Prevention: you keep using that word…
This past week the infosec industry and others took notice of two disturbing events. First was the huge Yahoo breach in which 500 million (or possibly more) data records have been stolen. The second event was a huge DDOS attack on Brian Krebs, a leading investigative reporter of cyber crime and the cyber criminal element. Brian’s account can be found here. The important thing about this attack was that the botnet involved had harvested thousands of embedded, and internet of things devices. Many security pundits have been predicting a possible scenario due to the lack of IOT security, for a while, and it looks like the future has arrived quickly. Here are some main points on the implications of this, from articles I’ve scanned.
IoT (In)Security Round-up!
The article “Armies of hacked IoT devices launch unprecedented DDoS attacks“ tells us,
“… this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called ‘Internet of Things,’ (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords,“
Isn’t that lame? Well done IoT vendors!!! But there’s more. The article goes on to tell us that,
“… in June DDoS protection provider Arbor Networks warned that there are over 100 botnets built, using Linux malware for embedded devices.”
Hey, is that all? Apparently we don’t want attackers to have to work very hard at all. Surprised there aren’t more, but, there likely will be, as the copycats are probably racing to harvest devices right now. (Woops! This just in! The source code used by the botnets for those DDOS attacks, including the hard-coded passwords, has been released online as I write this! Will this bode well. Copy-cat anyone?)
(IoT) prevention …
eventually fails fails right now
A very good article worth checking out, “Record-breaking DDoS reportedly delivered by >145k hacked cameras” provided more details and informs as to why this is worrisome;
“Most come with only a minimal control panel, and it’s not possible to use antivirus software to scan them for infections.”
“With no easy remedy for the growing epidemic of infected devices, people should be prepared for attacks that have the ability to disrupt ever bigger swaths of the Internet.“
Akamai’s Martin McKeay suggests what the nature of that disruption might look like,
“It’s getting huge… You’re going to see brownouts, sections where a data center, an ISP, a region, may have so much traffic that it takes down that region.”
A LA Times article with Brian Krebs commenting hits it as to why this should terrify us, here.
“In the last few years we’ve seen widespread dissemination of information about how to exploit vulnerable systems, … millions, or tens of millions, or billions of devices are out there that could be used. We’re just now scratching the surface.”
“They’re elements of the highly touted “Internet of things,” easily converted into threats to our privacy and security.”
“These vulnerabilities create an asymmetric battlefield — it’s cheap and easy to mount an attack, hugely expensive to repel one.”
“The scariest elements of this episode are these: First the weapons allowing cyber attackers to bring down websites and networks no longer belong exclusively to “state actors” such as governments, but are widely available in private hands. Second, these weapons are getting better every day. Finally, the cost of defending against such attacks can ruin their targets, vastly enhancing the attackers’ ability to silence them.”
“The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists,” Krebs says. He calls the result “the democratization of censorship”: One doesn’t need a government censor’s blue pencil and scissors to muzzle an adversary; one can bludgeon him into silence.”
The post by Elliot Williams, “Distributed Censorship or Extortion? The IoT versus Brian Krebs“, makes the point,
“… it used to take a nation-state to censor information on the Web — strongman regimes or agencies with spooky contacts in big ISPs. But if any script-kiddie can leverage IoT devices with hardcoded passwords to pull selected websites off the Net, the game has fundamentally changed.”
“Exploiting botnets of IoT devices has become a viable criminal option. Unpatched IoT appliances are the (pre-service-pack-two) Windows XP machines of the moment: they’re a public menace because they enable criminal activity. And it’s going to take both industry involvement and user education to get us out of this mess.”
That’s just it. This event and things like ransomware demonstrates that the game has changed. The industry doesn’t really have an answer to ransomware yet. Once again, it looks like decades of failing to address the fundamental issue that is the root cause of insecurity, has created another perfect storm, this time for IoT security!
Williams ends his post with,
“In short, the consumer IoT botnet problem is a thorny one, and it’s not one that we’ve heard the last of. What do we do?“
Well, that’s the burning question isn’t it? With no real solid remedies in sight, what else could go wrong?
Perfect storm, meet perfect storm
What happens should two perfect storms hook up? Ben Dickson’s article, “What makes IoT ransomware a different and more dangerous threat?“ discusses this and Jeremiah Grossman tweeted about a future IoT ransomware scenario. While some decry this as potential FUD-mongering, it’s highly likely that there will be some insecure IoT devices lacking internal controls that can easily be exploited by ransomware or new forms of malware.
So, some devices will be easily recruited into botnets, which can then used to conduct DDOS OR malware attacks on either other IoT devices, or enterprise targets for extortion. The problem is that even if only 10% of devices remain vulnerable, the sheer number of IoT devices that would be possible to attack for either purpose is still huge. Fun times indeed.
<Added Oct.10/16 A great post from some folks at 451 Group on the IoT attack surface numbers game, is linked below and can be found here.>
Is prevention possible?
Obviously something needs to be done to prevent IoT devices from being attacked. One often reads or hears that, “prevention eventually fails” and that while prevention is necessary, it’s not sufficient. My beef is that what passes for prevention is what fails pretty darn quickly. Thus, it’s now common acceptance that adversaries are already in your network and one must strive for early detection and breach containment. As a vendor of trustworthy computing and trusted execution environment software, accepting this would just grate at the soul. It’s just not on.
Consider this doozy of a comparison, from “Cybersecurity: is it really a question of when, not if?“;
” I am confident you have heard a famous slogan “it’s not a question of if you will be breached, but when you will be breached”? Can you imagine your banker saying “it’s not a question of if I will lose your money, but when will I lose your money” “.
