Securing the Internet of Things - Developer's Guidance

The "Internet of Things" or "IoT" as it's affectionately known, has become one of the most prevalent buzzwords of 2016.  Almost everything you touch today is somehow associated with it. Everything from smart thermostats, security systems, refrigerators and baby monitors in your home, to fitness bracelets and watches on your wrist, are connected to the Internet now.  From clothing that use coloured LEDs to reflect your mood, to children's educational toys, all have connectivity to "enhance your life experiences".

With the race to bring new products to this evolving market, issues of both Security and Privacy are raised for consumers. At the low end of the spectrum, an attached IoT device could expose your WiFi configuration.  On the high end of the spectrum, your personal banking, and health information could be exposed. 

Depending on who you listen to, the analysts are saying that there will be between 25-30 BILLION Internet connected devices by the year 2020... just a short 4 years from now. (Cisco says 50 Billion!)



http://hpe-enterpriseforward.com/eiu-securing-iot/

Each one of these devices is a potential

Security or Privacy liability.

Management consultant Capgemini found:

• only 33% of organizations believe their IoT products are “highly resilient” against any future cyber security threats,
• 48% of companies focus on securing their IoT products from the beginning of the product development phase.

 Hewlett Packard Enterprise Security goes even further:



http://hpe-enterpriseforward.com/eiu-securing-iot/



In the past year, we have seen:

• Baby Monitors that share their video publicly over the Internet
• Police Body Cameras that come preinstalled with Conficker malware
• Interactive Barbie Dolls that can be used to spy on children
• Smart Thermostat that can be hacked for surveillance in just 15 seconds
• IoT doorbell can reveal your Wi-Fi key
• How insanely easy it is to exploit hospital equipment
• The hack of the Ukraine Power Grid
• A Jeep remotely disabled on the highway

Cisco: IoT Security Timeline

Who are these "Malicious People" and why do they want to wreak havoc with our Inventions?

IoT devices and systems are typically remote sensors or controls involved in managing a process of some sort. Whether it be collecting weather information for crop management, to sensor data for proper maintenance of an automobile, temperature and humidity information for building climate control, or bio sensors for monitoring a patients health, IoT devices manage a large amount of critical information.  Critical information that could potentially be considered Private and/or Confidential in nature. 

IoT PenguinBot

By the remote nature of these devices, they are also typically designed to be "low cost" and "low energy" battery operated systems.  Function and performance are the critical design success factors, while Security has not played a significant development role to date.  MOST current IoT devices are readily exploitable through several means. 

Oh, and did I mention that most IoT devices are connected (and trusted) in some way to logging, monitoring, and analysis tools deep within the corporate infrastructure?  Find a kink in this light armour, and you can sail right past the corporate security systems in place.

What type of attacker is interested in exploiting IoT devices?  We are finding that the IoT Threat Landscape is quite varied.  Everyone from cybercriminals to government entities, hacktivists, and even insiders have shown up to the game. It's apparently hard to resist the low hanging fruit of an easily exploitable system, that could lead directly into the corporate infrastructure.  
From stealing sensitive data by hacking IoT devices, to facilitating denial of service against a third-party entity, there are plenty of reasons and opportunities to exploit a connected Internet of Things device.

 

So, as developers, what are we to do? 

How can we ensure that our products are secure from the beginning?  What aids do we have to guide us in creating a more secure, more private consumer product?

I'm glad you asked!  There are many initiatives currently to define the obstacles and opportunities to creating a secure Internet of Things ecosystem, but there ARE some guideline that you can follow.

First, from Cyber Security company I am the Cavalry, here is a snippet of sage advice:

Security:

1. Secure by Default
1. No default passwords shared between devices, or weak out of the box passwords.
2. All passwords should be randomly created using a high quality random password generator.
3. Advanced features used by small percentage of users should be turned off by default(VPN,Remote Administration, etc...)
2. Secure by Design
1. Firmware should be locked down so serial access is not available.
2. Secure Ethernet (SE) or Trusted Protection Modules (TPM) devices should be used to protect access to the firmware and hardware.
3. All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.
4. NAND or other memory/storage mediums should be protected with epoxy, ball sockets (so the memory cannot be removedand dumped), or other methods to prevent physical attack. 
3. Self Contained Security
1. The devices should not rely on the network to provide security. Rather, the device's security model should assume the network is compromised, and still maintain protection methods. This can be done with prompts to the user to accept handshakes between devices trying to access other devices on their networks.
2. Communication between devices should be encrypted to prevent MiTM attacks and sniffing/snooping.

