
Mind the Gap - Managing Insecurity in Enterprise IoT

BSides DC · 2019 · 49:59 · 68 views · Published 2019-11
About this talk
IoT is an ever-expanding attack surface about which we have many misconceptions and assumptions but for which we have very few policies, regulations or security. These are devices built for one purpose, not meant to be upgraded and rarely if ever patched. As more devices are enabled to connect and communicate online, in the relentless pursuit of innovation, we’ve put the cart before the horse and failed to construct a framework to effectively control and secure the capability created. Consider this: over 90% of the data in the world was created over the past two years, and current output is roughly 2.5 quintillion bytes per day. As IoT moves into a range of enterprise environments, driven by consumer demand and BYOD desire, Shadow IT becomes Shadow ET, bringing new challenges and risks that our existing compliance and security don’t address or regulate. Misconfiguration usurps any benefits of eroding segregation as online exposure of both sensitive data and critical systems increases. Adversaries at all levels have been watching, waiting and are making their moves because ignorance isn’t an excuse – it’s an invitation to exploitation.

Cheryl Biswas (Strategic threat intel analyst at Major Canadian Bank)

Cheryl Biswas is a Strategic Threat Intel Analyst with a major bank in Toronto, Canada. She found her way into InfoSec through a helpdesk backdoor and pivoted into roles for vendor and change management, jumped a gap into privacy and DR/BCP, then laterally moved into security audits and assessments. Her degree in Political Science has evolved into researching APTs, botnets, ransomware and more. She is actively involved in the security community as a speaker, a conference volunteer, and encourages women and diversity in Infosec as a founding member of "The Diana Initiative."
Transcript

BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers. Good afternoon everybody, thank you so much for coming to my talk today. As you can see, I love Halloween, so I made my slides a little fun and festive for you today. Okay, so just a brief thing. Oops, I won't do that again. I'm from Toronto, Canada. I work in threat intel with a major Canadian bank. I'm also a founding member of the Diana Initiative; we run a conference in Vegas every year to support women in technology and security and diversity in tech. I'm also a member of something called the c3x

where we run cyber simulations for college students. This was our third great year, and you can find me on Twitter as encrypted. Okay, the obligatory disclaimer: the views expressed here are mine, mine alone, not those of my employer. Okay, sorry, my clicker is not clicking. So this talk is about us taking a big-picture view of the threats to our enterprise, the threats and the risk in fact to our enterprises and their attack surfaces, because we need to see what we're missing and we need to identify the gaps based on our current regulations and security policy frameworks. So my hope is that I can give you some takeaways and a better understanding of IoT and ET

within our enterprise environments in terms of definition and threats and attacks, and I'd like to give you some recommendations that you can take away with you so that you can better secure the policies and frameworks you've currently got in place and enhance your own security policies. All right, so let's talk about IoT, or IoT in the enterprise. Now, different... everybody here, I'm assuming, does know what IoT is. So ET is just that: it's in the enterprise realm, the enterprise of things, and it's a term that's been around for a while; however, it's not one that we use nearly enough. Essentially it's what happens when we bring all the stuff that connects into our organizations and our

enterprise networks. I want you to think about that for a second, because we've really got a handle on this IoT stuff, right? Ain't not a chance. And that's why I'm here, because there's a lot that we need to talk about. So according to Gartner, all of those things that connect are going to double between 2018 and 2020, which is next year, as the old tech is replaced with the new, and the enterprise and automotive IoT market is going to grow to this: 5.8 billion endpoints. And that's a lot of endpoints. So what do you think that's going to include? Well, we've got utilities, right, we've got smart cars, we've got monitoring, we've got security systems, intruder detection and/or

surveillance, building automation, never mind all of the other good things that we rely on. There's the convenience things: lighting, smart lighting. We've got a lot of stuff with a lot of benefits that are perceived. However, we want that, but as the saying goes, be careful what you wish for. So everybody remembers the story of The Sorcerer's Apprentice, right? He wanted to simplify his chores, he used a spell, he didn't really understand what he was doing, and things got out of hand very quickly. Well, the same analogy applies when we're talking about enterprise of things. Quite frankly, we really don't understand what it is we're doing, and yet here we are bringing more and more IoT devices in without actually

