
Mind the Gap: Managing Insecurity in Enterprise IoT

BSides DC · 2019 · 43:55 · 32 views · Published 2019-10

About this talk
IoT devices proliferate across enterprise environments—medical equipment, building systems, printers, conferencing devices—yet lack security frameworks, patches, and regulations. The speaker surveys real attack vectors from Mirai botnets to firmware-bricking malware, demonstrating how a single compromised IoT device can pivot into broader network compromise. Enterprise architecture struggles to integrate fast-moving IoT innovation into rigid legacy systems, leaving organizations exposed to ransomware, data theft, and physical disruption.
Original YouTube description
IoT is an ever-expanding attack surface about which we have many misconceptions and assumptions but for which we have very few policies, regulations or security. These are devices built for one purpose, not meant to be upgraded and rarely if ever patched. As more devices are enabled to connect and communicate online, in the relentless pursuit of innovation, we’ve put the cart before the horse and failed to construct a framework to effectively control and secure the capability created. Consider this: over 90% of the data in the world was created over the past two years, and current output is roughly 2.5 quintillion bytes per day. As IoT moves into a range of enterprise environments, driven by consumer demand and BYOD desire, Shadow IT becomes Shadow ET, bringing new challenges and risks that our existing compliance and security don’t address or regulate. Misconfiguration usurps any benefits of eroding segregation as online exposure of both sensitive data and critical systems increases. Adversaries at all levels have been watching, waiting and are making their moves because ignorance isn’t an excuse – it’s an invitation to exploitation.

Cheryl Biswas (Strategic threat intel analyst at Major Canadian Bank)

Cheryl Biswas is a Strategic Threat Intel Analyst with a major bank in Toronto, Canada. She found her way into InfoSec through a helpdesk backdoor and pivoted into roles for vendor and change management, jumped a gap into privacy and DR/BCP, then laterally moved into security audits and assessments. Her degree in Political Science has evolved into researching APTs, botnets, ransomware and more. She is actively involved in the security community as a speaker, a conference volunteer, and encourages women and diversity in Infosec as a founding member of "The Diana Initiative".
Transcript [en]

...available medical facilities, that's a really important thing. There are pumps, there are MRI machines. I know I've relied on these things, I know people who are relying on these things. There's patient monitors. Now I've been privy to hear some excellent talks about medical equipment and the security risks, and this continues to grow as a concern. You may not know this, but there could be up to 15 connected devices per one patient bed. Then there's businesses and corporations who use smart TVs and digital conferencing, and don't forget the printers and scanners, and retail of course, which has to use this everywhere because they need to not only just scan in the information, but now we have

automated kiosks. At the CVS like a couple of blocks over there's three of these independent kiosks, and you're going to see more and more of those. You may be standing in line at Target and suddenly a message pops up; that's because they're utilizing this to pump out the information to get you to buy more goods. They also use it to track the inventory on the shelves and to monitor for loss prevention and theft. And then of course there's digital displays, which can be fun to play with. Transportation and logistics: warehousing and transportation, point A to point B, all of the things have to be delivered, monitored, protected. So not only every scanning that goes in and out of the

warehouse is to make sure that there's enough supply and just-in-time inventory, but it's monitoring those trucks, and some of those are refrigeration trucks, right, to keep seafood, etc., perishable items safe for consumption. They also help the trucks in terms of tracking fuel consumption, location, rerouting in case there's an accident down the road or bad weather conditions, checking on delivery times. There are wearables which enable employees to communicate more effectively with one another. And then of course there's buildings and facility management: we've got HVAC systems, locks, physical security monitoring. In other words, that's a whole lot of vulnerability that's just waiting to happen. So this is my first and main takeaway for you right now: we're not

spending as much as we're buying, and we're not putting that security in place. If the greatest projected sources for endpoint electronics revenue in 2020 are gonna be consumer, connected cars and networked printing, well, all I can say is we are so hacked. All right, we all know what the road to hell is paved with, don't we? So just about a year ago I heard a talk by Christine Gadsby, she's the head of product security operations with BlackBerry, and she was talking about how the Internet of Things has grown exponentially. No secret, we definitely know that, not just within the consumer space but specifically within enterprise, and enterprises want to use all of these fabulous innovative new

endpoints for potential business value, right? It's opportunity and it's growth and it can help create organizational efficiencies. This is all the kind of stuff that business wants to achieve, and if you're aligned with the business goals you also want to achieve these. It's a combination of what's coming in through literally billions of sensors and sophisticated algorithms for analysis, and this is supposed to help streamline business processes, increase productivity, and then develop leading-edge products, because innovation. However, with great reward comes great risk as we continue to venture further into uncharted technologies, and they said we really do not know what we think we know when it comes to IoT, especially when we bring it into

enterprise environments. So what is it that we are not considering, what is it that we haven't thought of? For example, how many of these devices can actually listen to us? Now another factor: we still don't have a handle on cloud, but that's the home of IoT. We face serious capability gaps when it comes to integrating IoT into business. Companies are not taking a holistic or a big-picture view, but they're just focusing on one enterprise IoT program, and what happens is that leaves out organizational capabilities and change management, which you need when you are doing any kind of a large-scale rollout or initiative. Those are the checks that help keep us in place. So

even with all that we know about inherent security risks in IoT, and as targeted ransomware attacks significantly increased across 2019, try a hundred and eighteen percent increase from 2018, there are no real regulations or enforcement to ensure security. So let's talk about what we think we know. To understand enterprise things we kind of have to understand the Internet of Things, and I'll start with this drawing. Are people familiar with this? Exactly, everybody has a different definition of the same thing. Well, that leaves us with what this is. Not a surprise, this isn't IoT. Now they say that a picture's worth a thousand words, and so we'll give you this. What you see here is

a lot, a lot of devices, different firmware, different products, there are different protocols, different third-party APIs. Essentially that is risk, that is vulnerability waiting to happen. So simply put, IoT devices are typically non-internet items that have been enabled to connect, to enable them to communicate with other devices online, and that term was coined by Kevin Ashton, MIT, back in 1999, so it's been around for a while. There are different flavors of course of IoT: there is industrial IoT and there is the Internet of Health Things, and then there of course is enterprise IoT. What it is is technology that communicates either machine to machine or mobile to mobile,

and it means, in whatever flavor that you care to describe it, it's extending that Internet connectivity to ordinary physical devices. And I keep emphasizing that because these were things that were not initially designed to communicate with the network, so we're enabling them to connect and communicate with other similar devices. And what we're doing in that sense is we're going beyond our defined security boundaries to allow connections to devices, and then we, the humans, are taking ourselves out of that equation. And let me leave that concept with you.

So what are unmanaged endpoints? This is what IoT devices essentially can be. Well, there are the things that don't have any security built in, not security that we can manage and better configure. Think plug and play, for example, because convenience, my friends, has become the root of all evil. And so many IoT devices are actually unmanaged systems that are able to communicate with other devices and systems within enterprise organizations, your organization. They process and transmit information, they have an operating system, however simple that might be, and they cannot be managed by security tools that we have in place, but a lot of people think they can. We don't get to configure them, we can't make them

better than they are, we're stuck with what we get. So yeah, what could go wrong? Well, let's start with refrigeration on transport trucks. You've got a load of shrimp going to your local seafood store and the temperature control fails but it doesn't alert the driver, and he shows up at the door and the shrimp is disgusting. Well, that's a loss you can measure in dollars, but what about when it's a loss you have to measure in terms of life? What about HVAC systems in the buildings where we work, where we live, or the hotels that we get to stay at? Is anybody familiar with Legionnaires' disease? There are outbreaks, and if you're relying on controlled, monitored

systems to ensure that ventilation is clean and air conditioning is running properly, and those fail and the bacteria develops and builds up and it's not being tested for, and you can't monitor everything, you can have an outbreak of Legionnaires' disease. What's something similar? Think in terms of quality control for food we eat or medicines that we use. What if those controls are not working properly, or we can't see end to end to ensure that something isn't in there and interfering with that transmission process? If those controls were tampered with, how would we know? Now I might be a little paranoid here, but we have seen ransomware very active in our hospitals, it's an ongoing situation. The

fact is we rely on these devices to be reliable and to notify us. In other words, we trust them. And what is that cardinal rule about trust for those of us in InfoSec? Trust nothing. Trust but verify. OK, so there's a lot that we don't get right. Is anybody here a baker? When you're baking and you've got a great recipe for birthday cake, you can maybe double it up and make like a second batch of cupcakes for the class fair. It's OK, it works really well, but that does not scale to 10,000 cupcakes. You are not going to get anything that mirrors that original cupcake recipe if you try. This same thing

applies in hyper-connectivity, because we have to connect all of the things all of the time, and that consumer-driven need for things has just made itself right at home in our enterprise environments. We're dealing with a rush to market, right, we're dealing with the need to be innovative and ahead of our competitors, so we don't have security in our software-defined life cycles the way we need to. We face supply chain risk and the possibility for the liability, so devices get shipped that cannot be updated or are really difficult to update, and risk gets pushed along that supply so that whoever buys it owns it, and consumers wind up bearing that security maturity issue for the enterprise and

things. According to a Ponemon survey done back in March of 2017, most organizations were not inventorying IoT devices because they just didn't have centralized control over the devices that were coming into their workplace, along with the apps needed. You know what that can lead to? Shadow IT. How many people here are familiar with the term? Do I need to explain? OK, good. Now I have a question: how are you inventorying the personal devices used by your staff or your employees for bring your own thing, IoT? You might have BYO device to some extent, but a lot of stuff is coming in that is IoT that is getting plugged into the networks, and it is staggering to see

what is actually on there that should not be on there and cannot be seen. So I'm gonna leave you with this concept: just one of those devices compromised offers lateral movement within the networks for an attacker.

OK, so let's consider this an open invitation to shadow IoT through increasing unmonitored and unsanctioned BYOD, and as IoT continues to move further into our enterprise realms, shadow IT becomes shadow IoT, becomes shadow ET, and we have new challenges and risks that our current frameworks do not address. So here's another worry for you: how does your current security policy and SLA address IoT with your trusted third parties? This really doesn't appear on a lot of agreements, and it needs to.

So another thing: in an article from CSO from 2018, 97% of risk professionals said that a data breach or cyberattack caused by unsecured IoT devices could prove catastrophic to their organization. Well, that's pause for concern, and I'm gonna use this as an analogy. IT teams in hospitals do not have the visibility to see how many devices that are IoT, or what types of medical devices, are actually on their networks. I think that that translates to any organization: unless you're actively monitoring for it, unless you've actually set up the configurations to identify, you really don't know what's on there, and what's out there as well. You don't have an appreciation or an understanding of the

risks and vulnerabilities of these types of devices. We are used to working with conventional equipment and sanctioned and approved networked devices within our enterprise environments, but these devices are also getting attacked for their access to data, and they can reveal all of the valuable stuff, financial, health, personal, but they can also be leveraged for ransomware, pulled into botnets, or potentially worse. So here are our takeaways: we've identified what makes ET different from others, we know about the ongoing and increased risk to shadow IT as it becomes shadow ET, and then what we need to have happen is a shared corporate responsibility across multiple layers of management to be responsible for this. So now that we know

what it is and we care, how does it work? This will be just a really quick step through. I am leaving a lot of stuff out because this is not a course on what IoT is. I'm gonna ask that you think of it in terms of three layers. First level, of course, are the devices, the things. These are sensors and actuators, and that's pretty much the realm of it. They're sitting at the edge and they're gathering all of the data, and then they're able to action it, and they send it up using an IoT gateway to the cloud. They typically communicate through either wire or through radio frequency. Now some devices come

ready to go out of the box; others are more legacy or older equipment, and these connect through analog or serial connections, and they get connected to things like microcontrollers. There are systems on modules, known as SoMs, or there's single-board computers called SBCs, and these utilize devices like we're familiar with, Arduinos or Raspberry Pis. Next we have the IoT gateways, and these act as our middleman to both serve as a messenger and a translator between the cloud and the smart device clusters. So we've got a lot of physical devices or software programs working alongside that, and what they need to do is they normalize, connect and transfer the data between the physical device and the

And that is a ton of raw data that has to be filtered and processed, so a lot of these are now being enhanced with additional capabilities to do just that: to filter through the data and make it more useful and take out a bunch of the stuff that nobody can or wants to have to use. It's designed to help address, we saw that previous slide, the multiple protocols that are out there, to connect with AI to do some pre-processing, to help us do provisioning and device management as well. More of these devices are being equipped for data encryption, and that is a huge thing. Ideally what we want to see is encryption of the data

from end to end, whether it is in transit or at rest, and then as well offering some degree of security monitoring. Last but not least is the application layer via the cloud, so we need a huge place to store all of this data and a place with a ton of processing power, hence the cloud, and this is all about big data. So we have got storage, filtering, data analytics, as well as the alerts and monitoring. So wireless sensors and actuators work together; they provide that connection between the digital and physical worlds. The sensor is collecting the information, passing it on to the actuators. So if I was going to use an example for you, I could use a cell phone.

On your cell phone you've got a camera and a mic. These are inputs, and they take in obviously visual as well as audio data. The speaker and your screen act as the actuators to turn that into actionable information for you. So how many sensors are out there? Billions, billions of them. The average home actually has enough to fill more than 300 32-gigabyte iPhones, and much of that information, as I said earlier, is raw and it needs to be filtered out; it's literally not usable. For example, in a report from a gas rig, the managers were only able to use 1% from a ship's 30,000 sensors to do maintenance planning. So on average they're saying that companies are using

maybe 10% of all the information they're taking in. Another important point is that actuators can produce physical changes based on the information that they get from the sensors. They actually make a decision and do something: they can move something or shut off a device. So think back to when we were talking about handing over control to the machines and what could go wrong. There are four types of communications between the devices. There's the device to device, basically using things like Bluetooth or ZigBee to communicate with each other. There's the device to the cloud, talking up through that gateway. There's the device to the gateway, again just going straight to the gateway. And finally there's cloud to cloud. So

that's within the architecture, and you have APIs and software. When we're talking about IoT architecture, these are essentially the requirements that we are striving for, to build in and support. Because you need to be able to do good data collection, have it efficiently handled so that you can minimize the raw data coming in and put together usable output. Connectivity and communications, because not only do you have to connect to that network, but you want it to be flexible and robust in terms of the protocols that it will support. Scalable, of course. We want security, ideally end-to-end encryption and monitoring. We want both availability and quality of service, because we want to limit the downtime

and have it fault tolerant. It needs to be modular and flexible and platform independent, because it's gonna be working across a huge range of things and territories. Each layer ideally is going to allow you to add different features, different hardware and cloud infrastructures from a variety of suppliers and manufacturers. You want it to conform to open standards and be interoperable, and then for device management you want to enable automated and remote device management so that you can get things like automatic updates. You also want to have defined APIs within each layer to allow for easy integration. And that brings us here: we have to integrate all of this fast-moving and evolving tech into established constraints.

Welcome to enterprise architecture. So think of enterprise architecture, or EA, as urban planning for systems: it's for systems, for networks, for integrations. All of the things have to live somewhere. So while systems engineering is essentially for one component, like a building, EA is for the community, and the challenge comes from trying to incorporate all of that new technology from IoT into the existing and even legacy systems of enterprise architecture. So terms like rigid and traditional can apply here, and the fact is these are not systems that are designed for speed or agility. They are in place because they're solid and they're secure, and they're looking at a different, bigger picture. IoT is about innovation,

and you want to be able to move quickly and rapidly and enhance what you've already got and keep building on it. That's not the goal of enterprise architecture. An EA's architecture has to address existing security concerns, manageability and interoperability; now it has to also do this in conjunction with IoT, so that it doesn't inhibit an organization's ability to innovate or operate. You can see where the challenge is. So if we're looking at those principles, what did I leave out? What never got mentioned in there? Somehow security gets left off this list a lot. This is kind of what it looks like. This is actually what it looks like: so you're bringing data across three different

networks, with a variety of protocols, requirements, firmware and hardware, which brings us to our takeaways. You've got three different layers of architecture to consider: the physical, the Internet gateway, as well as the cloud. Billions of devices out there, the sensors and the actuators and what they can produce, and how we are monitoring the data across three different networks, and the integration issues when you try to bring IoT into existing enterprise architecture. So how is it that IoT attacks are different? Let's start here, please. We're used to talking about conventional attacks in terms of breaches, even in terms of being focused on data exfiltration for identity theft and credit card theft and monetization. In the IoT world there is some of that, but

really these connected devices have more riding on them. They run things that we rely on; they work often in mission-critical environments, critical infrastructure. So the attackers can turn the devices against the company, and it becomes about disruption or destruction, and the impact is measured in terms of damage more than it is dollars, and that presents a challenge of securing beyond what we know as the CIA triangle. Attackers can carry out man-in-the-middle attacks, spoofing, cloning, software attacks that will steal credentials, and encryption attacks against key algorithms. Now this information is from the Irdeto global report from May of this year. There was a survey of 700 enterprises across five countries, which included the UK and the US, and they

stated a distinct lack of optimism about the future security of IoT devices in these organizations. 82% of these organizations that manufacture IoT devices are concerned that the devices they develop are not adequately secured against a cyberattack. That's a pretty sobering statement. And in the UK, Germany and China, all of which are very large producers of things, a hundred percent of the IoT device users felt that the security of the devices they had could be improved to a great extent, which is an alarming finding considering how much they're putting out. Now forty-nine percent of these organizations were making security part of their SDLC process, and about 53 percent conducted continuous security or code reviews. That sounds like a good

number, until I say it only takes one. So just take a look at these stats and think about your own organization and what you might answer if you were asked these questions. What are your firmware updates and your policies for security? Are they automated? How about default configurations? Do you check all of the devices coming in, and do you look for backdoors, which can also have default configurations, things like Universal Plug and Play, open ports? So this past April, Microsoft's threat intelligence center discovered a targeted attack by an advanced attacker known as STRONTIUM, APT28, out of Russia, against IoT devices. Involved was a VoIP phone system, printer and a video decoder, and the attack hit multiple locations

that used the devices as access points into the wider corporate network. That's a huge risk for any enterprise. Now two of these three devices still carried the factory settings and the software, and the third one had not been updated. Points of ingress will lead to further access. So I work in threat intel and we like to follow the games that nation-states play. They target critical infrastructure. Who here has not heard of Stuxnet? Exactly. But there are other destructive and targeted malware out there, like Shamoon, for example, and more recently Triton. International economic sanctions provoke retaliation, which we have observed very recently with both Iran and North Korea, and they have demonstrated their capability with destructive malware and cyberattacks.

Thanks to the release of Mirai source code from just a couple of years ago, we have a plethora of botnets out there that have been weaponized and pose a real threat. This is not about monetization; this is about power and control. And what are the consequences of ignorance or inaction? This is more from that Forrester survey: so unmanaged and Enterprise of Things devices are far more vulnerable to attack than conventional devices on the network. We cannot apply our same attack scenarios and threat models to these devices, and what we need to evaluate is what do we have in place, because once they get in, attackers can leverage and then they can pivot and go further into

our networks, which brings me to this: it's because it only takes one. These are some attack vectors. Yes, printers, printers are a big risk, you would be surprised. HVAC. Anything that you can compromise can be leveraged as a point in. We have increasing risks through cryptominers: once somebody gets into your network they're in your network, it doesn't matter if they came there to mine, they stayed there to do more. We talked about the increase in ransomware over 2019, targeted attacks on industry, Norsk Hydro for example, 60 billion dollars and counting, there's a lot of money to spend to try and get back up. Pitney Bowes got hit, and hit hard. Silex malware was discovered in

June of 2019. In a space of hours it bricked 2,090 devices. It wiped their firmware, it trashed the storage, it dropped the firewall rules, it removed network configuration and it halted the device. It pretty much stopped short of frying the circuits. This is similar to something known as BrickerBot, which hit back in April of 2017 and ran through till December of that year, and reportedly affected 10 million devices. So you could reinstall the firmware, but the reality is you won't, because it's that hard, and chances are you may not even recognize this as malware and just throw the device out. So this year, again, millions of first-generation Amazon Echo devices, how many people here by chance

use an Amazon Echo? Or eighth-generation Amazon Kindle devices, how many have a Kindle? Yeah, are vulnerable to something called a Key Reinstallation Attack, or KRACK. This is a four-way handshake vulnerability in the network, and it was identified in October of 2017. These are the two CVE codes that are associated with it. Well, it came to light that actually these vulnerabilities exist in these devices, and they can be exploited by attackers to conduct man-in-the-middle attacks against WPA2-protected networks. A lot of average consumers are going to just click right on that WPA2 button because it's a button and it's easy, boom, I'm secured. Unfortunately, no. Attackers can go into these supposedly protected networks and steal

information from the targeted devices and decrypt the packets sent by the clients via plaintext. So you can see denial-of-service attacks result, a disruption to network communications, replay attacks, there's potential for greater. OK, who hasn't had a Polycom experience at your organization? It's ubiquitous, right? But this is what we do. I don't know about you, but my organization has cut travel spending, and this is what we rely on, teleconferencing. There are a lot of endpoints in these systems. Well, the attackers know about these, they know that there are vulnerabilities, and with all of those endpoints the fact is each one is an opportunity into your network. Who implements these in your organization? Typically it's somebody

who's familiar with audio-visual equipment. It's not the security team; that's not going to be something that's on the checklist. So Polycom HDX had a significant vulnerability that was actually being exploited, and these Polycom systems, they're linked to each other across different corporations globally. Just think about that for a second, across the globe, and the risk of this is that through these unified communications devices, which often still have their default passwords or PINs in place for use, one, it just takes one, to infect the whole system. URGENT/11, has anybody heard about this? Because this was just recently announced. This is a very significant set of six vulnerabilities that can lead to remote code execution. There's a huge range of

the affected versions that spans across 13 years, and there are a lot of manufacturers who use this as their operating system. Attackers can effectively circumvent NAT and firewalls to control these devices remotely via the TCP/IP stack, undetected, because the vulnerabilities have a low-level position in the stack. They're just seen as harmless communication, that's what they're showing up as, and there's no user interaction required, so the vulnerabilities don't require any adaptations to the devices and it spreads very, very easily. Here are just some of the devices that are impacted and some of the huge manufacturers. We all use things from these companies in enterprise systems, and this affects everybody. There are proofs of concept for these

attacks by Armis online. This, for example, is against a SonicWall firewall. I used to work for a managed service provider that put SonicWalls in, because firewalls are supposed to be your line of defense. They're not supposed to be vulnerable, but they are, and an attacker can take over this SonicWall firewall via URGENT/11 and then they use a specially crafted TCP packet to take over all of the firewalls. In another instance, any of these connected devices can be taken over by an attacker to get in and to compromise your network. Here are takeaways,

which brings us to this: we need to make it better. Who's seen the movie I, Robot? Exactly, it was good until it wasn't good, right? And that about sums it up when we have IoT infiltrating enterprise systems. These devices are not the obedient little soldiers that computers and laptops are. They interact differently with the network and they behave differently, and they operate with little to no human intervention because we've taken ourselves out of that equation. So I'm just gonna say this: automating convenience with inadequate supervision is just gonna end badly. So how do we make it better? This whole section is a takeaway for you. Know your attack surface: operating systems, software, liability reduction.

Please use strong authentication in conjunction with good passwords; check for the defaults and remove them. Network segmentation: you've got to keep them separated, give them their own space, set them up on a private VLAN, their own portion of the network. Firewalls and VPNs, 'cause you got to go through me first. Automation: you can't do this the way you're used to doing it anymore, you really have to automate for visibility, because you need visibility and you need to be able to identify currently everything that's on your network, in your network, and establish baselines and then be able to update it regularly. Have centralized access logs, which will help your IT team know your baseline and then monitor for anomalies.

This: we need to put rules in place. Businesses need to be clear about what they're using, how they're using it, why they're using it, and then set that up with policies and enforcement. Yes, we need to use automation to help us do this better. We need to classify our devices in terms of how they're going to be used and who's going to use them and who's gonna have access, and give that authorization accordingly. We can utilize frameworks in NIST and CIS that actually address IoT. We can develop a better, comprehensive IoT security policy, data encryption all the time, and have a mature software-defined lifecycle. If you need help, you can find things like this

online to get that framework in place for you. Big takeaways: know your normal so you can monitor for those anomalies, and automate. There's even this zero trust privilege that will move us past existing approaches to privileged access management. So let's recap: we need budgets, but spend some time and money to control unmanaged and IoT device security. Put them in their own place. Invest in the people, policies and procedures across your organization. Invest in automation so you have the visibility. Collaborate, work together, get out of the silos and share the information. And make a good security policy. And that is it, and I thank you very much for your time and attention today. Thank you, Cheryl.

We've got time for one quick question, so if there is one, any questions at all?

...for the devices. But for a number of years we've, you know, we've been saying these things are not secure, these things...

Things are getting, uh-huh. I believe things are getting worse, because we're outnumbered by those devices. We do not have policies in place, we don't fully understand what we're using, and we're not really secure yet in the cloud, where a lot of this is going. The volume of data that we're producing, and we're losing through things like misconfiguration: every week it's another Elasticsearch database or database that's exposed with, you know, 180 million records because of misconfiguration. We are not there yet. That would be my answer. Sorry. OK, OK, thank you everyone. [Applause]
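As an added illustration of the talk's "know your normal, then monitor for anomalies" advice for unmanaged endpoints (this is not code from the talk or the speaker): a small Python baseline-and-deviation check over constructed flow records, assuming the enterprise's internal range is 10.20.0.0/16 and that printers and phones should never initiate admin or file-sharing connections; every address, port and timestamp below is made up.

```python
"""Baseline-and-deviation check for unmanaged IoT endpoints.

Constructed example: flow records for a printer and a VoIP phone during a
learning window, then a later window in which the printer starts reaching
workstations on admin/file-sharing ports and a never-inventoried device shows up.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed enterprise address space; anything outside it is "external".
INTERNAL_NETS = [ip_network("10.20.0.0/16")]

# Ports an unmanaged endpoint (printer, phone, video decoder) has no business
# reaching on other hosts; new traffic there is the pivot the talk warns about.
LATERAL_PORTS = {22, 23, 135, 139, 445, 3389, 5985, 5986}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, proto).
BASELINE_FLOWS = [
    ("2019-10-01T09:00:00Z", "10.20.5.11", "10.20.1.10", 53, "udp"),    # printer -> DNS
    ("2019-10-01T09:00:05Z", "10.20.5.11", "10.20.1.20", 515, "tcp"),   # printer -> print server (LPD)
    ("2019-10-01T09:10:00Z", "10.20.5.11", "10.20.1.25", 443, "tcp"),   # printer -> fleet management
    ("2019-10-01T09:00:00Z", "10.20.6.30", "10.20.1.10", 53, "udp"),    # VoIP phone -> DNS
    ("2019-10-01T09:00:02Z", "10.20.6.30", "10.20.2.5", 5060, "udp"),   # VoIP phone -> SIP registrar
    ("2019-10-01T09:30:00Z", "10.20.6.30", "10.20.2.5", 5060, "udp"),
]
DETECTION_FLOWS = [
    ("2019-10-02T09:00:00Z", "10.20.5.11", "10.20.1.10", 53, "udp"),
    ("2019-10-02T09:01:00Z", "10.20.5.11", "10.20.1.20", 515, "tcp"),
    ("2019-10-02T09:02:00Z", "10.20.5.11", "10.20.30.41", 445, "tcp"),  # printer -> workstation SMB
    ("2019-10-02T09:02:01Z", "10.20.5.11", "10.20.30.42", 445, "tcp"),
    ("2019-10-02T09:02:01Z", "10.20.5.11", "10.20.30.42", 445, "tcp"),  # duplicate flow, reported once
    ("2019-10-02T09:02:02Z", "10.20.5.11", "10.20.30.43", 22, "tcp"),   # printer -> workstation SSH
    ("2019-10-02T09:03:00Z", "10.20.5.11", "203.0.113.9", 443, "tcp"),  # printer -> unseen external host
    ("2019-10-02T09:00:00Z", "10.20.6.30", "10.20.2.5", 5060, "udp"),   # phone behaving normally
    ("2019-10-02T09:05:00Z", "10.20.7.77", "10.20.1.10", 53, "udp"),    # device never inventoried
]


def build_baseline(flows):
    """Learn, per source device, the set of (dst, port, proto) it normally uses."""
    baseline = defaultdict(set)
    for _ts, src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return dict(baseline)


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def classify(src, dst, port, baseline):
    """Label a flow that falls outside the device's learned baseline."""
    if src not in baseline:
        return "unknown_device"            # shadow IoT: absent from the learning window
    if not is_internal(dst):
        return "new_external_destination"
    if port in LATERAL_PORTS:
        return "internal_lateral_movement"
    return "new_internal_peer"


def detect_anomalies(flows, baseline):
    """Return one alert per new (src, dst, port, proto) tuple not in the baseline."""
    alerts, seen = [], set()
    for ts, src, dst, port, proto in flows:
        key = (src, dst, port, proto)
        if (dst, port, proto) in baseline.get(src, set()) or key in seen:
            continue
        seen.add(key)
        alerts.append({"time": ts, "device": src, "dst": dst, "port": port,
                       "kind": classify(src, dst, port, baseline)})
    return alerts


def lateral_fan_out(alerts):
    """Distinct internal hosts each device newly touched on admin ports.

    A printer that suddenly reaches several workstations over SMB/SSH looks like
    a foothold being used to pivot, not a misconfiguration."""
    peers = defaultdict(set)
    for a in alerts:
        if a["kind"] == "internal_lateral_movement":
            peers[a["device"]].add(a["dst"])
    return {dev: len(hosts) for dev, hosts in peers.items()}


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    found = detect_anomalies(DETECTION_FLOWS, base)
    for a in found:
        print(f"{a['time']} {a['device']} -> {a['dst']}:{a['port']} {a['kind']}")
    print("lateral fan-out:", lateral_fan_out(found))
```

In production the baseline would come from the centralized access logs the talk recommends and be refreshed on a schedule, with the device inventory supplying the expected role of each source address.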