The security industry by consensus sees the Internet-of-things (IoT) as vast new attack surface. Pwnie Express calls it "The Internet of Evil Things," which is saying a lot. We're not saying they're wrong. In their report of that name, Pwnie Express argued that the IoT is introducing significant security risks to enterprises, and that defenses aren't keeping up.
The Mirai botnets brought the risk of the IoT to general attention. “Mirai demonstrated what the right malware could do if unleashed onto poorly configured or inadequately secured devices,” Paul Paget, Pwnie Express CEO said. “When you consider the exploding number of connected devices, many with poorly configured or no security and the fact that security teams can’t see these devices, it becomes clear that security programs need to shift spending to adapt more quickly.”
Pwnie Express's survey found that: 20% of the respondents said their IoT devices had experienced a ransomware attack last year, 16% of them had experienced man-in-the-middle attacks mediated by IoT devices, and "devices continue to lend themselves to problematic configurations." The report draws attention to open-by-default wireless SSIDs in common routers, and printers' built-in hotspots for configuration and set-up as especially "problematic."
The risks of the IoT are undeniably large, but it's benefits are also large (arguably larger) and it would be quixotic to expect a general retreat from connectivity in devices we use daily. (Nor would Pwnie Express argue in their report that such a retreat is either feasible or desirable.) So given the benefits, we'd prefer to think of the Internet of, not evil, but rather awkward, things.
The distributed denial-of-service problem.
We took up the distributed denial-of-service (DDoS) risk with Corero. It's not exclusively an IoT problem, but the IoT has figured prominently in it. We asked Corero's CEO, Ashley Stephenson, what trends he saw at RSA. "We view RSA from a relatively small island called 'DDoS'," Stephenson said. Customers are surprised by the amount of activity in the DDoS space. "What they don't see, they don't know about—it gets lumped into network performance. You can't prevent it; it's going to happen." Customers are increasingly looking to providers to protect them.
In terms of protection, he thought the disruption of KrebsOnSecurity's site by Mirai was "an interesting example." Krebs's service provider, Akamai, had an issue with cost, not technology. Their technology was capable of mitigating the DDoS attack, but the cost of protection can exceed the value of the asset being protected. "For any victim there's always a break-even point."
There's lots of interest in Mirai because of the possibility of using the IoT as an attack source. "Attribution is incredibly difficult." The resources required to mount significant attacks are now available to individuals. The real value of the new "muck spreader" version of Mirai that propagates through Windows machines, Stephenson noted, is its ability to recruit bots behind Telnet firewalls. It can enter a network as a phishing payload. Thus bots can be recruited even if their network wasn't accessible from the outside.
Corero's DDoS solution takes in raw Internet traffic and inspects it for DDoS irregularities. "We decide in realtime if every packet entering the networks is legitimate," Stephenson said. There's a range of some fifty different indicators, from unusual source IP addresses, through unusual rates and unusual subnets, down to deep packet inspection. Corero drops the malicious packets and inspects them later to "asymptotically approach zero false positive rates." Corero sees itself not as a cloud provider, but as a service-enabling company. "Akamai and Prolexic are complementary companies."
To a question about whether compromised IoT devices represented the future of DDoS, Stephenson answered, "Well, there are a lot of them, and botnets scale with numbers of bots." IoT devices have poor security, and they're unlikely to be upgraded. "So Mirai scores a 7 out of 10 in its potential to pose an enduring threat," he said. "Botnets have been around for years. Mirai is less a scientific discovery than a rise to fame." As the security industry saw with credit card fraud, if you want to roll systems out rapidly, risk is part of the cost of doing business.
A look at IoT standards, with a side of optimism.
We were able to speak to Citrix's CSO, Stan Black. We began by asking what he thought the likely sources of emerging IoT security standards would be. States, Federal regulators, voluntary standards bodies, NIST, the plaintiff's bar? "Sadly," he answered, "every organization you just outlined will be driving parts of those standards." If you look at technology and risk, it's not just the connected home, he pointed out, or the mom-and-pop shops with networked security cameras, but it's risk we now see in the power grid, in water supplies, in transportation systems. Black would recommend that we start our approach to standards by "naming and framing": name the problem, and frame the potential solution.
He would like to see standards emerge from a consensus of governments around the world. Unfortunately, however, governments tend not to have a lot of domain knowledge. The challenge is all the greater because the attack surface is not only vast, but because, post-implementation, you have so little contact with IoT devices.
Citrix contributes toward the solution by what Black takes to be its distinctive approach to legacy technology. "Since we're pretty platform-agnostic, we can virtualize old technology, securely wrap it, and provide a secure connection that mitigates much risk." Consider dam controls as one example: "You can take thirty-year-old controls, put a rudimentary connected front end on them, and then secure it."
The problem with the small stuff—networked security cameras and so on—is in Black's view "basically access." He explained, "When you put something cheap, old, simple, and not secure online, you have problems. We think we can remove access, and deliver communication in a lightweight, secure tunnel."
In sum, he's optimistic. Whatever business Citrix's customers are in, they now see themselves as effectively in three businesses: IT, security, and then whatever their line business may be (financial services, healthcare, manufacturing, etc.). We're making a significant turn, he thinks, and now have a chance to build a secure, enduring infrastructure. "We have the ability to remove some of the people, processes, and technologies, and get to the root causes of security problems. We couldn't have done that even five years ago."