having a plan or the security in place. Right now the biggest users of IoT with the greatest projected growth are manufacturing, of course, transportation and utilities. Now I'm going to throw another big number out at you. Let's talk about all the data that we're producing: over 90 percent of that data in the world has been produced over the past two years. Anybody want to take a guess, just a wild guess, of what our current output is in terms of bytes per day? I didn't even know this was a number: 2.5 quintillion bytes a day. That's a heck of a lot of data, and we just keep making more of it. So when the Internet of Things becomes the enterprise of things,

the attack surface grows and so does our liability with that. What does it look like? Well, essentially it's some operational tech, and that is what's tied to helping businesses achieve their goals and the outcomes in terms of profit. So if we want to look at manufacturing, that includes automation, robots on the floor, sensors and scanners. There's healthcare, which relies increasingly on this not only to help it manage the costs but in terms of delivering higher quality patient care and experience. Some of the really good things that means are doing remote medicine and reaching people, patients in the north, far away from available medical facilities. That's a really important thing. There are pumps, there are MRI

machines. I know I've relied on these things, I know people who are relying on these things. There's patient monitors. Now, I've been privy to hear some excellent talks about medical equipment and the security risks, and this continues to grow as a concern. You may not know this, but there could be up to 15 devices, 15 connected devices, per one patient bed. Then there's businesses and corporations who use smart TVs and digital conferencing, and don't forget the printers and scanners. And retail, of course, which has to use this everywhere, because they need to not only just scan in the information, but now we have automated kiosks. At the CVS like a couple of blocks over there's three of

these independent kiosks, and you're going to see more and more of those. You may be standing in line at Target and suddenly a message pops up; that's because they're utilizing this to pump out the information to get you to buy more goods. They also use it to track the inventory on the shelves and to monitor for loss prevention and theft. And then of course there's digital displays, which can be fun to play with. Transportation and logistics: warehousing and transports to get our cereal from spot to spot, be... all of the things have to be delivered, monitored, protected, so not only every scanning goes in and out of the warehouse is to make sure that there's

enough supply in just-in-time inventory, but it's monitoring those trucks, and some of those are refrigeration trucks, right, to keep seafood etc., perishable items, safe for consumption. They also help the trucks in terms of tracking fuel consumption, location, rerouting in case there's an accident down the road or bad weather conditions, checking on delivery times. There are wearables, which enable employees to communicate more effectively with one another. And then of course there's buildings and facility management: we've got HVAC systems, locks, physical security, monitoring. In other words, that's a whole lot of vulnerability that's just waiting to happen.

So this is my first and main takeaway for you. Right now we're not spending as much as we're buying, and we're not putting that security in place. If the greatest projected sources for endpoint electronics revenue in 2020 are going to be consumer connected cars and networked printing, all I can say is we are so hacked. All right, we all know what the road to hell is paved with, don't we? So just about a year ago I heard a talk by Christine Gadsby, she's the head of product security operations with BlackBerry, when she was talking about how the Internet of Things has grown exponentially. No secret, we definitely know that, not just within the

consumer space but specifically within enterprise, and enterprises want to use all of these fabulous, innovative new endpoints for potential business value, right? And it's opportunity and it's growth and it can help create organizational efficiencies. This is all the kind of stuff that business wants to achieve, and if you're aligned with the business goals you also want to achieve these. It's a combination of what's coming in through literally billions of sensors and sophisticated algorithms for analysis, and this is supposed to help streamline business processes, increase productivity and then develop leading-edge products, because innovation. However, with great reward comes great risk as we continue to venture further into uncharted technologies, and face it, we really do not know what we think we

know when it comes to IoT, especially when we bring it into enterprise environments. So what is it that we are not considering? What is it that we haven't thought of? For example, how many of these vices, these devices, can actually listen to us? Now, another factor: we still don't have a handle on cloud, but that's the home of IoT. We face serious capability gaps when it comes to integrating IoT into business. Companies are not taking a holistic or a big-picture view, but they're just focusing on one enterprise IoT program, and what happens is that leaves out organizational capabilities and change management, which you need when you are doing any kind of a large-scale rollout or initiative. Those are the

