
Brian Contos

BSides Calgary · 46:25 · 13 views · Published 2022-12
Transcript [en]

[Music] ...get into their other networks and other things. So security isn't often thought about when these devices are being created. So with that, it brings us to the last device out of all the devices we've covered thus far. What do you think is the number one most attacked xIoT device? Do you say cameras? Yep, you're right, number one are cameras, and there's a few reasons for this. We're working with a casino. This casino had 27,000 security cameras. They had security cameras that were just there to watch other security cameras. They had a lot of security cameras. And I think all of us would agree that casinos have a pretty high power bill. So these cameras were taken over to do cryptojacking. They were mining crypto. That's all they were doing, they were just mining crypto. Why use these to mine crypto? Because it's a Linux server that's more powerful than the laptop, and there was a lot of them, and they said this is a great place to do it. And I'd love to say that some incident response group caught it, or it created an alert that made it to a SIEM, or something happened. No. The person that caught it was the lady that worked for the company that managed the power bill, and she says, why is our power bill 1,700 times higher than it was last month? Because crypto mining sucks a lot of power, and when you're a casino, that must have been a pretty big bill. There was another case in a casino, unrelated to this, where you might have heard this: did you guys hear about the thermometer attack for the fish tank? So some attackers compromised a thermometer in a fish tank, but from there they gained access to the whale database: all the high rollers, their financial information, their home information, probably proclivities of those individuals, and that was all free for the taking because of a thermometer. But these cameras were a big deal, and the thing about cameras, again, is you have a lot of them, they're not secured by security folks, but the worst thing about them is this:
When you do say, wow, look at all these problems you have with your security cameras, casino one, you have 27,000 devices that are cryptomining, who's responsible for this? And everyone's in the room that they think should be responsible. Facilities says, oh no, it's not us, that's network security. Network security says, it's not us, that's IT security. IT security is, nope, nope, that's outsourced to Hikvision or somebody else as a third party. So remember the end of Spider-Man where they're all pointing at each other? Cameras. That's why. And again, the bad guys know this, and that dates all the way back to that Mirai attack we talked about in 2016. They're big, easy targets that can be used for a lot of malicious things. I can do crypto mining, I can spy on you, I can use that as a pivot point to attack IT assets and exfiltrate data. They're just little Linux servers. Now we've covered a few different areas. I just wanted to kind of show you how expansive this is. We talked a little bit about industrial internet of things, but certainly on the battlefield side as well. So we work with a lot of military organizations here and abroad, and they have big concerns about aircraft and terrestrial vehicles and actual soldiers and devices that they have on them. Things are very, very connected. If you think about the first IoT device, it came out in 1990, it was released at Interop. You guys know what it was? It was a toaster. It was a TCP/IP toaster, back in 1990. Fast forward to 2020, Dublin, Ireland becomes the first smart city, the entire city is interconnected, right? So now we're going from battlefield things to healthcare devices, smart ships, smart buildings, smart cities, which all kind of fall into the same category, some of them float. These are all just things, and these things are just unmanaged, insecure, critical assets that are on your network. Again, those of you that are in college or high school that are here today, this is going to be a great area to focus on for the next couple decades at least.
So that's kind of the bad side. Let's talk a little bit about how you can kind of remediate some of these threats. So we talked about earlier how there's about three to five of these devices per person per company: 10,000 people, 30 to 50,000 devices. The first part's just discovering them. I'm going to share a couple different vendors at the end, I think I've got like a half dozen or so, because this is a new category. It's not like a firewall or a SIEM or a vulnerability scanner that we've all been dealing with. These are what are called enterprise xIoT security platforms. For some of you, you probably haven't even heard that term, but again, these are the new new. So what's wrong with old school discovery? So what's one way you can discover something on a network? Scan. Well, the problem with scanning is it usually works by sending malformed packets to a device, and if you're an IT device and you're using Tenable or Qualys or Rapid7 or one of those legacy scanners, that's fine. But if you go to somebody that works in a SCADA environment and say, hey, we're going to go ahead and run these devices, sending malformed packets to all your OT devices, they're going to chase you out of that room, and probably carrying a wrench. They're not going to be very happy. So scanning doesn't really work, because if you scan an xIoT device, even some cameras, you can knock it over and kill it. So sniffing, okay, let's sniff the network. Well, that's a lot of SPAN ports, that's a lot of TAPs, that's a lot of money when you have 30 to 50,000 devices for a 10,000 person company, right? So it can be very expensive. Plus a lot of the information is encrypted, so you might be able to say, I'm 60% sure this device is a printer. Well, it might turn out to be an MRI machine. And some people base it on the OUI, the organizational unique identifier, the first six octets of the MAC address. That's not always very telling. So if you want to go beyond just discovering, actually start fixing things, you don't want to turn a two million dollar MRI
machine into a $500 HP Bubble Jet printer, right? People tend to dislike that. So old school scanning, old school sniffing, using OUI generally doesn't work. So these enterprise xIoT devices, they use what's called interrogation. The best way I can explain it is think of C-3PO from Star Wars. He was a protocol droid, he could speak millions and millions of languages, like moisture vaporators. So if you speak to the printer the way the printer wants to be spoken to, or the switch or the PLC, you're speaking in a way it's expecting. You're not sending a malformed packet, you're not scanning for vulnerabilities, you're not scanning 65,000 ports, you're simply communicating the way it's meant to. So one, you don't knock it over, and two, you're able to extract all that valuable metadata. And why is that valuable metadata important? Because when you go on to the next step, and the most important step is, okay, now I found all my devices, now I want to fix them. We talked about how the average age of the firmware was six years old. Well, how would you upgrade your cameras before? You had to send somebody around with a paper clip, resetting things and sticking a USB in there. So you're not going to do it. There's no manual way at scale to address xIoT. So these enterprise xIoT security platforms can actually upgrade the firmware, and they're smart enough, because of the metadata extraction, to say, oh, you're on version four, version seven is the newest one, but you have to go four, five, six, seven, or you can go straight from four to seven. And they could even downgrade: oh, you're on version seven, version seven has a Log4j vulnerability, but the vendor is like, we're not going to have another version of the firmware up for another year. Well, everyone's scanning for Log4j right now, but version six doesn't, so you can downgrade. So being able to move those around really makes a lot of sense. Now in the olden days, the olden days being like a year ago, people used to hide these things behind VLANs, and that's fine, nothing against VLANs.
VLANs are a great part of any organizational architecture security practice, but all you're doing is taking something broken and vulnerable with a default password and sticking it on another subnet. It's analogous to saying I'm up here typing and I cut my left hand, it's bleeding all over the place, I should go see a doctor, but as an alternative I just wrap my hand in a plastic bag and put duct tape around it. So I guess it's good because I'm not getting blood on my right hand, but I still have a bloody hand in a bag, which is usually a bad idea. So that's kind of what VLANs do. Again, by themselves they're not a panacea. They can help, though. So the first thing, discover your devices. Second thing, upgrade the firmware, and being able to do that at scale is important: upgrade all 10,000 printers, all 30,000 cameras, so on and so forth. And then harden. So like we talked about those printers: my printer doesn't have to be running Bluetooth, maybe I don't want it to run wireless, maybe I don't want to run cleartext protocols. So harden those devices as well by pushing those things out. Again, this is basic sort of stuff for xIoT, kind of IT security 1990s. So I found my device, I hardened it and I upgraded the firmware. The next thing is managing the credentials and the certs. So we talked about before, 50% of the passwords are default, no hacking required. But if you can tie your xIoT devices into your PAM solutions, CyberArk, HashiCorp, Thycotic, so on and so forth, that's great. Oh, but wait, there's a problem: those PAM solutions don't talk to xIoT. Well, that's okay, because the PAM solution can talk to an enterprise xIoT security platform, which acts as an intermediary and then talks to the endpoint. So as that discovery process happens, when you're doing discovery of the xIoT, you can automatically enroll them in the PAM, and now you can change the password every 90 days, you can set your capabilities, and just like you know about the firmware, hey, I know the firmware path is upgraded from four to five to six
then seven, you know that the password capability is, oh, I can only have a 10 character password, I can only have a four-digit numeric PIN because I was built in the 1980s and my company depreciates me like a turbine, or they say, and we've seen weird stuff like, you can have any password but not the letter B. I have no idea why, it's not even a SQL injection thing. So by having that knowledge, I can control those credentials. And the other part of that is certs. Wireless access points are notorious for having expired certs, TLS version 1.1, 1.2, self-signed, all sorts of other problems, cryptologically insecure systems, and that makes them vulnerable as well. So the same thing that you're able to manage the passwords, the credentials, you can manage the certs. So now you're looking pretty good. I found my devices, I've hardened my devices, I've upgraded the firmware, I'm managing the credentials and I'm managing the certs. We're looking pretty good at this point. So now you've fixed everything, now you want to keep it fixed in perpetuity. So we talked about before how these tools do interrogation. So now the idea is I'm going to re-interrogate these devices every day, because I was on version five of the firmware, but now I'm on version three. I did have an awesome, super cool password, but now my password is apc/apc. Maybe somebody took a paper clip and they reset that device, because it's really easy to do that in xIoT devices, and now it's back to the default build. So across your 50,000 devices, you'd like to get an alert in Splunk or ServiceNow or Demisto or one of your other tools to say, hey, you know what, something that was secure is no longer secure. You have 50,000 devices, but here's the five you need to take a look at right now. So that addresses that environmental drift, because when you're talking xIoT, it's all about scale. If you only had five devices, someone could just run around and manage these things. But you don't, you have thousands, so it doesn't get done. And the last bit of that is
reporting. How cool would it be to have a report that just says, yep, you have 50,000 devices, 20,000 have default passwords, 15,000 are on end-of-life firmware, you've got cleartext protocols open on these, you've got 8, 9 and 10 vulnerabilities on these. You just have a good picture of what's happening, and then you also have a solution that can help remediate it. Don't just discover, but fix them. You can actually get that to green. The worst thing in the world is to say, oh, I've got 50,000 devices and I have a hundred thousand vulnerabilities. Okay, good luck. But now you have a way to actually address this. So to kind of wrap things up: most organizations don't know what things they have, so discovery is a really, really important part of this, and because of that, they don't know which things to fix. And even if they did know what things to fix, because of the scale of this problem, they can't fix it with automation, because they didn't have anything in place before. These enterprise xIoT security platforms that are listed here below, they weren't around a decade ago, and some of these play in a little bit of different areas. Some of them just focus on discovery, some focus on remediation, some a combination of the two. But if you keep in mind, again, that there's no difference really in these xIoT devices and a laptop, except they're insecure and they're on your network, it starts to really make you say, okay, this is something I should really start paying attention to, because the cybercriminals are paying attention to it, and the nation states are paying attention to this. So the last thing I'll leave you with is this. Again, all my travels and all my conversations with, you know, big businesses, small businesses, governments, they're finding that they can no longer be passive when it comes to this. The bad guys are hoping you'll be passive. They're hoping you're going to go, oh, I've got 10 other high priority things to focus on before I focus on the fact that I have
50,000 default password devices on my network. They're hoping you're not going to address this, because they're investing heavily in tools to discover and attack these. So disappoint them, because this is going to be how they're going to get out. If you guys want to contact me, again, here's my contact information. You can see me down at the Phosphorus booth, and then again, Andrew, want to raise your hand up there in the back corner? As you might remember from Fast and Furious version three, Tokyo Drift, but treat him like a regular guy, just a regular guy. Please come by and talk to us and we'll be more than happy to drill down in any of these topics with you. Thanks so much, guys, appreciate it. [Applause]
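The "re-interrogate every day and alert on the five devices that drifted" step and the roll-up report the talk describes, as an added example that is not part of the talk or of any vendor's platform. The interrogation itself (speaking each device's native protocol) is not modelled; the script starts from two constructed inventory snapshots, a baseline and today's, and works out which devices got worse. The MAC addresses, firmware versions, the `DEFAULT_CREDS` list and the `MIN_FIRMWARE` thresholds are all invented for illustration.

```python
"""xIoT posture drift detection and summary reporting (added example).

Two interrogation snapshots keyed by MAC address are compared; only devices
whose posture regressed are returned, so an analyst gets the short list to
act on rather than the whole inventory. All device data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed vendor-default credentials (illustrative, not a real database).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "12345"), ("apc", "apc"), ("root", "root")}
CLEARTEXT_SERVICES = {"telnet", "http", "ftp", "snmpv1"}
# Constructed minimum acceptable firmware per device type; older = needs upgrade.
MIN_FIRMWARE = {"camera": (5, 0), "printer": (3, 1), "ups": (2, 4)}


def parse_version(s: str) -> Tuple[int, ...]:
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class Device:
    mac: str
    kind: str
    firmware: str
    username: str
    password: str
    services: Set[str] = field(default_factory=set)
    cert_expires: Optional[date] = None  # None = no TLS certificate presented

    def uses_default_creds(self) -> bool:
        return (self.username.lower(), self.password.lower()) in DEFAULT_CREDS

    def cert_expired(self, today: date) -> bool:
        return self.cert_expires is not None and self.cert_expires < today


def detect_drift(baseline: Dict[str, Device], current: Dict[str, Device],
                 today: date) -> Dict[str, List[str]]:
    """Return {mac: [findings]} for devices that regressed or disappeared."""
    findings: Dict[str, List[str]] = {}
    for mac, old in baseline.items():
        new = current.get(mac)
        notes: List[str] = []
        if new is None:
            notes.append("device no longer responds to interrogation")
        else:
            if parse_version(new.firmware) < parse_version(old.firmware):
                notes.append(f"firmware downgraded {old.firmware} -> {new.firmware}")
            if new.uses_default_creds() and not old.uses_default_creds():
                notes.append("credentials reverted to vendor default")
            opened = (new.services - old.services) & CLEARTEXT_SERVICES
            if opened:
                notes.append("cleartext service enabled: " + ", ".join(sorted(opened)))
            if new.cert_expired(today) and not old.cert_expired(today):
                notes.append(f"TLS certificate expired {new.cert_expires.isoformat()}")
        if notes:
            findings[mac] = notes
    return findings


def summarize(inventory: Dict[str, Device], today: date) -> Dict[str, int]:
    """Roll-up report: how many devices carry each class of problem."""
    devs = list(inventory.values())
    return {
        "total": len(devs),
        "default_password": sum(d.uses_default_creds() for d in devs),
        "firmware_below_minimum": sum(
            parse_version(d.firmware) < MIN_FIRMWARE.get(d.kind, (0,)) for d in devs),
        "cleartext_services": sum(bool(d.services & CLEARTEXT_SERVICES) for d in devs),
        "expired_certs": sum(d.cert_expired(today) for d in devs),
    }


# Constructed snapshots: yesterday's baseline and today's re-interrogation.
TODAY = date(2022, 12, 1)
BASELINE = {
    "00:11:22:33:44:01": Device("00:11:22:33:44:01", "camera", "5.2.0", "svc-cam",
                                "Lq7#wZ2p!v", {"https", "rtsp"}, date(2023, 6, 1)),
    "00:11:22:33:44:02": Device("00:11:22:33:44:02", "printer", "3.4.0", "svc-prn",
                                "Hn4$kR8m@c", {"https", "ipps"}, date(2023, 1, 15)),
    "00:11:22:33:44:03": Device("00:11:22:33:44:03", "ups", "2.5.1", "svc-ups",
                                "Tz9^bQ3x&e", {"https"}, None),
    "00:11:22:33:44:04": Device("00:11:22:33:44:04", "camera", "4.7.2", "admin",
                                "admin", {"http", "rtsp"}, None),
}
CURRENT = {
    # Camera 01 was factory-reset with the paper clip: old firmware, defaults, HTTP.
    "00:11:22:33:44:01": Device("00:11:22:33:44:01", "camera", "4.0.0", "admin",
                                "admin", {"http", "rtsp"}, None),
    # Printer 02 unchanged except its certificate lapsed last month.
    "00:11:22:33:44:02": Device("00:11:22:33:44:02", "printer", "3.4.0", "svc-prn",
                                "Hn4$kR8m@c", {"https", "ipps"}, date(2022, 11, 1)),
    # UPS 03 is back on apc/apc.
    "00:11:22:33:44:03": Device("00:11:22:33:44:03", "ups", "2.5.1", "apc",
                                "apc", {"https"}, None),
    # Camera 04 is absent from today's snapshot.
}

if __name__ == "__main__":
    for mac, notes in detect_drift(BASELINE, CURRENT, TODAY).items():
        print(mac, "->", "; ".join(notes))
    print("posture:", summarize(CURRENT, TODAY))
```

The drift check deliberately reports only regressions: a device that was already on default credentials in the baseline shows up in `summarize` but not in `detect_drift`, which keeps the daily alert list short. Version strings are compared as integer tuples because a string comparison would rank "10.0" below "9.9".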