There is an increasing landscape of risks facing well-connected businesses, and security practitioners must act now to mitigate them, explains Wendy M. Grossman
By the end of Laura Poitras’s documentary about the Snowden revelations, CitizenFour, Edward Snowden and Glenn Greenwald are so worried about surveillance that they sit side by side and write each other notes on paper sheets carefully shielded from the camera and discuss only in vague monosyllables. It’s not paranoia if they’re really spying on you.
The incoming constellation of technologies known as the internet of things (IoT) is bringing with it new security concerns that only a few years ago would have sounded like paranoia but are increasingly realistic. In November, a Reddit user posted a story about a boss’s computer that was infected with malware after an infected e-cigarette was plugged into its USB port to recharge.
“The funny thing about it,” says Rik Ferguson, vice-president of security research for Trend Micro, “is that it’s not a new thing. Production line malware has been built into hardware like digital photo frames and others for many years now. The oldest example I could find was 2008.” What matters more, he says, “is how you manage any devices being connected.”
Lagging Behind
The underlying problem, says Adam Westbrooke, product director for UK-based Ovo Energy, is that manufacturers build to customer requirements: low cost, ease of use, and high functionality. Adding security tends to interfere with at least two of those – but the risks associated with breaches are wide: escalating attacks, unchecked access points to more complex systems, and hidden surveillance. He cites, for example, a recent survey of cheap tablets that found many are released with developer access still enabled and even spyware installed. All of these build on existing vulnerabilities.
The head data scientist for Massachusetts-based BitSight, Stuart Layton, says that one consequence of his company’s efforts to create objective ratings of the security effectiveness of other companies is that, “People are just beginning to realize how poorly their security has been configured up until now. We’re trying to tell people so they can make changes.”
At this early stage of the IoT, Layton is seeing what experts have been warning from the beginning: devices of all types accessible via the open internet – webcams in companies, printers, industrial-grade network switches, and mail servers, many with manufacturer-installed backdoors that are thoroughly documented in manuals that are easily accessible.
“What’s kind of alarming about the internet of things is that the technology industry, despite being in technology, has a pretty bad track record on maintaining the security of devices,” Layton explains. “Small companies won’t update, users won’t be aware how connected they are, and they pose a real security threat to themselves and anyone connected to them.”
The key to change, he adds, is ensuring you know what your public-facing network looks like, reviewing policies governing traffic passing over your network, and regular self-scans to ensure nothing unexpected has been able to connect in or out.
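The self-scan Layton describes can be reduced to a routine diff of what an external scan sees against the surface the business has actually approved. The following is an added example, not code from the article or from BitSight; the hosts, ports, baseline and scan output are constructed sample data, and the list of risky embedded-device protocols is an assumption for illustration.

```python
"""Added example (not from the article): a self-scan check that compares the
services a business actually exposes to the internet against an approved
baseline, flagging anything that connected in or out unexpectedly.
All hosts, ports and the scan result below are constructed sample data."""
from dataclasses import dataclass

# Management protocols that embedded devices (webcams, printers, switches)
# commonly leave open and that should not face the open internet at all.
RISKY_SERVICES = {"telnet", "ftp", "snmp", "rtsp", "upnp"}

@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str

# Approved public-facing surface, reviewed by the security team (constructed).
BASELINE = {
    Exposure("203.0.113.10", 443, "https"),   # corporate web front end
    Exposure("203.0.113.20", 25, "smtp"),     # mail gateway
}

# What the latest external scan actually saw (constructed).
SCAN_RESULT = [
    Exposure("203.0.113.10", 443, "https"),
    Exposure("203.0.113.20", 25, "smtp"),
    Exposure("203.0.113.31", 23, "telnet"),   # network switch management port
    Exposure("203.0.113.44", 554, "rtsp"),    # IP camera streaming to the world
    Exposure("203.0.113.44", 80, "http"),     # same camera's admin page
]

def review_exposures(scan, baseline):
    """Return findings grouped by what a practitioner must act on:
    'unexpected' (not in baseline), 'risky' (unexpected AND an embedded-device
    management protocol) and 'missing' (approved service no longer answering,
    which may mean an outage or a mis-targeted scan)."""
    seen = set(scan)
    unexpected = sorted(seen - baseline, key=lambda e: (e.host, e.port))
    risky = [e for e in unexpected if e.service in RISKY_SERVICES]
    missing = sorted(baseline - seen, key=lambda e: (e.host, e.port))
    return {"unexpected": unexpected, "risky": risky, "missing": missing}

if __name__ == "__main__":
    report = review_exposures(SCAN_RESULT, BASELINE)
    for kind, items in report.items():
        for e in items:
            print(f"{kind:10} {e.host}:{e.port} ({e.service})")
```

Run against each scheduled scan, the "missing" bucket is as important as the others: an approved service that stopped answering is either an outage or a sign the scan no longer covers the network you think it does.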
Device or Data?
However, Ferguson suggests that focusing on the devices themselves – as in Black Hat talks – is to some extent misguided. Instead, he says, “What hackers are going after is the data,” which, he adds, means the cloud. “In large part, as a business you should be looking at how you mitigate the risk in the data center as well as the devices connected to the corporate network.” Even with something as personal as a heart rate monitor, the risks lie primarily in how the data is transferred, stored, and processed. “These are all data center questions,” Ferguson summarizes.
Despite that, some risks evoke the scene from CitizenFour. In mid-2014, the consultancy NCC Group demonstrated compromises of smart TVs and electronic hotel door locks. The researchers made three main points. Firstly, manufacturers assume that only other machines, not humans, will communicate with these devices and therefore security doesn’t matter. Secondly, manufacturers in the embedded world still think ‘security by obscurity’ is a reasonable strategy, forgetting that internal schematics and technical manuals including default passwords are all easily accessible on the internet. Thirdly, vulnerabilities present in devices when first deployed – such as the decision to run everything on some smart TVs as root – are likely to persist for years. Who patches a car – or a light bulb?
“I think you have to make the assumption that a lot of these devices should be untrusted and treat them accordingly,” says Rob Horton, NCC Group’s European managing director. He advises that, whenever a new device is connected, security practitioners should assess whether it introduces insecurities into the network that provide an entry point and what the impact of a compromise would be.
"As a business you should be looking at how you mitigate risk in the data center" – Rik Ferguson, Trend Micro
“I know of a company where the video conferencing system would allow you to dial in and it would automatically pick up, but the TV wouldn’t necessarily turn on,” Horton explains. The resulting scenario was very like last year’s season-ending episode of the TV show The Good Wife, where a law firm gained the advantage over its opponents by listening in on an apparently disconnected conference room.
“If I were a cyber-criminal, would I target lots of different companies, or would I go for law firms? They’re aggregators of really sensitive information such as mergers and acquisitions. Your threat as a company comes from many different aspects.”
Escalating Risk
Despite the spooky nature of this complex and less predictable environment, Kim Larsen, a senior client executive for Verizon, argues it isn’t really new: “Machine-to-machine communication, which is the foundation of the internet of things, is something that’s been going on for a long time.”
On the other hand, he agrees that the IoT can exacerbate existing risks. One often-cited data point in the 2014 annual Verizon Data Breach Report, for example, is that organizations commonly take up to six months to detect a data breach.
“In the internet of things environment that could be very bad,” Larsen says. Both manufacturers and purchasers of such systems therefore need to ensure that security is built in at the outset rather than applied afterwards. The desktop computer model – release and update – will not work in this environment. SCADA systems are a good example of what not to do; legacy systems newly connected must change their threat model.
Larsen continues: “This is why the companies who do this for internet of things devices need to be very much aware that cyber-threats are a huge issue they need to mitigate from the beginning and not try to solve afterwards.” Among the risks he lists is manipulating sensor data in ways that damage the system – for example by allowing the water pressure to get too high, or creating power spikes and denial-of-service attacks.
Risks like these are beyond what most security practitioners are used to. As Piers Wilson, head of product management for Tier3, a Sydney-based company specializing in security monitoring solutions, puts it, “The effects will be real. The coffee machine will overheat, healthcare will stop monitoring, your car will stop. So the implications are going to be real things rather than just flows of data and credit card information. A part of the physical world will change.”
This is a particular problem for organizations where IoT technologies will be an integral part of delivering the business. These include healthcare, logistics, delivery services, education, and manufacturing, where incorporating sensors into existing automated production lines will be the next stage of development. The key for Wilson will be ensuring that systems are designed to deal with failure scenarios and that good monitoring will catch anomalous behavior that might indicate problems.
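The monitoring Wilson calls for, and the sensor manipulation Larsen warns about (water pressure pushed too high, spikes, a device that simply stops), can be expressed as independent checks over the telemetry stream. The following is an added example, not code from the article or from any vendor quoted in it; the pressure limits, sampling cadence and readings are constructed and the thresholds are assumptions.

```python
"""Added example (not from the article): anomaly checks over a constructed
stream of water-pressure readings from a connected sensor, covering the
failure scenarios the text names: values pushed past a safe limit, readings
that change faster than the physical process allows (possible manipulation),
and a sensor that silently stops reporting. Thresholds are illustrative."""
from dataclasses import dataclass

SAFE_MAX_BAR = 6.0      # physical limit of the pipework (assumed)
MAX_STEP_BAR = 0.5      # largest plausible change between samples (assumed)
SAMPLE_INTERVAL_S = 10  # expected reporting cadence (assumed)
STALE_AFTER_S = 3 * SAMPLE_INTERVAL_S

@dataclass(frozen=True)
class Reading:
    ts: int       # seconds since start
    bar: float

def check_readings(readings, now):
    """Return a list of (timestamp, alert) tuples. Every condition is reported
    independently so that a manipulated value cannot hide a dropout."""
    alerts = []
    prev = None
    for r in readings:
        if r.bar > SAFE_MAX_BAR:
            alerts.append((r.ts, f"over safe limit: {r.bar:.1f} bar"))
        if prev is not None:
            if abs(r.bar - prev.bar) > MAX_STEP_BAR:
                alerts.append((r.ts, f"implausible jump {prev.bar:.1f}->{r.bar:.1f}"))
            if r.ts - prev.ts > STALE_AFTER_S:
                alerts.append((r.ts, f"gap of {r.ts - prev.ts}s in telemetry"))
        prev = r
    # Fail safe: no recent data is itself an alert, not an "all clear".
    if prev is None or now - prev.ts > STALE_AFTER_S:
        alerts.append((now, "sensor silent; last value cannot be trusted"))
    return alerts

# Constructed sample: steady readings, a sudden spike, then silence.
SAMPLE = [Reading(0, 3.1), Reading(10, 3.2), Reading(20, 3.2),
          Reading(30, 6.4), Reading(40, 3.3)]

if __name__ == "__main__":
    for ts, msg in check_readings(SAMPLE, now=100):
        print(f"t={ts:>3}s  {msg}")
```

The silence check is the failure-scenario design point: a monitor that treats "no new reading" as "nothing wrong" is exactly the system that stops monitoring without anyone noticing.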
Security By Default
The ideal would be to build secure products, write secure software, and deploy secure systems. Decades of software development, however, have shown how difficult a proposition that is.
"95% patching sounds impressive, but 5% of one billion devices is a large number" – Wil Rockall, KPMG
Wil Rockall, a director in the cybersecurity advisory team for KPMG, highlights this issue when he says that, “It would be a real shame if we went and, through lack of foresight, designed those systems to operate exactly the way we operate enterprise IT systems – inherently insecure products upon which we put layer upon layer of security products and then products on top of that to compensate for the weaknesses – rather than design them as inherently secure as we can.”
However, he adds, “There are always going to be bugs and problems. It’s hard to write really secure software, so we have a chance to really think about those things and do it intelligently rather than rush and blunder in with the same models.”
A complicating factor is the sheer volume of devices analysts expect will be deployed: we’re counting in billions. At that rate, the law of truly large numbers kicks in. As Rockall says: “95% patching sounds impressive, but 5% of one billion devices is a large number that makes it attractive to attack if you’re a criminal or a terrorist.”
A possible way to remedy that, he suggests, might be a legislative shift in allocating liability. “Who owns a piece of internet of things technology? Does the fridge manufacturer retain liability for all the things the fridge does? Do you have to pay for the two tons of yoghurt it orders?”
Frank Palermo, senior vice-president of the Millennial Solutions Group for Massachusetts-based IT services company Virtusa, favors being able to turn off or isolate misbehaving devices. In cars, for example, the entertainment system should not be hooked into safety-critical systems such as braking or steering.
Wilson notes that an added difficulty is that these technologies will arrive in the workplace without involvement or approval from the IT department, who are not the people historically tasked with buying items like coffee machines. “Technologies like that are not seen as IT projects.”
Taking control will be hard. Despite the risks, Trend Micro’s Ferguson warns that security practitioners will have no more success keeping connected devices out of the workplace than they did previous consumer technologies like mobile phones, tablets, or social networks. His advice: manage, rather than deny, their use.
“It’s an evolution for security departments,” he says. “Stop being the department of no; start being the department of how.”
This feature was originally published in the Q1 2015 issue of Infosecurity – available free in print and digital formats to registered users.