I really struggled to come up with a clever analogy to start this post. In doing so I realized that this exercise was itself, the exact problem I was trying to describe. So much conversation about cyber security, especially cyber security for the Internet of Things (IoT), focuses on the sexy, the complicated, the one-in-a-million. In doing so, we ignore the most common threats and basic attacks.
I would like to argue that if we are to effectively defend ourselves in this new IoT world, we cannot ignore the fundamentals of security.
But let’s be honest: the basics are boring. I know that. Many of the practices that are most important are also the ones we’ve heard about before. As we look at them: there isn’t anything new there. That’s true – but I take that as proof that they are sound practices, worthy of keeping top-of-mind, rather than old knowledge that can be discarded.
Here’s what I mean: Recently, I had dinner with one of Cisco’s professional penetration testers. This guy is a true hacker who we’ll call “Bob.” Admittedly, I like talking about Stuxnet or Regin, and I’ve always imagined pen testers on the front lines of the battle against epic malware. So when I sat down with Bob, I was dying to hear him talk shop: undiscovered zero-day threats, crafty exploits, and technical subterfuge.
He thought a bit when I asked him about what he was up to and noted that his crew had, in fact, discovered a new and interesting zero-day vulnerability. “But we didn’t have time to exploit it,” Bob continued. “They had missed so many of the basics that we had totally owned their network at the outset of the engagement.”
Bob and his team were stuck documenting for the customer all the basic security blocking and tackling that the customer had failed to do. There was no time left after all that to even get to the cool “zero day” stuff.
And that scenario isn’t unusual. In fact, Bob explained that the most common problems he finds are so simple and so well-documented that they have been discussed (and exploited) for years. These are problems like SQL injection (long the #1 item on the OWASP Top 10), as well as other OWASP Top 10 items like broken authentication and cross-site scripting (XSS) vulnerabilities. They’ve been on that list for years – more than a decade in the case of injection attacks.
In Bob’s experience, SQL injection vulnerabilities are “a dime a dozen,” and these could easily be eliminated with very little effort during the development cycle. Sadly, this often fails to happen, and patching the application after it has been deployed is much more difficult. Besides: numbers favor the attackers, as Bob pointed out: “…it just takes one for your network to be pwnd.”
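To make the “very little effort” concrete, here is an added example (not from the original post or from Cisco) showing the one-line difference between the injectable pattern and its parameterized fix, run against a constructed in-memory SQLite table:

```python
import sqlite3

def build_db():
    # Constructed sample data, not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # The anti-pattern: untrusted input is spliced into the SQL text, so the
    # input can alter the query's structure, not just the value compared.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # The fix: a parameterized query. The driver passes the value separately
    # from the statement, so it is only ever compared as a string.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    conn = build_db()
    normal = "alice"
    # Constructed hostile input of the textbook kind: closes the quote,
    # then appends an always-true condition.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # returns every row
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),         # returns nothing
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same principle carries over to any database driver or ORM that offers bound parameters; the review check is simply “is any string from outside the program ever concatenated into SQL text?”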
Well-known and well-exploited vulnerabilities take on new urgency as organizations adopt IoT advances. The confluence of these commonly shared vulnerabilities with rapid IoT device development, a rush to market by eager IoT firms and widespread consumer adoption of Internet of Things technologies may mean big problems for both consumer and enterprise networks.
As Bob said to me, “An attacker’s first step is to gain a foothold on your network, and it’s so much easier…” when applications and devices easily give up their secrets. There are countless examples of this. One he shared with me was of a popular network device that gave up its password file to any user who could access the device from the public Internet and type in the URL of the file on the device. (I’m being intentionally vague on the details because this device is easily found with a simple Shodan search.)
Closing these common vulnerabilities has been a stated goal of the technology and business community for years. Unfortunately, we aren’t any closer to doing so. On that shaky foundation, the IoT will heap even more weight, adding a scale and the potential for cyber-physical attacks unlike any we’ve seen.
By all means, we should be working to make cybersecurity an integral part of the design and development process. But we also need to build defenses for the imperfect world in which we find ourselves.
So what is an organization to do? First, it’s important to understand that cybersecurity is temporal, not state-based. Just because you’re “secure” now, doesn’t mean you will be next week, tomorrow, or in an hour. Of course, patch management, change management, monitoring, and other technologies are vital.
I am also a big proponent of penetration testing. The bad guys are constantly trying to break your stuff, so I argue that it’s better to have a good guy break your stuff, and then tell you so you know how to fix it.
I’m not confident that we’re going to get the fundamentals right – or that these long-ago identified vulnerabilities will be eradicated any time soon. That makes it imperative to aggressively test our defenses ourselves, and not leave that job to the bad guys.