I’m doing a series of blogs with cybersecurity experts to talk about what they’re seeing out there in the Wild, Wild West of security. The first is with Logan Brown, President/Founder, and Ted Ross, CEO, of Exodus Intelligence. To get caught up on Part 1, click here. Diving back in…
Dan: We are starting to see devices of all kinds on corporate networks these days. What are the challenges organizations face in defending attacks against them versus traditional managed IT devices?
Logan: One of the areas that we’re doing some interesting research in is around connected infrastructure like SCADA systems that you might find on a power grid or medical devices in a health care provider. Recently, we have found 48 SCADA vulnerabilities in downloadable management software.
Ted: Right – and these new devices are typically focused on driving revenue, where time-to-market almost always trumps security – meaning that they do NOT go through a thorough security audit. When we get our hands on new devices, it’s usually trivial to find new ways of attacking the device.
Dan: And getting access to the software must be difficult…
Logan: It’s why we’re establishing relationships with SCADA vendors, SIs, and end users of the products. The reality is the software in these kinds of devices is not the best. The software libraries were created a long time ago. It’s old and open and rife with vulnerabilities.
There are tons of embedded devices that are running on custom code built on an older well-known operating system. A single vulnerability affects many embedded devices as they all share a common library. In this particular area of interest, if someone knows of a single vulnerability, it can affect big industrial manufacturing equipment, drones, dental systems, networking equipment, etc.
Dan: And the risk isn’t just in the device itself getting owned, but it also enables an actor to potentially pivot to any device on that same network. It’s the notion of hacking through vs hacking to.
Logan: And to make matters worse, most of the equipment running this code is business critical, so it can never be down to be patched (if those devices are even easy to patch). This is why most end users are so reliant on defensive security products.
Ted: Exactly, Dan. These new devices represent a new attack vector for critical assets. This is one reason why we recommend putting Internet of Things (IoT) devices on a separate VLAN that has no access to sensitive/critical assets. It’s already bad enough to worry about someone listening to your conversations because they hacked a camera/TV with a mic, but allowing these devices to be jump points is worse. To make the problem more severe, most organizations do NOT consider an IoT device as something they need to worry about. Do you think it’s common for people to ask the security department before they install a new smart TV?
Dan: Developers who build IoT devices are not compensated on security features – they need to develop the next cool functionality as fast as possible.
Logan: The mobile/IoT industry hasn’t learned the lessons that plague the PC industry around security. We continue to make the same mistakes when it comes to developing secure code. It’s like the movie industry when they make a mistake when filming on set – “we’ll fix it in post”. We’ll patch it later or someone will discover it later and a security vendor will protect with an appliance or an app. It’s frustrating, but it’s also job security if you are a security professional.
Ted: Not only do they want to develop as quickly as possible, they are created on point-and-click development environments that do not go through the normal software development life cycle. They are inherently less secure due to the way the apps are developed. I recently met an Industrial Control System developer. I asked him how they ensured a secure product. His answer was “We don’t test for security. We assume that our customers are using a firewall.” I was floored.
Dan: So, what’s the answer if the devices themselves can’t be secured?
Logan: Providing vulnerabilities for IoT devices is a common request from some security companies who are our customers. But, securing these devices is nearly impossible. There is a huge diversity of devices with different code bases and customizations. It’s a huge challenge.
And, interestingly, because IT security orgs are so focused on known stuff on managed endpoints, the demand for IoT security is not quite there yet. I suspect many security companies want to claim they protect them largely for marketing purposes without really being all that concerned about protecting them.
Ted: As a starting point, install these devices on a separate untrusted network/VLAN and assume that anything with a mic or camera can be hacked. Then make use of technology such as ForeScout CounterACT to identify when new IoT devices are added to the network – don’t rely on process/procedure or on users notifying the IT department when they add an IoT device – be realistic.
Dan: Unfortunately, I sense that the answer is just more hard work – that we, security professionals, need to 1) build awareness with organizations about the known and unknown threats in their environment, whether to managed or unmanaged devices, 2) discover what devices are in their environment, 3) make sure we do regular IT hygiene around patching, etc., 4) ensure we put enough defenses in place to protect against those threats, and 5) constantly monitor for signs of infection and remediate as quickly as possible.
ForeScout is investing pretty heavily into agentless device visibility, classification and integration with different management and security platforms to automate remediation and make it easier to do some of the steps above. It’s not easy.
Logan: It is definitely a challenge. The goal in the long run for Exodus Intelligence is not only notifying IT organizations of new vulnerabilities, but also making this intelligence actionable by integrating with threat intelligence platforms through an API or STIX/TAXII: showing organizations where they may be vulnerable to 0-day attacks, how they can protect themselves, and providing signatures for their IPSs. The key is to make it easier for IT security professionals to take action and recognize value.
Dan: Thanks for taking the time to meet with us today; we’ll catch up with you soon.