ISSA Journal
August 2016

Volume 14 Issue 8

Internet of Things: Trust • Internet of Things: Security, Privacy and Governance • Internet of Things: Arduino Vulnerability Analysis • Internet of Things: Key Challenges to Overcome • Cloud Dilemma?

Machine Learning: A Primer for Security

INTERNET OF THINGS

Table of Contents

DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Feature

14 Machine Learning: A Primer for Security
By Stephan Jou – ISSA member, Toronto Chapter
The author examines how machine learning can be leveraged to address the practical challenges of delivering lower-cost security by resolving more threats faster, with fewer resources. It will focus on machine learning security techniques that work at typical levels of data volumes, from those operating with “small data” to those implementing data lakes.

Articles

22 Internet of Things: Trust
By R. S. Tumber – ISSA member, UK Chapter
This article discusses the fundamental element of the Internet of Things being overlooked: Trust. As billions of devices come online, IoT will increase the potentially staggering attack surface. It will be paramount to protect the keys and certificates for authentication, validation, and access control in order for IoT to be a trusted participant in our information world.

27 Internet of Things: Security, Privacy and Governance
By Regner Sabillon – ISSA member, Alberta Chapter
This article reviews the history, concepts, and major concerns with the Internet of Things in terms of governance, privacy, ethics, data collection, and security.

32 Internet of Things: Arduino Vulnerability Analysis
By Audrey Ann Gendreau – ISSA member, Tampa Bay Chapter
This article examines the vulnerabilities to the security of physical computing interactive systems designed to sense and respond to a physical phenomenon, focusing on the Arduino microcontroller.

36 Internet of Things: Key Challenges to Overcome
By Aditya Srivastava – ISSA member, Dehradun Chapter
This article introduces the Internet of Things and discusses security and privacy challenges when networking these devices.

40 Cloud Dilemma?
By Alen Ilic – ISSA member, New York Metro Chapter
This article explores issues in relation to the Cloud, both private and public, for storage and operational needs of our information systems.

Also in this Issue

3 From the President
4 [email protected]
5 Sabett’s Brief: The IoT, Vintage 2016
6 Herding Cats: The Internet of Threats
7 Open Forum: Architecture 101
8 Security in the News
9 Perspective: Women in Security SIG – Internet of Things – A Veritable Smorgasbord of Privacy, Security & Trust Challenges
10 Association News

©2016 Information Systems Security Association, Inc. (ISSA). The ISSA Journal (1949-0550) is published monthly by Information Systems Security Association, 12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190. 703-234-4082 (direct) • +1 866 349 5818 (USA toll-free) • +1 206 388 4584 (International)

2 – ISSA Journal | August 2016

From the President

Greetings ISSA Members
Andrea Hoy, International President

International Board Officers

President: Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice President: Justin White
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors
Frances “Candy” Alexander, CISSP, CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Garrett D. Felix, M.S., CISSP, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
Alex Wood, Senior Member
Keyaan Williams
Stefano Zanero, PhD, Fellow

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government. The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

As I sit at Black Hat and watch the passing of thousands of attendees honing their skills or perhaps increasing their knowledge base in a different area of cybersecurity, I am reminded of the changes our industry has gone through over the years. In looking at what new challenges we have been asked to address with the Internet of Things (IoT), some are more compelling than others. Crucial is the issue of where privacy and security meet. Ask folks if they put their location on their smartphone/smartwatch and proceed to use Google Maps to get quick directions; in most cases you will get a “Yes, why wouldn’t you?” Are you using GasBuddy to find cheap gas? How about the challenges of health care, where a device provides real-time data via satellite to add to a big data database of symptom scenarios and then adjusts the amount of oxygen or air that comes through your CPAP (continuous positive airway pressure) machine? How about ensuring the integrity of data from a heart monitor to a pacemaker or other critical device like an iron lung? What about standards for identifying data and patients as well as authentication issues from multiple facilities for health information exchange? We know that personal devices such as FitBits and Jawbone have been well received, but even the FBI and DHS have identified IoT-connected medical devices as potential points of entry for hackers.

Some of the first devices for the home had washers and dryers talking to each other to determine how long to dry the clothes. Interconnected devices (e.g., physical security, motion sensor lighting, stereo, front door video doorbells) throughout the home have grown in popularity. Cars have been high on the IoT radar. At DefCon, the Car Hacking Village keeps growing, providing new areas to be mindful of in our pursuit of security—this year there were sessions dedicated to IoT. To those attending and presenting, many devices for home use still lack security, putting consumers at risk.

So, for cybersecurity professionals a few things have changed, but others remain the same. What has changed? Many devices now state what they do from a security perspective in their marketing. What has remained the same? Many do not consider security as a necessity prior to product release, similar to what we have seen in the introduction of new technologies of the past. What is refreshing? Meeting first timers interested in learning about cybersecurity as a career change, wanting to talk to other practicing professionals, and of course interested in ISSA as the international community of choice for cybersecurity professionals dedicated to advancing individual growth, managing technology risk, and protecting critical information and infrastructure.

As I sort through the many contacts I made who were interested to learn more about ISSA, I may be reaching out to some of you personally to provide a local resource and introduction to your local chapter. Thank you in advance!

Enjoy the Olympic Games in Rio. Having participated in the security of the Los Angeles Summer Olympics, I can truly say that I admire the challenges these athletes go through to get to represent their country on the world stage. The energy you get from being there is difficult to describe; you must experience it.

Moving forward,


[email protected]

Internet of Things
By Thom Barrie – Editor, the ISSA Journal

Let me start out with this: I’m really pleased with this issue, how nearly every article ties into the theme: the Internet of Things. Machine learning takes inputs from myriad sensors, the Arduino is one of the “things,” and the Cloud is its backbone. With all the product hype and visionary promise, there is also a lot of security uncertainty and questionable privacy concerns with this Internet of Things. It is certainly in the early stages—as the child-like “machine” on the cover depicts—and I think Randy Sabett sums it up nicely: “we have many more questions than we have answers, much more speculation than real data, and far less insight into the legal implications.” In addition, over half the feature articles represent academia: one current university student, one recent graduate, one PhD candidate, and one university researcher.

Stephan Jou leads in with “Machine Learning: A Primer for Security.” He starts with a fairly simple example—it is a primer after all—and takes it to the ultimate sensory input: the data lake. Machines, of course, never tire of doing the same old same old, stepping through millions/billions of events and inputs, discerning patterns that will trigger alerts for the infosec professional to dig into.

The IoT articles tackle challenges, concerns, and trust, aspects of the visionary promise that are left to infosec to pick up and safeguard the pieces. When you read stories of cars being hacked and taken over, medical devices being hacked and taken over, “smart” houses being hacked...you get the picture. There certainly are challenges, concerns, and trust issues in this space of every thing. Of course, I’m just one guy, not much of a target at that. It’s not like I’m sitting on a juicy enterprise network. But that’s not how Branden looks at it in Herding Cats. Check out his “war” with IoT providers in his humble domicile. We know of the CISO not sleeping at night. Does it have to come down to the lord of his castle as well? It’s not so far-fetched.

Just check out Audrey Gendreau’s “Internet of Things: Arduino Vulnerability Analysis,” in which she, yes, analyses Arduino vulnerabilities. The Arduino microcontroller, coupled with a Raspberry Pi, is a microcosm of the commercial IoT space. While predominantly in the hobbyist/hacker [in the good sense] space, Audrey puts the Arduino through the paces and it comes up wanting; just like devices being foisted upon the clamoring masses?

As you work through this issue, let me know what you think. Our last issue did garner one outraged reader comment that I hope to share with you next issue.

Enjoy,
Thom

Editor: Thom Barrie, [email protected]
Advertising: [email protected], 866 349 5818, +1 206 388 4584

Editorial Advisory Board
Phillip Griffin, Fellow
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory
Website: [email protected], 866 349 5818, +1 206 388 4584
Chapter Relations: [email protected], 866 349 5818, +1 206 388 4584
Member Relations: [email protected], 866 349 5818, +1 206 388 4584
Executive Director: [email protected], 866 349 5818, +1 206 388 4584
Advertising and Sponsorships: [email protected], 866 349 5818, +1 206 388 4584

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader. Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components. The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members. ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org. All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

Sabett’s Brief
The IoT, Vintage 2016
By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter

One of my columns last year about the IoT began with a reference to the Pee Wee Herman movie because of his reference to “INFINITY” and the notion of the IoT going through a similar expansion…OK, if you must, here is the clip. I wrote back then that “[w]hile there is no doubt that the number of connected devices continues to increase exponentially, does the fact that a [fill in the blank with your favorite appliance] can connect to the Internet necessarily mean that the [favorite appliance] needs to be or should be connected to the Internet?” One year later, we are seeing some new issues but also much of the same points as before. As a result, I am going to be lazy and recycle last year’s column on IoT.

Many commentators predict that the vast technological changes brought on by the IoT will cause correspondingly vast changes in our societal fabric. I believe the jury is still out on that one. Given the concerns over governmental tracking and surveillance brought on, in part by Mr. Snowden, consider whether everyone (or even a minority of people) will be comfortable with having their weight detected when they walk into the grocery store and stare at the donuts in aisle 7. No, that last scenario is not fiction. According to one of my panelists during a presentation on privacy and cybersecurity that I moderated last month, technology under development will contain sensors designed to detect when specific people stop in front of a particular retail display. That’s right—they will be able to tell a lot more than just that it’s a 150-pound person standing in front of the donuts. Through a variety of data points (e.g., person’s gait, time of day, time spent in front of the display, etc.) they will be able to tell who the person is, at least to a fairly high degree of certainty. Not necessarily the identity of the person right away, but that it’s the same person that was there on some previous occasions.

While privacy concerns are obvious, the security concerns become almost mind boggling when considering big data tools for mining data. For example, combining loyalty card history with the weight sensor data, a store might be able to start correlating the information. Further, they might be part of an advertising network that would feed such information to donut advertisers. Would such a company think to protect such data? Would they be required to? If so, how and to what level? Let’s take it a step further. What if the company installs video sensors in the store? According to research from HSRC, the global market for video analytics could reach $22B in the next five years. Things easily could go well beyond the supermarket donut aisle. This is not new. Take a look at this 2004 video that I mentioned last year in a column on big data.

We’ve had years of data breaches involving credit card numbers, but the controls built into the system (e.g., Reg. E and Reg. Z, the PCI DSS, and data breach notification laws) have kept actual damages to an artificially tolerable level. Similarly, the loss of intellectual property experienced by numerous companies has been chalked up, rightly or wrongly, as a cost of doing business. What happens when analytics capabilities reach never before heard of levels and individual consumers can be targeted, isolated, analyzed, and correlated in ways for which we haven’t even imagined? What happens to liability in such situations? Well, I may have outdone any of my previous columns in terms of the number of rhetorical questions I’ve asked. But that’s the thing about the IoT—at this point we have many more questions than we have answers, much more speculation than real data, and far less insight into the legal implications as compared to the technical implications. Well, I’m going to stop worrying about that because I’m off to watch Pee Wee Herman’s Big Adventure and have a donut…and no, my local supermarket doesn’t know I’m eating one – my wife bought this box.

About the Author
Randy V. Sabett, J.D., CISSP, is Special Counsel at Cooley LLP (www.cooley.com), and a member of the Boards of Directors of ISSA NOVA and the Georgetown Cybersecurity Law Institute. He was a member of the Commission on Cybersecurity for the 44th Presidency, was named the ISSA Professional of the Year for 2013, and can be reached at rsabett@cooley.com.

Herding Cats
The Internet of Threats
By Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter

I was giving a talk about mobile devices recently in Austin, and the conversation of IoT came up. I’m not sure you can go very far in a modern economy without running into an IoT device. Someone asked me how I treat IoT devices in my house since I was on stage talking about the threats of these devices in the enterprise.

A few years after I got started in information security, I was put in charge of managing some firewalls for a few enterprises. I spent a lot of time learning the cryptic language of Cisco’s PIX firewall, eventually got a Checkpoint certification, and managed a number of other types of firewalls. I’m a firm believer that you learn by playing (and sometimes breaking) high-tech toys, so I ended up building a multi-zone firewall at my house. I did it more to see what it would be like to manage multiple zones with varying security levels on my own. Granted, my scale was much smaller than many of my clients, but I was doing it better and with fewer resources. My experiences here helped me break the ice with clients who, oftentimes, were frustrated with the ever-increasing demands on their teams and found that the easiest thing to do was to push back on a consultant.

So, back to the question at hand: how do I handle IoT devices in my house? Well, for starters, I don’t trust them. This year has been the year of electronification[1] of the house in which I replaced a number of standard systems with Internet-enabled versions. I’ve had some level of home automation for more than a decade, but this year we are really stepping outside the constructs of Zigbee networking and moving to devices that are essentially Wi-Fi+App enabled. I’ve put them all on their own segment to launch attacks against each other—away from the laptops used by the wife and kids.

There is a particular pay TV service that really cracks me up. They “embrace” networking and make bold claims about how you can stream to any of the devices in your home. Except, we’re at war with each other in my house. My side of the war? You can’t access my devices. You can get access to the Internet to get the guide and stream some content, but that’s all. My devices can access you, however, if they so choose to. Their side of the war? Your devices must be on the same subnet in order to stream. I get it; they are trying to sell their “watch me anywhere, even away from the house” service for an additional fee, and allowing across subnets might jeopardize that. So they don’t trust me to live within the bounds of my agreement, and I don’t trust them to maintain secure systems in my house.

I’m less concerned about being specifically targeted, and more concerned about becoming part of a botnet. Given the recent slew of vulnerabilities that affect software on embedded systems, I don’t feel like I’m being unreasonable. So instead, it’s time to brush up on my NAT skills and get some creative routing in place to subvert that control. Is this the most secure option? Nope. If I were in a corporate environment, I’d probably do things a little bit differently (provided the devices could support additional security controls—many of them cannot). Things like isolating each vendor into its own VLAN or segment, preventing cross talk, potentially even adding additional filtering on the kind and content of their traffic are all key items that are not in place at my house, but should probably be in place on a corporate network with IoT devices.

Every security person is familiar with the security/functionality continuum. We learn this early in our training. The most secure systems have no functionality, and the most functional systems have no (or little) security. IoT pushes us toward the functionality end of the continuum by enabling devices we rely on every day to become smarter, thus becoming bigger contributors to our daily lives. Possibly one of the biggest examples is the smart pedometer, which not only tracks our steps every day, but builds a community of individuals who can challenge themselves to get healthier and stronger. As you roll out your versions of smart pedometers in your organization, do so mindfully. Choose vendors who invest in security, and build additional controls around them to keep the rest of your world safe.

About the Author
Branden R. Williams, DBA, CISSP, CISM, is the CTO, Cyber Security Solutions at First Data, a seasoned security executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.

[1] Hey, I can make up a word just as easily as someone else!
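The zone policy the column describes (IoT devices on their own segment, allowed out to the Internet but not across to the family laptops, while the trusted side may still reach them), extended to the per-vendor segment isolation, cross-talk prevention and traffic filtering it recommends for corporate networks, as an added nftables example. This is not the column's own configuration and not the author's router: the interface names, the two vendor segments and the optional port allow-list are assumed placeholders, and the script only prints the ruleset for review rather than applying it.

```shell
#!/bin/sh
# Added example, not the column's own configuration: an nftables ruleset that
# puts IoT devices in their own zones, lets them reach only the Internet, and
# lets the trusted LAN initiate towards them. Interface names, vendor segments
# and the port allow-list are assumed placeholders; adjust to the real router.
LAN_IF="${LAN_IF:-lan0}"                  # trusted segment: family laptops
WAN_IF="${WAN_IF:-wan0}"                  # uplink to the ISP
IOT_IFS="${IOT_IFS:-iot_tv iot_cam}"      # one VLAN/segment per IoT vendor
# Optional corporate-style filtering: restrict IoT -> Internet to these TCP/UDP
# ports. Leave both empty (the home default) to allow all outbound IoT traffic.
IOT_WAN_TCP="${IOT_WAN_TCP:-}"
IOT_WAN_UDP="${IOT_WAN_UDP:-}"

# Emit the ruleset as an nft script. Apply it with: gen_iot_ruleset | nft -f -
gen_iot_ruleset() {
  printf 'table inet iot_zones {\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  # Replies to connections opened from the trusted side come back statefully;
  # the IoT side never gets to open a connection inwards.
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  # Trusted LAN may use the Internet and may reach every IoT segment.
  printf '    iifname "%s" oifname "%s" accept\n' "$LAN_IF" "$WAN_IF"
  for iot in $IOT_IFS; do
    printf '    iifname "%s" oifname "%s" accept\n' "$LAN_IF" "$iot"
  done
  for iot in $IOT_IFS; do
    # IoT -> Internet: either everything or only the allow-listed ports.
    if [ -z "$IOT_WAN_TCP" ] && [ -z "$IOT_WAN_UDP" ]; then
      printf '    iifname "%s" oifname "%s" accept\n' "$iot" "$WAN_IF"
    else
      if [ -n "$IOT_WAN_TCP" ]; then
        printf '    iifname "%s" oifname "%s" tcp dport { %s } accept\n' "$iot" "$WAN_IF" "$IOT_WAN_TCP"
      fi
      if [ -n "$IOT_WAN_UDP" ]; then
        printf '    iifname "%s" oifname "%s" udp dport { %s } accept\n' "$iot" "$WAN_IF" "$IOT_WAN_UDP"
      fi
    fi
    # IoT -> trusted LAN and IoT -> another vendor's segment: logged, then
    # dropped. The log prefix is the detection hook: a device that starts
    # probing inwards is a sign it has been compromised or conscripted.
    printf '    iifname "%s" oifname "%s" log prefix "iot-to-lan " drop\n' "$iot" "$LAN_IF"
    for other in $IOT_IFS; do
      [ "$other" = "$iot" ] && continue
      printf '    iifname "%s" oifname "%s" log prefix "iot-crosstalk " drop\n' "$iot" "$other"
    done
  done
  printf '  }\n'
  # Source NAT for everything leaving on the uplink (ordinary home-router NAT).
  printf '  chain postrouting {\n'
  printf '    type nat hook postrouting priority 100; policy accept;\n'
  printf '    oifname "%s" masquerade\n' "$WAN_IF"
  printf '  }\n'
  printf '}\n'
}

# Print the generated ruleset so it can be reviewed before it is applied.
gen_iot_ruleset
```

Because the forward chain's default policy is drop, every permitted path is an explicit accept and any device-initiated traffic toward the laptops or toward another vendor's segment hits a logging drop rule; grepping the kernel log for the `iot-to-lan` and `iot-crosstalk` prefixes is the cheapest botnet indicator this layout offers. Setting `IOT_WAN_TCP`/`IOT_WAN_UDP` turns on the outbound allow-list the column suggests for corporate deployments, at the cost of breaking devices that need more than the listed ports.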

Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

Architecture 101
By Mark Kadrich – ISSA member, Silicon Valley Chapter

Enterprise security is a battle. If we want to win, we need to change how we think! Should we declare war on hackers, spies, and thieves? No. That’s fighting the same battle we’ve been fighting since the beginning. We need to change our approach to one that is a bit more expansive in scope than the present “what is the vendor du jour for today” approach we’ve been executing for the last 35 years! We need to start thinking that our data security solutions should be integrated in a way that predicts outcomes in a measurable way. We need to start with a set of operating principles that govern how we make decisions during an engineering effort and how we execute against those decisions.

A documented set of operating principles
This would seem like a brain-dead assumption, but most groups run off to engineer something without the discipline of actually coming up with a plan. A documented set of operating principles enables the group to detect and manage scope-creep. This would mean ignoring the “threat du jour” and keeping your eye on the horizon. You may be considering a cloud architecture or an internal solution. You may have a hybrid. Whatever the decision, you should pick one and plan for it!

An agreed upon set of desired architectural behaviors
So, what do we want our security architecture to do? Do we want it to detect? Do we want it to deter? Do we want it to prevent? Do we want something aggressive or passive? How fast do we want it to be? How sensitive do we want it to be? Keep in mind that NO security solution is perfect and we will always be dealing with hackers, spies, and thieves. That means new threats. Do you want to be able to detect a change in how you react to those threats? In short, can you postulate how the system will react when placed under stress and can you verify that behavior?

A policy foundation that is used to measure minimal compliance
Policy. Policy. Policy. Without it, we are but a piece of driftwood being driven at the will of the currents. Policy drives the foundation for all other decisions. Without policy, what are you spending money on security for? You need the policy to create that baseline of desired behaviors. For example, it is company policy not to give hackers, spies, and thieves access to the company jewels. Now, how do you execute against that?

A documented security architecture that is NOT vendor specific
One of the first questions I ask potential customers is “can you show me your security architecture?” In more times than I can recall, the immediate answer is either “McAfee” or “Symantec.” Ignore the fact that the answer is actually not addressing the question, the amount of signal in those answers is immense. And scary. If you can’t answer the first question, how can you even get to the follow on questions? Such as: How does this security technology integrate into the IT infrastructure? What are the various domains of protection? Where is the critical data and can you even draw a line around it? (Don’t get me started on that no-perimeter nonsense.) If you’re using a cloud solution, how does it interface with your existing security tools, processes, and procedures? How well do those interfaces work?

A documented test and evaluation process
I should also add >exercised< here. If you have spent the money to build a security solution, how do you know that it’s actually working as planned? Those annual evaluations? Right. Every single organization that has suffered a major attack can hold up a document that says they were either HIPAA-compliant or passed a PCI audit. THIS IS NOT TESTING THE SYSTEM! Penetration testing is NOT TESTING THE SYSTEM!! Testing the system means injecting a signal into it and seeing how the system, including ALL of your security vendors, react to it from end-to-end. How long does this take? How sensitive is it? How long until you can detect the threat? How long until you can even notify the right people that you’re under attack?

There are more, but these should get you started. By following these basic engineering principles, you can engineer solutions that meet your organization’s requirements, build in some innovation tolerance (or even, gasp, acceptance!), and provide some sorely needed budgetary predictability. That last part is pretty important to your CFO, your board, and your CEO. By having a plan and being able to show progress against it, you should be able to manage costs in a much more predictable way while protecting your corporate data and building a trustworthy data environment. Now that’s progress!

About the Author
Mark Kadrich, CISO, San Diego Health Connect, has 30+ years working in the security community, building knowledge, and contributing solutions. He may be reached at [email protected].

Security in the News

News That You Can Use…

Compiled by Joel Weise – ISSA Distinguished Fellow, Vancouver, BC, Chapter and Kris Tanaka – ISSA member, Portland Chapter

Report: Fueled by IoT Devices, DDoS Attacks Rising in Size and Frequency http://fedscoop.com/ddos-attacks-arbor-networks-2016.

You might not be worried about hackers gaining access into a single IoT device, but what happens when they start stringing hundreds or thousands of them together? Experts report that distributed denial of service attacks are on the rise, due to IoT devices that generate Internet traffic but are often poorly secured. Here is yet another reason why cybersecurity needs to be an important part of the Internet of Things design process—baked in, not bolted on.

Home Entertainment Tops IoT Security Fears List

http://www.infosecurity-magazine.com/news/home-entertainment-tops-iot/. Televisions, watches, and cars seem harmless, don’t they? But thanks to their ability to connect to the Internet, they are beginning to create more sleepless nights for security professionals. How do you keep your fears in check? Remember the basics—patch often and use strong passwords.

UL Bringing “Adult Supervision” to IoT—Really?

http://www.eetimes.com/document.asp?doc_id=1330011&page_number=1. Is Underwriters Lab cybersecurity standard, known as UL 2900, going to be the answer to the Internet of Things’ need for cybersecurity standards? The jury is still out. After all, it has only been three months since the new standard was introduced. Many of the industry verticals already have their own set of compliance requirements. Will they choose to adopt a uniform standard that will span across all industries? We’ll just have to wait and see.

Canadian Man behind Popular “Orcus RAT”

http://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/. Interesting read on how information security investigative reporter Brian Krebs connected the dots in order to discover the identity of the proprietor of one of the most popular and affordable hacking tools used to access someone else’s computer. What was truly surprising is that the author of Orcus claims that the RAT is a benign tool designed for use by network administrators. However, researchers report that they have seen an increasing number of computers infected with Orcus, unbeknownst to the legitimate owners of the machines. Smells like a nasty RAT to me.

Meet the Technology That Could Be a Surprising Savior in Securing the “Internet of Things”

http://www.forbes.com/sites/valleyvoices/2016/07/01/how-your-office-light-bulb-could-be-spying-on-you/#6676d3a12940. You might not think that smart bulbs turning off and on could be a weak point in your security system, but it is these “boring,” daily processes and patterns that are catching the eyes of attackers. However, to protect and secure our vulnerabilities, we have to be able to see them first, even when they appear to be hidden amongst a seemingly endless sea of details. Luckily, we have artificial intelligence solutions to do the heavy “big data” lifting. Perfect timing too, as IoT devices are predicted to reach 20 billion by 2020.

Decentralizing IoT Networks through Blockchain

https://techcrunch.com/2016/06/28/decentralizing-iot-networks-through-blockchain/. The challenge: How do you provide privacy and security in huge IoT networks while offering some form of validation and consensus for transactions to prevent spoofing and theft? The financial arena may hold the key—using blockchain. Already providing peer-to-peer payment services for cryptocurrencies such as Bitcoin, tech firms are analyzing whether this solution will solve some of the problems connected with the fast-growing IoT industry.

Hacking Pokémon Go: A Classic Case of Follow the Money

http://venturebeat.com/2016/07/19/hacking-pokemon-go-a-classic-case-of-follow-the-money/. Have you been bitten by the Pokémon Go bug yet? The popular game broke records as the app was downloaded nearly eight million times during the first few days after its release. Although the game continues to attract wave after wave of enthusiastic new players, it also is raising security and privacy concerns, as well as attracting the attention of hackers and criminals. As a security professional, this may dissuade you from jumping on the Pokémon bandwagon, but chances are your family and friends are trying to “catch ‘em all.” Don’t forget to remind them to read the fine print, proceed with caution, and practice safe cyber hygiene.

The Internet of Things Will Replace Mobile Phones As the Most Connected Device in 2018

http://www.appstechnews.com/news/2016/jul/25/internet-of-things-will-replace-mobile-phones-as-most-connected-device-in-2018/. The future is IoT. According to the 2016 Ericsson Mobility Report, there will be 28 billion connected devices worldwide by 2021, with nearly 16 billion related to IoT. The big question is “Will we be ready and able to secure all of those devices?”

8 – ISSA Journal | August 2016

Perspective: Women in Security SIG
WIS SIG Mission: Connecting the World, One Cybersecurity Practitioner at a Time

Internet of Things – A Veritable Smorgasbord of Privacy, Security & Trust Challenges
By Rhonda Farrell – ISSA Fellow, Northern Virginia Chapter

How to balance technological innovation merits against legal, privacy, and security concerns continues to be at the heart of the raging debate regarding the Internet of Things (IoT). The sheer volume of items that now fall into this category—appliances, cameras, facial and emotion recognition, fitness and medical devices, identification tags, location tracking devices, robotic manufacturing, SCADA systems, sensor infrastructure, smart grid components, smartphones, vehicles, etc.—is to some mind-boggling, while others are delighting in the sheer ease of interoperable connectivity [1, 6, 7, 9, 13].

With over five billion endpoints in 2015 forecast to grow to over 25 billion endpoints in 2020, it is easy to see how these intelligent, meshed devices support smart cities, smart highways, and smart houses, as well as many key industries including financial services [9, 10]. A recent Ernst and Young article identifies that the main IoT adoption drivers include new business opportunities, revenue growth potential, improved decision-making, cost reductions, increased safety and security, and improved infrastructures [14]. Figure 1 visually depicts the multitude of forms the IoT entities can take [2].

Figure 1 – Internet of Things: Categorical rendering

Privacy challenges

Of primary concern in the privacy area is the aggregation of data from multiple endpoints, allowing for analysis and utilization of the sensitive information it yields [3]. An example includes traffic signatures that indicate when power to an outlet has been switched on or off, which in the long run reveal user activities and habits and can inadvertently inform criminal actions [4]. To mitigate the privacy concerns, the Electronic Privacy Information Center (EPIC) recently published an article that recommends the use of privacy enhancing technologies, promotes the use of data minimization techniques, and advocates for much stronger security for IoT devices [1].

Security and trust challenges

SANS Institute recently examined the greatest IoT threat vectors and identified the following issues, which arise largely from the heavy use of embedded operating systems and applications [13]:
• Patch management (31%)
• Malware (26%)
• Denial of service (13%)
• Sabotage and destruction (12%)

A likely mechanism to combat these privacy, security, and trust challenges is to define, implement, and enforce a cyber-resiliency model for IoT like the one depicted in figure 2 [5]. Security experts advocate for building security into the foundations of IoT systems by ensuring product managers and security specialists work more closely together so that security considerations are addressed throughout the product life cycle. Additional robustness activities also include heightened validity checks, data verification, authentication, and data encryption [11, 12]. Advocates also state that device assess- (Continued on page 48)

Figure 2 – Cyber resiliency maturation model, from vulnerable to resilient

Register Today for the 2016 ISSA International Conference

This year’s conference program is full of engaging, interactive sessions exploring the theme—Survival Strategies in a Cyber World—all designed to help you get your hands around some of the digital world’s hottest topics. Don’t miss out. Register today! For information on sponsorship opportunities, click here. 

2-Second Survey

The second quarter survey of ISSA members is ready for your input. Please respond to the best of your knowledge. CLICK HERE.

Internet of Things—Is Your Organization: Ahead of the Curve, Managing It, or Behind the Curve?

CSCL Pre-Professional Virtual Meet-Ups

So, you think you want to work in cybersecurity? Not sure which way to go? Not sure if you’re doing all you need to do to be successful? Check out our Pre-Professional Virtual Meet-Ups to help guide you through the maze of cybersecurity. August 29: 3:00 pm - 4:30 pm EST. Mr. Robot – Can it Really Happen?

ISSA Journal Scholastic Writing Award for Best Student Article

The ISSA Journal Editorial Advisory Board is inaugurating an annual $1,000 ISSA Journal Scholastic Writing Award for the best article submitted by a current college/university student. The submission period is now open and the Board will accept articles until October 1, 2016. We encourage students to follow the published editorial calendar but will consider any submission that is focused on information security. The Board will select the best article that meets our professional standards for publication and will feature it in the December 2016 issue of the ISSA Journal. Recipient must be attending an accredited college or university full time and actively pursuing a degree. Submit your article and proof of enrollment to [email protected] by October 1, 2016. Please review our editorial guidelines and the 2016 editorial calendar. For more information: ISSA.org => Learn => Journal. Questions can be directed to [email protected].

Save the Date! Special Interest Group Webinars

Want to hear more from ISSA’s Special Interest Groups? Join free here.
• Women in Security SIG – August 15: 12:00 pm - 1:00 pm EST. One Woman’s Answer to the Cybersecurity Talent Shortage.
• Financial SIG – August 19: 1:00 pm - 3:00 pm EST. Impact of Compliance with Privacy Regulations.
• Security, Education, and Awareness SIG – September 14: 9:00 am - 10:00 am EST. Security Education and Awareness SIG Webinar.
• Healthcare SIG – September 29: 12:00 pm - 1:00 pm EST. Use of Cloud Services in the Healthcare Industry.


CISO Executive Forum

The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer-only environment. Membership is by invitation only and subject to approval. Membership criteria will act as a guideline for approval. Dallas, TX: November 3-4, 2016. Theme: Big! For information on sponsorship opportunities, click here.

ISSA IS PLEASED TO ANNOUNCE OUR FIRST KEYNOTE SPEAKER FOR THE ISSA INTERNATIONAL CONFERENCE Michael Coates leads Twitter’s security program across all elements of information security. He is also the former chairman and a current member of the global board of directors for OWASP, the largest open source application security community.

Michael Coates Trust and Information Security Officer, Twitter

Join Michael in his session titled “Building a Security Program That Succeeds - Scale, Efficacy and Executive Support.”


ISSA CISO Virtual Mentoring Series LEARN FROM THE EXPERTS! If you’re seeking a career in cybersecurity and are on the path to becoming a CISO, check out the schedule of upcoming presentations.

IoT: The Information Ecosystem of the Future--And Its Issues 2-Hour live event Tuesday, August 23, 2016 9 a.m. US-Pacific/ 12 p.m. US-Eastern/ 5 p.m. London The Internet of Things is a radical game changer. With the number of new devices being linked to networks growing larger every day, so too are the potential dangers. With great change comes great regulation, but are policy makers and industry leaders equipped with the necessary data and risk management skills needed to properly guide us safely into this new world? Join moderator Philip H. Griffin as we examine the myths, realities, promises, and dangers of this rapidly emerging frontier.

ISSA Chapter Events

• August 18-19: Santa Cruz de la Sierra, Bolivia. “Congreso Internacional de Profesionales de Seguridad de la Información.” For more information and to register, click HERE.
• September 8: Phoenix, AZ. “2016 Phoenix Security & Audit.” For details and registration, click HERE.
• September 10: Miami, FL. “Annual Hack the Flag & Chili Cook Off.” For details and registration, click HERE.
• September 20: Nashville, TN. “InfoSec Nashville.” For details and registration, click HERE.

Get your events published in the ISSA Journal and E-News. You will build chapter activities, and your sponsors will appreciate the extra publicity. Send your events with the following information in this exact format: Date, Chapter Name, Time, Location, Title, Speaker, Sponsor, and a hyperlink to Details and Registration. Email to [email protected]. For more ISSA and industry events, visit the ISSA Calendar.

Click here to register! Join the conversation! #ISSAWebConf. View the calendar of web conferences here. For sponsorship opportunities, click here.

Looking to Begin or Advance Your Career?

The ISSA Career Center offers a listing of current job openings in the infosec, assurance, privacy, and risk fields. Visit the Career Center to look for a new opportunity, post your resume, or post an opening. Among the current 1,027 job listings you will find the following:
• Senior Application Security Engineer – The Advisory Board Company, Washington, DC
• Information Security Engineer – The University of Vermont Medical Center, Burlington, Vermont
• Senior Analyst, Governance – Discover, Riverwoods, Illinois
• Pre-Sale Cyber Security Specialist Engineer – Cisco Inc, Chicago, Illinois
• Information Security Specialist – X.L. Catlin, Stamford, Connecticut

Visit our Career Center online for a full listing of job openings! Questions? Email Monique dela Cruz at [email protected].

Elevate Your Career with Writing Experience

As a security professional, you have unique and valuable experiences, insights, and information that could positively impact infosec practitioners around the world. Exchanging that wealth of knowledge in our ever-evolving field is vital in helping us all do our jobs better and achieve our individual career goals. Effective writing is an essential skill for achieving your career goals. Do you have an article in mind? Would you find it helpful to bounce your ideas off of other members and get their feedback? The Journal’s Editorial Advisory Board will match you with an experienced author as a resource to help you practice and refine your skills, communicate your knowledge, and raise your visibility and stature. Join Friends of Authors today, and let us know your interests and goals.

The Open Forum The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. Open Forum articles are not intended for reporting news; they must provide insight, opinion, or commentary to initiate a dialog as to be expected from an editorial. Articles should be 700-800 words and include a short bio and photo. Please submit to [email protected]. Note that accepted articles may be eligible for CPE credits.


Looking Ahead at the Sessions…

Forging Your Identity: Credibility beyond Words
Tim Roberts and Brent White

Securing the End User

For a social engineer trying to compromise a building, lying is one thing, but owning layers of identities and having a bag full of “aces” is what has led us to compromising data centers, security control offices, and more. If a skeptical employee is not buying into a backstory, credibility can sometimes make or break an assessment. In our presentation we discuss red team-based penetration testing techniques that include document, key, and badge forgery, installing malicious devices and key-loggers, setting up local numbers and web search results, and more techniques that have worked for us—real-world scenarios that have led to armed security guards handing over badges and building keys, facilities opening multi-factor-authentication restricted areas, and other successful techniques. We will also discuss ways to help mitigate these types of threats to help make your facilities and information more secure.

Propel Your Career with Personal Strategic Planning Christa Pusateri

Business Skills

Are you thriving in your career? Are you blazing your own trail or allowing chance and circumstance to define it for you? Do you know where you want to go, who you need to help you get there, and how to position yourself against your competition for the next step in your career? It’s time to take action and start your own personal strategic planning process. From defining your personal value to putting a plan in action, you will learn fundamentals of personal strategic planning to propel your career. Join a group of like-minded professionals as we explore a personal planning process through an interactive session that focuses on YOU. You will learn how to identify your purpose, position yourself for success, and put a practical plan in place to propel your career in information security. Join Christa on her mission to help cybersecurity professionals overcome stereotypes and take a proactive approach to personal strategic planning.

Transform from Surviving to Thriving by Preparing for the Next Wave of Cyber Attacks and Information-Borne Threats

Infrastructure

Dr. Guy Bunker

Ransomware is running rife, switching modern businesses off while the infection is cleaned, reverting to pen and paper while systems are untrusted. Then there are the enormous fines, damage to reputation, and ongoing costs to remediate. The next generation of malware is hidden in innocuous looking documents, documents that are shared through online collaboration sites as well as sent through email. Furthermore, the metadata found in documents is a phisher’s dream, making it simple for the cybercriminal to gain the trust of personnel. This session will discuss how cybercriminals are targeting organizations through information-borne threats and how to combat them with advanced threat protection functionality that uses deep-content inspection techniques to identify and remove threats in real time while leaving the critical information accessible. While traditional solutions are focused on inbound or outbound traffic, the next generation of adaptive security solutions is direction agnostic and operates across all communication channels.

Improving Incident Response Plans with Advanced Exercises Stephanie Ewing-Ottmers

Incident Response

Organizations are under attack at an increasing rate. Our investments in security technology are top-of-mind now more than ever, but we can’t rely solely on the latest tools as the main enhancement to our age-old defense-in-depth strategies. Well-prepared operational security teams know that people and process are even more essential now that we assume the bad guys are already in our systems or will be at any moment. So we have to ask ourselves if we’ve invested enough in our people and processes to see us through the challenges ahead. Is our incident response planning commensurate with our risk tolerance level, and does that match our current baseline? What is required to have our teams operate quickly and efficiently in the worst-case data breach or system compromise scenario? If your organization does not have an up-to-date, documented, and tested cybersecurity incident response plan, there is much work to be done. I see it as the equivalent of a 5k walker showing up to run a 26.2 mile marathon. Without an effective training plan and developed muscle memory, it will be a long and painful process in the real-world event. This session will discuss effective strategies to test your incident response plan, build confidence in the abilities of your team, and improve muscle memory to reduce the time to resolve incidents.


Machine Learning: A Primer for Security

By Stephan Jou – ISSA member, Toronto Chapter The author examines how machine learning can be leveraged to address the practical challenges of delivering lower-cost security by resolving more threats faster, with fewer resources. It will focus on machine learning security techniques that work at typical levels of data volumes, from those operating with “small data” to those implementing data lakes.

“Machine learning is revolutionizing the security landscape.”

Popular responses to that statement are all over the map. Some say machine learning is vastly overhyped in our market, while others contend it is the combination of machine learning with access to more data that is the main reason to be optimistic about security in the future.

In the day-to-day world of data security, analytics practitioners who have embraced machine learning are regularly catching bad actors, such as externally compromised accounts or malicious insiders. We do this by using machine learning and analytics to detect indicators of compromise and predict which employees or associates are likely to leave with stolen data. We succeed when we define what is normal, then determine anomalies using machine learning. Machines are simply faster at repetitive tasks like finding inconsistencies in the patterns of data usage, and machines do not tire from scouring through billions of data events per day.

There are two good reasons why machine learning is useful to security. First, it can reduce the cost of standing up and maintaining a security system. In this industry, we’ve spent billions, yet we clearly need better tools to protect our data. The bad guys still have better tools than the good guys, and it still costs too much to investigate and respond to security incidents. The nature of defense is that it simply takes time to build up resistance, only to have a new attack render that defense ineffective or obsolete. This leads to the second reason that machine learning is important: it can reduce the time required to detect and respond to a breach once the inevitable occurs. Proper use of machine learning can have a measurable impact on deployment time and cost, as well as dwell time from incident to response.

At present, the cybersecurity industry is still behind the curve in demonstrating the kind of success that machine learning has achieved in some other industries. But with rapidly growing volumes of data and better behavioral monitoring aimed at leveraging data, big data, and data lakes, machine learning and security clearly will achieve more breakthroughs together.

In this article, I will examine how we leverage machine learning to address the practical challenges of delivering lower-cost security by resolving more threats faster, with fewer resources. I will focus on machine learning security techniques that work at typical levels of data volumes, from those operating with “small data” to those of us implementing data lakes. My purpose is to empower security teams to make use of machine learning to automate what skilled experts can do: prioritize risks so that experts can focus attention on those high-threat anomalies that signify targeted attacks, compromised accounts, and insider threats.

Automate and learn: What machine learning does best

The concept of machine learning is based on the idea that we can use software to automate the building of analytical models and have them iteratively learn, without requiring constant tuning and configuring. Machine learning, if implemented properly, learns by observing your company’s particular data. It should not require rules, tool kits, or a team of data scientists and integrators to endlessly examine the datasets in order to become operational. Similarly, the software should not require a team with system administration or dev-ops skills to architect a big data infrastructure. Many companies’ experiences with analytics date back to when scientists and integrators had to spend months, or even years, to understand the business and how every aspect of the dataset intersected with users and machines. This is no longer the case. Modern machine learning works with the data in your organization, observing it persistently through continuous user, file, and machine monitoring.

Further, machine learning can react automatically to typical business changes by detecting and responding appropriately to shifting behavior. This is often a surprise to companies accustomed to bringing in teams of consultants and having to re-engage them when a new business unit is created or a merger occurs. The expectation is that whenever new behaviors appear, the old software must be reconfigured, rules constantly rewritten, and new thresholds created. But if done correctly, machine learning can learn—then automatically continue to learn—based on updated data flowing through the system. Just as a teacher doesn’t have to tell an equation how to compute the average grade for a class, the same equation for computing averages will work in classrooms everywhere, and when classes are added or removed.

Math is magical, but not magic. The fact is, math cannot do anything that a human can’t do, given enough time and persistence. Math simply expresses what is happening in an automated fashion using equations. In machine learning, such equations are implemented as software algorithms that can run continuously and tirelessly. There is plenty of mystique around the seemingly limitless capabilities of “magical” algorithms that are, in reality, far less responsible for what machine learning can do for security than the data itself. In fact, connecting the data to the math (a process known as feature engineering) and then implementing the math at scale (using appropriate big data technologies) is where the real magic of machine learning for security lies.


Cost and time essentials

One way to understand how machine learning can have an impact on cost is to look at the steps required to install and use an analytical product. We all know there is fixed time associated with installation and configuration, but it is the tuning and training of the analytics that has been historically costly. There are many steps involved in the process between deciding to start to build a security analytics-enabled process, to receiving valid analytics that can detect and respond to incidents. Choosing the right approach can significantly reduce the time and the cost between the project start and when value can be provided. Specifically, choosing a proper machine learning-based approach that does not require manual tuning, customization, building of rules, etc., can greatly accelerate the time to value (figure 1). Whether total deployment time is fast (a couple of hours or a few days) or painfully slow (as long as a year!) is largely dependent on the capabilities of the analytics. The real cost disparity emerges when we ask questions such as:
• Do I need to set thresholds?
• Will we have to write rules?
• Am I paying service fees for these capabilities?
• How easy is it?

Figure 1 – Time to value: Security analytics using rules, versus security analytics using machine learning


To get value from the system, you obviously want to ask the essential question: How long before we can actually learn something about a breach? By asking and answering this, we can know time to value. To obtain the answer, we need to focus on how machine learning extracts value. It’s popular to focus attention on the algorithm, most likely because algorithms such as deep learning have recently been achieving well-publicized successes. And it’s naturally easy to get lost in that excitement! However, more important than the algorithm is a focus on the right data and the corresponding use case appropriate for your particular organization. Getting the right datasets for the job and applying the right principles will trump any given algorithm, every time.

With this approach, we can allow machine learning to do what it does best: find evidence, and connect the dots between pieces of evidence, to create a true picture of what is happening. This “connecting of dots” is important because it allows us to show corroboration across datasets. When security professionals talk about alert fatigue, they are really referring to the need for better corroboration so they can reduce the number of results the system fires. Simply put, when we have alert fatigue, the math is not helping us compress the results that the system is finding. But math can help compress billions of events per day into dozens of incidents by effectively scoring all events, and then corroborating multiple scored events together. A machine learning implementation further means that this approach to reducing false positives and alert fatigue can be done automatically, to give us the reduced cost and faster time to value we’re looking for. But how does that work?

The value of a score: Probabilistic methods vs. rules and thresholds

One important machine-learning technique is using probabilistic statistical methods¹ to score events for risky indicators, rather than relying on rules with thresholds that either fire or do not fire. When we talk about scoring an event, we are simply talking about computing a number, for example, between zero and 100. This contrasts with relying on rules that issue a Boolean alert. Boolean alerts either fire or do not fire, based on parameters and thresholds the operator has set. The problem with this approach is that since alerts either fire or do not fire, as the alerts accumulate (in your SIEM, for example), the best we can do is count them. Having 10 alerts, all with limited severity information and context, delivers little information that is helpful.

When we score events for risk, we can assign them meaning—for example, 0% is no risk, while 100% is the most extreme risk—and then more smartly aggregate risk values to get a combined picture of the risks involved. Risk scores can give additional context by being associated not only with a particular activity, but also with the assets, people, and machines involved. Mathematical weighting helps us tune and train our model for specific activities, people, assets, and endpoints on a per-behavior-pattern basis. Aggregating scores, rather than simply counting alerts, is more effective because we can define a weighted representation of how risky a behavior is. In contrast, if all you have is an alert, you can only say that “X” things happened. While it’s true that we can label events, labeling things either good or bad does not help. In fact, it can be risky: it quickly becomes easy to ignore low-probability events, or to trick the system into ignoring them. You can see why it is possible to get 10,000 alerts when the threshold is set too low, for example.

In a typical medium-size business environment, it is quite likely that the data presents us with billions of “events”—multiple bits of evidence of what is happening to the data. Machine learning can work quickly to distill these billions of events, tell the difference between low- and incredibly high-risk events, and then connect them together into a picture, or handful of pictures, of what is going on. Here, math helps us compress the results, so instead of alert fatigue or a group of patterns with arbitrary values, we have a clear statistical picture of what is anomalous.

In addition to scoring, effective machine learning in data security lets us use probabilistic math rather than thresholds. Probabilistic methods are better than thresholds because they tell us not just about badness, but the probability or degree of badness. We can compute all of the events, not just those arbitrarily deemed likely to be interesting. We can much more accurately assess the overall risk posture of any entity and actually measure what security experts are trained to look for—bad or at least “weird” things happening to their data. Finally, we can collect and score all of the events and compute their likelihood of causing us problems. In this way, we create a system that can learn automatically. This automatic learning is an important component of why the machine learning approach works. Automatic means no rules must be fine-tuned, no thresholds must be tweaked, no maintenance must be performed when your business shifts. But how does machine learning pull off this trick?

¹ For a good overview of probabilistic and statistical methods as they apply to machine learning, see: Murphy, K. P. 2012. Machine Learning: A Probabilistic Perspective, Cambridge, Massachusetts: MIT Press.
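The scoring-and-corroboration pipeline described in this section, together with the “connecting the dots” and feature-engineering points made earlier, worked through as an added example in Python. This is not the article’s code, nor any product’s: the log format, the two users, the 500 MB rule, the -10·log10(p) scoring scale, the noisy-OR combination and the indicator weights are all assumptions made here for illustration. It performs the steps the text separates: feature engineering (collapsing constructed raw download events into per-user, per-day features), learning a per-user baseline from history, scoring today’s values by their one-sided tail probability under that baseline rather than against a fixed threshold, and corroborating the per-indicator scores into one risk score per user, which is then ranked.

```python
"""Probabilistic risk scoring versus a fixed-threshold rule.

Added example, not code from the ISSA Journal article: the log format, the
users alice and bob, the 500 MB rule, the -10*log10(p) scale, the noisy-OR
combination and the indicator weights are all assumptions made here.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events, one per line: "<day> <user> <hour> <bytes downloaded>".
def constructed_history():
    lines = []
    for d in range(1, 6):
        # alice: a light user, roughly 20 MB a day over two daytime sessions
        lines.append(f"2016-07-0{d} alice 09 {9_000_000 + d * 400_000}")
        lines.append(f"2016-07-0{d} alice 15 {10_000_000 + d * 200_000}")
        # bob: a nightly bulk backup of roughly 600 MB, always at 02:00
        lines.append(f"2016-07-0{d} bob 02 {580_000_000 + d * 10_000_000}")
    return lines

TODAY = [
    "2016-07-06 alice 23 120000000",  # six times alice's usual volume, late at night
    "2016-07-06 bob 02 615000000",    # bob's backup job, the same as every night
]

def daily_features(lines):
    """Feature engineering: collapse raw events into one vector per (user, day)."""
    feats = defaultdict(lambda: {"bytes": 0, "offhours": 0})
    for line in lines:
        day, user, hour, nbytes = line.split()
        feats[(user, day)]["bytes"] += int(nbytes)
        if not 6 <= int(hour) <= 20:
            feats[(user, day)]["offhours"] += 1
    return feats

def baselines(history_feats):
    """Per-user mean and spread of every feature, learned from the history days."""
    per_user = defaultdict(lambda: defaultdict(list))
    for (user, _day), f in history_feats.items():
        for name, value in f.items():
            per_user[user][name].append(value)
    model = {}
    for user, columns in per_user.items():
        model[user] = {}
        for name, values in columns.items():
            mu = mean(values)
            # Floor the spread: a constant history must not divide by zero, and a
            # tiny variance must not make every small deviation look extreme.
            sd = max(pstdev(values), 0.05 * abs(mu), 0.5)
            model[user][name] = (mu, sd)
    return model

def tail_probability(value, mu, sd):
    """P(X >= value) under the user's normal baseline; one-sided, since more is riskier."""
    z = (value - mu) / sd
    return 0.5 * math.erfc(z / math.sqrt(2))

def risk_score(value, mu, sd):
    """Map rarity to 0..100 with -10*log10(p), capped at 100:
    p = 0.5 -> 3, p = 0.01 -> 20, p = 1e-10 -> 100."""
    p = max(tail_probability(value, mu, sd), 1e-300)
    return min(100.0, -10.0 * math.log10(p))

def score_day(today_feats, model, weights=None):
    """Score every indicator, then corroborate them per user with a weighted noisy-OR:
    combined = 1 - prod(1 - w_i * s_i), so several moderate scores add up and one
    strong score is never diluted by averaging."""
    weights = weights or {"bytes": 1.0, "offhours": 0.5}
    results = {}
    for (user, _day), f in today_feats.items():
        if user not in model:           # a never-seen user has no baseline yet
            continue
        indicators = {name: risk_score(f[name], *model[user][name]) for name in f}
        clean = 1.0
        for name, s in indicators.items():
            clean *= 1.0 - weights[name] * s / 100.0
        results[user] = {"indicators": indicators, "combined": 100.0 * (1.0 - clean)}
    return results

def rule_alerts(today_feats, threshold_bytes=500_000_000):
    """The Boolean alternative: a fixed threshold that either fires or does not."""
    return {user for (user, _day), f in today_feats.items() if f["bytes"] > threshold_bytes}

def ranked_incidents(history=None, today=None):
    """Highest combined risk first: the handful of incidents an analyst should look at."""
    history = constructed_history() if history is None else history
    today = TODAY if today is None else today
    scores = score_day(daily_features(today), baselines(daily_features(history)))
    return sorted(scores.items(), key=lambda item: item[1]["combined"], reverse=True)

if __name__ == "__main__":
    for user, r in ranked_incidents():
        parts = " ".join(f"{k}={v:5.1f}" for k, v in r["indicators"].items())
        print(f"{user:6} combined={r['combined']:5.1f}  {parts}")
    print("fixed 500 MB rule fired for:", rule_alerts(daily_features(TODAY)))
```

Run as written, alice, whose 120 MB day is six times her own baseline, ranks first with a combined score of 100, while bob’s nightly 615 MB backup scores in the single digits; the fixed 500 MB rule fires on bob and says nothing about alice, which is the threshold problem the section describes. One caveat any deployment needs: the baseline is learned from whatever the system observes, so an insider who raises activity slowly can drag their own baseline upward with them. The length of the history window and how quickly it adapts are therefore security decisions, not merely tuning parameters.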

How machines learn

Machines don’t learn in a vacuum; machines learn by continually observing data. Given enough data, machines can turn data into patterns. Observation of patterns can lead to generalizations, a process accomplished by taking examples and creating general statements or truths. This learning process is true not just of machines, but of humans. Machine learning is nothing more than algorithms² that automate this same learning process that we as humans do naturally. Consider that when we as humans see something, we know what we probably saw because it is most similar to what we’ve seen before. This is actually an example of a machine learning algorithm known as “nearest neighbor” (or k-nearest neighbors, for the picky).

Here is an example of applying machine learning to determine whether an animal is a cat or a dog. By fitting points to a line we can observe that when we see an animal with long whiskers (cats) and a longer tail (also cats), it is more likely to be a cat than a dog. The more examples we see, the more the generalizations prove the rule. While it’s true that sometimes a cat has a short tail and occasionally a dog has really long whiskers, it is mostly not the case. Clusters emerge showing cats and dogs. Children quickly recognize by this method what is a cat and what is a dog. Algorithms, when given examples, can be created to do the same thing, using math to automate this process. Suppose we go around our neighborhood and measure the whisker lengths and tail lengths, in inches, for the first 14 pets we see. We may end up with a set of data points like those in table 1.

Table 1 – Whisker and tail lengths of sample pets

Whisker Length (input)   Tail Length (input)   Cat or Dog? (output)
5                        6                     Cat
5.7                      11                    Cat
4.3                      9.5                   Cat
4.2                      7                     Cat
6.4                      8                     Cat
5.9                      10                    Cat
5.2                      9                     Cat
2.3                      5                     Dog
2.5                      3                     Dog
4                        9.5                   Cat
2.1                      7                     Dog
1.3                      9                     Dog
3.4                      7.5                   Dog

Figure 2 – A plot of neighborhood dogs and cats, and their tail and whisker lengths, in inches.

Figure 3 – A simple model that distinguishes between dogs and cats, based on tail and whisker length.

As a human, when given a set of observations that look like figure 2, you might eventually conclude (or learn) that cats generally have longer tails and whiskers than dogs.

There are two broad classes of machine learning: supervised learning and unsupervised learning. In supervised learning, we are given the answers. In our cat and dog example, suppose that whenever we are given a whisker length and tail length, we are also told whether the animal is a cat or a dog; this is an example of supervised learning. Rather than simply asking us to “find me dogs and cats,” the data told us what these animals are. Since we, in turn, advised the algorithm about whisker and tail length, this class of algorithm is known as supervised learning. It requires accurate examples.

The model, represented visually by the dotted line (figure 3), states that if the tail and whisker length is to the left of the dotted line, declare the animal to be a dog. If it’s on the right, call it a cat. Using the learned model shown in figure 3, we can start to make predictions. When we see animal X, and measure its tail and whisker length, we would predict that it’s a cat, since it is to the right of the dotted line (figure 4). X’s long whiskers and long tail give it away!

In unsupervised learning, we hope that a grouping (or clustering) pattern emerges based solely on the input data, without any output labels (figure 5). The data tells the story, self-organizing into clusters. In general, unsupervised learning is a much harder problem than when output labels are available.

² There are many good books that introduce the concepts of machine learning. The following book is short and very readable, and does not require a deep math background: Adriaans, P. and Zantinge, D., 1996. Data Mining, England: Addison-Wesley Longman. The following is a great reference for those more comfortable with mathematical notation: Tan, P.-N.; Kumar, V. and Steinbach, M. 2006. Introduction to Data Mining, Boston: Addison-Wesley Longman. For the coders, try: Conway, D. and White, J. M. 2012. Machine Learning for Hackers, O’Reilly.


Figure 4 – Predicting with a model

Figure 5 – Data points without labels

Unsupervised learning means we do not have any “labels,” so we are not told the “answers.” In other words, we observe a set of whisker and tail lengths from 14 animals, but we do not know which are cats and which are dogs. Instead, all we might know (if we’re lucky!) is that there are exactly two types of animals. We might still arrive at a good model to distinguish between dogs and cats (such as the one illustrated in figure 4), but this is clearly a harder problem!

In general, security use cases require a mix of supervised and unsupervised learning, because datasets sometimes have labels and sometimes do not. An example of a dataset where we have a lot of labels is malware: we have many examples of malware in the wild, so for many malware use cases we can use supervised learning to learn by example. An example of a dataset where we have little to no labels is anything related to insider threat or APT; there is generally not enough labelled data available to rely on supervised learning methods.
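To make the supervised and unsupervised cases concrete, here is an added example (not code from the article or from Interset) that runs both over the 13 labelled points of Table 1. The supervised part is the k-nearest-neighbors classifier the text names, evaluated by holding each pet out in turn; the unsupervised part is a two-cluster k-means that sees only whisker and tail lengths and never the Cat/Dog labels. The deterministic k-means starting centroids (the pets with the shortest and longest whiskers) are an assumption made here so that the run is reproducible.

```python
import math
from collections import Counter

# Constructed from Table 1 of the article: (whisker length, tail length) in inches, label.
PETS = [
    ((5.0, 6.0), "Cat"), ((5.7, 11.0), "Cat"), ((4.3, 9.5), "Cat"), ((4.2, 7.0), "Cat"),
    ((6.4, 8.0), "Cat"), ((5.9, 10.0), "Cat"), ((5.2, 9.0), "Cat"), ((2.3, 5.0), "Dog"),
    ((2.5, 3.0), "Dog"), ((4.0, 9.5), "Cat"), ((2.1, 7.0), "Dog"), ((1.3, 9.0), "Dog"),
    ((3.4, 7.5), "Dog"),
]


def dist(a, b):
    """Euclidean distance in the (whisker, tail) plane."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def knn_predict(train, point, k=3):
    """Supervised: the majority label among the k nearest labelled examples."""
    nearest = sorted(train, key=lambda ex: dist(ex[0], point))[:k]
    votes = Counter(label for _, label in nearest)
    return votes.most_common(1)[0][0]


def leave_one_out_correct(train, k=3):
    """Count how many pets k-NN labels correctly when each is held out of the training set."""
    return sum(
        knn_predict(train[:i] + train[i + 1:], pt, k) == label
        for i, (pt, label) in enumerate(train)
    )


def kmeans(points, k=2, max_iter=100):
    """Unsupervised: Lloyd's k-means. Starting centroids are the points with the smallest
    and largest first coordinate (an assumption made here for reproducibility)."""
    ordered = sorted(points, key=lambda p: p[0])
    centroids = [ordered[0], ordered[-1]] if k == 2 else ordered[:k]
    assign = None
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda c: dist(p, centroids[c])) for p in points]
        if new_assign == assign:
            break  # no point changed cluster: converged
        assign = new_assign
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:
                centroids[c] = (sum(m[0] for m in members) / len(members),
                                sum(m[1] for m in members) / len(members))
    return assign, centroids


def cluster_label_agreement(assign, labels):
    """Purity: for each cluster, count the points that carry its majority label.
    Only used afterwards, to see how well label-free clustering matched reality."""
    total = 0
    for c in set(assign):
        counts = Counter(l for a, l in zip(assign, labels) if a == c)
        total += counts.most_common(1)[0][1]
    return total


if __name__ == "__main__":
    print("animal X (6, 10) ->", knn_predict(PETS, (6.0, 10.0)))
    print("leave-one-out correct:", leave_one_out_correct(PETS), "of", len(PETS))
    assign, _ = kmeans([p for p, _ in PETS])
    print("k-means purity:", cluster_label_agreement(assign, [l for _, l in PETS]), "of", len(PETS))
```

On this data both methods get 11 of 13 right, but note the difference in what they are allowed to know: k-NN is told the answers and only has to generalize them, while k-means has to discover that there are two groups and where the boundary sits, and the two short-whiskered cats end up in the dog cluster. That is the sense in which the unsupervised problem is harder.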

The importance of the input

The input that you give your machine learning model matters significantly. In trying to distinguish cats from dogs, knowing to focus on whisker and tail lengths allowed our machine learning to be successful. If we had chosen less meaningful inputs—such as trying to distinguish cats from dogs by the number of legs—we would have been less successful. The process of picking and designing the right inputs for a model is critically important to succeeding with analytics.

For security use cases, research and experience must guide the feature engineering process so that the right model inputs are chosen. For example, we know from CERT, Mandiant, and others that good indicators of insider threat and lateral movement are related to unusually high volumes of traffic. Our own research has discovered that the ratio of an individual’s writes to and reads from an intellectual property repository—something we affectionately call the “mooch ratio”—is a valuable, predictive input as well. By observing such indicators, an effective machine-learning system can predict who might be getting ready to steal data.

As you can see, the most important part of data science is selecting the inputs to feed the algorithm. It’s an important enough process to have its own special name: feature engineering. Feature engineering, not algorithm selection, is where data scientists spend most of their time and energy. This process involves taking data—for example, raw firewall, source code, application, or app logs—understanding the semantics of the dataset, and picking the right columns or calculated columns that will help surface interesting stories related to our use case. A feature is little more than a column that feeds the algorithm. Picking the right columns or features gets us 90 percent of the way to an effective model, while picking the algorithm only gets us the remaining 10 percent. Why? If we are trying to distinguish between cats and dogs, and all we have as inputs is the number of legs, the fanciest algorithm in the world is still going to fail.

But how do we determine the right features? Selecting features requires knowledge. For example, we might include our historical experience or studies from industry organizations such as CERT, academic research, or our own brainstorming. This type of knowledge is the reason we need experts who can take what is in their heads and ask machines to automate it. Creating good features is a far better use of people skills and money, anyone would agree, than hiring expensive hunters to sift through a sea of alerts. Machine learning simply allows us to automate typical patterns so that our highly qualified hunters can focus on the edge cases specific to the company and the business.
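Feature engineering as described above, as an added example that is not the article’s or Interset’s code: a few constructed access-log lines from a hypothetical intellectual-property repository are turned into one feature row per user (read count, write count, bytes read, and a ratio in the spirit of the “mooch ratio”), and one feature column is then screened for outliers with a median/MAD score rather than a raw sum. The log format, the field names, and the exact form of the ratio (reads per write) are assumptions; the article does not define them.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log lines (hypothetical format and users, not real data).
LOG = """\
2016-08-01T09:02:11Z user=alice action=read path=/designs/v3.pdf bytes=120000
2016-08-01T09:05:40Z user=alice action=write path=/designs/v3.pdf bytes=121000
2016-08-01T09:10:02Z user=bob action=read path=/designs/v2.pdf bytes=80000
2016-08-01T09:11:15Z user=bob action=write path=/notes/todo.md bytes=2000
2016-08-01T09:15:09Z user=carol action=read path=/designs/v3.pdf bytes=120000
2016-08-01T09:15:30Z user=carol action=read path=/designs/v2.pdf bytes=80000
2016-08-01T09:16:01Z user=carol action=read path=/designs/v1.pdf bytes=75000
2016-08-01T09:17:44Z user=carol action=read path=/src/core.tar.gz bytes=9000000
2016-08-01T09:18:02Z user=carol action=read path=/src/ui.tar.gz bytes=4000000
2016-08-01T09:20:33Z user=dave action=read path=/notes/todo.md bytes=2000
2016-08-01T09:21:10Z user=dave action=write path=/notes/todo.md bytes=2100
2016-08-01T09:30:00Z user=erin action=write path=/designs/v4.pdf bytes=130000
2016-08-01T09:31:00Z user=erin action=read path=/designs/v4.pdf bytes=130000
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) action=(?P<action>read|write) path=\S+ bytes=(?P<bytes>\d+)"
)


def build_features(log_text):
    """Turn raw log lines into one row of calculated columns per user: the features."""
    rows = defaultdict(lambda: {"reads": 0, "writes": 0, "bytes_read": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable line; a production pipeline would count and report these
        row = rows[m["user"]]
        if m["action"] == "read":
            row["reads"] += 1
            row["bytes_read"] += int(m["bytes"])
        else:
            row["writes"] += 1
    for row in rows.values():
        # Assumed form of the "mooch ratio": reads per write, +1 so a user who
        # never writes anything back still gets a finite value.
        row["mooch_ratio"] = row["reads"] / (row["writes"] + 1)
    return dict(rows)


def robust_outliers(features, column, threshold=3.5):
    """Users whose value for `column` sits far above the population median, in MAD units.
    Median/MAD is used instead of mean/stdev so one extreme user cannot hide itself."""
    values = [row[column] for row in features.values()]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9  # guard: all-equal column
    return sorted(user for user, row in features.items()
                  if 0.6745 * (row[column] - med) / mad > threshold)


if __name__ == "__main__":
    feats = build_features(LOG)
    for user, row in sorted(feats.items()):
        print(user, row)
    print("mooch outliers:", robust_outliers(feats, "mooch_ratio"))
    print("volume outliers:", robust_outliers(feats, "bytes_read"))
```

The point is the split of effort the article describes: almost all the work is in deciding that reads, writes and their ratio are the columns worth computing from the raw lines; the scoring step at the end is a few lines and could be swapped for any other algorithm.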

Online vs. offline learning

There are two modes of machine learning: online and offline. Offline learning is when models learn from a static dataset that does not change. Once the models have completed their learning on the static dataset, we can deploy those models to create scores on real-time data. Traditional credit-card fraud detection is an example of offline learning. Credit card companies can take a year of credit card transactions and have models learn what patterns of fraud look like. The learning can take many days or weeks to complete. Once completed, those models can be applied in real time as credit-card transactions occur, to flag potentially fraudulent transactions. But the learning part was done offline, from a static dataset.

Online learning occurs when we take a live dataset and learn from it as the data comes in, while simultaneously deploying models to score activity in real time. This is quite a bit harder, since we are taking data as it arrives and using it to get smarter while running models at the same time. This is the nature of modern, machine learning-based credit card fraud detection. It notices what you personally do or do not do. It involves individualized data and simultaneously scores activity. We use machine learning online to learn and react at the same time.

This distinction is important because, for security, many of our use cases require learning new patterns as quickly as possible. We do not always have the luxury of using offline machine learning to collect months and years of data. Instead, it is often more desirable to have models that learn as quickly as possible, as data comes in, and also react as quickly as possible, as data changes. Historically, much of the machine learning we have done has been offline, because it has been hard to move and analyze data fast enough to run at scale. But now, with big data technologies such as Hadoop,³ HBase,⁴ Kafka,⁵ Spark,⁶ and others, we are able to learn and score as data streams into our system. The speed and volume of our data feeds are so much greater than ever before. Online learning (building the models) and scoring (running the models) on terabytes of data a day is now technically possible, whereas it would have been impossible a decade ago.

³ Hadoop – http://hadoop.apache.org.
⁴ HBase – https://hbase.apache.org.
⁵ Kafka – http://kafka.apache.org.
⁶ Spark – http://spark.apache.org.

Leveraging the data lake

A final reason that machine learning is more important to security now than ever becomes clear when we consider its use with data lakes. Data lakes matter because they can be input sources for the storage of data logs, as well as a repository of an organization’s intellectual property around which we build protection. Clearly, we need big data analytics and automated methods in order to see what threats are happening in this realm. Increasingly, big data lakes are giving us the opportunity to analyze, detect, and predict threats—beyond seeing what has happened—for compliance and forensics purposes. This trend has occurred, in part, because data has gotten too big to store in a SIEM. As we know, most SIEMs can practically store only a few months of data; anything older is dropped or stored where it is not available for analysis. Increasingly, organizations have focused on Hadoop and related technologies as a more cost-effective way to act as the system of record for log files. But how can we better detect threats once we are storing data (e.g., log files) in our Hadoop data lake?

Search, visualize, detect, predict—and repeat

As with any data, we want to be able to search, visualize, detect, and predict threats. With machine learning, we want to combine human expertise with automated analyses for faster, more accurate results. All of these tasks are harder on big data, which requires newer technologies to be capable of handling them at scale. Data lakes let us search across and join all our datasets into a single query. We want to be able to search, for example, on terabytes of data per day. And for this, we have widely available big data-suitable technologies like Solr⁷ and Elasticsearch.⁸ Such technology lets us scalably index across all analyses from all detected threats, from all datasets in the data lake. Technologies like Kibana are now readily available to give us a friendly UI and API to search and visualize our results. However, visualizing big data is hard. You can imagine how a pie chart of a thousand users, in which each slice corresponds to one person, leads to a sea of color (figure 6).

Figure 6 – A pie chart showing the top 100 most active tweeters. Source: http://chandoo.org/wp/2009/08/28/nightmarish-pie-charts/

Visualization in the data lake is obviously an enormous field for research, involving the challenge of how to take huge amounts of data and convey meaning. It requires understanding, aggregating, summarizing, and the ability to drill down into different levels of detail. Techniques from visualization research—like focus-and-context visualization or an understanding of visual cognition and biological precepts—all come into play here. In other words, visualization is more than just the drawing of the picture; the analytics underneath the picture is equally important. In figure 7, we can see the result of processing more than 45 billion events. We can see that the most important events happened in February and March. Visualization on a large amount of data must tell us a story. By using machine learning and visualization tools, we see the end of a pipeline of analytics that uses computed risk scores to generate this picture from the raw data. As we have seen, the math of machine learning is what lies behind a picture that shows risk over time. The “matrix” visualization at the top represents 45 billion events. However, the underlying machine learning analysis has processed the events into 7,535 “stories,” each with varying levels of risk, which appear in the visualization as areas occupied by squares. Notice how quickly you see that two of the highest-risk time periods occurred in mid-to-late February. Additional interactivity allows the user to zoom in and focus on that specific time region for more detail.

⁷ Solr – http://lucene.apache.org/solr/.
⁸ Elasticsearch – https://www.elastic.co/products/elasticsearch.

Figure 7 – A big data interactive visualization from Interset

Here, every visualization supports large amounts of data, with machine learning and the analytics working behind the scenes to surface and compress billions of events into dozens of stories we can understand. Further, these visualizations can be interactive, provided you have the right technology to support that interactivity with filtering done using, for example, fast search.
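Returning to the online versus offline distinction above, here is an added example (not code from the article or from Interset) that runs the same per-entity model in both modes over a constructed stream of daily upload volumes. The online mode scores each event against what has been learned so far for that user and then folds the event into the model in the same pass, using Welford’s running mean and variance so that no history needs to be stored; the offline mode fits once on a static history and then only scores. The user names, the volumes, and the choice of a z-score against a per-user baseline are assumptions made here.

```python
import math
from collections import defaultdict


class RunningStats:
    """Welford's online mean/variance: updated one observation at a time, no history kept."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0  # sum of squared deviations from the current mean

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stdev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def score_and_learn(stream, min_history=3, floor=1.0):
    """Online mode: score each event against the model learned so far for that entity,
    then learn from the event. Returns (entity, value, score) rows in stream order."""
    models = defaultdict(RunningStats)
    out = []
    for entity, value in stream:
        st = models[entity]
        if st.n < min_history:
            score = 0.0  # too little history to judge this entity yet: learn only
        else:
            score = (value - st.mean) / max(st.stdev, floor)  # floor avoids divide-by-~0
        st.update(value)
        out.append((entity, value, score))
    return out


def offline_fit_then_score(history, live, floor=1.0):
    """Offline mode for contrast: fit once on a static dataset, then only score live events."""
    models = defaultdict(RunningStats)
    for entity, value in history:
        models[entity].update(value)
    scored = []
    for entity, value in live:
        st = models.get(entity)  # .get() so unseen entities do not create a model
        score = 0.0 if st is None or st.n < 2 else (value - st.mean) / max(st.stdev, floor)
        scored.append((entity, value, score))
    return scored


# Constructed stream: (user, megabytes uploaded that day); not real traffic.
STREAM = [
    ("alice", 10), ("bob", 50), ("alice", 12), ("bob", 55), ("alice", 9),
    ("bob", 48), ("alice", 11), ("bob", 52), ("alice", 300), ("bob", 53),
]


def highest_scoring(rows):
    """The (entity, value, score) row with the largest score."""
    return max(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for row in score_and_learn(STREAM):
        print("online  %-6s %5d  score %7.2f" % row)
    for row in offline_fit_then_score(STREAM[:8], STREAM[8:]):
        print("offline %-6s %5d  score %7.2f" % row)
```

Both modes flag alice’s 300 MB day against her own baseline of roughly 10 MB, and neither flags bob, whose 53 MB is ordinary for him. The practical difference is that the online model never had to wait for a training window to close: it was usable after three events per user, and it keeps adapting as each user’s behaviour drifts, which is what the article means by learning and reacting at the same time.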

Taming big data

Just as we need big data tools to search and visualize, we need tools to detect and predict that are suited to the data lake realm. It’s still important to allow humans to inject business context and priorities, as well as human intuition, into the process. But clearly, standard rules engines may struggle to keep up with the volumes and velocities of the data lake. They are simply not going to scale to the volume and velocity of a big data engine. Fortunately, just as with search and visualization, there are technologies to support rules engines at scale. Kafka, Spark, and Storm are good examples of technologies which understand how to move data at scale, process patterns at scale, and trigger rules.

We also use different math, because small-data math does not apply to big datasets. To illustrate, remember how in high school statistics we always had to make sure our sample size was large enough to be statistically significant? A typical rule was to make sure you had a sample size of at least 20! Back then, it was hard to get data, but that is no longer true. Standard frequentist methods are sometimes not appropriate for large datasets, where a Bayesian approach may be better at dealing with large, messy data. We also had to invent ways of compressing large amounts of data into small, actionable results that we could visualize, investigate, and plug into workflow. This is best done using math and statistics, not counting, because, as covered earlier, simply adding up scores tells us little that is meaningful. We must compute and compare using principled math and statistics. These are essential technology tools for the data lake. But what about our human experts? Where do we fit in?
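One concrete instance of the frequentist-versus-Bayesian point above, as an added example that is not from the article: four hypothetical users with failed-login counts, one of whom has only two attempts. A raw failure rate puts the two-attempt user at the top of the list (100 percent), which is exactly the small-sample problem the “at least 20” rule was meant to guard against; a Beta-binomial posterior centred on the population rate shrinks her estimate toward the crowd and ranks the user with 60 failures out of 100 first instead. The users, counts, and prior strength are constructed.

```python
# Constructed records: user -> (failed logins, total attempts). Not real data.
RECORDS = {
    "alice": (2, 2),      # only two attempts, both failed
    "bob": (60, 100),
    "carol": (5, 50),
    "dave": (1, 20),
}


def raw_rate(fails, attempts):
    """Frequentist point estimate: the observed failure fraction."""
    return fails / attempts


def sparse_users(records, min_attempts=20):
    """Users a classic minimum-sample rule would simply have to leave out."""
    return [u for u, (_, attempts) in records.items() if attempts < min_attempts]


def population_prior(records, strength=10.0):
    """Beta(alpha, beta) prior centred on the population failure rate and worth
    `strength` pseudo-observations (an assumed, simple empirical-Bayes choice)."""
    fails = sum(f for f, _ in records.values())
    attempts = sum(a for _, a in records.values())
    rate = fails / attempts
    return rate * strength, (1.0 - rate) * strength


def posterior_rate(fails, attempts, alpha, beta):
    """Posterior mean of a Beta-binomial model: the observed counts plus the prior's
    pseudo-counts. With few attempts the prior dominates; with many, the data does."""
    return (fails + alpha) / (attempts + alpha + beta)


def rank_users(records, strength=10.0):
    """Return (frequentist ranking, Bayesian ranking), most suspicious user first."""
    alpha, beta = population_prior(records, strength)
    by_raw = sorted(records, key=lambda u: raw_rate(*records[u]), reverse=True)
    by_bayes = sorted(records, key=lambda u: posterior_rate(*records[u], alpha, beta),
                      reverse=True)
    return by_raw, by_bayes


if __name__ == "__main__":
    alpha, beta = population_prior(RECORDS)
    for user, (f, a) in RECORDS.items():
        print("%-6s raw %.3f  posterior %.3f" % (user, raw_rate(f, a), posterior_rate(f, a, alpha, beta)))
    print("ranked by raw rate:", rank_users(RECORDS)[0])
    print("ranked by posterior:", rank_users(RECORDS)[1])
    print("excluded by a min-20 rule:", sparse_users(RECORDS))
```

The posterior never discards alice the way a minimum-sample rule would; it just refuses to let two observations outweigh a hundred. That is the behaviour wanted when a data lake holds millions of entities, most of them with only a handful of events each.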

Humans and machines: Better together

With big data and data lakes, machine learning can be far more automated than ever before and as unsupervised as we allow, while still accepting feedback, as in a semi-supervised system. Because data is simply becoming bigger, it is safe to argue that the data lake is inevitable. With machine learning to help us automate and learn—and with the right technologies to help us search, visualize, and detect threats—our human experts take on a new, more expert and guiding role. Here is how I think the security professional is evolving.

Advanced chess,⁹ sometimes called Centaur chess, is a form of chess where the players are actually teams of humans with computer programs. The human players are fully in control but use chess programs to analyze and explore possible moves. It turns out that the combination of humans and computers together produces stronger chess play than either humans alone or computers alone. Why is the combination of humans with computers so powerful for playing chess? It turns out that computers are generally better at calculating lots of moves, at being consistently tactical, and at not making mistakes. Humans, however, tend to have a better holistic feel for the game. They see broad themes and are better able to identify an edge, excelling in strategic play. What is perhaps best, of course, is humans and computers working together.

Why spend time looking at log files and billions of events when computers are so good at these tasks? Why look to an algorithm for a strategy on use cases? A skilled cyber hunter fed with amazing data sources and machine learning will save time, because the math never gets tired and rarely, if ever, makes a mistake. This leaves our experts far more free to focus on edge cases and to provide feedback and guidance back to the system on new models and features. Better together, the human expert with proper machine learning tools is the winning combination that makes the future of security analytics so optimistic, compelling, and powerful.

⁹ Centaur Chess – https://en.wikipedia.org/wiki/Advanced_Chess.

References
—Adriaans, P. and Zantinge, D., 1996. Data Mining, England: Addison-Wesley Longman.
—Conway, D. and White, J. M. 2012. Machine Learning for Hackers, Cambridge: O’Reilly Press.
—Guyon, I.; Gunn, S.; Nikravesh, M. and Zadeh, L. A. 2006. Feature Extraction: Foundations and Applications, Netherlands: Springer.
—Marz, N. and Warren, J. 2015. Big Data: Principles and Best Practices of Scalable Real-Time Data Systems, NY: Manning Publications.
—Murphy, K. P. 2012. Machine Learning: A Probabilistic Approach, Cambridge, Massachusetts: MIT Press.
—O’Neil, C. and Schutt, R. 2013. Doing Data Science: Straight Talk from the Frontline, Cambridge: O’Reilly Press.
—Tan, P.-N.; Kumar, V. and Steinbach, M. 2006. Introduction to Data Mining, Boston: Addison-Wesley Longman.
—Tufte, E. R. 1983. The Visual Display of Quantitative Information, Connecticut: Graphics Press.
—Zumel, N. and Mount, J. 2014. Practical Data Science with R, NY: Manning Publications.

About the Author
Stephan Jou is CTO at Interset. He was previously with IBM and Cognos and holds an M.Sc. in Computational Neuroscience and Biomedical Engineering and a dual B.Sc. in Computer Science and Human Physiology from the University of Toronto. He may be reached at [email protected].


Internet of Things: Trust
By R. S. Tumber – ISSA member, UK Chapter

Abstract
As the Internet of Things (IoT) provides an interface between the digital and physical world, threats of attack can maneuver their way from manipulating information to controlling actions. Billions of human-to-machine and machine-to-machine devices continue to grow in number, promising to increase convenience and efficiency for our way of life. This article discusses the fundamental element of the Internet of Things being overlooked: Trust. As billions of devices come online, IoT will increase the potentially staggering attack surface. It will be paramount to protect the keys and certificates for authentication, validation, and access control in order for IoT to be a trusted participant in our information world.

By 2020, it’s estimated that the number of connected devices—between humans and machines (H2M) and machines to machines (M2M)—could explode to 50 billion. Considering there are fewer than seven billion humans on this planet, 50 billion is a staggering amount [1]. The Internet of Things (IoT) revolves around increased instantaneous machine-to-machine communication, built on cloud computing and sensors; it’s instrumental to the concept of smart cities. IoT unleashes a whole host of uses: enabling you to open a mobile app to preheat your oven, start the washing machine, or remotely turn up the heat on your thermostat; approve a shopping list generated by your fridge; let your pet out of its smart door; and even detect rubbish levels in containers in order to optimize the route taken by garbage-collection organizations [3]. The real benefit of IoT lies with the gathering, measuring, evaluating, and leveraging of data between sensors and machines. Transferred from the sensors, this data is utilized by cloud-based applications to transmit and interpret the data, converting intelligence into real-time action [2].

For example: quite apart from the growing attention paid to driverless cars, many of today’s cars are fitted with numerous sensors. When roads are built or re-built, they can be constructed using smart cement—cement equipped with sensors to monitor stress that could lead to potential sinkholes. Additionally, if there is ice on the road, the same sensors in the concrete can detect it and communicate this via wireless Internet to your car. Your car can then instruct the driver to slow down; if he or she doesn’t, the car can slow down automatically. With smart roads, cars could also be re-routed to less-congested roads [2]. However, while IoT may seem to be a worldwide phenomenon and the symbol of efficiency, there is a fundamental concern: Trust.

Trust

The issue of trust involves:
• How can we ensure the IoT system will continually function as it should?
• How can we detect any deficiencies in the operation of the IoT system?
• How can we trust the information flow of the IoT system?

As IoT provides an interface between the digital and physical world, threats of attack can maneuver their way from manipulating information to controlling actions. It’s one thing when your organization gets hacked and quite another when your pacemaker, commercial airline, or traffic light control and coordination system gets taken over through security vulnerabilities in IoT devices. As billions of H2M and M2M devices continue to grow in number, they become increasingly attractive attack targets, and the attacks continue to grow in both magnitude and sophistication, putting trust at risk [3]. Attackers could potentially leverage IoT to:
• Morph common ICT worms to the IoT environment
• Target residential IoT environments (e.g., unprotected webcams)
• Access intellectual property; conduct sabotage and espionage
• Attack hospital intensive-care departments, nuclear power plants (e.g., Stuxnet virus), railways, etc.

The critical issue for trusting IoT lies with protecting the keys and certificates used for ensuring authentication, TLS validation, and access control. It’s becoming more difficult to distinguish which keys and certificates can be trusted. Without this ability, trust remains in a perilous state.

Real-world examples

The dark side of IoT has already revealed itself, with life-threatening vulnerabilities [6-10]:
• Motor industry: In 2015, security experts Charlie Miller and Chris Valasek hacked into a Toyota Prius and a Ford Escape using a laptop plugged into the vehicle’s diagnostic port. This vulnerability enabled the team to manipulate the car’s steering, braking, and headlights. One suggested security control has been to change the certificates used for TLS communication between the vehicles at regular intervals. However, managing the public key infrastructure could be a real struggle if the vehicles cannot determine whether a certificate is legitimate or malicious. Obviously, this is the job of code-signing certificates.
• Healthcare industry: In 2014, Scott Erven and his team of security researchers discovered major security flaws whereby they could remotely manipulate devices, including those that controlled dosage levels for drug infusion pumps and connected defibrillators.
• Hotel industry: This industry is moving towards digital room key access to enable guests to use their smartphone to access their room using a digital certificate. However, what if attackers were able to fraudulently issue their own certificate to misrepresent the guest?
• Surveillance industry: In 2014, the UK Information Commissioner’s Office warned that footage from hundreds of thousands of CCTV cameras and baby monitors was being live-streamed on the Internet unknown to their owners. It was found that a Russian website published thousands of these streams, viewable by anyone. The CCTV cameras and baby monitors were configured with insecure default passwords, which were not changed (as is deemed necessary to increase security).
• Energy industry: In 2012, security researcher Justin W. Clarke discovered a flaw within a device of a major network infrastructure provider. By decrypting traffic between an end user and that device, an attacker could launch attacks to compromise the energy grid.

Considering such attacks exposed not only entry points for cyber attack but also the disclosure of sensitive data, it is not possible to fully trust IoT devices.

Attack vectors

An IoT infrastructure consists of the interconnection of components embedded with electronics, software, sensors, and network connectivity. If any of these are poorly configured, they can potentially affect the security and resilience of a mass-scale deployment of IoT devices, or even the Internet globally. In order to increase confidence amongst the masses and instill trust, these interconnected components must be secured via methods such as device identity, geographic location capability, data transport channels, and mechanisms for encryption, authentication, and authorization. Drilling down to the different attack vectors upon a typical IoT environment, these can be categorized into three groups where the issue of trust can be addressed [4, 5]:

Attacking the device
IoT devices must possess the computing power, memory, and storage capacity to support adequate encryption, authentication, and authorization protocols. As such protocols may require user intervention in terms of configuration and provisioning, IoT devices need to be protected from tampering, theft, and other forms of compromise. To establish device identity and aid authentication and authorization with other devices, device ID certificates should be issued to each device—at the point of manufacture. Intertwined within an identity framework, devices can be recognized and managed across the IoT environment.

Attacking the communication: H2M and M2M
Beyond personal data, an IoT environment will be communicating device data (stored by the device’s manufacturer and service provider) such as product designs, usage statistics, billing records, decryption keys, authorization codes, parameters, logs, etc. Although not every IoT endpoint will possess the capability for bi-directional communication, data transport channels need to be encrypted to protect this data from interception, disclosure, and modification, thus ensuring the data’s confidentiality and integrity.

Attacking the “master”
Here, master is the term given to the device manufacturer, cloud service provider, and IoT provider. The master’s role is to issue and manage the devices and assist with the data analysis. Entrusted with vast amounts of data, the master could be the prime attack target. To protect against this, the master should integrate code signing of the firmware/software updates using digital certificates. Also, device communication should be conducted via TLS certificates.

Establishing trust IoT environments cannot rely on perimeter- or detection and remediation-based IT security solutions. A dynamic approach to security is required, enabling the secure on-boarding of devices and dynamic key generation to determine which devices and conditions are required for registration, authorization, and provisioning. An effective security solution must also deliver efficient policy-driven data encryption with application-level control to provide security for IoT data flows between devices, services, and applications. • Secure device provision: The process of introducing and on-boarding devices into an IoT application must be securely controlled while meeting the specific requirements of each IoT environment.  24 – ISSA Journal | August 2016

• Secure credential management: Managed PKI services from reputable organizations have revolutionized the cost and complexity of digital certificate infrastructures. Many of these services now include support for smaller IoT-style certificates to help deliver stronger security to a wider range of devices. An effective solution should also directly integrate with reputable PKI providers to securely automate certificate provisioning, revocation, and renewal processes. Additionally, the creation of a direct, authenticated, policy-enforced binding between devices and the credentials that are assigned to them will help to prevent the use of certificates and keys from unauthorized devices.
• Secure updates: Unauthorized software and firmware updates are a major threat vector for IoT devices. Unlike other cyber attacks, IoT breaches can have physical consequences that may result in loss of life. There are three critical security requirements for delivering updates securely to IoT devices:
  1. Securing access to the updates
  2. Verifying the source of the updates
  3. Verifying the integrity of the updates
  An effective solution will need to deliver these three critical requirements for IoT environments. Access to secure updates would need to be restricted to authorized devices. These updates should be encrypted for target devices and not be exposed to unprotected software or firmware. Finally, secure updates will need to ensure that both the source of the updates and the integrity of the updates themselves are verified. This will help to deliver end-to-end protection for device updates.
• Policy-driven encryption: As examples have shown, data-transfer mechanisms utilizing transport-based security protocols have been compromised and do not guarantee end-to-end data security. To help prevent this, policy-driven end-to-end security can be integrated to protect data as it moves between the IoT devices and applications.
An effective solution can take advantage of dynamic key generation to ensure data can be encrypted with one-time-use keys that are not shared or stored. Datasets may be encrypted for specific recipients, independently from data transport protocol security. Particular policies can be utilized to determine precisely which data needs to be encrypted, while ensuring regulatory compliance.
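The secure-update requirements listed above (source verification and integrity verification, with access restricted to the target device), as an added example that is not the article's or any vendor's code: the update server signs a manifest binding the image hash to a version and device model, and the device checks the source first, then target and anti-rollback fields, then image integrity, before anything is installed. The manifest format, field names and key handling are constructed for this example; encrypting the image for the target device is not shown.

```go
// Added example, not the article's code: device-side verification of a signed
// firmware update. Key handling, manifest layout and names are constructed.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest describes one update. The signature covers Encode(), so model,
// version and image hash cannot be altered independently of each other.
type Manifest struct {
	Model    string
	Version  uint32
	ImageSHA [32]byte
}

// Encode returns the canonical bytes that are signed (constructed format:
// model, NUL separator, big-endian version, SHA-256 of the image).
func (m Manifest) Encode() []byte {
	out := append([]byte(m.Model), 0)
	out = append(out, byte(m.Version>>24), byte(m.Version>>16), byte(m.Version>>8), byte(m.Version))
	return append(out, m.ImageSHA[:]...)
}

// NewManifest hashes the image and fills in the manifest the server will sign.
func NewManifest(model string, version uint32, image []byte) Manifest {
	return Manifest{Model: model, Version: version, ImageSHA: sha256.Sum256(image)}
}

// GenerateVendorKey creates the vendor signing key pair. In production the
// private half stays in the vendor's signing service; the public half is
// provisioned into each device at manufacture.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest is the server-side step.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// Device is the state a device needs to verify an update offline.
type Device struct {
	Model     string
	Version   uint32
	VendorKey ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("update: manifest signature invalid (source check failed)")
	ErrWrongModel   = errors.New("update: manifest targets a different device model")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
	ErrBadImage     = errors.New("update: image hash mismatch (integrity check failed)")
)

// VerifyUpdate runs the checks in the order a device should: source first
// (nothing in an unauthenticated manifest is trusted), then target model and
// anti-rollback version, then integrity of the image bytes themselves.
func (d *Device) VerifyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Model != d.Model {
		return ErrWrongModel
	}
	if m.Version <= d.Version {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageSHA {
		return ErrBadImage
	}
	return nil
}

// Install applies a verified update and advances the installed version, so
// the same signed manifest cannot be replayed onto the device later.
func (d *Device) Install(m Manifest, sig, image []byte) error {
	if err := d.VerifyUpdate(m, sig, image); err != nil {
		return err
	}
	d.Version = m.Version // the flash write would happen here
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2") // stand-in for a real image
	m := NewManifest("sensor-node", 2, image)
	sig := SignManifest(priv, m)
	dev := &Device{Model: "sensor-node", Version: 1, VendorKey: pub}
	fmt.Println("tampered image:", dev.VerifyUpdate(m, sig, []byte("modified image")))
	fmt.Println("genuine update:", dev.Install(m, sig, image))
}
```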

Conclusion

Although the Internet of Things promises a number of efficiencies, increased competitiveness, improved customer service, and even new market opportunities, security breaches won’t just threaten our data, but our lives (e.g., a man-in-the-middle attack taking control over our vehicles) as well. Trust, therefore, is now an overwhelming issue for us all, even with the attack vectors secured with strong encryption, digital certificates, authentication, and authorization protocols, etc. In order to deploy strong security to address IoT’s risky paradigm, policy-driven data encryption, credential management, access control, and secure updates will be required to instill device-based trust for IoT devices.


About the Author

As well as being a cybersecurity specialist, Rajinder Tumber has been “Highly Commended” by a panel of expert judges for the “Personality of the Year” award in the cybersecurity industry. He is also a finalist for the “IT Manager of the Year” award from Computing and BCS – The Chartered Institute for IT. Additionally, Rajinder Tumber is a sci-fi/fantasy novelist, and he participates in exclusive cyber-related roundtables, thought-leadership, mentoring, and public-speaking events. He may be reached at rajinder.tumber@hotmail.co.uk.


Internet of Things: Security, Privacy and Governance
By Regner Sabillon – ISSA member, Alberta Chapter

This article reviews the history, concepts, and major concerns with the Internet of Things in terms of governance, privacy, ethics, data collection, and security.

Abstract

The Internet of Things includes countless devices connected to the Internet to improve the quality of people’s lives in their personal and professional environments. It enables data collection but has many security, ethical, governance, and privacy issues. This article reviews the history, concepts, and major concerns with the Internet of Things in terms of governance, privacy, ethics, data collection, and security.

Brief history of IoT

The Internet—widely known as the Network of Networks—has grown from its inception in the early days to a huge technology phenomenon in the digital era. Back in the day, no one could have predicted what the Internet has become and how a set of inventions contributed to its architecture. The Internet of Things (IoT) is not new; in fact, its roots are based on the ubiquitous computing, pervasive computing, ambient intelligence, or ubicomp concepts that represent computing technology being available anytime and everywhere. Mark Weiser, considered the father of ubiquitous computing [1], defined it as “the method of enhancing computer use by making many computers available throughout the physical environment, but making them effectively invisible to the user” [2]. Kevin Ashton, co-founder of the Auto-ID Center (Massachusetts Institute of Technology), coined the term Internet of Things while presenting at Procter & Gamble in 1999. He described it as an evolution of the Internet whereby computers are empowered with their own means of gathering information [3]. The IoT, along with cloud computing, is recognized as the global third wave of the Information and Communications Technology (ICT) industry. The European Union created the European Internet of Things Research Cluster (IERC) in 2009 [4]. The Internet of Things Group from Cisco (IOTG) predicted that there will be over 50 billion connected devices by 2020 [5]. The Internet of Things relies on many communication technologies, applications, and protocols like RFID, near field communication (NFC), machine-to-machine (M2M), wireless sensors, actuator networks, LTE, 3G, 4G, GSM, wireless sensor network (WSN), supervisory control and data acquisition (SCADA), CDMA, GPRS, Wi-Fi, Bluetooth, Z-Wave, and ZigBee [6]. Hackers always find new ways to exploit IoT security flaws, and vulnerabilities will only increase as the industry grows. According to Zhou (2015), Web 3.0, the Internet of Things, is the Internet of machines because data is generated by machines and consumed by humans and things. He argues that IoT runs on four major application categories: smart systems, RFID, WSN, and M2M, using intranets, extranets, and the Internet to communicate, based on cloud services, software-as-a-service (SaaS), and service-oriented architecture (SOA) [7]. The IoT industry is still in its infancy; hence, a security checklist that applies to all connected devices or “things” does not exist, but in order to gain consumer confidence manufacturers must consider the security fundamentals that the US Federal Trade Commission (FTC) is proposing (table 1) [8].

Table 1 – FTC security considerations for IoT

IoT security consideration – Description
Security culture – Encourage a security culture with stakeholders and staff
Security by design – Implement security right from the start, especially from the design phases of products and throughout the product lifecycle
Defense-in-depth – Incorporate security measures at all levels
Risk-based approach – Identify all possible risks and create a mitigation plan
Data collection – Carefully decide what kind of data you want to collect from your customers
Password administration – Avoid default passwords
Encryption techniques – Consider stronger encryption methods
Add salt – Salting adds strings of characters to passwords before the MD5 hash is computed
Rate limiting – Implement network controls over the inbound and outbound data traffic
Authentication – Enforce strong authentication
Interface security – Design system interfaces to reduce cyber attacks
Proper security testing – Perform all different testing scenarios before launching your product
Customer communication and support – Maintain two-way communication with your clients
Security updates for products – Define a security update program

IoT concepts

River Publishers defines IoT as the new era of ubiquitous connectivity and intelligence, where a set of components, products, services, and platforms connects, virtualizes, and integrates everything in a communication network for digital processing. The European Internet of Things Research Cluster defines IoT as: An integrated part of the future Internet, including existing and evolving Internet and network developments, and could be conceptually defined as a dynamic global network infrastructure with self-configuring capabilities based on standard and interoperable communication protocols where physical and virtual “things” have identities, physical attributes, and virtual personalities, use intelligent interfaces, and are seamlessly integrated into the information network. Furthermore, it is considered a dynamic global network infrastructure where physical and virtual “things” are connected [9]. The International Telecommunication Union (ITU) created the ITU-T Study Group 20; this group is responsible for the IoT standardization requirements with a focus on IoT applications in smart cities and communities. ITU defines IoT as [10]: A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies. NOTE 1 – Through the exploitation of identification, data capture, processing, and communication capabilities the IoT makes full use of things to offer services to all kinds of applications while ensuring that security and privacy requirements are fulfilled. NOTE 2 – From a broader perspective, the IoT can be perceived as a vision with technological and societal implications.

Gartner defines IoT as the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment [11]. These concepts have common ground for integration with physical and virtual things using information networks.

IoT applications

In most cases, the “things” will communicate and share data using embedded systems, sensors, and public or private apps. The IERC has categorized a list of emerging IoT applications:
• Wearables
• Smart health and wellness
• Smart homes and buildings
• Smart energy
• Smart mobility and transport
• Smart manufacturing and industrial IoT
• Smart cities
• Smart farming and food security

IoT devices must have security and privacy features built in from the early stages of their design and architecture involving data collectors, data storage, data processors, data servers, and data gateways [12].

Governance

According to the Internet Society, the IoT or M2M (machine-to-machine) is expected to exceed 50 billion “things” in 2020; that is, 99 percent of everything produced will be connected to the Internet, and the connectivity growth will result in 1.2 trillion USD of connected-device revenues [13]. The IoT is already part of the third wave in computing, where one person deals with many computing devices. In the first wave one computer (mainframe) was shared by multiple users; in the second wave one person used one personal computer. While there are many organizations involved to various degrees in IoT standardization and governance processes, most regulations come from the Institute of Electrical and Electronics Engineers (IEEE), ITU, European Telecommunications Standards Institute (ETSI), IERC, the Internet Engineering Task Force (IETF), the National Institute of Standards and Technology (NIST), the Organization for the Advancement of Structured Information Standards (OASIS), the World Wide Web Consortium (W3C), and the Internet Society [14]. Some IoT standards include the IEEE privacy and security architecture for consumer wireless devices working group (COM/SDB/P1912 WG), the IoT Top 10 Project from the Open Web Application Security Project (OWASP), and the Cyber-Physical Systems Public Working Group (CPS PWG) from the NIST Engineering Laboratory Cyber-Physical Systems and Smart Grid Program Office.

Privacy

A 2014 TRUSTe survey highlighted that 60 percent of end users have basic IoT privacy awareness, 88 percent want to limit the data collection from smart devices, and 87 percent of Internet users are really concerned about how their personal data is collected through smart devices [15]. As with any computing interaction, IoT privacy must be protected in terms of personal information collection, storage and retention, confidentiality, people privacy, and personal behavior privacy. Furthermore, IoT privacy shall include protection of the data exchange, protection of server information, protection of data usage, and the publication of transparent data usage policies. Additional research is needed on heterogeneous devices, privacy-preserving technology, legal and liability questions, cloud computing trust, and privacy policy management. Consumers really care about protecting their privacy; they demand that controls be implemented to protect it, and IoT devices should have privacy controls built in. In a nutshell, IoT privacy issues could be very important barriers to the growth of IoT.

Ethics

Insufficient research has been dedicated to investigating ICT ethics and IoT ethics; the existing studies are mostly linked to borrowed principles from biomedical ethics [16]. IoT ethics can be further studied using universal principles like autonomy, harm avoidance, justice, privacy, and data protection. IERC (2015) considers some ethical IoT elements like the separation between privacy and ethics, knowledge education for users, identity, informed consent, trust, the social digital divide, human agency, and the fear of rising social isolation. IoT ethical principles must be addressed in terms of rights to liberty, avoiding harm, beneficence, justice, privacy, and data protection. These principles must include features like informed consent, safety, social solidarity, universal services, accessibility, sustainability, equality, fairness, data collection limitation and retention, use limitation, transparency, people privacy, and data purpose specification. Computer ethics is normally seen as static and passive. A more interactive approach is required as IoT ethics is changing to a dynamic and positive view based on all types of encountered risks.

Data minimization

We are already dealing with big data environments, but with the existing predictions for IoT growth we could easily see extremely large data with the future connected “things.” The International Data Corporation predicted that in 2019 there will be 126.1 million devices and that the worldwide wearable market will grow at a five-year compound annual growth rate (CAGR) of 45.1 percent [17]. Laplante (2016) highlights that there are three reliability issues that affect big data IoT systems: authentication, security, and uncertainty. All these factors are within the scope of the notion of trust [18].

Data minimization consists of creating awareness in companies for limiting the amount of data collected, retained, and disposed of. Data minimization focuses on two privacy-related risks:
1. Large amounts of data attract data thefts, and this risk increases the potential harms to customers
2. Large amounts of customer data may be used for other purposes
Companies can decide not to collect data at all, collect only the necessary data, collect less sensitive data, or implement de-identification.

Security

A recent IoT HP research study (2015) identified that 80 percent of devices raise privacy concerns, 70 percent lack encryption to the Internet and local network, 80 percent have weak passwords, 60 percent reported web interface security issues, and 90 percent of devices collected personal information via the cloud, the device, or the app [19]. Radio frequency identification (RFID) systems and tags are widely used in IoT. RFID operates in the industrial, scientific, and medical (ISM) frequency bands (100 kHz–5.8 GHz). RFID tags are classified as passive, semi-passive, and active, and these tags are embedded in proximity cards, credit cards, vehicle ignition keys, passports, and driver’s licenses, and are used to track cattle [20]. RFID has known vulnerabilities linked to information security: the ability of end users to download their own applications with open-source code vulnerabilities is a known weakness that hackers can take advantage of to spread worms beyond web-browsing capabilities, change application functionality in social networking environments, and crack personal passwords. In addition, RFID electronic circuits can broadcast corrupted data to databases or computer systems that are vulnerable to viruses or denial-of-service (DoS) attacks. Attackers with the right tools and equipment can make copies of the RFID electronic circuit from a cheap product and load it onto an expensive item. This cybercrime technique is being used to steal vehicles with RFID scanners; cybercriminals can steal the signal of the original ignition key by operating an electronic device that duplicates RFID signals. RFID tags can be read to target people carrying expensive items, exposing them to theft of their personal information. While complex encryption can be implemented on active RFID tags, it is not a common practice because it requires too much power. Furthermore, an encrypted tag ID can simply be tracked using clandestine reading. While the ISO 18000-7 standard allows locking RFID tags for enhanced security, when the active tag is in a locked status it will not recognize some commands, but the memory can still be read [21]. Some considerations to improve IoT security in the near future should include security standardization, the implementation of core components of data security, strong authentication, data encryption, access control, patch management, port protection, and perimeter protection, and offering embedded protection against malware.

Summary

The massive growth of the global IoT industry is imminent, regardless of the existing security, privacy, and governance issues. There is still time to address all these concerns if the stakeholders, manufacturers, and regulators work together to correct security and privacy deficiencies. Creating trust is necessary in order to provide suitable environments for IoT security, privacy, and governance. Fragmentation of the IoT industry is one of the biggest challenges to overcome; manufacturers, governments, and regulation entities must work together to find global solutions. The Internet of Things will probably be less secure and more vulnerable than the conventional Internet due to many factors. In the future it is likely that IoT will interact with both physical and virtual worlds to enhance people’s lives. There are many challenges to overcome, but many efforts must be oriented towards the enforcement of standards, stakeholder education, promoting better security and privacy practices, and, thus, strong legislation.

References

1. Weiser, M., March 1996. Ubiquitous Computing – http://www.ubiq.com/hypertext/weiser/UbiHome.html.
2. Weiser, M., July 1993. Some Computer Science Problems in Ubiquitous Computing, Communications of the ACM (reprinted as “Ubiquitous Computing,” Nikkei Electronics, December 6, 1993, pp. 137-143) – http://www.ubiq.com/hypertext/weiser/UbiCACM.html.
3. Ashton, K., June 2009. That ‘Internet of Things’ Thing, RFID Journal – http://www.rfidjournal.com/articles/view?4986.
4. IoT European Research Cluster, 2011. European Research Cluster on the Internet of Things (IERC).
5. Lopez Research LLC, 2013. An Introduction to the Internet of Things (IoT): Part 1 of the IoT Series – http://www.cisco.com/c/dam/en_us/solutions/trends/iot/introduction_to_IoT_november.pdf.
6. Britton, K., April 2016. Handling Privacy and Security in the Internet of Things. Journal of Internet Law, pp. 3-7.
7. Zhou, H., 2015. The Internet of Things in the Cloud: A Middleware Perspective. Boca Raton: CRC Press, Taylor & Francis Group.
8. US Federal Trade Commission, 2015. Careful Connections: Building Security in the Internet of Things – https://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf.
9. Vermesan, O. et al. Internet of Things Strategic Research Roadmap – http://www.internet-of-things-research.eu/pdf/IoT_Cluster_Strategic_Research_Agenda_2011.pdf.
10. International Telecommunication Union (ITU), June 2012. Overview of the Internet of Things (ITU-T Y.2060). Series Y: Global Information Infrastructure, Internet Protocol Aspects and Next-Generation Networks.
11. Gartner IT Glossary, 2016. Internet of Things – http://www.gartner.com/it-glossary/internet-of-things/.
12. Herold, R., 2015. The Criticality of Security in the Internet of Things. ISACA Journal, Volume 6, 2015.
13. Internet Society, 2015. Global Internet Report 2015: Mobile Evolution and Development of the Internet, Geneva, Switzerland – http://www.internetsociety.org/globalinternetreport/assets/download/IS_web.pdf.
14. IEEE Internet of Things, May 2015. Towards a Definition of the Internet of Things (IoT), Issue 1 – http://iot.ieee.org/images/files/pdf/IEEE_IoT_Towards_Definition_Internet_of_Things_Issue1_14MAY15.pdf.
15. Ipsos MORI, February 2014. TRUSTe Privacy Index: 2014 Internet of Things Edition, US Edition – https://www.truste.com/resources/privacy-research/us-internet-of-things-index-2014/.
16. IoT European Research Cluster (IERC), 2015. IoT Governance, Privacy and Security Issues – http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf.
17. International Data Corporation (IDC), 2015. Worldwide Quarterly Wearable Device Tracker – http://www.idc.com/getdoc.jsp?containerId=prUS25519615.
18. Laplante, P., May 2016. The Internet of Things and Big Data Systems: The International Bazaar. IEEE Reliability Magazine, pp. 5-6 – http://iot.ieee.org/images/files/pdf/iot-and-big-data-systems-the-international-bazaar.pdf.
19. Hewlett Packard, 2015. Internet of Things Research Study: 2015 Report – http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf.
20. Maharjan, S., 2010. RFID and IoT: An Overview. Simula Research Laboratory, University of Oslo – http://www.uio.no/studier/emner/matnat/ifi/INF5910CPS/h10/undervisningsmateriale/RFID-IoT.pdf.
21. Yan, L., Zhang, Y., Yang, L. and Ning, H., 2008. The Internet of Things: From RFID to the Next-Generation Pervasive Networked Systems. Boca Raton: Auerbach Publications, Taylor & Francis Group, LLC.

About the Author

Regner Sabillon, C|CISO, ITIL, CGEIT, CRISC, ISO 27001 LA, I.S.P., ITCP, MBA, M.Sc., is a PhD candidate at the Network and Information Technologies Programme – Catalonian Open University (UOC), Spain, and a Canadian researcher in cybersecurity, cyber law, cyberforensics, and cybercrime areas. He is an instructor at Athabasca University, Canada, and an ICT specialist with more than 20 years of experience. He can be reached at [email protected].

Internet of Things: Arduino Vulnerability Analysis
By Audrey Ann Gendreau – ISSA member, Tampa Bay Chapter

This article examines the vulnerabilities to the security of physical computing interactive systems designed to sense and respond to a physical phenomenon, focusing on the Arduino microcontroller.

Abstract

This article examines the vulnerabilities to the security of physical computing interactive systems designed to sense and respond to a physical phenomenon. Working towards mapping security configuration issues to policies for automated end-to-end trust in the Internet of Things, it analyses vulnerabilities of physical computing from the unique perspective of the Do-It-Yourself (DIY) community.

This article is about vulnerabilities of physical computing from the unique environmental perspective of ordinary people (e.g., the Do-It-Yourself community) using electronic prototyping tools to build interactive systems designed to sense and respond to the physical world. When connected to the Internet, less visible objects are more susceptible to attacks [7]; yet, they act as end nodes monitoring and encoding the analog world into digital data as part of the Internet of Things (IoT).

This is important to security professionals because the new trend in the IoT research community is towards an all-inclusive approach to the security posture of the IoT. Currently, the proposed intrusion detection systems of the future are designed to detect millions of intrusions in the whole of cyberspace by either integrating detection functionality into the network stack, or using computational intelligence based systems [28]. To this end, the commonalities across the domains (i.e., Do-It-Yourself physical computing) in the IoT need to be recognized in order to establish policies to be enforced when a device is connected to the IoT.

The first standard Arduino system was released in 2005 and began the international Do-It-Yourself (DIY) revolution in physical computing and the maker movement. Physical computing is analogous to the concept of traditional embedded programming [1], while the maker movement is a broader term used to cover both technology-based DIY as well as handmade textiles and other creative arts. In the same way users once built their own computers at home, makers now use a combination of hardware and software to build interactive systems that can sense and respond to physical phenomena such as home security monitoring systems or a talking heart rate monitor. Moreover, this distinction is in large part environmental, as these undocumented objects exist in homes and public libraries and are frequently developed and maintained by minors, the IoT’s weakest link.

With respect to previous mobile embedded systems, today’s devices used to facilitate physical computing offer greater flexibility, affordability, and programmability to the average user. Moreover, barriers due to lack of experience or skill have been removed by fostering a new nontechnical electronic user group of inventors and artists as part of what is designated as the Maker Movement, incentivized by hackathons for student teams. In this context, “hacking” means building a new electronic object or application quickly [24].

Mini computers and microcontrollers

In the tool set of the maker movement, there are two basic platforms: mini computers and microcontrollers. The current popular mini computers include Raspberry Pi and BeagleBone Black, which are both Linux distributions with Python scripting [5]. To enable physical computing, they use a general purpose input/output (GPIO) extension board. One of the GPIO interfaces frequently utilized is the Arduino [6][8], a microcontroller electronic prototyping platform and the use case for this study.

This article presents an analysis of the threats of physical computing in the IoT using the Arduino as a case study. It reflects the most recent systems, including a special release designed for the IoT. Attack patterns are analyzed with respect to their exploitability and impact on individual objects and their users (e.g., minors, Arduino systems, and the local environmental risk that they represent).

Methodology

The threat analysis is conducted according to NIST's The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities [15]. The CCSS incorporates the base score into the optional temporal and environmental perspectives for a more holistic assessment of the security posture of a system. The following is a detailed explanation of the models; see the documentation [15] for the list of parameter values. According to the specifications of the system, each scored notation is to provide the abbreviated metric name, a colon, followed by the metric value.

Base metric evaluation

The base metric is focused on the threat posed by a security configuration issue that is constant over time and across user environments. The only required metric is the Base Score, shown in figure 1. The Base Score is based on two criteria, Impact and Exploitability, which are computed from six metrics: Access Vector (AV), Authentication (Au), Access Complexity (AC), Confidentiality Impact (CI), Integrity Impact (I), and Availability Impact (A).

BaseScore = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact)
Impact = 10.41 * (1 - (1 - CI) * (1 - I) * (1 - A))
Exploitability = 20 * AV * AC * Au
f(Impact) = 0 if Impact = 0, 1.176 otherwise

Figure 1 – Base Metrics (Base Exploitability: Access Vector – AV, Access Complexity – AC, Authentication – Au; Base Impact: Confidentiality Impact – CI, Integrity Impact – I, Availability Impact – A; Base Score)

Temporal metric evaluation

The Temporal Score is focused on the time-variant aspect of threats with real-time data streaming, a critical aspect of IoT (figure 2). The two components of the CCSS temporal metrics are the General Exploit Level (GEL) and the General Remediation Level (GRL). GRL measures the available remediations that can mitigate the vulnerability (e.g., network firewalls, training). GEL measures the frequency of the attack.

TemporalScore = ((0.6 * Impact) + (0.4 * TemporalExploitability) - 1.5) * f(Impact)
TemporalExploitability = min(10, Exploitability * GEL * GRL)

Figure 2 – Temporal Score [15] (Temporal Exploitability: Base Exploitability, General Exploit Level – GEL, General Remediation Level – GRL; Base Impact; Temporal Score)

Environmental metric evaluation

The third metric is the Environmental Score. Also optional, it is important when used to capture the character of physical computing vulnerabilities. The Environmental Score measures differences between environments that affect vulnerability risk. These aspects of vulnerability severity are categorized as Local Exploit Level (LEL), Local Remediation Level (LRL), and Local Impact.

EnvironmentalScore = ((0.6 * EnvironmentalImpact) + (0.4 * EnvironmentalExploitability) - 1.5) * f(Impact)
EnvironmentalImpact = min(10, 10.41 * (1 - (1 - EC * CR) * (1 - EI * IR) * (1 - EA * AR)) * CDP)
EnvironmentalExploitability = min(10, Exploitability * GEL * LEL * LRL)
LEL = LVP * PTV

Figure 3 – Environmental metrics (Environmental Impact: Environmental Confidentiality Impact – EC, Environmental Integrity Impact – EI, Environmental Availability Impact – EA, Confidentiality Requirement – CR, Integrity Requirement – IR, Availability Requirement – AR, Collateral Damage Potential – CDP; Environmental Exploitability: Base Exploitability, General Exploit Level – GEL, Local Exploit Level (Local Vulnerability Prevalence – LVP, Perceived Target Value – PTV), Local Remediation Level – LRL; Environmental Score)
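The three CCSS formulas above, implemented as an added worked example that is not the article's own code. The base-metric weights are the CVSS v2 values that CCSS reuses, which reproduce the article's CAPEC404 Base Score of 7.6 and CAPEC410 Base Score of 5.1; the temporal and environmental multipliers (GEL, GRL, LVP, PTV, LRL, CR, IR, AR, CDP) are left as caller-supplied parameters because the article defers to [15] for their tables.

```python
"""CCSS scoring from the article's formulas.

Added example, not the article's own code. The base-metric weights are the
CVSS v2 values that CCSS reuses; the temporal and environmental multipliers
(GEL, GRL, LVP, PTV, LRL, CR, IR, AR, CDP) are caller-supplied because the
article defers to NIST IR 7502 [15] for their tables.
"""
from typing import Dict, Tuple

# Base-metric weights (CVSS v2, adopted unchanged by CCSS).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # Multiple / Single / None
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}     # None / Partial / Complete


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse the 'metric:value' notation the article describes, e.g.
    'AV:N/AC:H/Au:N/C:C/I:C/A:C'. A missing metric raises KeyError."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    for key in ("AV", "AC", "Au", "C", "I", "A"):
        if key not in metrics:
            raise KeyError(f"missing metric {key}")
    return metrics


def f_impact(impact: float) -> float:
    """f(Impact) = 0 if Impact = 0, 1.176 otherwise."""
    return 0.0 if impact == 0 else 1.176


def base_components(vector: str) -> Tuple[float, float]:
    """Return (Impact, Exploitability) from the six base metrics."""
    m = parse_vector(vector)
    ci, i, a = (IMPACT_WEIGHT[m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - ci) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    return impact, exploitability


def _score(impact_term: float, exploit_term: float, gate: float) -> float:
    """Common shape of all three scores: ((0.6*I) + (0.4*E) - 1.5) * f(Impact),
    rounded to one decimal as the article reports them."""
    return round(((0.6 * impact_term) + (0.4 * exploit_term) - 1.5) * gate, 1)


def base_score(vector: str) -> float:
    impact, expl = base_components(vector)
    return _score(impact, expl, f_impact(impact))


def temporal_score(vector: str, gel: float, grl: float) -> float:
    """TemporalExploitability = min(10, Exploitability * GEL * GRL)."""
    impact, expl = base_components(vector)
    temporal_expl = min(10.0, expl * gel * grl)
    return _score(impact, temporal_expl, f_impact(impact))


def environmental_score(vector: str, *, gel: float, lvp: float, ptv: float, lrl: float,
                        ec: str, ei: str, ea: str, cr: float, ir: float, ar: float,
                        cdp: float) -> float:
    """EC/EI/EA take the same N/P/C codes as the base impact metrics; the
    remaining arguments are the [15] multipliers. As written in the article,
    the gate is f(Impact) of the base metrics."""
    impact, expl = base_components(vector)
    env_impact = min(10.0, 10.41 * (1 - (1 - IMPACT_WEIGHT[ec] * cr)
                                      * (1 - IMPACT_WEIGHT[ei] * ir)
                                      * (1 - IMPACT_WEIGHT[ea] * ar)) * cdp)
    lel = lvp * ptv                                # Local Exploit Level
    env_expl = min(10.0, expl * gel * lel * lrl)
    return _score(env_impact, env_expl, f_impact(impact))


if __name__ == "__main__":
    # CAPEC404 as the article scores it: network, high complexity, no auth, complete impact.
    print("CAPEC404 base:", base_score("AV:N/AC:H/Au:N/C:C/I:C/A:C"))   # 7.6
    # CAPEC410: same exploitability, partial impact.
    print("CAPEC410 base:", base_score("AV:N/AC:H/Au:N/C:P/I:P/A:P"))   # 5.1
```

With every temporal and environmental multiplier set to 1.0 the Temporal and Environmental Scores collapse to the Base Score, which is a quick sanity check on any parameter table you plug in.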

Analysis

The Common Attack Pattern Enumeration and Classification (CAPEC) reference framework [13] is a catalogue of attack patterns designed to provide a common language. The framework was designed by the MITRE Corporation and complements the NIST SP 800-126 security automation standard [14], which proposes a taxonomy that measures security in order to certify secure software and systems. In NIST SP 800-126, the CCSS is recommended for scoring the vulnerabilities. CAPEC categorizes attack patterns into six different domains:
1. Social Engineering, CAPEC403
2. Supply Chain, CAPEC437
3. Communications, CAPEC512
4. Software, CAPEC513
5. Physical Security, CAPEC514
6. Hardware, CAPEC515
At the time of this writing there are 504 different attack patterns. Working towards automation as a goal for end-to-end security in the IoT, the first step is to manually analyze the components facilitating the IoT paradigm. Using this methodology, CAPEC in combination with the Common Configuration Scoring System (CCSS) was utilized. Organized by domains, each category is listed as an attack vector with shared and expanding subcategories of attacks. Within the limitations of this article, a subset of the attack domains was analyzed and researched for the Arduino as a pilot for evaluating the security posture of the IoT. According to this methodology the cases should be examined from the perspective of the highest score for the vulnerability. These are the minors in the DIY community driving physical computing gadgetry to create non-industry-based applications and objects.

Social Engineering, CAPEC403

The category of Social Engineering is focused on attacks of trickery and deception that exploit people in order to obtain information for the purpose of computer system access. As discussed in Cybersecurity's Weakest Link: Humans [19], people are the weakest link in security.

CAPEC404: Social information gathering attacks

In this category the attacker gathers information about a targeted individual or organization in combination with executing the attack. Spear phishing, CAPEC163, is an indirect descendant of CAPEC404. To execute a spear phishing attack, a malicious file is attached to an email, or users are directed to a fake website. In both cases there is a hidden payload designed to exploit the victim. Using this technique along with other factors, microcontrollers—the components of programmable logic units (PLU)—are increasingly being compromised. In 2010, the first well-documented exploit, Stuxnet, targeted Iranian nuclear plant centrifuges. More recently, this year there was an attack on Israel's Public Utility Authority and another on a German plant's blast furnace [20]. On a similar platform, social engineering can be used to physically exploit an Arduino microcontroller.

Base Score (figure 1): because an Arduino can be accessed remotely, the Access Vector is network. The Access Complexity is high because a payload needs to be downloaded for the exploit to be successful. No authentication is required to trigger the vulnerability: Authentication is none. The Impact metrics are set to complete because of the high probability of a complete system compromise. The resulting Base Score is 7.6.

Temporal Score (figure 2): the General Exploit Level is none. Still relatively new, campaigns to exploit cell phones are just beginning to surface [21]. The Arduino is a much newer platform than the state-of-the-art cell phone, and attack patterns are not yet observed. Nonetheless, the Arduino hobbyist is interested in the electronics DIY community and Arduino forums. These are additional social-engineering platforms from which to glean information and new channels in which to communicate. However, the Reddit DIY electronics subreddit and Arduino sites contain minimal information in registered user profiles. The Arduino profile includes name, location, post history, date registered, and signature. The Reddit user profile has even less information. The General Remediation Level is high, representing the effectiveness that security training on social engineering to exploit an Arduino would have on the maker movement. The Temporal Score is 6.9.

Environmental Score (figure 3): the characteristics of Arduino vulnerabilities are similar to other environments. The environmental score targets the impact on the device and not the user. For this reason, social engineering techniques for child exploitation are not considered. To compute the environmental score, the Local Vulnerability Prevalence is low, representing the author's perception of the percentage of Arduinos that are connected to the Internet at this time. The Perceived Target Value or motivation is considered low because an attack on hobbyists is not going to produce large monetary or nation-state gains. There is a lot that we can do to stop these types of attacks. There are two primary reasons people fall victim to social engineering [19]:
• People take the path of least resistance, or mental shortcuts that are triggered by messages looking legitimate
• The assumption that online systems are safe

With education these can be remediated; thus, Local Remediation Level is high. The Impact metrics remain complete to indicate the level of access. Collateral Damage Potential is set to low because exploitation would cause slight damage or loss. The Confidentiality Requirement is low, the Integrity Requirement is medium, and the Availability Requirement is the highest, as an Arduino is used for entertainment or as a hobby. The Environmental Score is 5.7.

CAPEC410: Information elicitation via social information gathering

This attack is a subset of CAPEC404. It involves three of the same attacks: gathering information, social engineering, and social information gathering via pretexting. However, the latter attack has a more extensive list of attacks. The only attack used to gather information is pretexting, which is acting out a role in order to gather information. An attacker could pretend to act as an adviser on how to construct a device while remotely gaining access to the physical space. For example, the 2015 Internet Security Report by Symantec stated that in May 2014 the FBI and police in 19 countries arrested more than 90 people in connection with "creepware." These are attacks using Internet-connected webcams to spy on people. Similarly, in the Arduino forum there is a post asking for help to build glasses that capture images when blinking. Therefore, as these devices are monitoring the physical space they are also at greater risk. The base, temporal, and environmental parameter values of this issue are almost the same as category 404. However, unlike spear phishing, the attacks in this category do not result in a complete compromise. For this reason, the base and environmental impact metrics are set to partial. The Base Score is 5.1. The changed Base Score affects the Temporal Score: 4.4. The Environmental Score is 4.5.

CAPEC416: Target influence via social information gathering

This attack focuses on the social engineering perspective by exploiting inherent human psychological predispositions. While the additional social media sites for Arduino development expanded the social information gathering attack surface, it is limited by the scientific tone and restricted content. For this reason the base, temporal, and environmental parameter values are the same as CAPEC410.

Supply Chain, CAPEC437

CAPEC438: Modification during manufacture

An attacker modifies the technology, product, or component during manufacturing in order to attack a supply chain entity. The Arduino platform is open source, and as such the same absence of control that promotes inventiveness and growth prevents establishing safeguards. There are many different solution providers and clones. What prevents a back door from being flashed as part of the new operating system?

The following are two examples of loading malware on hardware in a production line. In 2007, the Taiwanese Ministry of Justice discovered that Seagate hard drives had two Trojans built into them that uploaded data to a pair of websites hosted in Beijing. More recently, the Galaxy S4 smartphone shipped from a factory in China was preloaded with a Trojan masquerading as the Google Play Store. Attackers recorded phone calls, read emails, intercepted financial information, and remotely watched and listened in via phone cameras and microphones. This author points out that it is conceivable that everything from refrigerators and clocks to wearables could be weaponized [22]. Base Score: 7.2, Temporal Score: 6, and Environmental Score: 5.8.

CAPEC439: Manipulation during distribution

An attacker tampers with the technology, product, or component during integration or packaging for distribution. Supply chain operations are usually multinational, as are Arduinos purchased from China. Also, there are many different components and sensor add-ons for the physical computing platforms. The different types of communication and sensor modules allow legitimate hardware to be replaced with counterfeit. According to the CAPEC documentation, fewer than 10 transistors out of billions are required to create malicious functions [13]. In 2011, faulty transistors were found in an electromagnetic interference filter that was part of a US Navy helicopter (SH-60). While believed not to be intentional, the defective part was traced back to a production company in China [22]. For this reason, the scores are mostly the same as in CAPEC438. However, total ruin is not imminent with replaced Arduino parts. The reason is that the CPU is not replaceable on the microcontroller. It is only the auxiliary parts that would be replaced (i.e., sensors, breadboards, communication components, cameras, and wires). The Collateral Damage Potential is set to medium-high, which makes little difference, and

Continued on page 45


Internet of Things: Key Challenges to Overcome By Aditya Srivastava – ISSA member, Dehradun Chapter This article introduces the Internet of Things and discusses security and privacy challenges when networking these devices.

Abstract The Internet has greatly changed society. For example, Internet-enabled applications such as WhatsApp and Facebook have become part of our daily lives. A question that has aroused curiosity among many IT specialists and technocrats is “Can the Internet provide the same impact to modern society when electronic devices containing embedded microcontrollers communicate?” This article introduces the Internet of Things and discusses security and privacy challenges when networking these devices.

Introduction

Internet of Things (IoT) devices are mostly "smart" electronic devices featuring artificial intelligence combined with machine learning via the inputs provided by the user, meaning that the device would be able to sense the presence of the user and start working. Imagine a device that could connect with you, that understands your likes and needs and works accordingly; for example, an IoT device can shop online (intelligent shopping) for you based on your preferences, and can even inform you about a recent sale on a particular commodity that you might often require. While the concept may seem vague, in the near future IoT devices will become an indispensable reality. An IoT device will have the following prerequisites:
1. Unobstructed Internet connectivity – Continuous Internet connectivity is essential, ensured via a robust infrastructure with end-to-end security.
2. Microcontroller is a must – A microcontroller is the most important prerequisite, as it is a small computer on a single integrated circuit board having a CPU, memory, and programmable input and output, which will make the device smarter and capable of the things that the Internet of Things promises.

3. Devices must have sensors – Sensors will monitor the environment: sensing the physical presence of humans, sensing temperature, recognizing voice commands, etc., and will act as inputs to the device microcontroller.
4. Highly durable batteries and low power consumption – The devices will operate continuously—24/7 in most places—and require unobstructed Internet availability; hence, the devices would also require power 24/7. Generation of this large amount of continuous power will be a challenge, so the devices must be designed for low power consumption.

The IT industry is working to enable many common devices to function as IoT devices. Some of these include:
• Smart refrigerator: The day is not far off when we can look inside our fridge at any time and from anywhere; the only requirement would be a good Wi-Fi connection for the fridge.
• Smart structural health: Monitoring vibrations and material conditions in buildings, bridges, and monuments can determine if a structure is verging on failure.

IoT challenges

The Internet of Things is a revolutionary concept, but to fully realize it a few challenges must be overcome.
1. Every device needs an IP address. Doing so on a large scale means generating an enormous number of them. The current IPv4 era is coming to an end with IPv6 taking over, but what if the volume of devices increases such that even IPv6 might not be sufficient? The only solution would be to prepare IPv8. The challenge is not only generating these IP addresses but assigning them as well. Industry will require new machines to do so, but they must be compatible with existing machinery so the current industrial model is not disturbed.
2. Robust and strong devices. The devices need to be strong enough to resist physical damage that might be caused to the sensors that form the heart of the IoT device, and thus need strong protection. Rigidity of the product must be paramount from the beginning of development, as well as the ability to resist physical damage [2].
3. General awareness. Awareness of the changing environment and technology advancements must be spread to the general populace so that they can understand the power of IoT-based devices. They should be guided properly regarding the disposal of these devices, as improper disposal could pose a threat to them: traditional electronic devices are not connected to the Internet, as IoT devices are. These devices contain data, and that data can be leaked if someone gets hold of it, potentially harming the owner of the device. A proper life cycle control mechanism must be defined so that these cases do not happen.
4. Skilled workforce. A large number of skilled workers who understand the technology are required to work in this new environment.

Security and privacy concerns

Security and privacy are by far the biggest challenges to be overcome so that the Internet of Things can be widely implemented and fulfill its promise of an interconnected smart world. In the '80s and '90s when the digital revolution began, few had thought that the whole world would be encompassed by devices and their applications. As we approached the 21st century, computers were connected to each other to share information. This then led to concerns over the security of the communication between them as vulnerabilities were discovered and exploited, breaching the privacy of the users and their trust. Today we are looking at consumer devices like microwaves, refrigerators, and televisions as having abilities to compute and communicate with each other and their human owners; now security and privacy concerns are a top priority, requiring a combination of cybersecurity and physical security to be able to sustain this technology. Giving household appliances the permission to access our gadgets' info—and by extension our personal info—could pose security and privacy risks. In 2015, the US Department of Homeland Security "National Preparedness Report (2015)" [9] described the dangers of household appliances being hacked; but more devices could prove vulnerable. Privacy is also a concern. The Huffington Post recently ran an article about household items that could be spying on us, like TVs and even some health-related devices such as pacemakers [10].

These recent reports expose the criticality of the situation. Cybersecurity and privacy must be baked in rather than an afterthought to getting devices to market. It must be approached with new thinking and creativity, as IoT is different and at present lacks the platform for security. This lack of a standardized platform enables an enormous amount of threats, vulnerabilities, and risks [6].

Threats, vulnerabilities, and risks
• Vehicles, control systems, and electronic devices like microwaves can be remotely accessed and manipulated, potentially causing injury, destruction, and even death. For example, a hacker may get access to your microwave and increase the temperature of the microwave to such a level that it explodes, which may result in a fire in the house.
• Improper data provided to healthcare providers can lead to incorrect diagnostics, which can be a threat to the patient and his or her life. For example, a hacker may manipulate the sensor data, rendering an incorrect diagnostic.
• Chances of robbery, murder, or other forms of physical crime as intruders gain access to homes or small commercial businesses by hacking smart locks.
• Taking control of an automated vehicle and causing road accidents by hacking the electronics and computers of the vehicle, or launching a denial-of-service attack against the internal bus communications.
• Critical warnings of the device can go unnoticed, which can lead to worse situations. For example, the warning of gas leaking from a broken pipe can go unnoticed if the sensor information is manipulated by an attacker.
• Physical damage to the IoT devices.
• Tracking people's location through unauthorized access to the GPS of the device.

Businesses that harness IoT will have the competitive advantage over the others who do not, but those businesses will have to focus on security and privacy of the user as well as design or scope of the product before anything else. To have an effective security architecture, developers should follow these three steps outlined by Harbor Research [7]:
1. Address security impact in the customer environment
2. Apply a multi-faceted security approach
3. Define life-cycle controls

Securing all layers of IoT implementations is a fundamental and crucial step to safeguard private information belonging to the enterprise and its customers. However, securing all layers can lead to greater complexity, which can lead to greater security risks.

Figure 1 – IoT environment [Source: aeris.com]

Address security impact in the customer environment

Figure 1 describes the architecture of the IoT environment. First a user makes a request to the IoT device through an app on his phone or over the Internet on his laptop; the device records the request, and the sensors on the device record the data and push it to the cloud, where the data is stored and a copy is moved to partners for analytics purposes. The same happens when a device fetches some data from the cloud.

Companies should work through the probable risks that the consumer might face if their devices are attacked. They should have appropriate mitigation strategies to tackle those risks in the customer's environment. Companies should innovate methodologies to protect customer data from security and privacy breaches or other harm. They should test these hypothetical environments, analyzing the data sent by customers, to what places it will be sent, and where the data will be stored.

As we see from the IoT architecture, each and every component is vulnerable to being attacked and poses a threat. The possible solution to this is to make each and every component secure so that there is no access point for the attacker. Another is to make a backup security plan so as to prevent single points of failure, such as having multiple paths and critical component backups in the architecture. Solutions must fulfill the following requirements [1]:
1. Visibility must be provided into applications, protocols, and users
2. Devices and components must continue to work even when they are under attack
3. Compliance and government regulations must be met
4. Solutions must be scalable and cost effective
5. Solutions must be available all the time

Security company Veracode created hypothetical breach scenarios that are possible in the real world, targeting a variety of consumer IoT devices [4]. They tested basic security procedures on the devices, such as enforcing the user to have a strong password and changing the default admin password of the router. They found risks such as improper validation of TLS/SSL certificates, which allowed an attacker to perform man-in-the-middle attacks. They also tested the machine learning capabilities of the devices by replaying the same attack patterns to determine whether the device recognizes and learns from the attack or does not and succumbs to it.
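The certificate-validation finding maps onto a concrete configuration check. As an added example that is not from the article or from Veracode, the following Python builds the weak client context an IoT device might ship with next to a hardened one, and audits either for the settings that make a man-in-the-middle possible; the optional `cafile` argument is an assumption for a device that pins its own backend CA.

```python
"""TLS client-context audit.

Added example, not from the article or Veracode. Builds the weak client
configuration an IoT device might ship with beside a hardened one, and a
check that flags the settings which let a man-in-the-middle succeed.
"""
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The 'it worked in the lab' configuration: the server certificate is
    never verified and the hostname is never matched against it, so any
    interposed endpoint is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against the system store (or a pinned CA file for a
    device that only ever talks to its own backend; assumed argument), match
    the hostname, and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means it passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not matched to the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to legacy protocols possible")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```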

Apply a multi-faceted security approach

Below are five functions that help address component vulnerabilities in the IoT platform:
1. Identity
2. Access and user management
3. Encryption
4. Analytics
5. Network security

Identity – The devices will be communicating with each other and other components in the IoT architecture; hence, each device would require unique identification: a unique ID number or some key value to verify itself and maintain trust. It will be a challenge to keep the database of device IDs secure and out of reach of attackers.

Access and user management – There should be mechanisms to manage and control access of the users. Gateways should be configured to allow devices to access only the internal services for which they are authorized, refusing devices that are not and protecting information that is not meant for those devices.

Encryption – This is the best practice to secure anything, but encrypting large volumes of real-time data will be a challenging aspect of IoT security. To encrypt the data, organizations must categorize it and determine the various protocols available. Data must be protected at all stages, including while at rest, in transit, and in use.

Analytics – As analytics will play a big role in IoT and its development, analytics related to security will be very critical. Security analytics that actively assess network traffic, whether firewall-based or other hardware, to search for malware or other anomalies that may indicate a threat to the system in real time will support a more advanced network of devices.

Network security – While devices and gateways should be embedded with AV and other security protections, fuller network protections should include segmentation and network-level awareness and management.

Define life-cycle controls

A product life cycle should be defined from deployment to disposal, and adequate levels of security should be provided to each phase, for the smaller devices and components with short life spans as well as large and industrial devices that can last much longer. Harbor Research suggests a four-phase life cycle [7] (figure 2):
• Deployment
• Operations
• Incident and Response
• Retirement and Disposal

Figure 2 – Device life cycle

As mentioned above, making customers knowledgeable is crucial; therefore, companies should provide life-cycle control procedures for the devices. Knowledgeable consumers will make for a more secure IoT environment as they understand the device life cycle from setting up the devices to their ultimate disposal.

Conclusion

The Internet of Things has joined the physical and virtual worlds. The day when vehicles, buildings, and even the simplest of physical devices will be connected to each other over a network without any human-to-human or human-to-machine interaction is upon us. Although there are numerous challenges to be overcome, with developments and advancements being made the Internet of Things will soon be more fully implemented. Improved security and privacy will be required to make the future of these technologies sustainable. If the constraints are overcome in a financially viable manner, then IoT is going to revolutionize our future lifestyle, and in years to come our world will be a SMARTER and more secure world.

References
1. "Cisco IoT System Security: Mitigate Risk, Simplify Compliance, and Build Trust," Cisco (2015) – http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/iot-system-security-wp.pdf.
2. Jon Collins, "Why Is Securing the Internet of Things So Difficult?," Gigaom – https://gigaom.com/2016/06/03/why-is-securing-the-internet-of-things-so-difficult/.
3. Stacey Higginbotham, "The Internet of Things Needs a New Security Model. Which One Will Win?," Gigaom – https://gigaom.com/2014/01/22/the-internet-of-things-needs-a-new-security-model-which-one-will-win/.
4. "Veracode Study Reveals the Internet of Things Poses Cybersecurity Risk," Veracode – https://www.veracode.com/veracode-study-reveals-internet-things-poses-cybersecurity-risk.
5. "White Paper: Top Ten Security Considerations for the Internet of Things," Axway – https://www.axway.com/en/gate/129.
6. CSA Mobile Working Group, "Security Guidance for Early Adopters of the Internet of Things (IoT)," Cloud Security Alliance (2015) – https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf.
7. "Security for the Internet of Things Report," Harbor Research – http://harborresearch.com/download-security-for-the-internet-of-things-report/.
8. SANS Institute Reading Room, "Securing the Internet of Things Survey," SANS (2014) – https://www.sans.org/reading-room/whitepapers/analyst/securing-internet-things-survey-34785.
9. "National Preparedness Report 2015," US Department of Homeland Security (2015) – http://www.fema.gov/media-library-data/1432751954859-fcaf2acc365b5a7213a38bbeb5cd1d61/2015_NPR_508c_20150527_Final.pdf.
10. Juliette Kayyem, "Can a Smart Home Be a Safe Home?," Huffington Post, 5/17/16 – http://www.huffingtonpost.in/entry/can-a-smart-home-be-a-safe-home_b_9986636.

About the Author

Aditya Srivastava is a student at the University of Petroleum and Energy Studies, currently pursuing a Bachelor of Technology in Computer Science Engineering with specialization in Cybersecurity and Forensics by IBM. Currently he is Joint Secretary for the college ACM student chapter and Designing Head of the ISSA Dehradun Chapter. He may be reached at adiyash96@gmail.com.


Cloud Dilemma? By Alen Ilic – ISSA member, New York Metro Chapter This article explores issues in relation to the Cloud, both private and public, for storage and operational needs of our information systems.

Abstract It seems that we have arrived at the point that we no longer question whether or not businesses (and private users) need the cloud infrastructure, but rather to what extent and how to incorporate cloud usage to fit business needs. This article will explore the issues in relation to the Cloud, both private and public, for storage and operational needs of our information systems.

So the question I am exploring is: are we getting ahead of ourselves? Are we approaching this migration in a thoughtful way so as to maximize returns on our investment? This article will explore the issues in relation to the Cloud, both private and public, for storage and operational needs of our information systems. Lowering cost, utilization of resources, rises in performance and flexibility, and outsourcing infrastructure management are all great advantages, besides the Cloud being a $131B successful industry trending hot at the moment [7]. But what are the pitfalls? I will be exploring the challenges being faced by businesses, and how those challenges might slow and limit the extent of ongoing migration. The most recognizable challenge and concern is security, and I will be taking a close look at it. That being said, I will also identify other challenges and limits to the benefits associated with the Cloud, along with major issues being reported by users across industries. Additionally, new threats associated with virtual machines and hypervisors are emerging and might become serious concerns if not dealt with properly. This article is not going to be the equivalent of a "cautionary tale" but rather an honest examination of what questions every business should ask itself before taking the plunge and a high-level view of issues it might encounter; in other words, finding out how to proceed with cloud implementation so as to benefit the business. I will pose a few questions on whether the business is ready and equipped to make such changes and meet those challenges.

What makes the Cloud such a hot commodity?

So let's take a look at what makes the Cloud so appealing. To generalize, cloud computing's major attraction is that it "allows more efficient computing by removing most of the upfront costs of setting up an IT infrastructure. It allows organizations to expand or reduce their computing facilities very quickly" [4]. The sales pitch for taking the step and moving your data and applications to the Cloud goes something like this: storing data and using applications remotely rather than doing it yourself can and does cut IT costs dramatically, not to mention that it lessens the need for capital investment in new and expensive data centers, large IT teams, and related costs. Figure 1 is an illustration of those (increasing) benefits.

Figure 1 – Cloud benefits 2014 over 2013

Cloud infrastructure provides flexibility along with scalability, so you can have exactly the size and shape of cloud that you need, no more, no less. In addition, disaster recovery becomes almost easy to accomplish: providers like Amazon Web Services (AWS) operate large data centers in twelve regions worldwide, so if one (or two) of those regions goes down for whatever reason, you are still good to go, provided you have set your data up to be replicated across regions, which is a choice you configure rather than a default. That being said, businesses need to decide whether a public or a private cloud is the suitable choice for them. Both options provide benefits and disadvantages that should be carefully weighed.

Cloud Dilemma? | Alen Ilic

What is appropriate for the business in question should be the main guiding principle. As illustrated in figure 2, there are choices to be made and things to consider when choosing the option that would be satisfactory. This article will not go into detail on this topic other than to point out the complexity of the decision process as to how to make the confidentiality, integrity, and availability (CIA) of your data work best for you in a specific cloud environment. With the many options available today, that choice might turn out to be more complicated than we think.

Figure 2 – Private/public cloud benefits and disadvantages (source: fpwebinars). The figure rates private cloud against public cloud on ten criteria: full control, total customization, scalability, lower entry-level price, uninterrupted performance, less complex environment, entry-level solution, monitoring, no hardware cost, and reliable security.

As noted before, the benefits promised by moving to cloud infrastructures are many and hard to ignore. "The increasing popularity of cloud storage services has led companies that handle critical data to think about using these services for their storage needs. Medical record databases, large biomedical datasets, historical information about power systems, and financial data are some examples of critical data that could be moved to the Cloud" [3]. Other perks include centralized and easy-to-manage software updates, access control, and remote access by default. This, in turn, speeds up operations, increases productivity and collaboration, and, yes, saves and makes money. Sounds really good, doesn't it? From this point on I will take a closer look at the "small print."

How do cloud providers deal with safety concerns?

Cloud proponents would say that it is by far the safest option. Your data is entrusted to top-of-the-line security teams that are highly specialized in security matters and probably better equipped to handle security issues than your average, run-of-the-mill IT department. One area in which most cloud providers seem to agree is security, using the best and most appropriate industry practices to achieve the highest possible level of protection. "Security mechanisms that have been standardized across the IaaS industry are mostly comprised of well-known security mechanisms such as firewalls, physical security, corporate segregation for customer data, and network encryption that have been imported from the hosting industry" [8]. Additionally, cloud providers encourage you to choose and implement your own encryption, protecting data both at rest and in transit. Some go a step further. Mark Crosbie, international head of trust and security for Dropbox, describes one such approach: "We split each data file into chunks—a process called sharding," he says, "and these chunks are then separately encrypted and stored in different places, so if someone did manage to break in and decrypt the data, they'd only get access to random blocks" [1]. Note that as long as the provider holds the keys to those chunks, this protects against an outside intruder, not against the provider itself or anyone who can compel it; only customer-held keys address that case.

Is everyone moving to the Cloud?

The trend is toward doing so, but as of now a little over 50 percent of US businesses use the Cloud, and just over 10 percent of all worldwide data is stored there. These numbers cover businesses that depend on cloud services to a large degree; for companies that use the Cloud to a smaller degree, the numbers are even higher. A TechTarget survey reports that "Nearly half the companies polled in our most recent cloud storage survey say they're using one or more cloud storage service providers to store an average of 24 percent of their total data. While backup is still the most favored application for cloud storage with 63 percent of respondents saying at least some of the backup data goes to the Cloud, other applications are gaining momentum as well: disaster recovery was cited by 44 percent of respondents, followed closely by collaboration/file sharing (41 percent), archiving (40 percent), primary storage (38 percent) and near-line storage (19 percent)" [6]. That being said, the trend is clearly upward, both in the number of businesses using the Cloud and in the breadth of usage. On that note, Cisco reports that by 2019 more than four-fifths (86 percent) of workloads will be processed by cloud data centers and 14 percent by traditional data centers [2]. Goldman Sachs research points to the same future expansion of cloud infrastructure that Cisco projects (figure 3). Some financial institutions, which are conservative in this matter as a rule, are reinforcing this trend and slowly starting to use the Cloud. As reported by the BBC, "Late last year, US bank Capital One said it was reducing the number of its own data centers from eight to three by 2018 and moving a lot of its processes and product development to AWS. And Towergate Insurance recently announced that it was migrating its IT infrastructure to the public Cloud as well" [1].

Figure 3 – Cloud computing infrastructure and platform market

Safety challenges still to consider

Not all is smooth sailing, though. Some of the reasons to move to the Cloud are also concerns for many. The first things that come to mind are security and integration, and new challenges are developing over time with the expansion of cloud services and the number of businesses taking advantage of them.

Figure 4 – Cloud challenges 2016 vs. 2015

So are there any good reasons for caution when it comes to such a big step as moving your business data and operations to the Cloud? All of the challenges noted in figure 4 certainly indicate so. It is interesting (but not altogether surprising, given the well-documented and projected shortage of qualified experts in the field) that resources and expertise have overtaken security as the primary concern in this recent survey. Four major groupings of potential downsides can be identified: "loss of availability, loss and corruption of data, loss of privacy, and vendor lock-in" [3]. So, let's start with some obvious downsides: it can be rather uncomfortable for someone else to have access to your data and be responsible for keeping it safe. "However, as data moves away from an organization's protected infrastructure, ensuring data security and compliance with data protection laws will become even more of a challenge" [10]. Not to mention that in a public cloud your data is stored right next to someone else's, leaving you open to a variety of threats such as "threats from a malicious cloud service provider (CSP) and threats from other customers of their CSP" [8]. The large amounts of data stored from multiple sources in a public cloud make providers a big, juicy target worth spending time and resources on, especially for DDoS by attackers who simply want to wreak havoc. Granted, most attacks so far have focused on independent data centers, but it is only a matter of time before cloud providers become primary targets for major attacks of many varieties. Additionally, most of the threats your IT department deals with are just as present when data access and storage are outsourced to others.

Insider threats, from your own employees and from the cloud provider's employees, add an even greater risk than when doing it on your own. This is likely why cloud providers give customers the option to manage their own encryption keys, which limits what a provider insider can read; bear in mind that it only protects data the provider never needs to decrypt in order to process it. We have seen governments move toward easing legal privacy protections so they can access any data they see fit, and recent revelations about questionable government activities (think Snowden) are not reassuring either. Another major concern is compliance and your ability to meet the requirements set for certain types of personally identifiable information (PII) in heavily regulated sectors such as financial services and healthcare.

New hypervisor and VM vulnerabilities

Continuing with the challenges: partitioning servers into virtual machines (VMs) and having a hypervisor mediate their access to the hardware has traditionally been considered a security advantage, because virtualization isolates workloads from one another and keeps the trusted part of the kernel small. "We assume that one virtual machine can't see or gain access to the resources (disk space, memory, and so on) used by other virtual machines running on the same host. Virtual machines are supposed to be isolated by, among other things, a hypervisor or monitor program" [16]. However, recent vulnerability assessments paint a somewhat different picture, and some of the most common hypervisors have become sources of concern because of those vulnerabilities. Bauer, in Paranoid Penguin, foresaw this, and from what I can tell he was in the minority. In 2011 he wrote: "Virtualization overwhelmingly has been driven by hardware resource management and other operational and economic concerns rather than security. In fact, virtualization, as most commonly deployed nowadays, is arguably a bigger source of security issues than it is a security tool" [16]. Over 95 percent of the hypervisor market is served by four products, two of which (Xen and KVM) are freely available, and all four have known vulnerabilities. "VMware has a total presence of 81 percent, and 52 percent of the data centers use it as their primary hypervisor, followed by Xen (81 percent presence, 18 percent as primary), KVM (58 percent presence, 9 percent as primary), and Microsoft's Hyper-V (43 percent presence, 9 percent as primary)" [11, 12]. As we witnessed with AWS and Rackspace in September 2015, they had to deal with the risk that parts of their customers' stored data could have been exposed through a security vulnerability in the Xen hypervisor. Large parts of their cloud infrastructure had to be rebooted within a short window to patch it. "While there were no reports of compromised data, the vulnerability could have allowed those with malicious intent to read snippets of data belonging to others or to crash the host server through following a certain series of memory commands" [14]. According to the CVE entries recorded by MITRE, most hypervisor vulnerabilities can be exploited for denial of service; however, a substantial number go further than that. "Roughly 50 percent of vulnerabilities reported so far can lead to security breaches in all three fronts (CIA). The second most common effect of exploiting these vulnerabilities is to only pose a threat to the availability of the hypervisors (denial of service)" [13]. To reduce this exposure, the trend is toward thin hypervisors with a small footprint, which limits the number of potential vulnerabilities. "With minimal software and computing overhead, they limit the number of ways malicious code can intrude" [15].

Other issues to note

Cloud providers are varied and there is no interface standardization to speak of, so choosing the right one might prove difficult. "Cloud vendors have not taken into account cloud interoperability issues, and each cloud comes with its own solution and interfaces for services" [4]. And once you choose a provider, you may be creating a dependence on that provider, which is less than desirable, making a move to a different provider difficult and costly. Lastly, and by no means least, is your ability to use the Cloud effectively. Hiring capable talent is needed to integrate your operations into a cloud infrastructure, and it is a tall order to "integrate with cloud-specific runtime processes, involving service deployment, discovery, selection, composition, and management activities, including migration, elasticity, and resource allocation" [9]. Experts in these fields are hard to find and even harder to retain. If you do not succeed in acquiring a certain level of expertise, you might end up with performance, security, and uptime issues that reflect poorly on your bottom line and cause a number of related problems.

Conclusion

So, while it might seem like a no-brainer to many, moving to the Cloud should be weighed carefully on a case-by-case basis. Not all businesses will necessarily benefit from it. Indeed, moving to the Cloud might prove to be more of a headache than a benefit, especially if your IT department is not up to the challenge. That is probably why we see a substantial rise in the hybrid approach: keeping more sensitive data close at hand and other data and applications in the Cloud. This approach is also very sensible for businesses that have their own IT infrastructure in place and can use it properly: "employ a hybrid cloud model where the enterprise uses its own private resources for the majority of its computing, but then 'bursts' into the Cloud when local resources are insufficient" [5], limiting reliance on cloud providers and retaining greater control of your information systems. That being said, the first question to ask yourself is whether the cost-benefit ratio is favorable. Then choose the most reputable and capable provider, with an ironclad service level agreement (SLA) in place. There are many moving parts in this equation, and careful consideration should be given to how to proceed with a possible migration, or even just an increase in reliance on cloud infrastructure. Once the decision is made in a thoughtful and prudent manner, and some level of certainty is achieved, you can actually reap the benefits rather than the problems. "Negotiating appropriate service levels, as well as conducting due diligence on the cloud vendor's technical infrastructure, will be essential to gaining confidence that the vendor has the ability to ensure appropriate access to, and availability of, data" [10]. In other words, the Cloud has the potential to be the great leap forward for your business operations, security included, but you need the resources, a good partner in the chosen provider, and sufficient know-how to take advantage of everything the Cloud provides and turn it into happy returns.
Otherwise you might end up investing large amounts of money and time only to produce a high level of downtime and strained relations with your IT department over inevitable downsizing, with little in the way of benefits acquired.

References
1. M. Wall, "Can We Trust Cloud Providers to Keep Our Data Safe?" BBC – http://www.bbc.com/news/business-36151754.
2. Cisco Global Cloud Index: Forecast and Methodology, 2014–2019, White Paper – http://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/Cloud_Index_White_Paper.pdf.
3. A. Bessani, M. Correia, B. Quaresma, F. Andre, "Dependable and Secure Storage in a Cloud-of-Clouds," University of Lisbon, ACM Transactions on Storage (TOS), volume 9, issue 4, November 2013.
4. Toosi et al., "Interconnected Cloud Computing Environments," ACM Computing Surveys, volume 47, issue 1, article no. 7, July 2014.
5. Tian Guo, Upendra Sharma, Prashant Shenoy, Timothy Wood, Sambit Sahu, "Cost-Aware Cloud Bursting for Enterprise Applications," ACM Transactions on Internet Technology (TOIT), volume 13, issue 3, May 2014.
6. R. Castagna, "More Companies Turn to Cloud Storage Service Providers," TechTarget, retrieved on 5/16/16 from http://searchcloudstorage.techtarget.com/feature/More-companies-turn-to-cloud-storage-service-providers.
7. "Gartner Says Worldwide Public Cloud Services Market to Total $131 Billion," Gartner – http://www.gartner.com/newsroom/id/2352816.
8. W. Huang, A. Ganjali, B. Kim, S. Oh, D. Lie, "The State of Public Infrastructure-as-a-Service Cloud Security," ACM Computing Surveys (CSUR), volume 47, issue 4, article no. 68, July 2015.
9. C. Ardagna, R. Asal, E. Damiani, Q. Vu, "From Security to Assurance in the Cloud: A Survey," ACM Computing Surveys (CSUR), volume 48, issue 1, September 2015.
10. P. Brudenall, B. Treacy, P. Castle, "Outsourcing to the Cloud: Data Security and Privacy Risks," retrieved on 5/16/16 – https://www.hunton.com/files/Publication/b167f27d-be0a-488b-85a3-b3d1beef295c/Presentation/PublicationAttachment/b30173c6-ea56-4040-a8c958b484df9183/outsourcing_to_the_Cloud.pdf.
11. Nexenta Hypervisor Survey – https://nexenta.com/company/media/press-releases/nexenta-releases-server-hypervisor-market-share-survey-results.
12. Is the Hypervisor Market Expanding or Contracting? – http://www.aberdeen.com/Aberdeen-Library/8157/AI-hypervisor-server-virtualization.aspx.
13. D. Perez-Botero, J. Szefer, R. Lee, "Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers," May 2013 – http://caslab.eng.yale.edu/people/jakub/papers/scc2013.pdf.
14. Hypervisor Security Issues – http://www.thewhir.com/web-hosting-news/another-xen-hypervisor-security-issue-pushes-aws-rackspace-reboot-cloud-servers.
15. N. Henderson, "Three Hypervisor and Virtual Environment Security Concerns" – http://searchservervirtualization.techtarget.com/feature/Three-hypervisor-and-virtual-environment-security-concerns.
16. M. Bauer, "Paranoid Penguin: How to Worry about Linux Security," August 2010, Linux Journal, volume 2010, issue 149, September 2006, ACM Digital Library, membership access.

About the Author Alen Ilic lives in NYC, just received his Bachelors in InfoSec, and is looking to learn more by getting hands-on experience and taking graduate-level classes. Any questions/comments, please contact him at [email protected].

Internet of Things: Arduino Vulnerability Analysis | Audrey Ann Gendreau

Internet of Things: Arduino Vulnerability Analysis Continued from page 35

thus, produces the same scores as CAPEC438. Base Score: 7.2; Temporal Score: 6; and Environmental Score: 5.8.

Communications, CAPEC512

CAPEC117: Interception
The attacker monitors and collects data streams; what distinguishes this from similar attack patterns is that the attacker explicitly observes certain data channels and reads their content. Sniffing attacks are part of this attack pattern, and any WPAN XBee broadcast can be received by another XBee [23]. When data is sent to the serial port, nothing stops another XBee from picking up the broadcast. Moreover, a newer board, the Arduino Yún, is designed specifically for the IoT. In addition to the ATmega32u4, it has a secondary, higher-level Atheros processor running an outdated Linux kernel compiled for embedded devices. Based on OpenWrt, it supports Wi-Fi and Ethernet. The Arduino side connects to the Linux environment through a bridge so that the sketches it runs can communicate with the network interfaces. This configuration exposes the Arduino administration interface on port 80, so the connection is visible on the network in plain text. Other problems include automatic connection to the nearest access point when the default fails to connect; this lets an attacker send disassociation packets to force re-authentication, reveal a hidden ESSID, capture WPA/WPA2 handshakes, and more [27]. We analyze the WPAN case. Base Score: 5.8; Temporal Score: 4.2; and Environmental Score: 5.

CAPEC272: Protocol manipulation
This attack targets the communication protocol stack. One of its sub-patterns is CAPEC220, Client-Server Protocol Manipulation, which covers bypassing the authentication process in order to spoof other clients or servers. An Arduino with an Ethernet Shield, an easily added component, can be configured as a simple web server [17]. Shodan is a search engine that indexes service banners to list the servers reachable on the Internet [16]. At the time of this writing, a search for the term Arduino returns Arduino servers that are visible on the Internet. Typically with microcontrollers such as the Arduino there is no authentication process to bypass at all. Shodan has examples of microcontrollers being reconfigured over the Web. According to Shodan [16], the only barrier is that microcontroller technology is more complex and varied than traditional programming. Base Score: 10; Temporal Score: 7; and Environmental Score: 7.1.

CAPEC548: Contaminate resource
This attack pattern exposes information to unauthorized entities on devices or networks. The cross-contamination configuration is one that is suggested as a gateway solution in the Arduino literature [25]. The Arduino can exist as an end node or an edge node. The protocol of a wireless sensor network (WSN) is not the same as that of a WLAN. WSNs are data-centric, and because of the physical size of the embedded system, software capability is restricted by the limited hardware and power, especially for computationally expensive software such as encryption algorithms. Using ZigBee, an IEEE 802.15.4-based protocol used to build WSNs, the nodes are both computers and routers, sending data toward the sink [3]. The sink is the gateway where the data is forwarded upstream over Ethernet or Wi-Fi. IoT-centered cloud services such as Xively collect the data streaming from the secondary network [4]. Having two different network spheres is therefore a potential point of attack on the integrity of the end-to-end link [9]. To safeguard the network, one protocol should be used; currently, 6LoWPAN is the solution [9][10]. The devices can then communicate across the Internet without having to translate packets from ZigBee to IP and back. However, this does not seem to be widely adopted by the majority of the Arduino DIY community at this time. It is much easier to fit an Ethernet-capable Arduino with an XBee and its shield, a ZigBee-based WPAN add-on. Base Score: 7.5; Temporal Score: 8.1; and Environmental Score: 10.

CAPEC262: Manipulate resources
This attack is a descendant of CAPEC548. The attack pattern focuses on the adversary's ability to manipulate one or more resources. Examples include physically isolated devices being picked up, reconfigured or even reprogrammed, and returned to the WSN. The removed and reprogrammed Arduino case is analyzed. Base Score: 5.4; Temporal Score: 5.3; and Environmental Score: 7.6.

CAPEC607: Obstruction
An attacker obstructs the interactions between system components in order to degrade system performance. The sub-patterns include everything from manipulation of resources and communications to physical destruction, blockage and jamming. CAPEC601: Jamming is one of the related attack patterns: an adversary uses radio noise, or keeps the device in receive mode, to prevent it from sending data, for example by using a microcontroller to build a device with an RF transmitter that repeatedly emits a stronger signal on the same channel and frequency [26]. Base Score: 5.2; Temporal Score: 4.2; and Environmental Score: 6.

Software, CAPEC513

Attack patterns in this domain focus on exploitation of software applications. However, with microcontrollers or other physical computing devices that monitor a physical phenomenon in real time, interruption is less likely. An unpatched system nevertheless exposes many software vulnerabilities. The following are a few that are specifically addressed.

CAPEC115: Authentication bypass
Without authentication on a microcontroller, the ramifications of bypassing authentication apply directly, and this produces the same scores as CAPEC220.

CAPEC123: Buffer manipulation
Buffer attacks involve supplying more input than the allocated buffer can hold. With little available memory on the Arduino, it is easy to perform both heap and stack buffer overflow attacks through consecutive subroutine calls with a large number of variables. Heap attacks can be performed separately by repeatedly allocating buffers in order to overwrite existing data in memory [27]. C. Alberca et al. show that reading input from the serial interface larger than the expected size without checking the boundaries crashes an Arduino Yún [27]. To compute the Base Score, because the vulnerability in this case uses a Bluetooth interface, the Access Vector is adjacent network. The Access Complexity is medium. As demonstrated on the Arduino Yún, Linux commands executed through the bridge can create a buffer overflow on the Arduino over a typical Bluetooth interface with default root privileges. The Authentication metric is none. The impact metrics are set to complete because the attack crashes the system. Base Score: 8.3; Temporal Score: 6.4; and Environmental Score: 6.5. (Note that the CVSS v2 base equation, which CCSS reuses, gives 7.9 for adjacent-network access with medium complexity, no authentication and complete impact; 8.3 is the result when Access Complexity is low.)

CAPEC125: Flooding
An attacker depletes the resources of the target through a rapid, large number of interactions within a period of time; a DoS attack is an example. On the Arduino Yún platform discussed here, because the Linux kernel answers as a DNS server on interfaces where it should not, it permits a DoS attack. The system also crashes under DoS because of a firewall bug [27]. Base Score: 10; Temporal Score: 8.1; and Environmental Score: 7.1.

CAPEC622: Electromagnetic side channel
CAPEC622 and CAPEC623: Compromise Emanations are derived from CAPEC189, a descendant of CAPEC188. In a summary of microcontroller-based system threats, D. Strobel et al. demonstrate that both electromagnetic side-channel and other compromising-emanation attacks are feasible; in particular, they experimented with an ATmega8, part of the microcontroller family used in Arduinos [18]. Base Score: 6.9; Temporal Score: 6; and Environmental Score: 2.2.

CAPEC623: Compromise emanations
The analysis is similar to CAPEC622.

Physical security, CAPEC514

Attack patterns in this domain exploit the physical security of a system to achieve an advantage. Focusing on the descendant CAPEC547, Physical Destruction of Device or Component, this is easily accomplished if the device is outdoors or in a public space. For example, Shifting Time, an artwork created by Camille Utterback, is on display outdoors in San Jose, California [2]. Therefore, the removed and reprogrammed device in CAPEC262: Manipulate Resources produces the same results.

Hardware, CAPEC515 CAPEC169: Foot printing This is information gathering or reconnaissance before the attack. As discussed Shodan returns the banner of Arduino servers. The banner shows vulnerability of unpatched systems. Base Score: 5; Temporal Score: 3.1; and Environmental Score: 3.8. CAPEC440: Hardware integrity attack This occurs when technology is compromised and deployed to a victim’s location for purpose of carrying out an attack. In the future, will trading gadgets be part of this hobbyist paradigm? This has to do with trust and how it is established, similar to the business model used by eBay and others. Base Score: 10; Temporal Score: 7; and Environmental Score: 6.8. CAPEC441: Malicious logic insertion A device that can be reprogrammed and entered back ino the system is possible. The resulting score for this case is the same as CAPEC262: Manipulate Resources. The attacks in a DIY environment as a study on the potentially weakest link in the IoT has been conducted using a combination of the CCSS methodology and a subset of the CAPEC list of vulnerabilities. While the CCSS does not define the range for good or bad scores, it does state that as a subjective-based assessment, five point differences are meaningless. For this reason, two major groups were identified: attack patterns with a base vector of 10 and another group where the scores range between 8.3 and 6.9. The critical attack patterns with a vector of 10 are decendents of the communication, software, and hardware domains. They include Client-Server Protocol Manipulation, Contaminate Resource, Authentication Bypass, Flooding, and Hardware Integrity Attack. The major attack patterns ranging between 8.3 and 6.9 include Buffer Manipulation, Social Information Gathering, Modification during Manufacturing, Manipulation during Distribution, Electromagnetic Side Channel, and Compromise Emanations. Without a representation of frequency of Arduino attacks, the temporal score was not meaningful. 
However, among the higher-scored attack patterns a greater disparity between the environmental and base scores was observed. For example, in the Reverse Engineering domain (CAPEC188) the overall base score was 6.9 compared to an environmental score of 2.2. By contrast, Malicious Logic Insertion (CAPEC441) has a base score of 5.4 compared to an environmental score of 5.3. This can be interpreted as a greater influence of the DIY environment (e.g., confidentiality and integrity are not critical in a hobby culture) on the higher-risk attack patterns.
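The scoring discussion above rests on the CCSS equations, which the article does not reproduce (the author offers the spreadsheet on request). The following Python example is added here for illustration and is not the article's code or spreadsheet. It implements the CVSS v2 base equation, which CCSS is assumed here to inherit (NISTIR 7502 derives CCSS from CVSS v2), together with the CVSS v2 security-requirement weighting (CR/IR/AR) from the environmental metric group, and stops at the AdjustedBase stage. CCSS's own temporal and environmental metrics are not on the page, so the figures show the direction of the effect the article describes (a hobby deployment that rates confidentiality and integrity as low pulls the score down) rather than its exact 6.9 versus 2.2. The three vectors are constructed for the example and are not the article's CAPEC assignments.

```python
"""Added example, not from the article: CVSS v2 base equation plus the
security-requirement weighting (CR/IR/AR) of the CVSS v2 environmental group.
Assumption: CCSS (NISTIR 7502) keeps the CVSS v2 base equation; CCSS's own
temporal/environmental metrics are not modelled here."""
import math

# CVSS v2 metric weights (CVSS v2.0 guide).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51}  # CR / IR / AR weights

TABLES = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
          "C": IMPACT, "I": IMPACT, "A": IMPACT}


def round1(x: float) -> float:
    """Round half up to one decimal, as the CVSS v2 guide specifies."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector: str) -> dict:
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> {'AV': 'N', 'AC': 'L', ...}, validated."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    for name, table in TABLES.items():
        if metrics.get(name) not in table:
            raise ValueError(f"bad or missing metric {name} in {vector!r}")
    return metrics


def impact_subscore(m: dict, cr=1.0, ir=1.0, ar=1.0, cap=False) -> float:
    """Impact = 10.41 * (1 - (1 - C*CR)(1 - I*IR)(1 - A*AR)).

    The base equation uses the raw value; the environmental AdjustedImpact
    caps it at 10 because the requirement weights can push it above 10."""
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    imp = 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))
    return min(10.0, imp) if cap else imp


def exploitability_subscore(m: dict) -> float:
    """Exploitability = 20 * AV * AC * Au."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def combine(impact: float, exploitability: float) -> float:
    """BaseScore = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)."""
    f = 0.0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f)


def base_score(vector: str) -> float:
    m = parse_vector(vector)
    return combine(impact_subscore(m), exploitability_subscore(m))


def requirement_adjusted_score(vector: str, cr="M", ir="M", ar="M") -> float:
    """CVSS v2 AdjustedBase: the base equation re-run with AdjustedImpact.

    This is the lever the article points at when it notes that confidentiality
    and integrity are not critical in a hobby setting: set CR and IR to Low and
    the impact term, and with it the score, shrinks."""
    m = parse_vector(vector)
    imp = impact_subscore(m, REQUIREMENT[cr], REQUIREMENT[ir], REQUIREMENT[ar], cap=True)
    return combine(imp, exploitability_subscore(m))


# Constructed vectors (hypothetical; not the article's CAPEC assignments).
EXAMPLES = {
    "remote, unauthenticated, full compromise": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "remote reprogramming (integrity only)": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
    "physical access, full compromise": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
}

if __name__ == "__main__":
    for label, vec in EXAMPLES.items():
        print(f"{label}: base {base_score(vec)}, "
              f"hobby deployment (CR=L, IR=L) "
              f"{requirement_adjusted_score(vec, cr='L', ir='L')}")
```

The integrity-only vector is the instructive one: its base score is unaffected by the deployment, but once integrity is rated Low the same attack drops by more than two points, while a full C/I/A compromise barely moves because availability still carries the impact term. That is the same base-versus-environmental gap the article reports, produced by the requirement weights alone.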

Internet of Things: Arduino Vulnerability Analysis | Audrey Ann Gendreau

Conclusion The Internet of Things extends across cyberspace and, through physical computing, into our physical environment as well. Because these objects are undocumented, and therefore less visible when they connect to the Internet, they can pose a serious threat. For example, it was shown that a power grid could be shut down using stoves [28]. For this reason, to become a trusted participant in our information world, a holistic IDS that uses policy derived from CCSS scores such as those computed in this article, expressed in the common language of NIST's Technical Specification for the Security Content Automation Protocol [14], may one day communicate with an undocumented device before it is permitted to connect to the IoT.

Acknowledgements This research was directly influenced by an IEEE/Internet2/NSF co-sponsored End-to-End Trust and Security for IoT workshop on February 4, 2016, in Washington, DC. In our case-study group, we found that in order to establish trust, policies across the different domains need to be developed. If interested, contact the author for the CCSS spreadsheet used for computing the values. This article has been condensed for publication. The full paper is available here.

References
1. D. Kushner, The Making of Arduino, IEEE Spectrum, October 2011.
2. Shifting Time: San Jose – http://camilleutterback.com/projects/shifting-time-san-jose/.
3. H. Karl and A. Willig, Protocols and Architectures for Wireless Sensor Networks, Wiley, West Sussex and Hoboken, NJ, May 2005.
4. T. Karvinen, K. Karvinen, and V. Valtokari, Make: Sensors, Maker Media Inc., Sebastopol, CA, May 2014.
5. C. Pfister, Getting Started with the Internet of Things, O'Reilly, Sebastopol, CA, 2011.
6. J. Blum, Arduino, John Wiley & Sons, 2014.
7. C. Osborne, CCTV Cameras Worldwide Used in DDoS Attacks, ZDNet, October 26, 2015 – http://www.zdnet.com/article/cctv-cameras-worldwide-used-in-ddos-attacks/.
8. Arduino Store USA – http://store-usa.arduino.cc.
9. J. Titus, 6LoWPAN Goes Where ZigBee Can't, Electronic Component News (ECN), 2009.
10. N. Kushalnagar, G. Montenegro, and C. Schumacher, IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs), RFC 4919, August 2007 – https://tools.ietf.org/html/rfc4919.
11. Z. Shelby and C. Bormann, 6LoWPAN: The Wireless Embedded Internet, 1st ed., John Wiley & Sons Ltd, Chichester, UK, 2009.
12. NIST: Guide for Conducting Risk Assessments – http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
13. CAPEC VIEW: Domains of Attack – http://capec.mitre.org/data/definitions/3000.html.
14. NIST: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0 – http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-126.pdf.
15. NIST: The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities – http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf.
16. J. Matherly, Complete Guide to Shodan, Leanpub, February 2016.
17. Arduino, Web Server – https://www.arduino.cc/en/Tutorial/WebServer.
18. D. Strobel, D. Oswald, B. Richter, F. Schellenberg, and C. Paar, Microcontrollers as (In)Security Devices for Pervasive Computing Applications, Proceedings of the IEEE, 102(8), 1157–1173, July 2014.
19. A. Vishwanath, Cybersecurity's Weakest Link: Humans, Government Technology, May 2016.
20. A. Vishwanath, When Hackers Turn Your Lights Off, CNN, February 2016 – http://www.cnn.com/2016/02/11/opinions/cyber-infrastructure-attacks-vishwanath/index.html.
21. Symantec Corporation, Internet Security Threat Report, April 2016.
22. P. W. Singer, Hacked Hardware Could Cause the Next Big Security Breach, Popular Science, February 2015.
23. J. Market, M. Massoth, K.-P. Fischer-Hellman, S. M. Furnell, and C. Bolan, Attack Vectors to Wireless ZigBee Network Communications – Analysis and Countermeasures, Proceedings of SEIN 2011, October 2011.
24. A. George, How Your World Works, Popular Mechanics, pp. 21–22, December/January 2016.
25. D. Norris, The Internet of Things: Do-It-Yourself at Home Projects for Arduino, Raspberry Pi, and BeagleBone Black, McGraw-Hill, pp. 243–245, 2015.
26. Rehna V J, Kehkeshan Jalall S, Hasrsha K, and Vinay V, Cell Phone Detection and Jamming System for GSM 900 MHz and 1800 MHz Frequency Bands, International Journal of Advanced Trends in Computer Science and Engineering – http://www.warse.org/pdfs/2014/icceitsp052014.pdf.
27. Alberca, G. Suarez-Tangil, S. Pastrana, and P. Palmieri, Security Analysis and Exploitation of Arduino Devices in the Internet of Things, ACM CF'16, May 2016.
28. A. Gendreau, Survey of Intrusion Detection Systems Towards an End-to-End Secure Internet of Things, IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud 2016), Vienna, Austria, August 2016.

About the Author Audrey Gendreau, PhD, CISSP, GCFE is a university-level Cybersecurity Researcher with several publications focused on the security of the Internet of Things. She may be reached at [email protected].

August 2016 | ISSA Journal – 47

Women in Security Special Interest Group | Rhonda Farrell

WIS SIG: Internet of Things – A Veritable Smorgasbord of Privacy, Security & Trust Challenges (continued from page 9)

ments should take into consideration the potential harms attributable to the device, the device's sophistication level in the areas of connectivity and access channels, its functional capabilities, and its cyber-anatomy, as well as the breadth and scope of security integrated across the cybersecurity life cycle [8]. A recent article by Symantec breaks IoT security into four cornerstones: (1) protecting communications; (2) protecting devices; (3) managing devices; and (4) understanding your system [9]. Additional studies focus on reducing risk by overriding and limiting device autonomy and stipulating requirements for higher levels of human intervention and control over sensitive device functionality [4]. Lastly, advocates focus on the implementation of effective risk management programs, including organizational vulnerability analysis of disruptive attack scenarios, user-impact analysis, and the additional financial and non-financial impacts associated with cyber attacks [12, 13]. All told, following a cyber-resiliency model to reduce risks for our sizable global IoT build-out just seems SMART!

Join the international conversation at #ISSAWISSIG, [email protected], and via LinkedIn. Be BRAVE, Be BOLD, Own Your Future!

References
1. Electronic Privacy Information Center, Internet of Things (June 4, 2016) – https://epic.org/privacy/internet/iot/.
2. Kamboj, J., Internet of Things: End of Human Race? (July 18, 2015) – https://www.linkedin.com/pulse/internetthings-end-human-race-gaurav-kamboj.
3. TechTarget, Internet of Things (IoT Privacy) (October 2014) – http://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-privacy-IoT-privacy.
4. US News, The Privacy, Security Risks of the Internet of Things (January 22, 2016) – http://www.usnews.com/news/articles/2016-01-22/the-privacy-security-risks-of-the-internet-of-things.
5. Business Digital Security, A Long Journey from Cybersecurity to Cyber Resiliency (September 10, 2015) – https://business-digital-security.com/a-long-journey-from-cybersecurity-to-cyber-resilience/.
6. Office of the Privacy Commissioner of Canada, The Internet of Things – An Introduction to Privacy Issues with a Focus on the Retail and Home Environments (February 2016) – https://www.priv.gc.ca/information/research-recherche/2016/iot_201602_e.pdf.
7. Postscapes, Internet of Things Privacy Threats and Countermeasures (May 28, 2016) – http://postscapes.com/internet-of-things-privacy-threats-and-countermeasures/.
8. Kedgley, M., Cybersecurity of the Fridge: Assessing the Internet of Things Threat (May 31, 2016) – http://www.scmagazineuk.com/cyber-security-of-the-fridge-assessing-the-internet-of-things-threat/article/495675/.
9. Symantec, An Internet of Things Reference Architecture (2016) – https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf.
10. PwC, Cyber: Securing Your Internet of Things (December 2015) – http://www.pwc.com/us/en/financial-services/financial-crimes/publications/assets/internet-of-things-cyber.pdf.
11. Violino, B., What the Internet of Things Means for Security (October 14, 2013) – http://www.csoonline.com/article/2134066/mobile-security/what-the-internet-of-things-means-for-security.html.
12. Turner, M., How to Secure the Internet of Things (June 2015) – http://www.computerweekly.com/opinion/How-to-secure-the-internet-of-things.
13. Pescatore, J., Securing the Internet of Things Survey (January 2014) – https://www.sans.org/reading-room/whitepapers/analyst/securing-internet-things-survey-34785.
14. EY, Cybersecurity and the Internet of Things (March 2015) – http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf.

About the Author Dr. Rhonda Farrell, J.D., CISSP, CSSLP is an Associate at Booz Allen Hamilton (BAH) and a member of the Board of Directors at ISSA Intl and ISSA-NOVA. She also holds an officer position within IEEE and committee positions within ASQ. She is the Co-Founder of the WIS SIG and works cross-organizationally to actively enhance cybersecurity-oriented programs internationally. She can be reached at [email protected].

ISSA Women in Security Special Interest Group Mission: Connecting the world, one cybersecurity practitioner at a time. Vision: The WIS SIG is committed to developing women leaders globally, building a stronger cybersecurity community fabric, and enabling success across the globe.
