Internet of Things (IoT) Security

Internet of Things Security

There is no single standard definition of what exactly the Internet of Things (IoT) is. Most professionals define the term as the connection of diverse devices that can provide or request a service over the Internet, enabling human-to-thing, thing-to-thing, and thing-to-things transmission of data. IoT applications are improving everyday life in many ways. Vehicles are now equipped with small IoT devices that let them download road maps with updated traffic information and provide protection against auto theft. Buildings are having IoT devices installed with sensors that allow users to remotely control a building’s energy consumption across systems such as lights and air conditioners according to their preferences. Many household items are sold with their own embedded processing unit, which gives the product IoT abilities.

The question of what an IoT system is composed of has caught the attention of many people in academia and industry. The IoT reference models used to explain each of the sections within an IoT system range from three to seven levels. The first reference model for IoT systems consisted of three levels and described IoT as a system of Wireless Sensor Networks (WSNs):

  1. Application
  2. Cloud server
  3. WSN

The second proposed model has five levels and reduces the complexity of interactions between different sections of the model, resulting in simpler applications with well-defined components. The current model, created by Cisco in 2014, extends the previous models to seven levels, where the flow of data has a dominant direction depending on the type of application. The first three levels of the model are grouped into the edge-side layer.

  • Level 1 consists of edge devices and computing nodes such as smart controllers, sensors, and RFID readers.
  • Level 2 consists of the many communication components that enable the transmission of data or commands.
  • Level 3 is the edge (or fog) computing level. This is where simple data processing starts, reducing the computation load on the upper levels and producing a faster response.

The next three layers are grouped into the server or Cloud-side layer.

  • Level 4 reduces the amount of data in motion to data at rest by filtering and selectively storing network packets in database tables.
  • Level 5 is where the information is abstracted, providing the ability to render and store data for more efficient and simpler processing.
  • Level 6 is where the information can be interpreted in applications for marketing, academic, and industrial needs.

The final group contains only level 7; this is where users interact with the IoT node data through applications.


The motivations of attackers who target IoT devices and systems might include stealing sensitive data or compromising an IoT component. The vulnerabilities of IoT devices at the first level start with hardware Trojans. These are a major concern for IoT integrated circuits, since an attacker can use the malicious circuit to subvert a node’s functionality and gain access to data or software running on the integrated circuit. This might happen in one of two ways:

  • Externally activated Trojan, triggered by an antenna or sensor
  • Internally activated Trojan, triggered once a certain condition is met within the integrated circuit

Non-network side-channel attacks on an edge node may reveal critical information under normal operation, even when the node is not currently using any wireless communication to send or receive data. Lastly, denial of service (DoS) attacks can occur against IoT devices; the three main types are battery draining, sleep deprivation, and outage attacks.

  • In a battery draining DoS attack, an attacker sends many packets to a node, forcing it to run various system checks repeatedly. Since nodes tend to be very small and carry small batteries with limited energy capacity, the repeated checks exhaust the battery.
  • In a sleep deprivation attack, an attacker sends a chain of requests to a node that appear to be legitimate, so the node never enters its low-power sleep state. Since most IoT nodes are battery-powered with limited energy capacity, the node is drained.
  • When an outage attack occurs, an edge node stops performing its normal operations. However, this may also be the result of an unintended error or a system issue.

Implementing RFID tags in IoT devices at the edge node level requires every such tag to provide a unique identifier that any nearby RFID reader can read. A tag attached to a product or an individual therefore creates tracking information. Certain types of tags can carry information about the product or individual they are attached to, making a node easily inventoried by a third party. Electronic product code (EPC) tags contain two custom fields that create privacy concerns for users: the manufacturer code and the product code.

At the communication level of the reference model, the attack an attacker might consider for reconnaissance is network eavesdropping, or packet sniffing. This occurs when an attacker deliberately listens to private conversations over system communication links. It can provide an attacker with invaluable information when the data is unencrypted or sent in plaintext. Data contained within a network packet might include the following:

  • Usernames & passwords
  • Shared network passwords
  • Node configuration
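The point of the list above is that anything sent in the clear can be read by anyone on the link. As an added example (not code from the original post or from the cited paper), the script below audits a small constructed sample of application-layer lines, as a defender would when reviewing a capture from a test network, and reports every credential that is readable without any decryption. The protocol fields, the sample lines and the hostnames are all constructed for the demonstration.

```python
import base64
import re

# Constructed sample of captured application-layer lines from an unencrypted
# IoT gateway uplink (not real traffic). Lines 1-2 are FTP, line 3 is an HTTP
# Basic auth header, line 5 is a plain HTTP form body.
CAPTURED_LINES = [
    "USER gateway01",
    "PASS s3cr3t-pass",
    "Authorization: Basic " + base64.b64encode(b"node7:pump-room-2").decode(),
    "POST /config HTTP/1.1",
    "ssid=PlantFloor&wifi_key=abcdef123456&mqtt_broker=10.0.0.5",
    "Content-Type: application/json",
]

# Credential-bearing fields that are readable when data travels in the clear.
# Each label maps to a pattern whose first group captures the secret.
CREDENTIAL_PATTERNS = {
    "ftp-user": re.compile(r"^USER\s+(\S+)$"),
    "ftp-pass": re.compile(r"^PASS\s+(\S+)$"),
    "http-basic": re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)$"),
    "form-secret": re.compile(r"(?:^|&)(?:password|passwd|wifi_key|api_key)=([^&\s]+)"),
}


def decode_basic(token: str) -> str:
    """Return 'user:password' for an HTTP Basic token; base64 is encoding, not encryption."""
    return base64.b64decode(token).decode("utf-8", errors="replace")


def find_plaintext_credentials(lines):
    """Return (label, value) pairs for every credential readable in cleartext."""
    findings = []
    for line in lines:
        for label, pattern in CREDENTIAL_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1)
            if label == "http-basic":
                value = decode_basic(value)
            findings.append((label, value))
    return findings


def redact(value: str) -> str:
    """Mask all but the first two characters so an audit report can be shared safely."""
    return value[:2] + "*" * max(len(value) - 2, 0)


if __name__ == "__main__":
    for label, value in find_plaintext_credentials(CAPTURED_LINES):
        print(f"{label}: {redact(value)}")
```

Every finding here is a protocol that should have been wrapped in TLS (or replaced by SFTP/SSH); the HTTP Basic case shows why base64 gives no protection at all. The redaction step matters because the audit output itself would otherwise become a second copy of the secrets.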

A side-channel attack is not easy to implement but is a powerful attack against encryption algorithms. This type of attack can be launched from both the edge node and communication levels. However, a side-channel attack launched from the communication level is not easily defended against, since the method is non-invasive and hard to detect. Another possible attack at this level is the injection of fraudulent packets into communication links, either by inserting new packets into the network or by capturing network packets and manipulating the data they contain.

There are new and emerging challenges to securing IoT systems, such as the dramatic increase in the number of weak links and unexpected uses of data. The increase in weak links is a result of the special characteristics of the devices and of cost decisions by device manufacturers: compact, battery-powered devices with limited storage and computation resources mean that many devices on the market are not able to support secure cryptographic protocols. Lastly, the unexpected uses of environmental or user-related data collected by Internet-connected sensors, made pervasive by IoT technologies, have led to an unwelcome influence of those sensors on everyday living and created privacy concerns for users.

As more developers push new IoT devices and services to the Internet, new IoT vulnerabilities and attacks against users and systems will be discovered. Most systems are designed for a specific application or service, and testing the security of such a system might be complex and time consuming, but it is necessary as the number of new devices deployed to the Internet by manufacturers increases each week. Some security threats might not be as widely recognized as others, but new threats to IoT devices and applications should be addressed by both security professionals and developers to minimize the scope of possible risk to users and devices.


References

Mosenia, A., & Jha, N. (2017). A Comprehensive Study of Security of Internet-of-Things. IEEE Transactions on Emerging Topics in Computing, 586-602.


Ransomware

What is ransomware? By now, most of us know that it ruins your files, mostly pictures, documents and other personally created items, by encrypting them and demanding a “ransom” to decrypt them. Ransomware is vicious malware that locks users out of their devices or blocks access to files until a sum of money, the ransom, is paid. Attacks cause downtime, data loss, major financial loss and intellectual property theft. If an attack makes it through a corporation’s defenses to even one computer, it can affect the entire network by encrypting and locking out files on network shared drives used by all employees, potentially spreading to all computers. Ransomware can enter the network via an email, computer, phone, tablet or USB drive. A file that is on an infected computer or USB drive and is transferred to another computer can also cause infection and propagation. Social media sites can also be used to transfer malware via links and file attachments.


95% of security breaches are due to human error and lack of employee training and knowledge

What can you do?

– Be suspicious of every email you receive. Treat each as a potential threat, especially if there are attachments and links included.

– All of your computers, including Mac computers, should have a reputable antivirus service.

– Don’t share thumb drives on computers you don’t know or if you are not sure they are “clean”.

– Turn on the Windows firewall on your PC.

– Back up your data and secure those backups.

– Be wary of what you are downloading onto your computer.

Quote to Ponder: “Live in the sunshine, swim in the sea, drink the wild air…” Ralph Waldo Emerson

What is cybersecurity?

Cybersecurity, or computer security, is the protection of computer systems from theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. The field is becoming more important due to increased reliance on computer systems, the Internet, wireless networks, and the growth of “smart devices.”


Vulnerabilities and attacks

A vulnerability is a weakness in design, implementation, operation or internal control. Most of the vulnerabilities that have been discovered are documented in the Common Vulnerabilities and Exposures (CVE) database. An exploitable vulnerability is one for which at least one working attack, or “exploit”, exists. Vulnerabilities are often hunted or exploited with the aid of automated tools or manually using customized scripts. To secure a computer system, it is important to understand the attacks that can be made against it. Some of the benefits of cybersecurity are:

  • Business protection against malware, ransomware, phishing, and social engineering
  • Protection for data and networks
  • Prevention of access by unauthorized users
  • Improved recovery time after a breach
  • Protection for end users
  • Improved confidence in the product for both developers and customers


Types of Cybersecurity Threats

The process of keeping up with new technologies, security trends and threat intelligence is a challenging and ongoing task.

#1 – Ransomware: A type of malware that involves an attacker locking the victim’s computer system files, typically through encryption, and demanding a payment to decrypt and unlock them. Paying the ransom does not guarantee that the files will be recovered or the system restored.


#2 – Malware: Any file or program used to harm a computer user or gain unauthorized access.

  • Worms
  • Viruses
  • Trojan horses
  • Spyware

#3 – Social Engineering: An attack that relies on human interaction to trick users into breaking security procedures in order to gain information that is typically protected.

#4 – Phishing: A form of fraud where fraudulent emails are sent that resemble emails from reputable sources; however, the intention of these emails is to steal sensitive data. This is the most common type of cyber-attack.

  • Credit Card
  • Login Information


Tenets of Information System Security

There are three protections that must be extended over information: confidentiality, integrity, and availability (CIA).

Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization.

#1 – Confidentiality (Data Privacy)

It is important that only approved individuals can access important information, protecting the information from everyone except those with rights to access it. Implementing security controls helps reduce the risk of data leaks by defining a set of rules that limits access so that only authorized users can view information.

Put an information technology security policy framework in place that outlines and identifies where security controls should be used. Protecting private data is the process of ensuring data confidentiality, and organizations must apply proper security to this concern. Adopt a data classification standard that defines how to treat data throughout an IT infrastructure.

  • Private data of individuals
  • Intellectual property of businesses
  • Keep data private


#2 – Integrity (Validity and accuracy of data)

Integrity ensures that the information is correct and that no unauthorized person or malicious software has altered the data. Data lacking integrity (inaccurate or invalid) is of no use to users and organizations.

  • Only authorized users can change information
  • Assurance that the information is trustworthy and accurate


#3 – Availability (Data is accessible)

Information is accessible by authorized users whenever they request it, and it has value only if the authorized parties, who are assured of its integrity, can access it. Also, information cannot be locked down so tightly that no one can access it.

The PCI Data Security Standard

The PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. The PCI SSC sets the PCI security standards, but each payment card brand has its own program for compliance, validation levels and enforcement.


Build and Maintain a Secure Network

#1 – Install and maintain firewall and router configuration standards that formalize testing whenever configurations change, and restrict all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment. Identify all connections to cardholder data and review configuration rule sets at least every six months.

#2 – Do not use vendor-supplied defaults for system passwords and other security parameters


Protect Cardholder Data

#3 – Protect stored cardholder data

#4 – Use strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard sensitive cardholder data during transmission over open, public networks
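Requirements #2 and #4 above are the two that are easiest to check mechanically. The script below is an added example, not part of the original post or of any PCI SSC material: it audits a constructed inventory of two hosts for vendor-default credentials and for a TLS floor below 1.2, and builds a client-side TLS context with the corrected setting. The inventory entries, the default-credential list and the threshold of TLS 1.2 are assumptions made for the demonstration; a real audit would take the defaults from vendor documentation and the floor from the organization’s own policy.

```python
import ssl

# Constructed inventory of two hosts in a cardholder data environment (not real systems).
INVENTORY = [
    {"host": "pos-router-1", "user": "admin", "password": "admin", "tls_min": "TLSv1.0"},
    {"host": "pos-gw-2", "user": "svc_pos", "password": "Xq9!kLm2#pVd", "tls_min": "TLSv1.2"},
]

# Constructed sample of vendor-supplied default (user, password) pairs to test against.
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# TLS versions ordered weakest to strongest; anything below the floor fails the check.
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_ACCEPTABLE = "TLSv1.2"


def audit_defaults(inventory):
    """Hosts still using a vendor-supplied default credential (requirement #2)."""
    return [e["host"] for e in inventory if (e["user"], e["password"]) in VENDOR_DEFAULTS]


def audit_tls(inventory):
    """Hosts whose lowest accepted protocol version is below the floor (requirement #4)."""
    floor = TLS_ORDER.index(MIN_ACCEPTABLE)
    return [e["host"] for e in inventory if TLS_ORDER.index(e["tls_min"]) < floor]


def hardened_client_context():
    """Client context that refuses anything older than TLS 1.2 and verifies the peer."""
    ctx = ssl.create_default_context()        # certificate verification and hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_context_summary():
    """Plain-data view of the hardened context, handy for asserting on in a test."""
    ctx = hardened_client_context()
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


if __name__ == "__main__":
    print("default credentials:", audit_defaults(INVENTORY))
    print("weak TLS floor:", audit_tls(INVENTORY))
    print("client context:", hardened_context_summary())
```

The two audit functions are deliberately separate so each maps to one requirement in the report. The context helper is the other half of #4: it is not enough to know which servers accept old protocol versions, the clients inside the environment must also refuse to negotiate them.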


Maintain a Vulnerability Management Program

#5 – Install and regularly update anti-virus software or programs.

#6 – Check that all anti-virus mechanisms are current, actively running, and generating audit logs.


Implement Strong Access Control Measures

#7 – Assign all users a unique user name before allowing them to access system components or cardholder data.

#8 – Limit access to system components and cardholder data to only those individuals whose job requires such access and restrict physical access to cardholder data.


Regularly Monitor and Test Networks

#9 – Track and monitor all access to network resources and cardholder data

#10 – Regularly test security systems and processes


Maintain an Information Security Policy

#11 – Maintain a policy that addresses information security for all personnel


References:

https://www.pcisecuritystandards.org/document_library

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf


The General Phases of a Computer Attack

#1 Reconnaissance (information gathering)

Collect information using different tools to gain all the information available about the target organization, application, or network. This is the longest phase, lasting weeks or months.

  • Internet searches
  • Social Engineering
  • Dumpster diving


#2 Scanning (Finding Exploits)

Once the attacker has found enough information to understand how the system works, the next phase is to find exploitable weaknesses in the target using the information gathered in the reconnaissance phase.

  • Open ports
  • Open Services
  • Default Passwords
  • Vulnerable Applications


#3 Gaining Access (Enter the target)

With the weaknesses found in the scanning phase, the attacker will try to enter the target system using different methods. The attacker must gain access to one or more network devices.

  • Session hijacking


#4 Maintaining Access (accomplish goal)

Once access has been gained to the target, an attacker may want to maintain access to the system or network.

  • Backdoors
  • Rootkits
  • Trojans


#5 Covering Tracks (remove evidence)

The attacker covers their tracks to avoid detection by removing any evidence from the system.

  • Change log files
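Editing log files only works when the logs have no integrity protection, which ties this phase back to the integrity tenet described earlier on this page. The block below is an added example, not code from the original post: it keeps an append-only log as a SHA-256 hash chain, where each entry’s hash covers the previous hash and the entry’s own content, so an edited entry, a deleted entry, or a truncated chain is detected on verification. The event records are constructed for the demonstration, and the scheme assumes the latest chain head is copied somewhere the attacker cannot reach (a remote collector or write-once storage), which is what makes truncation detectable.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain head before any entry exists


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of the previous hash plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain: list, record: dict) -> str:
    """Append a record and return the new chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": entry_hash(prev, record)})
    return chain[-1]["hash"]


def verify_chain(chain: list, expected_head: str = None):
    """Recompute every hash. Returns (ok, index): index is the first entry whose hash
    does not match, len(chain) if the chain was truncated, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, -1


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "event": "login", "user": "alice", "src": "10.0.0.8"},
    {"ts": "2024-01-01T10:05:12Z", "event": "login", "user": "svc_backup", "src": "203.0.113.9"},
    {"ts": "2024-01-01T10:06:30Z", "event": "sudo", "user": "svc_backup", "cmd": "useradd tmp"},
]


def build_chain(events):
    chain = []
    for event in events:
        append_entry(chain, event)
    return chain


def tamper_demo():
    """Show what verification reports for an intact, edited, deleted and truncated chain."""
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]

    edited = copy.deepcopy(chain)
    edited[1]["record"]["src"] = "10.0.0.8"      # rewrite the source address of one entry

    deleted = copy.deepcopy(chain)
    del deleted[1]                                # drop the suspicious login entirely

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated": verify_chain(chain[:-1], head),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

Without the stored head, removing the most recent entries would leave a chain that still verifies, so the head (or a periodic signature over it) is the part that must live off the host. The same chaining idea is what syslog forwarding to a hardened collector and signed audit logs provide in practice.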


Denial of Service (DoS) Attacks

There are many different types of network-based attacks on the Internet today. One of the most common is the denial of service (DoS) attack. A DoS attack is a deliberate attempt to prevent authorized users from accessing a system by overwhelming it with a flow of requests. It is referred to as a distributed denial of service (DDoS) attack if the attacker uses a large group of zombie computers within a botnet, a collection of network-connected computers communicating with other computers, to flood a system with requests. The first ever DDoS attack was demonstrated by hacker Khan C. Smith during the 1998 Defcon conference.

Some methods an attacker may use to initiate a DDoS attack include consuming all the computational resources within a network, disrupting the configuration information within a system, or obstructing the communication media between the intended users’ and the victim’s network so that they can no longer communicate. If a DDoS attack is launched, the following symptoms will be experienced: slow network performance, unavailability of services and resources, and the disruption of physical network components.

The two most common types of DDoS attacks are ping flooding and the Smurf attack. In a ping flood attack, the attacker uses the ping utility to send a flood of packets to multiple networked computers. The ping utility works by a user first sending an Internet Control Message Protocol (ICMP) echo request message to a given host, to which the host responds with an ICMP echo reply message indicating that it is online.

A second type is the “Smurf attack” (or SYN flood attack), in which an attacker tricks computer devices into responding to false requests. A ping request is broadcast to all computers on the network, but the address from which the request originated is changed to that of an unsuspecting victim using a technique called “IP spoofing.” In most cases, DoS attacks involve IP spoofing, forging IP sender addresses so that the location of the attacking machines cannot easily be identified and traced back to the source IP address.
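The two patterns just described leave distinct traces in ICMP traffic, and that is what a network administrator can alarm on. The block below is an added example, not code from the original post or from any of the sources listed under it: it runs three detectors over a constructed set of ICMP records, a per-source echo-request rate check for ping floods, a check for echo requests aimed at a broadcast address, and a check for one host receiving echo replies from many distinct senders (the amplification side of a Smurf attack). The record format, addresses, thresholds and window size are assumptions made for the demonstration.

```python
from collections import defaultdict, deque

# Constructed ICMP records as (timestamp_seconds, src, dst, icmp_type); type 8 is an
# echo request and type 0 an echo reply. None of this is captured traffic.
def make_sample():
    records = []
    # Normal: one host pinging the gateway once per second, replies coming back.
    for t in range(10):
        records.append((t, "10.0.0.5", "10.0.0.1", 8))
        records.append((t, "10.0.0.1", "10.0.0.5", 0))
    # Ping flood: 300 echo requests from one source within two seconds.
    for i in range(300):
        records.append((20 + i / 150, "198.51.100.7", "10.0.0.9", 8))
    # Smurf pattern: requests to the broadcast address carrying the victim's address as
    # the (spoofed) source, and the resulting replies all converging on the victim.
    for i in range(50):
        records.append((30 + i / 25, "10.0.0.9", "10.0.0.255", 8))
        records.append((30 + i / 25, f"10.0.0.{10 + i % 40}", "10.0.0.9", 0))
    return records


WINDOW = 1.0               # seconds
REQUEST_RATE_LIMIT = 100   # echo requests per window from one source
REPLY_SOURCE_LIMIT = 20    # distinct repliers to one host per window


def detect_ping_flood(records):
    """Sources whose echo-request count inside any one-second window exceeds the limit."""
    flagged = set()
    windows = defaultdict(deque)
    for ts, src, _dst, typ in sorted(records):
        if typ != 8:
            continue
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > REQUEST_RATE_LIMIT:
            flagged.add(src)
    return flagged


def detect_broadcast_requests(records):
    """(src, dst) pairs where an echo request targets a directed broadcast address."""
    return {(src, dst) for _, src, dst, typ in records if typ == 8 and dst.endswith(".255")}


def detect_reply_amplification(records):
    """Hosts that receive echo replies from many distinct senders within one window."""
    flagged = set()
    windows = defaultdict(deque)
    for ts, src, dst, typ in sorted(records):
        if typ != 0:
            continue
        q = windows[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if len({s for _, s in q}) > REPLY_SOURCE_LIMIT:
            flagged.add(dst)
    return flagged


if __name__ == "__main__":
    sample = make_sample()
    print("ping flood sources:", detect_ping_flood(sample))
    print("broadcast echo requests:", detect_broadcast_requests(sample))
    print("reply amplification victims:", detect_reply_amplification(sample))
```

The broadcast check is the cheapest of the three and corresponds directly to the standard mitigation of disabling directed broadcasts on routers; the reply-amplification check is what identifies the spoofed victim, since the victim never sent the requests and only the reply pattern reveals it.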

A great online resource for learning how DDoS network attacks are carried out is http://www.digitalattackmap.com. Built through a collaborative effort between Google and Arbor Networks, this site shows a live data visualization of network traffic that matches the signature of daily DDoS attacks from around the world.

In conclusion, it is not possible for a network administrator to defend against all types of DoS attacks. By staying current with network security threats and applying simple network hardening, the risk of network failure from a network-based attack is greatly reduced.

External Sources

http://www.digitalattackmap.com

http://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html

http://en.wikipedia.org/wiki/Denial-of-service_attack

Worm (Write Once Read Many)

A worm (Write Once Read Many) is a standalone malware program that can self-replicate in order to spread to other computers or networks via email, instant messaging, IRC chat, and peer-to-peer network connections. Some of the more modern trends in worm mitigation are packet filters, ACLs in routers and switches, and lastly null routing.

One of the first computer worm attacks was sent over an early version of the Internet, infecting nearly 10% of the UNIX computers belonging to NASA, Berkeley, MIT, Stanford, and the Pentagon. Released on November 2nd, 1988, it was called the “Morris Worm”, named after its designer Robert Morris. An undergraduate at Cornell University experimenting with self-propagating programs, he chose to release the worm from MIT to disguise the fact that it was created at Cornell. Once Robert Morris realized the extent of the damage the worm was doing to the Internet, he contacted a friend at Harvard to discuss how to stop it. The worm took advantage of a hole in the debug mode of the UNIX sendmail program to migrate through the network.

The main difference between a virus and a worm is that a worm does not need to attach itself to an existing program to infiltrate a system, whereas a virus attaches itself to files and requires user interaction to infiltrate the computer. Worms use networks to travel from one computer to another without any user interaction. Worms can be programmed with a payload, code added to the worm to do more than just spread it, which can do any of the following:

  • Delete files
  • Encrypt files (Cryptoviral extortion)
  • Send Documents in an email
  • Install a backdoor on a computer

When a worm installs a backdoor on a computer it becomes a “zombie”, which compromises the computer and allows it to be used remotely to perform any type of malicious task.
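Because a worm travels by contacting many new hosts on the same service port in a short time, its spread shows up on the network as one source fanning out to an unusual number of distinct destinations. The block below is an added example, not code from the original post or from any of the sources it lists: it scores constructed connection records by the number of distinct targets per (source, port) inside a time window, then renders the mitigations the paragraph above names (an ACL entry and a null route) for each flagged source. The record format, addresses, threshold and window are assumptions; the port 135 in the sample echoes the RPC service mentioned later on this page. The ACL and null-route lines use the common IOS-style syntax for illustration and are not taken from any vendor documentation on the page.

```python
from collections import defaultdict, deque

# Constructed connection-attempt records as (timestamp_seconds, src, dst, dst_port).
def make_sample_connections():
    conns = []
    # Normal web client: a handful of distinct servers on 443 over 30 seconds.
    for i in range(6):
        conns.append((i * 5.0, "10.1.0.20", f"10.2.0.{i + 1}", 443))
    # Worm-like spread: one host contacting 60 distinct hosts on port 135 within 3 seconds.
    for i in range(60):
        conns.append((100 + i * 0.05, "10.1.0.77", f"10.1.0.{100 + i}", 135))
    return conns


FANOUT_LIMIT = 30   # distinct destinations per (source, port) before alarming
WINDOW = 60.0       # seconds


def detect_fanout(conns, limit=FANOUT_LIMIT, window=WINDOW):
    """Return {(src, port): max distinct targets seen in one window} for sources over the limit."""
    hits = {}
    recent = defaultdict(deque)  # (src, port) -> deque of (ts, dst) inside the window
    for ts, src, dst, port in sorted(conns):
        q = recent[(src, port)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > limit:
            key = (src, port)
            hits[key] = max(distinct, hits.get(key, 0))
    return hits


def build_acl(hits):
    """IOS-style extended ACL lines blocking the probed port from each flagged source."""
    lines = [f"deny tcp host {src} any eq {port}" for (src, port) in sorted(hits)]
    lines.append("permit ip any any")
    return lines


def build_null_routes(hits):
    """IOS-style null routes that drop all traffic to each flagged source."""
    return [f"ip route {src} 255.255.255.255 Null0" for (src, _port) in sorted(hits)]


if __name__ == "__main__":
    found = detect_fanout(make_sample_connections())
    print("fan-out hits:", found)
    print("\n".join(build_acl(found)))
    print("\n".join(build_null_routes(found)))
```

The cardinality threshold, not the packet rate, is what separates a spreading worm from a busy but legitimate client, which is why the check counts distinct destinations rather than connections. In practice the generated lines would go through change control rather than straight to the router, and the null route is the blunter of the two since it also cuts the infected host off from whatever is needed to clean it.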

Not all worms are bad. There has been a lot of research over the years into designing “good intention” worms that can be used as network diagnostic programs; this research started in order to learn more about worms and how they spread, so that non-malicious worms could be created. John Shoch and Jon Hupp of Xerox researched and designed a worm to allow testing of Ethernet principles on their internal computer networks. Another example was the Nachi worm, which exploited a vulnerability in the Microsoft Remote Procedure Call (RPC) service to search for installed malware on a system and then tried to install a security patch from Microsoft to prevent any further infection.

Programmers and network penetration testers can use worms for either good or malicious purposes. No one can protect themselves from every type of malware or network worm, but with basic computer knowledge and anti-malware software installed on their computer, any user can protect themselves from most types of malware attacks.

External Sources

http://en.wikipedia.org/wiki/Computer_worm

http://www.bbc.co.uk/webwise/guides/internet-worms

http://en.wikipedia.org/wiki/Welchia

http://groups.csail.mit.edu/mac/classes/6.805/articles/morris-worm.html