In Part 1 of this blog post we discussed one of 2017’s biggest security worries: the emerging threat from Internet of Things (IoT) botnets. As we have seen, the fundamental issue is the vulnerability of IoT devices, which – thanks to market failures – have often been designed with inadequate security.
Clearly, there is a great deal more that IoT device manufacturers, suppliers and regulators should be doing around security; a task which Microsoft recently described as “critical” thanks to growing cyber-attacks.1 There are moves afoot, including January’s announcement that the US Congress will reconsider a specific regulatory bill, the ‘Developing and Growing the Internet of Things (DIGIT) Act’.2 Meanwhile, in Europe, the EU is considering a ‘Trusted IoT Label’, providing evidence a device has met basic security standards.3 But none of this helps an organization today, particularly as it seems clear that millions of unsecured IoT devices will remain ‘in the wild’ for many years to come.
Accepting this, what can an organization do to protect itself? If we are on the edge of an era of IoT orchestrated DDoS attacks what defences can be put in place before disaster strikes?
The key is preparation and planning according to Gary Sockrider, a principal security technologist at Arbor Networks.4 Radware backs this up, noting that it is vitally important that IoT-related security is no longer considered as an afterthought, if it is considered at all. Organizations need to be urgently reviewing their cybersecurity planning in light of these novel forms of threat.
This preparation operates on two levels: what a firm can do to mitigate against attacks from Internet of Things botnets, and, secondly, what it can do to improve the security of its own IoT devices operating within the corporate network.
Preparing For Thing Bot DDoS Attacks
The most important protection is to review preparedness for a large scale DDoS attack.5 These are clearly on the increase, whether from IoT botnets, or from more traditional command and control methods, and events in 2016 have demonstrated the increasing size of such attacks.
Organizations should review their DDoS mitigation planning and procedures to make sure not only that they are up-to-date, but that they specifically include details of what to do in the event of an intensive IoT-based, Mirai-style attack. Plans need to be reviewed on a regular basis, as it seems clear that now that Mirai has been open sourced, new variants will be made available in the coming months. This is an area where activereach can provide high-level advice and support.
A crucial part of this planning is the implementation of regular IoT Botnet DDoS mitigation testing, ideally on a quarterly basis. It is important, in the light of recent events, that organizations test both for a DDoS attack from an external source, but also from an attack from their own IoT devices (Verizon recently documented an unnamed US university whose own IP-enabled food vending machines orchestrated a large-scale attack on the DNS servers on its network).6 We would also recommend that plans allow for, and are tested against, containment of incidents across the network (for example, using effective subnet segregation).
Max Pritchard, Pre-sales Consultant at activereach says:
Internet of Things Device Security: Get Compliant
For the second level of preparation, the most important step any organization can take at this stage is to become much more aware of the IoT devices that are present on their own networks. Firms need to formally audit their devices, including even the most humble seeming, such as IP-enabled vending machines, thermostats and security lighting. Some of them may even have been added by non-IT staff without any consultation (for example, the staff-room coffee pot that orders its own re-supplies). The unnamed university cited above eventually found over 5,000 IP-enabled devices on its network.
All these devices assets need to be ‘visible’ to an organization’s IT security staff and the dependencies between them well understood. As a recent call-to-arms over IoT security, published in the Communications of the ACM, points out: “the owners or users of compromised devices are often not aware their devices are being used to attack other systems”.7
Such unawareness leads, potentially, to compliance issues, with Richard Henderson, a global security strategist at Absolute, recently arguing that organizations will need to prove they have full visibility of devices on their network and have understood, and managed, elements of risk. This is essential, as, in his opinion: “When the next Mirai-style attack occurs, you can bet there will be a team of lawyers ready to hold somebody responsible for their company’s resulting loss of revenue, data, and reputation”.8
activereach recommends that individual devices should be audited and reviewed for a range of parameters, and that basic security is enhanced where possible. There are many aspects of what Microsoft refers to as a ‘Device Risk Analysis’,9 but could include the following:
- Use of default passwords: change if this is allowed by devices.
- Update and patch all firmware on regular basis, where this is available.
- Isolate individual devices from the wider Internet except where explicitly required.
- Ring fence IoT devices within the organizational network using virtual segmentation.
- Regularly monitor and audit event and security logs: understand traffic patterns.
- Review position of devices with respect to network firewall and perimeter defences.
- Block insecure ingress protocols and ports on devices, if this is configurable (e.g. Telnet).
- Implement packet encryption on individual devices (e.g. FIPS-197/AES).
- If a device requires DNS functionality check for DNS Security Extensions (DNSSEC).
- Implement 802.1X, a port-based Network Access Control (PNAC) standard where possible.
- Enable logging of physical access to a device e.g. USB access, where possible.
Device audits should also consider one other aspect that is uniquely vulnerable in many IoT deployments: the physical security of devices.1 Many devices are deployed in the wider physical environment, well away from more secure data centres or staff offices and therefore are more open to tampering. In such situations, it is important to ensure that hardware deployment is as tamper-proof as possible. If USB or other ports are available on the hardware, ensure that they are covered securely.
For organizations that are involved in deploying IoT as part of systems delivery for their partners or customers (for example, in supply chain logistics) it is important to review the entire solution. Microsoft, for example, have recently recommended that, in these cases, businesses “conduct security evaluations of the entire IoT stack”.1 This means looking at not only the devices in question but auditing the level of protection whilst data is in transit over the Internet and reviewing how it is handled in enterprise systems such as private or public clouds.
Harden The Network
In general, organizations should be looking to ‘harden’ their networks and associated assets against attack, by implementing the above measures, but also reviewing configuration settings, application security, operating system patching, firewall configurations and perimeter defences. These are all areas where activereach can offer advice and support, with an independent, vendor-neutral overview of the best way forwards.
IoT security and defence is an issue that activereach is determined to stay on top of and we’ll be going all out to support our customers in the coming months. As Sockrider told the RSA 2017 conference, at the end of the day, “there are a lot more good guys than bad guys…we can come together to put a stop to these attacks”.10
 Abendroth, B., et al. Cybersecurity Policy for the Internet of Things (Redmond: Microsoft Corporation, April 2017), (p.4).
 Eggerton, J., ‘DIGIT Act Reintroduced’, Multichannel News (New York: NewBay Media, LLC., 10th Jan 2017).
 European Commission, ‘Digital Single Market – Digitising European Industry Questions and Answer’ [Press Release], (Brussels: European Commission, 19th April 2016).
 Schwartz, M., ‘Mirai Tools Up for Advanced DDoS Attacks’ [blog], Bank Info Security (13th March 2017).
 Radware, Global Application & Network Security Report 2016-17 (Tel Aviv, Israel: Radware Ltd, Jan 2017).
 Verizon, Data Breach Digest – IoT Calamity: the Panda Monium (Basking Ridge, NJ: Verizon Communications Inc., Jan 2017).
 Lindqvist, U., Neumann, P., ‘The Future of the Internet of Things’, Communications of the ACM, 60/2 (2017), p.27
 Henderson, R., ‘IoT & Liability: How Organizations Can Hold Themselves Accountable’ [blog], DarkReading (10th March 2017).
 Do Carmo Iwase, L., Samuel, A., ‘Are my IoT deployments secure?’ Microsoft Advanced Analytics & IoT.
 Schwartz, M., Sockrider, G., ‘Audio interview at RSA Conference 2017’ [podcast], Bank Info Security (13th March 2017), [04:20]