
Article by Ivan Wen, General Manager of Quann Malaysia
Cybercrime costs the global economy an estimated US$450 billion a year. Last year, over two billion personal records were compromised, and Asia-Pacific appears to be the least prepared region for such attacks.
As IoT devices become the norm across Asia, cyber attacks in the region are increasing: it is much easier for cybercriminals to conduct massive DDoS attacks from compromised consumer devices, or to leverage industrial IoT devices for targeted attacks against a single network.
While some IoT devices have integrated security features, most of these low-cost devices are vulnerable to attack.
INHERENT IOT VULNERABILITIES
System constraints
IoT devices are built to perform specific tasks and are kept small, with just enough processing power and memory to keep costs low. This leaves little headroom for security features such as cryptography, secure boot or logging.
No security testing
Most IoT manufacturers have little security experience and are not required by regulation to build security into their devices. As a result, devices are tested for functionality but not for security. One study found that 70% of IoT devices contain vulnerabilities such as insufficient authorisation, lack of in-transit encryption, insecure web interfaces and inadequate software protection.
Replication
These devices are produced identically in massive numbers. Once a vulnerability is found and exploited on one unit, the same attack works on every other unit of that model, so large-scale attacks are easily accomplished.
Lack of encryption
On top of the weaknesses above, data stored on the devices is often not encrypted either.
Not easily patched
Security updates are either non-existent or slow to be released. With millions of devices in the market, most of them owned by individuals, it is challenging to ensure that they are promptly patched. Companies, on the other hand, hold on to obsolete devices that no longer receive software updates.
Proprietary protocols
IoT devices often use specialised protocols that enterprise security tools do not recognise or inspect.
Negligence, e.g. using default passwords
Threat actors can easily obtain the lists of default passwords that IoT devices ship with, and few consumers change them. This is the equivalent of leaving the key under the door mat, and it makes brute-force and credential-guessing attacks trivial.
For example, the Mirai botnet was specifically designed to scan the internet for poorly secured products such as cameras and DVRs, then log in through easily guessable credentials like "admin" or "12345". The botnet only needed a list of just over 60 username/password combinations to infect more than 380,000 devices.
Unless the hardware industry and IoT makers move away from default passwords, more such automated botnets will be released to infect IoT devices.
These IoT devices were built with service reliability, not security, in mind. Unless the system is reworked as a whole, they remain vulnerable to attack.
TODAY’S CHALLENGES MULTIPLY VULNERABILITIES
In 2013, a dam in New York was attacked by Iranian hackers who gained access through a cellular modem but, fortunately, only reached the back-office system. Had they been able to reach the operational systems, they could have remotely opened the dam's sluice gate, causing millions in damage and, worse, human casualties.
Some 230,000 residents in Ukraine were left without power when attackers took down part of the power grid in December 2015. The perpetrators had gained access to the companies' systems around six months before the well-coordinated outage. First, the attackers "weaponised" Microsoft Office documents with the BlackEnergy 3 malware and emailed them, appearing to come from a trusted source, to specific individuals within the organisations. Once those workstations were infected, the attackers had a foothold in the corporate networks. They then stole credentials that gave them access to the workstations and servers of the Supervisory Control and Data Acquisition (SCADA) environment. The attack culminated when they used the SCADA systems to take at least 27 substations offline across three Ukrainian energy companies (Prykarpattyaoblenergo, Kyivoblenergo and Chernivtsioblenergo) for several hours.
With so many devices in the market, the adoption of mobile computing and the prevalence of Bring Your Own Device, personal and organisational data is now accessible everywhere and at any time. To make that possible, networks are converging, allowing devices on public networks to reach corporate networks. Inevitably, one compromised device can lead to others, and eventually to a compromised network. This attack surface will only continue to grow: there are an estimated 6.4 billion IoT devices in the world today, set to grow to 20.8 billion by 2020.
MANUFACTURERS NEED TO BUILD SECURE DEVICES
The best way to secure devices is to ensure that security is built in from the beginning. Microsoft refers to these principles as SD3+C: Secure by Design, Secure by Default, Secure in Deployment, and Communications.
Secure by Design. Developers follow secure coding practices and implement security features to address vulnerabilities. Security has to be incorporated from the design stage and woven into every stage of development, from architecture to implementation.
Secure by Default. There is no perfect security, so developers should assume that flaws will remain. To minimise the chance of attackers targeting those remaining flaws, the software's default state should promote security: the device must be secure out of the box with as little intervention from the end user as possible. For example, software should run with the least privilege necessary, services and features that are not widely needed should be disabled by default, and optional functions should be opt-in rather than opt-out.
Many users never change default settings, including a shared default password. Passwords should therefore be unique for each device, and the device should require a change at first login.
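The following Python is an added example, not code from the article or from any manufacturer, of what "secure by default" looks like at the factory-image level: a per-device password derived from a manufacturer-held key (or, alternatively, a random one), management services off unless needed, an unprivileged service account, and a boot-time check that refuses to start while a shared default remains. The factory key, the serial format, the service names and the default-credential list are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical manufacturer-held factory key (assumption: kept in the factory's HSM,
# never stored on the device). Constructed value for this example only.
FACTORY_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# A few well-known shared defaults; any credential on this list must never ship.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "12345"), ("root", "root"), ("admin", "password")}


def derive_device_password(factory_key: bytes, serial: str, length: int = 16) -> str:
    """Per-device password = HMAC-SHA256(factory_key, serial), base32-encoded and
    truncated. Two serials give unrelated passwords, and a leaked password reveals
    nothing about other units, as long as the factory key itself stays secret."""
    mac = hmac.new(factory_key, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=")[:length].lower()


def random_device_password(length: int = 16) -> str:
    """Alternative: a random per-device password recorded in the manufacturing
    database rather than derived, so there is no single factory key to protect."""
    return secrets.token_urlsafe(length)[:length]


def secure_default_config(serial: str) -> dict:
    """Factory image in a secure default state: unique credential, only the HTTPS
    management interface enabled, management bound to the LAN, an unprivileged
    service account, and a forced password change at first login."""
    return {
        "serial": serial,
        "admin_user": "admin",
        "admin_password": derive_device_password(FACTORY_KEY, serial),
        "services": {"https": True, "telnet": False, "ssh": False, "upnp": False},
        "wan_admin": False,
        "run_as": "camera",  # service account, not root
        "force_password_change": True,
    }


def startup_checks(config: dict) -> list:
    """Boot-time self-check: list every insecure default still present. An empty
    list means the device may bring its services up."""
    problems = []
    if (config["admin_user"], config["admin_password"]) in KNOWN_DEFAULTS:
        problems.append("admin credential is a shared factory default")
    for svc in ("telnet", "upnp"):  # plaintext login / automatic port exposure
        if config["services"].get(svc):
            problems.append(f"{svc} enabled by default")
    if config.get("wan_admin"):
        problems.append("admin interface reachable from the WAN")
    if config.get("run_as") == "root":
        problems.append("services running as root")
    return problems


if __name__ == "__main__":
    good = secure_default_config("CAM-2016-000001")
    print(good["admin_password"], startup_checks(good))
    bad = dict(good, admin_password="admin", run_as="root", wan_admin=True,
               services={"https": True, "telnet": True, "ssh": False, "upnp": True})
    print(startup_checks(bad))
```

The derived-password scheme is only as strong as the secrecy of the factory key: if that key leaks, every device whose serial is printed on its label is exposed at once, which is why the random-per-device alternative is shown alongside it.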
Secure in Deployment. Applications on the device should be promptly updated with security patches, monitored for attacks, and audited for malicious users and content.
Communications. Software developers should be prepared for the discovery of product vulnerabilities and should communicate openly and responsibly with end users and administrators to help them take protective action (such as patching or deploying workarounds).
Further to that, it is important to recognise companies that practise secure coding. SAFECode (safecode.org) is one such group, committed to advancing proven software assurance methods and admitting only organisations that can demonstrate software security practices. Its members include Adobe, Dell EMC, Intel, Symantec, Siemens, Boeing and Huawei.
GOVERNMENT SHOULD HAVE A MORE STRINGENT CYBER SECURITY ACT
Governments should implement stringent laws that hold manufacturers, companies, organisations and consumers liable for negligence on their part.
For example, the U.S. recognises downstream liability: if an end user or organisation is found to have failed to secure its systems, warn affected parties or prevent a cyber attack, it can face legal action. If hackers break into your company's database and steal the personal information of your customers and business partners, you may be held liable for the resulting damage.
In 2013, HTC America settled Federal Trade Commission (FTC) charges over security gaps in the company's smartphone and tablet software that left millions of users' personal information at risk. The FTC charged that the company had failed to employ reasonable and appropriate security practices in the design and customisation of the software on its devices. Under the settlement, HTC was required to release software patches to fix the vulnerabilities, submit to independent security assessments every other year for the next 20 years, and develop a comprehensive security programme to address security risks during the development of its devices.
End user measures
Traffic from endpoint devices should be monitored for anomalies. Yet fewer than half of enterprises use even one of the most common controls: detailed log and event alerting and analysis, continuous vulnerability scanning, and network segmentation.
Further to that, threat hunting should be conducted on endpoint devices: checked against global threat intelligence, analysts can dig into historical logs to find anomalies. However, 66% of IT professionals do not know how to check devices for malware, nor how many devices are even in their environment. Companies need automated advanced threat detection tailored to their own environment.
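As an added example that is not part of the original article, the Python below sketches two of the checks the preceding sections argue for: detection of a Mirai-style default-credential walk like the one described under "Negligence" above, and a baseline-based check for the outbound fan-out that a device drafted into a DDoS produces, of the kind the monitoring and threat-hunting paragraphs call for. The log format, the flow records, the abbreviated credential list and the thresholds are constructed assumptions for this example and are not taken from any real product or the Mirai source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Abbreviated default-credential list: a handful of pairs of the kind Mirai tried
# (the real list has just over 60). Constructed/abbreviated for this example.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "12345"), ("admin", "1234"),
    ("root", "xc3511"), ("root", "vizxv"), ("root", "888888"),
}

# Constructed telnet honeypot-style records (a honeypot records the attempted
# password; a production device should not). Hypothetical format.
SAMPLE_AUTH_LOG = [
    "2016-10-21T09:15:00Z src=10.0.1.20 dst=10.0.5.12 proto=telnet user=operator pass=Tq9!vR2m result=OK",
    "kernel: eth0 link up",  # unrelated line, skipped by the parser
    "2016-10-21T11:02:01Z src=198.51.100.7 dst=10.0.5.12 proto=telnet user=admin pass=admin result=FAIL",
    "2016-10-21T11:02:03Z src=198.51.100.7 dst=10.0.5.12 proto=telnet user=admin pass=12345 result=FAIL",
    "2016-10-21T11:02:05Z src=198.51.100.7 dst=10.0.5.12 proto=telnet user=root pass=vizxv result=FAIL",
    "2016-10-21T11:02:07Z src=198.51.100.7 dst=10.0.5.12 proto=telnet user=root pass=888888 result=FAIL",
    "2016-10-21T11:02:09Z src=198.51.100.7 dst=10.0.5.12 proto=telnet user=admin pass=1234 result=FAIL",
    "2016-10-21T11:02:11Z src=198.51.100.7 dst=10.0.5.12 proto=telnet user=root pass=xc3511 result=OK",
]

# Constructed one-hour flow summary as (device, destination) pairs. cam-01 normally
# talks to three hosts; here it fans out to forty, the footprint of a DDoS participant.
SAMPLE_FLOWS = [("cam-01", f"203.0.113.{i}") for i in range(40)] + \
               [("cam-02", "10.0.1.5"), ("cam-02", "10.0.1.6")]
BASELINE_DISTINCT_DST = {"cam-01": 3, "cam-02": 3}

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=telnet "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines):
    """Parse the constructed log format into dicts; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def detect_credential_scan(events, window_s=60, threshold=5):
    """Per (source, target): alert when >= threshold distinct default pairs are tried
    within window_s seconds (a Mirai-style dictionary walk), and on any successful
    login with a default pair, whether or not a scan preceded it."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted attempts
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            tried = {(e["user"], e["pw"]) for e in evs[start:end + 1]}
            if len(tried & DEFAULT_CREDENTIALS) >= threshold:
                alerts.append({"type": "default_credential_scan", "src": src, "dst": dst,
                               "attempts": len(tried)})
                break
        for e in evs:
            if e["result"] == "OK" and (e["user"], e["pw"]) in DEFAULT_CREDENTIALS:
                alerts.append({"type": "default_credential_login", "src": src, "dst": dst,
                               "user": e["user"]})
    return alerts


def detect_outbound_fanout(flows, baseline, factor=10):
    """Alert when a device's distinct destinations exceed factor x its baseline."""
    dsts = defaultdict(set)
    for device, dst in flows:
        dsts[device].add(dst)
    return [{"type": "outbound_fanout", "device": d, "distinct_dst": len(s),
             "baseline": baseline.get(d, 0)}
            for d, s in dsts.items() if len(s) > factor * max(baseline.get(d, 0), 1)]


def run_detections():
    """Run both detections over the constructed samples and return the alerts."""
    return {
        "auth": detect_credential_scan(parse_auth_log(SAMPLE_AUTH_LOG)),
        "traffic": detect_outbound_fanout(SAMPLE_FLOWS, BASELINE_DISTINCT_DST),
    }


if __name__ == "__main__":
    for kind, found in run_detections().items():
        for alert in found:
            print(kind, alert)
```

The credential check keys on the pattern (many distinct default pairs from one source in a short window) rather than on any one password, so it survives changes to the attacker's list; the fan-out check needs a per-device baseline, which is exactly the inventory the paragraph above says most organisations lack.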
Most importantly, corporate employees and consumers need to be properly educated on good cyber security measures and practise proper cyber hygiene. Basic steps such as configuring a strong password, not reusing passwords and applying security patches promptly can avoid major security incidents.
About Ivan Wen and Quann
Ivan Wen is the General Manager of Quann Malaysia. He has extensive experience in the tech industry, having led the country offices of various tech brands, especially in the security field.
Quann, formerly known as e-Cop, is a cyber security services provider and has been in the cyber security business for over 15 years. Quann has evolved from a Managed Security Service Provider serving enterprises and government agencies into a leading regional cyber security services provider with an extensive Asian footprint. It is currently the largest such provider in Asia Pacific, with more than ten ISO/IEC 27001-certified, in-country next-generation Security Operations Centres (SOCs) that help organisations detect, prevent and respond to cyber threats. Quann's next-generation SOCs run on its own patented technologies, which provide real-time, advanced big-data analytics to swiftly alert on both known and unknown threats.
The company is headquartered in Singapore and has offices in Malaysia, Hong Kong, Thailand and India. It has a workforce of over 300 certified security professionals with the skills and knowledge in designing, validating and managing security solutions, as well as providing incident response and forensic services.
For more information, visit www.quannsecurity.com.