Privacy:

1. Consumer PII not shared with manufacturers or partners.
2. Usage data on individual consumer is never shared with partners or advertisers.
3. Anonymous data for buckets of users on usage patterns is acceptable as long as it's proven to no be traceable back to an individual consumer.
4. Data collection policy, type of data collected and usage of data is clearly documented on site.

As well, I am the Cavalry has published the Five Star Automotive Cyber Safety Program, with the purpose of bringing the industry together to standardize on a security framework for connected devices.

At the same time, an organization called OWASP, or The Open Web Application Security Project, has created a project specifically around Security for the Internet of Things.

According to their website:  

The OWASP Internet of Things Project provides information on:

• IoT Attack Surface Areas
• IoT Vulnerabilities
• Firmware Analysis
• ICS/SCADA Software Weaknesses
• Community Information
• IoT Testing Guides
• IoT Security Guidance
• Principles of IoT Security
• IoT Framework Assessment
• Developer, Consumer and Manufacturer Guidance
• Design Principles

Of interest in this discussion is the topic of "IoT Attack Surface Areas". Each one of these boxes identifies specific threat vectors to IoT product development, as well as guidance and recommendations on remediating these concerns early in the development cycle.





IoT Attack Surface Areas

Ecosystem Access Control	Device Memory	Device Physical Interfaces	Device Web Interface
Device Firmware	Device Network Services	Administrative Interface	Local Data Store
Cloud Web Interface	Ecosystem Communications	Vendor Backend APIs	Third Party Backend API's
Update Mechanism	Mobile Application	Network Traffic

 IoT Security != Device Security

The OWASP IoT Attack Surface Areas are as follows:

Attack Surface	Vulnerability
Ecosystem Access Control	Implicit trust between components Enrollment security Decommissioning system Lost access procedures
Device Memory	Cleartext usernames Cleartext passwords Third-party credentials Encryption keys
Device Physical Interfaces	Firmware extraction User CLI Admin CLI Privilege escalation Reset to insecure state Removal of storage media
Device Web Interface	SQL injection Cross-site scripting Cross-site Request Forgery Username enumeration Weak passwords Account lockout Known default credentials
Device Firmware	Hardcoded credentials Sensitive information disclosure Sensitive URL disclosure Encryption keys Firmware version display and/or last update date
Device Network Services	Information disclosure User CLI Administrative CLI Injection Denial of Service Unencrypted Services Poorly implemented encryption Test/Development Services Buffer Overflow UPnP Vulnerable UDP Services DoS
Administrative Interface	SQL injection Cross-site scripting Cross-site Request Forgery Username enumeration Weak passwords Account lockout Known default credentials Security/encryption options Logging options Two-factor authentication Inability to wipe device
Local Data Storage	Unencrypted data Data encrypted with discovered keys Lack of data integrity checks
Cloud Web Interface	SQL injection Cross-site scripting Cross-site Request Forgery Username enumeration Weak passwords Account lockout Known default credentials Transport encryption Insecure password recovery mechanism Two-factor authentication
Third-party Backend APIs	Unencrypted PII sent Encrypted PII sent Device information leaked Location leaked
Update Mechanism	Update sent without encryption Updates not signed Update location writable Update verification Malicious update Missing update mechanism No manual update mechanism
Mobile Application	Implicitly trusted by device or cloud Username enumeration Account lockout Known default credentials Weak passwords Insecure data storage Transport encryption Insecure password recovery mechanism Two-factor authentication
Vendor Backend APIs	Inherent trust of cloud or mobile application Weak authentication Weak access controls Injection attacks
Ecosystem Communication	Health checks Heartbeats Ecosystem commands Deprovisioning Pushing updates
Network Traffic	LAN LAN to Internet Short range Non-standard

As stated earlier, this is starting guidance on what to look for when building out your Internet of Things Security Framework.  For further ideas and guidance, please read the references below. 

Good luck, and happy coding.

