VA Scan 2017 Presentation: AoT Final (schd.ws/hosted_files/vascan2017/52/VA Scan 2017...)
Introduction
• Ab-a-what?
• Audit Manager @ Virginia Tech for 3 years
• Approximately 14 years of experience, 11 in higher education
  • IT and operational audit experience
  • IT Security
• Alumni of Virginia Tech (B.S. and M.B.A.)
What are Io(Things)?
• The Internet of Things:
  • A network of internet-connected objects able to collect and exchange data.
  • i.e. EVERYTHING!
• Alternate definition: The interconnection (via the Internet) of computing devices embedded in ordinary objects, enabling them to send and receive data.
• An IoT device:
  • Any stand-alone internet-connected device that can be monitored and/or controlled from a remote location.
  • i.e. EVERYTHING!
What are Io(Things)?
• Many people think of smart homes when it comes to IoT: locks, cameras, thermostats. Other industries using IoT include:
  • Manufacturing: Industrial Control Systems
  • Infrastructure: SCADA Systems (Utilities)
  • Retail
  • Transportation
  • Logistics
  • Defense
  • Food Service
  • Agriculture
  • Healthcare
Benefits & Concerns
• Benefits (1)
  • Safety, Comfort, Efficiency
  • Better Decision Making
  • Revenue Generation & Cost Savings
• Concerns
  • Privacy
  • Cybersecurity threats
  • Legal and ethical
1) Source: https://www.atlanticbt.com/blog/3-threats-and-3-benefits-of-the-internet-of-things/
Newsworthy Attacks
• Stuxnet
  • The attack was purportedly launched to sabotage the uranium enrichment facility in Iran. Stuxnet was not a typical IoT attack, because it relied on the devices being connected to a machine running the Windows operating system.
• Mirai botnet
  • This botnet infected numerous IoT devices (primarily older routers and IP cameras), then used them to flood DNS providers with a DDoS attack. It took down sites such as Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and a number of other major websites. It took advantage of devices running out-of-date versions of the Linux kernel.
• BrickerBot (2)
  • BrickerBot.2 targeted Linux-based devices. It wiped all stored files, removed the default Internet gateway, disabled TCP timestamps, and limited the maximum number of kernel threads to just one. That all but ensures that most damaged devices won't be restored without a significant overhaul.
Other Headlines
• Report: IoT attacks exploded by 280% in the first half of 2017.
• FDA recalls nearly 500k pacemakers over hacking concerns.
• Linux trojan used hacked IoT devices to send mass spam.
• Update gone wrong leaves thousands of smart locks inoperable.
• DDoS attack using IoT devices affects a US university for 54 hours.
• DDoS attack through vending machines hits a US-based university.
AoT: The Audit Process
• Identify Business Objectives
• Identify Risks
• Identify Key Controls
• Identify Audit Objectives
• Identify Audit Test Steps
• Conduct Testing & Fieldwork
• Report Results
What Were the “Things”? – Our Scope
• We considered many device types that did not fit the mold of “traditional” computing systems.
• Through our planning process, which included interviews with university departmental management and the IT Security Office, we identified various device types including:
  • Networked IP cameras
  • Multifunction printers
  • SCADA systems
  • Electronic door lock systems
  • Time clock terminals
  • Building automation
  • Vending machines
  • Others
• We referred to the collective simply as “networked devices.”
What Were the “Things”? – Our Scope
• Printers
  • On-contract, off-contract, basic or multifunction
  • Located in academic departments, research areas and operational areas
• Networked IP Cameras
  • Located in public spaces & sensitive areas
• Electronic Door Locks
  • Located in academic departments, residential buildings, operational areas
• Time Clock Systems
  • Varied areas across campus
Planning – The Risks
• Insufficient boundary defense may leave devices accessible to the Internet.
• Potentially sensitive data sent to and from devices could be vulnerable to capture.
• Use of unnecessary, insecure, or deprecated ports and services may create vulnerabilities.
• Manufacturer default passwords might still be in use on devices, or administrative passwords may be missing altogether, potentially allowing for unauthorized access.
• Out-of-date firmware may increase vulnerabilities.
• Physical location of devices may create vulnerabilities.
Planning – Our Objectives
• To determine whether devices:
  • Were securely managed and protected from unauthorized access.
  • Provided legitimate services to only university networks and were sufficiently hardened against abuse or misuse.
  • Sufficiently protected sensitive data when in use.
Fieldwork – Our Testing Approach
• Identified a sample of “non-traditional” networked devices.
• Observed and assessed logical and physical access controls for devices.
• Assessed the use and processing of sensitive information through observation and interviews.
• Observed and assessed device firmware and procedures for managing firmware upgrades.
• Port scanned devices from both on-campus and off-campus looking for open ports.
• Attempted to connect to open ports while capturing packet streams in Wireshark.
• Observed whether devices refused or accepted connections. If connections were opened, were they subsequently closed by the destination device?
• For devices without built-in IP filtering, were other boundary defense controls (firewalls) in place?
• Examined device configurations to ensure unnecessary services were disabled.
Our Results
• Many devices arrive “out-of-box” with numerous protocols and services turned on.
  • Administrators should be aware of the capabilities of these devices and ensure that only the services necessary for operation are enabled, and that all others are disabled to reduce the potential attack surface.
• Protecting sensitive data-in-transit can be a challenge. A better understanding of the types of data in use is needed in order to determine when/where to use encryption.
  • Many device types, including multifunction printers, have the capability to encrypt transit traffic using IPsec or SSL/TLS, but these capabilities can be difficult to configure due to the complexities of the client computing environment.
Our Results (cont.)
• Firmware upgrades can be a “double-edged sword.”
  • While firmware upgrades often provide important security enhancements that should be applied to devices, they can also include code defects that can introduce new vulnerabilities.
• Built-in access control lists (ACLs) should be used, but are not always sufficient for boundary defense.
  • IP filtering capabilities of devices may prevent access to web services and other services but do not always cover all ports and services in use on the device.
  • Several services on some devices accepted connections from Internet-connected devices outside of the allowed IP range configured in the device’s ACL.
Our Results (cont.)
Figure 1: Connections to port 80 were prevented by the device’s ACL (closed by the destination device after the 3-way handshake); however, on the same device connections to port 514 were accepted and not closed by the destination device.
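As an added illustration (not code from the deck) of the check behind Figure 1, the probe below tells apart three outcomes for a TCP port: the connection is refused, the handshake completes and the device then closes it (what the ACL did on port 80), or the session is accepted and left open (what happened on port 514). The two device behaviours are emulated on loopback so the check runs offline; the host, the ephemeral ports and the function names are assumptions.

```python
import socket
import threading

# Constructed stand-ins for the two device behaviours in Figure 1. A real audit
# probes the device itself from on- and off-campus addresses; here both "services"
# run on loopback so the classifier can be exercised offline (an assumption).
_held = []  # keep accepted sockets alive so the "open" service never sends FIN

def start_fake_service(close_after_handshake):
    """Listen on an ephemeral loopback port and return that port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            if close_after_handshake:
                conn.close()        # like port 80 behind the ACL: handshake, then FIN
            else:
                _held.append(conn)  # like port 514: accepted and simply left open

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Return a loopback port with no listener, to demonstrate the 'refused' case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def probe(host, port, timeout=1.0):
    """Classify a TCP port as 'refused', 'closed-after-handshake' or 'open'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:             # RST in reply to SYN, or no answer within the timeout
        s.close()
        return "refused"
    try:
        data = s.recv(1)        # b'' means the peer sent FIN right after the handshake
    except socket.timeout:
        return "open"           # no FIN and no data: the service is holding the session
    except ConnectionResetError:
        return "closed-after-handshake"
    finally:
        s.close()
    return "closed-after-handshake" if data == b"" else "open"

def audit_ports(host, ports):
    """Map each port to its classification. Any 'open' result obtained from an
    address outside the device's allowed range is an ACL gap for an external firewall."""
    return {p: probe(host, p) for p in ports}
```

Run the same probe from an on-campus and an off-campus address and compare the two result maps; ports that read "open" from the outside are the ones the deck's recommendation (11) says to put behind a hardware firewall.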
Key Recommendations
• CIS has a great breakdown of the 20 critical controls for IoT devices:
  • https://www.cisecurity.org/wp-content/uploads/2017/03/CIS-Controls-IoT-Security-Companion-201501015.pdf
• Secure Configurations for Hardware and Software (3)
  • Gain an understanding of the full capabilities of all networked devices, and enable ONLY the services and features required for business.
• Continuous Vulnerability Assessment and Remediation (4)
  • Ensure your environment is configured as designed.
• Limitations and Control of Network Ports, Protocols, and Services (9)
  • Disable outdated/deprecated protocols unless absolutely necessary, and use compensating controls if so.
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (11)
  • If built-in ACLs do not prevent access to all device services, then use external hardware firewalls.
• Data Protection (13)
  • If sensitive data or PII is sent to/from networked devices, then encryption should be used to protect data in transit and at rest.
• Application Software Security (18)
  • Maintain updated firmware, but always test new versions before deploying to all devices.