The popular and sometimes controversial Shodan search engine made some changes recently that drew attention mostly of the latter variety. If you are not familiar with Shodan, it is the self-proclaimed “first search engine for Internet-connected devices” providing information about the connectedness of everything from refrigerators to power plants.
The new capability at Shodan that drew such wide attention was the creation of a section enabling subscribers to search for webcams streaming video openly over port 554 with no authentication. The new-found availability of snapshots from cameras in a variety of public and, in some cases, all-too-private locations has kicked up a new cloud of dust (and wave of concern) around the security and associated privacy issues introduced by the Internet of Things (IoT).
Now, I will be the first to acknowledge that there is something very unnerving about the potential of searching for open streaming cameras, and this news was enough to cause me to take another look at the video cameras I have as part of my home security system. Furthermore, I would never seek to belittle the concerns of the everyday consumer when it comes to matters of privacy and security.
Still, never underestimate the potential of raw emotions to mask or cause us to overlook some separate yet equally important security questions when it comes to the IoT. The advent of billions of connected devices is creating yet another example of the often-forgotten stepchild of the “CIA” triad, ‘availability,’ playing second fiddle to its more drama-laden siblings, ‘confidentiality’ and ‘integrity.’
Risks of connected devices
A simple search for articles related to IoT security will bear this out. This past summer, much of the talk was around the high profile Tesla vulnerability that was showcased at the Black Hat conference. News of this issue was piled onto the existing uproar around software vulnerabilities found in Jeep Cherokees earlier that same month. The notion of someone taking control of our cars while we are driving generates obvious anxiety and calls warranted attention to just how secure the software development lifecycle is for many of these suddenly network-focused manufacturers.
However, another more recent news story caught my eye as an indication of the availability risks posed by the IoT. Just last month, Nest thermostats were found to have a software bug that drained the battery and eventually rendered the device inoperable, causing many customers’ heating systems to shut down in the dead of winter. With this example, two major risks related to availability become evident when we’re talking about the proliferation of IoT devices:
1. The greater importance of network (and device) availability as more and more critical aspects of our lives get moved online.
2. The increased threat posed to critical networks and systems from a potential ‘bot army’ of vulnerable devices.
The second factor highlights a story within this story, namely the inability of our security operations to keep pace with the automation of the threat landscape. We know with certainty that attackers are increasing their use of automation to speed up and generally complicate the process of detecting and mitigating attacks. For instance, in 2015 we saw a two-fold increase in the number of attacks that were very short in duration; what we would call ‘bursty’ attacks. At face value, this might sound like a positive because shorter attacks mean less damage, right? Not necessarily.
In some cases, attack tools have learned to adapt to the means of attack detection in use by many organizations that rely on a sampling of traffic to measure for attacks. By adjusting their attacks to send very large volumes of traffic outside of these sampling windows, they can cause tremendous disruption downstream in networks or application infrastructure while evading detection. This allows them to linger and have a lasting impact until eventually detection comes as a result of system failure.
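To make the sampling-window weakness concrete, here is an added example (not part of the original article, and not any vendor's product code) that models a constructed 120-second traffic timeline with short floods placed between the sampling windows. The packet rates, window length, sampling period and threshold are all assumed values chosen for illustration. It compares a detector that only inspects a few seconds of traffic every sampling period against one that evaluates every second, and reports how much flood traffic the sampled detector never saw.

```python
"""Sampling-window vs. continuous volumetric detection on a constructed timeline.

Every number below is an assumption for illustration, not a measurement.
"""
from typing import List, Tuple

BASELINE_PPS = 1_000     # constructed: normal packets-per-second on a quiet link
BURST_PPS = 50_000       # constructed: rate during a short flood
THRESHOLD_PPS = 10_000   # constructed: rate above which an alert should fire


def build_timeline(seconds: int = 120,
                   burst_starts: Tuple[int, ...] = (7, 37, 67, 97),
                   burst_len: int = 3) -> List[int]:
    """Per-second packet counts: flat baseline with short bursts.

    The default burst_starts deliberately fall just after each 30-second
    sampling window closes, which is the evasion pattern described above.
    """
    counts = [BASELINE_PPS] * seconds
    for start in burst_starts:
        for t in range(start, min(start + burst_len, seconds)):
            counts[t] = BURST_PPS
    return counts


def sampled_detector(counts: List[int], period: int = 30, window: int = 5,
                     threshold: int = THRESHOLD_PPS) -> List[int]:
    """Detector that only looks at the first `window` seconds of every `period`.

    Returns the seconds at which it observed traffic above the threshold.
    Anything outside the sampling window is invisible to it.
    """
    return [t for t, pps in enumerate(counts)
            if t % period < window and pps > threshold]


def continuous_detector(counts: List[int],
                        threshold: int = THRESHOLD_PPS) -> List[Tuple[int, int, int]]:
    """Detector that evaluates every second and groups consecutive hot seconds.

    Returns (start_second, duration_seconds, peak_pps) for each burst found.
    """
    bursts: List[Tuple[int, int, int]] = []
    start = None
    peak = 0
    # Trailing sentinel of 0 pps closes a burst that runs to the end of the data.
    for t, pps in enumerate(counts + [0]):
        if pps > threshold:
            if start is None:
                start, peak = t, pps
            peak = max(peak, pps)
        elif start is not None:
            bursts.append((start, t - start, peak))
            start = None
    return bursts


def flood_packets(counts: List[int], threshold: int = THRESHOLD_PPS) -> int:
    """Total packets delivered during seconds that exceeded the threshold."""
    return sum(pps for pps in counts if pps > threshold)


if __name__ == "__main__":
    timeline = build_timeline()
    print("sampled detector saw:   ", sampled_detector(timeline))
    print("continuous detector saw:", continuous_detector(timeline))
    print("flood packets on the wire:", flood_packets(timeline))
```

With the default timeline the sampled detector returns an empty list while the continuous detector reports four three-second bursts, so roughly 600,000 flood packets reach the downstream infrastructure without a single alert. Moving one burst into a sampling window (for example `build_timeline(burst_starts=(2,))`) makes the sampled detector fire, which is exactly the behaviour an adaptive tool learns to avoid; the practical lesson is that volumetric detection has to be continuous, or at minimum its sampling schedule must not be predictable.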
Another reason that ‘bursty’ attacks should be cause for concern is that they are often an indication of an automated bot testing various attack tactics and vectors until it finds one that works. Additionally, these automated tools can be used to test multiple attack targets against a given attack vector until they find one that cannot defend from the attack, at which point they become the primary target of the campaign and endure more sustained attacks from a proven tactic.
With such clear advances and growth of automated bots in the threat landscape, surely most in the security arena must be quickly adapting to respond, right? Sadly, this is not the case, and most organizations are not keeping up in their use of automated security tools. Each year, we survey several hundred IT security and operations professionals to understand trends around both the threat environment and best practices for protection.
State of automation in security operation
This year we asked some specific questions about the state of automation in security operation. Over 80% of those we surveyed say their security tools require a medium to high rate of manual tuning, which really means they cannot effectively protect against new attacks until a human being makes a decision. Over the past two decades, the security industry has put an enormous amount of energy and investment in tools that visualize the threat landscape and consolidate disparate security information, alerts, etc. in an effort to streamline the decision process for security professionals.
These steps have had a substantially positive impact on the ability of organizations to improve responsiveness to new or even forthcoming threats. However, the time has come for the security industry to take the next step in this process, which means understanding that there are situations where the human has to be removed from the loop altogether to keep pace with an automated attack lifecycle.
To fight the pace of development and adoption of IoT devices is to fight a losing battle. History has shown us time and time again that despite security concerns, many consumers will adopt new technologies and gradually accept a sacrifice of security and privacy for everyday convenience. This means that the burden of ensuring critical aspects of network or system availability in the face of the potential ‘bot army’ will fall largely to those running the networks. For those of you in this unfortunate reality, it’s time to recognize that the very automation that is complicating the threat landscape is also the answer to the problem. The security professionals best equipped for this future are those who today are exploring, implementing and trusting automated security protections.