Just raise your hand now if you think business as usual is going to work out.
Enterprise security to the rescue?
Another common tact is the notion that the enterprise security model can simply be ported to the IoT embedded world, such as being tried with the cloud, mobile etc.. If someone says your pacemaker needs to run AV, run the other way. Newsflash; the enterprise security model hasn’t work that great … in the enterprise. You may have heard a growing number of breaches in the media the last few years.
In case there’s any doubt, consider some opinions. From the article, “Cybersecurity: Time for a Paradigm Shift“,
“ … the current strategy of most organizations—layering on many different technologies—is not only proving ineffective, it is overly complex and expensive. “The status quo is not sustainable,” says Keith Weiss, head of U.S. software coverage for Morgan Stanley.”
” Is enterprise security achievable? I could buy everything at the annual RSA Data Security show and still not feel secure.”
From “Is the information security industry having a midlife crisis?“, Tsion Gonen of Safenet says,
“Security is hot right now. It’s hot because we’re totally failing,” said Gonen. “1800 cybersecurity startups were funded last year, and that’s driven by total failure,”
“Plan B accepts that hackers will get unauthorized access, but what is key for security is making sure that what they take they can’t really use.”
Except that when it comes to IoT devices, once they have unauthorized access, they already have what they can use. Attackers aren’t after data here.
Check out this SANS diagram which presents typical network speed bumps and increasingly outward looking approaches to security. Which of these practices are going to protect IoT devices?Where’s intrinsic system defensive capability? Is it not part of cyber security?
These approaches don’t constitute prevention in the sense of preventing unauthorized tampering with the devices. They won’t work very well for IoT devices because none of these are really addressing the root issue that is the core of device insecurity. So once they’re hacked, they’re hacked. Fixing core system security is the real prevention that’s needed.
Gary McGraw, CTO of Cigital explains this more in the article, “Is security really stuck in the Dark Ages?“, , says,
“ … missing the more important point – that too many systems don’t even have a good perimeter to defend. “Perimeter security only works if you have a perimeter,” he said, “and that starts with building things that don’t suck.”
” … visibility, while a good thing, doesn’t matter that much if systems lack security by design.”
“You can spend your time with a whole army tracking termites, or you can change your building material from wood to steel.”
Exactly! IoT devices have no perimeter themselves, although they may be located in networks that have some kind of porous perimeter. Past efforts to track down botnet command and control servers to knock them offline may have been wins, but still reactive. The primary goal should ALWAYS have been ramping up inherent security of systems so malware was unable to recruit them for botnet use in the first place!
While securing IoT devices will be a thorny issues, it can certainly start with eliminating the low hanging fruit. Software security and code quality will also play an important role to help reduce attack surface, but with 50 billion IoT devices slated to be on the net in a few years, even 10% vulnerable is a huge chunk.
The NIST 800-160 standard calls for system security engineering design producing trustworthy computing and mentions internet of things devices as a primary need. FYI, “NIST 800-160, No more same-old” provides a high level overview of the intent of this standard, and links to the NIST document. An ICIT paper referenced made these important points which bear repeating.
“In many ways, information security remains, at best, a soft science. NIST SP 800- 160 introduces the rigour of the natural sciences to cybersecurity. The publication applies more methodical, Engineering-based approaches to information security solutions to address the dynamic, complex, and interconnected systems and systems-of-systems, such as the Internet of Things, that run the modern world. ”
“A trust-driven model, such as that proposed in NIST SP 800-160, will preclude many breaches by removing vulnerabilities before adversaries can exploit them. In typical security models, information security is either predictive or reactive. In either case, information about the threat must be known before action can be taken. Trusted systems ignore that constraint. A trusted system is not impervious to compromise; rather, it is developed from initiation to preclude vulnerabilities that result from design and to withstand attacks.”
It’s not a bad idea to remember this from Wikipedia as well;
“The National Security Agency (NSA) defines a trusted system or component as one “whose failure can break the security policy”, and a trustworthy system or component as one “that will not fail“.”
So while these two terms are used interchangeably in the trust model, it’s trustworthy systems where the security can be verified, not just granted and assumed, which is really needed. On a system with a trustworthy computing environment, the ability for threats to exploit vulnerabilities is disconnected. How does the diagram below change if threats are unable to exploit vulnerabilities? Does risk remain the same?
The problem right now is that for COTS systems, the OS controls required to “control what one needs to control” are missing in action. These are the controls required to prevent unauthorized system/device tampering which occurs both on IoT devices (and on enterprise nodes during a hack). They don’t have perimeters, so network speed bumps are insufficient. Once IoT or embedded devices are owned, it’s too late.
There’s a need to ramp up system trusted computing bases, and the use of reference monitors, and separation kernels, to garner control over OS process separation and need-to-access. This is necessary to deliver some level of self-protection for a system’s own security and integrity in order to prevent unauthorized tampering. This is the kind of prevention needed. Without this, how much of the problem of IoT and embedded device security will really be fixed? Without this, then great software security and design becomes paramount to reduce attack surface opportunities. But in an only-takes-one world, this sort of has to be nearly perfect, right? How close are we getting to that?
So, am I really going to blame IoT vendors for doing a lousy job at IoT security? No, they don’t know better. Sure removing the free fruit like hardcoded passwords is a start, but this is an industry failure. Vendors aren’t getting the help they really need because the industry has basically ignored the root issue for decades.
The bonus would be, that addressing the root cause of system insecurity would help enterprise security as well and prevent Yahoo-like breaches. Verifying the root of trust along business process transaction lines as well as making use of controls that can enforce need-to-access, secure data storage and data flows, might be a useful thing.