Don’t let software chew a dangerous hole in next generation networks and the IoT

Once deployed, the business of managing mobile networks used to be relatively straightforward. Voice and text had a certain predictability. Special events aside, usage of these two services would take place within a set of parameters that the forward-looking network ops team could estimate with sufficient accuracy to stop problems occurring.

Enter the brave new world of mobile internet, and with it a whole new set of variables. Operators found (sometimes to their cost) that users would find a way of surprising them, be it with data-heavy applications, tethering or any number of unexpected internet-connected uses. The knee-jerk reaction was throttling of certain services, additional costs to use the mobile web in certain ways or sometimes outright blocking, says Dmitry Kurbatov, Telecommunications Security lead at Positive Technologies.

The emergence of the data-thirsty world of the IoT moves this issue into a whole new world. Not only will there be the same unexpected surprises, but the promise of 5G has been heavily sold as a universal connector. Once-inanimate objects now consume bandwidth, often inefficiently.

Thankfully, digital Darwinism works both ways. Into the space has evolved the shiny new world of NFV and SDN. Need capacity quickly, or want to provision a new service? Simple, click this, drag it there and it’s problem solved, right?

Not exactly. Whilst the development of such software undoubtedly makes things easier for operators, it also does what those in the cyber security industry fear the most: centralising control of something very important and connecting it to the internet. This practice creates a bullseye for a hacker: an asset which, given enough time, could be exploited by a creative and well-resourced team. This is something that companies with large customer or financial databases have been learning to their peril over the last few years. Putting the king’s jewels in a single chest makes it a target.

Understanding this mindset is the first crucial step in securing any network. Second, and just as important, is actually doing something about it. This sounds obvious, but network security and operations teams are bombarded with a million and one tasks as they prepare to transition to their newly virtualised network, each one a priority and sucking up limited resource as deadlines rush past at terrifying speed.

Getting an external view on security is vital here. Those who have been involved in planning and deploying the network are innately biased. This is not a criticism: any team in the middle of a complex technological deployment is not going to be able to see the wood for the trees. Giving someone outside the team the remit to break things can be a valuable learning exercise. As previously mentioned, knowledge of the hacker mindset is a valuable defensive tool, so employing a team with the specific remit to find problems can be an eye-opener.

This team should be given the freedom to audit everything from the code being used in critical areas of your deployment to assessing what visibility your network has from ‘the […]

The post Don’t let software chew a dangerous hole in next generation networks and the IoT appeared first on IoT Now – How to run an IoT enabled business.


How dangerous are the threat of kill chain attacks on IoT?


Recent research from IDC forecasts that there will be 200 billion connected IoT devices by the end of 2020. And while connected, autonomous technology will clearly increase efficiency and productivity, businesses and individuals alike should not underestimate the risks posed by IoT.


One of the major issues with IoT devices in businesses is that, after initial installation, the devices are often forgotten and left to run on their own. This leaves them open to major threats to IoT security, like distributed denial-of-service (DDoS) attacks via botnets (the tactic used to attack the Domain Name System (DNS) provider Dyn in 2016) and kill chain attacks.

The concept of a kill chain attack has been around for several years. Originally a military term, it was adopted by computer scientists at Lockheed Martin Corporation, who began applying it to cybersecurity in 2011 to describe a framework used to defend computer networks. Its relevance has taken on new meaning in the current security landscape of IoT devices and botnet attacks.

The “kill chain” lays out the stages of a cyber attack, starting from early reconnaissance to completion of the attack, with the ultimate goal of data theft and enabling more attacks. These stages are:

  1. Reconnaissance: The intruder selects its target device and begins searching it for vulnerabilities.
  2. Weaponization: The intruder uses a remote access malware weapon, such as a virus or worm, to target the vulnerability.
  3. Delivery: The intruder transmits cyber weapons to the target device, whether through email attachments, websites, USB drives, etc.
  4. Exploitation: The malware weapon’s code is used to trigger the attack, taking action on the target network to exploit the vulnerabilities identified above.
  5. Installation: The malware weapon installs access points for the intruder’s use.
  6. Command and Control: The malware then enables the intruder to gain “hands on the keyboard” persistent access to the target network, enabling future attacks.

IoT devices including wearables, TVs in the boardroom, and security cameras are all easy targets for kill-chain intruders, and the IoT device owner is not necessarily always at fault. For the manufacturers of IoT devices, security mechanisms are usually an afterthought: many companies employ weak security practices like having little to no encryption for information and hard-coding passwords directly into the device. In fact, last year, 80 Sony IP security camera models were found to have back doors, which could give hackers easy access to extremely private security footage.

Steps to prevent and respond to a kill chain attack

The best way to prevent a kill chain from infiltrating enterprise IoT security is to invest in a layered approach. There are four steps to applying this approach.

The first step is assessment, or starting with a network discovery process of all of the existing IoT devices connected to the network, including managed and partially managed devices. It is important to understand the classification of each device, which operating system it runs on, and which applications are installed on it.

After conducting an assessment, the next step is segmentation. IoT devices should not be included in the same network segment as other devices, or within reach of the organization’s mission critical systems and data. The best practices for ensuring security include deploying a firewall between IoT and non-IoT segments to minimize the risks to the “crown jewels” of your network.

Following segmentation, the next step is detection: regularly analyzing network behavior so that, if new IoT devices are added, it is possible to ascertain whether their behavior is consistent with that of other similar devices. A compromised or fake device might look the same as other IoT devices but behave differently.

The final step is response. Because manual alerts can take hours or even days to process, businesses should have a backup plan that will immediately limit access to a device with irregular behavior patterns.
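The detection and response steps above, as an added example that is not part of the original article: each device's traffic is compared with peers of the same class from the assessment inventory, and out-of-pattern devices are queued for containment. The flow records, device names, the volume threshold and the `move-to-quarantine-vlan` action are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flows: (device, device_class, destination, port, bytes_sent)
FLOWS = [
    ("cam-01", "ip-camera", "nvr.corp.example", 554, 48_000_000),
    ("cam-02", "ip-camera", "nvr.corp.example", 554, 51_000_000),
    ("cam-03", "ip-camera", "nvr.corp.example", 554, 47_500_000),
    ("cam-04", "ip-camera", "nvr.corp.example", 554, 50_200_000),
    ("cam-04", "ip-camera", "203.0.113.77", 23, 9_000),  # endpoint no peer uses
    ("tv-01", "smart-tv", "updates.vendor.example", 443, 2_000_000),
    ("tv-02", "smart-tv", "updates.vendor.example", 443, 2_100_000),
    ("tv-03", "smart-tv", "updates.vendor.example", 443, 95_000_000),  # volume outlier
]

def find_deviations(flows, volume_factor=5.0):
    """Return {device: [reasons]} for devices that behave unlike their class peers."""
    endpoints = defaultdict(lambda: defaultdict(set))  # class -> endpoint -> devices
    volume = defaultdict(lambda: defaultdict(int))     # class -> device -> total bytes
    for dev, cls, dst, port, nbytes in flows:
        endpoints[cls][(dst, port)].add(dev)
        volume[cls][dev] += nbytes
    findings = defaultdict(list)
    for cls, eps in endpoints.items():
        peers = volume[cls]
        for (dst, port), devs in eps.items():
            # Only judge classes with several members; an endpoint that a
            # single device talks to is out of pattern for the class.
            if len(peers) > 2 and len(devs) == 1:
                findings[next(iter(devs))].append(f"unique endpoint {dst}:{port}")
        for dev, total in peers.items():
            others = [v for d, v in peers.items() if d != dev]
            # Compare against the median of the *other* peers so one noisy
            # device cannot inflate its own baseline.
            if len(others) >= 2 and total > volume_factor * median(others):
                findings[dev].append(
                    f"volume {total} B vs peer median {median(others):.0f} B")
    return dict(findings)

def response_plan(findings):
    """Response step: map each flagged device to a containment action.
    The action name is illustrative, not a real firewall or NAC command."""
    return [{"device": d, "action": "move-to-quarantine-vlan", "reasons": r}
            for d, r in sorted(findings.items())]

if __name__ == "__main__":
    for item in response_plan(find_deviations(FLOWS)):
        print(item)
```
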


This layered approach is designed both to reduce the likelihood of a kill chain attack and to perform damage control during live attacks. Using this inventory, people will be able to understand device behavior on networks and to be alerted to irregular behavior. If, despite all of these steps, an attack does occur, people will be able to effectively respond based on a previously devised back-up plan.

Take, for example, a smart refrigerator that has been installed in your company’s office. Besides cooling your favorite refreshments and reporting on electricity usage, a smart refrigerator connects to the wireless network to fetch data, and as a result, it also has the ability to infiltrate other devices in its immediate vicinity, such as laptops, desktop computers, and mobile phones. Because access to the refrigerator isn’t password protected, hackers can easily access it and carry out a lateral attack, not only on smart devices but on all devices under a company’s roof.

In a connected environment, only smart, layered approach technology that can see, control, react and manage risk will be effective in securing corporate networks and IoT devices from the next great kill chain attack.

The post How dangerous are the threat of kill chain attacks on IoT? appeared first on ReadWrite.


New research warns of ‘alarming’ and ‘dangerous’ flaws in embedded systems design

More than one in five designers of embedded systems admit they hardly pay any attention to the security of their internet-enabled embedded systems products, according to a study from Barr Group.

The report, Barr Group’s 2017 Embedded Systems Safety and Security Survey, uncovered what was described as ‘alarming’ and ‘dangerous’ information about the state of embedded systems design.

Nearly 28% of the more than 1,700 qualified respondents (50% from North America, 27% from Europe, 14% from Asia, and 9% from other geographies) indicated that the products they are currently designing are capable of causing injury or death to one or more people in the event of a malfunction. Respondents anticipate that nearly half of these products will mostly be connected to the internet.

It is well known that any computer connected to the internet, including medical devices or embedded systems, is likely to be attacked through hacking; data breaches reached their highest level yet in 2016. Yet in spite of this, 22% of embedded systems engineers working on internet-connected safety-critical products did not regard security as part of their requirement list for the product.

Michael Barr, Barr Group CTO, said: “This is dangerously inadequate planning that puts all of us at greater risk. When safety-critical devices come online, it is imperative that the devices are not only safe but also secure.”

Survey findings also revealed that, of the designers working on safety-critical projects that will be connected to the internet, 19% admitted they do not follow coding standards, 36% use no static analysis tools, and 42% conduct only occasional code reviews.