
IoT: The Emerging Security Challenge

BSides Boise · 2020 · 22:47 · 20 views · Published 2020-02 · Watch on YouTube
About this talk
Enterprise IoT devices such as printers, thermostats, and security cameras have become a critical security weakness: they are often left unpatched and unmonitored on corporate networks. This talk surveys the threat landscape, from IoT botnets like Mirai and Reaper to destructive attacks on critical infrastructure, and outlines a resilience framework of protect, detect, recover: protecting devices through secure defaults, a hardware root of trust and code-signing validation at boot and update time; detecting anomalies through monitoring, for example the burst of DNS lookups produced by malware using a domain-generation algorithm; and recovering through automated firmware updates and secure boot mechanisms.
Transcript [en]

They're not just consumer products. IoT is ending up in enterprises, and you're typically thinking of, like, Amazon Echo, you think of Nest thermostats, and then you're also thinking about printers, right, because probably the most common IoT device that's on these networks and used by people is printers. And historically these devices are typically left out of policies for manageability and security and monitoring. So let's jump into this.

I'm going to talk about the threat landscape. This is the fun part, this is the part I love. Okay, we know cybersecurity is a disruptive force. Some of the numbers that we've got: worldwide cybercrime would be a six trillion dollar problem by 2021. The 2016 data: 1,700 significant incidents. This number really floored me when I first saw it, 1,700, but notice it says significant. Now, how many of you guys remember the Reagan era? Okay, so I think there's some people in here that weren't even born then. Okay, during the Reagan era the national defense organization, defensive tech security in the US, they had on average about 8,000 cyber attacks a year. Okay, 8,000. Today, and by the way Reagan was back in the 80s, okay guys, today it went from eight thousand a year to eight million attacks on the US government. Eight million. This just blew my mind when I heard this.

So it is happening and it's not good. So we know that the adversaries are evolving, okay, and why and how their attack sophistication is increasing: not necessarily because the individual is becoming more sophisticated, but because the tools that these bad guys, these hackers, are developing are sold on the darknet. You can go on the darknet and buy these tools that are readily available for hacking into systems. You know, there's the EternalBlue one, right, that was back on Windows 7, EternalBlue scripts and code. There's tools that are developed by and for hackers. Metasploit, how many people have used Metasploit? Yeah, okay, great reverse engineering tool, right, we use it for testing, you can use it for penetration testing, but it was developed by a hacker, okay. IDA Pro, similar concept: IDA Pro was developed by a hacker, it's sold commercially now. So these tools that are being developed, they're developed by hackers and they're being bought and sold for hackers, they're being utilized.

So I'm in the manufacturing space for our printers: what can we do to counteract these attacks, the sophistication of attacks? Well, I'm going to get into more details about what we mean by we have to build resilient devices. What does that mean? There's actually a definition, and there's a new specification that we'll talk about in a second, but essentially resilience means that you can protect yourself to the degree that you can; in the event that you cannot protect against everything, you need to detect certain anomalies that may be occurring in your devices; and then recover. The resiliency is the ability to recover.

So let's look at, I love this one, these are destructive attacks, okay. Destructive attacks are out there to actually damage data, damage companies, you know, bring them down. It's a loss of revenue, it's a loss of data. If you look, the one that I like, you know, this Shamoon, 2012, hugely devastated Saudi Aramco, one of the big oil refineries in Saudi Arabia, okay. So I heard this story from MafiaBoy, he was the guy that brought down Wall Street back in the 90s. So imagine you're in your company, you're an IT guy, you get an email from a friend, looks like it's from a friend, it says click this link, okay. This is Shamoon. Well, this guy clicked the link and a picture of the US American flag comes up on his screen and it starts burning, okay, and as it's burning people are getting up inside the company going, what the heck is going on? So it brought down 30,000 PCs in a matter of minutes, because what it did is it basically overrode the Master Boot Record, and you could not bring those PCs back. They had to go and walk to each one and reinstall the BIOS, reinstall the operating system, and God forbid if you hadn't backed up your data, it was gone. So a huge impact to Saudi Aramco during that time.

The other one I'll point out is the Ukrainian power grid. So this one, about a quarter of a million people in Ukraine were without power for hours, and what's interesting about this one was the reconnaissance that was done before the attack. These hackers spent months collecting information, collecting passwords, through phishing attacks or various means, but they basically gathered all this reconnaissance information, and the logistics of it, if you look at how they attacked it, within minutes a quarter of a million people without power. It's just impressive, very impressive.

Some of these other ones I'm going to talk about: Mirai was an IoT attack, and so was Reaper, I'm going to get into a little bit more detail about those. But you can kind of see WannaCry, Petya, those were ransomware, where essentially it encrypts all the data, you guys know, it encrypts all the data, right, and if you pay the ransom supposedly you'll get the key that lets you decrypt it. Do you know what, in most instances when somebody paid the ransom they got nothing, they got nothing back. And then NotPetya was specifically, I'm just going to screw through all the data on your PC, and forget about a ransom, I don't need that, I just want to cause the destruction of this information.

So I want to keep moving quickly here, but NSA did a presentation at RSA this year, so basically these statistics are kind of mind-boggling, right. So ninety-three percent of the 2017 incidents were preventable with best practices. What type of best practices are they talking about? Hardening endpoints, like setting passwords, closing ports, and hardening your network, okay. So 93 percent could have been prevented very easily. And then 90 percent of cyber incidents are due to human error. Human error: they either inadvertently or purposefully do this. The part down on the bottom, which is sort of interesting about this: NSA has not responded to an intrusion using a zero-day exploit in the last 24 months. So zero-day exploits are new attacks, right, new attack vectors. What that means, and this is the part that is just amazing, is that they are using existing hacks, okay. So what's old is new again: that EternalBlue, some of the existing hacks that are out there. They're getting the tools on the darknet and they're attacking devices because they're not updated. You know, Microsoft came out with fixes for a lot of these attacks, and other devices did as well, we did on printers. We have a hard time getting our customers to update their devices. We are fixing security vulnerabilities in our products, issuing security bulletins and issuing new firmware, and about 70 percent of the time they're not updating their devices. So these are endpoints that are going to be on your network and they're putting your infrastructure at risk, right.

This is another telling one, from a cybersecurity agent from the FBI, actually based in Boise: 70% of the time the device on the company's network that caused the initial breach is unknown. What does that mean? They weren't monitoring those devices, and in most instances that's an IoT device. How many customers are monitoring their thermostats, if they're the smart thermostats, or their printers, or any of these devices? And yet they can be used to attack a network and bring it down.

So IoT is the weakest link. There's a big prediction: seventy-five billion units of IoT devices will be out there, and they're guaranteed to have security flaws. There's vulnerabilities in them, there's weak default passwords, lack of software updates; you have to actually have these updates occur and make sure that they're timely and they're applied to the device. And then we have these distributed denial of service attacks where they're using these devices as botnets and essentially bringing down the network. I've got a couple of examples, in fact the next one, let's get to that. But a lot of the device manufacturers don't make security a priority, and that's why these devices are targets of attack.

So, how many guys have heard of Mirai and the Mirai attack? Okay, yeah. Brought down the internet on the eastern seaboard, so people could not get to their favorite websites out there. Mirai actually attacked 2.5 million devices, and what they targeted were security cameras, DVRs, and printers. Printers were included in that. They looked for devices that didn't have passwords, that were just blank, right, or if they do have default passwords, the default password is like no password at all; it doesn't take you very long to figure out what it is. And they found these devices, they were running SSH or Telnet with weak passwords, and boom, they could inject their code right into them, and they basically created a distributed denial of service on the DNS server, the Dyn DNS server, so people couldn't get to their websites. Without DNS you can't use a hostname to get to a server, right.

This is the other one, the Reaper IoT botnet, infects networks, okay. The reason this one's a little scary is that you don't know that you've been infected. This little malware on these devices is sitting there, and the one thing that the malware typically does when it's installed on an infected device is that it tries to phone home to its command and control center, right, and so it's exchanging information externally and asking, what do I want to do? They're predicting that this could potentially be there waiting for enough devices that they can utilize to create this distributed denial of service. And the only way to know is if you were running Wireshark and saw these packets going out from these devices. These devices don't have, like, antivirus software running on them, right, IoTs just don't.

So what are some of the common attack vectors that you have? The default passwords is a bad one. Buffer overflows, that's where, you know, the input, and this is not a good thing either because that's typically where they can inject code, is using a buffer overflow. And some of these others: unpatched, I kind of talked about unpatched systems, and phishing attacks as well, exploits, those are still occurring.

So what are cyber resilient devices? I'm going to just bring this up, a couple of slides to kind of share. On average, for every hundred lines of source code, no matter how skilled a developer you are, there's typically on average one defect. The odds are against us. So recognizing that, you can protect your devices and harden them to the best degree possible, you want to be able to detect those potential attacks, and then recover from those. And this is kind of going through what are the steps you go through: protect, detect, recover. During the initial startup, the first thing that loads, the bootloader, loads the BIOS, right, you want to make sure that that is rooted in trust, otherwise it attacks the device and you essentially want to own it. There was a Canon device where they were running Doom on the printer; it just started up and you're running Doom on the control panel. That's something that's just been rootkitted. You want to secure the defaults and encrypt data, code signing validation during boot so that you don't load code that hasn't been validated, only load code that's come from the manufacturer, and then code signing validation when you're doing updates. And you want those updates to be automatic, right, so that your customers, [Music], typically it will pop in at night when it's plugged in, but that's what we want all these IoT devices to do, because there will be vulnerabilities found in these devices, no question about it. Then you want to monitor these devices to understand what's going on in them, and then some device monitoring as well, looking for anomalies.

So one of the things that we have, our HP Labs team found that when malware attacks, remember I said the typical thing that it'll do is call a command and control server. Well, guess what, what host names should it go after? It can't go after an IP address, because by the way those servers could shut down fairly quickly; host names get shut down by other monitoring, by companies that are monitoring the internet that will shut those down. So what they do is they have a domain generation algorithm, okay. So what it does is it tries all these host names, and you'll have hundreds of DNS resolve messages going out. Well, if that happens the device can detect that, right. So we have embedded technology in the printers so that if we see an upsurge of DNS packets we assume the device has potentially been compromised. At that point you go through a reboot, flash memory, and essentially start back up in this new state. So we're going to start seeing some more of these detection capabilities occurring.

So, good news and bad news. Good news is the manufacturers are starting to do things, and that is as governments are getting involved, okay. So I've got a couple of examples of what's going on with the government, because, you know, consumers are at risk, data is at risk, and it costs a lot of money to recover from these attacks. So there is a NIST specification, this is a good read for you, it goes out and tells you how to build a device, and actually HP and quite a few other companies participated in this. It defines what cyber resiliency is. It doesn't tell you how, it tells you what you should put into your devices to protect them. I'm not going to go through too many details on this, but there's a whole list that you can go out and read: roots of trust, protecting the device, protecting the executable code, there's just lots of things you can do, automatic recovery and things like that.

The UK government just recently, in fact, came out and said, okay, we want to protect our consumers, we want to protect the consumers in the United Kingdom. So they basically have identified that poorly secured IoTs increase the security risks and large-scale attacks, right, they can use them as botnets. So right now they're encouraging manufacturers to secure IoTs. We signed on, along with another company, Centrica; we signed on and said this is important, we are going to do it. But here's the guidelines, right: no default passwords, we talked about that, that's a big risk. You know, we have implemented a disclosure policy so that if someone finds an issue in the device they can post that. And there's a lot of others, I'm not going to go through all of these, but basically it's getting into just these basic security hygiene things that you should do when you develop a device, right: ensure software integrity, ensure personal data is protected, right, that it's encrypted appropriately.

Not to be outdone, the state of California came out with Senate Bill 327: by 2020 network devices must have, and by the way "network devices" is so broad, it's not just IoTs, the device that's shipped must have a unique password for each device, or force users to set their password. So this is, again, some of those attacks that occurred on IoT devices, the basic things did not have passwords. So we are going to start seeing the legislation coming into play requiring these types of things on IoT devices.

Now what are some of the things that you can do from a security development best practices standpoint? So this is about trying to develop products from the beginning with security top of mind. Gartner came out, okay, in 2016 Gartner came out and predicted that customers will demand that code is adequately secured, that it's developed with security best practices, and I can tell you in 2018 we have seen an increase in customers that are saying, I want to know what your secure development best practices are, because this is serious. So this is only going to increase. And so it just kind of highlights, when we talk about the secure development best practices, what are we talking about here, right? You need to ensure all your engineers are trained on this. You want to ensure that, when you first start a project, you identify what is it you're trying to protect: is it customer data, is it your own intellectual property, what are you trying to protect in this? And then back in 1999 Microsoft, and Microsoft had gone through a whole series of attacks on their Windows operating system, they deployed a hundred engineers to focus on security, okay. You could say this is a big problem, let's move over a hundred engineers. They came out with some pretty cool secure development best practices, you can go to their website. They have the STRIDE model, which is an acronym for spoofing, tampering, repudiation, information disclosure, and so on. It's actually really good to use that STRIDE model when you're actually developing products; we use that at HP. And then using tools on your code like static code analysis tools, and secure coding practices, OWASP has a great checklist of things to do when you're developing code, right, you put all of that in, and then the penetration testing is critical as well, find out what entry points are on that device.

And software updates: this is making sure that the firmware is updated on these devices, because again, security is not constant. What's secure today won't be secure tomorrow, correct? They will find weaknesses, and we must provide an automatic mechanism. In fact this is what the NSA was talking about, what's old is new again, because we fixed this issue in the product but the customers weren't updating their printers. The other piece of this is monitoring. So, as an IT organization in a company, you should know every device that's on your network, you should be monitoring them, you should ensure that those devices can integrate into any of the security tools that are out there, simple tools that are monitoring, like Splunk, that are taking events from, they actually consume events from all your endpoints in your network and can tell you when your devices are at risk. And then endpoint protection tools like McAfee and Symantec, using those tools to actually ensure those devices are secured. These devices need to be first-class citizens in the environment, because they are actually not really in these environments today.

And in summary, okay, IoT, I know I went fast, but you guys are starting to get tired and stuff, so okay, I know it's almost five o'clock on a Saturday, so I really appreciate you guys hanging in there. IoT devices are an emerging security threat due to lack of security. We saw many examples of that, with some devices that just don't have passwords set, and they need to be designed with security from the beginning, and you know what, that's going to add cost to it. So thank you guys, appreciate it. [Applause]
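The detection the speaker describes for the printers, a device that suddenly issues a burst of DNS lookups for domain-generation-algorithm hostnames while malware hunts for its command-and-control server, as an added example that is not part of the talk and not HP's implementation. It is written in Python; the log format, the thresholds, the toy DGA and the sample traffic are all constructed assumptions, and in production the thresholds would be learned per device class rather than hard-coded.

```python
"""
Added example (not from the talk, not HP's code): flag a device whose DNS
behaviour looks like DGA-driven C2 hunting - an upsurge of lookups in a short
window, almost all for distinct names, almost all answered NXDOMAIN.
Everything below (log format, thresholds, sample traffic) is an assumption.
"""
from collections import defaultdict

WINDOW_SECONDS = 60          # assumption: fixed detection window
MAX_QUERIES_PER_WINDOW = 15  # assumption: a printer or thermostat should never exceed this
MAX_NXDOMAIN_RATIO = 0.5     # assumption: more than half the lookups failing is abnormal
MIN_DISTINCT_RATIO = 0.8     # assumption: DGA names are almost never repeated


def toy_dga(seed, count, tld="com"):
    """Constructed stand-in for a malware DGA: a seeded LCG producing
    random-looking 12-letter labels. Real DGAs differ in detail, but the
    DNS footprint (many unique names, nearly all NXDOMAIN) is the same."""
    names = []
    state = seed
    for _ in range(count):
        label = ""
        for _ in range(12):
            state = (1103515245 * state + 12345) % 2**31
            label += chr(ord("a") + (state >> 16) % 26)
        names.append(f"{label}.{tld}")
    return names


def build_sample_log():
    """Constructed DNS log, one '<epoch> <device_ip> <qname> <rcode>' per line.
    10.0.0.20 is a healthy printer doing its usual lookups; 10.0.0.21 behaves
    like a freshly infected bot hunting for its C2 domain."""
    lines = []
    healthy = ["printer-updates.example.com", "time.example.net", "ntp.example.net"]
    for i in range(8):
        lines.append(f"{1200 + i * 7} 10.0.0.20 {healthy[i % 3]} NOERROR")
    for i, name in enumerate(toy_dga(seed=42, count=30)):
        lines.append(f"{1200 + i} 10.0.0.21 {name} NXDOMAIN")
    # the one generated name the attacker actually registered resolves
    lines.append("1231 10.0.0.21 c2-found-at-last.example.org NOERROR")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log format into (ts, src, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname, rcode = line.split()
        records.append((int(ts), src, qname.lower().rstrip("."), rcode))
    return records


def detect_dga_bursts(records, window=WINDOW_SECONDS):
    """Bucket lookups per (device, window) and return {device: [reasons]} for
    every device that exceeds the query budget with mostly failing, mostly
    unique names. One such window is the 'assume compromised, reboot and
    reflash' trigger the talk describes; a busy but healthy device (many
    successful, repeated lookups) does not trip it."""
    buckets = defaultdict(list)
    for ts, src, qname, rcode in records:
        buckets[(src, ts // window)].append((qname, rcode))

    alerts = {}
    for (src, _bucket), lookups in buckets.items():
        total = len(lookups)
        if total <= MAX_QUERIES_PER_WINDOW:
            continue  # the upsurge itself is the necessary first signal
        nx_ratio = sum(rc == "NXDOMAIN" for _, rc in lookups) / total
        distinct_ratio = len({q for q, _ in lookups}) / total
        if nx_ratio > MAX_NXDOMAIN_RATIO and distinct_ratio >= MIN_DISTINCT_RATIO:
            alerts.setdefault(src, []).append(
                f"{total} lookups in {window}s, "
                f"{nx_ratio:.0%} NXDOMAIN, {distinct_ratio:.0%} unique names")
    return alerts


if __name__ == "__main__":
    for device, reasons in detect_dga_bursts(parse_log(build_sample_log())).items():
        print(f"ALERT {device}: {'; '.join(reasons)}")
```

Run as a script it reports only 10.0.0.21. The three conditions are deliberately combined: query volume alone would flag a print server at month-end, NXDOMAIN alone would flag a misconfigured search domain, and uniqueness alone would flag a device walking a CDN; together they isolate the DGA footprint the talk singles out, and a resolver log or a passive DNS tap on the printer VLAN is enough to feed it.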