Verizon Security whitepaper: Securing the Internet of Things

Resources:

OWASP: Top 10 IoT Security Issues
OWASP Top Ten IoT Security - Infographic
OWASP: IoT Security Guidance
RSA Conf: Mapping the IoT Attach Surface Areas
ARSTechnica: “Internet of Things” security is hilariously broken and getting worse
ARSTechnica: Police body cams found pre-installed with notorious Conficker worm
ARM.COM: From Sensor to Server, ARM drives the Internet of Things 
Texas Instruments: Internet of Things - Opportunities and Challenges 
DEFCON 23: IoT Attack Surface Mapping
HPE: Securing the IoT
Capgemini: Securing the Internet of Things
Globe and Mail: Internet of Things a playground for hackers
Globe and Mail: The Future is Smart - Why privacy must be baked into the Internet of Things
https://www.iamthecavalry.org/
IamtheCavalry: Five Star Automotive Cyber Safety Program
https://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children
http://www.computerworld.com/article/2476599/cybercrime-hacking/black-hat-nest-thermostat-turned-into-a-smart-spy-in-15-seconds.html
https://www.exploitee.rs/index.php/Exploiting_Nest_Thermostats
http://www.theregister.co.uk/2016/01/12/ring_doorbell_reveals_wifi_credentials/
Embedded: Security framework for IoT devices
NIST Releases Draft Framework on the Internet of Things
Online Trust Alliance: IoT Trust Framework
WolfSSL: Embedded SSL Library for Applications, Devices, IoT, and the Cloud
http://www.bankingexchange.com/news-feed/item/5770-5-hacks-into-your-internet-of-things-devices
https://www.helpnetsecurity.com/2016/05/09/internet-of-fail/
Cisco: IoT Threat Environment
https://blog.knowbe4.com/worlds-most-famous-hacker-kevin-mitnick-iot-is-exploitable
http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/

CSIRT: Classifying the Severity of a Breach

We are all aware of the need and value of Classifying our Corporate Data. We all have embedded Information Classification into our Security Policy Framework, and many of us have even gone through the exercise of tagging and classifying our data.  (Read that last sentence as "a vast majority of us have either not started or not completed this daunting exercise").

One tangible outcome of performing an Information Classification exercise is being able to effectively communicate the impact of a potential Information Security Breach.  

I was asked recently to provide guidance to the Executive and Audit team of one of my clients to help identify and classify severity levels related to Breach Communication. They wanted a system to "value" the outcome of any potential Data Breach, should one happen.

I was told to constrain my scope to a High, Medium, Low classification model.

Using their own Information Classification Policy, I was able to quickly provide the following model, and thought it a valuable lesson for others in this situation.

Please feel free to use this or any portion thereof to assist in your own CSIRT exercises.

---

Information Security Breach Impact Classification

ABSTRACT: 
This document, based upon  's Information Classification Policy, provides a basic model to identify and classify the potential impact of a loss of data in the event of an Information Security Breach. This information can provide guidance in Communicating your Breach, as well as in determining requirements and constraints for acquiring CyberSecurity Insurance. 

Significance of Breach: - High Level Breaches

                                          - Medium Level Breaches

                                          - Low Level Breaches

A High level Breach would be considered any breach that exposed PII, PCI, PHI, or Corporate Restricted Information pertaining to either  or it’s Partners/Clients/Vendors

RESTRICTED  

The ‘RESTRICTED’ classification is assigned to data that, if corrupted, disclosed without authority or lost, might result in a critical loss to .

Example:

‘RESTRICTED’ information includes but is not limited to personal identifiable information (PII), employees’ medical history, Credit Card information, Bank account information, and encryption keys and passwords.

A Medium level Breach would be considered any breach that exposed Corporate Confidential Information, but not PII, PCI, PHI, or Corporate Restricted Information pertaining to either   or it’s Partners/Clients/Vendors

Confidential  

The ‘CONFIDENTIAL’ classification for information is assigned to data that, if corrupted, lost or disclosed without authority, might result in important or significant loss to  .

Example:

‘CONFIDENTIAL’ information includes confidential business proposals, customer information, HR information such as employment contracts and compensation, and general financial data.

