Evolving threat landscape means we need to think differently
McAfee's CTO, Steve Grobman, says "The industry needs to think about threats differently. It's not just about malware. We need to think about the types of environments that are going to be impacted".
Whereas threats used to be considered in terms of the single device they attacked or breached, the shift to cloud and multi-tenant environments, together with a far greater variety of endpoint devices, is forcing everyone to rethink their security plans.
"We have to think about non-traditional devices. If we haven't learned anything other than the criticality that cybersecurity matters for the very cheap to the very expensive from the Dyn incident, it's critical that we think about that," adds Grobman.
Grobman says manufacturers must look at the entire security lifecycle of every device, from the very cheap to the very expensive. He demonstrated three different devices being breached in a private briefing at the recent Intel Focus conference.
The devices, a WeMo Insight Switch, an Almond router and a Kenwood car stereo head unit, were all exploited by Grobman. While the attack on the switch caused only a minor irritation (a lamp was switched on and off repeatedly), the router was hit with ransomware that rendered it useless, and the head unit was compromised so that its interaction with in-car systems was affected.
Brian Krebs, whose site was knocked offline by a DDoS attack launched from vulnerable IoT devices, has published a list of the devices that were used. The list was derived from an analysis of the usernames and passwords the Mirai malware uses to log into them.
However, there are also devices in homes and offices that run firmware written with no network in mind, and have had connectivity added to them later.
"I think that's a big part of the problem that we see in IoT," says Grobman. "Many devices or components were developed with the assumption they would never have external connectivity. The fact there's a vulnerability in firmware that's never connected doesn't really matter".
But as connectivity is added to these devices, that firmware becomes a new attack surface. And pressure on manufacturers to keep device prices low means security is routinely overlooked.
This is why a new approach is needed, says Grobman.
As well as the explosion of IoT, enterprises are increasingly reliant on new architectures in shared-service environments. For example, the use of container engines to deliver services has changed how applications are secured.
Today, if someone needs a web server, instead of provisioning a server and installing an operating system and web server software, service providers deliver a very small-footprint container that runs the web server on a minimal code base comprising only the bare essentials. This shrinks the attack surface of the workload significantly, although the container still shares the host kernel with every other tenant, which is why escapes remain the concern.
Grobman says "For the highly reputable service providers, they do a good job in running security assurance programs to minimise the risks that there will be escapes from containers".
But he notes there have been attacks in the past that managed to break out of virtual machines, so it is important to remain vigilant and keep improving security.
"Every time we've added a new security architecture, it eventually has vulnerabilities," says Grobman. "There's no reason to think we won't see issues over time".
As organisations embrace these new technologies, their risk posture will change, and their security programme will have to evolve continually with it.
In addition, the ability for containers and virtual machines to be spun up, used and destroyed, sometimes within seconds, for specific tasks makes forensic detection and investigation more difficult. Once a container is destroyed, its writable layer and in-memory state are gone, so the only evidence left is whatever was logged off the host while it ran. The same processes we use to improve security can be exploited by threat actors to cover their tracks.
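One practical response to the forensic problem above is to treat the container runtime's event stream as evidence in its own right and to flag containers that were created and destroyed faster than an investigator could ever have looked at them. The following is an added example, not code from the page or from McAfee or Intel. The event format loosely follows the shape of `docker events` output (timestamp, object type, action, id, key=value attributes); the sample lines, the 60-second threshold and the image allowlist are all constructed assumptions.

```python
"""Flag short-lived containers in a runtime event stream.

Added example, not code from the page or from McAfee/Intel. The event
format loosely follows `docker events` output (timestamp, object type,
action, id, key=value attributes); the sample lines, the 60-second
threshold and the image allowlist are all constructed assumptions.
"""
import re
from datetime import datetime, timezone

# Constructed sample: two long-running service containers and one
# throwaway container that exists for eight seconds and is then destroyed.
# The "network" line is there to show that non-container events are skipped.
SAMPLE_EVENTS = """\
2016-11-14T09:12:01Z container create 3f1a2b image=nginx:1.11 name=web-1
2016-11-14T09:12:02Z container start 3f1a2b image=nginx:1.11 name=web-1
2016-11-14T09:12:40Z container create 9c0d4e image=alpine:3.4 name=heuristic_bell
2016-11-14T09:12:41Z container start 9c0d4e image=alpine:3.4 name=heuristic_bell
2016-11-14T09:12:47Z container die 9c0d4e image=alpine:3.4 name=heuristic_bell exitCode=0
2016-11-14T09:12:48Z container destroy 9c0d4e image=alpine:3.4 name=heuristic_bell
2016-11-14T09:15:00Z container create 77aa11 image=redis:3.2 name=cache-1
2016-11-14T09:15:01Z container start 77aa11 image=redis:3.2 name=cache-1
2016-11-14T09:15:30Z network connect 5e5e5e container=77aa11 name=bridge
2016-11-14T10:30:00Z container die 3f1a2b image=nginx:1.11 name=web-1 exitCode=0
2016-11-14T10:30:01Z container destroy 3f1a2b image=nginx:1.11 name=web-1
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+container\s+(?P<action>\w+)\s+(?P<id>\w+)\s*(?P<attrs>.*)$"
)


def parse_events(text):
    """Turn raw event lines into dicts; lines for other object types are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split() if "=" in kv)
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "action": m.group("action"),
            "id": m.group("id"),
            "image": attrs.get("image"),
            "name": attrs.get("name"),
        })
    return events


def container_lifetimes(events):
    """Per container id: image, name and seconds between create and destroy.

    lifetime_s stays None for containers that have not been destroyed yet.
    """
    out = {}
    for ev in events:
        rec = out.setdefault(ev["id"], {"image": ev["image"], "name": ev["name"],
                                        "created": None, "destroyed": None, "lifetime_s": None})
        if ev["action"] == "create":
            rec["created"] = ev["ts"]
        elif ev["action"] == "destroy":
            rec["destroyed"] = ev["ts"]
        if rec["created"] is not None and rec["destroyed"] is not None:
            rec["lifetime_s"] = int((rec["destroyed"] - rec["created"]).total_seconds())
    return out


def short_lived(events, max_seconds=60, allowed_images=()):
    """IDs of containers destroyed less than max_seconds after creation,
    excluding images this environment is known to spin up briefly by design."""
    flagged = []
    for cid, rec in container_lifetimes(events).items():
        if rec["lifetime_s"] is None:
            continue  # still running: its filesystem can still be captured
        if rec["lifetime_s"] < max_seconds and rec["image"] not in allowed_images:
            flagged.append(cid)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for cid in short_lived(evs):
        rec = container_lifetimes(evs)[cid]
        print(f"short-lived container {cid} ({rec['name']}, {rec['image']}) "
              f"lived {rec['lifetime_s']}s; only these event records survive")
```

The detection is deliberately simple: by the time the `destroy` event arrives there is nothing left to image, so the value lies in shipping the event stream off the host as it is produced and in tuning the allowlist so that legitimate batch jobs do not drown out the one container an attacker used for a few seconds.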