In this week’s episode of the podcast, #157, sponsored by LookingGlass Cyber Solutions: Sarah Zatko of the Cyber Independent Testing Lab joins us to talk about CITL’s big new study of firmware security. In our second segment, we’re joined by Allan Thomson, the Chief Technology Officer at LookingGlass*, to talk about the growing use of cyber threat intelligence and the need to evolve cybersecurity practices to keep ahead of fast-evolving threats.
On Firmware Security: Nobody’s Trying
The Mirai botnet caught the world’s attention back in 2016 as the first high-profile IoT botnet. Since then, attacks on Internet of Things devices have grown rapidly. Why? Well, for one thing: they’re easy marks. Two decades ago, Microsoft’s Windows operating system, IE browser and Office software were the primary targets of malicious hackers because they were widely used and widely known to be vulnerable to attack. Today, those platforms are far more secure and boast protections against a wide range of common attacks like buffer overflows.
On the Internet of Things, however, things are different. Connected devices like home routers, IP-enabled cameras and digital video recorders, or smart televisions and appliances, commonly run software – or “firmware” – that lacks even basic protections against common threats like buffer overflow attacks. That makes them easy prey for hackers looking to gain a foothold on a home or business network, or interested in building powerful “botnets” of infected devices to do their bidding.
How bad is it on the Internet of Things? It has been hard to say. Unlike Windows or Office – which were made and managed by a single company – there are thousands, even tens of thousands of device makers out there. Each is distributing its own device firmware. Up until now, nobody has ever undertaken the job of studying this software to figure out how secure it is. But that changed last week, when the Cyber Independent Testing Lab released data from what it is calling the first longitudinal study of IoT device security. The results were not surprising, but they were surprisingly bad.
The CITL study surveyed firmware from 18 vendors including ASUS, D-Link, Linksys, NETGEAR, Ubiquiti and others. In all, more than 6,000 firmware versions were analyzed, totaling close to 3 million binaries created from 2003 to 2018. Time and again, firmware from commonly used manufacturers failed to implement basic security features, even when researchers studied the most recent versions of the firmware.
Even worse, CITL researchers found no clear progress in any protection category over time, said Zatko. Researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study, but 370 negative changes over the same period. Looking across its entire data set, in fact, firmware security actually appeared to get worse over time, not better, CITL said.
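To make the idea of a per-binary "protection category" score concrete, here is an added example (not CITL's tooling and not code from the Security Ledger article) that reads the ELF64 program headers of a firmware binary and reports whether the executable-stack (NX), PIE and RELRO protections are present, plus a heuristic for stack canaries; the `build_sample` helper constructs a minimal header-only ELF image so the check can run offline.

```python
import struct
from typing import Dict

# Constants from the ELF specification and the GNU program-header extensions.
ET_DYN = 3                  # e_type of a position-independent executable
PF_X = 0x1                  # segment flag: executable
PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # program header marking the read-only-after-relocation region
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 little-endian file header (64 bytes)
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header (56 bytes)

def check_hardening(data: bytes) -> Dict[str, bool]:
    """Report NX, PIE, RELRO and a stack-canary heuristic for one little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    nx = False      # no PT_GNU_STACK at all: the loader may map the stack executable
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,
        "relro": relro,
        # Heuristic: a canary-instrumented binary references __stack_chk_fail.
        "canary": b"__stack_chk_fail" in data,
    }

def score(report: Dict[str, bool]) -> int:
    """Number of protection categories enabled (0 to 4)."""
    return sum(1 for enabled in report.values() if enabled)

def build_sample(exec_stack: bool, pie: bool, relro: bool, canary: bool) -> bytes:
    """Constructed header-only ELF64 image used as offline sample input (not a real firmware file)."""
    phdrs = [(PT_GNU_STACK, (PF_X if exec_stack else 0) | 0x6)]   # R|W, optionally X
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)             # ELF64, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body + (b"\0__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    for label, img in [("weak", build_sample(True, False, False, False)),
                       ("hardened", build_sample(False, True, True, True))]:
        rep = check_hardening(img)
        print(label, rep, "score", score(rep))
```

Running the same check over every binary in a firmware image, and over successive firmware versions, is what turns these flags into the kind of time series the study reports.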
In our first segment this week, Security Ledger is airing an interview that I did with Sarah Zatko, the Chief Scientist of CITL last week in Las Vegas. Sarah was presenting the CITL’s findings at an event sponsored by the Hewlett Foundation. I started by asking her about one of the proposals she made for shoring up software security: to create an agency akin to the FDA just to manage software security. Wasn’t that the job of the FTC, I wanted to know?
Does Threat Intelligence make you Smarter?
In our second segment: threat intelligence services have fast emerged as a critical tool in the tool belt of enterprise security teams. But what is security intelligence really?
There are certainly plenty of security tools out there creating reams of data. Is that security intelligence, or not? Moreover, even if you have reliable security intelligence, how do you act upon it in ways that will prevent future attacks and stiffen your organization’s security posture?
To hash it out, we invited in someone who should know. Allan Thomson is the Chief Technology Officer at LookingGlass Cyber, a threat intelligence vendor. In this conversation, Allan and I talk about the challenges of doing security in a way that matches the speed and agility of malicious actors, and how organizations can benefit from the increasing use of deception technology to learn from would-be attackers and better defend their IT assets.
(*) Disclosure: This podcast was sponsored by LookingGlass Cyber Solutions. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.