A Low level Breach would be considered any breach that either exposes no data, or only Corporate Internal Information. A Low Level Breach does not expose Corporate Restricted or Confidential Information, PII, PCI, or PHI Information pertaining to either  or it’s Partners/Clients/Vendors. 

Internal 

The ‘INTERNAL’ classification is used to denote information that may be shared within   but is restricted from general release to the public.

Example:

‘Examples include training manuals, procedures and communications to all employees.

Definitions:

Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), as used in Canadian, US, and European privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Protected Health Information (PII), generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.

References:

SANS: Information Classification - Who, Why and How
CSO Online: What security leaders need to know about breach communication
iso27001security.com:Information Classification Policy template
Carnegie Mellon: Guidelines for Data Classification
FIRST: CSIRT Case Classification (Example for Enterprise CSIRT)
Carnegie Mellon: Handbook for CSIRTs.
http://www.databreachtoday.com/blogs/importance-data-classification-p-1153
GIAC: An Introduction to the Computer Security Incident Response Team
CERT: CSIRT Frequently Asked Questions (FAQ)
IAPP: Communicating a Breach: Best Practices and Examples
Your Guide for Data Breach Crisis Communication
Computer Weekly: Lack of data classification very costly to firms, says survey
DHS: Cyber Risk Management and Cybersecurity Insurance

Selling Myself - Michael Ball Consulting Inc.

As of July 2015, I have been providing Information Security Consulting Services on a contract Basis. 

If interested in hiring me for consulting or a speaking engagement, please contact me at the following:

Michael Ball Consulting Inc. 
61 Baxter St. Bowmanville Ontario, L1C 5P8 Cell: (647) 458-5064
Email: unix_guru at Hotmail dot com or @unix_guru on Twitter

Information Security Consulting and Architecture

Over 25 years Information Security Operations and Governance in the Finance and Insurance Sectors.

Finance Sector:

• AGF Mutual Funds, Toronto (Jan 2016 – Present), Acting CISO
• CIBC, Toronto (Feb 2016), Application Threat/Risk Analysis –Mobile Money Manager App.
• Dundee Capital Markets, Toronto (Oct  2015), Information Security Maturity Model (Cobit / ISO 27001 based)
• Dundee Capital Markets, Toronto (Nov  2015), Information Security Architectural gap analysis and Roadmap
• HPE/TD, Toronto (Mar 2016) PCI QSA Self Assessment consulting and review

Health Sector:

• William Osler Health Institute, Brampton (Aug 2015), Privacy Impact Assessment for Patient Record Viewing Application.
• William Osler Health Institute, Brampton (Sept 2015), Information Security Threat/Risk Analysis for Patient Record Viewing Application.
• Trillium Health, Toronto (Mar 2016), SIEM Infrastructure Migration and Governance Review

Transportation Sector:

• Air Canada, Montreal (Nov 2015), Privileged Password Management Architectural Review (CyberArk).
• Metrolinx, Toronto (Feb 2016), Privileged Password Management Architectural Design (CyberArk). 
• Teranet, Toronto (Sept 2016), Active Directory Risk Assessment and roadmap.
• Teranet, Toronto (Oct 2016), Privileged Password Management Architectural Design (CyberArk).  
• Teranet, Toronto (Nov 2016), Web Application Threat/Risk Analysis.

Industrial Supply:

• Wajax, Mississauga (Sept 2015), Information Security Maturity Model (Cobit / ISO 27001 based)
• Wajax, Mississauga (Oct 2015), Information Security Threat/Risk Assessment (ISO 27002 based)

 Speaking Engagements:

• CIO Innovation Summit 2016 – Top CISO Concerns 2016
• SC Congress 2016 – Top 4 CISO concerns
• Sector  2015 – Cloud Security Access Brokers
• DCD Converged Canada (Nov 2015)  - Cloud Security
• SC Congress 2015 – Cloud Access Security Brokers
• SC Congress 2015 – The Role of the CISO
• CIO Innovation Summit 2015 – Identifying Corporate IS Risk
• SC Congress 2014 – Privileged Identity Access
• CyberArk Customer Event 2014 – Corporate Use Cases
• CIO Innovation Summit 2014 – Cloud Security
• Symantec Vision 2014 – Enterprise Single Sign-On
• Symantec Vision 2014 – Enterprise Host Based Security

 Video:

• ITWorld Canada: Top 4 CISO Concerns for 2016

 Services:

• Office of the CISO - Consulting/Augmentation
• Privacy Impact Assessment.
• Information Security Program Threat/Risk Assessment.
• Information Security Governance Maturity Model Assessment.
• Application Threat/Risk Assessment.
• Network Vulnerability Assessment.
• Cloud Security Consultation and Architecture.
• Cloud Provider Access Review.
• SIEM Governance Review.
• Perimeter Security Review and Architecture.
• Network Security Zoning Review and Architecture.

