A very merry Christmas could give way to a not-so-happy New Year security hangover for enterprises, once a few million more Internet of Things (IoT) devices are unwrapped and migrate from homes into the workplace.
So a webinar hosted this week by Security Ledger, titled “Who let the IoT in? Finding and securing wireless devices in your environment,” aimed to offer some advance advice on how to cope with it.
Paul Roberts, founder and editor in chief of Security Ledger, who moderated the event, began by framing part of the problem: while the IoT is now very mature, many of the traditional tools enterprises still use to identify and manage vulnerable devices are “designed for the ‘Internet of Computers’ rather than the IoT.
“They aren’t well suited to spotting radio-frequency-connected smart devices that communicate and function using wireless protocols,” he said.
In other words, if you can’t see it, you can’t manage it. So much of the discussion focused on what to look for, and how to find it. Ted Harrington, executive partner at Independent Security Evaluators and one of three panelists, said consumer IoT devices are “brought into the enterprise in unsanctioned, even unintentional, ways.”
And the warning is that these devices are indeed a clear and present danger to enterprises. They remain notoriously insecure, which makes them the weak link that can allow attackers to hack into them and then “pivot” to much more important and valuable parts of the network.
The panelists noted that besides the devices themselves, another element of the expanded attack surface is being created through relatively new kinds of wireless networks that cater to low-power IoT devices like electric meters or smart watches, which emit small amounts of data.
Bob Baxley, chief engineer at Bastille Networks and another panelist, said the “long-range, low-power, low-data-rate, nearly free protocol” offers an alternative to WiFi and cellular, which have different strengths and weaknesses but are both “power hungry.”
He said the new networks amount to “a huge slice of the performance space” that until recently was not covered by other protocols or vendors. “Once you have it, you can start deploying sensors widely for pennies, and it opens up a whole bunch of new use cases for a whole bunch of things,” he said.
So, of course, new and established companies are flocking to it. Baxley mentioned Sigfox, LoRa and NarrowBand IoT, but added that “huge players like Comcast, Verizon and Orange have publicly announced they are getting into this space.”
Of course, enterprises are likely aware of their IoT devices that differ from the consumer market – Baxley mentioned the sensors that handle the physical security system, such as door locks, and said other automated systems include everything from forklifts to lighting to the HVAC environmental controls in a data center.
But Harrington noted that IoT devices aimed primarily at the consumer market are common in enterprises.
“The prime example is the smart TV,” he said. “You can’t walk into a conference room without seeing a large monitor for presentations or conferences. They’re generally the same things that a consumer would buy.
“What’s compelling about this is that TVs have enormous amounts of computing power. That matters, because it enables adversaries to do a lot of things,” he said.
To avoid getting burned by IoT vulnerabilities, the panelists said IT departments need to know what is connected to their internal environment. Right now they frequently don’t.
Baxley, whose company uses software-defined radio sensors to scan networks for wireless-enabled IoT devices, described a job at a major credit card processing company where the director of IT security “was sure that the data center, which his company didn’t tell anybody about, would be free of unknown wireless. It was very secure – even employees were escorted.
“But as soon as we turned on the sensors, we saw that all the HVAC units were beaconing ZigBee (a short-range wireless protocol) – you could clearly see them on the UI,” he said.
“Theoretically you could ‘talk’ to them from the parking lot, which makes it an interesting attack vector.”
Baxley added that the new, cheap wireless protocols on the market have longer range, which would let attackers operate from farther away. “Now I don’t have to be 200 meters away, I can be two kilometers away and talk to it and mess with it (the device),” he said.
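The practical takeaway from Baxley’s story is an inventory problem: a wireless sensor reports emitters, and the job is to reconcile what is actually beaconing against what IT believes is authorized. The following script is an added example written for this article, not code from Bastille Networks or any panelist. The sensor log format, the addresses, the approved inventory and the per-site protocol policy are all constructed for illustration; a real deployment would feed in its own sensor export and asset database.

```python
"""Reconcile wireless emitters seen by an SDR sensor against an approved inventory.

Flags devices that are not in the inventory, that are using a different
protocol than the inventory records, or that use a protocol not authorized
at that site (for example ZigBee beaconing inside a data center).
"""
from dataclasses import dataclass
import re

# Constructed sample sensor output; the line format is an assumption for this example.
SAMPLE_OBSERVATIONS = """\
2024-01-03T09:12:01Z sensor=dc1-east proto=WiFi addr=AA:BB:CC:00:00:01 rssi=-48
2024-01-03T09:12:03Z sensor=dc1-east proto=ZigBee addr=00:13:A2:00:41:5B:22:10 rssi=-61
2024-01-03T09:12:04Z sensor=dc1-east proto=ZigBee addr=00:13:A2:00:41:5B:22:11 rssi=-66
2024-01-03T09:12:05Z sensor=dc1-west proto=ZigBee addr=00:13:A2:00:41:5B:22:10 rssi=-58
2024-01-03T09:12:07Z sensor=dc1-west proto=BLE addr=D4:3D:7E:10:20:30 rssi=-72
2024-01-03T09:12:09Z sensor=dc1-west proto=LoRa addr=0004A30B001C2D3E rssi=-95
this line is malformed and is skipped by the parser
"""

# Constructed approved inventory: what IT believes is in the data center.
APPROVED_INVENTORY = {
    "AA:BB:CC:00:00:01": {"name": "dc1-ap-01", "proto": "WiFi"},
    "D4:3D:7E:10:20:30": {"name": "badge-reader-02", "proto": "BLE"},
}

# Constructed policy: protocols authorized per site (site is the sensor name prefix).
ALLOWED_PROTOCOLS = {"dc1": {"WiFi", "BLE"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sensor=(?P<sensor>\S+) proto=(?P<proto>\S+) "
    r"addr=(?P<addr>\S+) rssi=(?P<rssi>-?\d+)$"
)


@dataclass(frozen=True)
class Finding:
    addr: str
    proto: str
    sensor: str      # sensor that saw the strongest signal
    reason: str
    best_rssi: int   # strongest RSSI in dBm; higher means closer to that sensor


def parse_observations(text):
    """Parse sensor lines into dicts; malformed lines are dropped rather than crashing the run."""
    observations = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        obs = match.groupdict()
        obs["rssi"] = int(obs["rssi"])
        observations.append(obs)
    return observations


def reconcile(observations, inventory, allowed_protocols):
    """Return one Finding per (addr, proto) that violates inventory or site policy."""
    findings = {}
    for obs in observations:
        site = obs["sensor"].split("-")[0]
        reasons = []
        entry = inventory.get(obs["addr"])
        if entry is None:
            reasons.append("not in approved inventory")
        elif entry["proto"] != obs["proto"]:
            reasons.append(f"inventory lists {entry['proto']}, observed {obs['proto']}")
        if obs["proto"] not in allowed_protocols.get(site, set()):
            reasons.append(f"protocol {obs['proto']} not authorized at site {site}")
        if not reasons:
            continue
        key = (obs["addr"], obs["proto"])
        previous = findings.get(key)
        # Keep the sighting with the strongest signal so the report points at the nearest sensor.
        if previous is None or obs["rssi"] > previous.best_rssi:
            findings[key] = Finding(obs["addr"], obs["proto"], obs["sensor"],
                                    "; ".join(reasons), obs["rssi"])
    return sorted(findings.values(), key=lambda f: (f.proto, f.addr))


def run_report(text=SAMPLE_OBSERVATIONS):
    """Convenience wrapper: parse and reconcile in one call."""
    return reconcile(parse_observations(text), APPROVED_INVENTORY, ALLOWED_PROTOCOLS)


if __name__ == "__main__":
    for finding in run_report():
        print(f"{finding.proto:7} {finding.addr:24} seen by {finding.sensor} "
              f"at {finding.best_rssi} dBm: {finding.reason}")
```

On the constructed input the WiFi access point and the BLE badge reader reconcile cleanly, while the two ZigBee emitters and the LoRa emitter are reported both as unknown to the inventory and as using a protocol the site policy never authorized, which is exactly the “HVAC units beaconing ZigBee” situation the panel described. Tracking the strongest RSSI per emitter gives responders a first guess at which sensor, and therefore which part of the building, to walk to.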
The panelists stressed that the risk is not so much that an individual device is compromised, but that it provides a gateway to the network. Harrington called them “stepping stone” attacks.
“Even a moderately sophisticated attack isn’t aimed directly at the end victim,” he said. “The well-known question is, if somebody hacks my light bulb, who really cares? But what it means is that this is a pivot point into the network. You find a chain of trust, and then exploit that trust or access the weakest link to get to the final victim.”
And, as security experts have been saying for years, IoT devices are rarely designed with security in mind. The third panelist, Drew Fry, manager of PwC’s Cyber Threat Detection and Response practice, noted that “the development cycle – the time engineers have to design and develop the chips, select the protocols and then go to market – is so insignificant that to stay competitive, they are going to the easiest, most vulnerable thing. Not because they don’t care but because it works. It’s easy to make Telnet work. It’s easy to use built-in, default root passwords,” he said.
But while the IoT threats are obviously expanding and evolving, both Fry and Harrington said security basics remain the same.
“What we’re seeing are the same problems we saw 20 to 50 years ago,” Fry said. “We have to go back and look at whether devices are properly patched, physically secured, or allowed to communicate without restriction. We need to make sure those are the things we’re looking for, and that if an attacker uses such a device, we’re able to detect and analyze it.”
Harrington said he doesn’t believe the IoT, even with the new wireless protocols involved, amounts to a new paradigm. “The IoT has changed a lot of things,” he said, “but from a security perspective it’s the same challenge as handling any other security risk. It requires a programmatic approach: threat modeling.”
That, he said, has four components:
- Identify the assets your organization cares about protecting.
- Identify your potential adversaries: nation-states, organized crime or other kinds of groups.
- Understand your attack surfaces; the IoT is one of them.
- Know how adversaries are likely to attack.
“That approach will help companies think through this and any security problem,” he said. “Then you can start thinking about tools and techniques.”
This story, "The IoT: Gateway for enterprise hackers" was originally published by CSO.