Internet of Things (IoT) Security

Internet of Things Security

There is no single, definitive explanation of what exactly the Internet of Things (IoT) is. Most professionals define the term as the connection of diverse devices that can provide or request a service over the Internet, enabling human-to-thing, thing-to-thing, and thing-to-things transmission of data. There are many ways in which IoT applications are improving everyday life. Vehicles are now being equipped with small IoT devices that let them download road maps with updated traffic information and provide protection against auto theft. Even buildings are having IoT devices installed, with sensors that allow users to remotely control a building's energy consumption across different systems, such as lights and air conditioners, based on their preferences. Many household items are now sold with their own embedded processing unit, which gives the product IoT capabilities.

The question of what an IoT system is composed of has caught the attention of many people in academia and industry. The IoT reference models used to explain each of the different sections within an IoT system range from three to seven levels. The first reference model for IoT systems consisted of three levels and described IoT as a system of Wireless Sensor Networks (WSNs).

  1. Application
  2. Cloud server
  3. WSN

The second proposed model has five levels and reduces the complexity of interactions between different sections of the model, resulting in simpler applications with well-defined components. The current model, created by Cisco in 2014, extends the previous models to seven levels, where the flow of data has a dominant direction depending on the type of application. The first three levels of the model are grouped into the Edge-side layer.

  • Level 1 consists of edge devices and computing nodes such as smart controllers, sensors, and RFID readers.
  • Level 2 consists of the communication components that enable the transmission of data or commands.
  • Level 3 is the edge (or fog) computing level. This is where simple data processing starts, reducing the computation load in the upper levels and producing a faster response.

The next three layers are grouped into the server or Cloud-side layer.

  • Level 4 reduces data in motion to a resting state by filtering network packets and selectively storing them in database tables.
  • Level 5 abstracts the information so that it can be rendered and stored, allowing simpler and more efficient data processing.
  • Level 6 is where the information is interpreted in applications for marketing, academic, and industrial needs.

The final group contains only level 7; this is where users interact with the IoT node data through applications.

The motivations of potential attackers who launch attacks against IoT devices and systems might include stealing sensitive data or compromising an IoT component. The vulnerabilities of IoT devices at the first level start with hardware Trojans. These are a major concern for IoT integrated circuits, since an attacker can use the circuit to exploit a node's functionality and gain access to data or software running on the integrated circuit. This might happen in one of two ways:

  • Externally activated Trojan, triggered by an antenna or sensor
  • Internally activated Trojan, triggered once a certain condition is met within the integrated circuit

Non-network side-channel attacks on an edge node may reveal critical information under normal operation, even when the node is not currently using any wireless communication to send or receive data. Lastly, Denial of Service (DoS) attacks can occur against IoT devices; the three main types are battery draining, sleep deprivation, and outage attacks.

  • In a battery draining DoS attack, an attacker sends many packets to a node, forcing it to run various system checks repeatedly. Since nodes tend to be very small and carry small batteries with limited energy capacity, the repeated work exhausts the battery.
  • In a sleep deprivation attack, an attacker attempts to send a chain of requests to a node that appear to be legitimate. Since most IoT nodes are battery-powered with limited energy capacity, keeping the node awake to service these requests drains it.
  • When an outage attack occurs, an edge node stops performing its normal operations. However, this may also be the result of an unintended error or a system issue.

Implementing RFID tags in IoT devices at the edge node level requires all such RFID tags to provide a unique identifier that any nearby RFID reader can read. A tag attached to a product or an individual therefore creates tracking information. Certain types of tags can carry information about the product or individual they are attached to, making a node easily inventoried by a third party. Electronic product code (EPC) tags contain two fields that create privacy concerns for users: the manufacturer code and the product code.

At the communication level of the reference model, the attack an adversary might consider for reconnaissance is network eavesdropping, or packet sniffing. This occurs when an attacker deliberately listens to private conversations over system communication links. It can provide an attacker with invaluable information when the data is unencrypted or sent in plaintext. Data contained within a network packet might include the following:

  • Usernames and passwords
  • Shared network passwords
  • Node configuration

A side-channel attack is not easy to implement, but it is a powerful attack against encryption algorithms. This type of attack can be launched from both the edge node and communication levels. However, a side-channel attack launched from the communication level is not easily defended against, since the method is non-invasive and undetectable. Another possible attack at this level is the injection of fraudulent packets into communication links, either by inserting new packets into the network or by capturing network packets and then manipulating the data they contain.

There are new and emerging challenges to securing IoT systems, such as the dramatic increase in the number of weak links and the unexpected uses of data. The increase in weak links results from the special characteristics of the devices and the cost factors faced by device manufacturers: because they are compact, battery-powered devices with limited storage and computation resources, many devices on the market are not able to support secure cryptographic protocols. Lastly, the unexpected uses of environment- or user-related data collected by Internet-connected sensors, made possible by the pervasive computing that IoT technologies enable, has led to an unwelcome influence of Internet-connected sensors on everyday living and creates privacy concerns for users.

As more developers push new IoT devices and services to the Internet, new IoT vulnerabilities and attacks against users and systems will be discovered. Most systems are designed for a specific application or service, and testing the security of such a system might be complex and time consuming, but it is necessary as the number of new devices deployed to the Internet by manufacturers increases each week. Some security threats might not be as widely recognized as others, but new threats to IoT devices and applications should be addressed by both security professionals and developers to minimize the scope of possible risk to users and devices.

References

Mosenia, A., & Jha, N. (2017). A Comprehensive Study of Security of Internet-of-Things. IEEE Transactions on Emerging Topics in Computing, 586-602.

What is the Internet of Things (IoT)?

I. Introduction

The Internet of Things (IoT) is a system of interrelated computing devices and mechanical and digital machines equipped with unique identifiers (UIDs) that have the ability to collect, share, and analyze data over a network without requiring human-to-human or human-to-computer interaction. It is an interconnection of heterogeneous entities, where the term "entity" refers to a human, a sensor, or anything that may request or provide a service. As more wireless networks come online, the growing number of IoT devices around the world will only expand the scope of IoT devices and applications. Vendors are now leveraging IPv6 addressing with high-speed Internet connections to improve the design and performance of IoT devices, creating increased growth and demand for new IoT products.

IoT is playing a key role in transforming everyday life with greater connectivity and functionality, generating data faster than most applications can process and filter. By combining these connected devices with automated systems, it is possible to gather information, analyze it, and create an action or event to help someone with a task or learn from a process. However, many IoT devices have several operational limitations on the computational power available to them. These constraints often make them unable to implement basic security measures, and the low price and consumer focus of many devices make a robust security patching system uncommon.

The scope of IoT applications has opened the door to many new business opportunities and revenue streams. Many businesses implement IoT services to gain a better view of operational expenses, creating better marketing insight based on consumer behavior and product placement. This can reduce the total time it takes for a product to become available to a consumer. IoT also offers businesses just-in-time training for employees to improve labor efficiency and increase organizational productivity. Logistics and supply chains are improved with IoT by creating a unique identifier for individual items in the supply chain, allowing intelligent choices about how to deliver goods and services more efficiently to consumers. IoT helps manufacturing companies measure a product's performance, diagnose errors, and improve a product's quality, performance, and support.

II. IoT reference model

The initially proposed IoT reference model consists of three levels and represents IoT as an extended version of wireless sensor networks (WSNs).

Level | Description
3 | Applications
2 | Cloud Services
1 | WSN

In 2014, a new IoT Reference Model was created by Cisco. It consists of the following seven levels, with data generally flowing in a bidirectional manner.

Level | Description | Layer Abstraction
7 | Collaboration and Processes (People & Business Processes) | User-side
6 | Application (Reporting, Analytics, Control) | Server/Cloud-side
5 | Data Abstraction (Aggregation & Access) | Server/Cloud-side
4 | Data Accumulation (Storage) | Server/Cloud-side
3 | Edge Computing (Data Analysis & Transformation) | Edge-side
2 | Connectivity (Communication & Processing Units) | Edge-side
1 | Physical Devices & Controllers (Devices) | Edge-side

Level 1 – This level is concerned with the physical devices at the edge side: smart controllers, sensors, and RFID readers. Data confidentiality and integrity are considered from here upward.

Level 2 – This level contains all communication and processing units that enable the transmission of data or commands using routing and switching protocols. Communication happens between IoT devices in the first level and components in the second level, including communication across data networks.

Level 3 – Edge Computing. Simple data processing is initiated here; it is essential for reducing computation loads in the higher levels as well as for providing a fast response to events. Learning algorithms are implemented at this level.

Level 4 – Data Accumulation. Data is combined from multiple sources to convert data in motion into data at rest. At this level, data is converted from network packets into database tables, and filtering and selective storing determine whether it is of interest to higher levels, either for future analysis or to be shared with higher-level computing servers.

Level 5 – Data Abstraction. This level provides the opportunity to read and store data such that further processing becomes simpler or more efficient. Services at this level may include data normalization/denormalization, then indexing and consolidating data into one place with access to multiple data stores.

Level 6 – Application. Information is interpreted here, and the application software cooperates with the data accumulation and data abstraction levels.

Level 7 – This level involves users and business processes using IoT applications and their analytical data to make informed choices.

III. Fog and Edge Computing in IoT

IoT vendors are implementing edge and fog computing technology to provide enhanced data analysis and management and to increase the scope of possible IoT applications. In computer networking, the control plane is the part of the router architecture concerned with the network topology, that is, the information in the routing table that defines what to do with incoming packets; it is the part of the software that configures, and shuts down, the data plane. The data plane is the part of the software that processes the data requests. Fog computing is a standard that defines how edge computing should work; it facilitates the operation of computation, storage, and networking services between IoT devices and cloud computing centers. This enables computing services to reside at the edge of the network as opposed to on servers in a data center. In fog computing, there is only one centralized computing device responsible for processing data from the different endpoints in the network. This style of architecture uses edge devices to carry out a substantial amount of computation, storage, and communication locally, then sends the result over the Internet backbone. Fog computing can be perceived in both large cloud systems and big data structures, referring to the growing difficulty of accessing information objectively. It brings data closer to the user, compared with storing data far from the endpoint in data centers, providing location awareness and low latency and improving the overall quality of service.

Edge computing is located at the edge of the network; this is how IoT data is collected and analyzed directly by controllers or sensors and then transmitted to a nearby computing device for analysis. This brings processing closer to the data source, so data does not need to be sent to a remote cloud or other centralized system for processing. It eliminates the distance and time it takes to send data to a centralized source, which improves the speed and performance of data transport, as well as of the devices and applications at the edge. Instead of depending completely on a cluster of clouds for computing and data storage, edge computing can provide intelligent services by leveraging local computing and local edge devices. Edge computing applications can pre-process, filter, score, and aggregate data.

Edge Computing | Fog Computing
Pushes communication capabilities, processing power, and intelligence directly into devices such as programmable automation controllers | Pushes intelligence to the local area network and processes data either in an IoT gateway or in a fog node

IV. The Vulnerabilities of IoT

Security is a significant challenge for companies adopting and deploying IoT innovations. There is not much motivation for vendors to change, with little or no consequence for selling insecure devices, since devices can be manufactured very cheaply and are not maintained with regular patches and updates by vendors. An example of a major security concern for integrated circuits is hardware Trojans. A malicious modification of an integrated circuit (IC) enables an attacker to use the circuit, or exploit its functionality, to obtain access to data or software running on the integrated circuitry.

  • Externally activated (antenna or sensor)
  • Internally activated (given condition; logic)

IoT systems are a higher security risk for several other reasons: insecure network interfaces or services, and insufficient authentication/authorization. These systems might include data or services that were not designed to be connected to the global Internet. They may not have a well-defined perimeter and are continuously changing due to device and user mobility.

IoT systems are highly diverse in character with respect to communication media and protocols, platforms, and devices. As a result, IoT systems, or portions of them, could be physically unprotected and/or controlled by different parties. Also, IoT devices could be autonomous entities that control other IoT devices. Routing attacks against an IoT network affect how packets are routed by spoofing, redirecting, or misdirecting them to another network. An attacker can inject fraudulent packets into communication links using three different methods: insertion, manipulation, or replication.

There are several communication vulnerabilities in IoT devices, sometimes as a result of a lack of transport encryption or integrity verification; this may allow a third party to intentionally listen to private conversations over the communication lines. As a result, there are several privacy concerns with IoT devices, such as insufficient security configurability, insecure software/firmware, and poor physical security.

DoS attacks are a standard attack used against IoT devices that jams the transmission of radio signals, either continuously (blocking all transmissions) or intermittently (reducing the performance of systems). There are three well-known types of DoS attack against edge computing nodes: battery draining, sleep deprivation, and outage attacks. A battery draining attack exploits the fact that nodes usually must carry small batteries with very limited energy capacity. In a sleep deprivation attack, the victim is a battery-powered node with limited energy capacity, and the attacker attempts to send an undesired set of requests that seem to be legitimate. Lastly, an outage attack happens when an edge device stops performing its normal operations.

V. Botnets and the Internet of Things

A botnet (robot network) is a network of compromised machines, or bots, that run malicious software under the command and control of a bot master. Bots can automatically scan entire network ranges and propagate themselves to other machines using known vulnerabilities and weak passwords. Once a machine is compromised, a small program is installed for future activation by the bot master, who at a certain time can instruct the bots in the network to execute actions. In other words, a botnet is a network of infected machines or bots (zombies) that has a command-and-control infrastructure and is used for various malicious activities. Botnet architecture has evolved over time in an effort to evade detection and disruption. Bot programs are constructed as clients that communicate via existing servers. This allows the bot master to perform all control from a remote location, which obfuscates their traffic within a client-server or peer-to-peer network.

Once the software is downloaded, the bot contacts its master computer and lets it know that everything is ready to go. An individual botnet device can be compromised by more than one type of attack, often at the same time. Servers may choose to publish rules on the behavior of Internet bots. This informs the web robot about which areas of the website should not be processed or scanned.

https://www.example.com/robots.txt

The text file robots.txt is normally placed at the root of a web server to govern a bot's behavior on that server; it can then be used by search engines to categorize websites. Robots that choose to follow the instructions try to fetch this file and read the instructions before fetching any other file from the website. If this file does not exist, web robots assume that the website owner does not wish to place any limitations on crawling the entire site.
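The fetch-and-check behaviour described above, as an added example (not code from the original post): a small robots.txt evaluator that parses the file into User-agent groups, picks the group that applies to a given crawler (falling back to the "*" group), and decides whether a path may be fetched, treating a missing file as "no limitations". The sample robots.txt, crawler names and paths are constructed for the example.

```python
"""Minimal robots.txt evaluator (added example, not from the original post).

A well-behaved crawler fetches /robots.txt, selects the User-agent group
that matches it, and applies that group's Allow/Disallow rules to each
path it wants to fetch. A missing file (None) means no limitations.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample robots.txt, assumed for this example.
SAMPLE_ROBOTS_TXT = """\
# Site-wide rules
User-agent: *
Disallow: /admin/
Disallow: /private/
Allow: /private/public-report.pdf

# One named crawler gets its own, stricter group
User-agent: BadBot
Disallow: /
"""

Rule = Tuple[str, str]  # ("allow" | "disallow", path_prefix)


def parse_robots(text: str) -> Dict[str, List[Rule]]:
    """Parse robots.txt into {user_agent_lowercase: [(directive, path), ...]}.

    Consecutive User-agent lines share the rule block that follows them.
    Comments (#) and blank lines are ignored; unknown directives are skipped.
    """
    groups: Dict[str, List[Rule]] = {}
    current_agents: List[str] = []
    rules_started = False  # True once rules for current_agents have begun
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules_started:  # a User-agent after rules opens a new group
                current_agents = []
                rules_started = False
            current_agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and current_agents:
            rules_started = True
            for agent in current_agents:
                groups[agent].append((field, value))
    return groups


def _select_group(groups: Dict[str, List[Rule]], user_agent: str) -> List[Rule]:
    """Longest agent token contained in the UA string wins; '*' is the fallback."""
    ua = user_agent.lower()
    best: Optional[str] = None
    for agent in groups:
        if agent != "*" and agent in ua and (best is None or len(agent) > len(best)):
            best = agent
    return groups[best] if best is not None else groups.get("*", [])


def can_fetch(robots_text: Optional[str], user_agent: str, path: str) -> bool:
    """Return True if `user_agent` may fetch `path` under `robots_text`.

    None models a missing robots.txt: the owner placed no limitations, so
    everything is allowed. Among matching rules the most specific (longest)
    prefix wins; on a tie Allow beats Disallow. An empty Disallow value
    disallows nothing.
    """
    if robots_text is None:
        return True
    rules = _select_group(parse_robots(robots_text), user_agent)
    best_len = -1
    allowed = True  # no matching rule means the path is allowed
    for directive, prefix in rules:
        if prefix == "" or not path.startswith(prefix):
            continue
        if len(prefix) > best_len or (len(prefix) == best_len and directive == "allow"):
            best_len = len(prefix)
            allowed = directive == "allow"
    return allowed


if __name__ == "__main__":
    for ua, p in [("GoodBot/1.0", "/admin/users"), ("GoodBot/1.0", "/private/public-report.pdf"),
                  ("BadBot/2.0", "/index.html")]:
        print(ua, p, "->", "allowed" if can_fetch(SAMPLE_ROBOTS_TXT, ua, p) else "disallowed")
```

Only cooperating crawlers consult this file; it is a courtesy protocol rather than an access control, so it restrains none of the bots the next paragraph describes.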

Botnets can be used to perform Distributed Denial of Service (DDoS) attacks, steal data, send spam, allow an attacker to access the device and its connection, or mine cryptocurrency. A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users. It is achieved by saturating a service, which results in its temporary suspension or interruption. The goal of the attack is to overwhelm a target application with an extreme number of requests per second (RPS), driving high CPU and memory usage. A single machine may be used either to target a software vulnerability or to flood a targeted resource with packets, requests, and queries. Application-layer DDoS attacks take the form of HTTP floods, slow attacks, or zero-day assaults.

Network layer DDoS attacks | Measure or effect
UDP floods | Gigabits per second (Gbps)
SYN floods | Packets per second (PPS)
NTP amplification | Consume the target's upstream bandwidth
DNS amplification | Consume the target's upstream bandwidth

VI. The Mirai Botnet

On October 12th, 2016, a massive DDoS attack left much of the Internet inaccessible on the United States East Coast. This was the first of a novel category of botnets that exploit IoT devices and systems, turning IoT devices running a Linux operating system into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. Mirai has two core purposes: to locate and compromise IoT devices in order to grow the botnet further, and to launch DDoS attacks based on instructions received from a remote command and control server. Mirai performs wide-ranging scans of IP addresses, continuously scanning the Internet for the IP addresses of IoT devices. Yet there is a hardcoded list of IP address ranges that Mirai bots are programmed not to infect during scans. These addresses belong to the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA), Hewlett-Packard, and General Electric.

Figure: Mirai's hardcoded list of IP address ranges, which Mirai bots are programmed not to infect during scans.

Mirai locates under-secured IoT devices that can be remotely accessed by trying a table of common factory-default usernames and passwords, then logs into them to infect them with the Mirai malware. Its attack functions enable HTTP floods and OSI layer 3 to 4 DDoS attacks; when attacking with HTTP floods, Mirai bots hide behind default user agents. Infected devices continue to function normally, except for occasional sluggishness and increased use of bandwidth.

If an IoT device becomes infected with Mirai, an administrator should immediately disconnect the device from the network, then reboot it. Since the Mirai malware exists only in dynamic memory, rebooting the device clears the malware. Afterwards, ensure that the previous password for accessing the device has been changed to a strong password. If you reconnect before changing the password, the device could quickly be infected again with the Mirai malware.

VII. Countermeasures/ Protection Techniques of IoT Devices

The following are basic protection techniques suggested by the Cybersecurity and Infrastructure Security Agency (CISA) that provide basic IoT security protection against a third party or hostile attacker. Since many IoT devices do not have powerful processors or enough memory to host intrusion detection, that analysis will likely occur at a gateway device.

An IoT device owner should stop using default/generic passwords and disable all remote (WAN) access to the device. Ensure that all default passwords on the IoT devices have been changed. Update devices with security patches from the manufacturer when available. Even if a device has known software vulnerabilities, patches or workarounds might not be available for a very long period; thus intrusion detection techniques become more important.

Device administrators must disable Universal Plug and Play (UPnP) on routers unless it is necessary. Lastly, a network administrator should monitor port 48101 for suspicious traffic, as infected devices often attempt to spread malware by using this port to send results to a third party or threat actor. Also monitor TCP ports 23 and 2323 for third-party attempts to gain unauthorized control over IoT devices using the network terminal.

Service | Port
SSH | 22
Telnet | 23
HTTP | 80
HTTPS | 443
IP | 2323
IP | 48101
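One way to act on the port-monitoring advice above, as an added example rather than CISA's or the page's own code: a Python check that reads connection records in a constructed firewall-style log format (assumed here), flags inbound TCP connections from outside to ports 23 and 2323 on a local IoT segment, flags outbound connections from that segment to port 48101, and counts telnet attempts per external source so repeated login attempts stand out. The 192.0.2.0/24 local segment and the sample log lines are constructed for the example.

```python
"""Flow-log check for the ports the CISA guidance tells administrators to watch.

Added example, not from the original page or CISA. It assumes a constructed
one-connection-per-line log format (timestamp, protocol, src:port -> dst:port)
such as a firewall or flow exporter might produce, and a hypothetical local IoT
segment (192.0.2.0/24, a documentation range) standing in for the admin's network.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

IOT_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local IoT segment

REMOTE_ADMIN_PORTS = {23, 2323}  # Telnet and the alternate port the text names
REPORT_PORT = 48101              # infected devices send scan results here (per the text)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: two outside hosts probing Telnet on local devices, one
# local device already reporting to port 48101, and benign HTTPS/mDNS traffic.
SAMPLE_LOG = """\
2020-01-01T13:00:01Z TCP 203.0.113.7:51234 -> 192.0.2.10:23
2020-01-01T13:00:02Z TCP 203.0.113.7:51235 -> 192.0.2.10:23
2020-01-01T13:00:03Z TCP 203.0.113.7:51236 -> 192.0.2.10:2323
2020-01-01T13:00:09Z TCP 198.51.100.4:40000 -> 192.0.2.11:2323
2020-01-01T13:00:15Z TCP 192.0.2.10:33001 -> 198.51.100.200:48101
2020-01-01T13:00:20Z TCP 192.0.2.12:44100 -> 93.184.216.34:443
2020-01-01T13:00:21Z UDP 192.0.2.12:5353 -> 224.0.0.251:5353
this line is malformed and must be skipped
"""

Alert = Tuple[str, str, str]  # (timestamp, kind, detail)


def _is_local(addr: str) -> bool:
    return ipaddress.ip_address(addr) in IOT_NET


def scan_flow_log(text: str) -> List[Alert]:
    """Return one alert per flow that matches the guidance.

    - inbound TCP to 23/2323 on a local device from a non-local address:
      someone outside is trying the device's terminal service;
    - outbound TCP from a local device to port 48101: the pattern the text
      attributes to an already-infected device reporting scan results.
    Lines that do not parse are skipped rather than failing the whole run.
    """
    alerts: List[Alert] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["proto"] != "TCP":
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport in REMOTE_ADMIN_PORTS and _is_local(dst) and not _is_local(src):
            alerts.append((m["ts"], "telnet-access-attempt", f"{src} -> {dst}:{dport}"))
        elif dport == REPORT_PORT and _is_local(src):
            alerts.append((m["ts"], "possible-infected-device",
                           f"{src} reporting to {dst}:{dport}"))
    return alerts


def attempts_per_source(alerts: List[Alert]) -> Dict[str, int]:
    """Count Telnet attempts per external source so repeated logins stand out."""
    counts: Counter = Counter()
    for _, kind, detail in alerts:
        if kind == "telnet-access-attempt":
            counts[detail.split(" -> ")[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = scan_flow_log(SAMPLE_LOG)
    for ts, kind, detail in found:
        print(ts, kind, detail)
    print("Telnet attempts per source:", attempts_per_source(found))
```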

 

VIII. Conclusion

As more developers and vendors push new IoT devices and services to the Internet, new IoT threats and attacks against users and systems, aimed at controlling a system or stealing data, will be discovered. Most IoT systems are designed for a specific application or service, and testing the security of such a system might be complex and time consuming, but it is necessary as the number of new devices deployed to the Internet increases each week. Some security threats might not be as widely recognized or known as others, but security professionals should raise awareness of new threats to IoT devices and applications and make that information publicly available to developers and administrators, to minimize the scope of possible risk to users and devices.

Bibliography

Bertino, E., & Islam, N. (2017, February). Botnets and Internet of Things Security. Computer, 76-79.

Burgess, M. (2018, February 16). What is the Internet of Things? WIRED explains. Retrieved from WIRED: https://www.wired.co.uk/article/internet-of-things-what-is-explained-iot

Cisco. (2014). The Internet of Things Reference Model. Cisco.

Cloudflare. (2020). What is a DDoS Attack? Retrieved from Cloudflare: https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

Cybersecurity and Infrastructure Security Agency. (2017, October 17). Alert (TA16-288A) – Heightened DDoS Threat Posed by Mirai and Other Botnets. Retrieved from Cybersecurity and Infrastructure Security Agency: https://www.us-cert.gov/ncas/alerts/TA16-288A

Fruhlinger, J. (2018, March 9). The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet. Retrieved from CSO: https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html

Herzberg, B., Zeifman, I., & Bekerman, D. (2016, October 26). Breaking Down Mirai: An IoT DDoS Botnet Analysis. Retrieved from Imperva: https://www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/

Mosenia, A., & Jha, N. (2017). A Comprehensive Study of Security of Internet-of-Things. IEEE Transactions on Emerging Topics in Computing, 586-602.

Norton. (2020). What is a distributed denial of service attack (DDoS) and what can you do about them? Retrieved from Norton: https://us.norton.com/internetsecurity-emerging-threats-what-is-a-ddos-attack-30sectech-by-norton.html

Shah, H. (n.d.). Edge computing and Fog computing for enterprise IoT. Retrieved from Simform: https://www.simform.com/iot-edge-fog-computing/

Ransomware

What is ransomware? By now, most of us know that it ruins your files, mostly pictures, documents and other personally created items, by encrypting them and asking for a "ransom" to decrypt them. Ransomware is a vicious malware that locks users out of their devices or blocks access to files until a sum of money, the ransom, is paid. Attacks cause downtime, data loss, major financial loss and intellectual property theft. If an attack makes it through a corporation's defenses to even one computer, it can affect the entire network by encrypting and locking files on network shared drives used by all employees, thus potentially spreading to all computers. Ransomware can enter the network via an email, computer, phone, tablet or USB drive. A file that sits on an infected computer or USB drive and is transferred to another computer can also cause infection and propagation. Social media sites can also be used to transfer malware via links and file attachments.

95% of security breaches are due to human error and a lack of employee training and knowledge.

What can you do?

– Be suspicious of every email you receive. Treat each one as a potential threat, especially if attachments and links are included.

– All of your computers, including Macs, should have a reputable antivirus service.

– Don't share thumb drives with computers you don't know, or if you are not sure they are "clean".

– Turn on the Windows firewall on your PC.

– Back up your data and secure those backups.

– Be wary of what you download onto your computer.

Quote to Ponder: “Live in the sunshine, swim in the sea, drink the wild air…” Ralph Waldo Emerson

What is cybersecurity?

Cybersecurity, or computer security, is the protection of computer systems from theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. The field is becoming more important due to increased reliance on computer systems, the Internet, wireless networks, and the growth of "smart devices."

Vulnerabilities and attacks

A vulnerability is a weakness in design, implementation, operation or internal control. Most of the vulnerabilities that have been discovered are documented in the Common Vulnerabilities and Exposures (CVE) database. An exploitable vulnerability is one for which at least one working attack, or "exploit", exists. Vulnerabilities are often hunted or exploited with the aid of automated tools or manually using customized scripts. To secure a computer system, it is important to understand the attacks that can be made against it. Some of the benefits of cybersecurity are:

  • Business protection against malware, ransomware, phishing, and social engineering
  • Protection for data and networks
  • Prevention of access by unauthorized users
  • Improved recovery time after a breach
  • Protection for end users
  • Improved confidence in the product for both developers and customers

Types of Cybersecurity Threats

The process of keeping up with new technologies, security trends and threat intelligence is a challenging and ongoing task.

#1 – Ransomware: A type of malware in which an attacker locks the victim's computer system files, typically through encryption, and demands a payment to decrypt and unlock them. Paying the ransom does not guarantee that the files will be recovered or the system restored.

#2 – Malware: Any file or program used to harm a computer user or gain unauthorized access.

  • Worms
  • Viruses
  • Trojan horses
  • Spyware

#3 – Social Engineering: An attack that relies on human interaction to trick users into breaking security procedures in order to gain information that is typically protected.

#4 – Phishing: A form of fraud in which fraudulent emails are sent that resemble emails from reputable sources; however, the intention of these emails is to steal sensitive data. This is the most common type of cyber-attack.

  • Credit card details
  • Login information

Tenets of Information System Security

There are three protections that must be extended over information: confidentiality, integrity, and availability (CIA).

Figure: the CIA triad. Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization.

#1 – Confidentiality (Data Privacy)

It is important that only approved individuals can access important information, thus protecting the information from everyone except those with rights to access it. Security controls help reduce the risk of data leaks by defining a set of rules that limits access so that only authorized users can view information.

Put an information technology security policy framework in place that outlines and identifies where security controls should be used. Protecting private data is the process of ensuring data confidentiality, and organizations must apply proper security to this concern. Adopt a data classification standard that defines how to treat data throughout an IT infrastructure.

  • Private data of individuals
  • Intellectual property of businesses
  • Keep data private

#2 – Integrity (Validity and accuracy of data)

Integrity ensures that the information is correct and that no unauthorized person or malicious software has altered the data. Data lacking integrity (inaccurate or invalid) is of no use to users or organizations.

  • Only authorized users can change information
  • Assurance that the information is trustworthy and accurate

#3 – Availability (Data is accessible)

Information must be accessible to authorized users whenever they request it; it only has value if the authorized parties, assured of its integrity, can actually reach it. Information must therefore not be locked down so tightly that no one can access it.

The PCI Data Security Standard

The PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. The PCI SSC sets the PCI security standards, but each payment card brand has its own program for compliance, validation levels and enforcement.

Build and Maintain a Secure Network

#1 – Install and maintain firewall and router configuration standards that formalize testing whenever configurations change, and restrict all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment. Identify all connections to cardholder data and review configuration rule sets at least every six months.

#2 – Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

#3 – Protect stored cardholder data.

#4 – Use strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard sensitive cardholder data during transmission over open, public networks.

Maintain a Vulnerability Management Program

#5 – Install and regularly update anti-virus software or programs.

#6 – Check that all anti-virus mechanisms are current, actively running, and generating audit logs.

Implement Strong Access Control Measures

#7 – Assign all users a unique user name before allowing them to access system components or cardholder data.

#8 – Limit access to system components and cardholder data to only those individuals whose job requires such access, and restrict physical access to cardholder data.

Regularly Monitor and Test Networks

#9 – Track and monitor all access to network resources and cardholder data.

#10 – Regularly test security systems and processes.

Maintain an Information Security Policy

#11 – Maintain a policy that addresses information security for all personnel.

References:

https://www.pcisecuritystandards.org/document_library

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

 

Basic Wireless Network Security

Wireless LAN Types

  • Infrastructure Mode
  • Ad Hoc Network Mode
  • Mixed Network Mode

Threats & Vulnerabilities

  • Wireless traffic is easily captured
  • Common WLAN Attacks: Rogue Access Point (AP)
  • Less Common WLAN Attacks: Wired Network Intrusion

 

Basic Wireless Network Security

  • Use a strong password
  • Enable MAC address filtering
  • Enable network encryption
  • Configure the wireless router to use static IP addresses
  • Disable guest networks (If possible)

 

Policy Management

Define Access Requirements (who needs what & when)

If guest access is banned, the policy must state this so that steps are taken to prevent visitor intrusion.

Include unique wireless scenarios such as employees at public hot spots and office visitors.

Prohibit peer-to-peer (P2P) networking while permitting logged guest sessions through specific access points with limited:

  • Destination (inside or outside the network)
  • Protocols
  • Session time
  • Bandwidth

 

Other ways to secure a wireless network

Restrict access point placement within the network topology.

Wireless applications require protected access to the intranet and/or Internet, and special firewall rules.

Wireless access points should always sit outside the firewall or within a demilitarized zone (DMZ). Using a DMZ can protect the WLAN from Internet threats while protecting the wired intranet from WLAN threats.

Wireless traffic should be segregated so that different policies can be applied.

The General Phases of a Computer Attack

#1 Reconnaissance (information gathering)

Collect information using different tools to gain all information about the target organization, application, or network. This is the longest phase, lasting weeks or months.

  • Internet searches
  • Social Engineering
  • Dumpster diving

 

#2 Scanning (Finding Exploits)

Once the attacker has found enough information to understand how the system works, the next phase is to find exploitable weaknesses in the target using the information gathered in the reconnaissance phase.

  • Open ports
  • Open Services
  • Default Passwords
  • Vulnerable Applications

 

#3 Gaining Access (Enter the target)

With the exploits found in the scanning phase, the attacker will try to enter the target system using different methods. The attacker must gain access to one or more network devices.

  • Session hijacking

 

#4 Maintaining Access (accomplish goal)

Once access has been gained to the target, an attacker may want to maintain access to the system or network.

  • Backdoors
  • Rootkits
  • Trojans

 

#5 Covering Tracks (remove evidence)

The attacker covers their tracks to avoid detection by removing any evidence of the intrusion from the system.

  • Change log files

 

Data Protection

As data is sent around the world, the growth of cyber crime has exposed the personal data of millions of consumers, which has led some jurisdictions to look to regulatory measures to help safeguard this personal data. Stricter rules about handling sensitive customer data are being, or have been, implemented to address these concerns. The implementation of new data protection laws raises the question of whether a jurisdiction is putting in place ways to prevent its citizens’ data from being obtained through legal channels.

Japan has reformed its privacy law and established specific rules for handling personal information that are applicable to cloud providers.

China has tightened laws on foreign data and cloud services, implemented new surveillance measures, and enhanced its scrutiny of cross-border data transfers. The regulations require firms to store data locally in China, forcing cloud providers to transfer the management of their cloud businesses to Chinese-owned companies, or to partner directly with Chinese ventures to comply with the regulation.

 

Borders in the Cloud, by Keith Kirkpatrick

Kovter (Trojan 2018)

Kovter

Kovter is a Trojan that acts as click-fraud malware or as a ransomware downloader. It cannot spread on its own; it relies on users running it by mistake or visiting a malicious webpage, and it is disseminated via malspam email attachments containing malicious Office macros. Reports indicate that infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.

Kovter has transformed through various iterations over its lifespan. Originally, Kovter acted as a form of police ransomware, locking infected devices and displaying a fake fine-payment message pretending to come from a legitimate law enforcement entity. It then evolved into click-fraud malware that used code injection to infect its target, stole information, and exfiltrated it to its Command & Control (C2) servers. Its current version is fileless malware installed via autorun registry entries, which extends itself by adding file components for shell-spawning techniques.

 

Platforms targeted: Windows systems

Infection Flow

  1. Arrives by spam mail
  2. Installs components for shell spawning
  3. Creates a registry entry containing malicious scripts
  4. Injects shellcode into a PowerShell process upon system restart or upon execution of the shortcut or batch file
  5. The shellcode spawns a regsvr32.exe process that connects to various URLs for click fraud

Infection: Email attachment with a JavaScript file hidden inside a 7-Zip archive

Upon execution it downloads the second stage from C2 servers and saves it to %TEMP%. Once this completes, Kovter moves to fileless operation and persistence: its obfuscated JavaScript and binary payloads are written into the Windows Registry.

Prevention

  • Being careful when downloading anything from the Internet
  • Using an ad blocker within the web browser
  • Disabling JavaScript in the web browser

Mitigation

Running an antivirus scan, such as Windows Defender, will flag problem programs that are of concern. Kovter uses either Explorer.exe or Regsvr32.exe to launch and run in memory. In most Windows environments there will not be any Regsvr32.exe processes running for any length of time, so if one is found running it is possibly nefarious and should be reviewed. To identify bad instances of Explorer.exe and Regsvr32.exe, look at the number of libraries loaded in the process’s memory space and where on disk the process was launched from.
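A hunting script that applies the checks above and inspects the autorun registry entries mentioned in the infection flow, added here as an example (it is not from the page’s cited reports). It reports each running regsvr32.exe and explorer.exe with its on-disk path, parent process, loaded-module count and flags, then lists Run-key values that launch a script host; the five-minute threshold, the two Run keys checked and the script-host name list are assumptions.

```powershell
# Added example, not from the cited Kovter reports. Assumptions: only the two Run keys
# below are checked, the 5-minute uptime threshold and the script-host list are starting points.
$windir = $env:WINDIR

# 1. Processes Kovter is known to run from. For each, record where it was launched from,
#    who spawned it, how many modules it has loaded and whether anything looks off.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -in @('regsvr32.exe', 'explorer.exe') }

foreach ($p in $procs) {
    $moduleCount = $null
    try {
        # Module count is the "libraries loaded in its memory space" heuristic; compare it
        # against a known-good instance on the same build. Access can be denied for other users.
        $moduleCount = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules.Count
    } catch { }

    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $flags = @()
    if (-not $p.ExecutablePath -or $p.ExecutablePath -notlike "$windir\*") { $flags += 'path-outside-windir' }
    if ($p.Name -eq 'regsvr32.exe' -and $p.CreationDate -and
        ((Get-Date) - $p.CreationDate).TotalMinutes -gt 5) { $flags += 'long-lived-regsvr32' }
    if ($p.CommandLine -match 'https?://') { $flags += 'url-in-cmdline' }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Path        = $p.ExecutablePath
        Parent      = if ($parent) { $parent.Name } else { '<gone>' }
        Modules     = $moduleCount
        CommandLine = $p.CommandLine
        Flags       = ($flags -join ',')
    }
}

# 2. Autorun Run keys: Kovter persists through registry values that hand a script to a host.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$scriptHosts = 'mshta|powershell|wscript|cscript|regsvr32|rundll32|javascript'
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    # Skip the PS* provider properties; keep only values whose command names a script host.
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $scriptHosts } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Value = $_.Name; Command = $_.Value } }
}
```

Run it from an elevated prompt so module counts are available for every process; a flagged entry is a lead to review, not a verdict on its own.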

 

References:

Kovter Malware Fileless Persistence Mechanism (IBM X-Force Exchange)

Kovter Killer: How to Remediate the APT of Clickjacking

Top 10 Malware January 2018

Threat Spotlight: Kovter Malware Fileless Persistence Mechanism

 

What is Cyber-Warfare?

In the past, cyber-warfare was a fictional concept presented in movies and TV shows. A recent example is the action thriller Blackhat (2015), in which the FBI teams up with China to locate cyber-criminals who have hacked a Hong Kong nuclear plant and the Mercantile Trade Exchange in Chicago. Unfortunately, cyber-warfare is more than just a fictional concept. Today there is more and more evidence that some countries are using state-sponsored hacking to infiltrate other countries’ networks and infrastructure.

Why is this a real threat? Strategic cyber-warfare, unlike what the term may imply, does not involve hand-to-hand combat. It represents a great threat not only to the military but to the general public. Cyber-warfare is an Internet-based conflict involving politically motivated attacks on information and information systems. Cyber-warfare attacks and disables websites and networks. It disrupts essential services, steals or alters classified data, cripples financial systems, and much more. Once an attack is launched, it is hard to determine who launched it. Along with industry leaders, the U.S. Department of Defense is becoming more aware and is now implementing security measures in order to better protect the public and prepare for future threats from state-sponsored hacker attacks.

Cyber-warfare is politically motivated: enemy countries attack another country’s infrastructure such as (but not limited to) water treatment plants, power grids (electricity and natural gas), telecommunications, and public transportation. Targets are either strategic or tactical, for the sole purpose of espionage or sabotage. Cyber-espionage entails stealing sensitive information or gaining insight into another infrastructure, such as enemy troop movements or weapons systems. Cyber-sabotage can cause equipment failure and significant damage such as a nuclear meltdown or massive power outages.

One of the possible targets for state sponsored hackers is our country’s electrical power grid.  The U.S. Department of Homeland Security is working together with energy providers to enhance the security of control systems.  More security is being developed and implemented as the next generation of “smart grid” energy networks are being built.

What happens during a cyber-warfare attack? Hackers target and attack an opponent’s network infrastructure or the resources in their databases that contain sensitive data. They infiltrate a given system to determine its flaws and exploit those flaws to gain control of that system and/or destroy it beyond recovery.

Malware (short for malicious software) is the term for hostile or intrusive software designed to cause intentional harm to computer systems.  Disguised or embedded into non-malicious files, malware includes viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware.  Some of the known malware tools that state sponsored hackers have used in their attacks are:

Flame (also known as “Skywiper”) was discovered in 2012 by the Iranian National CERT (MAHER Center) and was used to target countries in the Middle East. This malware created a fake Microsoft document that appeared to be an update from Microsoft, and it was distributed to all computers on the network running a Windows operating system. Purely espionage by design, Flame recorded audio, screenshots, keyboard activity, network traffic and Skype conversations, and its infections were scattered throughout the world.

Stuxnet, a computer worm, was discovered in 2010 and targeted industrial programmable logic controllers (PLCs). PLCs allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, and power plants. The worm propagates throughout the network, modifying the controllers’ code and issuing unexpected commands. Iran’s Natanz nuclear facility was the target of the Stuxnet worm, which sabotaged operational capacity and caused serious technical problems that forced a shutdown.

Cyber-warfare is more than a fictional concept. It is very real. While movies and TV convey a popular perception of cyber-warfare, they exist solely for entertainment. The challenge is to recognize cyber-warfare in the real world and find ways to minimize the damage and ultimately prevent such attacks.