Internet of things (IoT) devices are prevalent in our home and business lives. Embedded devices have revolutionized manufacturing, industrial, supply chain management, logistics, retail, infrastructure management, food production, surveillance, and other functions combining data gathering, tracking, and analysis.
As IoT devices in homes, industrial environments, transportation networks and elsewhere continue to proliferate, so do our network attack surfaces. For example, in September 2020, IBM X-Force reported that IoT attacks observed from October 2019 through June 2020 rose 400% compared to the combined number of IoT attacks in the previous two years.
IoT devices pose a critical security threat since they are often connected to higher-value targets. Hence, with this rapid innovation, it is imperative to ensure the security and management of IoT devices. For example, you might think that printer off in the corner doesn't pose a threat, until a pen tester comes in, uses it to harvest credentials, escalates privileges and moves laterally through your network.
How Does IoT Impact the Threat Landscape?
IoT devices in vehicles, industrial systems, medical equipment and network gear are often designed as what's known as 'embedded' systems. An embedded system combines hardware (typically low-power ARM or Intel CPUs), firmware and software designed for a specific function. Embedded systems designers typically use off-the-shelf hardware and commonly available firmware and software stacks. The result is a great deal of common architecture among devices, which attackers know well. These devices often run an embedded, stripped-down Linux kernel or an embedded Microsoft OS, and often they cannot be remotely patched. This commonality can make them easy targets for attackers. To make things worse, embedded devices are too often deployed with default passwords and configurations.
Botnets are an infamous example of attackers taking over IoT devices and using them for nefarious purposes. Attack types commonly associated with botnets are the launch of Distributed Denial-of-Service (DDoS) attacks, brute-force attacks leading to information theft and ransomware deployment, and the covert installation of cryptocurrency mining software on vulnerable, Internet-facing servers.
One of the most well-known botnet attacks is Mirai, which made its debut with catastrophic DDoS attacks in 2016 against DNS provider Dyn and the website of cybersecurity expert & reporter Brian Krebs.
Mirai, named after the anime series Mirai Nikki, was initially developed by an undergrad at Rutgers as a proof of concept for DDoS attacks. The first DDoS attack from Mirai was against Minecraft game servers.
Mirai's source code has been used to create variants, including Okiru, Satori, and Masuta. Despite the age of the original botnet, the code underpinning it and the reuse of that code in mutated versions mean that Mirai is still a risk to organizations today.
Hacking Wireless Access Points
You probably have addressed WiFi security and have at least the top three threats covered. However, if you don't already have fundamental IoT and WiFi security policies and procedures in place, your network has likely been infiltrated, whether you know it or not, for the simple reason that it is so easy for an attacker to acquire tools and break into weak defenses. Hacking tools are plentiful and require little to no technical skill on the user's part to carry out a successful attack.
The HAK5 WiFi Pineapple
The HAK5 WiFi Pineapple, as featured on the HBO series Silicon Valley, is real and an example of how easily white-hat and black-hat hackers alike can acquire and use powerful hacking tools to their advantage. Check out the HAK5 website for details on the Pineapple. At the time of this blog, the basic model is only $119 and comes with a powerful array of software hacking tools ready for use against enterprise networks. This is one example of hundreds of readily available wireless hacking tools.
Protecting Your Enterprise – IoT Risk Management
OWASP IoT Top 10
The Open Web Application Security Project (OWASP) maintains a list of the top 10 IoT threats. The top 3 exploited vulnerabilities since 2018 are:
- Weak, Guessable or Hardcoded Passwords
- Insecure Network Services
- Insecure Ecosystem Interfaces
Mitigating IoT Threats
If you can do only three things to defend against IoT security vulnerabilities, experts recommend these steps as a high priority.
- Never use default passwords and configuration
- Close non-secured legacy remote access ports like SSH, Telnet and HTTP
- Employ penetration testing
While IoT security should be a component of your holistic cybersecurity and privacy risk management program, mitigating these fundamental vulnerabilities can significantly enhance your defense-in-depth posture.
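As an added worked example (not part of the original post and not Truvantis code), the audit below applies the first two mitigations to an asset inventory: it parses nmap-style greppable (-oG) scan lines, flags devices still provisioned with a vendor default login and devices exposing the legacy remote-access ports named above, reports devices that answer on the network but are missing from the inventory, and maps each finding to the OWASP IoT Top 10 category it corresponds to. The inventory, the per-model default logins and the scan lines are all constructed, and the inventory record shape is an assumption rather than any product's schema.

```python
"""Audit IoT devices against the first two mitigations above.

Added example (not Truvantis code). The asset inventory, the vendor
default logins per model and the nmap-style greppable (-oG) scan lines
are all constructed for this example; the inventory record shape is an
assumption, not any product's schema.
"""
from dataclasses import dataclass

# Legacy remote-access services the text says to close if not secured.
LEGACY_PORTS = {22: "ssh", 23: "telnet", 80: "http"}

# Constructed asset inventory: device address -> model and the login it is
# currently provisioned with (as recorded by the operations team).
INVENTORY = {
    "10.0.0.5":  {"model": "camera-x1",  "username": "admin",    "password": "admin"},
    "10.0.0.9":  {"model": "printer-p2", "username": "svc",      "password": "Tz9!kq-Vw2m"},
    "10.0.0.12": {"model": "plc-a7",     "username": "operator", "password": "operator"},
}

# Constructed vendor-default logins per model (hypothetical values).
VENDOR_DEFAULTS = {
    "camera-x1":  {("admin", "admin")},
    "printer-p2": {("admin", "1234")},
    "plc-a7":     {("operator", "operator")},
}

# Constructed nmap -oG "Host:" lines; fields are tab-separated, and each
# port entry reads port/state/protocol/owner/service/rpc/version/.
SCAN_LINES = [
    "Host: 10.0.0.5 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (997)",
    "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https///, 9100/open/tcp//jetdirect///",
    "Host: 10.0.0.12 ()\tPorts: 22/open/tcp//ssh///, 502/open/tcp//mbap///",
    "Host: 10.0.0.20 ()\tPorts: 23/open/tcp//telnet///",
]


def parse_greppable(line):
    """Return (host, {port: (state, service)}) from one nmap -oG Host line."""
    fields = line.split("\t")
    host = fields[0].split()[1]           # "Host: 10.0.0.5 ()" -> "10.0.0.5"
    ports = {}
    for field in fields[1:]:
        if not field.startswith("Ports:"):
            continue
        for entry in field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[0].isdigit():
                ports[int(parts[0])] = (parts[1], parts[4])
    return host, ports


@dataclass
class Finding:
    host: str
    category: str   # OWASP IoT Top 10 entry from the text, or "unmanaged"
    detail: str


def audit(inventory, scan_lines, defaults):
    """Cross-check the scan against the inventory and return findings."""
    findings = []
    scan = dict(parse_greppable(line) for line in scan_lines if line.startswith("Host:"))
    for host, rec in inventory.items():
        # Mitigation 1: never leave a device on its vendor default login.
        if (rec["username"], rec["password"]) in defaults.get(rec["model"], set()):
            findings.append(Finding(host, "I1 Weak, Guessable or Hardcoded Passwords",
                                    f"{rec['model']} still uses a vendor default login"))
        # Mitigation 2: close legacy remote-access ports.
        for port, (state, service) in sorted(scan.get(host, {}).items()):
            if state == "open" and port in LEGACY_PORTS:
                findings.append(Finding(host, "I2 Insecure Network Services",
                                        f"legacy remote-access port {port}/{service} is open"))
    # Anything responding that is not in the inventory cannot be managed or patched.
    for host in scan:
        if host not in inventory:
            findings.append(Finding(host, "unmanaged",
                                    "device answers on the network but is not in the asset inventory"))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, SCAN_LINES, VENDOR_DEFAULTS):
        print(f"{f.host:<10} {f.category:<45} {f.detail}")
```

Run as a script it prints six findings: the camera on its default login with Telnet and HTTP open, the PLC on its default login with SSH open, and an address that answers on the network but has no inventory record. The printer, which has a changed password and exposes only HTTPS and its print port, produces nothing. In practice the scan input would come from a real nmap -oG run against the IoT segment and the inventory from the asset register, which is exactly the pairing the "security and management" point in the introduction calls for.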
Securing Enterprise WiFi Networks – Best Practices
According to the Cybersecurity & Infrastructure Security Agency (CISA), wireless networks (also called WiFi) lack robust security tools such as firewalls, intrusion prevention systems, content filters, antivirus, and anti-malware detection programs that are common to wired networks. WiFi networks also provide wireless access points, which can be susceptible to infiltration. CISA published a list of best practices for hardening enterprise wireless networks, including:
- Use multi-factor authentication for access to the network
- Use TLS to secure authentication and data transmission
- Implement a guest WiFi network separate from the main network
- Keep equipment configuration and security patches up to date
- Enforce a "no WiFi" policy per subnet and across multiple subnets
- Deploy wireless intrusion detection and wireless intrusion prevention systems (WIDS/WIPS)
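The last item, WIDS/WIPS, is the control that catches unauthorized access points on the premises, including ones advertising a corporate SSID. As an added example (not CISA's, HAK5's or Truvantis's code), the detection logic below compares one survey of observed beacons with an authorized-AP inventory and flags unknown BSSIDs serving a corporate SSID, weaker-than-expected security on that SSID, an authorized AP advertising the wrong mode, and look-alike SSID names that differ only in case or whitespace. The inventory, the expected security mode per SSID and the survey records are all constructed, and the Beacon record shape is an assumption rather than any WIDS product's format.

```python
"""Flag rogue and evil-twin access points from a wireless survey.

Added example; not CISA's, HAK5's or Truvantis's code. The authorized
AP inventory, the expected security mode per SSID and the survey
records are constructed, and the Beacon record shape is an assumption
rather than any WIDS product's format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address the beacon was sent from, as observed
    channel: int
    security: str   # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN"


# Constructed inventory: corporate SSIDs and the BSSIDs allowed to serve them,
# plus the security mode each SSID must advertise.
AUTHORIZED = {
    "CorpNet":   {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "CorpGuest": {"00:11:22:aa:bb:03"},
}
EXPECTED_SECURITY = {"CorpNet": "WPA2-EAP", "CorpGuest": "WPA2-PSK"}

# Constructed survey of beacons seen by a sensor during one sweep.
SURVEY = [
    Beacon("CorpNet",    "00:11:22:aa:bb:01", 36, "WPA2-EAP"),
    Beacon("CorpNet",    "00:11:22:aa:bb:02", 44, "WPA2-EAP"),
    Beacon("CorpGuest",  "00:11:22:aa:bb:03", 1,  "WPA2-PSK"),
    Beacon("CorpNet",    "de:ad:be:ef:00:01", 6,  "OPEN"),      # our SSID, unknown AP, no encryption
    Beacon("CorpNet",    "de:ad:be:ef:00:02", 11, "WPA2-EAP"),  # our SSID and security, unknown AP
    Beacon("CorpNet ",   "de:ad:be:ef:00:03", 11, "WPA2-EAP"),  # trailing space: visually identical name
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:ff", 6,  "OPEN"),      # neighbouring network, not ours
]


def normalize(ssid):
    """Fold case and whitespace so look-alike names compare equal."""
    return "".join(ssid.split()).casefold()


def classify(beacon, authorized, expected_security):
    """Return a verdict for one observed beacon."""
    if beacon.ssid in authorized:
        if beacon.bssid.lower() in authorized[beacon.ssid]:
            if beacon.security != expected_security[beacon.ssid]:
                return "misconfigured"          # our AP advertising the wrong mode
            return "authorized"
        if beacon.security != expected_security[beacon.ssid]:
            return "evil-twin-downgrade"        # impersonates our SSID with weaker security
        return "evil-twin"                      # impersonates our SSID faithfully
    if normalize(beacon.ssid) in {normalize(s) for s in authorized}:
        return "lookalike"                      # near-identical name users may not notice
    return "neighbor"                           # someone else's network; log, do not alert


def detect(survey, authorized=AUTHORIZED, expected_security=EXPECTED_SECURITY):
    """Return {verdict: [bssid, ...]} for every beacon that needs a response."""
    alerts = {}
    for beacon in survey:
        verdict = classify(beacon, authorized, expected_security)
        if verdict not in ("authorized", "neighbor"):
            alerts.setdefault(verdict, []).append(beacon.bssid)
    return alerts


if __name__ == "__main__":
    for verdict, bssids in detect(SURVEY).items():
        print(f"{verdict:<20} {', '.join(bssids)}")
```

The neighbour's open network is deliberately not alerted on: a sensor in an office sees dozens of foreign SSIDs, and paging on each one buries the three verdicts that matter. The look-alike check is the edge case a plain exact-match comparison misses, since a trailing space or a case change is invisible in most client pickers. A real deployment would feed the survey from the WIDS sensors' beacon captures and keep the authorized list in sync with the wireless controller's AP inventory.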
At Truvantis, we also have a three-pronged approach to building and maintaining information systems for cybersecurity, privacy and compliance:
- Conduct a formal risk assessment, including using cyber-threat intelligence for an attack surface analysis. Determine where you are positioned concerning the threat landscape, budget, and risk appetite.
- Implement policies and controls leveraging standards-based frameworks (e.g., SOC 2, CIS Controls, ISO 27001, PCI-DSS, NIST CSF).
- Pentest your security and response systems.
Truvantis is a governance, risk management and compliance consulting organization. We specialize in helping our clients by implementing, operating, auditing and testing information security programs that work – balancing budget with organizational risk appetite. Contact us today to speak with a cybersecurity, privacy and compliance expert.