Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Just ask “Why?”

January 9, 2018 By Doug

Today we’re constantly asked to make decisions that have security and privacy implications.  Most of the time these are individually innocuous, but collectively they present significant risk.  All too often, we simply click yes, plug in the cable, share the wifi password, or give up personal information.  Instead, before even asking if it’s secure, ask “Why?”

Here are some examples:

  • Why do my refrigerator, dishwasher, vacuum cleaner, lightbulbs, or child’s teddy bear need an internet connection?
  • Why does the social media site need my real birthday or current location?
  • Why does the doctor’s office need my SSN (unless you use Medicare)?
  • Why does the retailer need my email address for a receipt?
  • Why does that website have 42 trackers (seriously, just saw that today)?
  • Why does that app need access to my microphone, contacts, or music library?
  • Why does my TV need an internet connection? Why does it have a microphone?
  • Why do I want that technology vendor listening/watching everything I do at home?
  • Why should I always use my primary email address for sites that aren’t important?
  • Why does my bank need my mother’s maiden name?

For many of those, the answer is: to provide some functionality I desire, and in exchange the company gets to exploit and sell my personal information.  For others, it’s inertia (like the doctor asking for an SSN), or poor security question design (like mother’s maiden name).


We all have different tradeoff points – I essentially answer no to them all (or give false information – or a junk email address), others may say yes across the board.  Of course, once you decide the tradeoff is worth it, and before you actually go ahead, the ‘is it secure’ question still needs to be answered.  One quick thought on that – if it can’t be patched, it’s not secure.

So the next time a waffle iron, toothbrush, or coffee maker asks for your wifi password, stop a moment and ask ‘why’, then make a conscious decision about the tradeoffs.


Enough already – get rid of default passwords

November 8, 2017 By Doug

(c) 2017 Doug Lhotka

There’s been chatter about yet another botnet starting to form using insecure IOT devices.  Many of these are hacked because users never bother to change the default password, which is definitely bad behavior, but blaming the user is also a cop-out by the vendors. The real problem is faulty design.

Simply put, there is no reason to ship a device with a common (or easily derived) default password.  Better vendors generate a unique password for each device prior to shipping.  As long as it’s not directly derivable from the device ID, that’s not too bad, though it can cause support issues when, after a factory reset, the consumer has lost the removable sticker and is locked out of their device.  Support can sometimes tell them what the password is, which means they’re all stored in a database somewhere, and that kind of renders the whole system moot.

The best option is to ship a device in an inactive/nonfunctional/setup state and require the user to create a password during the initial configuration.  After a factory reset, they’re again prompted to enter a new password – just like we have to do after wiping a smartphone.  So why do vendors still ship with common default passwords?  Maybe it’s cost cutting or lazy programmers & designers, or who knows what else, but in the end, it reflects a lack of secure thinking at the vendor.
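The setup-state design described above, as an added example (not code from the post or from any vendor): the device boots unprovisioned, refuses normal service until the owner sets a password, stores only a salted hash, and a factory reset returns it to setup state rather than to any default credential. The `Device` class, the minimum length policy, and the serial number format are all hypothetical.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LEN = 12  # assumed policy, not stated in the post
PBKDF2_ROUNDS = 100_000


class NotProvisionedError(Exception):
    """Raised when the device is asked to do real work before setup is complete."""


class Device:
    """Model of a device that ships with no credential at all."""

    def __init__(self, serial: str):
        self.serial = serial   # device ID; deliberately never used to derive a credential
        self._salt = None
        self._hash = None

    @property
    def provisioned(self) -> bool:
        return self._hash is not None

    def set_initial_password(self, password: str) -> None:
        """First step of setup; only permitted while unprovisioned."""
        if self.provisioned:
            raise PermissionError("credential already set; use a change-password flow")
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password shorter than policy minimum")
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def authenticate(self, password: str) -> bool:
        """Constant-time comparison against the stored salted hash."""
        if not self.provisioned:
            raise NotProvisionedError("no credential yet; complete setup first")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._hash)

    def handle_request(self, password: str, action: str) -> str:
        """Every service is gated on provisioning and authentication."""
        if not self.provisioned:
            return "setup-required"
        return f"ok:{action}" if self.authenticate(password) else "denied"

    def factory_reset(self) -> None:
        """Wipe the credential: back to setup state, never to a default password."""
        self._salt = None
        self._hash = None
```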

So here’s something to ponder as you go into the holiday shopping season and start looking for new gadgets.  If the manufacturer can’t be troubled to provide a system for secure setup, they probably don’t have a system for secure updates either.  And if they can’t do either of those, just how secure do you think the rest of the device is?  Do you really want that on your home network?


IT + OT = Internet of Threats: Securing a Converged Environment

July 6, 2017 By Doug


Back in the dark ages, before IOT, cloud, daily data breaches, and worldwide ransomware alerts (you know, before 2005), the utility industry started to become enamored with the idea of a smart grid and began merging the IT and OT networks – that’s one version of Internet of Things (IOT).  Unfortunately, IOT these days most often means ‘Internet of Threats’.

And that brings us to IOT security, because there are common challenges across $15 webcams and $1.5M transformers and pumps.  In this post, I’ll address the industrial scale challenges, and pick up the consumer ones in another post.

In the past, the operational network (OT environment) usually ran SCADA over serial lines, and those networks weren’t directly accessible from the TCP/IP (IT) networks that ran the information systems.  To be sure, there was little security in the SCADA environment – in many cases you could plug directly into a remote terminal and have access to equipment, but you had to actually go on-site (or to a central control point) to do anything.  With the advent of SCADA over IP, those networks and that equipment are now largely routable from the Internet.

These devices were engineered with safety in mind, not security.  Some have code running directly on the device itself, and others are controlled by a workstation – but neither has a good update mechanism available.  Plus, many vendors never provided updated control software for the workstations, nor will they allow security tools to be installed on them, so we have a lot of XP still hanging out in the world running multi-million dollar equipment.  At the time, perimeter control security architectures were all the rage (to be fair, that’s about all we had), so the IT and OT networks were segmented and firewalled off from each other.  That worked for a while…or so we thought.

Unfortunately, the bad guys have gotten a lot better.  While moats and castles are great, attackers have gotten very good at sneaking in over, around, under, or through a door someone put in the wall.  Sometimes there’s a PC with a modem running PCAnywhere (I kid you not – saw that last year) that they get through, and sometimes it’s sideways movement through the network.  In either case, they’re already inside.  On the IT side, it’s bad.  On the OT side, it can be catastrophic and life threatening, as we’ve seen recently with the attacks on the Ukrainian utilities.  So, the response was to stand up a separate OT security infrastructure – everything from SIEM to endpoint (where vendors allow), and all the other tools.  The challenge is that by segregating the IT and OT security infrastructures, you lose the ability to track movement across the organization.  This challenge is growing as the IT and OT environments continue to merge into a single infrastructure, which also raises the risk that a compromise on the IT side becomes a penetration of OT.

So, what to do?  First, for companies with a large OT network (utility, oil & gas, petrochemical, and so forth), leverage your strengths.  Instead of taking a cyber security approach, move to a cyber safety focus.  The operations folks understand preventative maintenance, emergency procedures, and risk management from a safety standpoint – let’s go talk their language instead of ours.  Accident Zero = Incident Zero.

Second, align IT and OT technology infrastructure strategy, security, and architecture (I know, easier said than done).  As the convergence gains steam, it’s time to revisit the two-headed CIO-IT and CIO/CTO/COO-OT structure that’s typical.  Ultimately one person needs responsibility for both environments, and the CISO should report at that level – not just to the CIO-IT (or even further down the chain).  If there’s a chief risk or safety officer, that might be a good place for security to live.

Third, work with procurement to incorporate security requirements into both IT and OT purchases.  Some key ones are:

  • Secure update capability
  • Compatibility with major security solutions (endpoint, SIEM, antimalware)
  • Security SLA, including long-term commitments for patches on major capital equipment, remediation timeframes, and vulnerability alerts and disclosure guarantees
  • Pen testing and vulnerability scanning of OT components prior to release
  • Hands-off remote support – i.e. vendor does not have direct access without local staff involvement. I prefer a screen sharing approach, where the vendor tells staff what to do, so it’s always in-house hands on the keyboard.

Net: Don’t buy things that can’t be updated, or from vendors that don’t have a security plan.

Fourth, leverage what the IT folks have learned to secure the OT environment.  That includes vulnerability assessments and triage of assets.  If (when?) risks are found, have a mitigation plan put in place quickly.  Two cautions: remember that airgaps aren’t a panacea, and the IT folks need to realize that ‘maintenance window’ has a very different level of flexibility in the OT world than the IT – even in a cyber emergency.  The OT environment has to be able to function – perhaps for days or weeks – with an active threat.  Shutting down a blast furnace or drilling rig for a patch or other remediation is neither quick, nor cheap.

In the end, we’re going to see more Black Energy and similar attacks – I had one CISO speculate that their network was likely hosting bad guys who had access, but were dark and just waiting.  Kind of like pre-positioning military equipment in case you need rapid deployment.  While there’s a touch of FUD there, there’s also a bit of probability.  The convergence is happening, and it’s being driven largely by folks figuring out how to make it work, not people wondering how it’ll break.  That’s human nature.  So, it’s up to us, the cyber safety professionals, to lead our IT and OT teams into a secure IOT future.
