Tumgik
terabitweb · 4 years
WhatsApp flaw CVE-2019-11931 could be exploited to install spyware
Original Post from Security Affairs Author: Pierluigi Paganini
The popular messaging platform WhatsApp made the headlines again: a new bug could be exploited by hackers to secretly install spyware.
According to the website The Hacker News, WhatsApp has recently fixed a critical vulnerability, tracked as CVE-2019-11931, that could have allowed attackers to remotely compromise targeted devices.
terabitweb · 4 years
Checkra1n, a working iPhone Jailbreak, was released
Original Post from Security Affairs Author: Pierluigi Paganini
A working exploit for the checkm8 BootROM vulnerability is now available, and security experts fear that threat actors could use it in attacks in the wild.
This week, the “unpatchable” jailbreak for the checkm8 BootROM vulnerability, known as Checkra1n, was officially released, potentially threatening millions of devices.
“This release…
terabitweb · 4 years
APT33 sics small, elusive botnets on U.S. and global targets
Original Post from SC Magazine Author: Bradley Barth
Reputed Iranian threat actor APT33 has been employing more than a dozen secret botnets to infiltrate and spy on the networks of various Middle Eastern, U.S. and Asian organizations, and is even setting up its own VPN networks to conceal its operations, according to researchers.
Trend Micro described these findings in a blog post this week,…
terabitweb · 4 years
Design flaw leaves Bluetooth devices vulnerable
Original Post from SC Magazine Author: Doug Olenick
An engineering and computer science professor and his team from The Ohio State University discovered a design flaw in low-powered Bluetooth devices that leaves them susceptible to hacking.
Zhiqiang Lin, associate professor of computer science and engineering at the university, found the commonly used Bluetooth Low Energy devices, such as…
terabitweb · 4 years
DDoS-for-Hire Services operator sentenced to 13 months in prison
Original Post from Security Affairs Author: Pierluigi Paganini
Sergiy P. Usatyuk, the administrator of several DDoS-for-hire services, was sentenced to 13 months in prison and an additional three years of supervised release.
Sergiy P. Usatyuk, a man who operated several DDoS-for-hire services, was sentenced to 13 months in prison and an additional three years of supervised release.
DDoS-for-hire services, aka…
terabitweb · 4 years
Fall 2019 SOC reports now available with 116 services in scope
Original Post from Amazon Security Author: Oliver Bell
We’re excited to announce the addition of 12 new services in scope under our latest System and Organizational Controls (SOC) audit cycle, for a total of 116 services in scope. In addition to the new services, AWS has also expanded the list of controls covered within the reports to include more controls over employee screening…
terabitweb · 4 years
Metasploit Wrap-Up
Original Post from Rapid7 Author: William Vu
Towards a more reliable BlueKeep exploit
zerosum0x0 recently improved the reliability of our BlueKeep exploit after a little soul searching and a helpful cue from Worawit Wang.
In short, the exploit was developed in a lab without the Meltdown patch, which meant more frequent crashes in the wild against targets that have the patch installed — a high likelihood. You can read zerosum0x0’s full analysis on his blog. We’re just glad it wasn’t the lizard people causing those crashes.
Gaining access to Pulse Secure VPN servers
Earlier this year, Orange Tsai and Meh Chang were on a rampage through VPN server software, having discovered more than a few vulnerabilities in popular VPN solutions, such as Palo Alto Networks, Fortinet’s FortiGate, and Pulse Secure. They were even able to compromise Twitter via their bug bounty!
Starting with a contribution from Alyssa Herrera and Justin Wagner that exploits a file disclosure vulnerability in Pulse Secure’s VPN server, we created a finished module that will download any credentials, hashes, and sessions from a server, allowing an attacker to authenticate to the VPN, potentially as an administrator. A manual mode is also supported to download arbitrary files.
This leads us to the next phase, which uses a valid administrator session from the file disclosure to authenticate a post-auth, remote root RCE against the server, bypassing the software’s application whitelisting by using the env(1) command — which is happily permitted. The module can pop a root shell or run an arbitrary command on a vulnerable target.
A major overhaul of password cracking integration
The ever-reliable h00die graced us with a complete and total overhaul of our password cracking integration, notably adding new support for hashcat. Check out the pull request. It’s a doozy, and we can’t do it enough justice in this wrap-up alone!
New modules (14)
Xorg X11 Server Local Privilege Escalation by Narendra Shinde and Zack Flack, which exploits CVE-2018-14665
Bludit Directory Traversal Image File Upload Vulnerability by sinn3r and christasa, which exploits CVE-2019-16113
Pulse Secure VPN Arbitrary File Disclosure by wvu, Alyssa Herrera, Justin Wagner, Meh Chang, and Orange Tsai, which exploits CVE-2019-11510
Pulse Secure VPN Arbitrary Command Execution by wvu, Meh Chang, and Orange Tsai, which exploits CVE-2019-11539
CMS Made Simple Authenticated RCE via object injection by Daniele Scanu, which exploits CVE-2019-9055
FreeSWITCH Event Socket Command Execution by bcoles
FusionPBX Command exec.php Command Execution by bcoles
FusionPBX Operator Panel exec.php Command Execution by Dustin Cobb and bcoles, which exploits CVE-2019-11409
Password Cracker: AIX by hdm, h00die, and theLightCosine
Password Cracker: Databases by hdm, h00die, and theLightCosine
Password Cracker: Linux by hdm, h00die, and theLightCosine
Password Cracker: OSX by h00die
Password Cracker: Webapps by h00die
Password Cracker: Windows by hdm, h00die, and theLightCosine
Enhancements and features
PR #11695 by h00die is a complete transformation of the cracking system, adding support for additional applications and hash types to be utilized during reversing of stored credential details. JtR has been migrated and Hashcat has been added using this pattern.
PR #12556 by bcoles bumps the maximum size for ASCII art banners to 65,535 bytes.
Bugs fixed
PR #12543 by layderv fixes several modules to use myworkspace_id instead of myworkspace.id, the former of which will check if the database is connected first, whereas the latter will crash if not connected.
PR #12570 by timwr changes the Msf::Post::Linux::Compile mixin to use the correct Failure class.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
Pull Requests 5.0.59…5.0.60
Full diff 5.0.59…5.0.60
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).
terabitweb · 4 years
Holiday Shopping on Company Devices a Worry for Executives
Original Post from InfoSecurity Magazine
New research published today by Zix-AppRiver has revealed that 61% of US executives feel powerless to stop employees holiday shopping on company devices, despite knowing that the practice poses a cybersecurity threat to the business.
Researchers asked 1,049 cybersecurity decision-makers within American SMBs across a diverse range of industry sectors about the holiday shopping habits of their employees. 
According to the report, 82% of all SMB executives estimated that “many” of their company employees will shop online this holiday season using a computer at work or a device used for conducting business, on which business data is also stored and transmitted.
Among them, 61% admit they know this poses cybersecurity risks to their business and customers, but they believe it is “a fact of life; and there is not much I could do about it.”
At larger-sized SMBs, executives were more likely to make the assumption that employees would use a company device for holiday shopping this year. At medium-sized SMBs with 50–149 employees and at larger-sized SMBs with 150–250 employees, 88% and 90% of executives respectively anticipated this behavior from many of their employees.
Nearly half of the executives surveyed estimate most of their employees would not be able to spot an illegitimate link posing as an online retailer in potential phishing attempts. Many were equally pessimistic about whether they could do likewise.
“Among IT decision-makers who lack confidence that most employees would be able to spot an illegitimate link posing as a fake retailer, many think they themselves could be vulnerable also. Four out of ten who lack confidence in their employees also lack confidence that they themselves could spot a fake link,” Troy Gill, senior cybersecurity analyst at Zix-AppRiver, told Infosecurity Magazine. 
Asked if any of the executives who thought their employees couldn’t distinguish between a fake link and a genuine link had plans to implement any cybersecurity training, Gill said: “Yes, and that was one piece of really important good news from this survey. 57% of SMB IT decision-makers plan to invest more in 2020 dedicated toward security awareness training for employees. That figures jumps to 68% among larger SMBs with 150–250 employees.”
Describing where cybersecurity vulnerabilities are present in a typical company hierarchy, Gill said: “Anyone with access to the network, from the board chair to the newest hire, can pose a threat. Training and awareness—not job title or department—are the best indicators and mitigators of individual risk.”  
terabitweb · 4 years
Extensive personal health information exposed in Solara Medical data breach
Original Post from SC Magazine Author: Doug Olenick
Solara Medical Supplies reported on November 13 that its system was exposed for several months earlier this year after several employees fell for a phishing scam that gave an unauthorized person access to their Office 365 accounts.
The illegal access was discovered on June 28, 2019, and a further investigation found that the data breach existed from…
terabitweb · 4 years
Report: Influential manufacturing trade group targeted by Chinese hackers
Original Post from SC Magazine Author: Bradley Barth
Chinese hackers this past summer infiltrated and potentially stole information from the National Association of Manufacturers (NAM), a trade organization and advocacy group that has helped the Trump administration set trade policies with China, Reuters reported this week, citing sources.
A cybersecurity firm hired by NAM made the connection to…
terabitweb · 4 years
Ransomware: Still Going Strong 30 Years On
Original Post from InfoSecurity Magazine
Next month marks the 30th anniversary of the first ever ransomware attack, and according to new research this particular form of malware is still going strong. 
According to the “Mid-Year Threat Landscape Report” published yesterday by Bitdefender, ransomware increased 74.23% year on year in the first six months of 2019. 
Researchers noted a change in the ransomware landscape following the fall of GandCrab earlier this year. In roughly 18 months of activity, this particular piece of ransomware generated more than $2bn. 
“The fall of GandCrab, which dominated the ransomware market with a share of over 50 percent, has left a power vacuum that various spinoffs are quickly filling. This fragmentation can only mean the ransomware market will become more powerful and more resilient against combined efforts by law enforcement and the cybersecurity industry to dismantle it,” wrote researchers. 
A notable player stepping into the space left by GandCrab’s exit is Sodinokibi (aka REvil or Sodin), which has quickly gained popularity in recent ransomware campaigns, focusing on specific industry verticals. 
To help educate businesses about the threat posed by ransomware, Sophos yesterday published a report titled “How Ransomware Attacks.” In addition to detailing how the threat has evolved over the past three decades, Sophos’ report also takes an in-depth look at the largest ransomware families and highlights the most common types of attacks.
Included in the report are the characteristics and file system activity of ten ransomware variations. Alongside classics such as WannaCry, Ryuk, and SamSam, the report delves into newer strains like RobbinHood, Sodinokibi, and LockerGoga. 
While ransomware continues to wreak havoc, Bitdefender researchers identified coin-mining malware used in cryptojacking campaigns, exploits leveraging unpatched or previously unknown vulnerabilities and fileless attacks, and banking trojans as the top three threats facing businesses and consumers. 
Underlining just how serious the consequences of cyber-attacks can be, the researchers found that the European Union economy could face up to €2.5bn in financial losses, should internet infrastructures be taken offline for a single hour by IoT botnets causing DDoS attacks. The losses for an eight-hour workday reach around €20bn.
terabitweb · 4 years
Two men arrested for stealing $550,000 in cryptocurrency with SIM swapping
Original Post from Security Affairs Author: Pierluigi Paganini
On Thursday, US authorities arrested two men and charged them with stealing $550,000 in cryptocurrency from at least 10 victims using SIM swapping.
American law enforcement has declared war on SIM swapping scammers and announced the arrest of two individuals for stealing $550,000 in cryptocurrency.
The suspects stole the funds from at least 10 victims using SIM swapping between November 2015 and May 2018. In February, a 20-year-old college student who had stolen more than $5 million worth of cryptocurrency through SIM swapping attacks received a 10-year jail sentence.
In May, the U.S. Department of Justice charged nine individuals connected to a hacking crew focused on identity theft and SIM swapping attacks.
In SIM swap frauds, crooks are able to port the victim’s phone number to a new SIM card under their control.
A SIM swap fraud is a type of fraud that defeats the additional security measures introduced by organizations to protect their customers.
Attackers obtain victims’ information by launching a phishing campaign, or by purchasing it on the underground market.
Crooks use the information gathered on the victims to impersonate them to a telecom operator and ask it to provide a new SIM to replace the old one, which they claim was lost or stolen.
They can prove their identity by answering basic security questions and requesting the cancellation of the old SIM and the activation of a new one. Once they have obtained a new SIM, crooks can operate the victim’s mobile account: intercepting or initiating calls, accessing SMS messages (including authorization codes sent by banks and cryptocurrency exchanges) and authorizing transactions.
“Two Massachusetts men were arrested today and charged in U.S. District Court in Boston with conducting an extensive scheme to take over victims’ social media accounts and steal their cryptocurrency using techniques such as ‘SIM swapping,’ computer hacking and other methods,” reads the press release from DoJ. “Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts, were charged in an 11-count indictment, charging them with one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse and one count of aggravated identity theft.”
According to the DoJ, the two defendants Eric Meiggs (20) and Declan Harrington (21) targeted users with high-value cryptocurrency accounts, and also executives of cryptocurrency companies.
The duo has also been charged with taking over social media accounts of their victims, including two individuals who “had high value or ‘O.G.’ (slang for ‘Original Gangster’) social media account names.”
The duo has been charged with:
one count of conspiracy to commit wire fraud,
eight counts of wire fraud,
one count of computer fraud and abuse, and
one count of aggravated identity theft.
The defendants face a maximum penalty of 20 years in prison; the aggravated identity theft charge can add a further 2 years to the sentence.
In March, the FBI issued a SIM swapping alert in response to the increasing number of SIM jacking attacks.
In October, the U.S. Federal Trade Commission (FTC) released guidance on how to protect against SIM swapping attacks. Below is the list of countermeasures recommended by the agency:
• Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
• Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
• Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
• Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.
Pierluigi Paganini
(SecurityAffairs – SIM swapping, cybercrime)
The post Two men arrested for stealing $550,000 in cryptocurrency with Sim Swapping appeared first on Security Affairs.
terabitweb · 4 years
Original Post from Eset Author: Tomáš Foltýn
ESET experts share how they got started in cybersecurity and whether or not a degree is needed for a career in the industry
The post Week in security with Tony Anscombe appeared first on WeLiveSecurity
terabitweb · 4 years
The Australian Parliament was hacked earlier this year
Original Post from Security Affairs Author: Pierluigi Paganini
The computer network of Australian Parliament was hacked earlier this year, and hackers exfiltrated data from the computers of several elected officials.
According to the Australian Broadcasting Corp (ABC), earlier this year hackers penetrated the computer network of Australian Parliament and stole data from the computers of several…
terabitweb · 4 years
What Is Texas Senate Bill 820, and How Will It Affect Your School District?
Original Post from Rapid7 Author: Harley Geiger
This year, the number of cybersecurity incidents at K–12 schools has increased by 30 percent, and schools are now the second highest target for cybersecurity attacks. Coupled with the security talent shortage and the proliferation of technology usage, school systems are facing an overwhelming challenge.
The Texas school system has decided to do something about it. Back in 2019, lawmakers began work on Texas Senate Bill 820, and it was officially signed into law in June. SB 820 became effective in September 2019.
In this post, we’ll share what the law is, how it will affect your school and district, and how you can respond by selecting a security framework to either start or improve upon your security program.
What is the Texas Senate Bill 820 and how can you prepare?
SB 820 requires each Texas school district to:
Adopt a cybersecurity policy
Designate a cybersecurity coordinator (appointed by the superintendent)
Report cybersecurity incidents to the Texas Education Agency (TEA) and district families
In our recent webcast on Texas Senate Bill 820, Frosty Walker of the Texas Education Agency explained that the cybersecurity policy must be aligned with the Texas Cybersecurity Framework, which aligns to the federal NIST Cybersecurity Framework. Both the Texas Framework and the NIST framework outline how to address critical security functions (described below), as well as specific actions to execute those functions, such as encryption, vulnerability management, user access, password policies, backups, and vulnerability disclosure policies.
This new law will give the Texas school system greater resilience against cyberattacks, provide uniformity and oversight with a standard policy in place, and establish new processes for reporting and metrics.
How to adopt a cybersecurity policy to respond to Senate Bill 820
So, what do districts have to do to meet the requirements of SB 820? The first step is implementing an organization-wide cybersecurity policy. While the law allows districts to adopt any policy they want, it must not conflict with the Texas Cybersecurity Framework (TCF), which is why the federal NIST framework is a good guide to follow, since it aligns so well.
The TCF details the functions and objectives that are designed to protect organizations from a diverse set of threats. It has five functions (or goals) that cover 40 security objectives. These same functions are shared across many cybersecurity frameworks, including the NIST Framework. To provide a sense of what a TCF-aligned cybersecurity policy will require districts to do, here is some more information on those functions and objectives:
1. Identify
This function encompasses 11 of the TCF objectives. An example of an objective under this function is that the organization must conduct a critical information asset inventory. This requires districts to identify and prioritize information assets so they can match the importance of those assets with the appropriate security protections and ensure the highest-priority ones are safeguarded.
2. Protect
This function encompasses 28 objectives, including asset control to ensure that any access to servers, databases, etc. is limited to authorized users only.
3. Detect
This function encompasses three objectives, including vulnerability assessment, or the monitoring and patching of vulnerabilities. Considering the volume of device types, operating systems, and applications, managing and patching devices can be a huge challenge to school districts, which is why more than half rely on patch management controls. However, these controls reportedly have a 56% failure rate, and more than one-third of devices require at least one repair per month. With that said, the impact of this function alone is significant.
4. Respond
This function encompasses two objectives, including cybersecurity incident response. It requires the organization to create an incident response program to track, document, and report incidents that occur to the appropriate officials.
5. Recover
This function encompasses one objective: disaster recovery. It requires the organization to have procedures to get systems back up and operational in the event of loss or damage from a cybersecurity incident.
How to use the Texas Cybersecurity Framework Roadmap
The TCF is supplemented by a roadmap, which provides recommended measures for organizations to fulfill each security objective in the TCF. For example, it explains how to fulfill Objective #35, vulnerability assessment, under the “Detect” function. The roadmap acts as a guide to help organizations take the steps necessary to have a cybersecurity policy that aligns with the TCF.
The roadmap operates through self-assessment, so organizations are able to determine their own level of compliance and fulfillment of the security objectives. The assessment is evaluated on a scale of 0–5:
Recommended resources
If you’re on the cybersecurity team of a Texas school district, there are a couple of resources that will help you begin implementing Senate Bill 820:
Texas Gateway Cybersecurity Tips and Tools
Rapid7 NIST framework toolkit
terabitweb · 4 years
New TA2101 threat actor poses as government agencies to distribute malware
Original Post from Security Affairs Author: Pierluigi Paganini
A new threat actor tracked as TA2101 is conducting malware campaigns using email to impersonate government agencies in the United States, Germany, and Italy.
A new threat actor, tracked as TA2101, is using email to impersonate government agencies in the United States, Germany, and Italy to deliver multiple families of malware, including ransomware and banking Trojans.
The phishing campaigns delivering malicious attachments have been observed since the end of October. According to Proofpoint researchers, the new threat actor has been impersonating the United States Postal Service, the German Federal Ministry of Finance, and the Italian Revenue Agency.
“Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware.” reads the analysis published by ProofPoint. “Between October 16 and November 12, 2019, Proofpoint researchers observed the actor sending malicious email messages to organizations in Germany, Italy, and the United States, targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing, and healthcare.”
Between October and November 2019, the TA2101 threat actor carried out a malspam campaign against targets in Germany that impersonates the German Federal Ministry of Finance (“Bundeszentralamt fur Steuern”).
The spam messages pretend to be a notification from the above agencies that informs users of a tax refund. The emails use malicious Word attachments that claim to include instructions on how to request a refund.
Once the user opens the attachment and enables the macros, the malicious code installs the Cobalt Strike pentesting tool or the Maze ransomware on the victim’s computer.
The threat actors also targeted IT support companies to compromise their MSP and use it to deliver the Maze Ransomware to its clients.
Another campaign observed by ProofPoint aimed at German users impersonating the German internet service provider 1&1 Internet AG.
On October 29, Proofpoint observed dozens of emails attempting to deliver weaponized Microsoft Word attachments with Italian lures impersonating the Italian Ministry of Taxation, the “Agenzia delle Entrate“.
This bait email pretends to be a message from the agency informing recipients about new activities related to the fight against tax evasion.
Proofpoint also observed a campaign using emails pretending to be sent by the United States Postal Service. The spam messages contained malicious Word doc attachments named “USPS_Delivery.doc”.
The campaign is similar to the Italian one: the messages ask users to enable macros to decrypt the allegedly RSA-encrypted content.
If a user enables the macros in this campaign, they download and execute the IcedID banking Trojan on the victim’s computer.
“These spoofs are notable for using convincing stolen branding and lookalike domains of European taxation agencies and other public-facing entities such as Internet service providers. Most recently, the actor has attacked US organizations spoofing the United States Postal Service.” concludes Proofpoint. “The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape.”
Pierluigi Paganini
(SecurityAffairs – TA2101, hacking)
The post New TA2101 threat actor poses as government agencies to distribute malware appeared first on Security Affairs.
Original Post from SC Magazine Author: Doug Olenick
Even as the technology industry continues to scramble to protect personal computers, datacenters and other traditional IT systems from increasingly sophisticated cyberattacks, a new attack target has emerged – the Internet of Things (IoT). To protect their IoT applications from attack, organizations are working to adopt for the IoT the same cybersecurity strategy which has proven to be highly effective for traditional IT infrastructure – Defense in Depth. A Defense in Depth strategy leverages edge device, network and cloud security capabilities, along with end-to-end encryption, to create layers of protection that make it harder for an attacker to affect an IoT application, and easier to detect, isolate and remediate successful attacks. Implementing an IoT security Defense in Depth strategy is complicated, and often requires the creation of a large, dedicated IoT security team to execute effectively. However, a security orchestration approach to IoT security can simplify the implementation of a Defense in Depth strategy, and addresses the cost, complexity and other problems that have made it difficult and expensive for companies to build robust end-to-end security into their IoT applications.
The Unique Challenges Involved in IoT Security
IoT applications can be attractive targets for cyberattacks for a wide variety of reasons. An attacker may want to penetrate the application to steal data or disrupt operations in ways that are either subtle (making minor adjustments to sensor data to mislead business intelligence systems relying on that data) or overt (disabling the entire application with ransomware). They may want to penetrate the application in order to leverage the aggregate processing horsepower or internet bandwidth of a large number of IoT devices to mine cryptocurrencies or to operate mercenary “DDoS for hire” botnets. Or they may want to leverage an insecure edge device to launch a “pivot attack” on the network to which that device is attached. For example, in 2018 Darktrace reported an incident they investigated where a casino network was compromised and its high-roller database was extracted through an internet-connected thermostat used in the casino’s lobby aquarium. There are almost as many reasons to hack into IoT applications as there are IoT applications themselves.
Securing IoT applications against these myriad forms of attack is also more complicated than for traditional IT systems. First, the edge devices used for IoT applications are often low cost and easily obtainable, making it relatively easy to perform “tear downs” to identify exploitable vulnerabilities. Second, these edge devices are often deployed in accessible, unsupervised locations, which makes it easier to tamper with them without being detected. And third, IoT application edge devices are often deployed in large numbers with tight constraints on their bandwidth and battery power, making it more difficult to deploy security updates in a timely fashion.
Benefits of Defense in Depth
A Defense in Depth cybersecurity strategy can address many of the unique challenges related to IoT application security. Such a strategy strives to slow down and dramatically increase the cost of an attack by forcing the attacker to circumvent multiple security mechanisms in order to gain access to the target. This discourages most attackers who don’t have a specific interest in the IoT application. For example, crypto-miners and DDoS botnet operators will in general move along to easier targets if they are frustrated in an attack. At the same time, Defense in Depth also slows down more persistent attackers, while providing the IoT application owner with more opportunities to detect their efforts and deploy countermeasures before the attackers can achieve their goals.
Defense in Depth takes many forms, and IoT application designers should strive to deploy as many of them as possible. For example, designers should ensure their Defense in Depth strategy forces an attacker attempting to intercept communications from an edge device to the cloud to compromise a cellular carrier firewall to access a private APN, then a VPN tunnel between the device and the cloud, and then penetrate application-layer encryption to get at the actual data.
No system can be made perfectly secure, but like medieval castles, IoT Defense in Depth mechanisms like those described above complement each security mechanism (moat, castle wall, keep) with another, making it much more difficult for an attacker to fully penetrate the application. When properly executed, such a strategy will frustrate attackers and cause them to give up, and also increase the probability that an attack is detected before it can succeed or cause significant damage.
Large, Dedicated IoT Security Teams – Effective, But Resource-Intensive
However, implementing an IoT Defense in Depth security strategy is complicated, as companies need to manage security on different types of devices, multiple connectivity service providers and various cloud service providers. They need to ensure all these security mechanisms are kept in sync and work smoothly together. The entire process is both difficult and time-consuming – much more so than for web or other types of applications.
Some larger companies have succeeded in implementing IoT Defense in Depth strategies by creating dedicated teams of experts versed in the security of the key elements of an IoT application (edge device, network connectivity and cloud management). These experts implement a Defense in Depth strategy by ensuring each element of the application has the most up-to-date security possible, while also coordinating to protect the points where each element integrates with the others. This approach can be effective, especially as the resulting Defense in Depth strategy is specifically designed to address the vulnerabilities of the company’s particular IoT applications. However, this approach is complicated, and requires the investment of extensive time and resources.
For example, an IoT security team still has to manually configure their VPN for different devices, different network connectivity service providers and different cloud service providers. All the edge device and network firewalls must be kept in sync, with trusted hosts added to whitelists, along with new ports and protocols. This approach, using different interfaces to adjust the security of each element of an IoT application, also increases the chance of human error, leaving open a vulnerability that an attacker could exploit. In addition, the costs and difficulties involved in recruiting, hiring, retaining and coordinating large teams of dedicated IoT security experts make this approach difficult, if not impossible, for small and medium-sized firms, preventing them from implementing strong IoT security Defense in Depth strategies.
Security Orchestration: A Different Way to Easily and Cost-Effectively Implement IoT Defense in Depth
Increasingly, companies are considering an alternative approach for implementing an IoT application Defense in Depth strategy – security orchestration. For most companies, a security orchestration approach allows them to implement a robust Defense in Depth strategy with a much smaller dedicated security team, and thus lower initial and ongoing costs.
A security orchestration approach simplifies the implementation of an IoT Defense in Depth strategy by providing companies with a solution to orchestrate the deployment and management of layers of protection around all elements of the IoT application – edge device, network connectivity and cloud. Security orchestration solutions not only provide multiple layers of protection for the IoT application, but also simplify security management by allowing the IoT application’s owner to define a high-level security plan, and then apply and manage this plan from a single “pane of glass.” Using this single interface, users can configure and update security provisioning on all their devices, connectivity providers and clouds, and easily designate who their edge devices can and cannot communicate with (using whitelists and blacklists) and how they communicate (ports and protocols).
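To make the single-plan idea concrete, here is an added illustrative example (not code from the article or from any orchestration vendor): one plan of allowed flows per edge device is expanded into the rule set each layer needs, and the rules actually deployed on each layer are diffed against it, so a rule added by hand to only one firewall (the sync and human-error problem the article describes) is reported instead of silently leaving a gap. Device names, hosts and rules are constructed sample data.

```python
"""Added example: derive per-layer firewall rules from one high-level plan
and detect drift between the plan and what each layer actually enforces."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    host: str    # remote host the edge device may talk to
    port: int
    proto: str   # "tcp" or "udp"


@dataclass
class Plan:
    # device name -> whitelist of allowed flows (who it may talk to, and how)
    allowed: dict[str, set[Flow]] = field(default_factory=dict)


def derive_rules(plan: Plan) -> dict[str, dict[str, set[Flow]]]:
    """Expand the plan into the rule set each layer must carry.
    Both the edge-device firewall and the carrier/private-APN firewall get
    the same whitelist, so the layers never disagree by construction."""
    return {layer: {dev: set(flows) for dev, flows in plan.allowed.items()}
            for layer in ("edge_firewall", "apn_firewall")}


def find_drift(plan: Plan, deployed: dict[str, dict[str, set[Flow]]]) -> list[str]:
    """Compare the rules live on each layer with the plan; report flows that
    are missing (a gap) or unplanned (a hand-added rule nobody reviewed)."""
    findings = []
    for layer, per_device in derive_rules(plan).items():
        live = deployed.get(layer, {})
        for dev, flows in per_device.items():
            key = lambda f: (f.host, f.port, f.proto)
            for f in sorted(flows - live.get(dev, set()), key=key):
                findings.append(f"{layer}/{dev}: missing {f.proto}/{f.port} to {f.host}")
            for f in sorted(live.get(dev, set()) - flows, key=key):
                findings.append(f"{layer}/{dev}: unplanned {f.proto}/{f.port} to {f.host}")
    return findings


# Constructed sample plan: one sensor may reach the MQTT-over-TLS broker and NTP.
SAMPLE_PLAN = Plan({"sensor-01": {Flow("broker.example.net", 8883, "tcp"),
                                  Flow("ntp.example.net", 123, "udp")}})
# Constructed deployed state: edge firewall matches, APN firewall lacks NTP and
# carries a hand-added SSH rule that is not in the plan.
SAMPLE_DEPLOYED = {
    "edge_firewall": {"sensor-01": set(SAMPLE_PLAN.allowed["sensor-01"])},
    "apn_firewall": {"sensor-01": {Flow("broker.example.net", 8883, "tcp"),
                                   Flow("jump.example.net", 22, "tcp")}},
}

if __name__ == "__main__":
    for line in find_drift(SAMPLE_PLAN, SAMPLE_DEPLOYED):
        print(line)
```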
Key Considerations When Adopting a Security Orchestration Approach for Your IoT Application
For a security orchestration approach to be effective, the security orchestration solution needs to be built and maintained by a company with its own experts in all elements of IoT security – edge device, network connectivity and cloud. In addition, security orchestration does require IoT application owners to use a single solution (comprising devices, network connectivity and cloud management software) for their applications, limiting their flexibility when it comes to “mixing-and-matching” elements from different providers in their applications.
However, such an adjustment is well worth the benefits of a more cost-effective and robust Defense in Depth IoT security strategy, especially for small and medium-sized firms where investment in a large, dedicated IoT security team is cost-prohibitive. In a world where IoT applications are playing an increasingly important role in companies’ digital transformation strategies and the number of cyberattacks continues to grow, security orchestration offers companies an opportunity to implement a simple, affordable end-to-end IoT Defense in Depth strategy that allows them to better protect their IoT data from being stolen, altered or lost.
The post Using security orchestration to simplify IoT defense in depth appeared first on SC Media.