checks that help keep us in place. So even with all that we know about inherent security risks in IoT, and as targeted ransomware attacks significantly increased across 2019, try a hundred and eighteen percent increase from 2018, there are no real regulations or enforcement to ensure security. So let's talk about what we think we know. To understand enterprise of things, we kind of have to understand the Internet of Things, and I'll start with this drawing. Are people familiar with the... exactly. Everybody has a different definition of the same thing. Well, that leaves us with what? This is not surprise, this isn't IoT. Now, they say that a picture's worth a thousand words, and so we'll give you

this. What you see here is a lot, a lot of devices: different firmware, different products, there are different protocols, different third-party APIs. Essentially that is risk, that is vulnerability waiting to happen. So simply put, IoT devices are typically non-internet items that have been enabled to connect, to enable them to communicate with other devices online. And that coin was officially termed, that term was coined, by Kevin Eldridge, Kevin Ashton, sorry, MIT, back in 1999, so it's been around for a while. There are different flavors, of course, of IoT: there is industrial IoT and there is the Internet of Health Things, and then there of course is enterprise IoT. What it is is technology that communicates either

machine to machine or mobile to mobile, and it means, in whatever flavor that you care to describe it, it's extending that Internet connectivity to ordinary physical devices. And I keep emphasizing that because these were things that were not initially designed to communicate with the network. So we're enabling them to connect and communicate with other similar devices, and what we're doing in that sense is we're going beyond our defined security boundaries to allow connections to devices, and then we, the humans, are taking ourselves out of that equation. And let me leave that concept with you.

So what are unmanaged endpoints? This is what IoT devices essentially can be. Well, there are the things that don't have any security built in, not security that we can manage and better configure. I think plug and play, for example, because convenience, my friends, has become the root of all evil. And so many IoT devices are actually unmanaged systems that are able to communicate with other devices and systems within enterprise organizations, your organization. They process and transmit information, and they have an operating system, however simple that might be, and they cannot be managed by traditional security tools that we have in place, but a lot of people think they can. We don't get to configure them, we can't make them better

than they are, we're stuck with what we get. So yeah, what could go wrong? Well, let's start with refrigeration on transport trucks. You've got a load of shrimp going to your local seafood store, and the temperature control fails but it doesn't alert the driver, and he shows up at the door and the shrimp is disgusting. Well, that's a loss you can measure in dollars. But what about when it's a loss you have to measure in terms of life? What about HVAC systems in the buildings where we work, where we live, or the hotels that we get to stay at? Is anybody familiar with Legionnaires' disease? There are outbreaks, and if you're relying on controlled, monitored systems to ensure

that ventilation is clean and air conditioning is running properly, and those fail and the bacteria develops and builds up and it's not being tested for, and you can't monitor everything, you can have an outbreak of Legionnaires' disease or something similar. Think in terms of quality control for food we eat or medicines that we use. What if those controls are not working properly, or we can't see end to end to ensure that something isn't in there and interfering with that transmission process? If those controls were tampered with, how would we know? Now, I might be a little paranoid here, but we have seen ransomware very active in our hospitals; it's an ongoing situation. The fact is we

rely on these devices to be reliable and to notify us. In other words, we trust them. And what is that cardinal rule about trust for those of us in InfoSec? Trust nothing; trust but verify. Okay, so there's a lot that we don't get right. Is anybody here a baker? When you're baking and you've got a great recipe for birthday cake, you can maybe double it up and make like a second batch of cupcakes for the class fair. It's okay, it works really well. But that does not scale to 10,000 cupcakes. You are not going to get anything near that original cupcake recipe if you try. This same thing applies in hyper-connectivity,

because we have to connect all of the things all of the time, and that consumer-driven need for things has just made itself right at home in our enterprise environments. We're dealing with a rush to market, right? We're dealing with the need to be innovative and ahead of our competitors, so we don't have security in our software-defined life cycles the way we need to. We face supply chain risk and the possibility for the liability, so devices get shipped that cannot be updated or are really difficult to update, and risk gets pushed along that supply chain so that whoever buys it owns it, and consumers wind up bearing that security maturity issue for the enterprise of

things. According to a Ponemon survey done back in March of 2017, most organizations were not inventorying IoT devices because they just didn't have centralized control over the devices that were coming into their workplace along with the apps needed. You know what that can lead to: shadow IT. How many people here are familiar with the term? Do I need to explain? Okay, good. Now I have a question: how are you inventorying the personal devices used by your staff or your employees for bring-your-own-thing IoT? You might have BYO device to some extent, but a lot of stuff is coming in that is IoT, that is getting plugged into the networks, and it is staggering

to see what is actually on there that should not be on there and cannot be seen. So I'm gonna leave you with this concept: just one of those devices compromised offers lateral movement within the networks for an attacker.

