Author: Steve DeJarnett, Head of Solution Delivery & Customer Success
In 2014, I wrote a blog post called “The Boulevard of Broken Things” about the problems with Internet-connected devices that never (or seldom) receive software updates. It was already a real problem then, but with the recent news about the Mirai botnet and IoT-driven DDoS attacks at volumes never seen before, I decided to dust off the post and update it for enterprise IT teams.
Why should an enterprise IT team worry about misconfigured consumer devices? Two reasons, one fairly obvious and the other less so:
- While security journalist Brian Krebs and DNS infrastructure provider Dyn were the most recent targets of Mirai botnets, what’s to stop someone from pointing that weapon at your website? Very, very little.
- As we at E8 Security have seen in numerous customer trials and production deployments, consumer devices exist on virtually all enterprise
Your data center may be protected and your perimeter secured, but who’s watching out for the TV in your conference room, a vendor device that was connected to your network, or the digital sign in your lobby? Anything that is connected to your network could be a threat vector.
It’s important to be an informed consumer, especially if you’re about to deploy “Things” across your enterprise. Here are some questions to ask your vendor and your internal IT teams, along with some context on why each question matters. Note: when I use the term software, I mean everything installed on the device: application software, the operating system, device firmware, BIOS, bootloaders, and so on, whether it was loaded by the device manufacturer or by the maker of any component built into the device. Any and all of it may need to be updated in the future.
Can the software be upgraded remotely via an automated process (i.e. can it be done unattended)?
As a hypothetical example, if you need to deploy monitoring devices on the badge readers at every employee access point, you don’t want to send someone out to each device to install updates, especially if you have several office buildings or widespread locations. No matter what business you’re in, compare the cost of dispatching people to every device each time an update is required with the cost of one person (or a small team) performing the upgrades over the network from a central location. The latter is far more cost-effective, and it is also the only way patches will actually be applied promptly once the fleet grows.
Is the vendor willing to commit to patch critical bugs or vulnerabilities within a specified amount of time?
What will you do if a bug like Heartbleed is discovered after you buy the device? If the vendor values product security, they likely have a secure software development process for finding and fixing bugs and vulnerabilities in their product, and for shipping patches quickly. Be sure to review your vendor contract, though. While it’s generally understood that critical vulnerabilities should be patched as soon as possible, some vendors are less responsible than others, which could leave your organization exposed with no recourse. Know what to expect, and make sure those expectations match your needs. Often you can negotiate Service Level Agreements (SLAs) for critical vulnerabilities into the contract, with a defined maximum time to patch and a defined support lifetime for the device.
What level of network access do the devices need?
Requiring devices to authenticate to the network before they can send information or receive updates is an added layer of security that raises the bar for unauthorized access and gives attackers one more barrier to cross. However, also consider whether, and how, your network is segmented. If these devices or their update servers sit on the same segment as the organization’s other assets, how trivial would it be for an attacker who controls one device to move laterally to assets that hold sensitive data? Remember the lessons of the Target breach of 2013, where attackers entered through a third-party vendor’s network access and moved from there to the payment systems. Give devices only the reachability they need: an update server and a management console, not the whole data center.
Are the software updates digitally signed so that tampering can be detected, and does the device verify the signature of the image before installing it?
If an attacker can slip a modified update onto your devices, they own the devices and, very likely, your network. Even a single compromised device may be enough to put your enterprise data at risk. Digitally signed images make it much harder to sneak a modified software image onto your devices, but the vendor has to provide signed images as the first step. Signed images are useless if the device doesn’t check that the image was actually signed by the manufacturer, using a vendor public key that is already on the device rather than one shipped inside the update. The device needs to verify the signature of every image it downloads before running any code from it, and it should also refuse to install an older version than the one it is running; otherwise an attacker can replay a genuinely signed but vulnerable old image.
Does the device handle software upgrade failures in a predictable, appropriate manner?
Some software upgrades are bound to fail. Sometimes we can’t figure out why; sometimes trying the upgrade again works fine. But if your device is going to download code and upgrade itself, it needs to handle those failures in a predictable, non-catastrophic manner. The best outcome is that the device keeps running the previously installed version with the configuration it had before the upgrade attempt, which in practice means writing the new image to a separate slot and switching over only after it has proven itself. A device should never be left in an undefined or unprotected state after an upgrade. Ask your vendor to tell you exactly what the device does when an upgrade fails.
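The two questions above describe one update pipeline: verify the signature and version before anything from the image runs, then install in a way that a failure cannot brick the device. Here is an added example, not code from the original post or from any vendor, that walks through that pipeline for a hypothetical device. The container format (a version number, a payload and an Ed25519 signature over both), the two-slot layout and the health-check hook are all assumptions chosen for illustration; Ed25519 is used only because it is in the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedImage is a hypothetical update container: version, firmware payload,
// and the vendor's Ed25519 signature over both.
type SignedImage struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signedBytes is exactly what gets signed. The version is covered so an
// attacker cannot relabel an old, vulnerable image as a newer one.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// NewVendorKey stands in for the vendor's key ceremony (example only).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage runs on the vendor's build system; the private key never reaches a device.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) SignedImage {
	return SignedImage{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// Slot is one of two firmware slots (A/B) on the device.
type Slot struct {
	Version uint32
	Image   []byte
	Config  string
}

// Device holds the vendor's public key (assumed burned in at manufacture),
// the running slot and a spare slot for the next update.
type Device struct {
	VendorKey ed25519.PublicKey
	Active    Slot
	Spare     Slot
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
	ErrHealthCheck  = errors.New("update aborted: new image failed health check, old slot kept")
)

// VerifyImage checks signature and version BEFORE any byte of the image is
// written to flash or executed.
func (d *Device) VerifyImage(img SignedImage) error {
	if !ed25519.Verify(d.VendorKey, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= d.Active.Version {
		return ErrRollback
	}
	return nil
}

// ApplyUpdate installs into the spare slot and switches slots only once the
// new image passes healthCheck. On any failure the active slot, including its
// configuration, is left exactly as it was.
func (d *Device) ApplyUpdate(img SignedImage, healthCheck func(image []byte) bool) error {
	if err := d.VerifyImage(img); err != nil {
		return err
	}
	d.Spare = Slot{Version: img.Version, Image: img.Payload, Config: d.Active.Config}
	if !healthCheck(d.Spare.Image) {
		d.Spare = Slot{} // discard the candidate; nothing else changed
		return ErrHealthCheck
	}
	d.Active, d.Spare = d.Spare, d.Active // a real device makes this switch atomic
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	dev := &Device{VendorKey: pub, Active: Slot{Version: 1, Image: []byte("fw-1.0"), Config: "vlan=40"}}
	healthy := func([]byte) bool { return true }
	fmt.Println("genuine v2:", dev.ApplyUpdate(SignImage(priv, 2, []byte("fw-2.0")), healthy), "running", dev.Active.Version)
	img := SignImage(priv, 3, []byte("fw-3.0"))
	img.Payload = append(img.Payload, "+backdoor"...) // tampered in transit
	fmt.Println("tampered v3:", dev.ApplyUpdate(img, healthy), "running", dev.Active.Version)
	broken := func([]byte) bool { return false }
	fmt.Println("broken v3:", dev.ApplyUpdate(SignImage(priv, 3, []byte("fw-3.0")), broken), "running", dev.Active.Version)
}
```

The order of checks is the point: a bad signature or a downgrade is rejected before the payload touches the spare slot, and a candidate that verifies but fails its health check is simply discarded, leaving the device running the old version with its old configuration. A second, unrelated signing key (as a stand-in for an attacker) and a flipped payload byte both fail the same way.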
How are devices monitored for signs of tampering?
Just because you aren’t aware of unauthorized access or an exploit targeting a device vulnerability doesn’t mean it isn’t happening. Targeted attacks can be subtle, often imitating the appearance of legitimate activity. Continuous monitoring of what devices actually do (the actions they take, the authentication attempts they make, and the network connections they open) can alert you to an attack on, or misuse of, a device before any exploit or malware is identified. The practical approach is to baseline each device’s normal behavior and flag departures from it: a conference-room TV that suddenly opens connections to a host it has never talked to deserves a look. Behavior monitoring should be done internally and continuously, and response processes should be in place for when suspicious behavior is detected.
Are you monitoring for the appearance of new devices on your network?
The devices that you intentionally put on your network may all be secure and up-to-date, but are you monitoring your network for the appearance of new devices? The one weak link could be the device that an employee brought in from home, which could be the vehicle by which your network is compromised. Monitor for the appearance of new devices. Watch for devices that are transient – there for a while, then gone for a while. Anything that physically enters and exits your environment could be compromised while it’s outside of the protective confines of your network.
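The two questions above (watching what known devices do, and watching for devices that are new or transient) can be answered from the same data: a feed of which device talked to which destination, and when. The following is an added example, not code from the original post, of a small monitor that learns a baseline during a training window and then raises three kinds of alert. The log format (“minute MAC destination:port”), the sample records and the 120-minute silence threshold are all constructed for illustration; in practice the feed would come from DHCP leases, switch MAC tables, or flow logs.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one connection record: minute since capture start, device MAC, destination.
type Flow struct {
	Minute int
	MAC    string
	Dest   string
}

// Alert is what the monitor raises; Kind is NEW_DEVICE, NEW_DESTINATION or TRANSIENT_DEVICE.
type Alert struct {
	Minute int
	MAC    string
	Kind   string
	Detail string
}

// SampleLog is constructed for this example (not real capture data) in a
// simplified "<minute> <mac> <dest:port>" format.
const SampleLog = `
# --- baseline window (minutes 0-60): known devices, known destinations ---
5   aa:bb:cc:00:00:01 203.0.113.10:443
10  aa:bb:cc:00:00:02 10.0.0.5:8443
30  aa:bb:cc:00:00:01 203.0.113.10:443
40  aa:bb:cc:00:00:02 10.0.0.5:8443
55  aa:bb:cc:00:00:01 203.0.113.10:443
# --- monitored window ---
70  aa:bb:cc:00:00:01 203.0.113.10:443
75  aa:bb:cc:00:00:01 198.51.100.7:23
80  aa:bb:cc:00:00:99 10.0.0.5:445
90  aa:bb:cc:00:00:01 203.0.113.10:443
300 aa:bb:cc:00:00:02 10.0.0.5:8443
`

// ParseFlows reads the simplified format above, skipping blank and comment lines.
func ParseFlows(log string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: want 3 fields, got %d", n+1, len(f))
		}
		minute, err := strconv.Atoi(f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad minute %q", n+1, f[0])
		}
		flows = append(flows, Flow{Minute: minute, MAC: strings.ToLower(f[1]), Dest: f[2]})
	}
	return flows, nil
}

// Monitor learns which devices exist and whom they talk to during the
// baseline window, then flags departures from that baseline.
type Monitor struct {
	BaselineEnd int // flows at or before this minute only train the baseline
	Gap         int // a known device silent longer than this is "transient" when it returns
	known       map[string]map[string]bool
	lastSeen    map[string]int
}

func NewMonitor(baselineEnd, gap int) *Monitor {
	return &Monitor{BaselineEnd: baselineEnd, Gap: gap,
		known: map[string]map[string]bool{}, lastSeen: map[string]int{}}
}

// Process consumes flows in time order and returns the alerts raised.
func (m *Monitor) Process(flows []Flow) []Alert {
	sort.SliceStable(flows, func(i, j int) bool { return flows[i].Minute < flows[j].Minute })
	var alerts []Alert
	for _, f := range flows {
		dests, seenBefore := m.known[f.MAC]
		switch {
		case f.Minute <= m.BaselineEnd:
			// training window: record only, never alert
		case !seenBefore:
			alerts = append(alerts, Alert{f.Minute, f.MAC, "NEW_DEVICE", "first contact " + f.Dest})
		default:
			if last := m.lastSeen[f.MAC]; f.Minute-last > m.Gap {
				alerts = append(alerts, Alert{f.Minute, f.MAC, "TRANSIENT_DEVICE",
					fmt.Sprintf("absent %d minutes", f.Minute-last)})
			}
			if !dests[f.Dest] {
				alerts = append(alerts, Alert{f.Minute, f.MAC, "NEW_DESTINATION", f.Dest})
			}
		}
		if dests == nil {
			dests = map[string]bool{}
			m.known[f.MAC] = dests
		}
		dests[f.Dest] = true // learn it, so each deviation is reported once
		m.lastSeen[f.MAC] = f.Minute
	}
	return alerts
}

func main() {
	flows, err := ParseFlows(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range NewMonitor(60, 120).Process(flows) {
		fmt.Printf("t=%3d %-17s %-16s %s\n", a.Minute, a.MAC, a.Kind, a.Detail)
	}
}
```

On the sample data this raises exactly three alerts: the known TV opening a telnet connection to a host it never used in the baseline, a never-before-seen MAC contacting the badge server over SMB, and the badge reader reappearing after hours of silence. The per-device destination map is the behavior baseline from the previous question; the first-seen and last-seen bookkeeping is the inventory check from this one.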
These questions are important when you’re installing “Things,” whether they are a global network of sensing devices or a new power plant. If we’re going to stay off of the Boulevard of Broken Things, we need to be sure our devices were designed and built to be resilient and that we maintain a watchful eye on our networks.