at least those which are fairly modern to begin with, can be leveraged and adapted to address IoT, much the same as when the topic of "visitor wireless area networks" was among our list of challenges. But topics involving classification, data integrity, detection controls, risk profiling, impact breadth, and incident response mechanisms all have to be reworked to address the deeper and widening threat landscape. This includes addressing the broader security implications now introduced by the IoT product manufacturer. Some security pros argue, and I tend to agree with them, that the number and placement of security intrusion detection and data leakage prevention systems could double or triple in complexity and volume-handling requirements due to the impact of IoT.


In a previous article entitled "IoT, When My Thermostat Becomes a Weapon", I wrote about the potential security concern when insecure IoT devices enter a home network where there also exists a VPN connection to the workplace. This could directly impact the business's security posture, since a compromised home LAN could become an attack surface through the business VPN. In talking with many CISOs during the RSA Conference 2017 (week of Feb 13 - 17), not many had even yet considered this potential risk. I believe CISOs should review their detective controls and security policy regarding VPN and home-office workers in order to ensure that adequate security controls, such as strong authentication, complex passwords, inactivity logout, and VPN and anti-malware tools, are functioning on the home user's PC.

Additionally, many IoT devices are created by new startup product businesses, or even by crowd-funded operations whose primary objective is to produce very cool stuff fast. It is crucial, I believe, that we evaluate and scrutinize the security postures and data management practices of the IoT product companies, since they essentially become a potentially risky extension of our corporate security landscape.

I hope you enjoyed this article.

Stay tuned, and stay safe,

Ed

Monday, January 23, 2017

IoT: When my Home's Thermostat Becomes a Weapon

By Ed Higgins
January 23, 2017
As I consider the Internet of Things (IoT), I think of things like smart-watches, internet baby cameras, home thermostats, and other neat technologies. I recently pondered a broad range of security concerns and thought it might be fun to explore these questions a bit further and share some thoughts and suggestions. 

What's the security situation with all my cool gadgets? 
My home's thermostat is smart and connected to the Internet. This gadget is a wonderful innovation and part of the virally expanding portfolio of Internet of Things (or IoT) devices. You all know about these, and likely have one or many in your own home or apartment. In fact, industry studies suggest that each person on the planet will own at least five IoT gadgets by 2020. 
My thermostat allows me to alter my home's temperature and check the current settings from the convenience of my cell phone. All cool (pun intended), right? Well, this convenience raises some important secondary concerns and a completely new set of questions. But hold these particular thoughts for a minute. A smart thermostat is technically a system, complete with an operating system, a wireless network interface, the ability to control another system, and configurable settings (schedule, override, notifications, etc.).
With an operating system, one must safeguard the OS against unauthorized access, rootkits and malware infiltration, which can infect the system and alter its intended behavior.
With a wireless network interface, one must deny access to outsiders or bad actors. In the case of a wireless network, let us not forget that a bad actor could hijack your thermostat from the seat of their car parked outside your house. However, a bad actor would more likely gain access via the Internet, either through a poorly configured firewall (or no firewall), or via open, insecure ports on an Internet router. Quick question: when was the last time you logged into your Internet router and checked its settings? Thought so. Regardless of the method a bad guy may use to get into your local area network (LAN), their being there is not good. Once on your LAN, the bad actor can and will discover every vulnerable device and shared file on the LAN, including any VPN connections to your employer, the latter of which raises some distinct problems and liabilities for both the employee and the employer.
With a device that can control another device, one must understand the downstream devices that can be controlled by the IoT device (i.e., the furnace/AC controlled by the thermostat), and that compromising the controlling device (the thermostat) gains immediate access to control any downstream controlled device (the furnace/AC system).
With a device that has alterable settings (a configuration table, so to speak), one must safeguard the table from unauthorized alteration. But there's one challenge with safeguarding these settings on many IoT devices. The last time I checked my thermostat there was no password protection. Thus once I connect to the thermostat, I can change any setting without challenge.
Now, let's come back to the point I asked you to hold onto: the cell phone app that allows me to control my thermostat from afar. Yes, there is a third party involved between me (my cell phone) and my thermostat. It's the thermostat manufacturer's service that connects us. In principle, my thermostat connects to the manufacturer, and my cell phone app connects to the same place, and we're matched by a lookup code that associates us.

What about the thermostat manufacturer?
The manufacturer's security infrastructure surrounding this "meeting place" becomes one of the most critical components in the mix. I guess I really need to trust my thermostat manufacturer, right? Have they designed reasonable security into the product? Do they have security personnel dedicated to the job and constantly monitoring and testing the environment? Have they secured their product development networks and customer-portal networks? Lots of questions; few answers come to mind.
A commercial product manufacturer's network will likely be more secure than most home wireless networks. But it's important you know that we as consumers become completely and immediately reliant upon the security that the manufacturer has designed into their products, and upon their having implemented and applied appropriate layers of security within their networks to protect their thermostat (or whatever product) from being infiltrated by an outsider.
I don't think very many consumers pay much attention to this aspect of certain IoT devices, likely because coolness sometimes overrides the messy topic of security. If you think about how rapidly brand new IoT technologies and start-ups come onto the scene, you have to wonder: have they really implemented a secure infrastructure and hardened their products and services to adequately protect your data and your network? I don't know about you, but this makes me wonder.

So What Could a Hacked Thermostat Do Anyway?

What if my thermostat manufacturer's system or network is hacked? Millions of subscribers' thermostats (or worse, the downstream controlled furnace) could all be compromised as a result. What if a bad actor were to alter the temperature in every smart thermostat to the maximum possible setting (say, 99 degrees) and leave it there until you pay the ransom? A team at DEF CON demonstrated this very scenario just this past summer. Or, what if a bad actor compromised all thermostats to initiate a massive distributed denial of service attack on another victim, perhaps a targeted business, or Internet DNS servers (which actually occurred very recently)?
If this attack were for the purpose of a ransomware scenario, then the sure-fire home solution is to simply shut off the thermostat and replace it with a different device or a non-tech variant. This eliminates the problem entirely. But this fix is not as easily accomplished in commercial businesses or hospitals, where the complexity and impact are far greater.
What if all the smart thermostats turned on all furnaces at the same time? Could this cause a significant, measurable drain on our electrical power grids? Perhaps not so much at the present time, because not every home has a smart thermostat, nor are they all the same brand of smart thermostat. But given the time and the motive, the capability definitely exists for a bad actor to infiltrate a broad range of smart thermostat brands, business HVAC systems, and other targets, and create a coordinated attack through exploitation of many brands of thermostats and smart devices. This would become a new type of attack, and certainly one that could be categorized as being among the aspirations of nation state bad actors rather than being attributed to an individual bad actor.
There are things about things that we just don't yet know.
All these "what-ifs" could actually occur. And, over time, they will in one form or another.

So, Could My Thermostat Steal My Data? Actually, yes.
There are additional concerns beside using thermostats as ransomware devices, or as "mules" in a distributed denial of service botnet attack against a third party. What if a bad actor hacked the thermostat manufacturer's network and introduced a malicious thermostat OS update with the ability to steal data from devices on your LAN, or the ability to spread malware to them?
Perhaps a bad actor configures the hacked thermostat to function normally but with an additional malicious feature. What if a hacked thermostat were to become a data leakage device sitting inside your LAN, with the sustained ability to forward every piece of electronic data from every device on your LAN (your PCs, your file shares, your media devices, etc.) to a malicious site somewhere in the ether? This type of attack need not steal data quickly; it could siphon data in bits and pieces and go undetected for weeks, months, or even years. While this type of attack is a bit more sophisticated in its approach, the operating system and technology present in many small micro-controlled systems (e.g., Linux and Java) could make the smart thermostat a formidable place for such an attack to begin.
In a similar manner to the hacked thermostat, what if the bad actor replaced the respective cell phone app with a malicious version, with the ability to harvest all your contacts, credit card info, and other sensitive data stored in your cell phone?
When you think about this, and use your imagination, the possibilities along with the potential nightmares are endless.
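The slow, sustained siphon described above is what a defender can look for in outbound flow records from the home router. The following is an added example, not code from the original post: it profiles a thermostat (address, vendor hostname, and hourly baseline are all assumed) and flags it when it talks to an unexpected destination or uploads above its baseline in most hours of the day, while ignoring a one-off burst.

```python
"""Flag a slow-drip upload from an IoT device in outbound flow records.

Constructed example: the addresses, hostnames, baselines and records are
assumptions for illustration, not data from the post.
"""
from collections import defaultdict

# Outbound profile per device: (allowed destinations, baseline bytes per hour).
# A thermostat needs one vendor endpoint and a few kilobytes an hour (assumed).
PROFILES = {
    "192.168.1.40": ({"cloud.example-thermostat.test"}, 64 * 1024),
}

def summarise(flows):
    """Aggregate (hour, src, dst, bytes_out) records into per-device hourly totals."""
    agg = defaultdict(lambda: {"hourly": defaultdict(int), "dsts": set()})
    for hour, src, dst, nbytes in flows:
        agg[src]["hourly"][hour] += nbytes
        agg[src]["dsts"].add(dst)
    return agg

def find_drip_exfil(flows, window_hours=24, min_busy_fraction=0.75):
    """Return {src: [reasons]} for profiled devices that break their profile.
    Signals: a destination outside the allow-list, and a window total above
    baseline * window while most hours individually sit above baseline. The
    second catches the steady trickle the post describes (no single hour looks
    alarming) but not a one-off burst such as a firmware download.
    """
    findings = {}
    for src, a in summarise(flows).items():
        if src not in PROFILES:
            continue
        allowed, baseline = PROFILES[src]
        reasons = []
        strangers = a["dsts"] - allowed
        if strangers:
            reasons.append(f"unexpected destinations: {sorted(strangers)}")
        hourly = a["hourly"].values()
        total = sum(hourly)
        busy = sum(1 for b in hourly if b > baseline) / window_hours
        if total > baseline * window_hours and busy >= min_busy_fraction:
            reasons.append(f"sustained upload: {total} bytes, above baseline in {busy:.0%} of hours")
        if reasons:
            findings[src] = reasons
    return findings

def sample_flows():
    """Constructed day of flows: the thermostat trickles 200 KB/h to an unknown host."""
    flows = []
    for h in range(24):
        flows.append((h, "192.168.1.40", "cloud.example-thermostat.test", 3_000))  # heartbeat
        flows.append((h, "192.168.1.40", "203.0.113.9", 200_000))                  # the drip
        flows.append((h, "192.168.1.20", "cdn.example.test", 40_000_000))          # PC, unprofiled
    return flows
```

Running `find_drip_exfil(sample_flows())` reports the thermostat for both reasons; the PC is ignored because it has no profile, and a two-hour firmware-sized burst to the vendor host would not be reported because it is not sustained.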
My Home's LAN is not that interesting to a "bad actor", Right? Wrong.
Actually, your home network is pretty interesting to bad actors. Home local area networks are changing in many ways. With more connected devices such as IoT devices, increased data storage devices (local and cloud connected), and media sharing devices, your network is a very interesting place. Home network Internet connection speeds have dramatically increased to impressive levels, thanks to powerful fiber optics and advanced consumer bandwidth plans that rival many commercial business networks. Most home networks today boast extremely fast download connection speeds (in many cases greater than 100Mb). More importantly for data theft, they also boast the same high-capacity bandwidth for uploads. Thus, the home owner's local area network may have 100Mb or greater down/up with very little security beyond the Internet router. Unlike commercial business networks, the home network typically does not employ advanced security perimeter controls such as intrusion detection systems, data leakage prevention, or enforced access control policy mechanisms. This is why it is an attractive place for bad actors. In other words, once a bad actor gets past your cable router, they would potentially have access to a wide open network, complete with an extremely fast Internet connection, which they could use as a beachhead to launch other attacks, and to attack you.
Think of the many hundreds of millions of home networks out there for a bad actor to choose from, most of which are wide open territory. Now think of the volume of IoT gadgets out there. Early predictions regarding IoT growth reveal that the number of IoT gadgets will reach 20.8 billion devices by 2020 (reference: Gartner, 2015). Intel Security predicted the number to be in the range of 20 to 30 billion devices by 2020. That's a lot of IoT devices spanning perhaps billions of relatively insecure home networks across the globe. Most recently, security firms have adjusted their predictions to nearly 50 billion IoT devices by 2020. This leads me to wonder: do we really know the prolific potential of global IoT sprawl?

A Few Good Steps You Can Take...

Using just the above examples we could fill many whiteboards with attack profiles and scenarios, line diagrams, and pathways to potentially catastrophic damage. And we need to conduct this type of out-of-the-box thinking to get inside the heads of bad actors and anticipate what they are thinking, in order to understand how they operate and adapt. While it is unreasonable to think that home users will implement the advanced security technology found in commercial business networks, there are some very good basic steps that everyone can and should consider to ensure their security.
A good first step that home users should consider is locking down your Internet gateway (the router) by:
- restricting access with a complex password
- disabling external remote management ports
- disabling the DMZ function if you don't need one
- applying the latest security firmware updates
- restricting inbound ports to only those that you really need
Also, disable inbound ICMP requests (we call these ping requests) so that your router doesn't respond to pings from the outside. This provides a level of stealth, since your router won't answer pings. Incidentally, a ping request is among the first steps a bad actor takes to determine which IP addresses are responsive. You should also buy and install good anti-virus/anti-malware software for all of your PCs, and keep it enabled and always up to date. You should also consider configuring a password on your devices that share files (e.g., media devices, file servers, home PCs, etc.).
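The router lock-down steps above can be turned into a checklist that is run against an exported copy of the router's settings. The following is an added example, not from the original post or any router vendor: the settings layout, the password rules, and the "needed inbound ports" list are assumptions, and the two configurations are constructed to show a weak setup beside the same router locked down.

```python
"""Check a home router's settings against the lock-down steps in the post.

Added example; the settings layout is an assumption (a hand-built export,
not any real router's format), as are the password rules and port list.
"""
import string
# Inbound ports this household actually needs; every other inbound port should be closed.
NEEDED_INBOUND = {443}  # assumed: one self-hosted service
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def password_weak(pw):
    """True unless the password is at least 14 characters and mixes 3+ character classes."""
    variety = sum(1 for cls in CLASSES if any(ch in cls for ch in pw))
    return len(pw) < 14 or variety < 3

def audit_router(cfg, latest_firmware):
    """Return the lock-down steps the configuration fails (empty list = all passed)."""
    findings = []
    if password_weak(cfg["admin_password"]):
        findings.append("admin password is short or lacks character variety")
    if cfg["remote_management_wan"]:
        findings.append("remote management is reachable from the Internet side")
    if cfg["dmz_host"]:
        findings.append(f"DMZ forwards every inbound port to {cfg['dmz_host']}")
    if cfg["firmware"] != latest_firmware:
        findings.append(f"firmware {cfg['firmware']} is behind latest {latest_firmware}")
    extra = set(cfg["inbound_allow_ports"]) - NEEDED_INBOUND
    if extra:
        findings.append(f"inbound ports open without a need: {sorted(extra)}")
    if cfg["respond_to_wan_ping"]:
        findings.append("router answers ICMP echo (ping) from the Internet")
    return findings

# Constructed examples: a factory-default style router and the same one locked down.
WEAK = {
    "admin_password": "admin123",
    "remote_management_wan": True,
    "dmz_host": "192.168.1.50",
    "firmware": "2.0.9",
    "inbound_allow_ports": [21, 23, 443, 8080],
    "respond_to_wan_ping": True,
}
HARDENED = {
    "admin_password": "Furnace!Winter-2017-Keep",
    "remote_management_wan": False,
    "dmz_host": None,
    "firmware": "2.1.4",
    "inbound_allow_ports": [443],
    "respond_to_wan_ping": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_router(cfg, "2.1.4") or ["all checks passed"])
```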
Lastly, it is important to maintain a current and reasonable awareness of emerging potential security threats and what you can do to minimize them. For example, news of recent phishing attacks has been shared on the Internet, local news and mainstream media. Remember not to click on links contained in messages from people you don't know. Even when someone you know sends an obscure message containing a link or attachment, think twice about clicking it, since their PC could be compromised and potentially trying to spread malware to you and others.
With respect to security and the Internet of Things, I consider myself a "cautious IoT embracer", which means I try to understand and answer as many of the questions presented here as I can, to understand the risks and adapt my security countermeasures to manage them. Good security and IoT can and will coexist. We just need to think creatively and thoroughly as we embrace both.
I hope you enjoyed this article and hope it was helpful.
Stay tuned, and stay safe.
Ed

Tuesday, January 17, 2017

Obama's Legacy in Internet Security: The Good, Bad, and Ugly

I just read NextGov's new article summarizing President Obama's accomplishments in Internet security. What he did, what he didn't do, and how it all turned out. The good, the bad, and the ugly.

Below is an excerpt from the article, centered around the following question, which sums it up well.

Are We Better Off Than We Were Eight Years Ago?

"That question—are we better off in cyberspace now than we were eight years ago?—was a particularly troubling one for cyber experts consulted by Nextgov."

Their answer, by and large, was a qualified........ No.


“We’re better off in terms of policies and institutions to deal with cybersecurity, but worse off with regard to the threat landscape and the actual security environment,” said Tim Maurer, co-lead of the Cyber Policy Initiative at the Carnegie Endowment for International Peace.
“There’ve been improvements on protecting us from attacks on critical infrastructure,” said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. “I think those are much less likely than before. But, overall, the progress has not kept up with the pace of the threat.”
Even Michael Daniel, the president’s cybersecurity coordinator, whom many experts credited with shepherding major advances during four-and-a-half years in the post, was not entirely sanguine.
“I think we’re clearly more capable and I think in many ways, we’re more aware and we are safer in many ways,” Daniel told Nextgov. “But our vulnerability has continued to expand as well …The landscape is more serious and more dangerous.”"
Source: NextGov

Stay tuned, and stay safe

Ed