Okay, so let's consider this an open invitation to shadow IoT through increasing unmonitored and unsanctioned BYOD. And as IoT continues to move further into our enterprise realms, shadow IT becomes shadow IoT, becomes shadow ET, and we have new challenges and risks that our current frameworks do not address. So here's another worry for you: how does your current security policy and SLA address IoT with your trusted third parties? This really doesn't appear on a lot of agreements, and it needs to.

So the other thing: in an article from CSO from 2018, 97% of risk professionals said that a data breach or cyber attack caused by unsecured IoT devices could prove catastrophic to their organization. Well, that's pause for concern. And I'm gonna use this as an analogy: IT teams and hospitals do not have the visibility to see how many devices that are IoT, or what types of medical devices, are actually on their networks. I think that that translates to any organization. Unless you're actively monitoring for it, unless you've actually set up the configurations to identify, you really don't know what's on there and what's out there. As well, you don't have an appreciation or an understanding of the

risks and vulnerabilities of these types of devices. You're... we are used to working with conventional equipment and sanctioned and approved networked devices within our enterprise environments, but these devices are also getting attacked for their access to data, and they can reveal all of the valuable stuff, financial, health, personal, but they can also be leveraged for ransomware, pulled into botnets, or potentially worse. So here are our takeaways. We've identified what makes ET different from others, we know about the ongoing and increased risk to shadow IT as it becomes shadow ET, and then what we need to have happen is a shared corporate responsibility across multiple layers of management to be responsible for this. So now that we know what it is

and we care, how does it work? This will be just a really quick step through. I am leaving a lot of stuff out because this is not a course on what IoT is. I'm gonna ask that you think of it in terms of three layers. First level, of course, are the devices, the things. These are sensors and actuators, and that's pretty much the realm of it. They're sitting at the edge and they're gathering all of the data, and then they're able to action it, and they send it up using an IoT gateway to the cloud. They typically communicate through either wire or through radio frequency. Now, some devices come ready to go out of the box; others are

more legacy or older equipment, and these connect through analog or serial connections, and they get connected to things like microcontrollers. There are systems on modules, known as SoMs, or there's single-board computers, called SBCs, and these utilize devices like we're familiar with, Arduinos or Raspberry Pis. Next we have the IoT gateways, and these act as our middlemen, to both serve as a messenger and a translator between the cloud and the smart device clusters. So we've got a lot of physical devices or software programs working alongside that, and what they need to do is they normalize, connect and transfer the data between the physical device and the cloud, and that is a ton of raw data that has to be

filtered and processed. So a lot of these are now being enhanced with additional capabilities to do just that, to filter through the data and make it more useful and take out a bunch of the stuff that nobody can or wants to have to use. It's designed to help address, we saw that previous slide with multiple protocols that are out there, to connect with AI to do some pre-processing, to help us do provisioning and device management. As well, more of these devices are being equipped for data encryption, and that is a huge thing. Ideally what we want to see is encryption of the data from end to end, whether it is in transit or at rest, and

then as well offering some degree of security train. Last but not least is the application layer, via the cloud. So we need a huge place to store all of this data and a place with a ton of processing power, hence the cloud, and this is all about big data. So we have got storage, filtering, data analytics, as well as the alerts and monitoring that's you. So wireless sensors and actuators work together; they provide that connection between the digital and physical worlds, if the sensor is collecting the information, passing them on to the actuators. So if I was going to use an example for you, I could use a cell phone. On your cell phone you've got a camera

and a mic. These are inputs, and they take in obviously visual as well as audio data. The speaker and your screen act as the actuators to turn that into actionable information for you. So how many sensors are out there? Billions, billions of them. The average home actually has enough to fill more than 300 32-gigabyte iPhones, and much of that information, as I said earlier, is raw and it needs to be filtered out; it's literally not usable. For example, in a report from a gas rig, the managers were only able to use 1% from a ship's 30,000 sensors to do maintenance planning. So on average they're saying that companies are using maybe 10% of all the

information they're taking in. Another important point is that actuators can produce physical changes based on the information that they get from the sensors. They actually make a decision and do something: they can move something or shut off a device. So think back to when we were talking about handing over control to the machines and what could go wrong.

