SECURE THE ENTERPRISE OF THINGS - UNDERSTANDING THE NEW ATTACK LANDSCAPE Jack Marsal Sr. Director, Product Marketing - AIM Utah
©2018 Armis Inc. All Rights Reserved.

Explosive Growth in Enterprise “Things”
[Chart: connected devices by category, 2010 to 2020, y-axis 5 to 20 billion. Source: Gartner, BI Intelligence 2016]
20+ Billion Connected Devices
• Traditional Enterprise (managed, protected): Web, PCs and Servers
• BYOD (PC & Mobile; protected/unprotected): Smartphones, Tablets, Laptops
• Unmanaged and IoT (unmanaged, unprotected): VOIP, Security Cameras, Switches, Access Points, Printers, Bluetooth, Point of Sale, Smart TVs, Medical Devices, Smart HVAC, Manufacturing, Smart Lighting
“IoT has become the leading technology for digital transformation and is the number one priority for 92 per cent of organizations.”
Inmarsat, “The Future of IoT in Enterprise -- 2017”
“IoT architectures and solutions are critical enablers to achieving innovative and planned business outcomes.”
Gartner, “Internet of Things Primer for 2018”, 9 January 2018, Nathan Nuttall, Emil Berthelsen, Martin Reynolds
Meet The New (Insecure) Endpoint
• Designed To Connect
• No Security
• Billions of Devices
• Hard to Update
• Many Manufacturers
• Hard to Discover
Attacks on Unmanageable Devices are Increasing
• 600% increase in attacks from 2016 to 2017 (Symantec ISTR 2018)
• 46% had a breach or security incident associated with IoT security (IDC, 2017)
• 25% of all identified attacks in enterprises will involve unmanageable devices by 2020 (Gartner, 2017)
6 EXPLOITS
Real Stories Behind the Headlines
Compromised Tablet
UNAUTHORIZED VIDEO STREAMING
WHAT
• 200 conference rooms, each had a tablet to control the video system
• The tablet in one conference room was streaming video and audio to an unknown destination
• This represented a leakage of sensitive conversations.
Compromised Smart TV
ATTEMPTING TO INFECT OTHER DEVICES
WHAT
• Boardroom was equipped with a Smart TV
• Malware on the Smart TV was trying to infect nearby devices via Wi-Fi and Bluetooth.
Compromised Security Camera
BOTNET ATTACK
WHAT
• Security cameras on the network were compromised with a botnet
• Botnet was connecting to routers on the network, trying to compromise the routers.

Infected Healthcare Device
ENTRY POINT FOR WANNACRY
WHAT
• MRI machine had an external internet connection for vendor remote support
• Running Windows XP -- unpatched since it would void the warranty
• Infected with WannaCry and trying to infect other Windows systems via SMB

Unauthorized Network Bridge
PRINTER ALLOWED ANYONE TO CONNECT
WHAT
• A printer connected to the wired network had an open hotspot, allowing unauthenticated access to anyone.
Rogue Network Stealing Credentials
THEFT OF NETWORK CREDENTIALS
WHAT
• A corporate device was connecting to a Wi-Fi Pineapple that was collecting Active Directory credentials or hashes
DNS REBINDING EXPLOIT
Nearly Every Enterprise is Exposed
Armis Findings
• Half a billion devices in the enterprise are vulnerable to DNS Rebinding
• Firewall and network segmentation will not protect against attack
Vulnerable Devices
• IP Phone – IP-based desk phones
• Printer – Corporate printers
• Network equipment – access points, routers, or switches
• IP Camera – Typically security cameras
• Streaming Media Player – Chromecast, FireTV, Apple TV, etc.
• Video conferencing – IP-based conference room phones, speakers
• Smart TV – Connected monitors, often running apps
• Conference phone – IP-based conference room phones and speakers
• HVAC control – Smart / connected thermostats
• Peripherals – UPS, lab equipment, KVM
• Point of Sale – Sales terminals, could be iPads
• Smart speaker – Amazon Echo, Google Home, Sonos, etc.
HOW DNS REBINDING ATTACK WORKS
[Diagram: worldsportsscores.com (“World Sports Scores” site carrying a malvertisement) → user’s browser → local devices (IP Cameras, Smart TVs, Speakers / Digital Assistants, Printers, IP Phones) → Critical Data; in Step 4 the connection goes outbound, shown with company.com and DDOS]
STEP 1: User visits malicious website or site with malicious ad. JavaScript runs on user’s browser.
STEP 2: Malicious website commands the end-user browser to scan local IP addresses for target devices.
STEP 3: Hacker accesses the target device.
STEP 4: Hacker establishes outbound connection through the unmanaged or IoT device.
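The four steps above explain why a perimeter firewall does not help: the browser doing the scanning already sits inside the network. The two checks that do help are a resolver that refuses to hand a browser an internal address for an external name (the rebound answer in Step 2) and an embedded web server that rejects requests whose Host header is not its own address or name (the request in Step 3 still says Host: worldsportsscores.com). The following is an added example written for this page, not Armis code or a product feature; the zone name corp.example, the printer address 192.168.1.20 and the event list are constructed, and the internal ranges are the RFC 1918 and link-local blocks plus loopback and IPv6 ULA.

```python
import ipaddress

# Address ranges an external name should never resolve to. Constructed for
# this example; an enterprise would extend it with its own internal prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Zones the organization legitimately serves from internal addresses
# (assumed name; split-horizon DNS for these is normal, not rebinding).
INTERNAL_ZONES = ("corp.example",)


def _name_in_zones(name, zones):
    """True if name equals one of the zones or sits beneath it."""
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in zones)


def is_rebinding_answer(name, answer_ip, internal_zones=INTERNAL_ZONES):
    """Resolver-side check: a public name such as worldsportsscores.com whose
    A/AAAA record points at an internal address is the attacker's second,
    'rebound' answer. Dropping it means the browser never gets to reuse its
    same-origin permission for that site against a printer or camera."""
    ip = ipaddress.ip_address(answer_ip)
    if not any(ip in net for net in INTERNAL_NETS):
        return False
    return not _name_in_zones(name, internal_zones)


def host_header_allowed(host_header, device_ip, device_names=()):
    """Device-side check: the rebound request still carries the attacker's
    Host header (the browser believes it is talking to worldsportsscores.com),
    so an embedded web server that only answers for its own address or names
    refuses it even when the resolver let the answer through."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Strip an optional :port, including for bracketed IPv6 literals.
    if host.startswith("["):
        host = host[1:host.index("]")]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(device_ip)
    except ValueError:
        return host in {n.lower() for n in device_names}


# Constructed sequence of what the resolver and a printer at 192.168.1.20
# would see during the four steps; the second DNS answer is the rebind.
SAMPLE_EVENTS = [
    ("dns", "worldsportsscores.com", "203.0.113.5"),    # step 1: real site
    ("dns", "worldsportsscores.com", "192.168.1.20"),   # step 2: rebound answer
    ("http", "worldsportsscores.com", "192.168.1.20"),  # step 3: browser hits printer
    ("http", "192.168.1.20", "192.168.1.20"),           # legitimate admin request
]


def filter_events(events, device_names=("printer01.corp.example",)):
    """Apply both checks and return the events each layer would block."""
    blocked = []
    for kind, name_or_host, ip in events:
        if kind == "dns" and is_rebinding_answer(name_or_host, ip):
            blocked.append(("resolver", name_or_host, ip))
        elif kind == "http" and not host_header_allowed(name_or_host, ip, device_names):
            blocked.append(("device", name_or_host, ip))
    return blocked


if __name__ == "__main__":
    for layer, name, ip in filter_events(SAMPLE_EVENTS):
        print(f"{layer:8s} blocked {name} -> {ip}")
```

Either layer alone stops the sequence, which is the point of running both: the resolver policy protects devices whose firmware cannot be changed, and the Host check protects devices that talk to a resolver you do not control (a guest network, a vendor-supplied gateway).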
WHAT TO DO?

What is Your Security Strategy?
Types of Endpoints | Security Strategy
• Unmanaged and IoT (VOIP, Security Cameras, Switches, Access Points, Printers, Bluetooth, Point of Sale, Smart TVs, Medical Devices, Smart HVAC, Manufacturing, Smart Lighting) | ????????
• Smartphones, Tablets, Laptops | Mobile device management, guest networks, VDI
• PCs and Servers | Security agents, patch management, firewalls, NAC
Zero-trust Approach
Agent = Trust
Discover and Classify – Fortune 1000 Company
• 1,212 Windows Machines (205 Unmanaged)
• 578 Servers
• 1,117 Employee Phones (587 Unmanaged)
• 370 Tablets (295 Unmanaged)
• 213 Guest Phones
• 60 Smart TVs (5 Previously Unknown)
• 10 Telepresence Systems
• 100 Printers (78 Open Hot Spots)
• 500 VoIP Phones (2 Sending Data To Unauthorized IP)
• 80 Switches (21 Unpatched Vulnerabilities)
• 110 APs
• 150 Security Cameras (10 Possible Botnet Infections)
• 10 Gaming Consoles
• 140 Smart Watches (17 Trying to Connect to other Devices)
• 5 Digital Assistants (4 on Guest Network)
• 25 Smart Thermostats
• 20 HVAC Controllers
• 2 Wi-Fi Pineapples (Connecting to Multiple Corp Devices)
Zero-trust Approach

Network Segmentation Is Not Trustable
[Diagram: Perimeter Firewall; Guest, Corp and VLAN “N” segments; Network Core (Core Switch); Aggregation Layer (Aggregation Switches); Access Layer (Access Switches); Managed & Unmanaged Devices at the edge; attacks shown entering at the switch, inside the segmented network]
Remote Control Execution Incidence
• Traditional Desktop: 1 per year
• Mobile: 2-3 per year
• Network Infrastructure: 100 per year
• IoT: every year
Cisco Bulletin
• April 6, 2018: “Attacks targeting Cisco IOS switches were detected exploiting the CVE-2018-0171 vulnerability in the Cisco Smart Install Client software. According to the Cisco Talos team, more than 168,000 devices worldwide are potentially exposed.”

Location of Vulnerable Cisco Devices
[Map: locations of devices vulnerable to CVE-2018-0171]
Network devices are often easy targets. The following factors contribute to the vulnerability of network devices:
• Few network devices run antivirus, integrity maintenance, and other security tools that help protect general purpose hosts.
• Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
• Owners and operators of network devices do not change vendor default settings, harden them for operations, or perform regular patching.

Zero-trust Approach
Continual Behavior Monitoring
DEVICE: Samsung 60" Class J6200 Full LED Smart TV
NORMAL BEHAVIOR TRAITS:
• DNS queries followed by connection attempts to xpu.samsungelectronics.com
• 10 consecutive attempts spaced 5 minutes apart, followed by a 45 minute gap before attempting again
• Interfaces: BT, Wi-Fi
• Stationary, does not connect to other devices on the network
• Tizen OS
• Several default applications such as Netflix and Amazon Instant Video

DEVICE: Nest Thermostat, 3rd Gen
NORMAL BEHAVIOR TRAITS:
• DNS queries to transport.home.nest.com, transport.home.ft.nest.com in a periodic manner
• Every night at 4am, ~1GB of data transfer
• Interfaces: Wi-Fi
• Stationary, no other protocols, routing between Nests on the same network, no connection to other devices, no devices connecting to it
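A baseline like the two above is only useful once something compares live telemetry against it. The following is an added example for this page, not Armis code: it encodes the two profiles as a small data structure (expected DNS domains, whether the device talks to LAN peers, and the hour window and size of its nightly transfer) and runs constructed DNS and connection records through them. The 10-attempt/45-minute cadence is not modelled; the 10 MB default bulk threshold, the half-of-expected-size rule and the 192.168.0.0/16 LAN range are assumptions. The sample rows include a Smart TV reaching a LAN peer, which is exactly the deviation in the boardroom Smart TV story earlier in the deck.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Baseline:
    """Normal-behaviour traits for one device model. Fields mirror the two
    profiles in the deck; the numeric thresholds are assumptions."""
    dns_suffixes: tuple      # domains the device is expected to query
    lan_peers_ok: bool       # may it open connections to other LAN hosts?
    bulk_hours: tuple = ()   # (start, end) local hours in which a bulk transfer is normal
    bulk_bytes: int = 0      # expected size of that transfer in bytes (0 = none expected)


BASELINES = {
    "Samsung J6200 Smart TV": Baseline(("samsungelectronics.com",), False),
    "Nest Thermostat 3rd Gen": Baseline(("nest.com",), False, (3, 5), 1_000_000_000),
}

# Constructed telemetry: (timestamp, device, kind, target, bytes).
# "dns" rows are queries; "conn" rows are connections the device opened.
SAMPLE_EVENTS = [
    ("2018-06-01T09:00:00", "Samsung J6200 Smart TV", "dns", "xpu.samsungelectronics.com", 0),
    ("2018-06-01T09:00:01", "Samsung J6200 Smart TV", "conn", "203.0.113.10", 4096),
    ("2018-06-01T09:05:00", "Samsung J6200 Smart TV", "conn", "192.168.10.23", 512),
    ("2018-06-01T09:06:00", "Samsung J6200 Smart TV", "dns", "update-check.example", 0),
    ("2018-06-02T04:00:00", "Nest Thermostat 3rd Gen", "dns", "transport.home.nest.com", 0),
    ("2018-06-02T04:01:00", "Nest Thermostat 3rd Gen", "conn", "198.51.100.7", 1_050_000_000),
    ("2018-06-02T14:00:00", "Nest Thermostat 3rd Gen", "conn", "198.51.100.7", 900_000_000),
]

# Assumed default: anything over this outside a learned window counts as bulk.
DEFAULT_BULK_THRESHOLD = 10_000_000


def _expected_domain(name, suffixes):
    """True if the queried name is one of the baseline domains or beneath it."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in suffixes)


def check_events(events, baselines=BASELINES, lan="192.168.0.0/16"):
    """Compare each event with the device's baseline and return the list of
    (timestamp, device, reason) deviations. Unknown devices are reported too,
    since discovery is the first step of the zero-trust approach."""
    lan_net = ipaddress.ip_network(lan)
    alerts = []
    for ts, device, kind, target, nbytes in events:
        base = baselines.get(device)
        if base is None:
            alerts.append((ts, device, "no baseline for device"))
            continue
        if kind == "dns":
            if not _expected_domain(target, base.dns_suffixes):
                alerts.append((ts, device, f"unexpected DNS query for {target}"))
        elif kind == "conn":
            # A stationary device opening connections to LAN peers is the
            # Smart TV story: malware looking for nearby devices to infect.
            if ipaddress.ip_address(target) in lan_net and not base.lan_peers_ok:
                alerts.append((ts, device, f"connection to LAN peer {target}"))
            # The Nest moves ~1GB every night at 4am; the same volume in the
            # afternoon is worth a look even though the destination is known.
            threshold = base.bulk_bytes // 2 if base.bulk_bytes else DEFAULT_BULK_THRESHOLD
            hour = datetime.fromisoformat(ts).hour
            in_window = base.bulk_hours and base.bulk_hours[0] <= hour < base.bulk_hours[1]
            if nbytes >= threshold and not in_window:
                alerts.append((ts, device, f"{nbytes} bytes to {target} outside normal window"))
    return alerts


if __name__ == "__main__":
    for ts, device, reason in check_events(SAMPLE_EVENTS):
        print(f"{ts}  {device}: {reason}")
```

Run on the sample rows this yields three deviations: the Smart TV reaching 192.168.10.23, its query for a domain outside samsungelectronics.com, and the thermostat moving 900 MB at 14:00. The baseline deliberately whitelists behaviour rather than blacklisting indicators, which is what makes it workable for devices that cannot run an agent.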
DISCUSSION
What is your near-term focus?

Reaction to Gartner’s prediction?
“By 2020, more than 25% of identified attacks in enterprises will involve the IoT, although the IoT will account for less than 10% of IT security budgets.”
[Survey: 130 info security professionals attending Black Hat]