The rapid onslaught of the Internet of Things poses new challenges to network security; each and every connected device is susceptible to attack. Below, Aaron Portnoy charts the evolution of data security and argues that new challenges call for new tactics, and that a “default deny” policy must become the norm.
From an attacker’s perspective, the concept of the Internet of Things conjures memories of the early 2000s – before firewalls and attack detection systems were prevalent technologies that were sure to be present on large networks. Back then, many hosts on corporate intranets were reachable externally and the Internet was a virtual playground for those who possessed the requisite skillset. The potential for abuse was most clearly demonstrated by so-called computer worms such as Nimda,1 which set propagation records by spreading across the Internet in just 22 minutes, using techniques as simple as abusing open network shares on Internet-exposed systems. Naturally, in response to this and other threats, those tasked with defending enterprises began focusing on shoring up the perimeter of their networks, giving rise to the now ubiquitous Intrusion Detection/Intrusion Prevention Systems (IDS/IPS) technologies.
Protecting the Perimeter
For a while, the perimeter defense became the foremost obstacle to be overcome when attempting to penetrate a network. In almost every medium-to-large sized enterprise one could locate a Visio diagram posted in an IT department cubicle that depicted a hard line between the Internet and the company’s network. By no means a panacea, the IDS/IPS technologies were still fairly capable of filtering out the deluge of mass-exploitation attempts that plagued large networks at the time. They stood resolutely at the border, alerting their administrators to each and every time a curious netizen submitted a web form with an apostrophe or a mass scanner probed their websites for /cgi-bin/phf.
It seemed that focusing resources on protecting the perimeter was a good idea. That is, until the rise in prevalence of mobile phones and tablets, which led to “bring your own device” (BYOD) policies being enacted in corporate environments. No longer could defenders focus mainly on the perimeter; they had to concern themselves with the security posture of every device that any of their employees saw fit to plug into a network jack or connect to a wireless network at the office. This made it quite difficult for network administrators to properly control systems on their networks. Instead, the trend appeared to shift toward securing the flow of sensitive data, rather than preventing access to it. The security industry happily addressed this growing need by developing software and hardware referred to as “data leak prevention”, “data loss prevention”, or a similar combination of such terms (generally referred to as DLP). In addition to trying to whitelist devices by ensuring they are fully updated and running approved anti-virus solutions, administrators also implemented policies that disallow access unless employees’ devices were running a host-based DLP solution. This allowed administrators to track the flow of potentially sensitive corporate information and spot violations reported by the DLP software (save for encrypted transmissions – but that merits an entire discussion itself).
A New Age of Vulnerability
This approach to tracking data flow is all well and good for the time being, but what happens when the DLP software isn’t supported on your network-enabled refrigerator? The Internet of Things, encompassing a potentially unlimited number of devices running on a heterogeneous collection of architectures and operating systems poses a logistical nightmare for those tasked with securing a corporation’s virtual assets. The potential for the IoT is vast and it will not be uncommon in the near future to see network capable devices running electrical systems, air conditioning, fire alarms, televisions, ovens, and even more mobile applications such as wristwatches, heart monitors, glasses, and insulin pumps. Each device that maintains an IP address on a network is susceptible to remote attacks and it is increasingly becoming unclear how one might ensure they are hardened appropriately. As is often the case with embedded devices, much of the code running on the system is from third party libraries. Take, for example, the Heartbleed vulnerability in OpenSSL,2 which affected hundreds of thousands of various systems that included the vulnerable component. Does your organisation have policies in place to patch the televisions in your conference rooms or the multitude of various printers that are constantly trusted with the transfer of sensitive information?
What is becoming clear is that the enterprise needs to develop new tactics to address the potential risk associated with such diverse networks. When you’re unable to secure the systems, all that is left is to attempt to secure the data. While administrators must strike a balance between business needs and security, it is becoming increasingly apparent that the baseline should be a “default deny” policy. Data access policy enforcement coupled with proper compartmentation of information will allow an organisation to properly address the coming generation of (and attacks against) the Internet of Things.
About the Author
Aaron Portnoy has worked in vulnerability intelligence firms since his first internship at age 18. He has since been recognised as an industry expert in reverse engineering, vulnerability discovery, and exploitation, and has presented publicly at industry conferences world-wide as well as privately for government institutions such as the NSA. Aaron featured as the cover story of TIME magazine’s July 21st, 2014 issue and has been quoted by the BBC, Wired, Reuters, NBC, and others. At his firm, Exodus Intelligence, Aaron is mainly responsible for the discovery and exploitation of zero-day threats.