There are four types of communications between the devices. There's the device to device, basically using things like Bluetooth or Zigbee to communicate with each other. There's the device to the cloud, talking up through that gateway. There's the device to the gateway, again just going straight to the gateway. And finally there's cloud to cloud, so that's within the architecture, and you have APIs and software. When we're talking about IoT architecture, these are essentially the requirements that we are striving for to build in and support, because you need to be able to do good data collection, have it efficiently handled so that you can minimize the raw data coming in and put together usable output; connectivity and communications, because not only do you

have to connect to that network, but you want it to be flexible and robust in terms of the protocols that it will support; scalable, of course. We want security, ideally end-to-end encryption and monitoring. We want both availability and quality of service, because we want to limit the downtime and have a fault tolerant. It needs to be modular and flexible and platform independent, because it's going to be working across a huge range of things and territories. Each layer ideally is going to allow you to add different features, different hardware and cloud infrastructures from a variety of suppliers and manufacturers. You want it to conform to open standards and be interoperable. And then for device management, you want to enable automated

and remote device management so that you can get things like automatic updates. You also want to have defined APIs within each layer to allow for easy integration. And that brings us here: we have to integrate all of this fast-moving and evolving tech into established constraints. Welcome to enterprise architecture. So think of enterprise architecture, or EA, as urban planning for systems. It's for systems, for networks, for integrations; all of the things have to live somewhere. So while systems engineering is essentially for one component, like a building, EA is for the community, and the challenge comes from trying to incorporate all of that new technology from IoT into the existing and even legacy systems of enterprise

architecture. So terms like rigid and traditional can apply here, and the fact is these are not systems that are designed for speed or agility. They are in place because they're solid and they're secure, and they're looking at a different, bigger picture. IoT is about innovation, and you want to be able to move quickly and rapidly and enhance what you've already got and keep building on it. That's not the goal of enterprise architecture. Enterprise architecture has to address existing security concerns, manageability and interoperability. Now it has to also do this in conjunction with IoT, so that it doesn't inhibit an organization's ability to innovate or operate. You can see where the challenge is. So if we're

looking at those principles, what did I leave out? What word never got mentioned in there? Somehow security gets left off this list a lot. This is kind of what it looks like. This is actually what it looks like. So you're bringing data across three different networks with a variety of protocols, requirements, firmware and hardware,

which brings us to our takeaways. You've got three different layers of architecture to consider: the physical, the Internet gateway, as well as the cloud; billions of devices out there, the sensors and the actuators that can even produce; and how we are monitoring the data across three different networks; and the integration issues when you try to bring IoT into existing enterprise architecture. So how is it that IoT attacks are different? Let's start here, please. We're used to talking about conventional attacks in terms, or breaches even, in terms of being focused on data exfiltration for identity theft and credit card theft and monetization. In the IoT world there is some of that, but really these connected devices have

more riding on them. They run things that we rely on, they work often in mission-critical environments, critical infrastructure, so the attackers can turn the devices against the company, and it becomes about disruption or destruction, and the impact is measured in terms of damage more than it is dollars. And that presents a challenge of securing beyond what we know as the CIA triangle. Attackers can carry out man-in-the-middle attacks, spoofing, cloning, software attacks that will steal credentials, and encryption attacks against key algorithms. Now, this information is from the Irdeto Global report from May of this year. There was a survey of 700 enterprises across five countries, which included the UK and the US, and they stated a distinct

lack of optimism about the future security of IoT devices in these organizations. 82% of these organizations that manufacture IoT devices are concerned that the devices they develop are not adequately secured against a cyber attack. That's a pretty sobering statement. And in the UK, Germany and China, all of which are very large producers of things, a hundred percent of the IoT device users felt that the security of the devices they had could be improved to a great extent, which is an alarming finding considering how much they're putting out. Now, forty-nine percent of these organizations were making security part of their SDLC process, and about 53 percent conducted continuous security or code reviews. That sounds like a good

number until I say it only takes one.

