In-brief: Mike Tyson famously said of an opponent that ‘everyone has a plan until they get hit.’ That’s useful advice for information security teams worried about whether their existing network security plans will hold up to the onslaught of the Internet of Things, says Marc Blackmer of Cisco.
The pugilist Mike Tyson famously said of an opponent’s strategy for an upcoming match that “everyone has a plan until they get hit.”
It was a rare bit of wisdom from someone whose job was punching people in the head. The gist of Tyson’s statement is that meticulous planning under normal and controlled conditions goes out the window when an attack becomes reality. Now that the Internet of Things is broadening the already broad attack surface of enterprises, Tyson’s quote is becoming more relevant than ever.
The issue is this: good guys think alike. And we think like, well, good guys. We approach a network design project in a logical, process-oriented way to satisfy the requirements of external or internal customers. That’s a sound, proven method, for sure, but it is also our main vulnerability when it comes to protecting the networks we build. In short: we build defenses like defenders.
What we need to do is think, first, like attackers and then apply what insight we gain to our work as defenders. If you don’t break your network first and then learn how to fix it, the bad guys will be happy to break it for you.
Death by Lightbulb?
In fact: what makes you sure they haven’t broken it already? Just today, I had a conversation with my doctor about IoT cybersecurity (yes, he does ask me about these things). He was intrigued by the idea of smart light bulbs, but incredulous with the idea of a light bulb serving as an attack vector. “Why would anybody want to do that?”
Granted, my doctor’s expertise lies elsewhere (and he’s very good at what he does), but our conversation was very similar to the conversations I have with many people in the “biz.” Too many of us cannot see beyond traditional attack vectors and cannot understand why anybody would want to attack a light bulb, a connected car or other non-traditional targets.
The truth is that each device we add to our networks is a potential attack vector. It may not have the compute power to launch the attack, but it can be the first step to gaining access to the network and to IT assets that are suitable for launching or propagating an attack. My belief is that the more innocuous a device seems, the more necessary it is to get it into the lab and run it through its cybersecurity paces.
‘Where do I start,’ you’re wondering. Think about all of the devices on your network. If you wondered, ‘Why would anybody want to attack that?’ that’s a device you should be worried about.
Faster, better, cheaper: Choose two
I have spent enough time in IT shops ranging from a two-man IT operation to multinational enterprises to know that it’s much easier to talk about best practices than it is to fund and implement them. The reality is that most shops are pushed to their limits daily and have to fight just to keep up with their day-to-day responsibilities. Building out a lab to test products and then keeping up with testing is out of scope.
But we can’t just roll over for the bad guys. This is where the experts come in. Penetration testing (“pen testing”) by a professional third party is the best way to go for a number of reasons.
First, contracted penetration testers do not know your network. They think like attackers and will formulate their attacks based on what they can discover. This means they are far more likely to find vulnerabilities and attack vectors that you didn’t know were there.
Second, their reconnaissance will include social engineering, which is hard for in-house staff to pull off because the targeted individuals may recognize them.
Finally, this is what they do: their job is to legally break into networks. They bring the experience of hundreds of engagements, which will help you improve your security posture.
Bringing in a crack pen testing team may not be affordable for all organizations. That doesn’t mean nothing can be done. Investing in staff training can help you build out a basic penetration testing function within your own IT department. Simple red team/blue team exercises can identify network weaknesses and prepare staff to deal with adverse conditions.
To help foster security awareness with embedded devices, set up a capture-the-flag exercise using a couple of $35 Raspberry Pis. Urge staff to get familiar with testing and hacking tools like Kali Linux, Wireshark, and the Shodan search engine. Use those tools to search your own IP space for rogue devices connected to the Internet, and use Kali’s utilities to find and map rogue or misconfigured wireless access points. Wireshark will help you see what’s in the packets on your network.
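The "look for rogue or misconfigured access points" step above comes down to comparing what a survey actually observes against the inventory of what the network team approved. The script below is an added example of that comparison, not code from the article or from Cisco. The inventory and the survey rows are constructed sample data, and their CSV column layout is an assumption for this example, not the export format of any particular tool; in practice you would feed it the BSSID/SSID/channel/encryption columns from whatever wireless survey utility you use. The same inventory-difference check applies to the Shodan step: a list of Internet-exposed hosts in your IP space, diffed against the asset register, flags devices nobody knew were there.

```python
import csv
import io

# Constructed sample: the approved-AP inventory a network team might keep.
# Hypothetical addresses and SSIDs; nothing here comes from the article.
APPROVED_APS = """bssid,ssid,channel,encryption
00:11:22:33:44:01,corp-wifi,6,WPA2
00:11:22:33:44:02,corp-wifi,11,WPA2
00:11:22:33:44:03,corp-guest,1,OPEN
"""

# Constructed sample of a site survey. The column layout is an assumption
# for this example, not the output of any specific scanner.
OBSERVED_SCAN = """bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,corp-wifi,6,WPA2,-41
00:11:22:33:44:02,corp-wifi,11,OPEN,-55
00:11:22:33:44:03,corp-guest,1,OPEN,-60
AA:BB:CC:DD:EE:01,corp-wifi,6,WPA2,-48
AA:BB:CC:DD:EE:02,Linksys,3,WEP,-70
"""


def _rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify_access_points(approved_csv, observed_csv):
    """Compare a wireless survey against the approved-AP inventory.

    Returns one finding per problem AP as a dict with bssid, ssid,
    category and detail. Approved APs whose observed SSID, channel and
    encryption match the inventory produce no finding.
    """
    approved = {r["bssid"].lower(): r for r in _rows(approved_csv)}
    corporate_ssids = {r["ssid"] for r in approved.values()}
    findings = []

    for ap in _rows(observed_csv):
        bssid = ap["bssid"].lower()
        ssid = ap["ssid"]
        expected = approved.get(bssid)

        if expected is None:
            # A radio we do not own. If it advertises one of our SSIDs it
            # deserves priority: users may associate to it by mistake.
            if ssid in corporate_ssids:
                category = "rogue_corporate_ssid"
                detail = "corporate SSID advertised by a radio not in the inventory"
            else:
                category = "unknown_ap"
                detail = "access point not in the inventory"
            findings.append(dict(bssid=bssid, ssid=ssid, category=category, detail=detail))
            continue

        # Known radio: check it for configuration drift against the inventory.
        drift = []
        if ssid != expected["ssid"]:
            drift.append(f"ssid {expected['ssid']} -> {ssid}")
        if ap["channel"] != expected["channel"]:
            drift.append(f"channel {expected['channel']} -> {ap['channel']}")
        if ap["encryption"].upper() != expected["encryption"].upper():
            drift.append(f"encryption {expected['encryption']} -> {ap['encryption']}")
        if drift:
            findings.append(dict(bssid=bssid, ssid=ssid,
                                 category="misconfigured_ap", detail="; ".join(drift)))
    return findings


if __name__ == "__main__":
    for f in classify_access_points(APPROVED_APS, OBSERVED_SCAN):
        print(f"{f['category']:22} {f['bssid']}  {f['ssid']:12} {f['detail']}")
```

Run against the sample data it reports three problems: an approved radio that has dropped to an open network, an unapproved radio broadcasting the corporate SSID, and a stray consumer access point. The first two are the ones worth a same-day follow-up; the third goes on the list of devices to trace to a switch port and an owner.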
Remember to always keep applicable laws and ethics in mind when testing. Keep management in the loop and involve your legal department as needed. It’s up to us to defend the IoT, and the more we can learn about offense, the better we can build our defenses.
Marc Blackmer is a Product Marketing Manager for Industry Solutions at Cisco Systems.