How many devices do you have that are connected to the Internet? Are your staff or employees using cameras, smart watches, fitness trackers, or even network-connected printers that could be putting your organizational network at risk? The Internet of Things (IoT) includes any device other than a computer or smartphone that connects to, stores, or transmits information via the Internet. With billions of such devices already in use worldwide, and forecasts of more than 20 billion within a few years, it is no surprise that attackers have begun using them to their advantage.
In October of 2016, a massive Internet outage that slowed or took down several popular sites (including Twitter, Amazon, Reddit, Spotify, and Netflix) was found to be caused by a Distributed Denial of Service (DDoS) attack on Dyn, an Internet infrastructure company providing critical DNS services. The attack did not need billions of devices: Dyn estimated on the order of 100,000 compromised endpoints, ordinary web-connected devices turned into a botnet. The malware behind it, Mirai, continuously scans the Internet for IoT devices listening on Telnet, logs in using a short list of factory-default usernames and passwords, and then enlists those devices in large-scale attacks.
According to Krebs on Security, many of these attacks rely on inexpensive, mass-produced devices like DVRs and IP cameras, and those devices will remain a danger to others until they are completely disconnected from the Internet, because some of them expose a hard-coded Telnet login that the web administration panel cannot change. Hardware makers need to require users to create strong passwords when setting up a new device, rather than hard-coding credentials or shipping default usernames and passwords that many users will never change.
Please advise your employees to check all Internet-enabled devices. Mirai lives only in the device's memory, so it is wiped once the infected device is rebooted or disconnected from power. Cleaning a device is not enough on its own, though: Mirai's scanners re-infect an exposed device with unchanged credentials within minutes, and a factory reset puts the very default credentials back that the malware exploits. So if possible, reset the device to factory-default settings, reboot it, and then, before exposing it to the Internet again, navigate to the administration panel and change the default credentials to something unique and difficult to guess, and disable Telnet and any other remote management service you do not use. Once your password is reset, you should also check for software or firmware updates that fix identified vulnerabilities.
More devices connecting to your network means more threats. Be aware of what devices your employees are using that are connected to the Internet and make sure they are using them securely. You will also want to adopt a multi-layered approach that provides end-to-end protection across your entire network and cardholder data environment (CDE), from application-layer firewalls, to access management, to remote workers. It is also critical to scan your networks on an ongoing basis for potential vulnerabilities. If you are purchasing new equipment, verify with your vendor that the admin credentials can be changed and that updates are available to patch newly discovered security flaws.
Below is some expert advice from CampusGuard’s certified security team:
[Campbell]: This attack illustrates the ever-present struggle between convenience and security. Yes, it can be convenient to have your refrigerator order eggs and milk for you, but these features should always be measured in terms of risk, the same as you do for PCI DSS Requirement 12.2. Consider likelihood and impact. Consider any available mitigation. Decide upon your risk tolerance, and either accept, mitigate, or transfer the risk (less relevant in this instance). This story should also provide lessons that apply equally to your personal and professional lives. Although the attack vector and purpose vary, some readers might recall the case where a stalker remotely activated the webcams of approximately 200 victims, whom he remotely surveilled and extorted. The common lesson is that even a ubiquitous and seemingly innocent device can often be remotely turned into an invasion of your privacy and personal information. If it connects to the Internet, it presents risk. Be informed and aware.
[Wheeler]: Until the IoT manufacturers realize that they should take security seriously, there will be plenty of devices available to consumers that contain potentially severe security flaws. Make informed decisions before purchasing, by researching online first to see if the device is already known to have flaws. Whether it is an internet-connected coffee pot for the office, or a smart light bulb at home, these devices should be evaluated before being placed on the network. If unchecked, you could be opening a door right into your network, with obvious implications. Luckily for the owners of the IoT devices controlled by Mirai, the objective was to use them as part of a DDoS attack, and not to invade their networks to steal sensitive or personal information. Your security assessment doesn't have to be that extensive. Security checklists for IoT devices can be found online, or the below questions can give you a great start:
- What services does this device have running? (Nmap can tell you this. Web console, SSH, FTP, etc.?)
- Can these services be disabled if they will not be used or if they are plaintext protocols?
- Can I add new or disable existing user accounts, and change passwords?
- Does the manufacturer have a good track record of releasing security/firmware updates?
- Run a vulnerability scan against the device; are there any identified vulnerabilities?
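The following is an added example (not CampusGuard's code, and not part of the expert advice above) that turns the remediation steps in the body of this page and the first two checklist questions into something you can run against your own network: it parses the XML output of an `nmap -oX` scan to find devices exposing management services, flags the plaintext ones (Telnet, FTP, HTTP), and then tries a handful of the factory-default username/password pairs from the publicly released Mirai source against any Telnet listener. The sample scan output is constructed for the example, the hosts `192.168.1.20` and `192.168.1.30` are hypothetical, and the Telnet login routine is deliberately simple (it does not negotiate Telnet options, which some devices require). Only run it against devices you own or are authorized to test.

```python
"""Added example: triage an nmap XML scan for IoT management services and
check Telnet listeners for the factory-default credentials Mirai uses."""
import socket
import xml.etree.ElementTree as ET

# Management ports.  Telnet and FTP carry credentials in the clear, which is
# why Mirai's scanner targets 23 (and 2323) first.
PLAINTEXT_MGMT = {21: "ftp", 23: "telnet", 2323: "telnet-alt", 80: "http"}
ENCRYPTED_MGMT = {22: "ssh", 443: "https"}

# A few of the roughly 60 username:password pairs hard-coded in the released
# Mirai scanner.  Vendor defaults such as root/xc3511 are what made DVRs and
# cameras such easy prey.
MIRAI_DEFAULTS = [("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
                  ("admin", "admin"), ("root", "888888"), ("root", "default"),
                  ("support", "support"), ("root", "123456")]

# Constructed sample of `nmap -oX -` output: a camera with Telnet and a web
# console open, and a device that only exposes SSH and HTTPS.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="554"><state state="closed"/><service name="rtsp"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.30" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {port: service_name}} for every open TCP port in the scan."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        open_ports = {}
        for port in host.findall("./ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            open_ports[int(port.get("portid"))] = svc.get("name") if svc is not None else "unknown"
        hosts[addr] = open_ports
    return hosts


def triage(hosts):
    """Classify each host: plaintext management services are findings that
    should be disabled; encrypted-only management is noted for follow-up."""
    findings = []
    for ip, ports in hosts.items():
        plaintext = sorted(p for p in ports if p in PLAINTEXT_MGMT)
        encrypted = sorted(p for p in ports if p in ENCRYPTED_MGMT)
        if plaintext:
            findings.append((ip, "plaintext-mgmt", plaintext))
        elif encrypted:
            findings.append((ip, "encrypted-mgmt", encrypted))
    return findings


def telnet_login(ip, port, user, password, timeout=5.0):
    """Minimal Telnet login attempt (no option negotiation, an assumption that
    holds for many busybox telnetd builds).  True if a shell prompt appears."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.recv(1024)                          # banner / "login:" prompt
            sock.sendall(user.encode() + b"\r\n")
            sock.recv(1024)                          # "Password:" prompt
            sock.sendall(password.encode() + b"\r\n")
            reply = sock.recv(1024).lower()
            return b"incorrect" not in reply and (b"#" in reply or b"$" in reply)
    except OSError:
        return False


def find_default_creds(ip, port, attempt=telnet_login, candidates=MIRAI_DEFAULTS):
    """Try each default pair in order; return the first that works, else None.
    `attempt` is injectable so the logic can be exercised without a network."""
    for user, password in candidates:
        if attempt(ip, port, user, password):
            return (user, password)
    return None


if __name__ == "__main__":
    for ip, kind, ports in triage(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f"{ip}: {kind} on ports {ports}")
        if kind == "plaintext-mgmt" and 23 in ports:
            creds = find_default_creds(ip, 23)        # real network attempt
            print("  default credentials accepted:" if creds else "  no default credentials worked", creds or "")
```

Any host reported as `plaintext-mgmt` with a working default pair is exactly what Mirai is looking for: change the password, disable Telnet if the firmware allows it, and if it does not, keep the device off the Internet. To use this on a real scan, run `nmap -p 21,22,23,80,443,2323 -oX scan.xml 192.168.1.0/24` and pass the file contents to `parse_nmap_xml`.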