So just take a look at these stats and think about your own organization and what you might answer if you were asked these questions. What are your firmware updates in your policies for security? Are they automated? How about default configurations: do you check all of the devices coming in, and do you look for backdoors, which can also have default configurations, things like Universal Plug and Play, open ports? So this past April, Microsoft's Threat Intelligence Center discovered a targeted attack by an advanced attacker known as STRONTIUM, APT28, out of Russia, against IoT devices. Involved was a VoIP phone system, printer and a video decoder, and the attack hit multiple locations. It used the devices as access points

into the wider corporate network. That's a huge risk for any enterprise. Now, two of these three devices still carried the factory settings and the software, and the third one had not been updated. Points of ingress will lead to further access. So I work in threat intel and we like to follow the games that nation-states play. They target critical infrastructure. Who here has not heard of Stuxnet? Exactly. But there are other destructive and targeted malware out there, like Shamoon for example, and more recently Triton. International economic sanctions provoke retaliation, which we have observed very recently with both Iran and North Korea, and they have demonstrated their capability with destructive malware and cyberattacks. Thanks to the release of Mirai source

code from just a couple of years ago, we have a plethora of botnets out there that have been weaponized and pose a real threat. This is not about monetization; this is about power and control. And what are the consequences of ignorance or inaction? This is more from that Forrester survey. So unmanaged and enterprise of things devices are far more vulnerable to attack than conventional devices on the network. We cannot apply our same attack scenarios and threat models to these devices, and what we need to evaluate is what do we have in place, because once they get in, attackers can leverage, and then they can pivot and go further into our networks. Which brings me to this misc, because it

only takes one. These are some attack vectors. Yes, printers. Printers are a big risk, you would be surprised. HVAC. Anything that you can compromise can be leveraged as a point in. We have increasing risks through crypto miners: once somebody gets into your network, they're in your network. It doesn't matter if they came there to mine, they stayed there to do more. We talked about the increase in ransomware over 2019, targeted attacks on industry: Norsk Hydro, for example, 60 billion dollars and counting. There's a lot of money to spend to try and get back up. Pitney Bowes got hit, and hit hard. Silex malware was discovered in June of 2019; in a space of hours it bricked 2,000 IoT

devices. It wiped their firmware, it trashed the storage, it dropped the firewall rules, it removed network configuration and it halted the device. It pretty much stopped short of frying the circuits. This is similar to something known as BrickerBot, which hit back in April of 2017 and ran through till December of that year and reportedly affected 10 million devices. So you could reinstall the firmware, but the reality is you won't, because it's that hard, and chances are you may not even recognize this as malware and just throw the device out. So this year again, millions of first-generation Amazon Echo devices, how many people here by chance use an Amazon Echo, and eighth-generation Amazon

Kindle devices, how many have a Kindle, yeah, are vulnerable to something called a key reinstallation attack, or KRACK. This is a four-way handshake vulnerability in the network and it was identified in October of 2017. These are the two CVE codes that are associated with it. Well, it came to light that actually these vulnerabilities exist in these devices and they can be exploited by attackers to conduct man-in-the-middle attacks against WPA2-protected networks. A lot of average consumers are going to just click right on that WPA2 button, because it's a button and it's easy, boom, I'm secured. Unfortunately, no. It can go into these supposedly protected networks and steal information from the targeted devices

and decrypt the packets sent by the clients via plain text. So you can see denial-of-service attacks result, a disruption to network communications, replay attacks; there's potential for greater. OK, who hasn't had a Polycom experience in your organization? It's ubiquitous, right? But this is what we do. I don't know about you, but my organization has cut travel spending, and this is what we rely on, is teleconferencing. There are a lot of endpoints in these systems. Well, the attackers know about these. They know that there are vulnerabilities, and with all of those endpoints, the fact is each one is an opportunity into your network. Who implements these in your organization? Typically it's somebody who's familiar with audio-visual

