As our lives become more digital and our homes are filled with SMART devices connected to the Internet, we introduce technology dependence and new vulnerabilities. The Internet of Things (IoT) paradigm opens an El Dorado for cyber criminals, as consumers do not know how to protect their devices against abuse, or they just don’t care. IoT brings the physical and cyber worlds together in a totally new way, meaning that insecure devices become a problem for societal safety.
The inherent vulnerability of the Internet was brought to light by the Morris worm more than 30 years ago. Within 24 hours on 2 November 1988, it caused significant damage across the world. Morris infected 10% of the Internet, which was only 60 000 computers at the time. Similarly, in 2016, DDoS attacks of unprecedented magnitude were launched from vulnerable IoT devices all over the world, primarily through online consumer devices such as IP cameras, home routers, printers and baby monitors. These devices were all zombies in the Mirai botnet. Moreover, in May 2017, over 200 000 computers in over 150 countries were attacked by the WannaCry ransomware, as thousands of victims had failed to patch a vulnerability in Server Message Block (SMB), a protocol for local Windows networks which should never have been exposed online in the first place.
The essence of this is that our own actions and negligence can be exploited by cyber criminals to cause harm and disrupt society. You can compare it to opting out of public vaccination programs for deadly diseases. If a given share of the population is not vaccinated, there is a risk of outbreaks harming vulnerable individuals, children and the elderly. Another analogy is fire safety in domestic rental properties. If one household does not have a smoke alarm and a fire extinguisher in place, a potential fire can spread to the whole building – and even the whole block. In the case of cybersecurity, the risk of spreading is more subtle. You may think that it does not matter if your SMART refrigerator is being hacked, but are you really that comfortable with supporting organized crime or participating in cyber-attacks against innocent people in armed conflicts?
Vendors of course have a responsibility for not creating vulnerable devices, but we as consumers also have a responsibility for applying recommended security configurations. This is particularly important for organizations managing sensitive information, production systems and critical infrastructure, as IoT devices may increase the attack surface against core business.
Unawareness and unknown vulnerabilities
Every penetration tester knows that hacking an organization is either easy or difficult, but never impossible. It is only a matter of time and effort. Sadly, it is often a lot easier than necessary. Now why is that?
Some organizations are not aware of cyber risk, or it is considered an issue for the IT department and not given the proper focus from top management and the board. This has improved through more awareness gained from the recently disclosed global incidents, such as the WannaCry ransomware and NotPetya in 2017. But even if the management is aware of cyber risk, many organizations are not aware of their own vulnerabilities. BDO often encounters customers that have never performed any security testing before, not even vulnerability scanning of their public networks. Even organizations with an excellent security posture for 99% of their assets might have that one-off admin account with the password Winter2018, and a redundant VPN server accidentally configured to allow remote access using only username and password. There is often a chain of vulnerabilities which, when combined, can be exploited in targeted cyber-attacks.
The Center for Internet Security® (CIS) has developed the Top 20 security controls to prioritize the effort to protect against known cyber-attack vectors. Number 20 is penetration testing and red team exercises. Still, we often see that organizations are vulnerable because they fail on security controls 1 and 2, which are knowing your hardware and software assets. For example, we find old servers that were believed to have been decommissioned years ago, or we find installed software which is not in use and not patched, and which therefore exposes remote code execution vulnerabilities. These vulnerable servers might not be important to the organization at all. However, they may still be leveraged by an attacker to gain access to more secured systems and information. Another reflection is that security is often considered on the network layer, yet vulnerabilities are often found and exploited on the application level. Mature organizations have a security testing program for their applications, but this effort is often focused on new releases of core services, while their basic infrastructure and other applications are not tested.
The risk represented by vulnerable devices can be partially mitigated with good segmentation of networks and privileges. For example, a firewall protects most internal assets from being targeted directly from the Internet. Still, we often encounter insecure configurations. A building control system for ventilation and power saving can easily be exploited to penetrate the perimeter. This is especially true if it exposes a web interface with default credentials and remote code execution vulnerabilities, such as the ability to upload a web shell and run arbitrary commands on the server.
What to do?
The first step to raise the bar for cyber criminals is to know your assets, understand your own vulnerabilities and how threat actors can exploit them to harm your business, reputation, sensitive information or service production. A business risk assessment for cybersecurity should identify effective countermeasures, which will reduce the impact of successful cyber-attacks.
The National Institute of Standards and Technology (NIST) has published security guidelines for IoT devices. These guidelines can be a good reference for the specific risks to consider regarding IoT. However, if you want to assess the cybersecurity risk of an IoT device, you can ask the same questions as you would for any other IT system you would install in your network.
An unofficial list of questions you should consider:
1. What kind of information is processed by the system? Is personal or sensitive information sufficiently protected in storage, processing and transit?
2. What are your availability requirements for the system? Is it business critical? Do you need a continuity plan? How about backup and recovery routines?
3. Do you have an inventory of assets such as hardware, software, user accounts and system administrators?
4. Is the system configured per best practice, security baselines from the vendor and the principles of need-to-know and least-privilege?
5. Do you have a support agreement with the vendor and routines for applying security patches throughout the lifetime of the system?
6. Is the system properly isolated? From which networks is it accessible and manageable? Which services/interfaces/ports/APIs are exposed? If the system is compromised, which internal networks and services may the adversary then access?
7. How are users authenticated to the system? Are there privileged user accounts which need additional protection? Are there backdoor accounts or default passwords that should be changed?
8. Are user and system activities logged to ensure accountability and enable you to investigate incidents and secure evidence of malicious activity?
9. Are routines and technical measures in place to detect and prevent abuse?
10. Will the system be included in your program for security testing?
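To make the checklist actionable across many devices, here is an added example (not from the original article or from BDO) that encodes questions 3, 5, 6, 7 and 10 as automated checks over a constructed asset register, ranking the building-control case from the text highest; the Asset fields, zone names and severity labels are assumptions made for this example.

```python
from dataclasses import dataclass

UNTRUSTED = frozenset({"internet", "guest-wifi"})  # zones that must never reach a management interface
SENSITIVE = frozenset({"server-lan", "scada"})     # zones a compromised device must not be able to reach

@dataclass(frozen=True)
class Asset:
    """One row of a constructed asset register; field names are assumptions, not a standard schema."""
    name: str
    in_inventory: bool                            # Q3: known in the hardware/software inventory?
    vendor_supported: bool                        # Q5: support agreement and patch routine in place?
    mgmt_reachable_from: frozenset = frozenset()  # Q6: zones that can reach admin/control interfaces
    can_reach: frozenset = frozenset()            # Q6: zones the device itself can reach
    default_creds: bool = False                   # Q7: factory accounts or passwords still active?
    in_test_program: bool = False                 # Q10: covered by the security testing program?

def triage(asset: Asset) -> list[str]:
    """Return checklist findings for one asset; a CRITICAL finding, if any, comes first."""
    findings = []
    exposed = sorted(asset.mgmt_reachable_from & UNTRUSTED)
    pivot = sorted(asset.can_reach & SENSITIVE)
    # The building-control case from the text: an externally reachable admin interface
    # with default credentials is the combination that breaches the perimeter.
    if exposed and asset.default_creds:
        findings.append(f"CRITICAL: default credentials on interface reachable from {exposed}")
    elif exposed:
        findings.append(f"Q6: management interface reachable from {exposed}")
    elif asset.default_creds:
        findings.append("Q7: default credentials still active")
    if exposed and pivot:
        findings.append(f"Q6: a compromise gives a foothold into {pivot}")
    if not asset.in_inventory:
        findings.append("Q3: not in asset inventory (forgotten system)")
    if not asset.vendor_supported:
        findings.append("Q5: no vendor support or patch routine")
    if not asset.in_test_program:
        findings.append("Q10: not in security testing program")
    return findings

# Constructed register: a building controller like the one in the text, a forgotten file server, a managed web app.
REGISTER = (
    Asset("hvac-controller", True, False, frozenset({"internet", "office-lan"}),
          frozenset({"office-lan", "server-lan"}), default_creds=True),
    Asset("legacy-fileserver", False, False, frozenset({"office-lan"}), frozenset({"server-lan"})),
    Asset("crm-web", True, True, frozenset({"admin-vpn"}), in_test_program=True),
)

def report(register=REGISTER) -> dict[str, list[str]]:
    """Findings per asset, keyed by asset name."""
    return {a.name: triage(a) for a in register}
```

Running `report()` on the constructed register flags the HVAC controller as critical while the managed web application produces no findings.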