SECURE THE ENTERPRISE OF THINGS - UNDERSTANDING THE NEW ATTACK LANDSCAPE Jack Marsal Sr. Director, Product Marketing - AIM Utah
©2018 Armis Inc. All Rights Reserved.
Explosive Growth in Enterprise “Things” (chart: billions of connected devices, 2010 to 2020, reaching 20+ billion by 2020; source: Gartner, BI Intelligence 2016). The chart stacks three bands:
• Traditional managed enterprise endpoints (laptops, PCs and servers): protected
• BYOD (smartphones, tablets; PC and mobile): protected/unprotected
• Unmanaged and IoT devices (VoIP, security cameras, switches, access points, printers, Bluetooth, point of sale, smart TVs, medical devices, smart HVAC, manufacturing, smart lighting): unprotected
“IoT has become the leading technology for digital transformation and is the number one priority for 92 per cent of organizations.” Inmarsat, “The Future of IoT in Enterprise -- 2017”
“IoT architectures and solutions are critical enablers to achieving innovative and planned business outcomes.” Gartner, “Internet of Things Primer for 2018”, 9 January 2018, Nathan Nuttall, Emil Berthelsen, Martin Reynolds
Meet The New (Insecure) Endpoint
• Designed to connect
• No security
• Billions of devices
• Hard to update
• Many manufacturers
• Hard to discover
Attacks on Unmanageable Devices are Increasing
• 600% increase in attacks from 2016 to 2017 (Symantec ISTR 2018)
• 46% had a breach or security incident associated with IoT security (IDC, 2017)
• 25% of all identified attacks in enterprises will involve unmanageable devices by 2020 (Gartner, 2017)
6 EXPLOITS: Real Stories Behind the Headlines
Compromised Tablet – UNAUTHORIZED VIDEO STREAMING
WHAT
• 200 conference rooms, each with a tablet to control the video system
• The tablet in one conference room was streaming video and audio to an unknown destination
• This represented a leakage of sensitive conversations.
Compromised Smart TV – ATTEMPTING TO INFECT OTHER DEVICES
WHAT
• Boardroom was equipped with a Smart TV
• Malware on the Smart TV was trying to infect nearby devices via Wi-Fi and Bluetooth.
Compromised Security Camera – BOTNET ATTACK
WHAT
• Security cameras on the network were compromised by a botnet
• The botnet was connecting to routers on the network, trying to compromise them.
Infected Healthcare Device – ENTRY POINT FOR WANNACRY
WHAT
• MRI machine had an external internet connection for vendor remote support
• Running Windows XP, unpatched because patching would void the warranty
• Infected with WannaCry and trying to infect other Windows systems via SMB
Unauthorized Network Bridge – PRINTER ALLOWED ANYONE TO CONNECT
WHAT
• A printer connected to the wired network had an open hotspot, allowing unauthenticated access to anyone.
Rogue Network Stealing Credentials – THEFT OF NETWORK CREDENTIALS
WHAT
• A corporate device was connecting to a Wi-Fi Pineapple that was collecting Active Directory credentials or hashes
DNS REBINDING EXPLOIT: Nearly Every Enterprise is Exposed
Armis Findings
• Half a billion devices in the enterprise are vulnerable to DNS rebinding
• Firewalls and network segmentation will not protect against the attack: the requests to the device are made by the victim's own browser, from inside the segment the device lives on, so the perimeter only ever sees the browser's ordinary outbound web traffic.
Vulnerable Devices
• IP Phone – IP-based desk phones
• Printer – corporate printers
• Network equipment – access points, routers, or switches
• IP Camera – typically security cameras
• Streaming Media Player – Chromecast, FireTV, Apple TV, etc.
• Video conferencing – IP-based conference room phones, speakers
• Smart TV – connected monitors, often running apps
• Conference phone – IP-based conference room phones and speakers
• HVAC control – smart / connected thermostats
• Peripherals – UPS, lab equipment, KVM
• Point of Sale – sales terminals, could be iPads
• Smart speaker – Amazon Echo, Google Home, Sonos, etc.
HOW A DNS REBINDING ATTACK WORKS
(The slides picture a spoof site, worldsportsscores.com “World Sports Scores”, serving a malvertisement, and a row of target devices: IP cameras, smart TVs, speakers / digital assistants, printers, IP phones, critical data.)
STEP 1: The user visits a malicious website, or a legitimate site carrying a malicious ad, and JavaScript runs in the user's browser.
STEP 2: The malicious website commands the end-user browser to scan local IP addresses for target devices.
STEP 3: The attacker accesses the target device. The attacker's DNS server first answered the site's hostname with the attacker's own public IP and a very short TTL; when the script re-requests the same hostname, the server answers with the device's internal IP, so the browser now sends requests to the device under the attacker's origin and the script can read the device's responses.
STEP 4: The attacker establishes an outbound connection through the unmanaged or IoT device (the diagram labels the resulting traffic as leaked critical data and DDoS).
WHAT TO DO?
What is Your Security Strategy? (chart: types of endpoints appearing 2010 to 2020 against the security strategy used for each)
• PCs, laptops and servers: security agents, patch management, firewalls, NAC
• Smartphones and tablets: mobile device management, guest networks, VDI
• VoIP, security cameras, switches, access points, printers, Bluetooth, point of sale, smart TVs, medical devices, smart HVAC, manufacturing, smart lighting: ???????? (no established strategy)
Zero-trust Approach: Agent = Trust
Zero-trust Approach
Discover and Classify – Fortune 1000 Company
Inventory: 1,212 Windows machines (205 unmanaged); 578 servers; 80 switches; 110 APs; 1,117 employee phones (587 unmanaged); 370 tablets (295 unmanaged); 213 guest phones; 140 smart watches; 150 security cameras; 10 gaming consoles; 60 smart TVs; 5 digital assistants; 10 telepresence systems; 25 smart thermostats; 100 printers; 20 HVAC controllers; 500 VoIP phones; 2 Wi-Fi Pineapples
Findings: 21 unpatched vulnerabilities; 10 possible botnet infections; 17 devices trying to connect to other devices; 5 previously unknown devices; 4 devices on the guest network; 78 open hot spots; 2 devices sending data to an unauthorized IP; 2 Wi-Fi Pineapples connecting to multiple corporate devices
Zero-trust Approach
Network Segmentation Is Not Trustable (diagram: perimeter firewall, core switch, aggregation switches and access switches carrying the Guest and Corp VLAN “N” networks; attacks are shown originating at the access layer, where managed and unmanaged devices share the same switches)
Remote Code Execution Incidence (the slide title reads “Remote Control Execution”)
• Traditional Desktop: 1 per year
• Mobile: 2-3 per year
• Network Infrastructure: 100 per year
• IoT: every year
Cisco Bulletin • April 6, 2018: “Attacks targeting Cisco IOS switches were detected exploiting the CVE-2018-0171 vulnerability in the Cisco Smart Install Client software. According to the Cisco Talos team, more than 168,000 devices worldwide are potentially exposed.”
Location of Vulnerable Cisco Devices, CVE-2018-0171 (world map slide)
Network devices are often easy targets. The following factors contribute to the vulnerability of network devices:
• Few network devices run antivirus, integrity maintenance, and other security tools that help protect general purpose hosts.
• Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
• Owners and operators of network devices do not change vendor default settings, harden them for operations, or perform regular patching.
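A check for the second and third factors above, written as an added example that is neither Armis's nor Cisco's code: an audit of a saved Cisco IOS running-config for services left enabled for convenience and vendor defaults never changed, including the Smart Install client from the bulletin. The two config texts are constructed; the commands matched (`vstack`, `ip http server`, `service tcp-small-servers`, `service password-encryption`, `enable secret`, `snmp-server community`, `transport input`) are real IOS syntax, while the set of checks and the finding names are my own. The Smart Install check assumes the text is a complete `show running-config`, on which a disabled client appears as `no vstack`.

```python
"""Added example, not from the deck: audit a saved Cisco IOS running-config for
services left enabled and vendor defaults left unchanged.  Both config texts
are constructed; the check set and finding names are the author's own."""
import re

WEAK_CONFIG = """\
hostname access-sw-12
!
service tcp-small-servers
no service password-encryption
enable password cisco
!
ip http server
!
snmp-server community public RO
!
line vty 0 4
 transport input telnet ssh
!
end
"""

HARDENED_CONFIG = """\
hostname access-sw-12
!
no service tcp-small-servers
service password-encryption
enable secret 5 $1$constructed$hashvalue
!
no vstack
no ip http server
!
snmp-server community C0nstructedRO RO
!
line vty 0 4
 transport input ssh
!
end
"""


def sections(config):
    """Split an IOS config into (top-level line, [indented child lines])."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out


def audit(config):
    """Return a sorted list of (finding, evidence) tuples for one config."""
    top = sections(config)
    lines = [head for head, _ in top]
    findings = []

    # Smart Install (CVE-2018-0171 in the bulletin) runs by default on many IOS
    # switches and is turned off with `no vstack`; if that line is missing the
    # client is treated as still enabled (assumption: full running-config).
    if "no vstack" not in lines:
        findings.append(("smart-install-enabled", "no 'no vstack' line"))
    if "ip http server" in lines:
        findings.append(("http-management-enabled", "ip http server"))
    if "service tcp-small-servers" in lines:
        findings.append(("tcp-small-servers", "echo/chargen/discard open"))
    if "no service password-encryption" in lines:
        findings.append(("cleartext-passwords", "no service password-encryption"))
    if any(l.startswith("enable password") for l in lines) and \
            not any(l.startswith("enable secret") for l in lines):
        findings.append(("weak-enable-password", "enable password without enable secret"))
    for l in lines:
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("default-snmp-community", l))
    # Management lines: telnet carries credentials in the clear.
    for head, body in top:
        if head.startswith("line vty"):
            for child in body:
                if child.startswith("transport input") and "telnet" in child.split():
                    findings.append(("telnet-enabled", f"{head}: {child}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for finding, evidence in audit(cfg):
            print(f"  {finding:26} {evidence}")
```

Run against the weak config it reports seven findings, against the hardened one none. Patching, the third factor, is not something a config audit can see; that needs the IOS version checked against the vendor's advisory list.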
Zero-trust Approach
Continual Behavior Monitoring
DEVICE: Samsung 60" Class J6200 Full LED Smart TV
NORMAL BEHAVIOR TRAITS:
• DNS queries followed by connection attempts to xpu.samsungelectronics.com
• 10 consecutive attempts spaced 5 minutes apart, followed by a 45 minute gap before attempting again
• Interfaces: BT, Wi-Fi
• Stationary, does not connect to other devices on the network
• Tizen OS
• Several default applications such as Netflix and Amazon Instant Video
DEVICE: Nest Thermostat, 3rd Gen
NORMAL BEHAVIOR TRAITS:
• DNS queries to transport.home.nest.com and transport.home.ft.nest.com in a periodic manner
• Every night at 4am, ~1GB of data transfer
• Interfaces: Wi-Fi
• Stationary, no other protocols, routing between Nests on the same network, no connection to other devices, no devices connecting to it
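How the two baselines above become detection rules, as an added example that is not Armis code. The baseline fields, the event record format, the device names, the LAN range, the peer Nest address and every event are constructed; the domains are the ones the slide lists. Three rules are shown: a DNS query outside the device's known domains, a connection to another LAN host (with the Nest-to-Nest traffic the baseline allows on an allow-list), and a bulk transfer outside the device's expected window.

```python
"""Added example, not from the deck: turn per-device behaviour baselines into
detection rules and run them over constructed device events."""
import ipaddress
from datetime import datetime

BASELINES = {
    "boardroom-samsung-tv": {
        "dns_suffixes": ("samsungelectronics.com",),   # xpu.samsungelectronics.com
        "lan_peers": frozenset(),                       # talks to no other LAN host
        "bulk_hour": None,                              # no large transfers expected
    },
    "3f-nest-thermostat": {
        "dns_suffixes": ("home.nest.com", "home.ft.nest.com"),
        "lan_peers": frozenset({"192.168.40.21"}),      # constructed: the other Nest
        "bulk_hour": 4,                                 # ~1 GB every night at 04:00
    },
}
BULK_BYTES = 100_000_000                       # above this counts as a bulk transfer
LAN = ipaddress.ip_network("192.168.0.0/16")   # constructed corporate LAN

# Constructed events: (timestamp, device, kind, detail).  `detail` is a domain
# for "dns", "ip:port" for "connect", and a byte count for "transfer".
EVENTS = [
    ("2018-06-12T04:00:10", "3f-nest-thermostat", "dns", "transport.home.nest.com"),
    ("2018-06-12T04:01:00", "3f-nest-thermostat", "transfer", "1040000000"),
    ("2018-06-12T04:02:00", "3f-nest-thermostat", "connect", "192.168.40.21:443"),
    ("2018-06-12T09:15:00", "boardroom-samsung-tv", "dns", "xpu.samsungelectronics.com"),
    ("2018-06-12T09:16:00", "boardroom-samsung-tv", "dns", "cdn-update.example"),
    ("2018-06-12T09:17:00", "boardroom-samsung-tv", "connect", "192.168.10.23:445"),
    ("2018-06-12T14:30:00", "3f-nest-thermostat", "transfer", "900000000"),
]


def dns_in_baseline(domain, suffixes):
    """True when `domain` is one of the baseline domains or a subdomain of one."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def detect(events, baselines):
    """Return [(device, rule, detail)] for every event that breaks its device's
    baseline.  A device with no baseline is itself a finding: it has not been
    discovered and classified yet."""
    alerts = []
    for ts, device, kind, detail in events:
        base = baselines.get(device)
        if base is None:
            alerts.append((device, "unknown-device", kind))
            continue
        if kind == "dns" and not dns_in_baseline(detail, base["dns_suffixes"]):
            alerts.append((device, "unexpected-dns", detail))
        elif kind == "connect":
            ip = ipaddress.ip_address(detail.rsplit(":", 1)[0])
            # Both devices are stationary and, except for listed peers,
            # never talk to another host on the LAN.
            if ip in LAN and str(ip) not in base["lan_peers"]:
                alerts.append((device, "lateral-connection", detail))
        elif kind == "transfer" and int(detail) > BULK_BYTES:
            hour = datetime.fromisoformat(ts).hour
            if base["bulk_hour"] is None or hour != base["bulk_hour"]:
                alerts.append((device, "off-schedule-bulk-transfer", f"{detail} bytes at {ts}"))
    return alerts


if __name__ == "__main__":
    for device, rule, detail in detect(EVENTS, BASELINES):
        print(f"{device:22} {rule:28} {detail}")
```

The nightly Nest upload and the Nest-to-Nest connection pass; the TV's lookup of an unknown domain, its SMB connection to another LAN host, and the thermostat's afternoon upload are flagged. The TV's 10-attempts-then-45-minute-gap cadence would be a fourth rule on inter-event timing, not shown here.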
DISCUSSION
What is your near-term focus?
Reaction to Gartner's prediction? “By 2020, more than 25% of identified attacks in enterprises will involve the IoT, although the IoT will account for less than 10% of IT security budgets.” (poll of 130 information security professionals attending Black Hat)