 Articles:

How CISOs can find and secure rogue cloud applications
Cyber attacks on financial sector three times other industries
#ITWCchats – Breached: Preventing and mitigating data leaks
Darktrace: The enterprise immune system
Jentu: This Canadian company aims to turn virtual desktop infrastructure upside down
BlueLine: This Toronto-based company takes data encryption to new heights
Augmenting Encryption with Tokenization

The demise of excess access: A eulogy for traditional VPN
Specialty retail stores not safe from POS attacks

Toronto's 2015 SecTor Conference.

I feel utterly privileged to have attended this years SecTor Conference at the Metro Toronto Convention Center a few weeks ago now.

For those of you unaware of what Sector is, it is Toronto's pre-eminent Information Security Conference.  Anybody and everybody associated with IT Security is here. SecTor is not only an educational event, but a social one as well.  It is one of the annual events where Security Professionals congregate from around the province and indeed across the country. 


The schedule is hectic, with multiple tracks of discussion panels suited to a variety of current topics. 
Although the main conference is two days in length, there is a third day just before the conference for those who wish to participate in various Infosec educational courses. 


This years daily Infosec sessions can be found here: http://www.sector.ca/Program/Sessions

Over the two days, there were four Keynotes:

• Big Data Needs Big Privacy ... Enter Privacy by Design - Dr. Ann Cavoukian
• Globalization of Cybercrime - Jason Brown
• IT Security Operations: Successful Transformation - Kristin Lovejoy
• Maturing InfoSec: Lessons from Aviation on Information Sharing - Trey Ford 

All four of these speakers bring with them a wealth of experience and skill.  I was riveted to my seat the entire time.  

As for the actual Infosec discussions themselves, they were very wisely organized into a Technology track, a Management track, a Security Fundamentals track, and a Sponsor track.  Again, see http://www.sector.ca/Program/Sessions  for a drill down on the actual discussion topics for each. 

I wish I could tell you I saw them all, I *had* planned on jumping between several presentations, but each one I attended had me fully engaged. I can honestly say that SecTor went out of it's way to select exceptional topics and speakers for this event.

Part of the problem with committing to a track as an attendee is that the CSO Summit is co-hosted alongside SecTor!  The CSO Summit is co-sponsored by KPMG, and this year featured discussions by Kris Lovejoy, the former Global CISO if IBM, and Tim Rains, Chief Security Advisor, Microsoft.

The Expo Hall itself was huge, with a broad cross section of Infosec vendors from Educational Institutions, Compliance and Governance bodies, to Appliance and Software Vendors.  Securesense and  Fortinet showed off their "Forti-Express" a state-of-the-art rolling Briefing and Demo center. 

 Two things that grabbed my attention among all of the commotion in the Expo Hall were the "Lockpick Village" and the "Internet of Things Hack Lab".

The Lockpick Village has been a mainstay of SecTor for the past several years now. It's a free, full participation, workshop in using the standard tools of the trade to learn how to pick physical locks! Attendee times are recorded, with a prise at the end for the quickest time. The people sitting at these seats are among the happiest at the entire event. 

 

This year Tripwire introduced the Internet of Things Hack Lab. Employees from Tripwire, as well as one of their previous hackathon winners were onsite to  guide attendees into the world of IoT hacking. They brought samples of common IoT devices with them, and were willing to educate anyone who wanted to sit for a while and get an understanding of the security (or specifically lack thereof) of the Internet of Things.

SecTor was an overall success in my books.  They brought the right people to discuss relevant topics, the vendor space was very well represented, and the social quality was outstanding.  Thank you SecTor for once again putting on a remarkable event.