The development of crypto ransomware and IoT devices as a threat platform is among the top infosec problems discussed during the Seven Most Dangerous Attack Techniques panel at RSA 2017.
In addition to ransomware, IoT devices and the combination of those two, panelist Ed Skoudis, a fellow with the SANS Institute, Michael Assante, SANS lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition security, and Johannes Ulrich, director of SANS Internet Storm Centre, listed industrial control system hacks, weak random number generators, a reliance on web services and threats against NoSQL databases as the top seven dangers now confronting society.
The types of attacks and damage potentially caused by these threats range from being locked out of simple, but necessary, devices like a car to having a nation's electric grid partially or fully shut down.
Skoudis said that when cyber-criminals realised IoT devices were more useful as an organised botnet army instead of just simple targets an entirely new and dangerous problem was created. Malicious actors can now organise botnet armies capable of taking almost any organisation offline or hold access or data hostage.
While there is no silver bullet defence that can be implemented, Skoudis did give a few pointers. Companies need to practice excellent network hygiene and limit network shares so one infected endpoint on a network will not spread to the entire system. Even if a company or person becomes compromised there are a few cards the victim can play to limit damage.
The first problem is deciding whether or not the attack is truly crippling and if so should the ransom be paid. Skoudis noted that a company might have a general principle in place of not paying, the reality of the situation might be different and force their hand.
If this happens he suggests lying.
“Look small and poor. This is a negotiation, don't you say you are a Fortune 500 company, pretend you are having a hard time scraping together two bitcoins,” he told the crowd.
He also believes more IoT vendors will start issuing recalls for vulnerable devices in which case people have to send their product back. This, he believes, could put pressure on manufactures to take cyber-security more seriously when they design a new gadget.
The issues facing ICS are even more dangerous, according to Assante. The attacks launched against the Ukrainian grid in 2015 and 2016, while quickly repaired, showed that the bad guys are learning to not only increase the scale of the attack, but also go after the systems used to fix the problem thus possibly keeping people in the dark for even longer periods of time.
The trick to keeping ICS safe is to find that fine balance between automation and human control that will allow a system to work efficiently, yet be flexible enough to allow repair crews to physically go out and get things back online without using the control system itself.
When it comes to securing IoT and larger devices using encryption, Ulrich explained that the primary problem is too may products don't have the built in ability to generate strong encryption.
“Small devices make it difficult to collect enough random events to initialise the algorithms used to create random numbers. Recent research has shown how this can be exploited to break WPA2 encryption. But the problem reaches well beyond Wi-Fi and WPA2. Encryption without good random numbers will put a wide range of security related algorithms at risk,” he noted.