Transcript of VA Scan 2017 Presentation AoT Final - schd.ws (schd.ws/hosted_files/vascan2017/52/VA Scan 2017...)

AoT: Audit of Things
VIRGINIA TECH - UNIVERSITY INTERNAL AUDIT

Introduction
• Ab-a-what?
• Audit Manager @ Virginia Tech for 3 years
• Approximately 14 years of experience, 11 in higher education
  • IT and operational audit experience
  • IT Security
• Alumnus of Virginia Tech (B.S. and M.B.A.)

What are Io(Things)?
• The Internet of Things:
  • A network of internet-connected objects able to collect and exchange data.
  • i.e. EVERYTHING!
• Alternate definition: The interconnection (via the Internet) of computing devices embedded in ordinary objects, enabling them to send and receive data.
• An IoT device:
  • Any stand-alone internet-connected device that can be monitored and/or controlled from a remote location.
  • i.e. EVERYTHING!

What are Io(Things)?
• Many people think of smart homes when it comes to IoT: locks, cameras, thermostats. Other industries using IoT include:
  • Manufacturing: Industrial Control Systems
  • Infrastructure: SCADA Systems (Utilities)
  • Retail
  • Transportation
  • Logistics
  • Defense
  • Food Service
  • Agriculture
  • Healthcare

Benefits & Concerns
• Benefits (1)
  • Safety, Comfort, Efficiency
  • Better Decision Making
  • Revenue Generation & Cost Savings
• Concerns
  • Privacy
  • Cybersecurity threats
  • Legal and ethical

1) Source: https://www.atlanticbt.com/blog/3-threats-and-3-benefits-of-the-internet-of-things/

Newsworthy Attacks
• Stuxnet
  • The attack was purportedly launched to sabotage the uranium enrichment facility in Iran. Stuxnet was not a typical IoT attack, because it relied on the devices being connected to a machine running the Windows operating system.
• Mirai botnet
  • This botnet infected numerous IoT devices (primarily older routers and IP cameras), then used them to flood a DNS provider (Dyn) with a DDoS attack. It took down sites such as Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and a number of other major websites. Mirai did not need a kernel exploit: it logged in over Telnet with a short list of factory-default usernames and passwords that had never been changed.
• BrickerBot (2)
  • BrickerBot.2 targeted Linux-based devices. It wiped all stored files, removed the default Internet gateway, disabled TCP timestamps, and limited the maximum number of kernel threads to just one. That all but ensures that most damaged devices won't be restored without a significant overhaul.

Other Headlines
• Report: IoT attacks exploded by 280% in the first half of 2017.
• FDA recalls nearly 500k pacemakers over hacking concerns.
• Linux trojan used hacked IoT devices to send mass spam.
• Update gone wrong leaves thousands of smart locks inoperable.
• DDoS attack using IoT devices affects a US university for 54 hours.
• DDoS attack through vending machines hits a US-based university.

The Audit of Things

AoT: The Audit Process
1. Identify Business Objectives
2. Identify Risks
3. Identify Key Controls
4. Identify Audit Objectives
5. Identify Audit Test Steps
6. Conduct Testing & Fieldwork
7. Report Results

What Were the “Things”? - Our Scope
• We considered many device types that did not fit the mold of “traditional” computing systems.
• Through our planning process, which included interviews with university departmental management and the IT Security Office, we identified various device types including:
  • Networked IP cameras
  • Multifunction printers
  • SCADA systems
  • Electronic door lock systems
  • Time clock terminals
  • Building automation
  • Vending machines
  • Others
• We referred to the collective simply as “networked devices.”


What Were the “Things”? - Our Scope
• Printers
  • On contract, off contract, basic or multifunction
  • Located in academic departments, research areas and operational areas
• Networked IP Cameras
  • Located in public spaces & sensitive areas
• Electronic Door Locks
  • Located in academic departments, residential buildings, operational areas
• Time Clock Systems
  • Varied areas across campus

Planning - The Risks
• Insufficient boundary defense may leave devices accessible from the Internet.
• Potentially sensitive data sent to and from devices could be vulnerable to capture.
• Use of unnecessary, insecure, or deprecated ports and services may create vulnerabilities.
• Manufacturer default passwords might still be in use on devices, or administrative passwords may be missing altogether, potentially allowing unauthorized access.
• Out-of-date firmware may increase vulnerabilities.
• Physical location of devices may create vulnerabilities.

Planning - Our Objectives
• To determine whether devices:
  • Were securely managed and protected from unauthorized access.
  • Provided legitimate services only to university networks and were sufficiently hardened against abuse or misuse.
  • Sufficiently protected sensitive data when in use.

Fieldwork - Our Testing Approach
• Identified a sample of “non-traditional” networked devices.
• Observed and assessed logical and physical access controls for devices.
• Assessed the use and processing of sensitive information through observation and interviews.
• Observed and assessed device firmware and procedures for managing firmware upgrades.
• Port scanned devices from both on-campus and off-campus looking for open ports.
• Attempted to connect to open ports while capturing packet streams in Wireshark.
• Observed whether devices refused or accepted connections. If connections were opened, were they subsequently closed by the destination device?
• For devices without built-in IP filtering, were other boundary defense controls (firewalls) in place?
• Examined device configurations to ensure unnecessary services were disabled.

Our Results
• Many devices arrive “out-of-box” with numerous protocols and services turned on.
  • Administrators should be aware of the capabilities of these devices and ensure that only the services necessary for operation are enabled, and that all others are disabled to reduce the potential attack surface.
• Protecting sensitive data in transit can be a challenge. A better understanding of the types of data in use is needed in order to determine when/where to use encryption.
  • Many device types, including multifunction printers, have the capability to encrypt transit traffic using IPsec or SSL/TLS, but these capabilities can be difficult to configure due to the complexities of the client computing environment.

Our Results (cont.)
• Firmware upgrades can be a “double-edged sword.”
  • While firmware upgrades often provide important security enhancements that should be applied to devices, they can also include code defects that introduce new vulnerabilities.
• Built-in access control lists (ACLs) should be used, but are not always sufficient for boundary defense.
  • IP filtering capabilities of devices may prevent access to web services and other services, but do not always cover all ports and services in use on the device.
  • Several services on some devices accepted connections from Internet-connected hosts outside of the allowed IP range configured in the device’s ACL.

Our Results (cont.)
Figure 1 (packet capture, image not reproduced): Connections to port 80 were prevented by the device’s ACL, that is, the TCP 3-way handshake completed and the destination device then closed the connection; however, on the same device, connections to port 514 were accepted and not closed by the destination device. A port scanner that only checks whether the handshake completes would report both ports as open.
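The behaviour in Figure 1 is worth reproducing with a check of your own, because a port scanner alone will not show it: a SYN or connect scan reports a port as open the moment the three-way handshake completes, and on many embedded devices the built-in IP filter is applied only after that, at the application layer. The following Python script is an added example, not code from the presentation or from Virginia Tech; it implements the two testing-approach steps above (connect to each open port, then observe whether the device refuses, accepts-then-closes, or holds the connection) and flags any held-open port that is not expected from the current vantage point (for an off-campus scan that allow-list should be empty). The two local listeners it starts are constructed stand-ins for one device's ACL-covered port (port 80 in Figure 1) and uncovered port (514); the host, port list and `expected_open` allow-list are assumptions for the demonstration, not values from the audit.

```python
"""Added example (not from the presentation): classify what a device does
after the TCP handshake, so an audit can tell an ACL-covered port (handshake
completes, then the device closes it) from a port the ACL does not cover
(connection stays up). A plain SYN/connect scan would call both "open".

The listeners started by start_fake_device() are constructed stand-ins for
one device; no real device or campus network is contacted.
"""
import socket
import threading

REFUSED = "refused"                                  # RST on SYN, or no answer
CLOSED_AFTER_HANDSHAKE = "closed-after-handshake"    # ACL applied after accept()
HELD_OPEN = "held-open"                              # service kept the connection


def probe_port(host, port, settle=0.5, timeout=2.0):
    """Connect to host:port, then watch what the far end does for `settle`
    seconds. Returns one of the three verdicts above."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(settle)
            try:
                data = sock.recv(1)
            except socket.timeout:
                return HELD_OPEN               # still connected, peer said nothing
            except ConnectionResetError:
                return CLOSED_AFTER_HANDSHAKE  # peer sent RST after accepting
            if data == b"":
                return CLOSED_AFTER_HANDSHAKE  # orderly FIN from the peer
            return HELD_OPEN                   # peer sent a banner: service is live
    except (ConnectionRefusedError, socket.timeout, OSError):
        return REFUSED


def audit_device(host, ports, expected_open=()):
    """Probe every port; a held-open port that is not on the allow-list for
    this vantage point is a finding (Figure 1's port 514 case)."""
    results = {port: probe_port(host, port) for port in ports}
    findings = sorted(p for p, verdict in results.items()
                      if verdict == HELD_OPEN and p not in expected_open)
    return results, findings


# --- constructed stand-in for a device with a partial built-in ACL ---------

def _hold(conn):
    """Keep an accepted connection up until the client hangs up."""
    try:
        conn.recv(1)
    except OSError:
        pass
    finally:
        conn.close()


def _serve(listener, hold):
    """Accept loop: either hold the connection open (uncovered port) or close
    it immediately after accept() (ACL-covered port)."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        if hold:
            threading.Thread(target=_hold, args=(conn,), daemon=True).start()
        else:
            conn.close()


def start_fake_device(host="127.0.0.1"):
    """Start two listeners on ephemeral ports and return {"filtered": port,
    "unfiltered": port}. 'filtered' behaves like port 80 in Figure 1,
    'unfiltered' like port 514."""
    ports = {}
    for name, hold in (("filtered", False), ("unfiltered", True)):
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind((host, 0))
        listener.listen(5)
        threading.Thread(target=_serve, args=(listener, hold), daemon=True).start()
        ports[name] = listener.getsockname()[1]
    return ports


def unused_port(host="127.0.0.1"):
    """Pick a port nothing listens on, to show the 'refused' verdict."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((host, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    device = start_fake_device()
    targets = [device["filtered"], device["unfiltered"], unused_port()]
    # Off-campus vantage point: nothing should be reachable, so no allow-list.
    results, findings = audit_device("127.0.0.1", targets, expected_open=())
    for port, verdict in results.items():
        print(f"{port:5d}  {verdict}")
    print("findings (held open, not expected from here):", findings)
```

Run it from both vantage points the audit used (on-campus and off-campus) with the real device's open ports in `targets`; from outside the ACL's allowed range, port 80 should come back closed-after-handshake and 514 held-open, which is exactly the gap Figure 1 shows. Pair it with a Wireshark capture as the slides did: closed-after-handshake corresponds to a FIN or RST from the device right after the final ACK. The verdict says only that the device keeps the connection; a service that waits for the client to speak first (HTTP does) looks the same as one that simply holds the socket, so identifying what is listening is a separate step.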


Key Recommendations
• CIS has a great breakdown of how the 20 Critical Security Controls apply to IoT devices:
  • https://www.cisecurity.org/wp-content/uploads/2017/03/CIS-Controls-IoT-Security-Companion-201501015.pdf
• Secure Configurations for Hardware and Software (3)
  • Gain an understanding of the full capabilities of all networked devices, and enable ONLY the services and features required for business.
• Continuous Vulnerability Assessment and Remediation (4)
  • Ensure your environment is configured as designed.
• Limitation and Control of Network Ports, Protocols, and Services (9)
  • Disable outdated/deprecated protocols unless absolutely necessary, and use compensating controls if they must remain enabled.

Key Recommendations
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (11)
  • If built-in ACLs do not prevent access to all device services, then use external hardware firewalls.
• Data Protection (13)
  • If sensitive data or PII is sent to/from networked devices, then encryption should be used to protect data in transit and at rest.
• Application Software Security (18)
  • Maintain updated firmware, but always test new versions before deploying to all devices.

Contact
[email protected]
Visit our website at: http://www.audit.vt.edu/