Published: 10 Jan 2017
The internet of things, with its dangers and benefits alike, is transforming how businesses work, and it's also changing how enterprises need to think about IT security. Until now, policies for information security have been guided by the confidentiality, integrity and availability (CIA) model, but as control systems and everyday objects begin to connect to other systems and interact with the physical world, safety, reliability and resiliency must also be regarded as crucial components of security. Without them, cyber-physical attacks against critical sectors like energy, healthcare and transportation could result in not only damage to reputations and profits, but environmental damage and loss of life on the scale of a major natural disaster. Devices like energy control systems, smart buildings and hospital equipment have been found to be poorly protected, often missing even rudimentary privacy and security controls, which makes them easy targets for rogue actors around the world.
One of the main tenets of IT security is knowing what assets exist in order to build an appropriate security strategy to protect them. However, countering internet of things dangers requires cataloging, assessing and classifying hundreds or thousands of IoT devices, often located outside an enterprise's recognized physical boundaries, which is a big challenge.
IoT devices lack a common set of compliance requirements, and many run nonconventional operating systems and proprietary protocols. The two big initiatives to standardize device-to-device communication and discovery have been the AllSeen Alliance's AllJoyn framework and the Open Connectivity Foundation's IoTivity. OCF has now merged with AllSeen to create a single IoT discovery body, but it's still a confusing arena with Google promoting Weave as a communications platform for IoT devices. Hopefully, a de facto standard will emerge that covers device-to-device communication and discovery as well, requiring consistent implementation of identity, authentication and security controls. Until then, enterprises will have to work hard, even improvise, to take control of their IoT devices and prevent shadow IoT from becoming a bigger threat to enterprises than shadow IT. This feature looks at how other security pros are working to create an IoT device discovery process and what kinds of tools an organization might use in their network to find and secure IoT devices they aren't aware of.
Tools to counter internet of things dangers
Although it's too soon for there to be any industry best practices for IoT device discovery, there are free tools -- some of them open source -- that can identify and help create an inventory of devices that have the capability of connecting to the network or to another device. Nmap has always been a popular tool for network discovery and inventory. It uses raw IP packets to scan for live hosts on a network; Masscan is sometimes a better option when scanning a large IP address space as it's quicker, albeit not as accurate. Subbrute is a subdomain enumeration tool commonly used during the discovery phase of a pen test to find new hosts, often detecting subdomains where their resolution is intentionally blocked. The results from Subbrute can be fed into Nmap scans to ensure no part of a network is overlooked. A tool such as the OpenVAS vulnerability scanner can then be used to detect flaws based on the Nmap inventory.
The limitation with this type of conventional asset scan when looking for IoT devices is that, although it can discover devices, it may not be able to identify them. This is why Shodan and Censys use the banners returned by devices to identify them. Many IoT devices broadcast information about themselves in a banner, metadata sent during the establishment of a connection to an open port. This data is indexed by Shodan and Censys to produce a more meaningful database of IoT devices, and the Shodan Exploits database can be used to find vulnerabilities associated with IoT devices found during a network search. The hackers behind the Mirai and Bashlite malware basically automated this process by continuously scouring the internet for IoT devices protected by factory default or hardcoded usernames and passwords to create an IoT botnet. In response, Rapid7 released IoTSeeker to help network administrators identify devices still using factory settings and default credentials.
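As an added example (not from the article, Nmap, Shodan or any other tool it names), the following Python script turns Nmap's service-scan XML output into the kind of banner-based inventory described above: it joins the banner fields Nmap records per port, classifies each live host with a small set of hypothetical keyword rules, and flags cleartext or unauthenticated services that deserve follow-up. The XML sample, the subnet, the classification rules and the flagged service list are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap service-scan XML (nmap -sV -oX -); not a real scan result.
SAMPLE_NMAP_XML = """<nmaprun>
<host><status state="up"/><address addr="10.10.20.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="GoAhead WebServer" extrainfo="IP camera"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports></host>
<host><status state="up"/><address addr="10.10.20.12" addrtype="ipv4"/><ports><port protocol="tcp" portid="502"><state state="open"/><service name="mbap" product="Modbus/TCP"/></port></ports></host>
<host><status state="down"/><address addr="10.10.20.13" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.10.20.14" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port></ports></host>
</nmaprun>"""

# Hypothetical banner keyword rules; an organisation grows these from its own scans.
CLASS_RULES = [
    (re.compile(r"camera|goahead", re.I), "ip-camera"),
    (re.compile(r"modbus|mbap|dnp3|bacnet", re.I), "ics-device"),
]
CLEARTEXT = {"telnet", "ftp", "mbap"}  # unauthenticated or cleartext services worth flagging

def banner_of(service):
    """Join the attributes Nmap fills in from the probe response into one banner string."""
    return " ".join(filter(None, (service.get(k) for k in ("name", "product", "version", "extrainfo"))))

def classify(banner):
    for pattern, label in CLASS_RULES:
        if pattern.search(banner):
            return label
    return "unknown"  # needs manual follow-up rather than silent acceptance

def build_inventory(xml_text):
    """Return {ip: {"class", "ports", "flags"}} for every host Nmap reported as up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        entry = {"class": "unknown", "ports": [], "flags": []}
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue
            banner = banner_of(svc)
            entry["ports"].append((int(port.get("portid")), banner))
            if entry["class"] == "unknown":
                entry["class"] = classify(banner)
            if svc.get("name") in CLEARTEXT:
                entry["flags"].append(f"{svc.get('name')}/{port.get('portid')}")
        inventory[host.find("address").get("addr")] = entry
    return inventory
```

Hosts that stay "unknown" after classification are the ones to investigate first, since a banner that matches no rule is exactly the shadow-IoT case the article warns about.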
Of course, banners can be faked, and these services collect data mostly from well-known ports, but many IoT devices run proprietary protocols using nonstandard ports. Pwnie Express' 2016 "Internet of Evil Things" report found most security professionals aren't in a position to monitor or detect less-common radio frequency and off-network IoT devices: Almost 90% can't see Bluetooth devices or monitor 4G LTE devices, and 56% can't monitor on-network IoT devices in real time.
A range of tools required
IoT device discovery is never going to be a one-off task. It requires a range of tools to complete a thorough scan and assess the potential threats. Gary Hayslip, CISO of the city of San Diego and co-author of the CISO Desk Reference Guide, uses tools like the Tenable Network Security suite to scan the city's networks. He is also using Cyberflow Analytics to "specifically scan for, map and use behavior analytics on IoT/SCADA/ICS devices installed on our networks." On top of this, he monitors protocols and dataflows using PacketSled and Cyphort to expose unknown devices or suspect traffic.
Cylance Inc., a cybersecurity company, uses Bastille, a software as a service (SaaS), to uncover covert listening devices and rogue access points that could be used to extract sensitive information. Bastille monitors and details the threat capabilities of devices emitting radio signals -- such as Wi-Fi, cellular, wireless dongles and other IoT communications -- in an enterprise's radio frequency (RF) airspace. Cylance's chief research officer Jon Miller said, "A firewall's not going to protect you from an RF-based attack, and Bastille was actually able to identify a bunch of vulnerable RF devices in our network, and we were able to go around and get everything replaced."
Norwich University chose Pulse, another SaaS tool made by Boston-based Pwnie Express, to identify and alert on any malicious activity across wired, wireless and Bluetooth-connected devices in real time during the Super Bowl. "With five critical networks to monitor, it was crucial that we had a platform which could quickly show us what threats needed our attention immediately. With Pwnie, we were able to see the full gamut of threats to the operational networks at Super Bowl 50 and focus our response activity accordingly," said Phil Susmann, Norwich University's vice president of strategic partnerships.
Classify, configure, identify devices
IoT devices found on the network need to be classified and inventoried just like any other IT asset; classification helps to determine the security controls suited to the type of endpoint and the risks inherent in compromising it. Some form of configuration management database (CMDB) can help track and manage the lifecycle of IoT devices, but as Hayslip pointed out, "IoT configuration management is still relatively new. We have agreements with our vendors to manage the devices and install security patches" within a time frame the service-level agreement designates.
Administrators certainly need to ensure any CMDB they use can accommodate potentially thousands of additional devices and the connectivity and relationships between them. ManageEngine's AssetExplorer CMDB can store dependency and connections between assets, while i-doit is a web-based CMDB for documenting an IT infrastructure. The IBM Watson IoT Platform offers various industry-specific asset management solutions.
Internet of things dangers
When it comes to identifying internet of things dangers created by devices, the diversity of devices will mean organizations will need to conduct customized risk assessments, often relying on third-party expertise, to identify what the risks are and how best to contain them. The city of San Diego uses AttackIQ to perform attack scenario testing to remediate risks from installed solutions. Hayslip explained, "We have tools in-house to test, but we also contract out to third-party vendors to provide pen testing services. Many of the risk issues associated with industrial IoT are still relatively new, so I have no problem asking for help and collaborating with people who have those skill sets."
Both established and startup security vendors are looking for ways to help enterprises secure their IoT. "IoT clearly has a malicious-code dimension, and antimalware vendors have been working on the problem for some time," explained Cameron Camp, a researcher with ESET, the Slovakia-based security software company. "For example, because routers handle a lot of the connections that IoT devices make, we already have security suites addressing router issues, and you can expect to see antimalware technology embedded at more points in the IoT ecosphere moving forward."
Internet of things dangers are mostly a problem for the manufacturers to solve. It may be some time before IoT alliances and consortia develop best practices and technology standards mandating that security is built in from the beginning. Hayslip said, "There are all kinds of protocols and proprietary software suites running right now for IoT. I would love to see IoT consolidate around some mutual communications protocols that have security as a major component. I think it would make it easier for the industry to provide a quality product that is secure."
Until there's consensus on how best to secure devices and the data they create and transmit, early adopters must choose their partners with extra care because, in many instances, users will be dependent on the security of the device rather than perimeter and endpoint defenses. Traditional security best practices will still apply, of course. For example, "microsegmentation, keeping IoT in a separate community so the data flows are separate, which makes it easier to monitor and manage from a visibility standpoint," is the key security control that helps Hayslip sleep more easily at night.
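The microsegmentation and dataflow monitoring described above, as an added example that is not from the article or any vendor it names: a Python audit over constructed flow records that checks two things a separate IoT segment makes easy to see, an IoT-segment address that is missing from the discovery inventory, and IoT traffic leaving its segment to a destination the policy does not allow. The subnets, the inventory, the allowed-egress policy and the flow lines are all hypothetical.

```python
import ipaddress

# Hypothetical segment layout: IoT devices get their own subnet, separate from users and servers.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.10.20.0/24"),
    "users": ipaddress.ip_network("10.10.30.0/24"),
    "servers": ipaddress.ip_network("10.10.40.0/24"),
}
# Approved IoT hosts from the discovery inventory (constructed).
IOT_INVENTORY = {"10.10.20.11", "10.10.20.12"}
# Hypothetical policy: the only (segment, port) pairs IoT may reach outside its own segment.
ALLOWED_EGRESS = {("servers", 8883), ("servers", 123)}  # MQTT over TLS, NTP

# Constructed flow records, one "src dst dport proto" per line, as a flow exporter might emit.
SAMPLE_FLOWS = """\
10.10.20.11 10.10.40.5 8883 tcp
10.10.20.12 10.10.40.5 123 udp
10.10.20.11 10.10.30.7 445 tcp
10.10.20.99 10.10.40.5 8883 tcp
10.10.30.7 10.10.20.11 80 tcp
10.10.20.12 10.10.20.11 80 tcp
"""

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def audit_flows(flow_text):
    """Return (rule, flow) findings: IoT talkers absent from the inventory, and IoT
    traffic leaving the segment to a destination the policy does not allow."""
    findings = []
    for line in flow_text.splitlines():
        src, dst, dport, _proto = line.split()
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg != "iot":
            continue  # this audit covers only traffic originating in the IoT segment
        if src not in IOT_INVENTORY:
            findings.append(("unknown-iot-device", line))
        if dst_seg != "iot" and (dst_seg, int(dport)) not in ALLOWED_EGRESS:
            findings.append(("iot-egress-violation", line))
    return findings
```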
The fast-moving nature of IoT and the rapid and unprecedented expansion of internet of things dangers mean enterprises need complete awareness of what IoT devices are using their network. To that end, a good first step may be to check out the Center for Internet Security's "Critical Security Controls for Effective Cyber Defense: IoT Security" report. Security teams must also know what capabilities these IoT devices have and what vulnerabilities and threats they introduce. It's still a steep learning curve for everyone, but by using a combination of tools, techniques and third-party expertise, enterprises can begin to reduce the risk many IoT devices pose.