Transforming IoT Security Through Visibility Liran Chen , CISSP Director System Engineering , ForeScout 5/10/17


Page 1

Transforming IoT Security Through Visibility

Liran Chen, CISSP
Director – System Engineering, ForeScout

5/10/17

Page 2

1. IoT Landscape
2. Threat Landscape
3. Gartner IoT Security Market Guide
4. IoT Attacks – Observations

Page 3

IoT: Internet of Threats – A Message You Can Hug

http://www.computerworlduk.com/security/mongodb-ransomware-attacks-what-your-business-needs-know-3652793/

One by one, these are becoming a reality. Time to secure them is now.

Common passwords like “qwerty”, “password”, and “123456”

Page 4

Exponential IoT Growth

Source: Gartner IoT, PC and Mobile device forecast 2015

PCs & Mobile Devices: took 25 years to get to 10 billion devices*

IoT Devices: will take only 5 years to get to 30 billion devices*

Reference acronym glossary at the end of presentation

Page 5

IoT Device Landscape is Fragmented

Source: Harbor Research, 2014; McKinsey Global Institute, 2015

IoT Device / Solution Vendors by Physical Environments: Personal, Home, City, Factory, Logistics, Retail, Vehicles, Office, Worksite, Medical

Device landscape is going from few devices and OS types to innumerable devices and OS types

Page 6

Challenges and Lessons Learned

IoT Adoption Driven by Business Needs

“Nothing is more powerful than an idea whose time has come” – Victor Hugo

IoT: Resistance is futile – Shadow IoT Devices
- Businesses need IoT to improve their business
- Non-IT provisioned devices
- IT can’t manage the devices via agents

BYOD: Resistance was futile – Shadow IT
- Users needed it to do their jobs
- Non-IT provisioned devices
- IT couldn't manage the devices via agents

Page 7

1. IoT Landscape
2. Threat Landscape
3. Gartner IoT Security Market Guide
4. ForeScout Solution

Page 8

IoT Opens Much Bigger Attack Surface

Less than 10% of new devices connecting to the corporate environment will be manageable through traditional methods

[Chart: Managed Devices vs. Unmanaged Devices, 2010–2020]

By 2020: 20+ billion unmanaged connected devices

66% of all networks will have an IoT security breach by 2018

Source: Gartner, BI Intelligence, Verizon, ForeScout

Page 9

Visibility is a Top Security Concern

Source: 2016 ForeScout IoT survey

Only 14.6% are quite confident about visibility into their IoT devices

Page 10

A Perfect Storm of Threats Creating New Security Needs

Attacks targeting devices that corporations can’t see

5 out of 6 large companies are hit with targeted attacks today

Page 11

Insecurity of Things: Danger Rankings

DISASTROUS – Cause irreversible damage
DISRUPTIVE – Disrupt corporate and operational processes
DAMAGING – Enable information stealing

Examples of IoT device risks:
- Illegal remote monitoring
- Tampering with temperature controls
- Spying via video and microphone
- Accessing company information
- Obtaining user credentials
- Extracting Wi-Fi credentials
- Snooping on calls

Source: ForeScout IoT Enterprise Risk Report

Page 12

IP-Connected Security Systems – An Example of IoT Device Risks

Danger ranking: DISASTROUS

- Many use proprietary radio frequency technology that lacks authentication and encryption. Attackers can form radio signals to send false triggers and access system controls.
- Use the device’s compute capability to exfiltrate large amounts of data.
- Disable a camera to allow a physical break-in.
- Hijack a camera to spy on employees’ usage of computers, passwords, applications and designs.
- Use as a launching point for DDoS attacks.

Page 13

Mirai Botnet

11/1/2016

Mirai was used in the DynDNS attack; ~100K devices were involved.

Follow Mirai attacks on Twitter – @MiraiAttacks. A tweet is sent each time a Mirai attack is detected; as of Feb 6th 2017 there were over 1,750 tweets, with the count starting in October 2016.

Page 14

Hajime Botnet – Destination Unknown

11/1/2016

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices), but its real purpose remains unknown.

After a little analysis we see that most of the victims turn out to be DVRs, followed by web cameras, routers, etc.

Page 15

1. IoT Landscape
2. Threat Landscape
3. Gartner IoT Security Market Guide
4. Few Examples

Page 16

Gartner IoT Market Guide – ForeScout Listed As A Representative Vendor

Page 17

Gartner IoT Market Guide – ForeScout Listed As A Representative Vendor

Page 18

Many IoT Devices Are Invisible

- Many IoT devices lack firewall capability
- Many IoT devices cannot be patched
- Many IoT devices run on outdated or unsupported software
- Many IoT devices cannot host an agent

Agentless Visibility
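As an added example (not code from the deck or from ForeScout), the following Python script demonstrates the agentless approach this slide points to, together with the shadow-device problem from the "Challenges and Lessons Learned" slide: it builds a device inventory purely from network-side data (dhcpd-style DHCPACK log lines and an ARP table dump), classifies each device by MAC prefix and DHCP vendor class, and flags devices that are absent from the CMDB and devices whose class cannot host an endpoint agent. Every MAC prefix, log line, ARP entry and CMDB entry is constructed for the example, and the vendor-class field appended to the DHCP lines is an assumed log format rather than dhcpd's default output.

```python
"""Agentless device inventory from passive network data (added example).

Not code from the original deck or from ForeScout. All OUI prefixes, log
lines, ARP entries and CMDB contents below are constructed; the trailing
vendor-class field on the DHCP lines is an assumed format.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed OUI prefix -> (vendor, device class). Not real IEEE assignments.
OUI_TABLE = {
    "02:1A:11": ("Acme Cameras", "ip-camera"),
    "02:1A:22": ("Acme DVR", "dvr"),
    "02:1A:33": ("Acme Thermostats", "hvac-controller"),
    "02:2B:44": ("Contoso PCs", "workstation"),
}

# Classes that, per the deck, cannot host an agent. "unknown" is treated the
# same way: until a device is identified, assume it needs agentless handling.
AGENTLESS_CLASSES = {"ip-camera", "dvr", "hvac-controller", "unknown"}

# Constructed CMDB: only IT-provisioned assets are recorded here.
CMDB = {"02:2b:44:00:00:01"}

DHCP_RE = re.compile(
    r'DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})'
    r'(?: \((?P<host>[^)]*)\))?(?: via \S+)?(?: vendor-class="(?P<vc>[^"]*)")?'
)
ARP_RE = re.compile(r'^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-f:]{17})')


@dataclass
class Device:
    mac: str
    ip: str
    hostname: str = ""
    vendor_class: str = ""
    sources: set = field(default_factory=set)

    @property
    def device_class(self) -> str:
        cls = OUI_TABLE.get(self.mac[:8].upper(), ("unknown", "unknown"))[1]
        vc = self.vendor_class.lower()  # DHCP option 60 refines the OUI guess
        if "camera" in vc:
            return "ip-camera"
        if "dvr" in vc:
            return "dvr"
        return cls

    @property
    def agent_capable(self) -> bool:
        return self.device_class not in AGENTLESS_CLASSES

    @property
    def shadow(self) -> bool:
        return self.mac not in CMDB  # seen on the wire, not provisioned by IT


def build_inventory(dhcp_lines, arp_lines):
    """Merge DHCP and ARP observations into one inventory keyed by MAC."""
    inv = {}
    for line in dhcp_lines:
        m = DHCP_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        dev = inv.setdefault(mac, Device(mac=mac, ip=m["ip"]))
        dev.ip = m["ip"]
        dev.hostname = m["host"] or dev.hostname
        dev.vendor_class = m["vc"] or dev.vendor_class
        dev.sources.add("dhcp")
    # ARP catches statically addressed devices that never talk to DHCP.
    for line in arp_lines:
        m = ARP_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        dev = inv.setdefault(mac, Device(mac=mac, ip=m["ip"]))
        dev.sources.add("arp")
    return inv


def summarize(inv):
    """MAC lists a security team would act on, ordered by IP address."""
    devs = sorted(inv.values(), key=lambda d: ipaddress.ip_address(d.ip))
    return {
        "total": len(devs),
        "shadow": [d.mac for d in devs if d.shadow],
        "needs_agentless": [d.mac for d in devs if not d.agent_capable],
        "arp_only": [d.mac for d in devs if d.sources == {"arp"}],
    }


# Constructed sample data.
SAMPLE_DHCP_LOG = """\
May 10 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.0.11 to 02:1a:11:00:00:07 (cam-lobby) via eth0 vendor-class="AcmeCam/2.1"
May 10 09:12:05 dhcp1 dhcpd: DHCPACK on 10.20.0.12 to 02:1a:22:00:00:03 (nvr-01) via eth0 vendor-class="AcmeDVR"
May 10 09:12:09 dhcp1 dhcpd: DHCPACK on 10.20.0.50 to 02:2b:44:00:00:01 (ws-finance-07) via eth0 vendor-class="MSFT 5.0"
May 10 09:13:40 dhcp1 dhcpd: DHCPACK on 10.20.0.99 to 02:5c:77:ab:cd:ef via eth0
""".splitlines()

SAMPLE_ARP_TABLE = """\
10.20.0.11   02:1a:11:00:00:07
10.20.0.50   02:2b:44:00:00:01
10.20.0.200  02:1a:33:00:00:09
""".splitlines()

if __name__ == "__main__":
    print(summarize(build_inventory(SAMPLE_DHCP_LOG, SAMPLE_ARP_TABLE)))
```

The thermostat at 10.20.0.200 never appears in the DHCP log, only in the ARP table, which is the kind of statically addressed device a DHCP-only view would miss; combining several passive sources is what makes the inventory usable without an agent. Of the five devices, only the finance workstation is in the CMDB, so the other four are reported as shadow devices.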

Page 19

1. IoT Landscape
2. Threat Landscape
3. Gartner IoT Security Market Guide
4. IoT Attack Samples

Page 20

PDQ LaserWash

http://www.darkreading.com/vulnerabilities---threats/hackin-at-the-car-wash-yeah/d/d-id/1319156

Overview: Hacking At The Car Wash
Devices: Unmanned auto car wash
Industry: Retail
Description: The web interface in a popular remote-access car wash system was hacked, allowing the attacker to hijack the functions of a car wash. In one incident the rotary arm in the car wash smashed into a minivan mid-wash, spraying water into the vehicle and at the family inside. The minivan driver quickly accelerated out of the car wash, badly damaging the equipment as well as the vehicle.

Page 21

Various Banks

http://www.ibtimes.co.uk/billion-dollar-bank-job-how-hackers-stole-1bn-100-banks-30-countries-1488148

Overview: The Billion Dollar Bank Job: How hackers stole $1bn from 100 banks in 30 countries
Devices: Video surveillance cameras, among others
Industry: Finance
Description: The Carbanak gang (named after the malware it uses), with members in Russia, Ukraine, China and other parts of Europe, has been stealing tens of millions of dollars from banks, e-payment systems and other financial institutions since 2013. In addition to other means, the gang used the banks' own cameras against them: they were able to see and record everything that was happening on the screens of bank employees. By monitoring these screens the hackers gained intimate knowledge of how each bank's specific internal systems worked, allowing them to tailor each attack.

Page 22

Romantik Seehotel Jaegerwirt Hotel

https://www.siliconrepublic.com/machines/iot-hackers-austria-dc-blockchain

Overview: Austrian hotel shut out by hackers, quite literally
Devices: Electronic key system and entire computer system
Industry: Austrian hotel rooms
Description: According to Austrian news site The Local, the Romantik Seehotel Jaegerwirt hotel, located in the picturesque Alps, was hit by a cyberattack that resulted in all its guests being locked out of their rooms. Guests could leave their rooms; however, they were unable to re-enter them.

Activating the door-locking mechanism remotely, the hackers were able to send the hotel into chaos during the height of the ski season, while also shutting down the hotel’s entire computer system. The hotel had to pay thousands in bitcoin ransom to cybercriminals to get the rooms unlocked. The manager said it was cheaper and faster for the hotel to just pay the bitcoin.

Page 23

Boeing & United Airlines

http://edition.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/

Overview: Hacker claimed control of a United Airlines flight's engine controls
Devices: In-flight entertainment systems
Industry: Airline
Description: A cybersecurity consultant hacked into computer systems aboard airliners up to 20 times and managed to control an aircraft engine during a flight. He hacked into in-flight entertainment systems aboard the aircraft and then accessed the flight control system, which he manipulated to cause one of the airplane engines to climb, resulting in a lateral or sideways movement of the plane during one of the flights.

Page 24

The End

Page 25

Acronym Glossary

AAA Authentication, Authorization and Accounting

ACL Access Control List

ACS Access Control Server [Cisco]

AD Active Directory

ANSI American National Standards Institute

API Application Programming Interface

ARP Address Resolution Protocol

ATD Advanced Threat Detection

ATP Advanced Threat Prevention

AUP Acceptable Use Policy

AV Antivirus

AWS Amazon Web Services

BYOD Bring Your Own Device

C&C Command and Control

CA Certificate Authority

CAM Content Addressable Memory

CASB Cloud Access Security Broker

CCE Common Configuration Enumeration

CDP Cisco Discovery Protocol

CEF Cisco Express Forwarding

CIS Center for Internet Security, Inc.

CIUP Cumulative Infrastructure Update Pack

CLI Command Line Interface

CMDB Configuration Management Database

CoA Change of Authorization

CPPM ClearPass Policy Manager

CPU Central Processing Unit

CSC Critical Security Controls

CSV Comma Separated Value

CUP Cumulative Update Pack

CVE Common Vulnerabilities and Exposures

DB Database

DDoS Distributed Denial of Service

DHCP Dynamic Host Configuration Protocol

DLP Data Loss Prevention

DNS Domain Name Server

EDR Endpoint Detection and Response

EM Enterprise Manager

EMM Enterprise Mobility Management

ePO ePolicy Orchestrator

EPP Endpoint Protection Platform

FERC Federal Energy Regulatory Commission

FIPS Federal Information Processing standards

FQDN Fully Qualified Domain Name

FTP File Transfer Protocol

FW Firewall

GCP Google Cloud Platform

GPO Group Policy Object

GUI Graphical User Interface

HA High Availability

HBSS Host Based Security System

HIP Host Information Policy [Palo Alto Networks]

HIPAA Health Insurance Portability & Accountability Act

HITECH Health Information Technology for Economic and Clinical Health

HPS Host Property Scanner

HR Human Resources

HTML Hypertext Markup Language

HTTP Hypertext Transfer Protocol

IaaS Infrastructure as a Service

ICMP Internet Control Message Protocol

ID Identification

IDaaS Identity as a Service

iDRAC Integrated Dell Remote Access Controller

IM Instant Messaging

IMAP Internet Message Access Protocol

IOC Indicator of Compromise

iOS iPhone Operating System [Apple]

IoT Internet of Things

IP Internet Protocol

IPMI Intelligent Platform Management Interface

IPS Intrusion Protection System

ISE Identity Services Engine [Cisco]

IT Information Technology

ITAM Information Technology Access Management

ITSM Information Technology Service Management

LAN Local area Network

LDAP Lightweight Directory Access Protocol

LLDP Link Layer Discovery Protocol

MAB MAC Authentication Bypass

MAC Media Access Control

MAPI Messaging Application Programming Interface

MDM Mobile Device Management

MTP Mobile Threat Prevention [FireEye]

MTTD Mean Time to Detection

MTTR Mean Time to Resolution

NA Not Applicable

NAC Network Access Control

NAT Network Address Translation

NBT NetBIOS over TCP/IP

NERC North American Electric Reliability Corp.

NetBIOS Network Basic Input/Output System

NGFW Next-Generation Firewall

NIC Network Interface Card

NIST National Institute of Standards and Technology

Nmap Network Mapper

NOC Network Operations Center

OS Operating System

OT Operational Technology

OU Organizational Unit

OVAL Open Vulnerability and Assessment Language

P2P Peer-to-Peer

PAM Privileged Access Management

PAN OS 7.x Palo Alto Networks Operating System 7.x

PC Personal Computer

PCI Payment Card Industry

PKI Public Key Infrastructure

PoE Power over Ethernet

POP3 Post Office Protocol

pxGrid Platform Exchange Grid [Cisco]

RADIUS Remote Authentication Dial-In User Service

RAP Roving Analysis Port

RDP Remote Desktop Protocol

Reauth Reauthorization

RI Remote Inspection

RM Recovery Manager

RMM Remote Monitoring and Management

RO Read Only

ROI Return on Investment

RPC Remote Procedure Call

RRP Remote Registry Protocol

RTU Remote Terminal Unit

RW Read/Write

SaaS Software as a Service

Page 26

Acronym Glossary

SANS System Administration, Networking and Security Institute

SCADA Supervisory Control and Data Acquisition

SCAP Security Compliance Automation Protocol

SCCM System Center Configuration Manager

SDN Software Defined Network

SEL System Event Log

SGT Security Group Tags [Cisco]

SIEM Security Information and Event Management

SMS Short Message Service

SNMP Simple Network Management Protocol

SOC Security Operations Center

SOX Sarbanes-Oxley

SPAN Switch Port Analyzer

SQL Structured Query Language

SSH Secure Shell

SSID Service Set Identifier

SSL Secure Sockets Layer

SSO Single Sign On

STIG Security Technical Implementation Guide

SYSLOG System Log

TACACS Terminal Access Controller Access Control System

TAM Threat Assessment Manager [FireEye]

TAP Threat Analytics Platform [FireEye]

TCO Total Cost of Ownership

TCP Transmission Control Protocol

TIP Threat Intelligence Platform

TLS Transport Layer Security

UBA User Behavior Analytics

UDP User Datagram Protocol

URL Universal Resource Locator

USB Universal Serial Bus

VA Vulnerability Assessment

vCT Virtual CounterACT

VDI Virtual Desktop Infrastructure

vFW Virtual Firewall

VGA Video Graphics Array

VLAN Virtual Local Area Network

VM Virtual Machine

VoIP Voice over IP

VPN Virtual Private Network

WAF Web Application Firewall

WAN Wide Area Network

WAP Wireless Application Protocol

WMI Windows Management Instrumentation

WSUS Windows System Update Services

XCCDF The Extensible Configuration Checklist Description Format

XML Extensible Markup Language