equipment. It's not the security team; that's not going to be something that's on the checklist. So Polycom HDX had a significant vulnerability that was actually being exploited, and these Polycom systems, they're linked to each other across different corporations. Just think about that for a second: across the globe. And the risk of this is that through these unified communications devices, which often still have their default passwords or PINs in place for use, one, it just takes one, to infect the whole system. URGENT/11: has anybody heard about this? Because this was just recently announced. This is a very significant set of six vulnerabilities that can lead to remote code execution. There's a huge range of

the affected versions that spans across 13 years, and there are a lot of manufacturers who use this as their operating system. Attackers can effectively circumvent the NAT and firewalls to control these devices remotely via the TCP/IP stack, undetected, because the vulnerabilities have a low-level position in the stack; they're just seen as harmless communication, that's what they're showing up as, and there's no user interaction required. So the vulnerabilities don't require any adaptations to the devices, and it spreads very, very easily. Here are just some of the devices that are impacted and some of the huge manufacturers. We all use things from these companies in enterprise systems, and this affects everybody. There are proofs of concept

for these attacks by Armis online. This, for example, is against a SonicWall firewall. I used to work for a managed service provider that put SonicWalls in, because firewalls are supposed to be your line of defense. They're not supposed to be vulnerable, but they are. And an attacker can take over this SonicWall firewall via URGENT/11, and then they use a specially crafted TCP packet to take over all of the firewalls. In another instance, any of these connected devices can be taken over by an attacker to get in and to compromise your network. Here are our takeaways,

which brings us to this: we need to make it better. Who's seen the movie I, Robot? Exactly: it was good until it wasn't good, right? And that about sums it up. When we have IoT infiltrating enterprise systems, these devices are not the obedient little soldiers that computers and laptops are. They interact differently with the network, and they behave differently, and they operate with little to no human intervention, because we've taken ourselves out of that equation. So I'm just gonna say this: automating convenience with inadequate supervision, it's just gonna end badly. So how do we make it better? This whole section is a takeaway for you. Know your attack surface: operating systems, software, liability reduction.

Please use strong authentication in conjunction with good passwords. Check for the defaults and remove them. Network segmentation: you've got to keep them separated. Give them their own space; set them up on a private VLAN, their own portion of the network. Firewalls and VPNs, because you got to go through me first. Automation: you can't do this the way you're used to doing it anymore. You really have to automate for visibility, because you need visibility and you need to be able to identify currently everything that's on your network, in your network, and establish baselines, and then be able to update it regularly. Have centralized access logs, which will help your IT team know your baseline and then monitor for anomalies.

This: we need to put rules in place. Businesses need to be clear about what they're using, how they're using it, why they're using it, and then set that up with policies and enforcement. Yes, we need to use automation to help us do this better. We need to classify our devices in terms of how they're going to be used and who's going to use them and who is going to have access, and give that authorization accordingly. We can utilize frameworks in NIST and CIS that actually address IoT. We can develop a better, comprehensive IoT security policy, data encryption all the time, and have a mature software-defined lifecycle. If you need help, you can find things like this

online to get that framework in place for you. Big takeaways: know your normal so you can monitor for those anomalies, and automate. There's even this zero trust privilege that will move us past existing approaches to privileged access management. So let's recap. We need budgets, but spend some time and money to control unmanaged and IoT device security. Put them in their own place. Invest in the people, policies and procedures across your organization. Invest in automation so you have the visibility. Collaborate, work together, get out of the silos and share the information, and make a good security policy. And that is it, and I thank you very much for your time and attention today. Thank you, Cheryl.

You've got time for one quick question, so if there is one, raise your hand. Any questions at all? For the devices, but for a number of years, you know, we've been saying these things are not secure, these things shouldn't be part of the network. So are things getting better or are things getting worse? Things are getting... uh-huh. I believe things are getting worse, because we're outnumbered by those devices. We do not have policies in place, we don't fully understand what we're using, and we are not really secure yet in the cloud, where a lot of this is going. The volume of data that we're producing, and we're losing, through things like misconfiguration: every week it's another

Elasticsearch database, or a database that's exposed with, you know, 180 million records because of misconfiguration. We are not there yet. That would be my answer. Sorry. OK, OK, thank you everyone. [Applause]