How Local Governments Can Help Their Remotely Employed Cybersecurity Teams


When the COVID-19 lockdowns began many months ago, experts in the cybersecurity industry knew what was coming next. As we have established in past articles, hackers are opportunistic, eager for any chaos to exploit in pursuit of their goals. A society-wide shutdown that left many people online for much longer than usual was the perfect opening, especially against high-value targets like local governments, which experienced a 100% increase in site traffic immediately following the stay-at-home orders.

Now, six months later – though restrictions have eased throughout the U.S. and malicious cyber-activity has subsided from the fever pitch it reached at that time – there are still threats to contend with. This time, cybersecurity teams are working away from the office and facing complex and unprecedented situations. Remote employment is a complicated affair in general, but for cybersecurity teams and security operations centers (SOCs) it presents a number of unique challenges.

While 98% of the population says it would “like to work remotely,” no less than 89% of cybersecurity professionals say they are facing increased job difficulty because of stay-at-home policies, according to a recent study. This shocking disparity suggests the obvious: it is hard for cybersecurity teams to do their jobs properly outside their organizations’ premises.

In this article, we’ll look at several reasons why this is the case, and how local governments can help their vitally important cybersecurity personnel to succeed as remote employees.

Insecurity of Remote Endpoints

The first problem is that cybersecurity professionals aren’t the only ones working from home now: their coworkers are doing the same thing, which shifts the perimeter that security teams are obligated to monitor and protect. In June, only 26% of the U.S. workforce was still working on physical business premises.

When targeting an organization, attackers seek any endpoint that may be attached to it. Those endpoints have expanded to include devices, systems and equipment across a large geographic region. Notoriously vulnerable IoT and mobile devices in employee homes provide the perfect bridge to work computers, and enforcing security measures in those homes is difficult.

Remote endpoints also offer an increased opportunity for credential theft, which is the main culprit behind 80% of hacking-related breaches. While most of these are the consequence of phishing schemes (which have also increased under lockdown), they can just as easily result from an insecure or keylogged work computer. Attackers with stolen credentials are much harder to fend off, since they look like legitimate users.

Protecting Off-Premise Devices

Taking work-devices off-premise has always been a security concern, but it has never occurred at this scale before. Fortunately, there are ways to reduce their vulnerability:

  1. Increase monitoring for suspicious activity on business networks that indicates an attempt by a “legitimate” user to elevate their own privileges (new privileged users on network hosts, unusual requests to a domain controller, memory dumps of authentication processes, etc.).
  2. If feasible, recommend that off-premise employees segment the networks in their home office by using two routers, one for work and one for personal use. This provides a physical barrier against attacks propagating from vulnerable devices.
  3. Above all, enforce cybersecurity training for all personnel, specifically emphasizing recognition of phishing attacks and the danger of IoT and other non-essential connected devices.
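The first measure above is concrete enough to show in code. The following is an added example (not from the original article or from Securicon) of a small triage script that applies three of the indicators just listed to Windows-style security telemetry: a user added to a privileged group, a non-system process opening the LSA authentication process (lsass.exe), and one account requesting an unusual burst of service tickets from a domain controller. The event IDs 4728/4732/4756, 4769 and Sysmon 10 are real Windows and Sysmon identifiers; the key=value log format, the hosts, users, allowlist and tuning thresholds are all constructed assumptions for the example.

```python
"""Triage of privilege-escalation indicators over Windows-style event lines.

Rules: (1) member added to a privileged group, (2) non-allowlisted process
opening lsass.exe, (3) one account requesting many distinct service tickets
from a domain controller in a short window.  Event IDs are real Windows /
Sysmon identifiers; every value in SAMPLE_LOG is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry, one "key=value ..." record per line.  Values
# carry no spaces in this toy format (a real collector would ship JSON/EVTX).
SAMPLE_LOG = r"""
ts=2020-09-14T09:02:11 host=WS-104 event=4688 user=alice image=C:\Windows\explorer.exe
ts=2020-09-14T09:05:40 host=WS-104 event=4732 user=alice group=Administrators member=alice
ts=2020-09-14T09:06:02 host=WS-104 event=10 user=alice source=C:\Temp\svc.exe target=C:\Windows\System32\lsass.exe
ts=2020-09-14T09:06:03 host=WS-104 event=10 user=SYSTEM source=C:\Windows\System32\csrss.exe target=C:\Windows\System32\lsass.exe
ts=2020-09-14T09:07:10 host=DC01 event=4769 user=alice service=MSSQLSvc/db1
ts=2020-09-14T09:07:11 host=DC01 event=4769 user=alice service=MSSQLSvc/db2
ts=2020-09-14T09:07:12 host=DC01 event=4769 user=alice service=HTTP/intranet
ts=2020-09-14T09:07:13 host=DC01 event=4769 user=alice service=CIFS/files
ts=2020-09-14T09:07:14 host=DC01 event=4769 user=alice service=LDAP/dc01
ts=2020-09-14T09:07:15 host=DC01 event=4769 user=alice service=HOST/app7
ts=2020-09-14T10:30:00 host=DC01 event=4769 user=bob service=CIFS/files
"""

PRIVILEGED_GROUPS = {"Administrators", "Domain_Admins", "Enterprise_Admins"}
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}   # member added to global/local/universal group
# Assumed per-site allowlist of OS processes that legitimately open lsass.exe.
LSASS_ALLOWED_SOURCES = {r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\wininit.exe"}
TICKET_BURST_MIN_SERVICES = 5                  # assumed tuning values, adjust per environment
TICKET_BURST_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict and parse the ISO timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def ticket_burst(user, reqs):
    """Alert if `user` requested >= N distinct service tickets inside one window."""
    reqs.sort()  # (ts, service, host) tuples sort chronologically
    for i, (start, _, host) in enumerate(reqs):
        in_window = [r for r in reqs[i:] if r[0] - start <= TICKET_BURST_WINDOW]
        services = {svc for _, svc, _ in in_window}
        if len(services) >= TICKET_BURST_MIN_SERVICES:
            return Alert("service-ticket-burst", host, user,
                         f"{len(services)} distinct service tickets within {TICKET_BURST_WINDOW}")
    return None


def detect(lines):
    """Run all three rules over an iterable of log lines; return the alerts in order."""
    alerts = []
    tickets = defaultdict(list)  # user -> [(ts, service, host)]
    for ev in (parse_line(l) for l in lines if l.strip()):
        eid = ev["event"]
        if eid in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(Alert("new-privileged-member", ev["host"], ev["user"],
                                f"{ev['member']} added to {ev['group']}"))
        elif eid == "10" and ev.get("target", "").lower().endswith("\\lsass.exe"):
            # Sysmon ProcessAccess: only unexpected source images are interesting.
            if ev.get("source") not in LSASS_ALLOWED_SOURCES:
                alerts.append(Alert("lsass-memory-access", ev["host"], ev["user"],
                                    f"{ev['source']} opened a handle to lsass.exe"))
        elif eid == "4769":
            tickets[ev["user"]].append((ev["ts"], ev["service"], ev["host"]))
    for user, reqs in tickets.items():
        hit = ticket_burst(user, reqs)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a.rule}] host={a.host} user={a.user}: {a.detail}")
```

On the sample, alice's group change, the svc.exe handle to lsass.exe and her six-service ticket burst each raise one alert, while csrss.exe and bob's single request do not.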

While none of these measures can guarantee protection from attacks through remote employees, they will definitely diminish the opportunity.

Strained Security Resources

During the lockdowns, local governments and other organizations have experienced a dramatic rise in IT support tickets to troubleshoot problems with business software and home office equipment. Accordingly, nearly half of cybersecurity professionals said they had been shifted to an IT role, leaving their colleagues with double the workload.

Little wonder, then, that in the middle of a cybersecurity talent gap, many have considered leaving their current jobs for calmer waters where they can practice the profession they trained for. This is a loss that local government agencies can ill afford – and fortunately, it’s mostly unnecessary.

Reducing Work Strain

To this day, upper management often considers cybersecurity a mere function of IT, when the two are actually distinct disciplines.

  • Avoid hemorrhaging your security resources by clearly defining the domain of IT and the domain of cybersecurity. Allow the former to handle the implementation and troubleshooting made necessary by the transition, and consider outsourcing or new hires where necessary.
  • Provide adequate resources for your cybersecurity team; maintain communication through HR and ensure that they are not overburdened during a time when they are needed most.

In the hectic and sometimes experimental transition to remote employment, it’s easy for any business to become disorganized and leave people behind in the shuffle. Preventing this is an utmost priority.

Communication Problems

Effective cybersecurity requires a constant stream of communication between different operatives, and often communication between departments, especially when problems need to be resolved in real time. But while it is possible to remain in communication while working remotely, that does not mean it is easy.

As Dr. Grigorios Fragkos, vCISO at Dubai Expo 2020, notes:

When you work with your team throughout the day, you can discuss, coordinate and brainstorm on-the-fly, but it takes way more time to have these micro-communications over virtual mediums, phone-calls and emails, compared to a brief face-to-face catchup.

Therefore, remote employment brings delays to the communications process, and important communications may even be lost in the noise.

Ensure Communication

There are several ways to make sure your cybersecurity professionals can stay in touch:

  • Invest in collaboration software and lightweight communication channels that bring together your IT, cybersecurity, HR and business teams.
  • Even if channels are provided, engagement with those tools may be low, simply because old habits die hard. Ensure regular team check-ins, and make those channels a fundamental part of the new work process.
  • Segment critical channels from more general ones so your cybersecurity team knows how to prioritize their response to incoming information.

Your security professionals are frequently inundated with data – especially in a SOC environment – that may require intense and focused attention. Ensuring they have the tools they need to quickly communicate and get back to work is essential to their success.

Conclusion

In our free infographic checklist, we step through all the ingredients of an effective remote cybersecurity team including:

  • Crucial security strategies for remote endpoints
  • Key points of effective cyber hygiene for your entire organization
  • What every remote cybersecurity professional needs to succeed


Remote employment is far from impossible, even in the domain of cybersecurity, but the process of establishing a balanced workload, communication and effective strategies for securing remote endpoints requires proactivity from everyone involved, especially those at the top.


Securicon provides information security solutions to public and private sector organizations. Our expert cybersecurity teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance (GRC) services; and security architecture review and design services. Contact Us to learn more!

The IoT Security Problem in 2020: Taking a Deeper Look


In 2017, an unnamed casino found that its data servers had been compromised and called on the aid of a security firm to help find the culprit. Shortly afterwards, the surprising results of this investigation were reported far and wide: like the plot of an ill-conceived James Bond story, hackers had entered the casino’s network through an Internet-connected thermostat in a decorative aquarium.

Today’s organizations have a lot more to worry about than the old fish tank trick: this year, experts estimate that the number of devices connected to the Internet will reach 30.1 billion, a record that will continue to climb for years to come. In our time, connected refrigerators, printers, TVs and smart meters will provide points of entry for hackers with increasing frequency.

In the past, we’ve written about the security problems plaguing the current generation of IoT devices: just two years ago, researchers at the Black Hat and DEFCON security conferences showed just how bad the problem is by hacking dozens of devices in unique and novel ways. This raises the question: how did we get here? Why is IoT so difficult to secure, and what can organizations do about it?

Why IoT is A Supply-Side Problem

To explain the IoT security problem, we have told ourselves a plausible story sometimes repeated on our website: IoT is an inherent security risk, because increasing the number of Internet-connected devices in an organization also expands the attack surface available to malicious actors. But – while there is truth to this story – it does not explain the sheer number of easily prevented security issues in business-grade IoT. According to the Ponemon Institute, 51% of organizations acquire IoT products through a third party; meanwhile, 48% of organizations have been subject to at least one IoT attack, and that number is rising. As we will see, these two facts are not unrelated.

Manufacturing in the 21st Century

The way products are developed today – especially technology-based products – has evolved from a pure engineering model to one based more on component integration. Rather than manufacture a new TCP/IP network card for your new product, for instance, it’s quicker and less expensive to integrate one already produced by a third-party vendor. On the positive side, this means that your product can reach the marketplace sooner, or in manufacturing speak, with “reduced time to market”. On the negative side, the same components may end up in hundreds of products from a variety of manufacturers, and – if one such component has a security flaw – that flaw ends up in all those products at the same time. This phenomenon is well attested by the current state of IoT.

What This Means for Security

In the absence of industry regulations that encourage high security standards for IoT products, the incentive for vendors to make a quick profit by cutting corners drives sloppy development, a lack of vulnerability testing and quality control issues galore. The IoT market is in its “wild west” phase, as the PC market was three decades ago, and organizations must be wary of who they work with. The following tactics are some of the most common ways we find IoT vendors punting the responsibility for secure design from themselves to their customers:

  1. Quick Turnaround

The term “Internet of Things” has been around since the 1990s, and the basic premise has never changed: it promises to automate basic tasks, from turning on the lights in your home to adjusting the window shades in a conference room based on the level of ambient sunlight to measuring the temperature gradient over a pipeline in a refinery. At its most basic, IoT is simply the implementation of connected technology to solve a problem. But in order to drive IoT adoption, products must have a reasonable price-point. Consumers won’t pay excessive amounts of money to automate tasks they can easily do by themselves. Manufacturing costs have to be kept low enough that the final products will sell, and this is why manufacturers generally choose to integrate cheap and readily available components.

  2. No Vulnerability Testing

Vendors are not immune to the lack of security awareness which impacts their customers. While it may be in their best, long-term interest to offer products with a high bar for security, it’s all-too-easy for vendors to skip a comprehensive vulnerability testing phase, opting instead to run down a checklist of features, if even that. Many companies lack the capabilities to test their products for security issues in the first place, and without regulations forcing them to do so, they simply won’t bother.

  3. Convenience at the Cost of Risk

When it comes to ease-of-access, what benefits IoT customers also benefits hackers. For the sake of convenience, vendors make design choices that exacerbate the vulnerability of their products: web interfaces, for instance, are the biggest target of IoT attacks – even those behind a network address translation (NAT) firewall can be compromised. Likewise, the omission of two-factor authentication (2FA) and forced credential updates is a decision driven by form over function, when both features could thwart a huge number of IoT attacks. Rather than go to the trouble of building a dedicated customer support channel, vendors have even been known to add easily exploitable backdoors into a device’s firmware.

  4. Poor Firmware

Speaking of backdoors in IoT firmware, the design of firmware is a major contributing factor to IoT security issues: few vendors will dedicate the time it takes to work out all the kinks before release, and debugging facilities used during a device’s staging phase are often left in, allowing hackers to dump a huge amount of useful information. Lack of testing may leave firmware vulnerable to buffer overflows, and the use of open-source platforms leaves a completely unprotected attack surface exposed to attackers. The best vendors update their firmware on a regular basis to patch newly discovered vulnerabilities, but this is a rarity.

  5. API Flaws and External Threats

From the outside, IoT integration with third-party apps through an application programming interface (API) seems like a great idea, but API flaws left by vendors open the doorway to attacks from malicious code hidden within seemingly innocuous applications. Researchers have also proven the possibility of DNS-rebinding attacks on IoT through a website, infected link, advertisement or malicious redirect. In the future, organizations may have to worry that their network will be infected every time their employees browse the Internet.

How to Avoid Bad Vendors

The IoT security gap remains one of the greatest threats to security across federal agencies. In response, legislators have discussed the idea of enforcing IoT regulations for some time, and NIST has produced IR 8259, a draft of recommendations for IoT manufacturers. But until that happens, irresponsible IoT vendors will persist, and organizations must practice due diligence to protect themselves. Here’s how to do that:

  1. Take inventory of the IoT products throughout your organization, alongside any devices connected to the Internet (organizations should be keeping inventory of all their IT assets as part of a comprehensive security strategy).
  2. Conduct a vulnerability assessment to discover the devices that constitute a real threat to your organization, and remediate the issue. This will also give you an idea which vendors to avoid moving forward.
  3. Be careful who you do business with: vet your vendors during the product acquisition phase (industry reputation, quality control, customer testimonials and quality of business). Show an equal amount of caution when expanding the capabilities of IoT devices through third-party software vendors.

Prepare for the Future

While they have never been more serious than they are today, the risks of IoT and principles of supply chain security have been understood for over a decade. But sadly, it’s difficult to apply them, especially when the component integration strategy of many product developers depends on technology sourced from countries that are hostile to the U.S. The Department of Defense (DoD) believes that foreign espionage through IoT products purchased by government agencies in America will be a major issue in the near future, and soon it will require all DoD-partners to follow the policy and procedural controls in NIST 800-178 and to comply with the Cybersecurity Maturity Model Certification (CMMC). Until that happens, government contractors would do well to proactively adopt compliant security strategies, fortify their networks, and analyze their own IoT assets for vulnerabilities. The right time to beat hackers is before they strike.


Securicon Can Help

Securicon offers comprehensive IoT security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2020, there’s no room to be lax about security – contact us today!


Why Third-Party Vendors Are Responsible for the IoT Security Problem


In 2017, an unnamed casino found that its data servers had been compromised and called on the aid of a security firm to help find the culprit. Shortly afterwards, the surprising results of this investigation were reported far and wide: like the plot of an ill-conceived James Bond story, hackers had entered the casino’s network through an Internet-connected thermostat in a decorative aquarium.

Today’s organizations have a lot more to worry about than the old fish tank trick: this year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion, setting a world record that will continue to climb for years to come. In our time, connected refrigerators, printers, TVs, and smart meters will provide points-of-entry for hackers with increasing frequency.

In the past, we’ve written about the security problems plaguing the current generation of IoT devices: just two years ago, researchers at the Black Hat and DEFCON security conferences showed just how bad the problem is by hacking dozens of devices in unique and novel ways. This raises the question: how did we get here? Why is IoT so difficult to secure, and what can organizations do about it?

Why IoT is A Supply-Side Problem

To explain the IoT security problem, we have told ourselves a plausible story sometimes repeated on this website: IoT is an inherent security risk, because increasing the number of Internet-connected devices in an organization also expands the attack surface available to malicious actors.

But – while there is truth to this story – it does not explain the sheer number of easily prevented security issues in business-grade IoT.

According to Ponemon Institute, 51% of organizations acquire IoT products through a third party; meanwhile, 48% of organizations have been subject to at least one IoT attack, and that number is rising. As we will see, these two facts are not unrelated.

How Vendors Cheat on Security

In the absence of industry regulations incentivizing high security standards for IoT products, the incentive for vendors to make a quick profit by cutting corners drives sloppy development, a lack of vulnerability testing, and quality control issues galore. The IoT market is in its “wild west” phase, as the PC market was three decades ago, and organizations must be wary of who they work with.

The following tactics are some of the most common ways we find IoT vendors punting the responsibility for secure design from themselves to their customers.

  1. Quick Turnaround

By now, we have been talking about the “Internet of Things” for years, but the hype cycle isn’t over yet: because it is still cited as one of the best ways for organizations to modernize and take advantage of “big data,” the demand for IoT motivates companies to join the market as fast as they can with an often-questionable supply.

Vendors with no history in the IoT market may introduce products too quickly without an adequate development cycle, patch “IoT” features into their existing product lineup, or simply relabel existing devices as “IoT”. Practices like these lead to devices that not only suffer from general quality issues, but easily succumb to probing and attack.

  2. No Vulnerability Testing

Vendors are not immune to the lack of security awareness which impacts their customers. While it may be in their best, long-term interest to offer products with a high bar for security, it’s all-too-easy for vendors to skip a comprehensive vulnerability testing phase, opting instead to run down a checklist of features, if even that. Many companies lack the capabilities to test their products for security issues in the first place, and without regulations forcing them to do so, they simply won’t bother.

  3. Convenience at the Cost of Risk

When it comes to ease-of-access, what benefits IoT customers also benefits hackers. For the sake of convenience, vendors make design choices that exacerbate the vulnerability of their products: web interfaces, for instance, are the biggest target of IoT attacks – even those behind a firewall with NAT can be compromised. Likewise, the omission of two-factor authentication (2FA) and forced credential updates is a decision driven by form over function, when both features could thwart a huge number of IoT attacks.

  4. Corner-Cutting

Vendors frequently cut corners to make their products work as intended, and these tactics incur a high security risk. Because most IoT devices are embedded, they lack the power to perform data encryption or key negotiation. While these functions could be implemented with a dedicated security chip, most vendors won’t bother due to the added cost of production.

Similarly, when IoT devices lack adequate data storage – or any storage at all – vendors will connect them with the cloud and advertise this as a feature rather than a security liability. Rather than build dedicated customer support channels, vendors will add easily exploited backdoors into the device’s firmware. The list goes on and on.

  5. Poor Firmware

Speaking of backdoors in IoT firmware, the design of firmware is a major contributing factor to IoT security issues: few vendors will dedicate the time it takes to work out all the kinks before release, and debugging facilities used during a device’s staging phase are often left in, allowing hackers to dump a huge amount of useful information.

Lack of testing may leave firmware vulnerable to buffer overflows, and the use of open-source platforms leaves an unprotected attack surface completely visible to attackers. The best vendors update their firmware on a regular basis to patch newly discovered vulnerabilities, but this is a rarity.

  6. API Flaws and External Threats

From the outside, IoT integration with third-party apps through an application programming interface (API) seems like a great idea, but API flaws left by vendors open the doorway to attacks from malicious code hidden within seemingly innocuous applications. Researchers have also proven the possibility of DNS-rebinding attacks on IoT through a website, infected link, advertisement or malicious redirect. In the future, organizations may have to worry that their network will be infected every time their employees browse the Internet.

How to Avoid Bad Vendors

The IoT security gap remains one of the greatest threats to security across federal agencies. In response, legislators have discussed the idea of enforcing IoT regulations for some time, and NIST has produced IR 8259, a draft of recommendations for IoT manufacturers.

But until that happens, bad IoT vendors will persist, and organizations must practice due diligence to protect themselves. Here’s how to do that:

  1. Take inventory of the IoT products throughout your organization, alongside any devices connected to the Internet (organizations should be keeping inventory of all their IT assets as part of a comprehensive security strategy).
  2. Conduct a vulnerability assessment to discover the devices that constitute a real threat to your organization, and remediate the issue. This will also give you an idea which vendors to avoid moving forward.
  3. Be careful who you do business with: vet your vendors during the product acquisition phase (industry reputation, quality control, customer testimonials and quality of business). Show an equal amount of caution when expanding the capabilities of IoT devices through third-party software vendors.

Adopting a Threat-Based Mentality

While they have never been more serious than they are today, the risks of IoT have been understood for over a decade. If organizations have ignored them, it’s because they have adopted a checklist mentality: but following regulations to the letter won’t protect against threats that legislation doesn’t address.

In order to protect their data, revenue and customers, today’s organizations must take a proactive approach to security. With the help of vulnerability and penetration tests, cyber hunt and asset management, “cybersecurity” can mean a lot more than compliance: it can mean safety against malware and targeted attacks.


Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, vulnerability testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

The IoT Security Gap, and Six Ways to Overcome It


By next year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion. That’s up 14.1 billion from 2016 – a shocking amount of growth in a short period of time and quintuple the number of usable IP addresses that existed under IPv4.

As thought leaders predicted a decade ago, the burgeoning Internet of Things (IoT) is outgrowing mobile phones and dominating network connectivity in both the public and private sector. Unfortunately, the more Internet connections an organization has, the more vulnerable it is to attack; but IoT vendors don’t seem to care.

While today’s IoT is more secure than the devices of yesterday, security remains little more than an afterthought for too many product developers. According to scientist Sarah Zatko, IoT vendors continue to omit basic security features out of mere complacency. “They’re just not bothering,” said Zatko, adding that “the needle hasn’t moved much in 15 years”.

The Consequences of Insecure IoT

On one hand, the almost impossibly fast growth of IoT means that a security gap is inevitable. On the other hand, this gap has consequences which organizations cannot afford to ignore: according to research, 48% of companies have already been the victim of at least one IoT attack.

Some of these incidents are damaging enough to gain significant publicity. In 2016, the Mirai botnet propagated through open Telnet ports on 600,000 IoT devices and brought down Internet connectivity across the U.S. East Coast. Other major attacks include:

  • EchoBot – with source code similar to Mirai’s, EchoBot targeted popular consumer and enterprise routers using over 26 unpatched vulnerabilities. Its spread continued into 2019, and it still threatens organizations today.
  • TheMoon – in many ways TheMoon represents “peak malware,” allowing threat actors to rent out thousands of hijacked routers and modems around the world for various malicious purposes.
  • Industroyer – in 2016, the Industroyer malware targeted Ukraine’s power grid and left thousands without electricity for a few hours. In 2017, researchers concluded that points of entry had been exploited within “Industrial IoT” deployed throughout the grid.

What happened in Ukraine is instructive. As time wears on, critical infrastructure in the United States will depend on remote access technologies facilitated by IoT, or will at least be in contact with IoT devices on the same network. Current security standards leave vulnerabilities that could have devastating consequences for businesses, their customers and the nation as a whole.

Regulatory Attempts

Efforts to regulate IoT like other technologies – including cloud and storage systems for classified information – have failed on more than one occasion. In 2017, the “Internet of Things Cybersecurity Improvement Act” was proposed to Congress, but never passed.

A new version of the same bill was introduced earlier this year, with a narrower focus. If passed, it would have put the National Institute of Standards and Technology (NIST) in charge of developing security standards for IoT devices by last month – a move that many in the industry approved of. However, the act is still in limbo and no further developments have occurred.

Unfortunately, it may take a serious incident before the government is prepared to hold IoT vendors to a higher standard. In the meantime, vendors simply don’t face enough pressure from the free market to take care of the problem themselves. For now, organizations must shoulder the responsibility of securing their own devices.

Six Ways to Improve IoT Security

Fortunately, there are many ways to significantly improve IoT security within a public or private enterprise environment. Here are six:

1. Minimize device footprint – of the billions of IoT devices in use today, not all serve an important purpose. Minimize the number of devices in your organization, removing the frivolous and using non-networked solutions wherever possible. Remember that any opening to the Internet creates a potential route for attackers.

2. Segment IoT from critical assets – whenever possible, keep IoT disconnected from networks used to access classified information and sensitive data. Barriers between critical and non-critical assets in your organization make it difficult for attackers to move laterally even if they gain a foothold through one opening.

3. Replace default credentials – according to the Office of Management and Budget (OMB), lack of strong authentication is one of the most common security mistakes across federal agencies. IoT devices rarely require administrators to change their weak default credentials. Ensure that every networked device in your organization is tightly secured.

4. Use two-factor authentication – in the same vein, two-factor authentication (2FA) creates an extra barrier against brute-forcing and stolen login information. Most IoT devices are compatible with 2FA, but – again – they will not prompt users to enable it. Take the initiative to keep devices as secure as possible.

5. Choose high-reputation vendors – not all IoT is created equal, and some vendors have a better reputation for security than others. Research IoT vendors as part of your risk management strategy and avoid those known for past attacks, lax standards or slow firmware updates.

6. Track and test devices – tracking IT assets is an important part of any security strategy, and IoT is no exception. Track all your IoT assets, and regularly test them for strong authentication. Firmware updates sometimes include patches for known vulnerabilities, so ensure that the latest version is always installed.

Adopting a Threat-Based Mentality

While they have never been more serious than they are today, the risks of IoT have been understood for over a decade. If organizations have ignored them, it’s because they have adopted a checklist mentality: but following regulations to the letter won’t protect against threats that legislation doesn’t address.

In order to protect their data, revenue and customers, today’s organizations must take a proactive approach to security. With the help of vulnerability and penetration tests, cyber hunt and asset management, “cybersecurity” can mean a lot more than compliance: it can mean safety against malware and targeted attacks.